Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
PrevChapter 21. Software -NetworkingNext

21.4. Primary master name Server

A primary master name server for a zone reads the data for the zone from a file on it's host and are authoritative for that zone.The necessary files to setup a primary master name server are:

  1. named.conf

  2. db.127.0.0

  3. db.208.164.186

  4. db.openna

  5. db.cache

  6. named script

To configure the /etc/named.conf file for a master name server, use this configuration for the server on your network that acts as a master name server. After compiling DNS, you need to set up a primary domain name for your server. We'll use openna.com as an example domain, and assume you are using IP network address of 208.164.186.0. To do this, add the following lines to your /etc/named.conf. Create the named.conf file touch /etc/named.conf and add: 

 options {
 directory "/var/named";
 fetch-glue no;                    (1)
 recursion no;                     (2)
 allow-query { 208.164.186/24; 127.0.0/8; };  (3)
 allow-transfer { 208.164.186.2; };           (4)
 transfer-format many-answers;
 };

 // These files are not specific to any zone
 zone "." in {
 type hint;
 file "db.cache";
 };

 zone "0.0.127.in-addr.arpa" in {
 type master;
 file "db.127.0.0";
 };

 // These are our primary zone files
 zone "openna.com" in {
 type master;
 file "db.openna ";
 };

 zone "186.164.208.in-addr.arpa" in {
 type master;
 file "db.208.164.186";
 };

(1)(2)
The fetch-glue no option can be used in conjunction with the option recursion no to prevent the server's cache from growing or becoming corrupted. Also, disabling recursion puts your name servers into a passive mode, telling it never to send queries on behalf of other name servers or resolvers. A non-recursive name server is very difficult to spoof, since it doesn't send queries, and hence doesn't cache any data.
(3)
In the allow-query line, 208.164.186/24 and 127.0.0/8 are the IP addresses allowed to ask ordinary questions to the server.
(4)
In the allow-transfer line, 208.164.186.2 is the IP address allowed to receive zone transfers from the server. You must ensure that only your real slave name servers can transfer zones from your name serve, as the information provided is often used by spammers and IP spoofers.

Note: The options recursion no, allow-query, and allow-transfer in the named.conf file above are security features.

To configure the /var/named/db.127.0.0 file for a master and slave name server, you can use this configuration file by both a master name server and a slave name server. The db.127.0.0 file covers the loopback network. Create the following files in /var/named/.

Create the db.127.0.0 file, touch /var/named/db.127.0.0 and add: 

 ; Revision History: April 22, 1999 - admin@mail.openna.com
 ; Start of Authority (SOA) records.
 $TTL 345600
 @  IN  SOA  deep.openna.com. admin.mail.openna.com.  (
 00	; Serial
 86400	; Refresh
 7200	; Retry
 2592000	; Expire
 345600 )	; Minimum

 ; Name Server (NS) records.
 NS   deep.openna.com.
 NS   mail.openna.com.

 ; only One PTR record.
 1      PTR  localhost.

To configure the /var/named/db.208.164.186 file for a master name server, Use this configuration for the server on your network that acts as a master name server. The file db.208.164.186 maps host names to addresses. Create the following files in /var/named/.

Create the db.208.164.186 file, touch /var/named/db.208.164.186 and add: 

 ; Revision History: April 22, 1999 - admin@mail.openna.com
 ; Start of Authority (SOA) records.
 $TTL 345600
 @  IN  SOA  deep.openna.com. admin.mail.openna.com.  (
 00	; Serial
 86400	; Refresh
 7200	; Retry
 2592000	; Expire
 345600 )	; Minimum

 ; Name Server (NS) records.
 NS   deep.openna.com.
 NS   mail.openna.com.

 ; Addresses Point to Canonical Names (PTR) for Reverse lookups
 1  PTR      deep.openna.com.
 2  PTR      mail.openna.com.
 3  PTR      www.openna.com.

To configure of the /var/named/db.openna file for a master name server, use this configuration for the server on your network that acts as a master name server. The file db.openna maps addresses to host names. Create the following file in /var/named/.

Create the db.openna file touch /var/named/db.openna and add: 

 ; Revision History: April 22, 1999 - admin@mail.openna.com
 ; Start of Authority (SOA) records.
 $TTL 345600
 @  IN  SOA  deep.openna.com. admin.mail.openna.com.  (
 00	; Serial
 86400	; Refresh
 7200	; Retry
 2592000	; Expire
 345600 )	; Minimum

 ; Name Server (NS) records.
 NS   deep.openna.com.
 NS   mail.openna.com.

 ; Mail Exchange (MX) records.
 MX   0  mail.openna.com.

 ; Address (A) records.
 localhost	A       127.0.0.1
 deep	A       208.164.186.1
 mail	A       208.164.186.2
 www	A       208.164.186.3

 ; Aliases in Canonical Name (CNAME) records.
 ;www                           CNAME  deep.openna.com.

To configure the /var/named/db.cache file for a master and slave name servers Before starting your DNS server you must take a copy of the db.cache file and copy it into the /var/named/ directory. The db.cache tells your server where the servers for the root zone are.

Use the following command on another Unix computer in your organization to query a new db.cache file for your DNS Server or pick one from your Red Hat Linux CD-ROM source distribution: 

 [root@deep] /# dig @.aroot-servers.net . ns > db.cache
Don't forget to copy the db.cache file to the /var/named/ directory on your server where you're installing DNS server after retrieving it over the Internet.

PrevHomeNext
Caching-only name ServerUpSecondary slave name Server