Softpanorama
(slightly skeptical) Open Source Software Educational Society

May the source be with you, but remember the KISS principle ;-)

Slightly Skeptical Notes on Solaris DNS Server Installation and Administration

Old News ;-)	See Also	Recommended Books	Recommended Links	Tutorials	FAQs	RFCs
Load balancing via DNS	Troubleshooting	DNS Tools	DNS Security	Consulting	Humor	Quiz

Solaris uses an open source DNS implementation called BIND (Berkeley Internet Name Domain) as its DNS daemon. BIND (Berkeley Internet Name Domain) is the oldest implementation of the DNS protocol that can be traced to original BSD systems.

Contrary to popular urban myth Paul Vixie did nit write the original BIND. As Kevin Oberman recollected:

The first BIND version (4.3?) was written by the CSRG at UC Berkeley by Kevin Dunlap who was on loan to CSRG by Digital (who also employed Paul at that time). When Paul took over support of BIND at about 4.4, it was a horrid mess and rapidly moving toward death. After some fixes and clean-up of the code, the first real BIND from Paul was 4.8. ISC (including Paul) wrote BIND 8. BIND 9 was contracted out to Nominum and one of the stipulations was that the existing code base could not be used at all and another was that the team that wrote BIND 8 should not work on BIND 9. For that (and other) reason, Paul did not write any of BIND 9

In his comment to the letter Paul Vixie clarified some facts:

> Well, Paul Vixie wrote bind

nope. kevin dunlap and other folks at U C Berkeley wrote BIND originally. all i did was fork the code base at 4.8.3, produce King James BIND, then BIND 4.9 through BIND 8.1, and along the way co-founded ISC with rick adams. also along the way i won the "most cert advisories by a single author" award (which noone has been willing to try to take away from me) and stopped coding. i'm pleased to announce that BIND9 has no code from BIND8 or BIND4 in it, and also no code from me in it.

--- oberman@es.net ("Kevin Oberman") writes:

> Paul Vixie did NOT write the original BIND. The first BIND version
> (4.3?) was written by the CSRG at UC Berkeley by Kevin Dunlap who was on
> loan to CSRG by Digital (who also employed Paul at that time).

no, i was employed by Digital later, long after kevin dunlap had moved on.

> When Paul took over support of BIND at about 4.4,

4.8.3.

> it was a horrid mess and rapidly moving toward death.

and there were other code forks besides mine. what distinguished my work
was that i merged in every change i could understand from every other fork.
(that's why i called it King James BIND, for you literary history buffs.)

> After some fixes and clean-up of the
> code, the first real BIND from Paul was 4.8.

4.9.

> ISC (including Paul) wrote BIND 8.

john gilmore and bob halley had a LOT to do with the creation of BIND8 btw.
(john also taught me to use CVS rather than RCS, to my great betterment,
and he wrote some early DNSSEC code, and negotiated a licensing deal between
RSADSI and ISC... he's an unsung hero in the BIND revolution.)

> BIND 9 was contracted out to Nominum

internet engines. Which later became nominum.

> and one of the stipulations was that the existing code base could not be
> used at all and another was that the team that wrote BIND 8 should not
> work on BIND 9.

actually, bob halley worked on both BIND8 and BIND9.

> For that (and other) reason, Paul did not write any of BIND 9.

yea, verily.

--- david.conrad@nominum.com (David Conrad) writes:

> However, I don't speak authoritatively (pun intended) on BIND.

and yet, for the record, i agree with everything drc said in his note today.
--
Paul Vixie

The source code is licensed under BSD license and includes implementation of:

a Domain Name System server (named)
a Domain Name System resolver library
tools for verifying the proper operation of the DNS server (dig and nslookup).

When you are working with BIND it's evident how old it is and how people who developed various packages for it were unable to understand the "spirit of Unix" and come with kluges that contradict Unix philosophy, but for some reason stay with us for decades. Actually first implementations of DNS servers were for the TOPS-20 operating system in 1983.

