Linux Network Administration


Objective

Describe the organization of the DNS namespace
Define the top-level subdomains of the DNS
Describe the process of converting IP addresses into names
Define the concept of zones as used in the DNS namespace
Describe the three classes of name servers
List the steps required when a name server sends a query up the hierarchy
Describe the purpose and usefulness of caching-only name servers
Describe the general format of a zone file
Describe the format of SOA, A, PTR, HINFO, CNAME, and NS records

29 June

Introduction

The Domain Name Service (DNS) is an Internet-wide service for converting numeric IP addresses to host names and back. It may also be used on networks without an Internet connection. Setting up DNS is worthwhile because it simplifies integrating a local network into the Internet when a connection becomes available.

DNS Namespace

The namespace for DNS is organized into a tree, or hierarchical structure, of domains and subdomains. DNS is an example of a distributed, hierarchical database: the information in the database is spread out among many different machines across the Internet (it is distributed). The purpose of this database is to manage the relationship between the namespace (the collection of possible names for machines) and IP addresses.

DNS Namespace

A DNS entity's name is specified by giving its position in this tree of domains and subdomains, with each subdomain name separated from the next by a period. The root domain, which is the root of the entire tree of domains, is named "." (dot).

For example, a machine named belongs to the domain .acmecorp.com, which in turn is a subdomain of the .com domain, which in turn is a subdomain of the root domain (represented by a period).

Fully Qualified Domain Names

The Fully Qualified Domain Name (FQDN) of a DNS entity is the full path from the root of the tree to that entity. Because an FQDN always specifies the full path to the entity, it must always end with a period.

The FQDN for the machine would be

This terminating period plays the same role in the DNS naming scheme that the leading slash (/) marker plays when specifying the absolute path name of a file in the UNIX filesystem. The difference is that a path name moves from general to specific as we read from left to right, and an FQDN moves from specific to general as we read from left to right. Thus the marker for the root of the tree occurs at the left in a path name, and at the right in an FQDN.

Top-level Domains

1. ARPAnet domain (now obsolete)
2. Commercial organizations
3. Educational organizations
4. Civilian government organizations
5. Military organizations
6. Network support centers
7. Other organizations (non-profits, lobbying groups, Political Action Committees)
8. International organizations
9. Geographic code for each country; for example: us = United States, de = Germany, uk = United Kingdom, il = Israel

Top-level Domains

Below these top-level domain names, the managers of the DNS delegate further subdivision of the namespace to organizations with networks connected to the Internet. This delegation takes place through the process of domain name registration, in which an organization registers its chosen name and associated network addresses with the InterNIC and its agent, the private company Network Solutions, Inc.

Once an organization registers its domain name (such as acme.com or brookdalecc.edu), it is free to further subdivide that name. The owners of the acme.com domain name may then freely create sales.acme.com, development.acme.com, and so forth.

Reverse Lookups

Besides converting domain names into Internet Protocol (IP) addresses, the DNS system can do the reverse: convert IP addresses into names. This conversion is done by associating a domain name with a network address and placing this domain name in the top-level in-addr.arpa domain.

Suppose that a company has the Class C network address The associated in-addr.arpa domain name is in-addr.arpa.

This name is created from the network address by reversing the order of the bytes in the network address and appending in-addr.arpa at the end.

Reverse Lookups

This reverse lookup convention has a certain logic to it. The conventions for IP addresses are such that the left-most bytes of a network address pertain to more general networks; each additional byte, moving from left to right, makes the address more specific. The conventions for domain names are exactly the opposite. To convert a network address into a domain name, we must therefore reverse the order of the bytes in the network address.

Suppose we want to find the hostname of the machine with IP address We extract the network portion of this IP address ( ) and look in the DNS database under the domain name in-addr.arpa for the host number
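The byte-reversal rule described above, as an added example that is not part of the original slides. It splits an IPv4 address into its classful network portion (the reverse zone) and host number (the PTR key), then builds PTR records from a host table; the addresses are constructed values from documentation and private ranges, and the host names `ns1` and `build` are hypothetical.

```python
import ipaddress

def network_octets(ip):
    """Number of leading octets in the classful network portion."""
    first = int(ip.split(".")[0])
    if first < 128:
        return 1  # Class A
    if first < 192:
        return 2  # Class B
    if first < 224:
        return 3  # Class C
    raise ValueError(f"{ip} is not a Class A, B or C address")

def split_reverse(ip):
    """Return (reverse_zone, host_key) for an IPv4 address.

    The zone is the network portion with its bytes reversed plus
    in-addr.arpa; the key is the host portion, also reversed.
    """
    ipaddress.IPv4Address(ip)  # raises ValueError on malformed input
    octets = ip.split(".")
    n = network_octets(ip)
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa."
    key = ".".join(reversed(octets[n:]))
    return zone, key

def query_name(ip):
    """FQDN that a reverse lookup for this address asks about."""
    zone, key = split_reverse(ip)
    return f"{key}.{zone}"

def ptr_records(hosts, domain):
    """Group a {hostname: ip} table into {reverse_zone: [PTR lines]}."""
    zones = {}
    ordered = sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[1]))
    for name, ip in ordered:
        zone, key = split_reverse(ip)
        # The VALUE is an FQDN, so it must end with a period.
        zones.setdefault(zone, []).append(f"{key}\tIN PTR\t{name}.{domain}.")
    return zones

# Constructed host table (documentation address ranges, hypothetical hosts).
SAMPLE_HOSTS = {
    "vanderbilt": "192.0.2.10",
    "ns1": "192.0.2.1",
    "build": "198.51.100.7",
}

if __name__ == "__main__":
    for zone, lines in ptr_records(SAMPLE_HOSTS, "corporation.com").items():
        print(f"; zone {zone}")
        for line in lines:
            print(line)
```
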

Zones

A branch of the DNS namespace under the administrative control of some entity is called a zone. A company that registers the domain name company.com gains administrative control of the company.com zone. It also gains administrative control of other zones: the in-addr.arpa zones corresponding to its network addresses.

Suppose that company.com has two Class C network addresses ( and ). company.com will have control over the company.com zone, and the two reverse zones in-addr.arpa and in-addr.arpa.

Name Servers

A name server is a process that accepts queries into the DNS database. It is also common usage to refer to the computer on which this process is running as a name server.

A name server process binds to UDP and TCP port 53 (the domain port listed in /etc/services) and listens for incoming queries. The UDP port is used for most database lookup queries, while the TCP port is used for zone file transfers.

Individual name servers play different roles in the overall operation of the DNS database. The three important classes of name servers are primary servers, secondary servers, and root servers.

Primary Servers

Every zone must have exactly one associated primary name server. This name server is the unique location that has the official or authoritative information on its zone. When an organization registers a new domain, it is required to supply the administrators at the InterNIC with the IP address of an authoritative server for its zones. The primary server is distinguished by the fact that the data for its zone is stored on the server host's local disk in a set of files called zone files.

Secondary Servers

In addition to its primary server, a zone may have one or more secondary servers. A secondary server provides an alternative source for information on the zone. Secondary servers allow for load distribution (so that the authoritative server need not answer every query) and provide a backup (in case the authoritative server crashes or is down for maintenance). Administrators of zones are required to supply at least one secondary server for each zone when they register their domain.

Secondary servers obtain their data from the authoritative server by periodically downloading a copy of the authoritative server's zone files. This transfer is called a zone file transfer. Zone file transfers between name servers use TCP port 53.

A primary or secondary server for a zone is called authoritative because it obtains its information directly from data files describing the zone.

Root Servers

The root servers are the servers for the root domain. They are operated by the InterNIC. At present, there are thirteen root servers, named A.ROOT-SERVERS.NET, B.ROOT-SERVERS.NET, and so forth. The root servers play a crucial role in binding together the database through the mechanism of recursion.

Caching-only Name Servers

A caching-only name server is a name server process with no authoritative information of its own. It relies entirely on information obtained by recursion. Name servers cache the results of recursive queries for a while, so over time a caching server builds up a substantial amount of information.

The purpose of using a caching-only server is to eliminate some of the network traffic. Suppose that a host is running a caching-only name server process, and the resolver library on that machine is directed to consult that local name server process, which does not require network access. If the resolver library is making a new query, the caching-only server will need to use recursion to find the answer; but subsequent requests for that information can be satisfied using the cached information. Caching eliminates a substantial amount of network traffic, while reducing the access time of the query at the same time.

Caching-only Name Servers

The usefulness of caching servers is particularly striking on machines running Web browsers. A typical Web page contains multiple links to the same machine, so that a user moving through a Web page generates multiple queries asking about the same target. If the local name server satisfies these requests (after the first one) without using the network, the user will have much better performance.

Zone Files and Resource Records

Record Type          Abbr    Purpose
State of Authority   SOA     Sets basic parameters for a zone, and establishes responsible parties
Address              A       Specifies a name-to-address mapping
Pointer              PTR     Specifies an address-to-name mapping
Host Information     HINFO   Describes the architecture and OS of a host in the database
Canonical Name       CNAME   Defines an alias, or alternative name, for a host
Mail Exchange        MX      Defines a mail exchange host
Name Server          NS      Declares a name server for a zone

Zone File Special Features

1. The key to be looked up
2. Internet
3. Type of Resource Record
4. Result of the lookup
5. The key is blank, so the previous key is used
6. All the key values in the left column are relative to corporation.com

29 June 2005

@ Signs

There is one additional special feature that may appear in zone files: @ signs. The @ sign represents a value to be inserted by the server from its configuration files. If the server is configured to use the file file.zone as the zone file for the corporation.com zone, and the @ sign is used in the left column as a KEY value, the server replaces @ with corporation.com.

Types of Resource Records

1. The FQDN of the host where this SOA record resides: the authoritative server for this zone
2. The address of the administrator for this zone, written with the @ sign replaced by a dot
3. A number identifying this version of the zone file. This field is used by secondary servers to decide if the zone file has changed, so it should be incremented every time the file is modified
4. How often (in seconds) the secondary servers should reload this zone file to check for changes
5. How long (in seconds) the secondary servers should wait after a failed zone file transfer before retrying
6. How long (in seconds) the secondary servers should wait between successful zone file transfers before discarding the data
7. Tells other servers how long, by default, to cache results from this server

State of Authority (SOA) records

An SOA record sets up basic parameters for a zone of authority and marks the beginning of a zone. Every zone or subzone must have exactly one SOA record, and the zone continues until another SOA record is encountered.

The fields in an SOA record have the following meanings: KEY is the zone to which this SOA applies. VALUE has the following form:

Address (A) and Pointer (PTR) records

Address records specify a mapping from the host name to the IP address. These records are the heart of the DNS database. Address records appear in the forward lookup zone file (for corporation.com). PTR records appear in the reverse file (the in-addr.arpa zone file).

Host Information (HINFO) Records

Host information records give the operating system and architecture for the specified host. Many sites do not put this information in their DNS database because it provides extra information to hackers. However, it can be quite convenient on networks with many different kinds of machines.

The format is:

KEY IN HINFO Architecture O/S

The valid names for architecture and operating system are the official names supplied by the system. You can get these names by using the uname command.

Canonical Name (CNAME) Records

Canonical name records define an alias. In our previous example, the record:

www IN CNAME vanderbilt.corporation.com.

declares an alias for the machine vanderbilt.corporation.com.

Name Server (NS) Records

A name server (NS) record declares a machine to be a name server for a specified zone. The KEY is the name of the zone, and the value is the FQDN for the name server. Usually, the NS records immediately follow the SOA record, with the first NS record pointing to the authoritative name server for the zone.

Zone files use Fully Qualified Domain Names, so be very careful to make sure that you use periods at the end of host names when they occur as VALUE fields in A records, and in the SOA record. Ninety-nine percent of the time, a problem with a zone file is due to a missing period.
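A small zone-file check for the two pitfalls raised in the record descriptions above, added here as an example and not taken from the original slides: name-valued fields that lack the terminating period (and so get the zone origin appended), and HINFO records that publish host details. The zone text is constructed; `ns1`, `hostmaster`, `ftp` and the 192.0.2.x addresses are assumptions, and only the KEY IN TYPE VALUE layout described on this page is parsed.

```python
# Index of the VALUE fields that hold host names, per record type.
NAME_FIELDS = {"SOA": (0, 1), "NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,)}
KNOWN_TYPES = set(NAME_FIELDS) | {"A", "HINFO"}

def qualify(name, origin):
    """Expand a zone-file name the way the server does."""
    if name == "@":
        return origin
    # A name without a trailing period is relative to the zone origin.
    return name if name.endswith(".") else f"{name}.{origin}"

def records(text):
    """Yield (lineno, key, rtype, values); parenthesised records are joined."""
    prev_key, pending, start, blank_key, depth = None, [], 0, False, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop comments
        if not line.strip():
            continue
        if not pending:
            # A record starting with whitespace reuses the previous key.
            start, blank_key = lineno, line[0].isspace()
        depth += line.count("(") - line.count(")")
        pending += line.replace("(", " ").replace(")", " ").split()
        if depth > 0:
            continue  # still inside a multi-line SOA
        tokens, pending = pending, []
        key = prev_key if blank_key else tokens.pop(0)
        prev_key = key
        while tokens and (tokens[0].isdigit() or tokens[0].upper() == "IN"):
            tokens.pop(0)  # skip optional TTL and the IN class
        if tokens and tokens[0].upper() in KNOWN_TYPES:
            yield start, key, tokens[0].upper(), tokens[1:]

def lint_zone(text, origin):
    """Return a list of (lineno, code, message) findings."""
    findings, soa_count = [], 0
    for lineno, key, rtype, values in records(text):
        if rtype == "SOA":
            soa_count += 1
        if rtype == "HINFO":
            host = qualify(key or "@", origin)
            findings.append((lineno, "hinfo-exposed",
                             f"{host} publishes architecture/OS: {' '.join(values)}"))
        for i in NAME_FIELDS.get(rtype, ()):
            if i < len(values):
                name = values[i]
                # Dotted but unterminated: almost certainly meant as an FQDN.
                if "." in name and not name.endswith("."):
                    findings.append((lineno, "missing-period",
                                     f"{rtype} value {name!r} expands to "
                                     f"{qualify(name, origin)}"))
    if soa_count != 1:
        findings.append((0, "soa-count",
                         f"expected exactly one SOA record, found {soa_count}"))
    return findings

# Constructed zone text for corporation.com (values are sample data).
SAMPLE_ZONE = """\
@           IN SOA   ns1.corporation.com. hostmaster.corporation.com. (
                     2005062901 ; Serial
                     10800      ; Refresh
                     3600       ; Retry
                     604800     ; Expire
                     86400 )    ; Minimum
            IN NS    ns1.corporation.com
ns1         IN A     192.0.2.1
vanderbilt  IN A     192.0.2.10
            IN HINFO Intel Linux
www         IN CNAME vanderbilt.corporation.com.
ftp         IN CNAME vanderbilt.corporation.com
"""

if __name__ == "__main__":
    for lineno, code, message in lint_zone(SAMPLE_ZONE, "corporation.com."):
        print(f"line {lineno}: {code}: {message}")
```

The origin passed to `lint_zone` must itself end with a period, since it stands for the FQDN of the zone.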

nslookup

nslookup is a UNIX program used to query DNS servers. When you start the program from the UNIX command line, it uses the /etc/resolv.conf file to locate a name server, and initially directs its queries at that server. It has two modes, interactive and noninteractive. An example of the noninteractive mode is ping.

In its simplest form, nslookup extracts the A and PTR records from the DNS database. Sometimes it is useful to use nslookup to read the SOA, HINFO, and other record types.

NETW 111 bind

Elements of the BIND Software

Now that we've looked at using nslookup, let's address the problem of setting up a name server on a UNIX computer. The UNIX name server software derives from the package known as Berkeley Internet Name Daemon (BIND). BIND has three parts:

The name server process itself, usually called named or in.named
The configuration file for the name server process, usually called /etc/named.boot
The data files for the name server

Name Server Data Files

The data files for the name server include:

A root cache file, usually called root.ca or root.cache. This file is used to prime the name server with the addresses of the root servers.
A zone file for the loopback zone. A loopback zone is a reverse zone that enables resolution of the loopback address ( ) to the name localhost. This tiny file is a zone file for the network address (the loopback address).

This file follows the usual conventions for zone files. The @ sign is a placeholder for information from the name server configuration file.

loopback

@    IN SOA localhost. root.localhost. (
                 ; Serial
                 ; Refresh
                 ; Retry
                 ; Expire
             )   ; Minimum
     IN NS  localhost.
1    IN PTR localhost.

Directive Arguments

1. The directory directive establishes an initial path for later file references, to make the file easier to read. In our example, all future file references are relative to the path /var/named
2. The cache directive primes the cache
3. The arguments of the cache directive are the origin domain for the cache file, followed by the name of the file. The origin for the cache file is the root domain (.), and the cache file name is /var/named/named.ca

Directive Arguments

4. The primary directive declares the server as an authoritative server for a particular zone
5. The arguments of the primary directive are the origin of the zone and the name of the zone file. In our example, our server is primary (authoritative) for corporation.com, with zone file /var/named/corp.zone, and for the reverse zone in-addr.arpa, with zone file /var/named/rev.zone

Directive Arguments

6. The secondary directive declares the server as a secondary server for a particular zone
7. The arguments of the secondary directive are the origin of the zone, the IP address of the zone's primary server, and the file name where the zone file is to be stored. In this example, our server is a secondary server for company.com, the primary server is located at , and the zone file is named /var/named/company.zone

Components Required for a Server

Configuring a server involves the use of many tools. At the least, you will require a name server, such as BIND, which is nearly universal on UNIX systems. For the system to function fully, you must ensure that the server package you install has three parts:

1. The name server process: /usr/sbin/named on Linux
2. The configuration file (called /etc/named.boot or /etc/named.conf depending on BIND version)
3. Zone files, including:
   A root cache file (usually called root.ca or root.cache)
   A loopback zone file (usually called named.local)
   A forward zone file (for example, forward.company.zone)
   A reverse zone file (for example, reverse.company.zone)

Practical Server Configuration

1. Gather information - Collect the information you need to create the zone files. This task includes choosing a domain name for your network
2. Prepare zone files - As you prepare your zone files, remember that each zone must have an SOA record. Remember that forward and reverse zones each need name servers, and so their zone files must have NS records
3. Kill the name server process
4. Prepare the named.boot file - Once you have killed the name server process, you can then create or edit the named.boot file

Practical Server Configuration

5. Run nslookup
6. Configure the clients - To configure a UNIX client, you need only alter the /etc/resolv.conf file for each host that you want to participate in the domain
7. Control problems - Do not get too ambitious as you first work with BIND. Take each step one at a time, and work slowly. Document each move. Work in this way, and you will control the risks of establishing a server

Gather Information for the Zone Files

This task includes choosing a domain name for your network. You will need the addresses and names of the name server machines for your network, and for each host on the network you will need to know:

IP address
Host name

If you choose to include HINFO records describing the hosts on your network, for each host you will need to know the:

Operating system
System architecture (for example, Sparc, Intel, PPC, and so on)

If your network is divided into subnetworks, you need the names of the subnetworks and their name servers, with addresses, as well. Compile the host information by creating a table.

Creating a Server

Create Zone Files. As you prepare your zone files, remember that each zone must have an SOA record. Remember that forward and reverse zones each need name servers, and so their zone files must have NS records.

Naming Your Zone File. You can name your zone file anything you want. You could name the forward zone file forward.zone, and name the reverse zone file reverse.zone, or any other name you see fit. Some administrators include the name of the domain or company this file serves. If you were in a company named Security Inc., you could name the forward zone file security.forward.zone.

Creating a Server

Cache and Loopback Files. You must also provide cache and loopback files. You can name these anything you like, although named.ca and named.local are the usual names for each respective file. You need not create or configure the root cache file. You can obtain the latest root cache file from the InterNIC FTP site. This file does not change frequently (the current version was last modified in 2004).

Creating a Server

Sample loopback

@    IN SOA localhost. root.localhost. (
                 ; Serial
                 ; Refresh
                 ; Retry
                 ; Expire
             )   ; Minimum
     IN NS  localhost.
1    IN PTR localhost.

Placing Your Zone Files

Once you have prepared your zone files, you need to place them in the /var/named directory on the primary server host. Clients do not need to create zone files, nor do they need to have named running. They only need to have the primary and secondary name servers listed in /etc/resolv.conf.


More information

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale

Domain Name System (DNS) Session-1: Fundamentals. Computers use IP addresses. Why do we need names? hosts.txt does not scale Domain Name System (DNS) Computers use IP addresses. Why do we need names? Names are easier for people to remember Session-1: Fundamentals Computers may be moved between networks, in which case their IP

More information

Resource Records APPENDIXA

Resource Records APPENDIXA APPENDIXA Resource Records Resource records comprise the data within a DNS zone. There is no fixed limit to the number of resource records a zone can own. In general, there can be zero, one, or more resource

More information

Domain Name System (DNS)

Domain Name System (DNS) Domain Name System (DNS) Computer Networks Lecture 9 http://goo.gl/pze5o8 Domain Name System Naming service used in the Internet Accomplishes mapping of logical ("domain") names to IP addresses (and other

More information

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific

DNS/DNSSEC Workshop. In Collaboration with APNIC and HKIRC Hong Kong. Champika Wijayatunga Regional Security Engagement Manager Asia Pacific DNS/DNSSEC Workshop In Collaboration with APNIC and HKIRC Hong Kong Champika Wijayatunga Regional Security Engagement Manager Asia Pacific 22-24 January 2018 1 Agenda 1 2 3 Introduction to DNS DNS Features

More information

DNS Basics BUPT/QMUL

DNS Basics BUPT/QMUL DNS Basics BUPT/QMUL 2018-04-16 Related Information Basic function of DNS Host entry structure in Unix Two system calls for DNS database retrieving gethostbyname () gethostbyaddr () 2 Agenda Brief introduction

More information

CIA Lab Assignment: Domain Name System (1)

CIA Lab Assignment: Domain Name System (1) CIA Lab Assignment: Domain Name System (1) A. Bakker N. Sijm J. van der Ham M. Pouw Feedback deadline: September 22, 2015 10:00 CET Abstract The Domain Name System (DNS) is a hierarchical, distributed

More information

OPS535 Lab 5. Dynamic DNS. RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE)

OPS535 Lab 5. Dynamic DNS. RFC 2136 Dynamic Updates in the Domain Name System (DNS UPDATE) OPS535 Lab 5 Dynamic DNS Overview In this lab, you add a forward lookup zone and a reverse lookup zone to your primary DNS server and configure both zones to support dynamic updates. Dynamic DNS zone accepts

More information

DNS. DNS is an example of a large scale client-server application.

DNS. DNS is an example of a large scale client-server application. DNS Domain Name System: DNS Objective: map names to IP addresses (i.e., high level names to low level names) Original namespace was flat, didn t scale.. Hierarchical naming permits decentralization by

More information

Configuration of Authoritative Nameservice

Configuration of Authoritative Nameservice Configuration of Authoritative Nameservice AfCHIX 2011 Blantyre, Malawi (based on slides from Brian Candler for NSRC) Recap DNS is a distributed database Resolver asks Cache for information Cache traverses

More information

phoenixnap Client Portal

phoenixnap Client Portal phoenixnap Client Portal 1 phoenixnap Client Portal Disclaimer Please be aware that DNS management can be a confusing and complicated system. If you get something wrong, you might experience problems such

More information

Web Portal User Manual for

Web Portal User Manual for Web Portal User Manual for Copyright 2009 Afilias Limited Contents 1. Introduction... 1 1.1 About Afilias Managed DNS Service... 1 1.2 Afilias Managed DNS Service Website Help... 1 1.3 Support... 2 2.

More information

Resource Records APPENDIX

Resource Records APPENDIX APPENDIX A Resource records comprise the data within a DNS zone. There is no fixed limit to the number of resource records a zone can own. In general, there can be zero, one, or more resource records of

More information

DNS. David Malone. 19th October 2004

DNS. David Malone. 19th October 2004 DNS David Malone 19th October 2004 1 Names vs. Addresses Computers like addresses eg. 134.226.81.11. People prefer names salmon.maths.tcd.ie. Need a way to translate. walton.maths.tcd.ie close to salmon.maths.tcd.ie.

More information

CSCE 463/612 Networks and Distributed Processing Spring 2018

CSCE 463/612 Networks and Distributed Processing Spring 2018 CSCE 463/612 Networks and Distributed Processing Spring 2018 Application Layer III Dmitri Loguinov Texas A&M University February 8, 2018 Original slides copyright 1996-2004 J.F Kurose and K.W. Ross 1 Chapter

More information

Introduction to Network. Topics

Introduction to Network. Topics Introduction to Network Security Chapter 7 Transport Layer Protocols 1 TCP Layer Topics Responsible for reliable end-to-end transfer of application data. TCP vulnerabilities UDP UDP vulnerabilities DNS

More information

Domain Name System - Advanced Computer Networks

Domain Name System - Advanced Computer Networks - Advanced Computer Networks Saurabh Barjatiya International Institute Of Information Technology, Hyderabad 26 August, 2011 Contents 1 Distributed database, highly volatile Domain names Top level domains

More information

New Topic: Naming. Approaches

New Topic: Naming. Approaches New Topic: Naming Names are used to share resources, uniquely identify entities and refer to locations Need to map from name to the entity it refers to E.g., Browser access to www.cnn.com Use name resolution

More information

DNS. Introduction To. everything you never wanted to know about IP directory services

DNS. Introduction To. everything you never wanted to know about IP directory services Introduction To DNS everything you never wanted to know about IP directory services Linux Users Victoria, April 3 rd 2007 what is the domain name system anyway? it's like a phone book...kinda DNS is (1)

More information

CSc 450/550 Computer Networks Domain Name System

CSc 450/550 Computer Networks Domain Name System CSc 450/550 Computer Networks Domain Name System Jianping Pan Summer 2007 5/28/07 CSc 450/550 1 Review: Web/HTTP Web URI/URL, HTML tags, embedded objects HTTP request and response persistence, statefulness

More information

Domain Name Service. DNS Overview. October 2009 Computer Networking 1

Domain Name Service. DNS Overview. October 2009 Computer Networking 1 Domain Name Service DNS Overview October 2009 Computer Networking 1 Why DNS? Addresses are used to locate objects (contain routing information) Names are easier to remember and use than numbers DNS provides

More information

DNS and HTTP. A High-Level Overview of how the Internet works

DNS and HTTP. A High-Level Overview of how the Internet works DNS and HTTP A High-Level Overview of how the Internet works Adam Portier Fall 2017 How do I Google? Smaller problems you need to solve 1. Where is Google? 2. How do I access the Google webpage? 3. How

More information

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS

CS519: Computer Networks. Lecture 6: Apr 5, 2004 Naming and DNS : Computer Networks Lecture 6: Apr 5, 2004 Naming and DNS Any problem in computer science can be solved with another layer of indirection David Wheeler Naming is a layer of indirection What problems does

More information

This video will look at how to create some of the more common DNS records on Windows Server using Remote Administration Tools for Windows 8.

This video will look at how to create some of the more common DNS records on Windows Server using Remote Administration Tools for Windows 8. This video will look at how to create some of the more common DNS records on Windows Server using Remote Administration Tools for Windows 8. Demonstration The Windows 8 computer has Remote Server Administration

More information

Application Session (Hands-on) Athanassios Liakopoulos (GRNET) version 1.01

Application Session (Hands-on) Athanassios Liakopoulos (GRNET) version 1.01 Application Session (Hands-on) Athanassios Liakopoulos (GRNET) aliako@grnet.gr version 1.01 1. Lab information Network Topology The network topology is shown in Figure 1. PCs belong to different VLANs,

More information

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Domain Name System

Application Protocols in the TCP/IP Reference Model. Application Protocols in the TCP/IP Reference Model. DNS - Domain Name System Application Protocols in the TCP/IP Reference Model Application Protocols in the TCP/IP Reference Model File Transfer E-Mail Network Management Protocols of the application layer are common communication

More information

Advanced Networking. Domain Name System

Advanced Networking. Domain Name System Advanced Networking Domain Name System Purpose of DNS servers Human being has many identifications: 1) Our name can be used for identification Problem: Two differenet people may have same name. 2) Mobile

More information

Advanced Networking. Domain Name System. Purpose of DNS servers. Purpose of DNS servers. Purpose of DNS servers

Advanced Networking. Domain Name System. Purpose of DNS servers. Purpose of DNS servers. Purpose of DNS servers Purpose of DNS servers Advanced Networking Domain Name System Human being has many identifications: 1) Our name can be used for identification Problem: Two differenet people may have same name. 2) Mobile

More information

Network+ Guide to Networks, Seventh Edition Chapter 2, Solutions

Network+ Guide to Networks, Seventh Edition Chapter 2, Solutions Network+ Guide to Networks, Seventh Edition Chapter 2, Solutions [C HD] Applying Concepts: Configure Address Translation Using NAT At the end of this chapter, you ll create your own NAT translation table

More information

Naming. Naming entities

Naming. Naming entities Naming Naming entities Locating mobile entities Removing unreferenced entities 1 Name: Just a string Naming entities used to denote entity in a system Identifier: Uniquely refers to an entity Each entity

More information

DNS & Iodine. Christian Grothoff.

DNS & Iodine. Christian Grothoff. DNS & Iodine christian@grothoff.org http://grothoff.org/christian/ The Domain Name System is the Achilles heel of the Web. Tim Berners-Lee 1 DNS: Domain Name System Unique Distributed Database Application-layer

More information

ECE 435 Network Engineering Lecture 7

ECE 435 Network Engineering Lecture 7 ECE 435 Network Engineering Lecture 7 Vince Weaver http://web.eece.maine.edu/~vweaver vincent.weaver@maine.edu 25 September 2018 HW#3 was Posted Announcements 1 HW#2 Review C code will be discussed next

More information

9.1 Introduction 9.2 Name services and the DNS 9.3 Discovery services 9.6 Summary

9.1 Introduction 9.2 Name services and the DNS 9.3 Discovery services 9.6 Summary Teaching material based on Distributed Systems: Concepts and Design, Edition 3, Addison-Wesley 2001. Distributed Systems Course Name Services Copyright George Coulouris, Jean Dollimore, Tim Kindberg 2001

More information

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46

DNS. dr. C. P. J. Koymans. September 16, Informatics Institute University of Amsterdam. dr. C. P. J. Koymans (UvA) DNS September 16, / 46 DNS dr. C. P. J. Koymans Informatics Institute University of Amsterdam September 16, 2008 dr. C. P. J. Koymans (UvA) DNS September 16, 2008 1 / 46 DNS and BIND DNS (Domain Name System) concepts theory

More information

Welcome! Acknowledgements. Introduction to DNS. cctld DNS Workshop October 2004, Bangkok, Thailand

Welcome! Acknowledgements. Introduction to DNS. cctld DNS Workshop October 2004, Bangkok, Thailand Welcome! cctld DNS Workshop 8-11 October 2004, Bangkok, Thailand Champika Wijayatunga, APNIC Acknowledgements Bill Manning Ed Lewis Joe Abley Olaf M. Kolkman EP.NET Introduction to

More information

WEB TECHNOLOGIES CHAPTER 1

WEB TECHNOLOGIES CHAPTER 1 WEB TECHNOLOGIES CHAPTER 1 WEB ESSENTIALS: CLIENTS, SERVERS, AND COMMUNICATION Modified by Ahmed Sallam Based on original slides by Jeffrey C. Jackson THE INTERNET Technical origin: ARPANET (late 1960

More information

Application Protocols in the TCP/IP Reference Model

Application Protocols in the TCP/IP Reference Model Application Protocols in the TCP/IP Reference Model File Transfer E-Mail Network Management WWW Virtual Terminal Name Service File Transfer HTTP FTP Telnet SMTP DNS SNMP TFTP Internet protocols TCP UDP

More information

Computer Network laboratory (2015) Pattern TE Computer 1 (5)

Computer Network laboratory (2015) Pattern TE Computer 1 (5) Computer Network laboratory (2015) Pattern 1 R N Oral Total Dated Sign (2) (5) (3) (2) Assignment Group- A_11 Problem Definition Write a program for DNS lookup. Given an IP address input, it should return

More information

DNS / DNSSEC Workshop. bdnog November 2017, Dhaka, Bangladesh

DNS / DNSSEC Workshop. bdnog November 2017, Dhaka, Bangladesh DNS / DNSSEC Workshop bdnog7 19-22 November 2017, Dhaka, Bangladesh Issue Date: 03 November 2015 Revision: 2.0-draft4 Overview DNS Overview BIND DNS Configuration Recursive and Forward DNS Reverse DNS

More information

[Prof. Rupesh G Vaishnav] Page 1

[Prof. Rupesh G Vaishnav] Page 1 Q-1 Explain DNS (Domain Name System) in detail with example. OR Explain : DNS and its advantages DNS is an internet service that translates domain names into IP addresses. Because domain names are alphabetic,

More information

EECS 122: Introduction to Computer Networks DNS and WWW. Internet Names & Addresses

EECS 122: Introduction to Computer Networks DNS and WWW. Internet Names & Addresses EECS 122: Introduction to Computer Networks DNS and WWW Computer Science Division Department of Electrical Engineering and Computer Sciences University of California, Berkeley Berkeley, CA 94720-1776 Internet

More information

Domain Name Service. FAQs. Issue 07 Date HUAWEI TECHNOLOGIES CO., LTD.

Domain Name Service. FAQs. Issue 07 Date HUAWEI TECHNOLOGIES CO., LTD. Issue 07 Date 2019-03-05 HUAWEI TECHNOLOGIES CO., LTD. Copyright Huawei Technologies Co., Ltd. 2019. All rights reserved. No part of this document may be reproduced or transmitted in any form or by any

More information

The Domain Name System

The Domain Name System The Domain Name System History of DNS Before DNS ARPAnet HOSTS.txt contains all the hosts information Maintained by SRI s Network Information Center In SRI-NIC host Problems: Not scalable! Traffic and

More information

FTP. Client Server Model. Kent State University Dept. of Computer Science. CS 4/55231 Internet Engineering. Server Models

FTP. Client Server Model. Kent State University Dept. of Computer Science. CS 4/55231 Internet Engineering. Server Models Client Server Model Client: Any program can be a client temporarily of a specific remote service. Generally it is invoked, controlled by user. It runs only one session. CS 4/55231 Internet Engineering

More information

The Domain Name System

The Domain Name System The Domain Name System History of DNS Before DNS ARPAnet HOSTS.txt contains all the hosts information Maintained by SRI s Network Information Center In SRI-NIC host Problems: Not scalable! Traffic and

More information

Chapter 14. Configuring Linux Network Services Part 1 DHCP and DNS service

Chapter 14. Configuring Linux Network Services Part 1 DHCP and DNS service Chapter 14 Configuring Linux Network Services Part 1 DHCP and DNS service 1 Content Configuring a DHCP server on Linux Configuring a DNS server on Linux Configuring the Apache Web server on Linux Configuring

More information

Page 1 of 7 SUMMARY MORE INFORMATION. Windows 2000 DNS Event Messages 1616 Through Microsoft resource record (RR) problems.

Page 1 of 7 SUMMARY MORE INFORMATION. Windows 2000 DNS Event Messages 1616 Through Microsoft resource record (RR) problems. Page 1 of 7 Knowledge Base Windows 2000 DNS Event Messages 1616 Through 6702 PSS ID Number: 287513 Article Last Modified on 10/11/2002 The information in this article applies to: Microsoft Windows 2000

More information

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail

Root Servers. Root hints file come in many names (db.cache, named.root, named.cache, named.ca) See root-servers.org for more detail What is DNS? Systems to convert domain names into ip addresses: For an instance; www.tashicell.com 118.103.136.66 Reverse: 118.103.136.66 www.tashicell.com DNS Hierarchy Root Servers The top of the DNS

More information

Communications Software. CSE 123b. CSE 123b. Spring Lecture 11: Domain Name System (DNS) Stefan Savage. Some pictures courtesy David Wetherall

Communications Software. CSE 123b. CSE 123b. Spring Lecture 11: Domain Name System (DNS) Stefan Savage. Some pictures courtesy David Wetherall CSE 123b CSE 123b Communications Software Spring 2003 Lecture 11: Domain Name System (DNS) Stefan Savage Some pictures courtesy David Wetherall & Srini Seshan Where we ve been & where we re going Low-level

More information

CSE 123b Communications Software. Overview for today. Names and Addresses. Goals for a naming system. Internet Hostnames

CSE 123b Communications Software. Overview for today. Names and Addresses. Goals for a naming system. Internet Hostnames CSE 123b Communications Software Spring 2003 Lecture 11: Domain Name System (DNS) Stefan Savage Where we ve been & where we re going Low-level networking (so far) Internetworking architecture Packet Forwarding

More information

Chapter 4. Internet Applications

Chapter 4. Internet Applications Chapter 4 Internet Application Protocols 1 Internet Applications! Domain Name System! Electronic mail! Remote login! File transfer! World Wide Web! All use client-server model 2 Names! Internet communication

More information

Computer Network 1 1

Computer Network 1 1 Computer Network 1 1 Chapter 10: Application Layer Advanced Principal Concepts Samples and Techniques Foundation Summary Question and Answer 2 Outline Application Layer There is a need for support protocols,

More information

Guide to TCP/IP, Third Edition. Chapter 12: TCP/IP, NetBIOS, and WINS

Guide to TCP/IP, Third Edition. Chapter 12: TCP/IP, NetBIOS, and WINS Guide to TCP/IP, Third Edition Chapter 12: TCP/IP, NetBIOS, and WINS Objectives Discuss the history of NetBIOS Understand what NetBIOS is and its limitations Understand the role of NetBIOS in Windows 2000

More information

Application Layer Protocols

Application Layer Protocols Application Layer Protocols Dr. Ihsan Ullah Department of Computer Science & IT University of Balochistan, Quetta Pakistan Email: ihsan.ullah.cs@gmail.com These slides are adapted from the slides accompanying

More information

Domain Name Service. in-addr sfu

Domain Name Service. in-addr sfu Domain Name Service It s nice to be able to refer to machines by names, instead of numbers. Humans do better with fraser.sfu.ca than with 142.58.101.25. When the Internet was small & cute and still the

More information

Network+ Guide to Networks, Seventh Edition Chapter 2, Solutions

Network+ Guide to Networks, Seventh Edition Chapter 2, Solutions Network+ Guide to Networks, Seventh Edition Chapter 2, Solutions Review Questions 1. Which part of a MAC address is unique to each manufacturer? A. The network identifier B. The OUI C. The device identifier

More information

ICS 351: Today's plan. DNS WiFi

ICS 351: Today's plan. DNS WiFi ICS 351: Today's plan DNS WiFi Domain Name System Hierarchical system of names top-level domain names include.edu,.org,.com,.net, and many country top-level domains root is just "." so the fully qualified

More information

Configuring DNS on SLES 9

Configuring DNS on SLES 9 CHAPTER 3 Configuring DNS on SLES 9 This chapter covers the following requirements for Novell s Certified Linux Engineer (CLE) 9 certification: 1. Configure a DNS server using BIND. On a modern IP-based

More information

DOMAIN NAME SYSTEM (DNS) BEYAZIT BESTAMİ YÜKSEL

DOMAIN NAME SYSTEM (DNS) BEYAZIT BESTAMİ YÜKSEL DOMAIN NAME SYSTEM (DNS) BEYAZIT BESTAMİ YÜKSEL - 15501014 DNS and DNS Server History of DNS DNS Architecture Name Resolution DNS Query Types OVERVIEW The DNS is The Domain Name System What Internet users

More information

Advanced SUSE Linux Enterprise Server Administration (Course 3038) Chapter 3 Configure Network Services

Advanced SUSE Linux Enterprise Server Administration (Course 3038) Chapter 3 Configure Network Services Advanced SUSE Linux Enterprise Server Administration (Course 3038) Chapter 3 Configure Network Services Objectives Configure a DNS Server Using BIND Deploy OpenLDAP on a SLES 9 Server Configure an Apache

More information

Naming. Chapter 4. Naming (1) Name resolution allows a process to access a named entity. A naming system is necessary.

Naming. Chapter 4. Naming (1) Name resolution allows a process to access a named entity. A naming system is necessary. Naming Chapter 4 Naming (1) Name resolution allows a process to access a named entity. A naming system is necessary. In a distributed system the naming system is distributed. Naming (2) In a distributed

More information