DNS_Win&Lin-installing

Nslookup results (from a Windows XP workstation):
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Rudy>nslookup ?
*** Can't find server name for address 192.168.1.1: Non-existent domain
*** Default servers are not available
Server:  UnKnown
Address:  192.168.1.1

Non-authoritative answer:
Name:    ?
Address:  24.28.193.9

The two "***" lines are not a resolution failure. On startup nslookup does a reverse lookup on the resolver's own address (192.168.1.1, the home router) so it can print the server's name; that address has no PTR record, so the server is shown as UnKnown. The query itself was still sent to 192.168.1.1 and answered.
What is DNS? The Domain Name System (DNS) converts human-readable names into the IP addresses machines use. It is organised as a hierarchy of zones, each served by authoritative name servers. Its primary use is resolving a name into an IP address, which is known as a forward lookup. A reverse lookup does the opposite: it finds the name associated with an IP address. BIND (Berkeley Internet Name Domain) is the most widely used DNS server software on the Internet. The current major version is BIND 9, which was rewritten to support security enhancements such as DNSSEC, as well as other new features.
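To make the forward/reverse distinction concrete, here is an added Python example (not code from this page or from any DNS product) that builds a DNS query, parses the answer section of a response, and derives the in-addr.arpa name that a reverse lookup asks for. The two sample responses are constructed byte strings, not captured traffic; www.example.com and 192.0.2.10 are placeholder values. The query() function is the only part that needs a network: it sends the query to one named server, which is what nslookup's "server" command and dig's "@" do.

```python
"""Minimal DNS wire-format helpers (RFC 1035): build a query, parse the answer
section of a response, and derive the in-addr.arpa name for a reverse lookup.
Added example; not code from the page it accompanies."""
import os
import socket
import struct

QTYPE = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "PTR": 12, "MX": 15}
QTYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name):
    """'www.example.com' -> length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ip):
    """Owner name to query for a PTR record: octets reversed, under in-addr.arpa."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) < 256 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    return ".".join(reversed(octets)) + ".in-addr.arpa"


def build_query(name, qtype, txid):
    """Standard query: 12-byte header with RD set, one question, nothing else."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 4.1.4); returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # pointer to an earlier copy of the name
            if end is None:
                end = off + 2                     # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg):
    """Return (rcode, [(owner, type, ttl, rdata_as_text), ...]) for the answer section."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip the echoed question(s)
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            text = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5, 12):                  # NS, CNAME, PTR carry a name
            text, _ = decode_name(msg, off)
        else:
            text = msg[off:off + rdlen].hex()
        answers.append((owner, QTYPE_NAME.get(rtype, str(rtype)), ttl, text))
        off += rdlen
    return flags & 0xF, answers


def query(server, name, qtype, timeout=3.0):
    """Ask one specific server over UDP/53. Needs a network; not exercised offline."""
    txid = int.from_bytes(os.urandom(2), "big")    # unpredictable ID, as a real resolver uses
    pkt = build_query(name, qtype, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(pkt, (server, 53))
        data, _ = s.recvfrom(4096)
    if data[:2] != pkt[:2]:                        # not the answer to our question: drop it
        raise ValueError("transaction ID mismatch")
    return parse_response(data)


# Constructed sample responses (not captured traffic): a forward A answer and a reverse PTR answer.
SAMPLE_A = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
            + encode_name("www.example.com") + struct.pack("!HH", 1, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 10]))
SAMPLE_PTR = (struct.pack("!HHHHHH", 0x1235, 0x8180, 1, 1, 0, 0)
              + encode_name(reverse_name("192.0.2.10")) + struct.pack("!HH", 12, 1)
              + b"\xc0\x0c" + struct.pack("!HHIH", 12, 1, 3600, 17) + encode_name("www.example.com"))

if __name__ == "__main__":
    print(parse_response(SAMPLE_A))     # forward lookup: name -> address
    print(parse_response(SAMPLE_PTR))   # reverse lookup: address -> name
```

The transaction-ID check in query() is the minimum a client must do; a resolver that accepts any reply on its socket is what classic cache-poisoning attacks exploit.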
(1) According to the Microsoft website, the upgrade to Windows Server 2003 (with SP1) included several new DNS features:
Improved domain controller name resolution
In response to DNS name resolution failures that may be encountered during location of replication
partners and global catalog servers, domain controllers running Windows Server 2003 with SP1 request
other variations of the server name that might be registered, which results in fewer failures due to DNS
delays and misconfiguration. For more information about DNS name resolution, see How DNS Support
for Active Directory Works on the Microsoft Web site.
Conditional forwarders
Forward DNS queries according to the DNS domain name in the query using conditional forwarders. For
example, a DNS server can be configured to forward all the queries it receives for names ending with
widgets.example.com to the IP address of a specific DNS server or to the IP addresses of multiple DNS
servers.
Stub zones
Using stub zones, keep a DNS server hosting a parent zone aware of the authoritative DNS servers for its
child zone and, thereby, maintain DNS name resolution efficiency.
DNS zone replication in Active Directory
Choose from four default replication options for Active Directory-integrated DNS zone data.
Enhanced DNS security features
DNS provides greater precision in its security administration for the DNS Server service, the DNS Client
service, and DNS data.
Round robin all resource record (RR) types
By default, the DNS Server service will perform round-robin rotation for all resource record (RR) types.
Enhanced debug logging
Use the enhanced DNS Server service debug logging settings to troubleshoot DNS problems.
DNSSEC
DNS provides basic support for the DNS Security Extensions (DNSSEC) protocol as defined in RFC 2535. (RFC 2535 has since been obsoleted by RFC 4033, 4034 and 4035; a Windows Server 2003 DNS server can hold the records of a signed zone as a secondary but does not sign zones or validate signatures itself.)
EDNS0
Enable DNS requestors to advertise the size of their UDP packets and facilitate the transfer of packets
larger than 512 octets, the original DNS restriction for UDP packet size (RFC 1035).
Control automatic NS resource record registration on a server and a zone basis
For more information, see Restrict NS resource record registration and Allow NS record creation for
specific domain controllers.
(2) Upgrading from Windows Server 2003 to Windows Server 2008 also brought new DNS features, such as:
• Background zone loading: DNS servers that host large DNS zones stored in Active Directory Domain Services (AD DS) respond to client queries more quickly after a restart, because zone data is now loaded in the background.
• IP version 6 (IPv6) support: the DNS Server service now fully supports the longer addresses of the IPv6 specification.
• Support for read-only domain controllers (RODCs): the DNS Server role in Windows Server 2008 provides primary read-only zones on RODCs.
• Global single names: the GlobalNames zone provides single-label name resolution for large enterprise networks that do not deploy Windows Internet Name Service (WINS). It is useful where providing single-label resolution through DNS name suffixes is not practical.
• Global query block list: clients of protocols such as the Web Proxy Auto-Discovery Protocol (WPAD) and the Intra-site Automatic Tunnel Addressing Protocol (ISATAP) rely on DNS to resolve well-known host names, so a malicious user who can register a host named wpad or isatap through dynamic update can pose as the legitimate proxy or tunnel endpoint. The DNS Server role in Windows Server 2008 ships with a global query block list (wpad and isatap by default) and does not answer queries for those names in any zone it hosts, which reduces this exposure. The list does not stop such a record from being registered; it only stops it from being served, so it complements, rather than replaces, restricting the zone to secure dynamic updates. The current list can be displayed with dnscmd /info /globalqueryblocklist.
How to install DNS on Windows Server 2003
(3) Before You Start
Before you start to configure your DNS server, gather some basic information. A domain name must be registered with a domain registrar (InterNIC in the original text) before it can be used on the Internet, but if you are configuring this server for internal use only, you can decide what names and IP addresses to use.
You must have the following information:
• Your domain name (registered, if it will be used on the Internet).
• The IP address and host name of each server that you want to provide name resolution for.
Note: The servers may be your mail servers, public access servers, FTP servers, WWW servers, and others.
Before you configure your computer as a DNS server, verify that the following conditions are true:
• Your operating system is configured correctly. In the Windows Server 2003 family, the DNS service depends on the correct configuration of the operating system and its services, such as TCP/IP. If you have a new installation of a Windows Server 2003 operating system, you can use the default service settings; no additional action is needed.
• You have allocated all the available disk space.
• All the existing disk volumes use the NTFS file system. FAT32 volumes are not secure: they do not support file and folder compression, disk quotas, file encryption, or individual file permissions, so zone files and logs on them cannot be protected from other local users.
Install DNS
1. Open Windows Components Wizard. To do so, use the following steps:
a. Click Start, click Control Panel, and then click Add or Remove Programs.
b. Click Add/Remove Windows Components.
2. In Components, select the Networking Services check box, and then click Details.
3. In Subcomponents of Networking Services, select the Domain Name System (DNS) check box,
click OK, and then click Next.
4. If you are prompted, in Copy files from, type the full path of the distribution files, and then click
OK.
Configure DNS
1. Start the Configure Your Server Wizard. To do so, click Start, point to All Programs, point to
Administrative Tools, and then click Configure Your Server Wizard.
2. On the Server Role page, click DNS server, and then click Next.
3. On the Summary of Selections page, view and confirm the options that you have selected. The
following items should appear on this page:
o Install DNS
o Run the Configure a DNS Wizard to configure DNS
If the Summary of Selections page lists these two items, click Next. If the Summary of
Selections page does not list these two items, click Back to return to the Server Role page, click
DNS, and then click Next.
4. When the Configure Your Server Wizard installs the DNS service, it first determines whether the
IP address for this server is static or is configured automatically. If your server is currently
configured to obtain its IP address automatically, the Configuring Components page of the
Windows Components Wizard prompts you to configure this server with a static IP address. To
do so:
a. In the Local Area Connection Properties dialog box, click Internet Protocol (TCP/IP), and then
click Properties.
b. In the Internet Protocols (TCP/IP) Properties dialog box, click Use the following IP
address, and then type the static IP address, subnet mask, and default gateway for this
server.
c. In Preferred DNS, type the IP address of this server.
d. In Alternate DNS, type the IP address of another internal DNS server, or leave this box
blank.
e. When you finish setting up the static addresses for your DNS, click OK, and then click
Close.
5. After you click Close, the Configure a DNS Server Wizard starts. In the wizard, follow these steps:
a. On the Select Configuration Action page, select the Create a forward lookup zone check box, and then click Next.
b. To specify that this DNS server hosts a DNS zone that contains DNS resource records for your network resources, on the Primary Server Location page, click This server maintains the zone, and then click Next.
c. On the Zone Name page, in Zone name, specify the name of the DNS zone for your network, and then click Next. The name of the zone is the same as the name of the DNS domain for your small organization or branch office.
d. On the Dynamic Update page, the original procedure chooses Allow both nonsecure and secure dynamic updates, which lets the DNS resource records for the resources in your network update automatically. Be clear about what "nonsecure" means here: a standard primary zone cannot authenticate update requests, so any host that can reach the server on port 53 can add or overwrite records in the zone, including names such as wpad. If the server is (or will be) a domain controller, store the zone in Active Directory and choose Allow only secure dynamic updates instead; if it must stay a standard primary zone, consider Do not allow dynamic updates and register hosts by hand.
e. On the Forwarders page, click Yes, it should forward queries to DNS servers with the following IP addresses, and then click Next. With this configuration you forward all DNS queries for names outside your network to a DNS server at either your ISP or central office. Type the IP addresses of one or more of those DNS servers.
f. On the Completing the Configure a DNS Wizard page, you can click Back to change any of the settings. To apply your selections, click Finish.
After you finish the Configure a DNS Wizard, the Configure Your Server Wizard displays the This Server is
Now a DNS Server page. To review all the changes that you made to your server in the Configure Your
Server Wizard or to make sure that a new role was installed successfully, click Configure Your Server log.
The Configure Your Server Wizard log is located at %systemroot%\Debug\Configure Your Server.log. To
close the Configure Your Server Wizard, click Finish.
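The dynamic-update choice in step 5d above and the global query block list from the Windows Server 2008 feature list can be seen together in the following added Python example (not code from this page or from Windows DNS). It builds a real RFC 2136 UPDATE message that adds an A record for wpad, then runs it through a simplified model of the server's policy. The setting names NONE / NONSECURE_AND_SECURE / SECURE_ONLY, the zone_db dictionary and the resolve() behaviour are the example's own stand-ins for the real server logic; the zone example.com, the address 192.0.2.66 and the signer name are constructed.

```python
"""Build an RFC 2136 dynamic UPDATE and model how a zone's update setting and a
global query block list treat it. Added example; the policy model is a simplification,
not Windows DNS Server code."""
import struct

OPCODE_UPDATE = 5                      # RFC 2136 section 2
TYPE_A, TYPE_SOA, CLASS_IN = 1, 6, 1


def encode_name(name):
    """'wpad.example.com' -> length-prefixed labels terminated by a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return out + b"\x00"


def build_update(zone, owner, ip, ttl=1200, txid=0x4242):
    """Unsigned UPDATE adding 'owner IN A ip' to zone. Any host can send this packet;
    whether the server applies it depends only on the zone's dynamic-update setting."""
    flags = OPCODE_UPDATE << 11                          # QR=0, opcode=UPDATE
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 1, 0)   # ZOCOUNT PRCOUNT UPCOUNT ADCOUNT
    zone_section = encode_name(zone) + struct.pack("!HH", TYPE_SOA, CLASS_IN)
    rdata = bytes(int(o) for o in ip.split("."))
    update_rr = (encode_name(owner)
                 + struct.pack("!HHIH", TYPE_A, CLASS_IN, ttl, len(rdata)) + rdata)
    return header + zone_section + update_rr


def parse_update(msg):
    """Return (zone, [(owner, ip), ...]) from an UPDATE built as above (no compression,
    no prerequisites); this is what the server reads before deciding to apply it."""
    _, flags, _, _, upcount, _ = struct.unpack("!HHHHHH", msg[:12])
    if (flags >> 11) & 0xF != OPCODE_UPDATE:
        raise ValueError("not an UPDATE message")

    def read_name(off):
        labels = []
        while msg[off]:
            n = msg[off]
            labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
            off += 1 + n
        return ".".join(labels), off + 1

    zone, off = read_name(12)
    off += 4                                              # skip ZTYPE and ZCLASS
    adds = []
    for _ in range(upcount):
        owner, off = read_name(off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == TYPE_A and rdlen == 4:
            adds.append((owner, ".".join(str(b) for b in msg[off:off + 4])))
        off += rdlen
    return zone, adds


# The three choices the Windows wizard offers, modelled as plain labels (assumption).
NONE, NONSECURE_AND_SECURE, SECURE_ONLY = "none", "nonsecure_and_secure", "secure_only"


def apply_update(zone_db, msg, setting, signer=None):
    """Apply the UPDATE to zone_db (dict owner -> ip) if the setting allows it.
    signer is the authenticated principal of a TSIG/GSS-TSIG signed update, None if unsigned.
    Returns True when applied, False when the server would answer REFUSED."""
    if setting == NONE or (setting == SECURE_ONLY and signer is None):
        return False
    _, adds = parse_update(msg)
    for owner, ip in adds:
        zone_db[owner.lower()] = ip
    return True


DEFAULT_GQBL = {"wpad", "isatap"}                         # Windows Server 2008 defaults


def resolve(zone_db, zone, name, block_list=DEFAULT_GQBL):
    """Answer a query from zone_db, except that a name whose first label is on the block
    list is never answered for a zone this server hosts, even if a record was registered."""
    if name.lower().endswith(zone.lower()) and name.split(".")[0].lower() in block_list:
        return None
    return zone_db.get(name.lower())


if __name__ == "__main__":
    db = {}
    rogue = build_update("example.com", "wpad.example.com", "192.0.2.66")
    print("secure-only accepts unsigned update:", apply_update(db, rogue, SECURE_ONLY))
    print("nonsecure accepts unsigned update:", apply_update(db, rogue, NONSECURE_AND_SECURE))
    print("wpad served with block list:", resolve(db, "example.com", "wpad.example.com"))
    print("wpad served without block list:", resolve(db, "example.com", "wpad.example.com", set()))
```

The point the run makes: with nonsecure updates allowed, the rogue wpad record lands in the zone and only the block list keeps it from being handed to clients; with secure-only updates the record is never accepted in the first place.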
How to install DNS on Windows Server 2008
(4) As many of you are probably aware, the Domain Name System (DNS) is now the name
resolution system of choice in Windows. Without it, computers would have a very tough time
communicating with each other.
However, most Windows administrators still rely on the Windows Internet Name Service
(WINS) for name resolution on local area networks and some have little or no experience with
DNS. If you fall into this category, read on. We'll explain how to install, configure, and
troubleshoot a Windows Server 2008 DNS server.
Installation
You can install a DNS server from the Control Panel or when promoting a member server to a domain controller (DC) (Figure A). During the promotion, if a DNS server is not found, you will have the option of installing it.
Figure A: Domain controller
To install a DNS server from the Control Panel, follow these steps:
• From the Start menu, select Control Panel | Administrative Tools | Server Manager.
• Expand and click Roles (Figure B).
• Choose Add Roles and follow the wizard by selecting the DNS role (Figure C).
• Click Install to install DNS in Windows Server 2008 (Figure D).
Figure B: Expand and click Roles
Figure C: DNS role
Figure D: Install DNS
DNS console and configuration
After installing DNS, you can find the DNS console from Start | All Programs | Administrative
Tools | DNS. Windows 2008 provides a wizard to help configure DNS.
When configuring your DNS server, you must be familiar with the following concepts:
• Forward lookup zone
• Reverse lookup zone
• Zone types
A forward lookup zone resolves host names to IP addresses. A reverse lookup zone lets a DNS server return the DNS name that belongs to an IP address; it is the exact opposite of a forward lookup zone. A reverse lookup zone is not required, but it is easy to configure and gives your Windows Server 2008 DNS server full functionality (some mail servers check for a PTR record, and nslookup itself complains when the resolver's address has none, as in the output at the top of this page).
When selecting a DNS zone type, you have the following options: Active Directory (AD) Integrated, Standard Primary, and Standard Secondary. AD Integrated stores the zone data in AD, which is what makes secure (authenticated) dynamic updates possible. This option appears only if AD is configured; if you select it, AD stores and replicates your zone data along with the rest of the directory.
A Standard Primary zone stores the zone in a text file under %systemroot%\System32\dns. Other DNS servers can pull a copy of it by zone transfer. A Standard Secondary zone is such a read-only copy, refreshed from the primary by zone transfer (AXFR/IXFR); it provides redundancy and spreads query load. Because a zone transfer hands out every record in the zone, restrict transfers on the zone's Zone Transfers tab to the IP addresses of your own secondary servers.
To open the DNS server configuration tool:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Highlight your computer name and choose Action | Configure a DNS Server to launch the
Configure DNS Server Wizard.
3. Click Next and choose to configure the following: forward lookup zone, forward and reverse
lookup zone, root hints only (Figure E).
4. Click Next and then click Yes to create a forward lookup zone (Figure F).
5. Select the appropriate radio button to install the desired Zone Type (Figure G).
6. Click Next and type the name of the zone you are creating.
7. Click Next and then click Yes to create a reverse lookup zone.
8. Repeat Step 5.
9. Choose whether you want an IPv4 or IPv6 Reverse Lookup Zone (Figure H).
10. Click Next and enter the information to identify the reverse lookup zone (Figure I).
11. You can choose to create a new file or use an existing DNS file (Figure J).
12. On the Dynamic Update window, specify how DNS accepts secure, nonsecure, or no dynamic
updates.
13. If you need to apply a DNS forwarder, you can apply it on the Forwarders window. (Figure K).
14. Click Finish (Figure L).
Figure E: Configure
Figure F: Forward lookup zone
Figure G: Desired zone
Figure H: IPv4 or IPv6
Figure I: Reverse lookup zone
Figure J: Choose new or existing DNS file
Figure K: Forwarders window
Figure L: Finish
Managing DNS records
You have now installed and configured your first DNS server, and you're ready to add records to the zone(s) you created. There are various types of DNS records available; many of them you will never use. We'll be looking at these commonly used DNS records:
• Start of Authority (SOA)
• Name Servers
• Host (A)
• Pointer (PTR)
• Canonical Name (CNAME) or Alias
• Mail Exchange (MX)
Start of Authority (SOA) record
The Start of Authority (SOA) resource record is always first in any standard zone. The Start of Authority (SOA) tab in the zone's Properties lets you adjust it: you can change the primary server named in the SOA record, the responsible person (the contact mailbox), and the serial number and refresh, retry and expire timers that secondary servers use to decide when to pull a new copy. One of the most useful features of the DNS console is that you can change these settings without deleting your zones and having to re-create them (Figure M).
Figure M: Change configuration
Name Servers
Name Server (NS) records list all name servers for a particular domain. You register all primary and secondary name servers through this record.
To create a Name Server record, follow these steps:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone.
3. Right-click on the appropriate domain and choose Properties (Figure N).
4. Select the Name Servers tab and click Add.
5. Enter the fully qualified domain name (FQDN) and IP address of the DNS server you want to add.
Figure N: Name Server
Host (A) records
A Host (A) record maps a host name to an IP address. These records help you easily identify another server in a forward lookup zone. Host records improve query performance in multiple-zone environments, and you can create the matching Pointer (PTR) record at the same time. A PTR record resolves an IP address to a host name.
To create a Host record:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and click on the folder representing your domain.
3. From the Action menu, select New Host.
4. Enter the Name and IP Address of the host you are creating (Figure O).
5. Select the Create Associated Pointer (PTR) Record check box if you want to create the PTR record at the same time. Otherwise, you can create it later.
6. Click the Add Host button.
Figure O: A Host (A) record
Pointer (PTR) records
A Pointer (PTR) record creates the appropriate entry in the reverse lookup zone for reverse queries. As you saw in Figure O, you have the option of creating a PTR record when creating a Host record. If you did not choose to create your PTR record at that time, you can do it at any point.
To create a PTR record:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Choose the reverse lookup zone where you want your PTR record created.
3. From the Action menu, select New Pointer (Figure P).
4. Enter the Host IP Number and Host Name (the fully qualified name of the host).
5. Click OK.
Figure P: New Pointer
Canonical Name (CNAME) or Alias records
A Canonical Name (CNAME) or Alias record lets a DNS server offer multiple names for a single host: several alias records can point to the one server. This is a common approach if you run both your Web server and your mail server on the same machine, with www and mail both aliased to the host's real name. Two rules apply: a name that has a CNAME may not hold any other record, and an MX or NS record must point at a name that has an A record, not at an alias.
To create a DNS Alias:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
3. From the Action menu, select New Alias.
4. Enter your Alias Name (Figure Q).
5. Enter the fully qualified domain name (FQDN) of the target host.
6. Click OK.
Figure Q: Alias Name
Mail Exchange (MX) records
Mail Exchange (MX) records identify the mail servers for a zone in your DNS database. Each carries a preference value (the Mail Server Priority field): sending servers try the lowest number first and fall back to the higher ones. Creating MX records also helps you keep track of where all of your mail servers are.
To create a Mail Exchange (MX) record:
1. Select DNS from the Administrative Tools folder to open the DNS console.
2. Expand the Forward Lookup Zone and highlight the folder representing your domain.
3. From the Action menu, select New Mail Exchanger.
4. Enter the Host or Domain (Figure R); leave it blank to use the zone name itself.
5. Enter the Mail Server (its FQDN, which must have an A record) and the Mail Server Priority.
6. Click OK.
Figure R: Host or Domain
Other new records
You can create many other types of records. For a complete description, choose Action | Other New Records from the DNS console (Figure S). Select the record of your choice and view the description.
Figure S: Create records from the DNS console
Troubleshooting DNS servers
When troubleshooting DNS servers, the nslookup utility will become your best friend. It is easy to use and very versatile: a command-line utility included with Windows Server 2008 that lets you send test queries to your DNS servers. The answers are useful for troubleshooting name resolution problems and debugging other server-related problems. You can launch nslookup (Figure T) right from the DNS console.
Figure T: Nslookup utility
How to setup DNS on Linux systems
(5) Domain-less DNS For Free
If you have a broadband Internet connection without a static IP and have no desire to have your
own domain name, you can use a free service offered by dyndns.org to set up a home Web/email/ftp server. It offers a dynamic DNS service which will redirect traffic to your server using
their domain name.
With this free service you use your server's hostname but dyndns.org's domain name. You're
basically just adding/modifying an A record for your server in their zone file. Your Web server
would have a URL like:
http://your-hostname.dyndns.org
E-mail addressed to your server would have to have an address like:
you@your-hostname.dyndns.org
Because you'll be using your hostname with dyndns.org's domain name, you have to make sure your hostname isn't the same as that of anyone else using their service. As a result, you'll want to come up with a hostname for your server that's really unique. Recall that you set the hostname during the installation. On Debian you can change it later by editing /etc/hostname (and the matching entry in /etc/hosts). You'll also need to check for the old hostname in the configuration files of any server applications that use it, such as Sendmail and Apache, and edit those files as well.
If you connect your Linux server to the Internet using a modem (we show you how on the Modems page), you'll need a way to keep your connection up long enough for any dynamic DNS changes to take effect, which could take up to 45 minutes. Most ISPs will drop an inactive connection before that. You can use the ping command to keep your PPP connection up. The trick is to run it in the background and set it so it only sends a ping once every five minutes. Pick a Web site and enter:
ping -i 300 www.chosen-site.com > /dev/null &
Just don't forget to bring it to the foreground and stop it once you've disconnected your modem connection. To bring it to the foreground, type:
fg %ping
(the %ping job specifier selects the background job whose command line starts with "ping") and then press Ctrl-C to exit the ping program.
ddclient Configuration File for dyndns.org
If you selected the dyndns.org service when you installed ddclient your
/etc/ddclient.conf file should look something like this:
# Configuration file for ddclient generated by debconf
#
# /etc/ddclient.conf
pid=/var/run/ddclient.pid
protocol=dyndns2
use=if, if=ppp0
server=members.dyndns.org
login=bgates
password=luvlinux
your-debian-box-hostname.dyndns.org
Note that this file shows the ppp0 (dial-up modem) interface was entered during the installation rather than the eth0 you would use for a network card.
If your server is behind a cable/DSL router (such as a Linksys, D-Link, or Netgear) or some other type of firewall or proxy server, replace the line:
use=if, if=ppp0
with the line:
use=web, web=checkip.dyndns.com/, web-skip='Current IP Address:'
This uses a page on dyndns.org's Web site that displays your 'outside' IP address; ddclient reads the address out of the returned HTML. Two points on the credentials: the file holds your account password in clear text, so keep it readable by root only (mode 600; ddclient warns if it is not), and add the line ssl=yes so the login is not sent to members.dyndns.org in the clear.
Security Note: Even home Web/e-mail servers need to be set up securely. Spammers have a
talent for quickly locating improperly secured e-mail servers and using them as spam relay
points. This not only puts your server at risk but gobbles up all your bandwidth. If you are going
to set up a home Web/e-mail server, be sure to do it securely. That not only involves setting up
the server in a secure fashion during the initial install, but also includes configuring Apache and
Sendmail in a secure manner. The procedures on these pages do not result in secure
servers. If you are going to set up your own Web/e-mail server you'll need to buy some books
and do some research to learn how to do it securely. More information is given on the Securing
Servers page. You'll also want to take a look at the Firewall page for information on how to use
IPTABLES entries to help protect your server and your home network. (Remember that if you
only have one server Apache and Sendmail are going to be running on the same system that is
acting as your NAT/firewall system.) In addition, the Packages page shows you how to use the
cron scheduler and a shell script to automatically keep your system up to date with the latest
security patches.
Dynamic DNS is OK for home servers, but it's not really appropriate for businesses. Static IP
addresses and having your ISP or a third party like EasyDNS host your DNS records would be
more appropriate for Internet server implementations by businesses.
Installing ddclient
Before installing this package be sure to sign up for an account with EasyDNS or dyndns.org.
You'll need your account username and password when you install the package. With your
account set up you install the package by typing in
apt-get install ddclient
at the shell prompt. You'll then be prompted for the following:
1. Select the service you want to use.
2. The next screen may seem confusing if you selected EasyDNS in Step 1 because it
prompts you for "your DynDNS fully qualified domain names" and then gives examples
for dyndns.org. What they mean by the "DynDNS" is "Dynamic DNS", not "DynDNS.org".
The "fully qualified" is also a bit misleading. You don't need to enter a trailing period
after the TLD (.com, .net, or .org Top Level Domain). All you need to do is enter your
server's hostname followed by your, or dyndns.org's, domain name. Examples:
debian.gates.com
or
very-unique-hostname.dyndns.org
3. Enter the username you chose when you signed up with your service.
4. Enter the password you chose when you signed up with your service.
5. Enter the interface that will be connecting to the service. This will most likely be 'eth0' for
an ethernet card (even if it is connected to a LAN which has a firewall router) or 'ppp0'
for modem use (note that that's a zero on the end, not the letter O).
6. If you entered 'ppp0' you'll be asked if you want ddclient to run automatically every time
you connect. You may want to select No here so you have the option of running it or not.
7. You'll then be asked if you want to run ddclient as a daemon. If this server is going to be
a full-time Web or e-mail server with a broadband connection you should answer Yes to
this.
The client will now be installed and the appropriate configuration file like the ones shown above
will be created. Even though the file was created for you, we showed you the typical files for
both dyndns.org and EasyDNS services in case you need to edit them at a later point. If you
want to examine your config file you can do so using the nano text editor with the command:
nano /etc/ddclient.conf
If you're using a modem connection you'll want to first connect to your ISP with the pon
command. If you didn't set ddclient to run as a daemon then just type in:
ddclient
at the shell prompt once you're connected. The resulting message will tell you what IP address your external interface has (and what the DNS record will be updated with).
As mentioned earlier, it will take a while for this update to take effect. To see if it has taken effect yet, try pinging your domain name and see whether the returned IP address matches what was shown in the message when you started ddclient. Note that even if you used the above ping command in the background to keep your connection up, you can still issue a second ping command in the foreground to check the returned IP address.
Other DNS Server Files
Given that a DNS server can host the zone files for many different domains, each having two
zone files, it needs a way to tell which zone files are for which domains. It does this in the
named.conf file which, like the zone files themselves, is located in the /etc/bind directory
(which you'll see when we install Bind shortly).
Of the two zone files for each domain, the one we've been talking about all along has been for forward lookups (resolving names to IP addresses). This zone file is typically named db.my-last-name.net.
DNS also offers a "reverse lookup" function that translates IP addresses to host/domain names. The information that makes this possible is stored in the second zone file. Here's a reverse-lookup zone file that corresponds to the simpler zone file we showed earlier:
$TTL 86400
1.168.192.in-addr.arpa.  IN  SOA  ns1.easydns.com. me.my-name.com. (
                              2004011522   ; Serial no., based on date
                              21600        ; Refresh after 6 hours
                              3600         ; Retry after 1 hour
                              604800       ; Expire after 7 days
                              3600 )       ; Minimum TTL of 1 hour
51                       IN  PTR  debian.my-last-name.net.   ; FQDN with trailing dot (see note below)
@                        IN  NS   ns1.easydns.com.
@                        IN  NS   ns2.easydns.com.
Note that the NS records are the same but there are no A records. And since we only have one system handling all three Web, e-mail, and FTP server functions, we only need one PTR record.
A PTR (Pointer) record is the opposite of an A record: its owner is the host part of the IP address and its data is the corresponding hostname. Write that hostname fully qualified, with the trailing dot; a bare "debian" would be read relative to the reverse zone and resolve to debian.1.168.192.in-addr.arpa, which is not what you want. Typically you want a PTR record for every A record in the forward-lookup file, provided the server is in the domain. We don't have PTR records for the name servers above because they're in a different domain (and thus in a different address space).
Why is only the host part of the IP address needed in this file? Because the network portion of the IP address is used when naming the reverse-lookup zone, and it's reversed. Because 192.168.1.0/24 is a 24-bit network (an old "Class C" block), the first three octets make up the network portion of the IP address, so they form the zone name. Only the last octet specifies the individual host, so it's used as the owner name in PTR records. With the above example IP address, the zone file would be named:
db.1.168.192
The reverse-lookup zone file is also located in the /etc/bind directory. There's another place this naming convention is used. Take a look at the start of the SOA record. The domain is specified as
1.168.192.in-addr.arpa
in-addr.arpa is the parent domain for all IPv4 reverse lookups. As you'll see below, the shorthand '@' is normally used instead of spelling out the zone name.
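The record types covered in the Windows section (SOA, NS, A, PTR, CNAME, MX) and the forward/reverse pairing described here can be checked mechanically. The following added Python example (not the page's own code, and not part of BIND) parses zone files in the format shown above and reports the mismatches a practitioner looks for before publishing: an A record without its PTR, a PTR without a matching A, data alongside a CNAME (RFC 1034 section 3.6.2), and an MX or NS that points at an alias (RFC 2181 section 10.3). The two sample zones are constructed for the example; the ftp host and the MX line are deliberately wrong so the checks have something to find.

```python
"""Parse simple BIND-style zone files and cross-check the forward and reverse zones.
Added example; the sample zones are constructed and are not the page's own files."""


def _fqdn(name, origin):
    """Absolute names end in '.'; '@' is the origin; anything else gets the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin


def parse_zone(text, origin):
    """Return [(owner, type, [rdata...])]. Handles $TTL/$ORIGIN, ';' comments, '( )'
    continuation lines, a blank owner meaning 'same owner as the previous record', and the
    optional TTL and class fields. Names in SOA/NS/CNAME/PTR/MX data are made absolute."""
    origin = origin.rstrip(".") + "."
    records, buf, depth, last_owner = [], [], 0, "@"
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                                    # still inside parentheses
        joined, buf = " ".join(buf), []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if joined[0] in " \t":
            tokens.insert(0, last_owner)                # blank owner column
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        last_owner = tokens[0]
        owner, rest = _fqdn(tokens[0], origin), tokens[1:]
        if rest and rest[0].isdigit():
            rest = rest[1:]                             # optional TTL
        if rest and rest[0].upper() == "IN":
            rest = rest[1:]                             # optional class
        rtype, rdata = rest[0].upper(), rest[1:]
        if rtype in ("SOA", "NS", "CNAME", "PTR", "MX"):
            rdata = [t if t.isdigit() else _fqdn(t, origin).lower() for t in rdata]
        records.append((owner.lower(), rtype, rdata))
    return records


def check_zones(forward, reverse, forward_origin):
    """Findings a practitioner wants before publishing the pair of zones."""
    apex = forward_origin.rstrip(".").lower() + "."
    findings = []
    a_pairs = {(o, r[0]) for o, t, r in forward if t == "A"}
    ptr_map = {o: r[0] for o, t, r in reverse if t == "PTR"}
    for owner, ip in a_pairs:                           # every A needs its PTR
        rev = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
        if ptr_map.get(rev) != owner:
            findings.append("A %s -> %s has no matching PTR at %s" % (owner, ip, rev))
    a_owners = {o for o, _ in a_pairs}
    for rev, target in ptr_map.items():                 # every PTR into our zone needs its A
        if (target == apex or target.endswith("." + apex)) and target not in a_owners:
            findings.append("PTR %s -> %s has no A record pointing back" % (rev, target))
    by_owner = {}
    for o, t, _ in forward:
        by_owner.setdefault(o, set()).add(t)
    for o, types in by_owner.items():                   # CNAME must stand alone
        if "CNAME" in types and types != {"CNAME"}:
            findings.append("CNAME %s coexists with %s" % (o, sorted(types - {"CNAME"})))
    cnames = {o for o, t, _ in forward if t == "CNAME"}
    for o, t, r in forward:                             # MX/NS targets must not be aliases
        if t in ("MX", "NS") and r[-1] in cnames:
            findings.append("%s %s points at alias %s" % (t, o, r[-1]))
    return findings


# Constructed sample zones. 'ftp' has no PTR and the MX points at a CNAME on purpose.
FORWARD = """\
$TTL 86400
@       IN  SOA ns1.easydns.com. me.my-name.com. (
            2004011522 ; serial
            21600 3600 604800 3600 )
        IN  NS  ns1.easydns.com.
        IN  NS  ns2.easydns.com.
debian  IN  A   192.168.1.51
ftp     IN  A   192.168.1.52
www     IN  CNAME debian
@       IN  MX  10 www
"""
REVERSE = """\
$TTL 86400
@   IN SOA ns1.easydns.com. me.my-name.com. ( 2004011522 21600 3600 604800 3600 )
@   IN NS  ns1.easydns.com.
@   IN NS  ns2.easydns.com.
51  IN PTR debian.my-last-name.net.
"""

if __name__ == "__main__":
    fwd = parse_zone(FORWARD, "my-last-name.net")
    rev = parse_zone(REVERSE, "1.168.192.in-addr.arpa")
    for finding in check_zones(fwd, rev, "my-last-name.net"):
        print(finding)
```

Run it and it reports the missing PTR for ftp and the MX aimed at the www alias; fix the zones and it reports nothing. named-checkzone catches syntax errors but not these cross-zone inconsistencies, which is why a check like this is worth keeping next to your zone files.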
DNS Tools, Testing, and Troubleshooting
When you're testing changes to your DNS records things may not act the way you expect them
to. What you need is some patience. Most DNS servers cache lookups. If you make a change to
a zone record on EasyDNS or dyndns.org, or the IP address you pulled from your ISP changes
and ddclient sends the update, it'll take the DNS servers at EasyDNS or dyndns.org up to 15
minutes to update. Then the DNS server that your desktop system is using to resolve names
may cache the old information for another 20 to 30 minutes.
If you're using a Windows system to test DNS changes, don't forget that it also has a DNS cache. You can clear it manually from a command prompt with:
ipconfig /flushdns
As a result, if you make a change to your zone records, give it at least 45 minutes before you try to see whether the change had the desired effect. Web browsers also cache name-to-address information. If you're using a Web browser to test your changes, you may want to delete all the files in the browser's cache directory as well.
The above makes playing around with dynamic DNS over a modem kind of a pain. You have to keep the connection up for at least 45 minutes, because if you disconnect you'll pull a different IP address when you reconnect, and your DNS records will then hold an IP address that is no longer yours. That's why I showed you how to run the ping command in the background to keep the dial-up connection alive.
A DNS problem will likely be in one of three places:
• The DNS server addresses specified in the TCP/IP configuration on the PC you are using to do the pinging are not correct.
• The registrar's domain record does not contain the correct name server hostnames and/or addresses.
• The authoritative DNS servers for the domain do not have the domain's zone records configured correctly.
The most basic tool for testing DNS is the ping command. If you can ping a Web server using its IP address but not its domain name, you have a DNS problem. If you can ping a server using its domain name, you'll notice that the server's IP address is also displayed. Verifying that this is the correct IP address verifies that DNS is working properly. Another thing ping can tell you is whether you're pinging an actual server or an alias. Using the MIT example again, you may type in
ping www.mit.edu
but the response will be something like
Pinging DANDELION-PATCH.mit.edu
Another common tool for testing DNS is nslookup (name server lookup); it's available on Linux systems and on Windows NT-family systems (NT Workstation, 2000 Professional and later). As you saw earlier on this page, this command shows you what name server your PC is using to resolve names, and returns hostname and address information for the name you give it as the target. It also has an interactive mode that increases its usefulness. If you simply type in:
nslookup
you'll get a > prompt. There are several statements you can enter at this prompt. A helpful one lets you send queries to a name server other than the default. At the prompt, type the 'server' command followed by the IP address of the DNS server to use:
server 192.168.10.10
Then type the domain name you want information on at the prompt. You'll see in the response that the name server being queried has changed to the one you specified. Type 'exit' at the prompt when you're done. A similar tool on Linux systems is the dig command. The server to query is given on the command line with a leading '@':
dig @192.168.10.10 mit.edu any
The any parameter asks for all record types at that name. Be aware that many servers now answer ANY queries with a deliberately minimal response (RFC 8482), so query the specific type you care about (A, MX, NS and so on) when you want a definitive answer. Check the man pages for dig and nslookup for more information.
If you want to make sure that BIND isn't having a problem with your zone files, you can check
the syslog after you boot the system (which is when BIND starts up and reads the zone files). At
a shell prompt just type in:
nano /var/log/syslog
and look near the bottom of the file. You'll see messages when BIND was started. Check to see
if any of them refer to any errors that were encountered. If it didn't have a problem with the zone
file you'll see it referenced along with:
loaded serial 1
indicating that it has set the serial number (version) to 1.
Your Own DNS Server
Don't set up your Debian system as a DNS server if it doesn't have access to the Internet. It will
try and use external DNS servers (called "root hints" which we explain later) to resolve names
and they won't be accessible. This will cause problems trying to FTP or telnet to your Debian
server even over a local LAN using only IP addresses.
DNS is simply another server application. You can use your Linux system as an authoritative,
LAN, or simple DNS server. Simple DNS servers, and LAN servers which also provide simple
DNS services (resolving Internet host/domain names), need to be connected to the Internet, but
being behind a firewall should not present a problem as long as UDP port 53 is open
on the firewall. If you're going to set up and test a secondary authoritative DNS server you'll also
need TCP port 53 open on the firewall for zone transfers.
We'll show you how to set up simple and LAN DNS servers in this section. Setting up production
("real") authoritative DNS servers (remember that you need at least two) is beyond the scope of
this page because you'll need to do quite a bit more reading to learn about zone transfers
(insecure and secure) between primary and secondary servers and you'll need to know a lot
more about the named.conf file. The issue of server security also becomes more important.
However, seeing how to set up DNS server files for a LAN DNS server will be a good start.
A Simple DNS Server
As mentioned earlier, the most widely used DNS application is called BIND and
installing it is simply a matter of entering the command:
apt-get install bind9
Congratulations! You now have a simple DNS server. Now just change the DNS server
settings in the TCP/IP configuration files on the workstations on your LAN so that they
start using this server as their preferred DNS server. You can use your ISP's DNS
server(s) as alternate servers as this will provide some redundancy if your server ever
goes down. You'll also want to modify the /etc/resolv.conf file on the DNS server
itself so that it points to itself. Do that by opening the file in a text editor with the
command:
nano /etc/resolv.conf
and making sure the first nameserver line is:
nameserver 127.0.0.1
Why is setting up a simple DNS server so easy? Because of things called "root hints".
The root hints are a list of root-level DNS servers in the /etc/bind/db.root file.
Your simple DNS server will query a root server to get the addresses of authoritative
DNS servers for each given domain (so it can contact those authoritative DNS servers
to get the IP addresses of the desired hosts).
Just remember that your simple DNS server needs a 24/7 connection to the Internet. Or
it at least needs to be connected to the Internet any time any system on your LAN
needs to access anything on the Internet.
A LAN DNS Server
We'll cover setting up a LAN DNS server for a small LAN where the workstation
addresses are statically assigned. If you have a larger LAN that uses DHCP, you'll need
to set up the server to respond to DDNS update requests because a system's A record
will need to be updated when DHCP assigns the system a different address.
In setting up a LAN DNS server we need to:
1. Create the forward and reverse zone files.
2. Update the named.conf configuration file with things called "forwarders".
3. Update the named.conf configuration file so that the server knows it's authoritative for the LAN domain.
The zone files are just like the zone files we have above. You can even copy/paste the
following zone files into a text editor and edit them accordingly if you want. If you're
viewing this page on a Windows system, you can copy/paste them into Notepad and
FTP them to your Debian system (remember to use ASCII mode when you FTP).
Because the zone file names aren't Windows-friendly just save them in Notepad using
names like forward.txt and reverse.txt. You can rename them when we copy them from
your home directory to the /etc/bind directory. Remember that FTP won't work with
the root account (it's a security thing) so use the user account you created when you
installed Debian. When you FTP the files to your Debian system they'll go into this
account's home directory. We'll copy them over to the right place in a bit.
Here's the forward-lookup zone file for a LAN with the domain name kplan.net. Note
that the A records are grouped together, as are the other record types, and that there
are no blank lines. However, when trying to get my DNS server to work I did see an
error in the syslog file about the reverse-lookup zone file not ending in a "new line" so
make sure there's a blank line at the bottom of the file.
$TTL 86400
kplan.net.      IN  SOA    woody.kplan.net. keith.kplan.net. (
                2004011522  ; Serial no., based on date
                21600       ; Refresh after 6 hours
                3600        ; Retry after 1 hour
                604800      ; Expire after 7 days
                3600 )      ; Minimum TTL of 1 hour
potato-gw       IN  A      192.168.10.1
w2kpro          IN  A      192.168.10.10
ntserver        IN  A      192.168.10.20
solarisintel    IN  A      192.168.10.30
solarissparc    IN  A      192.168.10.40
woody           IN  A      192.168.10.50
@               IN  NS     woody
@               IN  MX     10 woody
www             IN  CNAME  woody
ftp             IN  CNAME  woody
; woody         IN  CNAME  @
; The line above appeared in the original listing but is commented out here: woody
; already has an A record, and BIND refuses to load a name that has a CNAME plus
; any other record type.
And here's the reverse-lookup zone file for the same domain:
$TTL 86400
@       IN  SOA  woody.kplan.net. keith.kplan.net. (
        2004011522  ; Serial no., based on date
        21600       ; Refresh after 6 hours
        3600        ; Retry after 1 hour
        604800      ; Expire after 7 days
        3600 )      ; Minimum TTL of 1 hour
; PTR and NS targets in a reverse zone must be fully qualified (trailing dot):
; a bare "potato-gw" here would be read as potato-gw.10.168.192.in-addr.arpa.
1       IN  PTR  potato-gw.kplan.net.
10      IN  PTR  w2kpro.kplan.net.
20      IN  PTR  ntserver.kplan.net.
30      IN  PTR  solarisintel.kplan.net.
40      IN  PTR  solarissparc.kplan.net.
50      IN  PTR  woody.kplan.net.
@       IN  NS   woody.kplan.net.
Notice that instead of using 10.168.192.in-addr.arpa at the start of the SOA
record I just used the shortcut. Now when I add a new system to my network I can just
add entries to these two files rather than editing the HOSTS files on all of the servers
and workstations.
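A consistency check for the two zone files above, added here as an example (it is not code from the original page or from BIND): it parses the minimal zone syntax used on this page and reports a name that carries a CNAME next to other records (BIND refuses to load such a zone), reverse-zone PTR or NS targets missing their trailing dot, and A records with no matching PTR. The sample zones are constructed from the page's hosts; named-checkzone validates each file's syntax, but not that the forward and reverse files agree.

```python
import ipaddress

FWD_ORIGIN, REV_ORIGIN = "kplan.net.", "10.168.192.in-addr.arpa."
# Constructed sample cut down from the page's zones; the last FORWARD line and the .50 PTR are deliberate errors.
FORWARD = """$TTL 86400
kplan.net.  IN  SOA  woody.kplan.net. keith.kplan.net. (
            2004011522 21600 3600 604800 3600 )
potato-gw   IN  A      192.168.10.1
woody       IN  A      192.168.10.50
@           IN  NS     woody
woody       IN  CNAME  @
"""
REVERSE = """$TTL 86400
@    IN  SOA  woody.kplan.net. keith.kplan.net. (
              2004011522 21600 3600 604800 3600 )
1    IN  PTR  potato-gw.kplan.net.
50   IN  PTR  woody
@    IN  NS   woody.kplan.net.
"""

def parse_zone(text, origin):
    """Yield (owner_fqdn, type, rdata); handles ';' comments, $TTL, '@', a multi-line SOA and relative owners."""
    depth = 0
    for line in (raw.split(";")[0].strip() for raw in text.splitlines()):
        if not line or line.startswith("$"):
            continue
        if depth:                                # still inside the SOA ( ... )
            depth -= line.count(")")
            continue
        owner, _cls, rtype, *rdata = line.split()
        depth += line.count("(") - line.count(")")
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        yield owner, rtype, " ".join(rdata)

def check_zones(forward=FORWARD, reverse=REVERSE):
    """Return sorted problem strings; an empty list means the two zones agree."""
    fwd, rev = list(parse_zone(forward, FWD_ORIGIN)), list(parse_zone(reverse, REV_ORIGIN))
    cname = {o for o, t, _ in fwd if t == "CNAME"}   # 1. a CNAME owner may hold nothing else
    problems = sorted({f"{o} has a CNAME and other records" for o, t, _ in fwd
                       if o in cname and t != "CNAME"})
    problems += [f"{o} {t} '{r}' is relative to {REV_ORIGIN}"   # 2. needs a final dot
                 for o, t, r in rev if t in ("PTR", "NS") and not r.endswith(".")]
    ptr = {o: r for o, t, r in rev if t == "PTR"}
    for owner, rtype, rdata in fwd:              # 3. every A needs its PTR, and vice versa
        if rtype == "A":
            rev_name = ipaddress.ip_address(rdata).reverse_pointer + "."
            if ptr.pop(rev_name, None) != owner:
                problems.append(f"{rdata} ({owner}) lacks a matching PTR")
    problems += [f"{o} PTR {r} has no matching A record" for o, r in ptr.items()]
    return sorted(problems)
```

Run it against the real files with check_zones(open("/etc/bind/db.kplan.net").read(), open("/etc/bind/db.10.168.192").read()) after every edit to the two zones.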
If you created these files on a Windows system using Notepad and FTPed them to your
Debian server, go into the directory you FTPed them into and move/rename them like
so:
mv forward.txt /etc/bind/db.kplan.net
and
mv reverse.txt /etc/bind/db.10.168.192
While the zone file naming convention that BIND uses by default is db. followed by the
domain name, and the reverse-lookup zone file is similar except that the domain name
is replaced by the reversed network address, you can actually name them whatever you
want. You tell the server what zone files to use in the named.conf file.
named.conf
The named.conf file is the main configuration file for a DNS server. In it you tell the
server what, if any, forwarders to use, what domains it's authoritative for, and which
zone files it should use for each domain.
Forwarders let you specify other DNS servers to use when your DNS server receives a
query for a domain it isn't authoritative for. Your LAN DNS server will be authoritative for
your LAN's domain name, but it won't know about domains on the Internet. When it gets
a query for an Internet domain it will forward the request out to a DNS server specified
in the forwarders section of the named.conf file.
Open the /etc/bind/named.conf file using the ee text editor. In the options
section you'll see an indented block of text like this:
// forwarders {
//     0.0.0.0;
// };
You typically want to put your ISP's DNS servers here. The '//' are comment
characters in this file so you'll need to remove those also. You should end up with a
block of text that looks like this:
forwarders {
192.168.243.9;
192.168.253.9;
};
We used private addresses in the above example but naturally these would be
publicly-accessible DNS servers (your ISP's). Now we have to add the content to the
file so the server knows it's authoritative for the kplan.net domain. At the
bottom of the file you'll see the line:
// add entries for other zones below here
Below this line we'll enter the following for the forward and reverse zone files:
zone "kplan.net" {
type master;
file "/etc/bind/db.kplan.net";
};
zone "10.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.10.168.192";
};
Save the file and we're in business from a server perspective. The named daemon is
running, we already have a root hints database, our zone files are set up, and our
forwarders are set up in the configuration file. Now just change the
/etc/resolv.conf file on any Debian and UNIX systems so it looks like this:
search kplan.net
nameserver 192.168.10.50
On Windows systems you'd have to change the "Preferred DNS server" in the TCP/IP
properties to the 192.168.10.50 address.
Now that you've got a feel for what DNS does for you, and possibly have your own
domain name with name resolution capabilities, it's time to start setting up some
servers.
Sources:
(1) http://technet.microsoft.com/en-us/library/cc784698.aspx
(2) http://technet.microsoft.com/en-us/library/cc753143.aspx
(3) http://support.microsoft.com/kb/814591
(4) http://www.zdnetasia.com/techguide/windows/0,39044904,62040433,00.htm
(5) http://www.aboutdebian.com/dns.htm