Still BIND is a pretty vivid demonstration of inability of designers of Unix packages to grasp the spirit of Unix :-) And while the general DNS architecture is sound the BIND implementation was (until version 9 let's hope) a very questionable security-wise. Administration-wise it continues to be challenging to say the least. IMHO administration was done unnecessary complex by configuration files that are far from being human-friendly and have subtle interdependencies that for some unexplainable reason need to be resolved manually (many scripts exist for this purpose and at least couple of them should probably be used by every non-masochistic DNS admin).

The structure of DNS configuration files can serve as a good example of how old data-related mini-languages survive in software packages. And they can be quite horrible mess even if the code written by above average programmers. Even in Bind 9 the configuration files remain very cumbersome and their maintenance time consuming and error prone.

Currently the second (or third) generation of Unix administrators needs to suffer from all those unnecessary complexity. In a sense BIND is the greatest failure of open source programming model. Despite its critical role in Internet infrastructure BIND 4 and 8 were probably one of the most "security-challenged" open source applications widely deployed. At least until version 9 was released. For decades it was pretty unusual not have a bind exploit each second quarter. Not that all of those exploit were really dangerous, but still the feeling was that one needs to upgrade and countless hours were spend on countless upgrade of bind by each organization with its own nameserver.

BIND's complexity provided a windows opportunity for book publishers and I believe O'Reilly got a neat revenue from selling four editions of BIND book.

Alternative implementations of DNS servers exist including several open source packages but none get the same level of prominence as original BIND. Of alternative free packages only D. J. Bernstein's djbdns got some traction due to it significantly higher level of security: it is sometimes called "Continuous DNS service without continual software upgrades" :-)

As of Jan 2006 current versions from Internet Systems Consortium, Inc. are

Current Release
BIND 9.3.2 [ download ] [ security ] [ manual: html | pdf ]
Maintenance Releases
BIND 9.2.6 [ download ] [ security ] [ manual: html | pdf ]
BIND 8.4.7 [ download ] [ security ]

You should recompile those versions using Studio 11 or download the latest precompiled version from Solaris freeware site. It does not make sense to preserve the version that comes with Solaris 9 or 10.

In Solaris the daemon in.named is by default placed in /usr/sbin/ . It is stared during system boot if the /etc/named.conf file exists. When configuring nameserver, you need to supply the following information in your /etc/named.conf and files that it refers to (so called DNS resource records) :

Names and addresses of root servers.
The information needed to resolve all domains for which the server is authoritative. Those records, called A records provide name to address translation.
The information needed to resolve all inverse domains for which the server is authoritative. Those records called IN records provide address to name translation (construction of IN records can be automated as all information necessary is contains in A-record
Names and addresses of servers for all domains one level below the domain being served by this server. This is sometimes referred to as parenting or delegating.
All of this information is supplied in configuration files referred to by the BIND configuration file /etc/named. conf and loaded into the in . named cache.

There are two major versions of BIND daemon: version 8 and version 9. Solaris 9 uses BIND 8.x.x implementation. Solaris 10 uses 9.x.x implementation.

/etc/named.conf configuration file determines if the server is a primary, secondary, or cache-only name server. It also specifies the zones over which the server has authority and which data files it should read to get its initial data.

master server is defined by the type master in the zone statement of /etc/named.conf .
slave servers are defined by the type slave argument to the zone statement in the /etc/named.conf configuration file.

The/etc/named.conf file consists of statements possibly separated by blank lines. Each statement should end with a semicolon. Some statements can contain a block of statements in curvy brackets. Again, each statement in the block is terminated with a semicolon.

There are several major types of named.conf statements. Four are used in the example below:

options Controls global server configuration options and sets default values for other statements.
zone Defines a zone. Selectively applies options on a per-zone basis, rather than to all zones.
file Defines an include file that contains so called called DNS resource records. Is used to break up the configuration into more easily managed chunks.
type Sets designated type associated with a server.

