BBS水木清华站∶精华区
发信人: reden (鱼 ~ 梦娜丽莎的微笑 流星的故事), 信区: Linux
标 题: DNS Tricks and Tips
发信站: BBS 水木清华站 (Wed Nov 25 01:51:41 1998)
DNS Tricks and Tips
Here are some common tricks and some tips for common problems.
Generating cache file with dig
Recovering from an SOA typo
Ultrix needs primaries in host file
SLIP and BIND
What is a Lame Delegation?
Terminology: domain, zone, label
CNAMEs as RR targets
Local dummy zones
Legal characters in hostnames
Checking if a domain is registered already
Setting up a resolver
Given a choice of servers, which one is queried?
Transferring zones from a server running Microsoft NT Server 4.0
Generating cache file with dig
From Paul A Vixie <paul@vix.com> and Ruediger Volk <rv@zeus.NIC.DTAG.DE>
Anyone with DiG installed (which includes anyone running BIND 4.9 or better) can generate a new cache file by typing
% dig @a.root-servers.net. . ns >root.cache
Check this file by hand before installing it, of course.
Recovering from an SOA typo
From Steve Hubert <hubert@cac.washington.edu>
It's only hard to recover from a typo if you're running an old BIND. If your secondaries are 4.9 or later, then you should
just need two serial number changes to get back in sync:
Let all the secondaries catch up to your typo serial number.
Reset it to (2^31 - a little bit) more than the typo and wait for all the secondaries to catch up again. You may have
to wrap the serial number back to zero in this or the next step.
Set it to the correct value and wait for all the secondaries to catch up.
Also refer to RFC 1982.
Ultrix needs primaries in host file
From William Gianopoulos <wag@swl.msd.ray.com>
With the stock Ultrix 4.3 name server (and possibly other releases), all primary nameservers must be in the /etc/hosts file.
Look out for the indicative "address of primary server not in local db:" message in the logs.
SLIP and DNS
Based on a message from Cricket Liu <cricket@hp.com>
Cricket Liu recommends not running a name server at the site that connects via SLIP, but instead pointing the resolver at
a single name server on the upstream side of the SLIP link. If the SLIP link isn't up, the resolver doesn't have a route to
the server, and since there's only one name server in resolv.conf, the resolver quickly backs off to using /etc/hosts. This
assumes a reasonable resolver, of course.
What is a Lame Delegation?
From Bryan Beecher <Bryan.Beecher@umich.edu>
A lame delegation is an instance when a nameserver has been listed as authoritative for a domain, but does not seem to
be performing authoritative service for that domain. That is, the nameserver appears to be answering out of its cache
instead of out of its data. Note that even a server which is performing secondary service for a domain is still an
authoritative server, and should be returning authoritative data.
Terminology: domain, zone, label
Based on a message from Paul Mockapetris <pvm@ISI.EDU>
A domain is a complete subtree. In the DNS tree, a domain is everything under a particular point in the tree.
Domains relate to the naming structure itself, not the way things are distributed.
A zone is a pruned domain. Pruning occurs when zones are delegated. Zones relate to the way the database is
partitioned and distributed.
A label is one component of a domain name. Labels need only be unique at a particular point in the tree, not in a
zone: it is acceptable to have both NAME.dom.ain and NAME.sub.dom.ain both in the zone dom.ain.
CNAMEs as RR targets
From RFC 1034, Domain Concepts and Facilities
Section 3.6.2, `Aliases and canonical names':
Domain names in RRs which point at another name should always point at the primary name and not the alias. In other
words, the names which are on the right hand side of a resource record (RR targets) should not be on the left hand side
of a CNAME resource record. Depending on how smart the resolver software is CNAME targets may work fine, but
depending on correct behaviour in resolvers all around the world is guaranteed to fail somewhere.
Local dummy zones
Based on a message from Dave Barr <barr@math.psu.edu>
To stop the DNS from doing a lookup when the request is to localhost, run a local caching-only nameserver which is set
up to be a primary for "localhost" as well as "127.in-addr.arpa" and include the necessary DNS data in those zones to
resolve the respective names/addresses. Then point your /etc/resolv.conf to your local machine. To be extra safe from
DNS corruption set the server up as a primary for "255.in-addr.arpa" and "0.in-addr.arpa" also.
Legal characters in hostnames
Domain names can contain almost any characters. However, host names and mail domain names have restrictions which
only allow the use of characters `a-z', `A-Z', `0-9', and `-' (dash or minus sign). The `/' and `_' (divide or slash and
underscore) characters are not legal. Note that hostnames include the owners of A and MX records and .in-addr.arpa
PTR records, and the data fields of MX and .in-addr.arpa PTR records: in other words, almost all currently used DNS
entries! The current releases of the BIND name server software enforce these restrictions. 20-Nov-1997, 10-Apr-1996
Checking if a domain is registered already
Based on a question by Plato <gking@GroupZ.net>
To check if a domain has been registered, there are a couple of approaches.
