Chapter 11. Class #11 - DNS & SMTP

Table of Contents

Intro to DNS
Installing DNS
DNS Configuration
DNS as a Service
Commands to Manipulate DNS
Securing DNS
Additional Notes & Considerations for DNS
Intro to SMTP & postfix
Installing postfix
postfix Configuration
postfix as a Service
Commands to Manipulate postfix
Securing postfix
Additional Notes & Considerations for postfix
Reference Material for this Chapter

DNS & SMTP. Two crucial services that are ubiquitous and often not noticed until they're not available.

Intro to DNS

DNS (the Domain Name System) maps between numeric IP addresses and human-friendly names. The most popular software that implements this protocol is bind, which stands for Berkeley Internet Name Daemon. Other DNS servers are available, such as dnsmasq, a lightweight caching DNS server designed for small networks behind NAT routing. For the purposes of this class we'll focus on bind, but it is possible to satisfy the RHCE requirements using dnsmasq instead. Listed below are the basic types of DNS servers.

Table 11.1. Types of DNS Servers

DNS Server Type     Description
Master (primary)    An authoritative DNS server that holds the primary records for a DNS zone.[a]
Slave (secondary)   An authoritative DNS server that holds copies of zone information replicated from the Master.
Caching             A non-authoritative DNS server that makes queries and holds the answers for a specified amount of time.
Forwarding          A non-authoritative DNS server that forwards requests as needed.

[a] Authoritative means that the information held on this server is the final authority for the zone or entry it contains. All other servers that have information about that zone or entry obtained it from the authoritative server.


The DNS forwarding facility of BIND can be used to create a large site-wide cache on a few servers, reducing traffic over links to external nameservers. It can also be used to allow queries by servers that do not have direct access to the Internet, but wish to look up exterior names anyway. Forwarding occurs only on those queries for which the server is not authoritative and does not have the answer in its cache.

Note that the current RHCE Objectives only require the ability to configure a few behaviors of a caching-only name server. The default configuration is now a caching-only nameserver listening only on localhost.

Installing DNS

The table below lists crucial bind packages and their descriptions.

Table 11.2. Crucial DNS (bind) Packages

Package      Description
bind         The Berkeley Internet Name Domain (bind) DNS server.
bind-utils   Utilities for querying DNS name servers.
bind-chroot  A chroot runtime environment for the bind DNS server.
bind-libs    Libraries used by the bind DNS packages.
bind-devel   Header files and additional libraries needed for bind DNS development.
bind-sdb     bind server with database backends and DLZ support.[a]

[a] Optional; not necessary for small non-authoritative bind installations. "DLZ (Dynamically Loadable Zones) is a patch for BIND version 9 that simplifies BIND administration and reduces memory usage and startup time. DLZ allows you to store your zone data in a database. Unlike using scripts, the changes in your database are immediately reflected in BIND's response to DNS queries, so there is no need to reload or restart BIND. You see, BIND "dynamically loads" the "zone" data it needs to answer a query from the database." See BIND DLZ for details.


Installing bind is accomplished with the following command: `yum -y install bind`. Dependencies are resolved and included automatically. When finished, verify that the packages above are installed by running `rpm -qa | grep bind`.

DNS Configuration

Configuration files for the named daemon live at '/etc/named'. Zone files and the like live at '/var/named'.

DNS as a Service

The DNS service daemon is started and enabled with the usual two-step (the typical "right hand -> left hand") approach: `service named start` and `chkconfig named on`.

Commands to Manipulate DNS

Listed below are several commands that are useful with DNS.

Table 11.3. Useful DNS Commands

Command   Description
`rndc`    Remote Name Daemon Controller, a multi-faceted interface to bind.
`host`    Queries for DNS resolution. Uses '/etc/nsswitch' and '/etc/resolv.conf'.
`dig`     Queries a DNS server directly, bypassing the local config files if desired.

Securing DNS

The named daemon listens on port 53, which must be open for both UDP and TCP. The easiest way to open this port is with the `system-config-firewall-tui` command. The SELinux file contexts, booleans and port labels that apply to named can be listed with the following commands:

  1. `semanage fcontext -l | grep "dns\|named\|bind"`
  2. `semanage boolean -l | grep "dns\|named\|bind"`
  3. `semanage port -l | grep "dns\|named\|bind"`
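Opening port 53 and labelling it for SELinux controls who can reach named; what named then answers is decided by the options block in named.conf. The following example is added here and is not part of the course material: it parses two constructed named.conf fragments, the localhost-only caching configuration described above and a site-wide forwarder left open to any client, and flags the one that would behave as an open recursive resolver. The defaults assumed for absent options (listen on all interfaces, recursion on, recursion allowed per allow-recursion, else allow-query, else localhost) follow BIND's documented behaviour.

```python
import re

# Constructed named.conf fragments (not from the course): the localhost-only
# caching configuration described above, and a site-wide forwarder left open.
CACHING_ONLY = """options {
    listen-on port 53 { 127.0.0.1; };
    directory "/var/named";
    allow-query { localhost; };
    recursion yes;
};"""
OPEN_FORWARDER = """options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
    forwarders { 8.8.8.8; };   // cache external lookups for the whole site
};"""

def options_block(text):
    """Return the body of the options { ... } block with comments stripped."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    text = re.sub(r"(//|#).*", "", text)
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]

def parse_options(text):
    """Map each option to a list of values: brace lists (with optional 'port N') or scalars."""
    body, opts = options_block(text), {}
    for name, vals in re.findall(r"([\w-]+)(?:\s+port\s+\d+)?\s*\{([^}]*)\}\s*;", body):
        opts[name] = [v.strip() for v in vals.split(";") if v.strip()]
    for name, val in re.findall(r"([\w-]+)\s+([^{};\s]+)\s*;", body):
        opts.setdefault(name, [val.strip('"')])
    return opts

def exposure_findings(text):
    """Return warnings when named would recurse for anyone on the Internet (an open resolver)."""
    o = parse_options(text)
    # BIND listens on every IPv4 interface when listen-on is absent, and recursion defaults to yes.
    listens_wide = "any" in o.get("listen-on", ["any"]) + o.get("listen-on-v6", [])
    recursive = o.get("recursion", ["yes"])[0] == "yes"
    # Who may recurse: allow-recursion, else allow-query, else BIND's localhost/localnets default.
    clients = o.get("allow-recursion") or o.get("allow-query") or ["localhost"]
    if listens_wide and recursive and "any" in clients:
        return ["open recursive resolver: listens on all interfaces and recurses for any client"]
    return []
```

Run `exposure_findings` over the real file (`/etc/named.conf`) after any change to `listen-on`, `allow-query` or `forwarders`; an empty list means the server still answers recursive queries only for the clients you intended.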

Additional Notes & Considerations for DNS

There are several types of records that can exist for a DNS zone, among them A, MX, CNAME and NS records. When using dig to query zone information, the type of record returned can be chosen by stating the type explicitly: `dig ns cnn.com`. Note the output in the listing.[31] Below the listing is a table of the most common zone record types.[32]

    ; <<>> DiG 9.9.3-rl.13207.22-P2-RedHat-9.9.3-15.P2.fc19 <<>> ns cnn.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10864
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;cnn.com.                   IN      NS

    ;; ANSWER SECTION:
    cnn.com.            15988   IN      NS      ns2.p42.dynect.net.
    cnn.com.            15988   IN      NS      ns3.timewarner.net.
    cnn.com.            15988   IN      NS      ns1.timewarner.net.
    cnn.com.            15988   IN      NS      ns1.p42.dynect.net.

    ;; Query time: 29 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Thu May 22 15:27:35 CDT 2014
    ;; MSG SIZE  rcvd: 133

Table 11.4. DNS Record Types

Record Type    Description
A (and AAAA)   Authoritative record that lists an IP address for the name.
MX             Mail eXchanger records identify who handles mail for the domain.
CNAME          A Canonical Name record; typically a name that points to another name.
NS             Name Server records tell where the authoritative information about the domain is maintained.
SPF            Sender Policy Framework records validate mail delivery to reduce and/or eliminate spam.
TXT            Text records hold additional information about a domain.
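As an added example, not part of the original chapter: a small parser for the dig listing above that pulls out the status, the flags and the answer records, and uses the flags to tell an authoritative answer (aa set) from the cached answer that a recursive resolver such as 8.8.8.8 returns. The embedded input is the page's own listing, trimmed to the lines the parser reads.

```python
import re

# The dig listing above, embedded (header, question, answer and server lines) so it runs offline.
DIG_OUTPUT = """\
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10864
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; QUESTION SECTION:
;cnn.com.                   IN      NS

;; ANSWER SECTION:
cnn.com.            15988   IN      NS      ns2.p42.dynect.net.
cnn.com.            15988   IN      NS      ns3.timewarner.net.
cnn.com.            15988   IN      NS      ns1.timewarner.net.
cnn.com.            15988   IN      NS      ns1.p42.dynect.net.

;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

def parse_dig(text):
    """Parse dig's output into header fields and per-section resource records."""
    out = {"status": None, "flags": [], "server": None,
           "answer": [], "authority": [], "additional": []}
    section = None
    for line in text.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            out["status"] = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            out["flags"] = re.search(r"flags: ([^;]*);", line).group(1).split()
        elif line.startswith(";; SERVER:"):
            out["server"] = line.split()[2]                 # e.g. 8.8.8.8#53(8.8.8.8)
        elif line.endswith(" SECTION:"):
            section = line.strip("; ").split()[0].lower()  # question/answer/authority/additional
        elif not line.strip() or line.startswith(";"):
            continue                                       # blank, comment, or the ;-prefixed question
        elif section in out:
            name, ttl, cls, rtype, rdata = line.split(None, 4)
            out[section].append({"name": name, "ttl": int(ttl), "class": cls,
                                 "type": rtype, "rdata": rdata})
    return out

def rdata_of(parsed, rtype, section="answer"):
    """Sorted rdata of the records of one type, e.g. the NS names delegated for the zone."""
    return sorted(r["rdata"] for r in parsed[section] if r["type"] == rtype)

def is_authoritative(parsed):
    """True only if the responder set the aa flag, i.e. it is an authoritative server for the
    zone (Table 11.1); a caching resolver such as 8.8.8.8 answers from cache without it."""
    return "aa" in parsed["flags"]
```

Querying one of the returned nameservers directly (`dig ns cnn.com @ns1.timewarner.net`) is the way to obtain an answer with aa set; comparing that with the cached answer is a quick check that a resolver is not handing out stale or altered delegation data.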

[31] Note that the ns part of the command as used returns the NS (Name Server) record. Also note that the @ symbol explicitly states which DNS server I want to use for the query.

[32] See DNS Record Types Wikipedia Article for a more exhaustive list.