Preventing Vexation and Woe: DNS Fundamentals, Part 2
DNS makes the Internet world go 'round. Carla Schroder takes a look at how DNS works on the server side in the second article of her two-part tutorial on DNS fundamentals.
In Part 1 of our tutorial on DNS fundamentals, we looked at what happens on the client side of DNS. Today we leap into managing DNS on the server side.
Running your own DNS server offers greater control and flexibility. I want to emphasize the importance of being careful when running a public DNS server: be sure you know what you are doing and are willing to do what it takes to manage it competently. Any machine connected to the Internet has the potential to spread havoc far and wide.
Note that it isn't necessary to run a DNS server to manage your own DNS, as there are all kinds of third-party DNS services available. They bear the headaches of keeping the machines running; all the customer needs to know is how to enter their own configuration.
When studying DNS, you'll notice that teaching materials and training courses are very BIND-centric. While standards are supposed to be application- and platform-agnostic, horrid BIND hacks such as TSIG, IXFR, and NOTIFY have somehow wormed their way into DNS standards. Admins who choose DNS servers other than BIND must pay extra-close attention to their documentation. To quote my favorite guru, Ed Sawicki of Alcpress.com:
"The djbdns folks think it's silly to use these BIND-specific mechanisms when we already have excellent general purpose protocols and software to do these things. If you want to move zone files between computers -- and the files might be large -- you can use rsync, which only moves changes. If you're concerned that these file transfers should be secure, run rsync on top of SSL. If you want to be sure you're sending a zone file to a legitimate secondary and you're not being spoofed, configure your firewall and, optionally, use certificates."
djbdns is a collection of DNS-management programs, including tinydns (the name server) and dnscache (the caching component). In my opinion, djbdns is preferable in every way -- it's small, fast, stable, scalable, and secure. See Resources for further discussions of the technical merits of BIND and djbdns. The examples on the following pages use tinydns syntax.