First of all: you read all the stuff before here right? You have to. Before we really start this section I'm going to serve you some theory on and an example of how DNS works. And you're going to read it because it's good for you. If you don't want to you should at least skim it very quickly. Stop skimming when you get to what should go in your named.conf file.
DNS is a hierarchical, tree structured, system. The top is written `.' and pronounced `root', as is usual for tree data-structures. Under . there are a number of Top Level Domains (TLDs); the best known ones are ORG, COM, EDU and NET, but there are many more. Just like a tree it has a root and it branches out.
If you have any computer science background you will recognize DNS as
a search tree, and you will be able to find nodes, leaf nodes and
edges. The dots are nodes, the edges are on the names.
When looking for a machine the query proceeds recursively into the hierarchy starting at the root. If you want to find the address of prep.ai.mit.edu., your nameserver has to start asking somewhere. It starts by looking in its cache. If it knows the answer, having cached it before, it will answer right away as we saw in the last section. If it does not know it will remove parts from the name starting at the left, checking if it knows anything about ai.mit.edu., then mit.edu., then edu., and if not that it does know about . because that was in the hints file. It will then ask a . server about prep.ai.mit.edu. This . server will not know the answer, but it will help your server on its way by giving a referral, telling it where to look instead. These referrals will eventually lead your server to a nameserver that knows the answer. I will illustrate that now. +norec means that dig is asking non-recursive questions so that we get to do the recursion ourselves. The other options are there to reduce the amount of output dig produces so this won't go on for too many pages:
$ dig +norec +noH +noques +nostats +nocmd prep.ai.mit.edu.
;; res options: init defnam dnsrch
;; got answer:
; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 13
;; AUTHORITY SECTION:
. 5d23h48m47s IN NS I.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS E.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS D.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS A.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS H.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS C.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS G.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS F.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS B.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS J.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS K.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS L.ROOT-SERVERS.NET.
. 5d23h48m47s IN NS M.ROOT-SERVERS.NET.
;; ADDITIONAL SECTION:
I.ROOT-SERVERS.NET. 6d23h48m47s IN A 192.36.148.17
E.ROOT-SERVERS.NET. 6d23h48m47s IN A 192.203.230.10
D.ROOT-SERVERS.NET. 6d23h48m47s IN A 128.8.10.90
A.ROOT-SERVERS.NET. 6d23h48m47s IN A 198.41.0.4
H.ROOT-SERVERS.NET. 6d23h48m47s IN A 128.63.2.53
C.ROOT-SERVERS.NET. 6d23h48m47s IN A 192.33.4.12
G.ROOT-SERVERS.NET. 6d23h48m47s IN A 192.112.36.4
F.ROOT-SERVERS.NET. 6d23h48m47s IN A 192.5.5.241
B.ROOT-SERVERS.NET. 6d23h48m47s IN A 128.9.0.107
J.ROOT-SERVERS.NET. 6d23h48m47s IN A 198.41.0.10
K.ROOT-SERVERS.NET. 6d23h48m47s IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6d23h48m47s IN A 198.32.64.12
M.ROOT-SERVERS.NET. 6d23h48m47s IN A 202.12.27.33
This is a referral. It is giving us an "Authority section" only, no "Answer section". Our own nameserver refers us to a nameserver. Pick one at random:
$ dig +norec +noH +noques +nostats +nocmd prep.ai.mit.edu. @H.ROOT-SERVERS.NET.
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3
;; AUTHORITY SECTION:
MIT.EDU. 2D IN NS BITSY.MIT.EDU.
MIT.EDU. 2D IN NS STRAWB.MIT.EDU.
MIT.EDU. 2D IN NS W20NS.MIT.EDU.
;; ADDITIONAL SECTION:
BITSY.MIT.EDU. 2D IN A 18.72.0.3
STRAWB.MIT.EDU. 2D IN A 18.71.0.151
W20NS.MIT.EDU. 2D IN A 18.70.0.160
It refers us to MIT.EDU servers at once. Again pick one at random:
$ dig +norec +noH +noques +nostats +nocmd prep.ai.mit.edu. @bitsy.mit.edu
; (1 server found)
;; res options: init defnam dnsrch
;; got answer:
; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4
;; ANSWER SECTION:
prep.ai.mit.edu. 3h50m7s IN A 198.186.203.18
;; AUTHORITY SECTION:
AI.MIT.EDU. 6H IN NS FEDEX.AI.MIT.EDU.
AI.MIT.EDU. 6H IN NS LIFE.AI.MIT.EDU.
AI.MIT.EDU. 6H IN NS ALPHA-BITS.AI.MIT.EDU.
AI.MIT.EDU. 6H IN NS BEET-CHEX.AI.MIT.EDU.
;; ADDITIONAL SECTION:
FEDEX.AI.MIT.EDU. 6H IN A 192.148.252.43
LIFE.AI.MIT.EDU. 6H IN A 128.52.32.80
ALPHA-BITS.AI.MIT.EDU. 6H IN A 128.52.32.5
BEET-CHEX.AI.MIT.EDU. 6H IN A 128.52.32.22
This time we got an "ANSWER SECTION", and an answer to our question. The "AUTHORITY SECTION" contains information about which servers to ask about ai.mit.edu the next time. So you can ask them directly the next time you wonder about ai.mit.edu names.
So starting at . we found the successive name servers for each level in the domain name by referral. If you had used your own DNS server instead of using all those other servers, your named would of course cache all the information it found while digging this out for you, and it would not have to ask again for a while.
In the tree analogue each `.' in the name is a branching point, and each part between the `.'s is the name of an individual branch in the tree. One climbs the tree by taking the name we want (prep.ai.mit.edu) and asking the root (.) or whatever servers farther from the root toward prep.ai.mit.edu we have information about in the cache. Once the cache limits are reached the recursive resolver goes out asking servers, pursuing referrals (edges) further into the name.
A much less talked about, but just as important domain is in-addr.arpa. It too is nested like the `normal' domains. in-addr.arpa allows us to get the host's name when we have its address. An important thing to note here is that the IP addresses are written in reverse order in the in-addr.arpa domain. If you have the address of a machine, 192.148.52.43, named proceeds just like for the prep.ai.mit.edu example: find arpa. servers, find in-addr.arpa. servers, find 192.in-addr.arpa. servers, find 148.192.in-addr.arpa. servers, find 52.148.192.in-addr.arpa. servers, then find the needed records for 43.52.148.192.in-addr.arpa. Clever huh? (Say `yes'.) The reversal of the numbers can be confusing for years though.
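As an added example (not code from the HOWTO), here is the referral walk of the prep.ai.mit.edu. transcripts and the in-addr.arpa lookup just described, simulated on constructed zone data: the resolver starts at the closest zone it already has servers for (at worst the root, from the hints file), follows referrals downward, and caches each delegation so the next question about an ai.mit.edu name goes straight to that zone's servers. The zone data, server names and the PTR target are constructed, and edu. is modelled as its own zone even though the root server in the transcript referred straight to MIT.EDU.

```python
# Toy iterative resolver on constructed data (not the HOWTO's own code): walks
# referrals from the root like named, caching delegations; in-addr.arpa too.
def zone(delegations=(), records=None):
    """Constructed zone: delegations yield referrals, records yield answers."""
    return {"NS": {c: ["ns." + c] for c in delegations}, "RR": records or {}}

AUTH = {  # modelled on the dig transcripts above, with edu. as its own zone
    ".": zone(["edu.", "arpa."]),
    "edu.": zone(["mit.edu."]),
    "mit.edu.": zone(["ai.mit.edu."]),
    "ai.mit.edu.": zone(records={"prep.ai.mit.edu.": "198.186.203.18",
                                 "life.ai.mit.edu.": "128.52.32.80"}),
    "arpa.": zone(["in-addr.arpa."]),
    "in-addr.arpa.": zone(["192.in-addr.arpa."]),
    "192.in-addr.arpa.": zone(["148.192.in-addr.arpa."]),
    "148.192.in-addr.arpa.": zone(["52.148.192.in-addr.arpa."]),
    "52.148.192.in-addr.arpa.": zone(  # PTR target is a made-up hostname
        records={"43.52.148.192.in-addr.arpa.": "host-43.example."}),
}
HINTS = {".": ["A.ROOT-SERVERS.NET."]}  # what the hints file gives a fresh named

def suffixes(name):
    """name, then each ancestor, ending with the root '.'."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]

def ask(zone_name, qname):
    """What the server for zone_name says to a +norec query for qname."""
    if qname in AUTH[zone_name]["RR"]:
        return "answer", AUTH[zone_name]["RR"][qname]
    for child, servers in AUTH[zone_name]["NS"].items():
        if qname.endswith("." + child):        # a delegation covers qname
            return "referral", (child, servers)
    return "nxdomain", None

def resolve(qname, ns_cache):
    """Start at the closest zone whose servers are cached (root hints at
    worst), follow referrals, cache delegations; returns (rdata, zones asked)."""
    path = [next(z for z in suffixes(qname) if z in ns_cache)]
    while True:
        kind, data = ask(path[-1], qname)
        if kind != "referral":
            return data, path
        child, servers = data
        ns_cache[child] = servers    # next time we can start here directly
        path.append(child)

def reverse_name(ip):
    """in-addr.arpa name for an IPv4 address: the octets in reverse order."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
```

Resolving prep.ai.mit.edu. with a fresh copy of HINTS as the cache walks four zones; asking for life.ai.mit.edu. afterwards is answered from ai.mit.edu. in one step because the delegations were cached.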