Here is an example of the BIND configuration file /etc/named. conf and its relationship to name server data files.

options {
   DIRECTORY "/var/named";
};

zone "." in {
   type hint;
   file "named.root";
};

zone "softpanorama.org" in {
   type master;
   file "softpanorama.org.zone";
};

zone "10.10.10.in-addr.arpa" in {
   type master;
   file "softpanorama.org.rzone";
};

zone "127.in-addr.arpa" in {
   type master;
   file "loopback-domain-info";
};

Other statements include:

acl Defines a named IP address match list used for access control. The address match list designates one or more IP addresses or IP prefixes. The named IP address match list must be defined by an acl statement before it can be used elsewhere. No forward references are allowed.
key Specifies a key ID used for authentication and authorization on a particular name server.

logging Specifies the information the server logs and the destination of log messages.

Further reading:

Format of resource records is discussed in DNS Resource Records page.
Security in Solaris DNS Security Links
See also an excellent tutorial at Everything Solaris/DNS for dummies

Dr. Nikolai Bezroukov

Notes:

Those pages are written by people for whom English is not a native language. Some amount of grammar and spelling errors should be expected.
This is a Spartan WHYFF (We Help You For Free) site. It cannot replace the best teachers and the best books.
The site contain some obsolete pages as it develops like a living tree... Some links on older pages are broken. Please try to use Google, Open directory, etc. to find a replacement link (see HOWTO search the WEB for details). We would appreciate if you can mail us a correct link.

Search Amazon by keywords:
Open directory	Research Index

Old News ;-)

2007

2006

2005

2004

2003

2002 and earlier

[Nov 19, 2007] Novel Course 3074_Sample/Configure a DNS Server

The configuration of each DNS server type is slightly different. In this objective the following is discussed:

Configure a Caching-Only DNS Server

Configure a Master Server for Your Domain

Configure One or More Slave Servers

[Aug 30, 2006] A community-submitted Tech Tip, Implementing a DNS Server on the Solaris 8 OS, offers suggestions for setup on both SPARC and x86 platforms. -- pretty poor and very basic.

[Jan 27, 2006] DNS Server Setup Template for the Solaris Operating Environment Technical Articles and Tips DNS Server Setup Template for the Solaris Operating Environment

You never know when the set up for a trade show, demo, lab, or other project might come to a loggerhead because someone needs a robust internet domain name server (DNS). The function of the DNS is to act as the server that client applications contact to resolve an IP address from the host name. The IP address is then used by network routers to send data packets to the remote server.

In reverse mode, the DNS can also resolve host names when given an IP address. Many UNIX applications use this method to perform security checks, Address Resolution Protocol (ARP), or Reverse Address Resolution Protocol (RARP) to verify that the host name data and IP address do indeed match. For example, if you try to Telnet or FTP to a Solaris host from a renegade laptop using a valid but unresolvable IP address on the LAN, you may notice that it can take up to 60 seconds to receive the login prompt. You can fix this delay by simply adding an entry for host name and IP address into the maps on the primary network DNS.

Setting up a DNS from scratch can be complicated. Although you can read the man pages and generate valid map files from scratch, it is not very efficient. A better way is to follow an example template provided in the next section.

Unpacking Instructions

Download this template to a work directory, such as /var. To unpack the file, at the command line type:
    zcat name.tar.Z | tar xvf -
Fast Installation Overview

For quick installation, do the following:
Determine what type of DNS you want and what support information you need from your network provider, such as global caching DNS.

Edit the named.* files you need. For releases prior to Solaris 7, use named.boot, named.local, named.cache, named.mydomain, and named.mydomain.rev. For Solaris 7 and Solaris 8, the map files are the same, but edit the named.conf instead of named.boot.
Edit the /etc/resolv.conf file. It should look like the following:
    domain mydomain.com
    nameserver 127.0.0.1     ;if DNS server runs on this host
    nameserver 129.200.9.1   ;if this is a remote client
Create a symbolic link in /etc/ to either the named.boot or named.conf file and start the DNS (/usr/sbin/in.named).

