network-dns.html

FreeBSD操作系统的详细使用手册

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta name="generator" content="HTML Tidy, see www.w3.org" />
<title>Domain Name System (DNS)</title>
<meta name="GENERATOR" content="Modular DocBook HTML Stylesheet Version 1.7" />
<link rel="HOME" title="FreeBSD Handbook" href="index.html" />
<link rel="UP" title="Network Servers" href="network-servers.html" />
<link rel="PREVIOUS" title="Automatic Network Configuration (DHCP)"
href="network-dhcp.html" />
<link rel="NEXT" title="BIND9 and FreeBSD" href="network-bind9.html" />
<link rel="STYLESHEET" type="text/css" href="docbook.css" />
</head>
<body class="SECT1" bgcolor="#FFFFFF" text="#000000" link="#0000FF" vlink="#840084"
alink="#0000FF">
<div class="NAVHEADER">
<table summary="Header navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<th colspan="3" align="center">FreeBSD Handbook</th>
</tr>

<tr>
<td width="10%" align="left" valign="bottom"><a href="network-dhcp.html"
accesskey="P">Prev</a></td>
<td width="80%" align="center" valign="bottom">Chapter 23 Network Servers</td>
<td width="10%" align="right" valign="bottom"><a href="network-bind9.html"
accesskey="N">Next</a></td>
</tr>
</table>

<hr align="LEFT" width="100%" />
</div>

<div class="SECT1">
<h1 class="SECT1"><a id="NETWORK-DNS" name="NETWORK-DNS">23.6 Domain Name System
(DNS)</a></h1>

<i class="AUTHORGROUP"><span class="CONTRIB">Contributed by</span> Chern Lee.</i> 

<div class="SECT2">
<h2 class="SECT2"><a id="AEN34760" name="AEN34760">23.6.1 Overview</a></h2>

<p>FreeBSD utilizes, by default, a version of BIND (Berkeley Internet Name Domain), which
is the most common implementation of the DNS protocol. DNS is the protocol through which
names are mapped to IP addresses, and vice versa. For example, a query for <tt
class="HOSTID">www.FreeBSD.org</tt> will receive a reply with the IP address of The
FreeBSD Project's web server, whereas, a query for <tt
class="HOSTID">ftp.FreeBSD.org</tt> will return the IP address of the corresponding FTP
machine. Likewise, the opposite can happen. A query for an IP address can resolve its
hostname. It is not necessary to run a name server to perform DNS lookups on a
system.</p>

<p>DNS is coordinated across the Internet through a somewhat complex system of
authoritative root name servers, and other smaller-scale name servers who host and cache
individual domain information.</p>

<p>This document refers to BIND 8.x, as it is the stable version used in FreeBSD. BIND
9.x in FreeBSD can be installed through the <a
href="http://www.FreeBSD.org/cgi/url.cgi?ports/net/bind9/pkg-descr"><tt
class="FILENAME">net/bind9</tt></a> port.</p>

<p>RFC1034 and RFC1035 dictate the DNS protocol.</p>

<p>Currently, BIND is maintained by the Internet Software Consortium <a
href="http://www.isc.org/" target="_top">http://www.isc.org/</a>.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN34775" name="AEN34775">23.6.2 Terminology</a></h2>

<p>To understand this document, some terms related to DNS must be understood.</p>

<div class="INFORMALTABLE"><a id="AEN34784" name="AEN34784"></a>
<table border="0" frame="void" width="100%" class="CALSTABLE">
<col width="25%" />
<col width="75%" />
<thead>
<tr>
<th>Term</th>
<th>Definition</th>
</tr>
</thead>

<tbody>
<tr>
<td>Forward DNS</td>
<td>Mapping of hostnames to IP addresses</td>
</tr>

<tr>
<td>Origin</td>
<td>Refers to the domain covered in a particular zone file</td>
</tr>

