SYSADMIN Admin Workshop: Resolvers

Insider Tips: Resolving Names in DNS THE NAME GAME www.sxc.hu

The resolver is the window from your to the global DNS system. Simply typing a URL

awakens a link to all over the world.

BY MARC ANDRÉ SELIG

emory artists can memorize a the server to resolve a name to an IP grams actually use the library functions. list of over 300 numbers, but address. Some of them just do their own thing. Mothers might find it hard to The idea behind this roll-your-own remember even the four numbers that The Resolver approach is to avoid the kinds of block- make up an IP address. Most people The interface that provides a means for ages that can occur when using the glibc agree that a name is easier to remember an application to access name resolution functions. Many shell tools were than a number. The advantage of associ- services is commonly known as the designed as debugging tools and thus ating an object with an alphanumeric resolver. One popular approach for inte- provide direct network access. And for name is the real reason for the existence grating name resolution with a another thing, many of these tools are of the huge, globally distributed Domain application is through the GNU C Library static builds, meaning that the resolver Naming System (DNS), a system that (glibc) functions. The most common routines use specific (and often obso- links computer names and addresses functions are gethostbyname(), which lete) library versions. around the world. translates a name into an IP address, and The DNS system has been the subject gethostbyaddr() for going the opposite Settings of countless articles and books, most of direction. This interface, and its auxil- The resolver can use various data them focused on the naming system iary functions, are increasingly being sources. The simplest data source is the itself or on DNS servers such as Berkeley replaced by a more flexible version, /etc/ file (Listing 1), which contains Name Domain (BIND). But on which uses getaddrinfo() to translate a list of numerical addresses and corre- the other end of the connection is an hostnames into IP addresses and sponding names. Each address can be application on a simple desktop com- getnameinfo() for the opposite direction. mapped to one or more names. puter that needs a means of contacting Most scripting languages provide com- The records in the hosts file consist of parable functions; for example, Perl has an address and one or more names, as Marc André Selig gethostbyname() and gethostbyaddr(). well as blank lines and comments. The spends half of his The more recent variants are not avail- listing has various types of entries: the time working as a able – in Perl’s case, they are part of a localhost 127.0.0.1 entry is common to scientific assistant separate module that provides IPv6 all /etc/hosts files, as it is required for at the University of Trier and as an compatibility. local interprocess communications. The ongoing medical Additional resolver tools are available second address block contains important doctor in the Schramberg hospital. at shell level, such as the now obsolete IPv6 addresses. The third block shows If he happens to find time for it, his nslookup tool or the more recent host how addresses on the local network can THEAUTHOR current preoccupation is program- and dig tools. be added to the local database, offering a ing web based databases on various The tricky thing about handling names simple way of handling domain names Unix platforms. and addresses is the fact that not all pro- outside of the local domain. If the

68 ISSUE 59 OCTOBER 2005 WWW.LINUX - MAGAZINE.COM resolver fails to find a order in which the methods �������� requested hostname in /etc/ should be applied. hosts rep- hosts, it can contact a net- resents the local address list work based DNS service such in the /etc/hosts file, and bind ��������������� as BIND. The client can refer refers to network-based to its /etc/resolv.conf file access to the DNS system. (Listing 2) for the address of The multi on entry shown the name server; the file can here means that /etc/hosts either be created manually or can have multiple entries for by the DHCP client. the same name. Normally, up to three dif- The file tells the resolver to ferent name server entries are check /etc/hosts first, to see if permitted. The second and the required name or address third entries are only used if is listed there. If this search the name servers with higher- does not come up with the ranking entries do not re- goods, the DNS service is spond. The options rotate then used; in this case, the entry in Listing 2 changes resolver uses the configura- this behavior for a LAN, tion in /etc/resolv.conf. providing a simple means Host.conf predates glibc of distributing the load across 2.x; that is, it corresponds to multiple machines. libc.so.5 or earlier. Current versions of glibc now use the Sources name service switch from The resolver needs to know Solaris 2 and support a flexi- which of these databases are ble configuration of arbitrary ���������������������������������� available to which Linux sys- lookup services in a freely ���������������������������� tem and in which order they configurable order. ��������������������������������� should be used. This infor- Name service switching is mation is stored in various configured in /etc/nsswitch. ���������������������������������� configuration files. conf (Listing 3). The file con- �������� The original configuration tains a list of services and file for this purpose was /etc/ data sources, as well as a ������������������������������ host.conf. The file might look description of the desired ������������������������������������ like this: behavior. The hosts service is relevant to name resolution; ��������������������������������� order hosts,bind the strategy indicated here, ��������������������������������� multi on files dns, is the default and means that /etc/hosts should ������������������������������ The most important keyword be used first, followed by a ��������������� here is order, followed by the DNS request. �������������������������������� Listing 1: /etc/ hosts �������������������������������� 01 127.0.0.1 localhost.localdomain localhost ishi ������������������������� 02 ������������������ 03 # The following lines are desirable for IPv6 capable hosts ���������� 04 ::1 localhost.localdomain localhost ip6-localhost ip6-loopback 05 fe00::0 ip6-localnet 06 ff00::0 ip6-mcastprefix 07 ff02::1 ip6-allnodes 08 ff02::2 ip6-allrouters 09 ff02::3 ip6-allhosts 10 ���������������� 11 172.16.45.1 natrouter ������������������� 12 216.92.94.3 sedacon.pair.com