You can verify the DNS is working properly by running some queries to test forward and reverse resolution.
Detailed Installation
Determine what kind of DNS you need.
If you are at a trade show and without Internet access, you need to be a primary.

If you are at a trade show and have Internet access, find the ISP and ask whether they have (a) a world resolvable caching DNS and (b) a primary for the show floor. If they have (a) but not (b), you will need to be a primary for this subnet. Any reputable ISP will have at least (a). If they have both (a) and (b), but are unreliable for (b), you should be a secondary. If (b) does not have a complete map or maps, you may need to create your own primary for that subnet.

If you are just starting a new subnet (e.g. you are at a startup company and the person who knows anything about network administration is the IT person), then you probably want to be your own primary for the subnet. You should talk it over with your ISP. If your ISP is responsive and reliable, and doesn't mind that you constantly re-assign IP addresses and hosts, you should use them as your primary. Otherwise, if you are planning to do some very complicated DHCP, IP address sharing, NAT, or network customization, you probably should be your own primary. In other words, if you want your network to be resolvable and routable outside of your network, you may want to arrange with your ISP to give you primary domain DNS control for your subnet and have the ISP act as a "secondary" to your subnet domain. This configuration is common at many large universities. For example, each department or college group manages its own subnet within a large Class A or B network. The institution's top level DNS is actually a secondary for the various smaller subnet primaries.

If you need to resolve Internet host names outside of the corporate network, but have an inadequate primary DNS on your network, you should become a secondary DNS for your local subnet. You can also add a forwarders entry to the corporate top-level gateway DNS so that you can resolve IP addresses outside of the corporate network. Other people can then configure their hosts to use your DNS as their default to use these features.

If you are running Solaris 7 or Solaris 8, examine the named.conf file. If you are running releases prior to Solaris 7, see the named.boot file. Each file is self explanatory and you can copy the /etc/hosts file and add Authoritative records (A) and pointer records (PTR) to your maps.
Note: For Solaris 7 users who are familiar with BIND8 (old) format named.boot files and want to convert them to the new BIND9 format named.conf files, you can run the /usr/sbin/named-bootconf -i infile -o outfile utility.

Edit all the files you need, usually:

Mandatory files
named.boot or named.conf (depending on OS version)
named.cache
named.local

Optional files (for primary DNS)
named.mydomain
named.mydomain.rev
[other reverse or forward maps]

You may have multiple forward and reverse maps because this DNS may be supporting multiple domain names and subnets.
Edit the /etc/resolv.conf file. It should look like the following:
    domain mydomain.com
    nameserver 127.0.0.1     ;if DNS server runs on this host
    nameserver 129.200.9.1   ;if this is a remote client
You can have multiple DNS entries in the resolv.conf file. Each entry is searched in top-to-bottom order until the server responds, or times out. Therefore, you should put the server that is the most robust and responds the fastest at the top of the list. When a DNS is successfully queried, it is general practice for the client to use only that server for querying, even if the DNS responds that there are no entries. If the DNS you configured to use on the client is not resolving all of the hosts you know exist, you should contact the administrator for that DNS or simply change to a server that can resolve all the names. If a DNS server is down, you may experience a long wait before the client application fails and switches to use the next DNS. This can vary from 15 to 60 seconds per DNS entry in the resolv.conf file. If you are experiencing DNS resolution delays repeatedly and have access to another server, you should change the resolv.conf file to use another DNS.
Create a symbolic link in /etc/ to either the named.boot or named.conf file. For example, if you unpacked the file in /var/named on a Solaris 2.6 system, type at the command line:
    ln -s /var/named/named.boot /etc/named.boot
Start the DNS server by typing:
    /usr/sbin/in.named
Test the DNS by running some queries to test forward and reverse resolution. You can use the following forward test:
    /usr/sbin/nslookup myhost
A sample response looks like:
    Server: localhost
    Address: 127.0.0.1
 
    Name: myhost.mydomain.com
    Address: 129.200.9.1
You should repeat your test using an IP address instead:
    /usr/sbin/nslookup 129.200.9.2
A sample response looks like:
    Server: localhost
    Address: 127.0.0.1
 
    Name: myhost2.mydomain.com
    Address: 129.200.9.2
If the DNS is set up to resolve Internet addresses, you can test this by typing:
    /usr/sbin/nslookup nuc.berkeley.edu
A sample response looks like:
    Server: localhost
    Address: 127.0.0.1
 
    Non-authoritative answer:

    Name: nuc.berkeley.edu
    Address: 128.32.142.96
Disclaimer

This template is supplied "AS IS" without support or warranties.