<tr>
<td><b class="APPLICATION">named</b>, BIND, name server</td>
<td>Common names for the BIND name server package within FreeBSD</td>
</tr>

<tr>
<td>Resolver</td>
<td>A system process through which a machine queries a name server for zone
information</td>
</tr>

<tr>
<td>Reverse DNS</td>
<td>The opposite of forward DNS; mapping of IP addresses to hostnames</td>
</tr>

<tr>
<td>Root zone</td>
<td>The beginning of the Internet zone hierarchy. All zones fall under the root zone,
similar to how all files in a file system fall under the root directory.</td>
</tr>

<tr>
<td>Zone</td>
<td>An individual domain, subdomain, or portion of the DNS administered by the same
authority</td>
</tr>
</tbody>
</table>
</div>

<p>Examples of zones:</p>

<ul>
<li>
<p><tt class="HOSTID">.</tt> is the root zone</p>
</li>

<li>
<p><tt class="HOSTID">org.</tt> is a zone under the root zone</p>
</li>

<li>
<p><tt class="HOSTID">example.org</tt> is a zone under the <tt class="HOSTID">org.</tt>
zone</p>
</li>

<li>
<p><tt class="HOSTID">foo.example.org.</tt> is a subdomain, a zone under the <tt
class="HOSTID">example.org.</tt> zone</p>
</li>

<li>
<p><tt class="HOSTID">1.2.3.in-addr.arpa</tt> is a zone referencing all IP addresses
which fall under the <tt class="HOSTID">3.2.1.*</tt> IP space.</p>
</li>
</ul>

<p>As one can see, the more specific part of a hostname appears to its left. For example,
<tt class="HOSTID">example.org.</tt> is more specific than <tt class="HOSTID">org.</tt>,
as <tt class="HOSTID">org.</tt> is more specific than the root zone. The layout of each
part of a hostname is much like a filesystem: the <tt class="FILENAME">/dev</tt>
directory falls within the root, and so on.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN34843" name="AEN34843">23.6.3 Reasons to Run a Name
Server</a></h2>

<p>Name servers usually come in two forms: an authoritative name server, and a caching
name server.</p>

<p>An authoritative name server is needed when:</p>

<ul>
<li>
<p>one wants to serve DNS information to the world, replying authoritatively to
queries.</p>
</li>

<li>
<p>a domain, such as <tt class="HOSTID">example.org</tt>, is registered and IP addresses
need to be assigned to hostnames under it.</p>
</li>

<li>
<p>an IP address block requires reverse DNS entries (IP to hostname).</p>
</li>

<li>
<p>a backup name server, called a slave, must reply to queries when the primary is down
or inaccessible.</p>
</li>
</ul>

<p>A caching name server is needed when:</p>

<ul>
<li>
<p>a local DNS server may cache and respond more quickly than querying an outside name
server.</p>
</li>

<li>
<p>a reduction in overall network traffic is desired (DNS traffic has been measured to
account for 5% or more of total Internet traffic).</p>
</li>
</ul>

<p>When one queries for <tt class="HOSTID">www.FreeBSD.org</tt>, the resolver usually
queries the uplink ISP's name server, and retrieves the reply. With a local, caching DNS
server, the query only has to be made once to the outside world by the caching DNS
server. Every additional query will not have to look to the outside of the local network,
since the information is cached locally.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN34865" name="AEN34865">23.6.4 How It Works</a></h2>

<p>In FreeBSD, the BIND daemon is called <b class="APPLICATION">named</b> for obvious
reasons.</p>

<div class="INFORMALTABLE"><a id="AEN34869" name="AEN34869"></a>
<table border="0" frame="void" class="CALSTABLE">
<col />
<col />
<thead>
<tr>
<th>File</th>
<th>Description</th>
</tr>
</thead>

<tbody>
<tr>
<td><b class="APPLICATION">named</b></td>
<td>the BIND daemon</td>
</tr>

