6 - DNS

Unit 6 - DNS

Last Update Unknown

DNS Zones

What is a DNS SOA record?

The DNS ‘start of authority’ (SOA) record stores important information about a domain or zone such as the email address of the administrator, when the domain was last updated, and how long the server should wait between refreshes.

All DNS zones need an SOA record in order to conform to IETF standards. SOA records are also important for zone transfers.

name example.com
record type SOA
MNAME ns.primaryserver.com
RNAME admin.example.com
SERIAL 1111111111
REFRESH 86400
RETRY 7200
EXPIRE 4000000
TTL 11200

The 'RNAME' value here represents the administrator's email address, which can be confusing because it is missing the '@' sign: in an SOA record, admin.example.com is the equivalent of admin@example.com (the first dot stands in for the '@').

$ORIGIN

DNS uses a zone file to translate names into IP addresses. There are four ways to specify a name in the zone file: a fully qualified domain name, a relative name, a single @ character, or a blank space.

  1. If you use an FQDN name, DNS uses the name as it is.
  2. If you use a relative name, DNS uses the $ORIGIN directive's value to convert it into the FQDN name.
  3. If you use a single character @, DNS uses the value of the $ORIGIN directive.
  4. If you use a blank space or leave the field empty, DNS uses the value of the name field of the previous record. If the previous record is not available, it uses the value of the $ORIGIN directive.


The $ORIGIN directive defines the domain or zone name. You can use it anywhere in the zone file. DNS uses it to convert all relative names that come after it into FQDN names. In the zone file, all names that do not end with a dot are considered relative names.

An FQDN (fully qualified domain name) ends with a dot and denotes the complete name.


The $ORIGIN directive is optional. If you do not set its value, DNS uses the domain or zone name configured in the named.conf file as the default value of this directive to process all records.


Linux Zoo

The Linux Zoo Lab can be found here.

Question 3: Forward Zone

/etc/named.conf

sillynet.zone

Question 4: Reverse Zone

/etc/named.conf

sillynet.rev

No $ORIGIN directive is used for the reverse lookup zone, as the origin should be the network address (the reversed network part under in-addr.arpa).

Question 5: Advanced Zone

advanced.zone

advanced.rev

Full /etc/named.conf file


Mentimeter

The answer is test.com.test.com

Since the MX 10 target (email) failed, the next line, MX 20 server 1, is tried. That name is an alias (CNAME) for test.com, which is not fully qualified (it is missing the trailing '.'), so $ORIGIN is appended and it becomes test.com.test.com.
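The following is an added example (not part of the course notes or the lab files) that implements the four $ORIGIN name rules from the section above and applies them to a small zone constructed for this page. It reproduces the Mentimeter pitfall: the CNAME target test.com has no trailing dot, so it expands to test.com.test.com. The sample zone, the record types treated as carrying a name in their data, and the function names are all assumptions of this example.

```python
# Constructed sample zone for this example (not one of the lab's files).
# server1's CNAME target lacks a trailing dot: the Mentimeter pitfall.
SAMPLE_ZONE = """\
$ORIGIN test.com.
@        IN SOA   ns1.test.com. admin.test.com. 1 86400 7200 4000000 11200
         IN MX    10 email
         IN MX    20 server1
email    IN A     192.0.2.10
server1  IN CNAME test.com
www      IN CNAME test.com.
"""

# Types whose last rdata field is a domain name, so it is relative to
# $ORIGIN unless it ends with a dot (same rule as for owner names).
NAME_IN_RDATA = {"CNAME", "NS", "MX", "PTR"}


def qualify(name, origin, previous=None):
    """Apply the four owner-name rules: FQDN, relative, '@', blank."""
    if not name:                         # blank: reuse the previous owner
        return previous or origin        # no previous record: use $ORIGIN
    if name == "@":                      # '@' stands for the $ORIGIN value
        return origin
    if name.endswith("."):               # already an FQDN, used as is
        return name
    return f"{name}.{origin}"            # relative: append $ORIGIN


def parse_zone(text, default_origin=None):
    """Return (owner, type, rdata) triples with every name made absolute."""
    origin, previous, records = default_origin, None, []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue                     # skip blank lines and comments
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            origin += "" if origin.endswith(".") else "."
            continue
        fields = line.split()
        owner = "" if line[0].isspace() else fields.pop(0)
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            fields.pop(0)                # optional TTL and class
        rtype, rdata = fields[0].upper(), fields[1:]
        owner = qualify(owner, origin, previous)
        if rtype in NAME_IN_RDATA:
            rdata[-1] = qualify(rdata[-1], origin)
        records.append((owner, rtype, " ".join(rdata)))
        previous = owner
    return records
```

Running parse_zone(SAMPLE_ZONE) shows the two blank-owner MX lines inheriting the owner test.com. from the SOA record, while server1's CNAME becomes test.com.test.com. and www's (dotted) target stays test.com.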