������������������������������������ SYSADMIN Admin Workshop: Resolvers

Listing 2: /etc/ resolv.conf an hourly rate, avoiding DNS queries can suggest using firewall rules to prevent save you a lot of money. undesirable DNS queries. 01 nameserver 172.16.45.2 Admins can delete the bind from /etc/ 02 nameserver 172.16.45.3 host.conf and dns from /etc/nsswitch. Keeping in Line 03 options rotate conf to stop the glibc resolver from All of the mechanisms we have dis- accessing the network. However, this cussed are implementation specific. There are more configuration files. will also stop the client from talking to a Although each flavor of Unix has its own Sendmail is just one example of a pro- name server on the LAN. default resolver, the details of the gram that has its own resolver library. If you need to use a tunnel – such as a implementations will differ. For example, The configuration is similar to glibc’s VPN – for confidential work, you will BSD uses a different host.conf format, service switch but not identical. The either need to avoid DNS queries or and Solaris has /etc/netconfig, a method private configuration file for sendmail is direct them through the tunnel. In many that replaces the service switch with a titled /etc/mail/service.switch. It only cases, all you need to do is to configure private library. ■ supports the , hosts, and aliases the system to dispatch email via IP services. Sendmail does not use colons addresses or add the domain name to / Listing 3: /etc/ nsswitch. to separate service names, but other etc/hosts. This leaves the browser as the conf Example than that, /etc/mail/service.switch is very most common instigator of DNS queries. 01 passwd: compat similar to /etc/nsswitch.conf. A Socks-4a proxy, such as privoxy for 02 group: compat example, will serve you well in this case 03 shadow: compat No Net because it allows you to reroute DNS 04 In some circumstances network requests lookups to the other end of the tunnel. may be undesirable. For example, if you Considering the variety of potential 05 hosts: files dns have a modem or DSL, and are charged resolvers, best security practices would 06 networks: files

How DNS Came About and How it Still Works The future was looking bleak. With user recipe for success is decentralization. and the addresses they map to for a numbers booming, the procedures that Instead of a single authority for an domain. The name server may assign had served ARPANET, the Internet prede- unimaginably large number of net- responsibility for subdomains to other cessor, well in the seventies now were worked computers, the system calls for a name servers. collapsing. And one of these procedures kind of group leadership, where an entity If a client is interested in discovering the was the process for mapping names to is responsible for a group of computers address for a specific name, it contacts addresses. The network's admins had known as a domain, and domains them- the name server for its own domain. If simply maintained a large file for this selves can be subdivided into subdo- the name server does not have the purpose, and everyone on the network mains. The graph representing the answer in its database or cache, it then had just used FTP to download a copy. groups and subgroups is a tree, which is contacts the name server that it consid- Anyone wanting to add a new computer very similar to the directory tree in a file- ers to be closest to the target, or at least to the network would simply notify the system. passes this server’s name on to the cli- Network Information Center (NIC) by To address a specific host, you need to ent. In this way, the request navigates email, and NIC would update the central enter its name and domain, and any the domain hierarchy in a targeted way, hosts file and put it up for grabs. superordinate domains up to the root of until it reaches a name server that has Increasing numbers of hosts led to more the tree. This string is referred to as a the answer in its cache or address list traffic due to the need to download the fully qualified domain name (FQDN). A and can respond to the client or the hosts file. The size of the network also name server manages the list of names requesting name server (Figure 1). posed a seemingly unsolvable problem for the network administrators: although Name- it was possible to assign unique server B addresses, there was no way to avoid Name- name conflicts. Unfortunately, duplicate server C names could also cause serious disrup- tions by making possibly more impor- � � � tant namesakes unreachable. Addition- � ally, information had a tendency to become obsolete on the way from the � � NIC to the outer reaches of the network, Resolver Name- Name- server A server D meaning that there was no way to � � ensure consistency. Research into a solution finally led to a Figure 1: Name resolution sometimes requires a chain of several requests and responses: system which – after a few corrections  Client sends request to name server A.  Name server B receives request.  Server B and enhancements – has stood firm in responds with a reference to C.  Server C receives the request from A.  Server C the face of the Internet boom, the responds with a reference to D.  A queries D.  Server D responds with address.  Server (DNS). DNS’s A replies to client.

70 ISSUE 59 OCTOBER 2005 WWW.LINUX - MAGAZINE.COM