[Jan 27, 2006] currentversions from Internet Systems Consortium, Inc.

Current Release
BIND 9.3.2 [ download ] [ security ] [ manual: html | pdf ]
Maintenance Releases
BIND 9.2.6 [ download ] [ security ] [ manual: html | pdf ]
BIND 8.4.7 [ download ] [ security ]

docs.sun.com Solaris 10 What's New

BIND 9 is new in the Solaris Express 8/04 release. In the Solaris 10 3/05 release, the BIND version was upgraded to BIND version 9.2.4.

BIND is an open source implementation of DNS. BIND is developed by the Internet Systems Consortium (ISC). BIND allows DNS clients and applications to query DNS servers for the IPv4 and IPv6 networks. BIND includes two main components: a stub resolver API, resolver(3resolv), and the DNS name server with various DNS tools.

BIND enables DNS clients to connect to IPv6 DNS servers by using IPv6 transport. BIND provides a complete DNS client-server solution for IPv6 networks.

BIND 9.2.4 is a redesign of the DNS name server and tools by the Internet Systems Consortium (ISC). The BIND version 9.2.4 nameserver and tools are available in the Solaris 10 OS.

BIND 8.x-to-BIND 9 migration information is available in the System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP). Additional information and documentation about BIND 9 is also available on the ISC web site at http://www.isc.org. For information about IPv6 support, see the System Administration Guide: IP Services.

Reference

Internet Systems Consortium, Inc.

BIND 9 Administrator Reference Manual

BIND FAQ from Nominum Home of DNS inventor. Paul Mockapetris, the inventor of the domain name system, is chief scientist and chairman of the board at Nominum.

Ask Mr DNS facility on the Acme site is a searchable DNS/BIND FAQ + list archive

Simple DNS Configuration Example (RIPE-192): Probably the quickest way to get going, if you are using BIND 8 on Unix. Just cut and paste the examples and make a few changes for a working setup.

FAQ: FAQ document for the newsgroup comp.protocols.tcp-ip.domains by Chris Peckham. Here is a local copy of the most recently posted text version. You could also try a DNS book, DNSRD tips or Ask Mr. DNS.

FAQ for microsoft.public.windowsnt.dns: FAQ document for the Microsoft newsgroup microsoft.public.windowsnt.dns.

Linux DNS HOWTO: How to set up DNS on Linux, by Nicolai Langfeldt. There are some small problems with this document, but it has some useful tips.

Tutorials

DNS Server Setup Template for the Solaris Operating Environment

Everything Solaris/DNS for dummies

Name Service and Resolver Configuration discusses named and bind configuration. From The Network Administrators' Guide by Olaf Kirch/Andrew Anderson.

Setting up a basic DNS server for a domain by Craig Richmond: Good tutorial document, now somewhat out of date. Part of the BIND distribution.

