
24.1. Introduction

Name resolution includes the Domain Name System (DNS) and hosts files. The Dynamic Host Configuration Protocol (DHCP) goes hand-in-hand with name resolution. Name resolution resolves names to IP addresses, and DHCP takes over the tedious chore of assigning IP addresses to individual hosts. Servers need static IP addresses. Workstations do just fine with dynamically assigned addresses—just plug 'em in and let DHCP do the work.

DNS powers the Internet. All it does is name resolution, or translation of names to numbers. As simple as the concept is, a huge infrastructure has evolved to implement it. We could get along fine without DNS—after all, we've been using complex postal mail addresses and phone numbers all of our lives. But there are many advantages to using name resolution. Several names can be mapped to a single IP address. Names are easier to remember. And we can indulge in giving our servers fanciful hostnames, like the names of Tolkien characters, or astronomical terms, or mythological characters. (Okay, so that last one isn't vitally important—but it is fun.)

24.1.1 Implementing DNS

One difficulty with learning to run a DNS server is that the vast majority of the documentation is BIND-centric. Berkeley Internet Name Domain (BIND) is the oldest and most widely used DNS server. It seems as though BIND is considered to be the DNS protocol, rather than just an implementation of it.

This chapter contains recipes for two different DNS servers: BIND and djbdns. I believe that djbdns is the superior choice. It's modular, small, very fast, and very secure. It's also simple to configure and very dependable, because it runs from supervisory daemons that automatically restart it if it should die unexpectedly. Replicating a djbdns server securely and efficiently is easy—you use standard Linux utilities such as rsync-over-ssh, which means you can easily set up authenticated datafile transfers using SSH keys.

BIND has been around forever, and it is widely deployed. However, it's one big monolithic program, so you cannot customize the installation to suit your needs. About all you can do is configure it differently for different uses, which is not completely effective in shutting down the parts you don't need. This presents security risks, and BIND has a long history of security problems. Furthermore, it uses odd proprietary methods for replicating zone files to backup servers (secondaries), instead of nice, reliable, standard Unix utilities. Even back in the days before rsync, there was no shortage of dependable methods for transferring files, so the reason for the evolution of these BIND-specific file transfer protocols is a mystery.

Despite its drawbacks, BIND has the advantage in sheer volume of books and documentation, with Cricket Liu's books being the standards: the DNS & BIND Cookbook and DNS and BIND, which is now on its fourth edition (both published by O'Reilly), are must-haves for the BIND admin.

24.1.2 A DNS Glossary

DNS refers to three things: the DNS protocol; name resolution; and the entire system that implements it, which consists of domain name registrars, root servers, authoritative servers, IANA and the regional Internet registries, ICANN, and all the caching DNS servers that spread the load and keep things moving. Here are some terms to familiarize yourself with:


IANA

Internet Assigned Numbers Authority. It all starts here—this is the group that coordinates the allocation of IP addresses worldwide. Both IPv4 and IPv6 addresses are part of the brew now. IANA dispenses blocks of IP addresses to the Regional Internet Registries:

APNIC (Asia Pacific Network Information Centre): Asia/Pacific Region
ARIN (American Registry for Internet Numbers): North America and Sub-Saharan Africa
LACNIC (Latin American and Caribbean IP Address Registry): Latin America and some Caribbean Islands
RIPE NCC (Réseaux IP Européens): Europe, the Middle East, Central Asia, and African countries located north of the equator

ICANN

Internet Corporation for Assigned Names and Numbers. Among many other duties, ICANN oversees domain name allocation and registration.


Root servers

There are 13 root DNS servers. Run the dig command with no options to generate a list. All but three are hosted in the United States. However, the C, F, I, J, and K servers are geographically dispersed clusters using anycast, so the actual number of root servers is much larger, and they are distributed all over the planet. Anycast is a network addressing and routing scheme that routes data to the nearest or best destination.


Authoritative server, or content server

This is the DNS server controlled by you, the ace hostmaster for your domain, that contains all your name-to-IP address mappings. The root name servers do not store actual DNS records. All they do is point to authoritative name servers, or name servers that know the route to the authoritative name servers.


Caching server, or caching DNS resolver

Caching servers make this huge amount of traffic and complexity manageable. If every DNS request for a domain had to hit the authoritative server, the whole works would soon grind to a halt. This does not happen because the Internet is infested with DNS caching servers. Caching servers are very hardworking—they query external servers to satisfy DNS requests, and they also store the results of DNS lookups in memory, so that they can directly answer subsequent requests.
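The two glossary entries above describe a chain: root servers only refer, authoritative servers hold the actual records, and caching resolvers remember what they learn so the authoritative servers are not hit on every lookup. The following Python model, added here as an illustration and not code from the book, walks that chain with constructed zone data for an imaginary example.com (RFC 5737 documentation addresses, server names such as ns.tld.example. and ns1.example.com. are made up, and the negative TTL of 60 seconds is an arbitrary constant). Nothing is sent over the network; the point is to show delegation, referral following, and why a second lookup costs nothing while TTLs last:

```python
"""Toy model of DNS delegation plus a caching resolver (added example)."""
import time
from typing import Dict, List, Optional, Tuple

Record = Tuple[str, str, int]  # (type, value, ttl)

# Constructed zone data for an imaginary example.com. The addresses are
# RFC 5737 documentation addresses and no network traffic is generated.
# server name -> {owner name -> records}. An NS record held by a server
# for a name inside its zone is a delegation, i.e. a referral.
AUTHORITATIVE: Dict[str, Dict[str, List[Record]]] = {
    "root": {
        "com.": [("NS", "ns.tld.example.", 172800)],
    },
    "ns.tld.example.": {
        "example.com.": [("NS", "ns1.example.com.", 172800)],
    },
    "ns1.example.com.": {
        "example.com.": [("A", "192.0.2.1", 300)],
        "www.example.com.": [("A", "192.0.2.10", 300)],
        "mail.example.com.": [("A", "192.0.2.25", 300)],
    },
}

NEGATIVE_TTL = 60  # constructed: how long "no such name" is remembered


def ask_server(server: str, qname: str, qtype: str):
    """One query to one server.

    Returns ("answer", records) when the server holds the name itself,
    ("referral", (zone, nameserver, ttl)) when it only knows a delegation
    for an enclosing zone, or ("negative", None) otherwise (NXDOMAIN and
    NODATA are folded together to keep the model short).
    """
    zone = AUTHORITATIVE[server]
    answers = [r for r in zone.get(qname, []) if r[0] == qtype]
    if answers:
        return "answer", answers
    labels = qname.split(".")
    for i in range(len(labels)):  # closest enclosing delegation first
        parent = ".".join(labels[i:])
        ns = [r for r in zone.get(parent, []) if r[0] == "NS"]
        if ns:
            return "referral", (parent, ns[0][1], ns[0][2])
    return "negative", None


class CachingResolver:
    """Serves answers from cache while TTLs last; otherwise walks the tree."""

    def __init__(self, clock=time.time):
        self.clock = clock  # injectable so tests can advance time
        self.answers: Dict[Tuple[str, str], Tuple[float, Optional[List[str]]]] = {}
        self.delegations: Dict[str, Tuple[float, str]] = {}  # zone -> (expiry, server)
        self.upstream_queries = 0

    def _start_server(self, qname: str, now: float) -> str:
        """Deepest cached, unexpired delegation covering qname, else the root."""
        labels = qname.split(".")
        for i in range(len(labels)):
            hit = self.delegations.get(".".join(labels[i:]))
            if hit and hit[0] > now:
                return hit[1]
        return "root"

    def lookup(self, qname: str, qtype: str = "A") -> Optional[List[str]]:
        now = self.clock()
        key = (qname, qtype)
        hit = self.answers.get(key)
        if hit and hit[0] > now:
            return hit[1]  # cache hit: no upstream traffic at all
        server = self._start_server(qname, now)
        for _ in range(8):  # bound the referral chain against loops
            self.upstream_queries += 1
            status, data = ask_server(server, qname, qtype)
            if status == "referral":
                zone, server, ttl = data
                self.delegations[zone] = (now + ttl, server)  # remember who is authoritative
                continue
            if status == "answer":
                values = [v for _, v, _ in data]
                ttl = min(t for _, _, t in data)
                self.answers[key] = (now + ttl, values)
                return values
            self.answers[key] = (now + NEGATIVE_TTL, None)  # negative caching
            return None
        raise RuntimeError(f"referral chain too long for {qname}")


def demo() -> Tuple[int, int, int, int]:
    """Upstream query counts after each step, using a simulated clock."""
    t = [1000.0]
    r = CachingResolver(clock=lambda: t[0])
    r.lookup("www.example.com.")   # root -> TLD -> ns1: three queries
    first = r.upstream_queries
    r.lookup("www.example.com.")   # answered from the answer cache
    second = r.upstream_queries
    r.lookup("mail.example.com.")  # cached delegation: straight to ns1
    third = r.upstream_queries
    t[0] += 301                    # A records (TTL 300) expire, NS (172800) do not
    r.lookup("www.example.com.")   # one query to ns1, root and TLD untouched
    fourth = r.upstream_queries
    return first, second, third, fourth


if __name__ == "__main__":
    print(demo())
```

The query counts from demo() make the glossary's point concrete: the first name costs three upstream queries, the repeat costs none, a second name under the same zone costs one because the delegation is cached, and when the short-lived A records expire only the authoritative server is asked again. Real resolvers also cache negative answers, which is why the model keeps a "no such name" result for NEGATIVE_TTL seconds.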
