Red Hat Enterprise Linux 5 Administration Unleashed
CHAPTER 16 Hostname Resolution with BIND

FQDN such as .com or .net is called the top level domain, with the remaining parts of the FQDN, which are separated by periods, being sub-domains.

These sub-domains are used to divide FQDNs into zones, with the DNS information for each zone being maintained by at least one authoritative name server. Multiple authoritative name servers for a zone can be implemented and are useful when server or network failures occur. The authoritative server that contains the master zone file, which can be modified to update DNS information about the zone, is called the primary master server, or just master server. The additional name servers for the zone are called secondary servers or slave servers. Secondary servers retrieve information about the zone through a zone transfer from the master server or from another secondary server. DNS information about a zone is never modified directly on the secondary server because it would then be out of sync with the master server, which is considered to be the most authoritative.

Some name servers cache lookup data because they depend on other name servers for information and can't talk to authoritative servers directly. The amount of time a record is stored in cache is set with the Time To Live (TTL) field for each resource record. There are also name servers that forward requests to one or more name servers in a list until the lookup is achieved or until all the name servers in the list have been contacted.

A name server can act in multiple roles. For example, a server can be an authoritative server for some zones but a slave server for others. Or, a slave server can also be a caching server.

Allowing Connections

DNS servers use port 53 by default. Incoming and outgoing packets should be allowed on port 53. Also allow connections on port 921 if you configure a lightweight resolver server. The DNS control utility, rndc, connects to the DNS server with TCP port 953 by default. If you are running rndc on the name server, connections on this TCP port from localhost should be allowed. If you are running rndc on additional systems, allow connections to port 953 (or whatever port you have chosen to configure) from these additional systems.

If custom IPTables rules are being used, refer to Chapter 24, "Configuring a Firewall," for details on how to allow connections from a specific port.

If using a default security level in Red Hat Enterprise Linux, use the Security Level Configuration tool. Start it by selecting Administration, Security Level and Firewall from the System menu on the top panel of the desktop or by executing the system-config-securitylevel command. Enter the root password when prompted if running as a user. Click the Add button next to the Other ports table to add a port.

Configuring BIND

BIND uses /etc/named.conf as its main configuration file, the /etc/rndc.conf file as the configuration file for name server control utility rndc, and the /var/named/ directory for zone files and the like. All these files can be configured with a simple text editor, or they can be configured with the graphical Red Hat tool, system-config-bind. Refer to the section "Configuring BIND Graphically" at the end of this chapter for details on using system-config-bind.
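The following /etc/named.conf fragment is an added example, not taken from the book, that ties together the roles and ports described above: a master zone whose zone transfers are limited to its one secondary, a slave zone that pulls from its master, and a controls statement that restricts rndc to TCP port 953 on localhost. The zone names (example.com, example.org), the addresses from the 192.0.2.0/24 documentation range, the key name "rndc-key", and the secret value are assumptions chosen for illustration.

```conf
// /etc/named.conf (added example; names, addresses and the key secret are placeholders)

options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.0.2.1; };   // this host is 192.0.2.1 (assumed)
    allow-query { any; };                          // authoritative data is public
    allow-transfer { none; };                      // default: no zone transfers unless a zone allows them
    recursion no;                                  // authoritative-only; do not act as an open caching resolver
};

// Key shared with rndc; the same key statement belongs in /etc/rndc.conf.
// Generate a real base64 secret with rndc-confgen instead of this placeholder.
key "rndc-key" {
    algorithm hmac-md5;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// rndc control channel: TCP 953, reachable only from localhost, and only with the key.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

// Zone for which this server is the primary master (assumed).
// Transfers are allowed only to the secondary at 192.0.2.2 (assumed); notify keeps it in sync.
zone "example.com" IN {
    type master;
    file "example.com.zone";
    allow-transfer { 192.0.2.2; };
    notify yes;
};

// Zone for which this server is a secondary (slave): data is fetched by zone transfer
// from the master at 192.0.2.10 (assumed) and is never edited locally.
zone "example.org" IN {
    type slave;
    file "slaves/example.org.zone";
    masters { 192.0.2.10; };
};
```

With this configuration, only port 53 needs to be opened to the network; port 953 can stay restricted to the name server itself because both the firewall and the controls statement limit rndc to localhost. If rndc must be run from another host, that host's address has to be added to the controls allow list as well as to the firewall rule, and the key has to be copied to its /etc/rndc.conf.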