BOG: Name Server Operations Guide for BIND by Paul Vixie (originally by Kevin J Dunlap and Michael J Karels). Generally known as the BOG; part of the BIND distribution. Here are local HTML (conversion by Graeme Cox), PostScript and text copies. For BIND 4.x
Dealing with Lame Delegations by Bryan Beecher Describes the lamers tool to detect and flag lame delegations.
DNS Demystified by Al Berg Short operational overview.
DNS for Internet Administrators by Andr�s Salamon Slides for one-day DNS course, from October 1996.
The Internet Cookbook: DNS by Robert J. Kohlhepp: Examples of building a DNS, with sample database files; from a series of articles in Network Computing Online, February 1997.
Features of BIND 8.2 by Cricket Liu: Summary of new features of BIND 8.2, by the author of the standard cricket book. 14-Jan-2000
Hedrick: `Keeping track of names and information: the domain system', Section 5 of Introducti on to the Internet Protocols by Charles L. Hedrick. This is a well-known paper from 1987, made available in HTML by Steven E. Newton.
Passive DNS Replication: Describes building partial zone files based on observing the query traffic at a third party name server, by Florian Weimer.
Setting Up Your Own DNS by Gary Kessler: Thorough practical overview.
Style Guide for Zone Files by Paul Vixie: The recommended style for manually maintained zone files, from the maintainer of BIND. Highly recommended.
A Survey of DNS Tools by Cricket Liu: A comparison of nslookup, dig, host, doc, dnswalk, dnsparse and h2n. Slides presented in February 1993.
10 DNS Errors That Will Kill Your Network by Bill Boswell: Common DNS errors in Microsoft Windows environments. Many of these problems are not specific to Windows. (checked 07-Sep-2004)
Tricks of the BIND Trade by Cricket Liu: Slides presented in February 1993. Some of the material is out of date for recent BIND versions.
Webmonkey's quick overview: Very quick overview of DNS from Webmonkey.
What is a domain? by Mark R. Horton: Introductory paper, similar to but easier to read than the fundamental RFCs. Part of the BIND distribution.

http://cramsession.brainbuzz.com/cramsession/microsoft/win2knet_infra/guide.asp

Spitzner, Lance. "DNS Access." 26 January 2000.
URL: http://www.enteract.com/~lspitz/rules/rule6.html (21 July, 2000).

Gray, Damon. "The "IN-ADDR.ARPA" domain and it�s relation to DNS."
URL: http://www.wednet.edu/network/whitepapers/in-addr.arpa.domain-whitepaper.html (23 July, 2000).

DNS HOWTO -- Nicolai Langfeldt janl@math.uio.no HOWTO become a totally small time DNS admin.

1. Preamble

2. Introduction.

3. A caching only name server.

3.1 Starting named

4. A simple domain.

5. A real domain example

6. Maintenance

7. Converting from version 4 to version 8

8. Questions and Answers

9. How to become a bigger time DNS admin.

Setting up DNS by Jeff Moe. This page explains the basics on how to get your nameserver up and going.
Files needed on primary nameserver (Change db.mydomain.com to db.[whatever your domain is] and db.192.168.222 to db.[whatever your class C is]):
Files needed on secondary nameserver
Note that the locations and names of these files can vary quite a bit, but this naming scheme will work fine.

Index of pubdocsunix-tutorials courses

dns.ps -- PostScript version
dns.txt -- text version

Domain Name System (DNS) -- course notes
FAQ - DNS -- outdated (1993)
Setting up a basic DNS Server for a domain -- Revision 1.1.2 Craig Richmond craig@ecel.uwa.edu.au
3rd August 1993 Last modified 960804

Help-Site Computer Manuals - Internet
- DNS
Scott Newton's TCP/IP tutorial, DNS section -- not impressive
DNS Tips and Tricks from the DNS resources directory
Setting up DNS
Fast Guide to DNS -- too basic

RFCs

Nice collection can be found at Nominum-Resources-Standards Information-DNS RFCs

FAQs

tcp-ipdomains-faq -- DNS faq
REPOST comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 1 of 2)
REPOST comp.protocols.tcp-ip.domains Frequently Asked Questions (FAQ) (Part 2 of 2)
BIND FAQ maintained by Ronny H. Kavli (originally written by Craig Richmond)
Linux DNS Howto
GraniteCanyon's FAQ about DNS in general and their DNS hosting services in particular
Setting up a basic DNS server for a domain

Usenet

comp.protocols.dns.bind Last 50 Messages

comp.protocols.dns.ops Last 50 Messages

Training

dns_security_course from men and mice
Verison DNS Training (two day course, not bad but expensive)
Tutorial Program S13pm -- Lisa usually has one
Tutorial Program T3 -- Paul Vixie tutorial for Usenix

Slides

USM Engineering Department -- System Guides DNS The Domain Name Service By Glenn Stevens. Very good slides

Network Ice Corporation. "DNS Zone Transfer." 2000.
URL: http://www.netice.com/advice/intrusions/2000401 (22 July, 2000).

