System Administration: Another Step toward the BIND - V
OK, we had an extended breather from our last look at BIND's zone file pri.example.org. It's time to finish up and get a sense of what these records mean.
To go off-topic a little, recently, I had the task of setting up two OpenLDAP servers and putting together a test environment for a project with several developers and several applications including some LAMP applications. Without a working knowledge of DNS, the project would have gone amuck.
So, I take DNS seriously and consider it an essential skill set for Linux system administrators. If you're on the path or have the goal of functioning on the server side of the house, get to know this area.
Now, back to the program.
The records designate how one receives email in a domain from other mail transfer agents (MTAs). To receive email on example.org, we list the mail exchanger(s) for the domain. This is done with a MX record:
MX 10 server1.example.org.
This record says that emails for example.org should be delivered to server1.example.org (which is the mailserver for the domain) with a priority of 10. You can list more than one mail exchanger:
MX 10 server1.example.org. MX 20 mail.someotherdomain.com.
Now if mail goes to example.org, the originating MTA attempts to connect to server1.example.org since the DNS directory denotes its priority of 10.
If server1.example.org cannot be reached (for whatever reason), then the originating MTA will use the next server mail.someotherdomain.com. Notice that it has a priority of 20. This may not seem intuitive but the higher the number to the right of the MX record, the lower priority that server receives. In this case, 10 is higher than 20.
Until now we have defined MX records for email addressed to firstname.lastname@example.org. Let's say we want to route email to different departments in a company or sections within a governmental agency. We can do that by adding a subdomain to the mail records.
email@example.com would simply require another mx record:
subdomain.example.org. MX 10 server1.example.org.
Note the '.' at the end of subdomain.example.org. If you do not add the period, then the origin of the zone is appended to the name. For example, if you wrote
subdomain.example.org MX 10 server1.example.org.
without a '.', this would transform to
Up to now we have used the domain names example.org, server1.example.org, and server2.example.org, but we did not specify the IP addresses to which these names should map. We use A records to accomplish the mapping. Many observers consider them the most important DNS records; since you can use them to create host addresses such as www.example.org where www is the host.
Let's create our first A record:
example.org. A 188.8.131.52
This means that example.org has the IP address 184.108.40.206.
Remember to use the period.
Now in a browser you are used to typing www.example.org instead of example.org, aren't you? www.example.org is technically totally different from example.org, but obviously you expect to see the same web site for both. Therefore we create this record:
www A 220.127.116.11
which is the same as
www.example.org. A 18.104.22.168
Finally we specify server1.example.org and ns0.example.org:
server1 A 22.214.171.124 server2 A 126.96.36.199
server2.example.org points to a different IP address which makes sense because it is our secondary nameserver which should be on a different system in case our primary nameserver goes down.
The Bootstrapping Problem -Glue Records
You might wonder how server1.example.org and server2.example.org can be used to look up records for example.org if they are in the zone that is to be looked up. When the TLD servers for org tell us the name servers for example.org, they normally give us a name instead of an IP address (server1.example.org instead of 188.8.131.52).
For situations where the authoritative DNS servers exist in the zone looked up, a glue record exists on the TLD server that maps a name to an IP address (in our case server1.example.org to 184.108.40.206), and the TLD servers deliver the IP address instead of the name of the name server. So I don't have to find you before I can ask where you are.
CNAME is short for "canonical name", you can think of it as an alias to an A record. For example,
ftp CNAME www
means, ftp.example.org is an alias for www.example.org, so ftp.example.org points to the same machine as www.example.org. You may encounter situations, especially downloading Linux packages, where the repository looks like http://ftp.mirrors.kernel.org. This allows someone to reach an ftp site with a browser and download files. CNAMEs permit you to accomplish this.
A CNAME must always point to an A record; not to another CNAME. In addition to that, you must not use CNAME records for MX and SOA records. For example, MX 10 ftp is not allowed.
The use of CNAMEs has pros and cons. Many DNS specialists consider CNAMEs deprecated. Still you might find that CNAME records have some usefulness. For example, if your DNS directory contains many names written as A records, which point to the same IP address.
If you move to another hosting service using different IP address, you would have to update every A record. If you had just one A record and all your other records used CNAMEs, you'd just have to update one A record. So, we still consider that they have a place in the DNS hierarchy.
TXT records give you the ability to assign text to a zone. People primarily use TXT with SPF (Sender Policy Framework) records. Administrators use SPFs to control email from initiating MTAs.
Technically, you can send email from any machine, but the larger email providers such as Yahoo or Hotmail now rely heavily on SPF records to make sure the sending domain has an SPF record. If email arrives from a machine that is not listed in the SPF record, then an MTA could classify you mail as spam.
A wizard exists for creating SPF records at http://www.openspf.org/wizard.html?mydomain=&x=26&y=8. We used this wizard to create an SPF record for example.org, and added it to our zone file:
example.org. TXT "v=spf1 a mx ~all" server1.example.org. TXT "v=spf1 a -all"
Putting It All Together
Now let's look at our zone file pri.example.org. It has changed from the first iteration you read earlier. Notice that we added a CNAME and SPF files.
@ IN SOA server1.example.org. root.localhost. ( 2006012103; serial 28800; refresh, seconds 7200; retry, seconds 604800; expire, seconds 86400 ); minimum, seconds ; NS server1.example.org.; NS server2.example.org. ; ; MX 10 server1.example.org. ; example.org. A 220.127.116.11 www A 18.104.22.168 server1 A 22.214.171.124 server2 A 126.96.36.199 ftp CNAME www example.org. TXT "v=spf1 a mx ~all" server1.example.org. TXT "v=spf1 a -all
Fast/Flexible Linux OS Recovery
On Demand Now
In this live one-hour webinar, learn how to enhance your existing backup strategies for complete disaster recovery preparedness using Storix System Backup Administrator (SBAdmin), a highly flexible full-system recovery solution for UNIX and Linux systems.
Join Linux Journal's Shawn Powers and David Huffman, President/CEO, Storix, Inc.
Free to Linux Journal readers.Register Now!
- Server Hardening
- BitTorrent Inc.'s Sync
- The Death of RoboVM
- The Humble Hacker?
- Open-Source Project Secretly Funded by CIA
- EnterpriseDB's EDB Postgres Advanced Server and EDB Postgres Enterprise Manager
- Download "Linux Management with Red Hat Satellite: Measuring Business Impact and ROI"
- New Container Image Standard Promises More Portable Apps
- The US Government and Open-Source Software
- ACI Worldwide's UP Retail Payments
In modern computer systems, privacy and security are mandatory. However, connections from the outside over public networks automatically imply risks. One easily available solution to avoid eavesdroppers’ attempts is SSH. But, its wide adoption during the past 21 years has made it a target for attackers, so hardening your system properly is a must.
Additionally, in highly regulated markets, you must comply with specific operational requirements, proving that you conform to standards and even that you have included new mandatory authentication methods, such as two-factor authentication. In this ebook, I discuss SSH and how to configure and manage it to guarantee that your network is safe, your data is secure and that you comply with relevant regulations.Get the Guide