|
More on DNS
Expanding the networkThe network that contains the domain e-nor.loc has now been expanded by the addition of another Linux server. However to make life interesting, this server is in a new domain called i-nor.loc. So the fully qualified host name of this new server is linux-3.i-nor.loc. Due to a lack of suitable hardware to allow the domain i-nor.loc to exist on its own network segment, both domains now exist on the same network segment of 192.192.192.192/28 This has interesting implications for providing DNS for each of the domains, particularily as it is required for each domain to have its own domain server. All this is not as far removed from reality as may be first thought - a somewhat similar situation can exist where an ISP has acquired a number of Class C networks, and sells the IP addresses on to customers in smaller lots than 256 at a time, using classless IP addressing. Each customer will want to run and maintain their own DNS servers, with no account being taken of the other customers.
Why this causes a problem with DNSThe forward lookup facility is not too much of a problem, since a fully qualified host name contains the name of the domain, and so a division on the basis of domain is relatively easy. The main problem arises from the requirement to provide reverse lookup - reverse lookups are normally done through the use of one of the zones 192.in-addr.arpa. 192.192.in-addr.arpa. 192.192.192.in-addr.arpa. But these three zones are multiples of 256 addresses, this system does not allow smaller divisions. In general terms, the solution is to create another break point before the first 192 in the last of the above zones. So for example, if a class C network is split into two classless networks of 128 IP addresses each, two zones would be created, which would be 0-127.192.192.192.in-addr.arpa. 128-255.192.192.192.in-addr.arpa. A higher level DNS server would point the reverse lookups to the correct DNS server for that zone, through the use of the CNAME type of resource record to provide the identity of the correct zone, and hence DNS server, for each address within the class C range. This should become clearer by looking at the relevant zone files for the network 192.192.192.192/28
Introduction to 192.192.192.192/28The isolated network 192.192.192.192/28 I am using is of course slightly different from the situation described above for ISP`s, because I have two domains on the one network segment, rather than the two domains on two classless subnets. However the principles for DNS are pretty similar. In this case,
The /etc/hosts filesThese stay the same, so for linux-1 it looks like
for linux-2 it is
and for linux-3 it is
Linux-2 still lives within the e-nor.loc domain, even though it is the root DNS server for both domains.
The /etc/resolv.conf filesAgain, these stay pretty well the same for linux-1 and linux-3, except the domain names change - For linux-1,
However the /etc/resolv.conf file for linux-2 needs to change - it needs to reflect the fact that linux-2 is not the primary dns server for the domain e-nor.loc. The primary name server for e-nor.loc is linux-1, and for i-nor.loc, it is linux-3. So the /etc/resolv.conf file in linux-2 looks like
Any DNS enquiries originating within linux-2 will try 192.192.192.196 first, if that server cannot answer the query, linux-2 will try 192.192.192.206 next.
Introducing the DNS root serverHaving decided that linux-2 is to function as a DNS root server on the 192.192.192.192/28 network, two steps have to be taken -
Configuring linux-2 as the root serverThe starting point is the /etc/named.conf, which advises the "named" daemon about the zones it is required to deal with. In linux-2, this looks like
As can be seen, there are only two zones. The forward zone is for the domain ".", as this is the highest level domain - the named.for file for this zone looks like
So this forward file is fairly conventional, and does only two tasks - it identifies the name servers for each domain, and it provides the IP address for the two primary DNS servers. All the domain names are fully qualified, as it is not wanted for the local domain to be appended to any of them. The reverse file is more interesting - because an IP address does not contain any explicit information about which domain it should be attached to, the reverse file on the root server has to provide this information. It does this by first of all splitting up the whole range of IP addresses that are part of the subnet - in this case, the subnet is of course 192.192.192.192/28. It can therefore contain host addresses in the range 192.192.192.193 up to 192.192.192.206 In this case, the subnet is split into two unequal parts, and a fifth number is added to the dotted quad notation to identify these two parts. Then each IP number in the range 192.192.192.193 up to 192.192.192.206 is pointed to the correct part of the subnet, by using the CNAME type of resource record. So the reverse file looks like
Note that this lookup table does not know anything about the host names that will exist on the subnet - what it does is point to the correct reverse lookup file using the CNAME resource records, and then uses the NS resource records to point to the DNS server that carries that reverse file.
Configuring linux-1 and linux-3The first thing to do is to make the DNS servers on linux-1 and linux-3 aware of the existence of the root server. This is done through the /etc/named.conf file, by specifying the zones that "named" will work with. To make the DNS server aware of the root server, another zone is added to the /etc/named.conf file. This part of the /etc/conf looks like
The root.cache file contains only two lines -
If a DNS query cannot be solved from the master zone for the domain, ie, from the named.for file, then the DNS server consults the next DNS server upwards, which in this case is the root server on linux-2. The named.for file is fairly standard, this zone provides the normal forward lookups. For linux-1 this looks like
The corresponding one for linux-3 is
The last bit of configuration through the /etc/named.conf is to set up the reverse lookup zone. This is set up to match the zone files that were defined in the reverse lookup file for the root DNS server, ie, linux-2. The reverse zone file for the e-nor.loc domain was specified as 1.192.192.192.in-addr.arpa and for the i-nor.loc domain, 3.192.192.192.in-addr.arpa These zone files are actually unchanged in content, it is only the name of the zones which have changed.
and
For completeness, here are the /etc/named.conf files for linux-1 and linux-3 They now show the new zone for the root server, and the changed name for the reverse lookup zone. For linux-1
And for linux-3
Finally ....And that is it - the biggest problem is that all reverse lookup queries must go through the root server reverse zone file, and then get transferred to the correct local name server. It would be better if the primary name server for a domain was able to decide if an IP address on the subnet was for the local domain, or for another domain. But if a zone called "192.192.192.IN-ADDR.ARPA" is created for the domain`s primary name server, then the name server tries to lookup all the IP addresses in the range 192.192.192.000 up to 192.192.192.255 in this zone, and when it does not find an answer, the lookup fails. However it has created the situation that was required - ie, each domain has its own name server, and the host names only appear on the local name servers. Neither the name server for one domain , nor the root server, need to know about the host names for the other domain.
© 2002 Ron Turner Return to the Linux index page
|
|