Brute force search of DNS zone file
If the relevant zone file corresponding to the domain can be obtained, standard text searching tools can be used to
check the file for the domain or variants. This procedure is flexible and quick once the file has been obtained since
it is performed off line. The zones ARPA, COM, EDU, GOV, INADDR.ARPA, MIL, NET, and ORG are available at
the InterNIC. Other zones may be available via ftp, but will usually need to be downloaded using the zone transfer
mechanism of DNS. If a server is configured to disallow zone transfers, it may not be possible to easily obtain a
copy of the zone file.
WHOIS lookups
If the domain being sought is in one of the InterNIC maintained zones, information about the domain will be stored
in the InterNIC WHOIS database. A standard whois client can be used to query this database, currently located at
rs.internic.net. In the absence of a client, rs.internic.net also offers telnet access to the database. For some
domains, information is kept in WHOIS-like services like RWHOIS or in domain-specific WHOIS registries.
Checking the DNS
Using DNS query tools like dig or nslookup with query types NS, MX or A, information about the existence of a
domain name can be obtained. This is the most general method, although it requires an exact guess to be made
both of the type of records associated with the domain name and the name itself. Using a query type ANY can
sometimes be effective, but can also result in misleading answers.
Setting up a resolver
Based on a question by Aidan N.R. Low <aidan@MIT.EDU>
Setting up the client side of DNS depends on the operating environment of the client. For a Unix machine, the resolver is
configured through a text file, usually /etc/resolv.conf which commonly contains the IP address of the name server or
servers which will be used to do the actual work. An adequate resolv.conf file contains just the one line
nameserver x.y.z.w
where x.y.z.w is the IP address of a suitable name server. Often this will be a server provided by the Internet service
provider. It is a bad idea to point resolvers to name servers controlled by organisations with which there is no
organisational relationship: the name server could be configured to return bogus information, especially if permission was
not sought first for using the server.
For PC type resolvers there is usually a network configuration option which specifies the same information as resolv.conf.
Each network stack tends to have its own set of configuration information. However, on MacOS, there are moves towards
central network configuration.
For SunOS 4.x, the resolver is by default not set up to use DNS. The standard operating procedure to get SunOS to use
DNS is in the comp.sys.sun FAQ, last I looked these were questions 1 and 2. In short,
add the DNS trapdoor to NIS, or
rebuild libc.a using resolv+ or the BIND 4.9.3 resolver routines.
Of these, the BIND 4.9.3 option is recommended.
Solaris 2.x is also not set up to use DNS by default. In the file /etc/nsswitch.conf there is a line
hosts: files
which needs to be changed to
hosts: files dns
for the machine to use DNS.
Given a choice of servers, which one is queried?
Based on a question by Mark A. Dohm <mark.dohm@teldta.com> and answer by Paul A Vixie <paul@vix.com>
Every recursive BIND name server (that is, one which is willing to go out and find something if asked something it doesn't
know) will remember the measured round trip time (RTT) to each server it sends queries to. If it has a choice of several
servers for some domain (like "." for example) it will use the one whose measured RTT is lowest.
Since the measured RTT of all NS RRs starts at zero (0), every one is tried once. Once all have responded, all RTT's will
be nonzero, and the "fastest server" will get all queries henceforth, until it slows down for some reason.
To promote dispersion and good recordkeeping, BIND will penalize the RTT by a little bit each time a server is reused,
and it will penalize the RTT a _lot_ if it ever has to retransmit a query. For a server to stay "#1", it has to keep on
answering quickly and consistently.
Note that this is something BIND does that the DNS Specification does not mention at all. So other servers, those not
based on BIND, might behave very differently.
Transferring zones from a server running Microsoft NT Server 4.0
Based on an answer by Stuart Kwan <skwan@microsoft.com>
If Microsoft's DNS server is integrated with WINS, it needs to be explicitly configured to interoperate with non-Microsoft
name servers. Microsoft represents WINS information in the DNS using a nonstandard resource record type. This can
cause a name server to fail when attempting a zone transfer from a Microsoft server. Older BIND servers may actually
terminate when receiving such resource records in a zone transfer.
To correct the problem, ensure that the option "Zone Properties -> WINS Lookup -> Settings only affect local server" is
set for each such zone on the Microsoft server.
andras@is.co.za / The Internet Solution
--
白马带著她一步步的回到中原。白马已经老了,只能慢慢的走,
但终是能回到中原的。江南有杨柳、桃花,有燕子、金鱼……
汉人中有的是英俊勇武的少年,倜傥潇洒的少年……但这个美
丽的姑娘就像古高昌国人那样固执:
「那都是很好很好的,可是我偏不喜欢。」
※ 来源:·BBS 水木清华站 bbs.net.tsinghua.edu.cn·[FROM: 159.226.21.172]
BBS水木清华站∶精华区