Mr. DNS. "Restricting zone transfers in BIND 4.9.x with the xfernets directive."
URL: http://acmebw.com/askmrdns/00031.htm (22 July, 2000).

Split DNS

Network Ice Corporation. "Split-DNS"
URL: http://www.netice.com/advice/Services/Directory/DNS/split-DNS/default.htm (22 July, 2000).

Load Balancing via DNS

lbnamed -- a Perl script for load balancing. It communicates between a server farm and the DNS server to allow the DNS server to determine which is the best server to handle a request.

DNS Redirect by IP range

Author: Ernesto Vargas (---.z064002177.mia-fl.dsl.cnc.net) Date: 12-18-00 12:29 I'm looking for a DNS solutions that can redirect to X or Y server depending on there IP address. Something like Akamai... Any idea? EV

Reply To This Message

RE: DNS Redirect by IP range

Author: Bishop (---.nnj.adsl.bellatlantic.net) Date: 12-18-00 20:17 I am not sure of your question - I can't be totally sure of your American-style grammar - but I think I got it. I think that a DNS server is not what you need. DNS only resolves hosts and IPs back and forth. It's not known as the best way to load-balance. It sounds like you need some kind of redirector daemon. I use portfwd, but I've heard that smarter people can do redirection with the filtering subsystem itself. I'll leave that up to them, though, and work with what I know. I've not heard of one that does any calculations on-the-fly, but as for statically configured redirectors go, I'm very happy with portfwd. It does 90% of what I want, and I can extend it for the other 10%. Are you actually looking for one that does load-balancing or one that performs even simple calculations to determine the destination address, or would a static one suffice? If you like static ones, Portfwd's probably at http://sourceforge.net/projects/portfwd Let me know if I misinterpreted your use of 'there'. After all, I wasn't born in this country and am only learning American. - bishop

Reply To This Message

RE: DNS Redirect by IP range

Author: j (---.texaco.com) Date: 12-19-00 10:44 ipchains can do the redirect for you based on the ip.

Reply To This Message

RE: DNS Redirect by IP range

Author: None (---.rit.reuters.com) Date: 12-20-00 07:54 The best I can say is to try dnrd (Domain Name Relay daemon) at, http://members.home.net/garsh/dnrd/ as I think that has a lot of hope of adding smart logic to DNS. Once I work out my status re: Open Source and my employer then I to would like to direct DNS requests based on the source IP address. Your request may be similar. ////

Reply To This Message

RE: DNS Redirect by IP range

Author: iserlohn (---.rchmd1.bc.wave.home.com) Date: 12-25-00 02:53 You need EDDIE!!!! Here's a short excerpt (from freshmeat) - Eddie acts as a high availability WAN and LAN clustering tool for web servers (including Apache). It provides load balancing at two levels (DNS and LAN), failover redundancy, and admission control to maintain quality of service levels. Last time I check it allowed different DNS responses depending on IP. http://eddie.sourceforge.net

Copyright � 1996-2008 by Dr. Nikolai Bezroukov. www.softpanorama.org was created as a service to the UN Sustainable Development Networking Programme (SDNP) in the author free time. Submit comments This document is an industrial compilation designed and created exclusively for educational use and is placed under the copyright of the Open Content License(OPL). Original materials copyright belong to respective owners. Quotes are made for educational purposes only in compliance with the fair use doctrine.

Standard disclaimer: The statements, views and opinions presented on this web page are those of the author and are not endorsed by, nor do they necessarily reflect, the opinions of the author present and former employers, SDNP or any other organization the author may be associated with. We do not warrant the correctness of the information provided or its fitness for any purpose.

