Hosting DNS

Now you have a decision. Are you hosting your own DNS or is someone else doing it for you? If someone else is handling DNS for you, you simply need to contact that person and send them all the information about your domain if you haven't already. They'll need the names and IP addresses of all your machines. They'll also need to know if any machines are acting as email servers and if you have any machines that have multiple names (i.e., mail.yourdomain.com = smtp.yourdomain.com for convenience).

You can also go with a subdomain off a free DNS service such as www.dhs.org. That is how we had nolug.dhs.org set up for a while. They manage the actual primary and secondary DNS servers; you create and manage your <name>.dhs.org domain through a web interface on the site. It's really handy if you just want to have a dirt-cheap presence on the net. There are some methods for dealing with dynamically assigned IPs via dhs.org and some free tools, but that can only work so well. You really need to try to scare up a static IP if you can. Note that in many cases the "dynamic" IP assigned by your DSL or cable provider rarely changes, if ever. The same is not true of dialup accounts, though.

Maybe, though, you're hosting your own DNS server right off of the same connection you plan to provide your other services on. You've already registered your box as a DNS host and the record for your domain has your box and IP as the primary DNS server (we'll get to the secondary server in a minute).

So now you need to choose and set up the software you're going to use to handle DNS requests. In the free software world, you can choose either BIND 4.9x, BIND 8.2.x, or Dan Bernstein's djbdns.

Chances are, your Linux distribution already provides a version of BIND pre-packaged. You need to make certain, though, that it is up to date; check your vendor's security updates page and check for BIND vulnerabilities on www.securityfocus.com. You should also be aware that some vendors install BIND in a potentially more insecure fashion than they should. They let named, the actual BIND daemon, run as root. This is simply not necessary, yet some Unix vendors have installed their prepackaged BIND in this way rather than making sure BIND runs as its own user with limited privileges. For this reason, you may be better off going to www.isc.org and downloading the BIND source and building it that way.

You may also note that I mentioned an alternative freely-available DNS server, djbdns. Dan Bernstein is the author of qmail and he designs his software with security in mind. djbdns follows his usual methodology and consists of multiple daemons with limited jobs, each running as a limited user. This design minimizes the potential damage should a security flaw be found. This may make it a little bit harder to set up initially, but I have always found qmail and other djb-authored programs to be a snap to manage once set up. You can read up on and download djbdns from http://cr.yp.to/djbdns.html. The information on his site is worth a read even if you decide to work with BIND. You may decide to switch at a later time when you're more comfortable with DNS.

I'm actually using neither package at ns1.scottharney.com. My company uses Cisco Network Registrar for DNS and DHCP for a variety of reasons. It's adequate for the task and I manage the machine it's running on which has a reliable connection to the net, so I'm using that instead of my machine at home. I plan to install djbdns on my machine at home and may eventually change ns1.scottharney.com to go there instead but it's really not that important to do.

Your primary DNS server configuration

Now's the part where I cheat a bit and tell you to RTFM. Actually, it's not cheating. The only way for you to realistically learn to set up DNS is to get the software and set it up, and there are boatloads of documentation on doing just that with the software and scattered about the internet. What I will talk about is the Resource Records that represent the domain for nolug.org, so you can see a real live sample.

The best tool for digging up DNS information is dig(1) (most distributions should have it with their other DNS tools), so let's run dig and take a look at the contents of nolug.org.

$ dig @ns1.scottharney.com any nolug.org

; <<>> DiG 8.2 <<>> @ns1.scottharney.com any nolug.org 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 4, ADDITIONAL: 4
;; QUERY SECTION:
;;	nolug.org, type = ANY, class = IN

;; ANSWER SECTION:
nolug.org.		1D IN SOA	ns.nolug.org. scotth.nolug.org. (
					3		; serial
					3H		; refresh
					1H		; retry
					1W		; expiry
					1D )		; minimum

nolug.org.		1D IN MX	10 mail.nolug.org.
nolug.org.		1D IN NS	ns2.scottharney.com.
nolug.org.		1D IN NS	ns1.scottharney.com.
nolug.org.		1D IN NS	ns.scottharney.com.
nolug.org.		1D IN NS	ns.nolug.org.
nolug.org.		1D IN A		216.227.104.189

;; AUTHORITY SECTION:
nolug.org.		1D IN NS	ns.nolug.org.
nolug.org.		1D IN NS	ns2.scottharney.com.
nolug.org.		1D IN NS	ns1.scottharney.com.
nolug.org.		1D IN NS	ns.scottharney.com.

;; ADDITIONAL SECTION:
mail.nolug.org.		1D IN A		216.227.108.209
ns2.scottharney.com.	1D IN A		24.216.138.176
ns1.scottharney.com.	1D IN A		24.216.138.9
ns.nolug.org.		1D IN A		24.216.138.9

;; Total query time: 12 msec
;; FROM: blackflag to SERVER: ns1.scottharney.com  24.216.138.9
;; WHEN: Thu Aug 24 15:58:50 2000
;; MSG SIZE  sent: 27  rcvd: 312

This shows the SOA, NS, MX and A records for nolug.org.[1] dig's format is almost verbatim the content of a BIND 8.x resource file. The only thing it doesn't show is the CNAME aliases. For example, I have a CNAME www.nolug.org pointing to nolug.org at 216.227.104.189, which is Hunter's machine. This allows both http://www.nolug.org and http://nolug.org to call up the nolug web site.

$ nslookup www.nolug.org

Server:  24-216-138-9.hsacorp.net
Address:  24.216.138.9

Name:    nolug.org
Address:  216.227.104.189
Aliases:  www.nolug.org

I then set up mail.nolug.org to point to my machine at home at 216.227.108.209. The MX record points to mail.nolug.org, so email for nolug.org will be passed off to my machine for handling. And that's pretty much all there is to it.

"But wait!" you're saying, "where's the reverse lookup file?" Well, since we host our machines on Telocity, they have the reverse records for our IP addresses. I could set up a reverse lookup file, but it would never be accessed. All reverse requests will go to Telocity.

I also have the luxury of controlling a secondary DNS server. All the secondary (or "slave" in BIND terminology) does is check with the primary at the periods defined in the SOA part of the DNS record for nolug.org. If there's been an update, the secondary transfers the entire contents of the domain to match the update. If the primary fails to answer a request, the requestor will then try to reach the secondary DNS server.
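To tie the dig listing above to what the secondary actually does with it, here is an added example (my own code, not part of the original article or of BIND): it parses the dig-style records for nolug.org shown earlier, checks the things you would want to know before handing the zone to a secondary (an A record for every NS and for the MX target, the SOA primary listed as an NS, retry shorter than refresh, expire long enough to allow retries), and then works out from the SOA timers when the slave polls, how it decides a transfer is needed (RFC 1982 serial comparison), and when it gives up on the zone. The sample input is copied from the dig output on this page; the function names and the "fresh/retrying/expired" labels are my own.

```python
"""Added example: parse dig-style resource records and run the checks a
primary or secondary DNS operator wants before trusting the zone."""
import re

# Constructed input: the ANSWER and ADDITIONAL sections copied from the dig
# output for nolug.org above (tabs replaced by spaces; the parser does not care).
DIG_OUTPUT = """\
nolug.org.            1D IN SOA   ns.nolug.org. scotth.nolug.org. (
                                  3      ; serial
                                  3H     ; refresh
                                  1H     ; retry
                                  1W     ; expiry
                                  1D )   ; minimum
nolug.org.            1D IN MX    10 mail.nolug.org.
nolug.org.            1D IN NS    ns2.scottharney.com.
nolug.org.            1D IN NS    ns1.scottharney.com.
nolug.org.            1D IN NS    ns.scottharney.com.
nolug.org.            1D IN NS    ns.nolug.org.
nolug.org.            1D IN A     216.227.104.189
mail.nolug.org.       1D IN A     216.227.108.209
ns2.scottharney.com.  1D IN A     24.216.138.176
ns1.scottharney.com.  1D IN A     24.216.138.9
ns.nolug.org.         1D IN A     24.216.138.9
"""

UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def ttl_seconds(value):
    """Convert a BIND/dig time value such as '3H', '1W' or '86400' to seconds."""
    return sum(int(n) * UNITS.get(u.upper(), 1)
               for n, u in re.findall(r"(\d+)([A-Za-z]?)", value))

def parse_records(text):
    """Return (owner, ttl_seconds, type, rdata_tokens) tuples, joining the
    parenthesised multi-line SOA and dropping ';' comments."""
    records, buf = [], ""
    for raw in text.splitlines():
        buf += " " + raw.split(";", 1)[0]
        if buf.count("(") > buf.count(")"):   # record continues on the next line
            continue
        tokens = buf.replace("(", " ").replace(")", " ").split()
        buf = ""
        if len(tokens) < 4:
            continue
        owner, ttl, _class, rtype, *rdata = tokens
        records.append((owner, ttl_seconds(ttl), rtype, rdata))
    return records

def soa_timers(records, zone):
    """Pull serial/refresh/retry/expire/minimum (in seconds) out of the SOA."""
    for owner, _ttl, rtype, rdata in records:
        if owner == zone and rtype == "SOA":
            mname, _rname, serial, refresh, retry, expire, minimum = rdata
            return {"mname": mname, "serial": int(serial),
                    "refresh": ttl_seconds(refresh), "retry": ttl_seconds(retry),
                    "expire": ttl_seconds(expire), "minimum": ttl_seconds(minimum)}
    raise ValueError("no SOA record for " + zone)

def check_zone(records, zone):
    """Consistency checks on the zone's apex records; returns a list of problems."""
    a_names = {owner for owner, _ttl, rtype, _rd in records if rtype == "A"}
    ns_names = {rd[0] for owner, _ttl, rtype, rd in records
                if owner == zone and rtype == "NS"}
    problems = ["NS %s has no A record in the response" % n
                for n in sorted(ns_names) if n not in a_names]
    for owner, _ttl, rtype, rd in records:
        if owner == zone and rtype == "MX" and rd[1] not in a_names:
            problems.append("MX target %s has no A record" % rd[1])
    t = soa_timers(records, zone)
    if t["mname"] not in ns_names:
        problems.append("SOA primary %s is not listed as an NS" % t["mname"])
    if t["retry"] >= t["refresh"]:
        problems.append("SOA retry should be shorter than refresh")
    if t["expire"] <= t["refresh"] + t["retry"]:
        problems.append("SOA expire leaves the slave no time to retry")
    return problems

def serial_newer(candidate, current):
    """RFC 1982 serial arithmetic (32-bit, wrapping): has the primary's serial
    moved ahead of the copy the slave holds?  A slave runs this test at each
    refresh before deciding to transfer the zone."""
    diff = (candidate - current) % 2**32
    return 0 < diff < 2**31

def slave_state(timers, seconds_since_contact):
    """What a slave does with the SOA timers while the primary is silent:
    'fresh' until refresh elapses, then 'retrying' every retry seconds (still
    answering from its last copy), then 'expired' (stops answering for the zone)."""
    if seconds_since_contact < timers["refresh"]:
        return "fresh"
    if seconds_since_contact < timers["expire"]:
        return "retrying"
    return "expired"

if __name__ == "__main__":
    recs = parse_records(DIG_OUTPUT)
    t = soa_timers(recs, "nolug.org.")
    print("serial %d: poll every %ds, retry every %ds, give up after %ds"
          % (t["serial"], t["refresh"], t["retry"], t["expire"]))
    for p in check_zone(recs, "nolug.org."):
        print("problem:", p)
```

Run against the listing above, the only complaint is that ns.scottharney.com has no A record in the response, which is exactly the gap you can see by eye in the ADDITIONAL section; the timers (3H refresh, 1H retry, 1W expiry) pass, so a slave polls eight times a day, keeps serving the old copy for a week if the primary goes quiet, and only then drops the zone.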

So I'm lucky in that I have control of at least two machines with reliable net connections to host DNS. You might have only your one IP. Your best bet is to get a friend to handle secondary for you. Of course, they have to have a domain and a DNS host record set up with a registrar as well. But someone may want to team up with you to share the load. Or <begin subterfuge> you can just select a valid DNS host record and register it as your secondary server even though it won't actually be acting as one. Later, when you find someone who can help you out with secondary, you can update the registration appropriately <end subterfuge>. Of course, whoever you're "borrowing" from might find out and get annoyed, but that's doubtful. The "right thing" to do is definitely to get a friend to do secondary or stick to dhs.org until you can.

Notes

[1]

I am now assuming you've looked at your DNS server software documentation and you have some familiarity with DNS Resource Records. No matter what software you run, it's going to comply with the definitions found in RFC 1034, RFC 1035 and RFC 2136.