<tr>
<td><tt class="COMMAND">ndc</tt></td>
<td>name daemon control program</td>
</tr>

<tr>
<td><tt class="FILENAME">/etc/namedb</tt></td>
<td>directory where BIND zone information resides</td>
</tr>

<tr>
<td><tt class="FILENAME">/etc/namedb/named.conf</tt></td>
<td>daemon configuration file</td>
</tr>
</tbody>
</table>
</div>

<p>Zone files are usually contained within the <tt class="FILENAME">/etc/namedb</tt>
directory, and contain the DNS zone information served by the name server.</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN34894" name="AEN34894">23.6.5 Starting BIND</a></h2>

<p>Since BIND is installed by default, configuring it all is relatively simple.</p>

<p>To ensure the <b class="APPLICATION">named</b> daemon is started at boot, put the
following line in <tt class="FILENAME">/etc/rc.conf</tt>:</p>

<pre class="PROGRAMLISTING">
named_enable="YES"
</pre>

<p>To start the daemon manually (after configuring it):</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">ndc start</kbd>
</pre>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN34908" name="AEN34908">23.6.6 Configuration Files</a></h2>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN34913" name="AEN34913">23.6.6.1 Using <tt
class="COMMAND">make-localhost</tt></a></h3>

<p>Be sure to:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /etc/namedb</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">sh make-localhost</kbd>
</pre>

<p>to properly create the local reverse DNS zone file in <tt
class="FILENAME">/etc/namedb/localhost.rev</tt>.</p>
</div>

<div class="SECT3">
<h3 class="SECT3"><a id="AEN34924" name="AEN34924">23.6.6.2 <tt
class="FILENAME">/etc/namedb/named.conf</tt></a></h3>

<pre class="PROGRAMLISTING">
// $FreeBSD$
//
// Refer to the named(8) manual page for details.  If you are ever going
// to setup a primary server, make sure you've understood the hairy
// details of how DNS is working.  Even with simple mistakes, you can
// break connectivity for affected parties, or cause huge amount of
// useless Internet traffic.

options {
        directory "/etc/namedb";

// In addition to the "forwarders" clause, you can force your name
// server to never initiate queries of its own, but always ask its
// forwarders only, by enabling the following line:
//
//      forward only;

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the
Internet.
/*
        forwarders {
                127.0.0.1;
        };
*/
</pre>

<p>Just as the comment says, to benefit from an uplink's cache, <var
class="LITERAL">forwarders</var> can be enabled here. Under normal circumstances, a name
server will recursively query the Internet looking at certain name servers until it finds
the answer it is looking for. Having this enabled will have it query the uplink's name
server (or name server provided) first, taking advantage of its cache. If the uplink name
server in question is a heavily trafficked, fast name server, enabling this may be
worthwhile.</p>

<div class="WARNING">
<blockquote class="WARNING">
<p><b>Warning:</b> <tt class="HOSTID">127.0.0.1</tt> will <span class="emphasis"><i
class="EMPHASIS">not</i></span> work here. Change this IP address to a name server at
your uplink.</p>
</blockquote>
</div>

<pre class="PROGRAMLISTING">
        /*
         * If there is a firewall between you and name servers you want
         * to talk to, you might need to uncomment the query-source
         * directive below.  Previous versions of BIND always asked
         * questions using port 53, but BIND 8.1 uses an unprivileged
         * port by default.
         */
        // query-source address * port 53;

        /*
         * If running in a sandbox, you may have to specify a different
         * location for the dumpfile.
         */
        // dump-file "s/named_dump.db";
};

// Note: the following will be supported in a future release.
/*
host { any; } {
        topology {
                127.0.0.0/8;
        };
};
*/

// Setting up secondaries is way easier and the rough picture for this
// is explained below.
//
// If you enable a local name server, don't forget to enter 127.0.0.1
// into your /etc/resolv.conf so this server will be queried first.