Consulting

DNS, DHCP, IP Address Management Solutions from Men & Mice

Yahoo! - Nominum, Inc. Company Profile

Etc

Domain Name System: Proper use reduces intranet administration costs by Anton Holleman: Brief white paper from Origin, supporting the use of DNS instead of services like NIS or WINS. Originally published in Dutch in April 1999.

The InterNIC Lame Delegation Policy: The InterNIC's draft policy to deal with lame delegations for domains that they administer. They are supposed to deregister the domain if all delegated servers are lame for 90 days, but they don't seem to bother. The issues relating to trademarks are highly contentious. See also the DNSRD pages on domain registration and disputes.

Quiz

Q1. FQDN stands for ________________________ ?

A: Fully Qualified Name of Domain

Q2. Which of the following is FQDN ?

a. www.mydomain.com

b. mydomain.com

c. www.mydomain.com.

A: C (the dot at the end is essential for FQDN)

Q3. True/Flase: Relative domain name (RDN) ends with the dot.

A: False

Q4. What is the maximum number of characters you can have in a FQDN ?

A: 255

Q5. True or Flase: domain names can contain the symbol �*� ?

Ans: False

Note: Only alpha numerics and dashes

Q6. _________ servers maintain the top-level zones (com, net, edu).

A: root

Q7. ___________ servers are authoritative for domains they serve.

A: Primary (Master)

Q8. The DNS server configuration file is:

A: /etc/named.conf

Q9. True/Flase: Secondary DNS servers can not be authoritative for any domains .

A: False

Note: They can be authoritative for other domains they serve

Q10. True/False: Secondary DNS Servers can help in load sharing with the primary servers .

A: True

Q11. Secondary servers are defined by the type keyword ______ in the named.conf file .

A: slave

Q12. Name 4 kinds of DNS servers ?

A: Primary, Secondary, Caching-only, Forwarding

Q13. Which 2 kinds of DNS servers can never be authoritative over any domain ?

A: Caching-only and Forwarding

Q14. You have a few PCs at the remote location. Uplink bandwidth is premium. You want to reduce DNS lookup traffic as much as possible. Which should you do ?

A: Setup a forwarding DNS server

Note: such servers build a rich DNS cache which minimize number of off-site queries (queries forwarded to master or secondary server).

Q15. 2 kinds of answers a client can get from any DNS server are:

A: Authoritative and Non-Authoritative

Q16. Non-authoritative answers can be incorrect mostly due to :

A: changes that have not been propagated via updates

Q17. What does the /var/named/named.root file specify ?

A: specifies name of address mapping of root servers

Q18. How does a DNS server find the actual root servers ?

A: by querying the servers listed in the file /var/named/named.root

Q19. Which file has name and IP for all systems in the domain (on a DNS server) ?

A: /var/named/domain.info

Q20. Which file on a DNS server has IP to name resolution ?

A: /var/named/inverse-domain.info

Q21. What does the /var/named/loopback-domain.info file specify ?

A: inverse loopback domain address

Q22. Which file does a workstation consult to find out which DNS servers should be consulted to resolve names ?

A: /etc/resolv.conf

Q23. Which command causes in.named to take a snapshot of its in-memory cached data.

A: pkill �INT in.named

Q24. You you ran pkill �INT in.named, where will it write the snapshot of its in-memory cached data ?

A: /var/named/named_dump.db

Q25. Which command causes in.named to increase its debug level by 1 ?

A: pkill �USR1 in.named

Q26. Which command causes name daemon to return to level 0 (debug) ?

A: pkill �USR2 in.named

Q27. Which command will cause the in.named daemon to reread it's configuration files ?

A: pkill �HUP in.named

Q28. True/False: DNS gives you the ability to restrict queries from machines in a particular zone.

A: True

Q29. True/False: Bind provides the facility to block unauthorized zone transfers.

A: True

Q30. Which tool converts /etc/hosts files to DNS zone files ?

A: h2n

Q31. Which DNS debugging tool allows in-depth debugging of DNS problems ?

A: dig

Created May 16, 1996; Last modified: June 02, 2008