Module 2: Zone Files

Objectives
- Understand the idea of a zone and how it relates to a domain name
- Understand zone file structure
- Understand the major Resource Records (RRs) used to create zone files
- Understand IPv4 Reverse Mapping
- Understand which zone files are required
DNS – Zone Files
- Domain = Zone
- Textual descriptions of the various Resource Records (RRs) that describe the domain, such as Name Servers, Mail Servers, Services and hosts, plus Directives
- Forward mapping translates a name into an IP address or a secondary name
- Reverse Mapping translates an IP address into a name
- The Authoritative server for the Domain (Zone) loads the zone files
DNS Zone File
; IPv4 zone file for example.com
$TTL 2d ; default TTL for zone
$ORIGIN example.com. ; base domain-name
; Start of Authority record defining the key characteristics of the zone (domain)
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2003080800 ; se = serial number
        12h        ; ref = refresh
        15m        ; ret = update retry
        3w         ; ex = expiry
        2h         ; min = minimum
        )
; name servers Resource Records for the domain
        IN NS ns1.example.com.
; the second name server is
; external to this zone (domain).
        IN NS ns2.example.net.
; mail server Resource Records for the zone (domain)
   3w   IN MX 10 mail.example.com.
; the second mail server has lower priority and is
; external to the zone (domain)
        IN MX 20 mail.example.net.
; domain hosts includes NS and MX records defined previously
; plus any others required
ns1     IN A 192.168.254.2
mail    IN A 192.168.254.4
joe     IN A 192.168.254.6
www     IN A 192.168.254.7
; aliases ftp (ftp server) to an external location
ftp     IN CNAME ftp.example.net.
DNS - Forward Mapping
- SOA RR defines the Apex of the zone and its general properties
- NS RRs define the Name Servers (DNS) which are authoritative
- MX RRs define the mail servers
- CNAME RRs define aliases
- A (IPv4) and AAAA (IPv6) RRs define IP addresses
- TXT RRs are general records (SPF)
RRs – Generic Format
name ttl class type parameters
- name or label identifies the record externally, for instance, www
- ttl (Time-to-Live) defines how long the RR may be cached, in seconds
- class = IN = Internet
- type of RR, for example, MX
- One or more type-specific parameters
- TTL and Class can be omitted
Zone Directives
All start with $
- $TTL time-in-seconds: default Time-to-Live for the zone in seconds
- $ORIGIN FQDN.: Base domain (zone) name
- $INCLUDE file-name: Include another file here
Comments start with ;
$TTL Zone Directive
- The default Time-to-Live in seconds if there is no TTL value on the RR
- 172800 = 2 days
- Takes short forms in BIND: m, h, d, w
- 172800 = 2d or 48h
- $TTL 1d2h3m = 93780
- Must appear before any RR (first)
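A parser and printer for the BIND TTL shorthand on this slide, added here as an example (it is not course material or BIND code); with it 172800, 2d, 48h and 1d2h3m can all be compared as seconds, and malformed values such as 1d2x are rejected rather than silently truncated.

```python
import re

# Added example (not course material): BIND TTL shorthand as described on the slide.
UNIT_SECONDS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
_TTL_PART = re.compile(r"(\d+)([smhdwSMHDW])")


def parse_ttl(text: str) -> int:
    """Return a TTL in seconds from a plain integer or BIND units (s/m/h/d/w).

    Raises ValueError for anything not made wholly of such parts,
    e.g. '1d2x', '2d 3h' or ''."""
    text = text.strip()
    if text.isdigit():
        return int(text)
    parts = _TTL_PART.findall(text)
    # every character must belong to a number+unit pair, in order
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad TTL: {text!r}")
    return sum(int(n) * UNIT_SECONDS[u.lower()] for n, u in parts)


def format_ttl(seconds: int) -> str:
    """Inverse of parse_ttl, largest unit first: 93780 -> '1d2h3m', 172800 -> '2d'."""
    if seconds == 0:
        return "0"          # 0 = never cache (the slides call this dangerous)
    out = []
    for unit in "wdhms":
        count, seconds = divmod(seconds, UNIT_SECONDS[unit])
        if count:
            out.append(f"{count}{unit}")
    return "".join(out)
```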
DNS - TTL
- Only used by caching name servers (resolvers); a Slave uses the SOA parameters instead
- Determines the time the RR can be held in a cache before being refreshed
- Value in seconds (think in hours)
- 0 = never cache (dangerous)
- Determines DNS change propagation time
$ORIGIN Directive
- Defines a label (name) that will be used to substitute all non-FQDN names
- Parameter must be an FQDN, terminated with a dot: $ORIGIN example.com.
- Optional - defaults to the zone name
- Usage illustrated later
File layout rules
- Comments begin with ;
- Parameters continued in parenthesis ()
- Name @ = $ORIGIN
- Blank or TAB = last label or $ORIGIN

; IPv4 zone file for example.com
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2003080800 ; se = serial number
        12h        ; ref = refresh
        15m        ; ret = update retry
        3w         ; ex = expiry
        2h         ; min = minimum
        )
DNS – Substitution Rule
If any name (label) in a zone file is not an FQDN, the last value of $ORIGIN will be appended to the end of the name (label).
DNS - SOA RR
- SOA defines the start of the zone and must be the first non-directive entry
- pmns = Primary Master Name Server: one of the authoritative name servers OR, if DDNS is used, the NS which will be updated. Spec. name is MNAME
SOA pmns mail sn refresh retry expiry min
DNS - SOA RR
- mail = mailbox of the DNS administrator or tech contact
- Format is all dot separated (a dot replaces the @): hostmaster.example.com (recommended) = hostmaster@example.com
- Can be very important
- Spec name is RNAME
SOA pmns mail sn refresh retry expiry min
DNS - SOA RR
- sn = serial number of zone contents
- Arbitrary number of up to 10 digits (maximum 4294967295)
- Usage typically YYYYMMDDSS: YYYY = year, MM = month, DD = day, SS = sequence number
- MUST increment every time zone contents change
- Slave reads SOA and compares serial number
SOA pmns mail sn refresh retry expiry min
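As an added example (not course material), the YYYYMMDDSS convention above turned into a helper that always moves the serial forward, plus the comparison a slave actually makes; the comparison goes slightly beyond the slide, since name servers use RFC 1982 serial arithmetic rather than a plain integer compare.

```python
from datetime import date

# Added example (not course material): YYYYMMDDSS serials as described on the slide.
MAX_SERIAL = 4294967295          # 32-bit unsigned, as on the slide


def next_serial(current: int, today: date) -> int:
    """Return the next YYYYMMDDSS serial, always greater than `current`.

    The first change on a new day gives YYYYMMDD00; later changes the same
    day bump SS.  If `current` already carries a later date (a past mistake),
    it is still bumped rather than reset, because a lower serial would stop
    slaves from ever transferring the zone again."""
    if not 0 <= current <= MAX_SERIAL:
        raise ValueError("serial must fit in 32 bits")
    todays_base = int(today.strftime("%Y%m%d")) * 100
    new = todays_base if current < todays_base else current + 1
    if new > MAX_SERIAL:
        raise ValueError("serial would overflow 32 bits")
    return new


def slave_sees_newer(master_serial: int, slave_serial: int) -> bool:
    """Serial comparison as name servers do it (RFC 1982 serial arithmetic):
    the master is newer if it is 1 to 2**31-1 ahead of the slave modulo 2**32,
    so a serial that has wrapped past 2**32 still counts as newer."""
    return 0 < (master_serial - slave_serial) % 2**32 < 2**31
```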
DNS - SOA RR
- refresh = time after which the Slave will start to refresh the zone from the Master (AXFR, IXFR)
- retry = time between failed attempts to refresh the zone
- expiry = time after which the Slave will not respond to zone requests if the Master has not been reached
- min = time NXDOMAIN (no name) may be cached (max 3 hours)
SOA pmns mail sn refresh retry expiry min
DNS – SOA Example
@ IN SOA ns1.example.com. hostmaster.example.com. (
2003080800 ; se = serial number
12h ; ref = refresh
15m ; ret = update retry
3w ; ex = expiry
2h ; min = nxdomain ttl
)
DNS – SOA Example
$ORIGIN example.com.
@ IN SOA ns1 hostmaster (
2003080800 ; se = serial number
12h ; ref = refresh
15m ; ret = update retry
3w ; ex = expiry
2h ; min = nxdomain ttl
)
DNS - NS RR
- NS RRs list all name servers for the domain
- At zone apex for this zone
- Minimum of two
- In-zone servers will need A or AAAA RRs
- name = name of an internal or external name server that is authoritative for this domain
- NS RRs appear in the zone (authoritative) and in the parent (point of delegation – not authoritative)
NS name
DNS – NS RRs
; name servers Resource Records for the domain
IN NS ns1.example.com.
; could have been
; IN NS ns1
; the second name server is
; external to this zone (domain).
IN NS ns2.example.net.
DNS – NS RRs
$ORIGIN example.com.
; name servers Resource Records for the domain
IN NS ns1.example.com.
; missing dot
IN NS ns1.example.com
; looks for ns1.example.com.example.com.
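The substitution rule and the missing-dot mistake above, worked through in code that is an added example (not course material or BIND code): it applies '@' = $ORIGIN, blank owner = last owner, and non-FQDN + $ORIGIN to a constructed zone snippet, then checks the rule from the NS and MX slides that in-zone server names need an A or AAAA record, which is exactly what the mangled name fails.

```python
# Added example (not course material or BIND code): the slide's name rules.
RR_TYPES = {"NS", "MX", "A", "AAAA", "CNAME", "PTR", "TXT"}

def qualify(name: str, origin: str) -> str:
    """Substitution rule: '@' means $ORIGIN; no trailing dot -> append $ORIGIN."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def resolve_records(zone_text: str):
    """Return (owner, type, rdata) triples with every name fully qualified.
    Slide subset only: $ORIGIN, ';' comments, optional TTL/class, one record per line."""
    origin, last_owner, records = ".", "@", []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0].startswith("$"):        # directive; only $ORIGIN matters here
            origin = tokens[1] if tokens[0] == "$ORIGIN" else origin
            continue
        if line[0].isspace():                # blank or TAB owner: reuse the last one
            fields = tokens
        else:
            last_owner, fields = tokens[0], tokens[1:]
        while fields[0] not in RR_TYPES:     # drop the optional ttl and class
            fields.pop(0)
        rtype, rdata = fields[0], fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):  # right-hand names follow the rule too
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "MX":
            rdata = [rdata[0], qualify(rdata[1], origin)]
        records.append((qualify(last_owner, origin), rtype, " ".join(rdata)))
    return records

def in_zone_targets_without_address(records, origin: str):
    """NS/MX targets inside this zone that lack the A/AAAA RR the slides require."""
    has_addr = {o for o, t, _ in records if t in ("A", "AAAA")}
    targets = {r if t == "NS" else r.split()[1] for _, t, r in records if t in ("NS", "MX")}
    return sorted(n for n in targets if n.endswith("." + origin) and n not in has_addr)

SAMPLE_ZONE = """\
; constructed sample in the slides' style (not the course file)
$ORIGIN example.com.
@       IN NS  ns1.example.com.
        IN NS  ns1                 ; could have been written this way
        IN NS  ns1.example.com     ; missing dot
   3w   IN MX  10 mail
ns1     IN A   192.168.254.2
mail    IN A   192.168.254.4
"""
```

Running `resolve_records(SAMPLE_ZONE)` shows the third NS record pointing at ns1.example.com.example.com., and `in_zone_targets_without_address` reports that name as a server with no address record.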
DNS - MX RR
- MX RRs list all incoming mail servers for the domain
- Defined at zone apex for this zone
- One or more
- priority = relative priority of the defined server (low is most important). Value = 0 – 65535
- name = name of an internal or external mail server for this domain
- In-zone servers will have A or AAAA RRs
MX priority name
DNS – MX RRs
; mail server Resource Records for the zone (domain)
   3w   IN MX 10 mail.example.com.
; the second mail server has lower priority and is
; external to the zone (domain) - backup
        IN MX 20 mail.example.net.
3w = TTL
Priority 10 simply means you can add a more important mail server with only one change
DNS - A RR
- A RRs list all visible hosts for the zone (domain)
- Must include the in-zone NS and MX RRs plus others
- IPv4-address = standard dotted quad address (an address, not a name)
A IPv4-address
DNS - AAAA RR
- AAAA RRs list all visible IPv6 hosts for the zone (domain)
- Mixed with A RRs; both A and AAAA if dual stacked
- IPv6-address = standard colon separated address (an address, not a name)
AAAA IPv6-address
DNS – A RRs
; domain hosts includes NS and MX records defined
; previously plus any others required
ns1     IN A 192.168.254.2
mail    IN A 192.168.254.4
joe     IN A 192.168.254.6
www     IN A 192.168.254.7
DNS - CNAME RR
- CNAME RRs map an alias name to a canonical (real) name (A or AAAA RRs)
- May point to a host name in-zone or out-of-zone
- canonical-name = real name of the host
- CNAME costs an extra access; the alternative is to use multiple A or AAAA RRs
CNAME canonical-name
DNS – CNAME RRs
; aliases ftp (ftp server) to an external location
ftp     IN CNAME ftp.example.net.
; very common use of CNAME
mail    IN A 192.168.2.3
www     IN CNAME mail
; alternate – functionally identical
mail    IN A 192.168.2.3
www     IN A 192.168.2.3
DNS - TXT RRs
- TXT RRs may be used to contain any text
- Externally visible
- Used to define Sender Policy Framework (SPF) RRs (now also the SPF RR)
- Used to define DKIM RRs
- text = enclosed in quotes
TXT text
DNS – TXT RRs
; uses of TXT
ftp     IN CNAME ftp.example.net.
        IN TXT "Supports FTP and SFTP"
mail    IN A 192.168.0.18
mail    IN TXT "v=spf1 ip4:192.168.0.3/27 -all"
; DKIM TXT RR
mail._domainkey IN TXT "v=DKIM1;t=s;p=blah....blah;"
; ADSP TXT RR
_adsp._domainkey IN TXT "dkim=discardable;"
DNS – Reverse Mapping
- Maps an IP address to a name
- Domain name hierarchy is right to left – www.example.com
- IP address hierarchy is left to right – 192.168.0.1
Solution
- Remove last digit (192.168.0)
- Invert number (0.168.192)
- Append in-addr.arpa (0.168.192.in-addr.arpa)
- Define .1 (and others) in zone file with PTR RR
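The four steps above carried out in code, as an added example that is not course material: it derives the in-addr.arpa zone and PTR label for an address, builds PTR records from the example.com A records on the earlier slides, and performs the forward-confirmed reverse lookup that mail systems rely on (the reverse zone names a host, and that host's A record must point back at the same address).

```python
import ipaddress

# Added example (not course material): the slide's four reverse-mapping steps.

def reverse_zone_and_label(ip: str):
    """Split a host address into its in-addr.arpa zone and PTR label:
    192.168.254.17 -> ('254.168.192.in-addr.arpa.', '17')."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")  # also validates the address
    network, host = octets[:3], octets[3]                # 1. remove the last digit
    zone = ".".join(reversed(network))                   # 2. invert the number
    return zone + ".in-addr.arpa.", host                 # 3. append in-addr.arpa

def build_ptr_records(forward_a: dict):
    """4. Define each host with a PTR RR, grouped by the reverse zone it lives in.
    forward_a maps FQDN -> IPv4 address; result maps zone -> [(label, 'PTR', fqdn)]."""
    zones = {}
    for fqdn, ip in forward_a.items():
        zone, label = reverse_zone_and_label(ip)
        zones.setdefault(zone, []).append((label, "PTR", fqdn))
    return zones

def reverse_lookup(ip: str, zones: dict):
    """Name the PTR for ip resolves to, or None if the reverse zone lacks it."""
    zone, label = reverse_zone_and_label(ip)
    return next((fqdn for lbl, _, fqdn in zones.get(zone, []) if lbl == label), None)

def forward_confirmed(ip: str, forward_a: dict, zones: dict) -> bool:
    """The check mail systems make: the PTR for ip must name a host whose A
    record is that same ip, so the reverse and forward zones must agree."""
    fqdn = reverse_lookup(ip, zones)
    return fqdn is not None and forward_a.get(fqdn) == ip

# Constructed from the A RRs on the slides; all names are FQDNs with a trailing dot.
FORWARD_A = {
    "ns1.example.com.": "192.168.254.2",
    "mail.example.com.": "192.168.254.4",
    "joe.example.com.": "192.168.254.6",
    "www.example.com.": "192.168.254.7",
}
```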
DNS – Reverse Zone File
; simple reverse mapping zone file for example.com
$TTL 2d ; default TTL for zone
$ORIGIN 254.168.192.IN-ADDR.ARPA.
; Start of Authority record defining the key characteristics of the zone (domain)
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2003080800 ; sn = serial number
        12h        ; refresh
        15m        ; retry
        3w         ; expiry
        2h         ; min = minimum
        )
; name servers Resource Records for the domain
        IN NS ns1.example.com.
; the second name server is
; external to this zone (domain).
        IN NS ns2.anotherdomain.com.
; PTR RR maps an IPv4 address to a host name
2       IN PTR ns1.example.com.
...
4       IN PTR mail.example.com.
...
16      IN PTR joe.example.com.
17      IN PTR www.example.com.
...
DNS - PTR RRs
- PTR RRs map a name to a name
- Both left and right hand expressions are names – needs $ORIGIN
- Right hand name must be an FQDN
- PTR is used for both IPv4 and IPv6
- Separate zone files for IPv4 and IPv6 because of the domain name: the reverse map domain for IPv6 is ip6.arpa
- Generally only a single IP is mapped to a name
name PTR name
DNS – PTR RR
$ORIGIN 254.168.192.IN-ADDR.ARPA.
...
; PTR RR maps an IPv4 address to a host name
2       IN PTR ns1.example.com.
...
4       IN PTR mail.example.com.
...
16      IN PTR joe.example.com.
17      IN PTR www.example.com.
; could be written as
17.254.168.192.IN-ADDR.ARPA. IN PTR www.example.com.
...
; missing dot
1       IN PTR bill.example.com
; maps to bill.example.com.254.168.192.IN-ADDR.ARPA.
...
DNS – Reverse Mapping
- IPv4: Optional. Used especially by mail systems to do reverse lookup (essential)
- IPv6: Optional (originally Mandatory)
- Local IP address reverse map
Zone File – Best Practice
- Comment file – changes made
- Always include $ORIGIN: $ORIGIN is optional and defaults to the name of the zone, but omitting it is bad practice – non-self documenting
- Use a consistent style: FQDN on right names, or left names, or both
Required Zone Files
- Depends on name server function
- Forward and reverse map for the localhost zone: forward domain = localhost, reverse map 0.0.127.in-addr.arpa
- Hints file if caching server – points to root-servers
- Reverse map for private IPs (192.168.x, 10.x.x, 172.16.x)
Hints (Root) Zone file
;
; last update: Jan 29, 2004
; related version of root zone: 2004012900
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000    A  198.41.0.4
…
Local Host Forward Map
$TTL 86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN localhost.
@  1D  IN SOA @ hostmaster (
        2004022401 ; serial
        12h        ; refresh
        15m        ; retry
        1w         ; expiry
        3h         ; minimum
        )
@  1D  IN NS @          ; localhost is the name server
   1D  IN A 127.0.0.1   ; always returns the loop-back address
Alternate Format
$TTL 1d ;
$ORIGIN localhost.
localhost. IN SOA localhost. hostmaster.localhost. (
        2002022401 ; serial
        3H         ; refresh
        15M        ; retry
        1w         ; expire
        3h         ; minimum
        )
localhost. IN NS localhost.   ; localhost is the name server
localhost. IN A 127.0.0.1     ; the loop-back address
Localhost Reverse Map
$TTL 86400 ; 24 hours; could use $ORIGIN 0.0.127.IN-ADDR.ARPA.
@ IN SOA localhost. hostmaster.localhost. (
        1997022700 ; Serial
        3h         ; Refresh
        15         ; Retry
        1w         ; Expire
        3h )       ; Minimum
        IN NS localhost.
1       IN PTR localhost.
Quick Quiz
- What RR defines a mail server?
- What is the first record in a zone file?
- What does the $ORIGIN directive do?
- How does the slave know to transfer a zone?
- What is a PTR RR used for?
- What value defines how long an RR can be cached?