Configuring DNS

The Domain Name System (DNS) is a distributed database for objects in a computer network. The basic function of name servers is to provide information about network objects by answering queries. By using a name server approach, the network can be organized into a hierarchy of autonomous domains. The name space is organized as a tree that often resembles the organizations that are responsible for the administration boundaries.

You can configure the Network Registrar DNS server and zones by accepting the system defaults or changing them through the Network Registrar graphical user interface (GUI) or the command line interface (CLI) tool.

This chapter assumes that you have already installed your software by following the instructions in Getting Started with Network Registrar. It describes the Network Registrar DNS server configuration in more detail. If you want more information about how to configure DNS zones, see "Configuring DNS" in this guide.

Table 4-1 lists the topics and sections you need to configure a Network Registrar DNS server.


Table 4-1: DNS Configuration Topics

If you want to... | Go to this section...
Know more about DNS zones before you start configuring your DNS server | "About DNS Zones" section
Configure the first zone as a primary name server | "Configuring the First Zone as a Primary Name Server" section
Configure a reverse zone | "Configuring a Reverse Zone" section
View a primary zone name server's configuration, such as its Start of Authority (SOA) record | "Viewing a Primary Zone Name Server's Configuration" section
Configure a zone's secondary name server and add additional name servers | "Configuring a Zone's Secondary Name Server" section
Add a caching-only server | "About Caching-Only Servers" section
Save and reload the DNS server | "Saving and Reloading the DNS Server" section
Define DNS forwarding servers, including viewing current forwarders and adding, editing, and removing forwarders | "Defining DNS Forwarding Servers" section
Define root name servers, including adding and removing a root name server | "Defining Root Name Servers" section
Specify the exception list, including adding a domain name and address to exception resolution or removing them from it | "Specifying the Exception List" section
Set options, such as enabling recursive queries, round-robin, subnet sorting, incremental transfer (IXFR), and NOTIFY | "Setting DNS Server Options" section
Set advanced options, such as prefetching glue records, reporting lame delegation, enabling relaxed dynamic update, setting cache time limits and size, setting local and external port numbers, setting debug, and rebuilding resource record indexes | "Setting Advanced Options" section

About DNS Zones

A zone is a point of delegation in the DNS tree. It contains all the names from a certain point downward, except those that have been further delegated to other zones. A zone delegation point has one or more Name Server (NS) records in the parent zone that should be matched by equivalent NS records at the root of the delegated zone.

The sample company, QuickExample, has registered the domain example.com. Because its parent zone is com., there is an NS record for example.com in the com zone as well as in the example.com zone (Figure 4-1).


Figure 4-1: Registered in Parent Domain


Programs that store information about the domain name space are called name servers. Name servers usually have complete information about some part of the domain name space, called the zone. Each zone has one primary server, which loads the zone's contents from a local configuration database. Each zone can also have any number of secondary servers, which load the zone contents by fetching the data from the primary server (Figure 4-2).


Figure 4-2: Primary and Secondary Name Servers


You must add a zone for which you configure primary or secondary servers. When you configure a name server as the primary server for the zone, you can enter zone data at that time or you can choose to import zone data from an existing BIND data file.


Note If the domain name you specify in the Resource Records does not have a trailing dot, Network Registrar considers the data to be relative to the current domain. Because Network Registrar stores all names as fully qualified domain names, it will append the current domain name to this name. Remember to specify a trailing dot if you specify the Fully Qualified Domain Name.

Proceed to the "Configuring the First Zone as a Primary Name Server" section to get started. In addition, the "Configuring Hosts" section provides detailed information on how to add or delete hosts in a zone, and other configuration information you will need later to configure DNS zones.

Configuring the First Zone as a Primary Name Server

When you configure your first DNS zone, you must configure two types of primary name servers: a primary zone name server and a reverse zone name server.

You do not need to create a loopback zone because Network Registrar automatically creates one. A loopback zone is a reverse zone that enables a host to resolve the loopback address (127.0.0.1) to the name localhost. The host uses the loopback address to enable it to direct network traffic to itself. If you inadvertently delete your loopback zone, see "Configuring a Loopback Zone" in this guide for information about how to manually configure one.

The procedure is the same for all primary name servers; they just differ in the zone name. For example, if your primary zone name is example.com with the address of 192.168.1.1, then your reverse zone is 1.168.192.in-addr.arpa. and your loopback zone is 127.in-addr.arpa.

Adding a Forward Zone's Primary Name Server

This section explains how to configure a primary forward name server. When you are done with this procedure, follow the procedure in "Configuring a Reverse Zone" section to configure a reverse zone for each network you are using.

Using the GUI:

Step 1 From the Server Manager window (Figure 2-10), select the DNS server that you want to configure as a primary name server for the zone.

Step 2 Click the Add toolbar button to display the Add Zone dialog box (Figure 4-3).


Figure 4-3: Add Zone Dialog Box (DNS Server Manager)


Step 3 Enter the primary name server's zone name.

Step 4 Click the Primary button.

Step 5 Click OK.

Step 6 From the Adding Primary DNS Zone dialog box (Figure 4-4), enter the appropriate information on the associated tab. The minimum information you must supply is SOA, Name Servers, and Hosts.

Step 7 Click the Primary button.

Step 8 Click OK.

Step 9 From the Add Primary DNS Zone dialog box, click the SOA (Start of Authority) tab (Figure 4-3).

Step 10 In the Contact email address field, enter the e-mail address of the administrator. Remember to use "." instead of "@".

Step 11 In the Name of primary server host field, enter the name of the primary server.

Use either the host name (ns) or the full name. If you use the full name, such as ns.example.com., remember to end the name with a period.

Step 12 In the remaining fields, enter the appropriate values for the various times or accept the defaults.

Step 13 Click the Name Servers tab (Figure 4-3).

Step 14 Enter the authoritative servers for this zone that are registered authorities with InterNIC.

Use either the host name (ns) or the full name, ns.example.com. If you use the full name, remember to end the name with a period.


Figure 4-4: SOA Tab (DNS Zone Properties Dialog Box)


Step 15 Reload the DNS server.

Step 16 Click the Resource Records tab to verify your zone configuration now. Review the Resource Records created thus far. You should see one of each record: SOA, NS, and A.

Step 17 Click OK.

Using the CLI:

Step 1 Use the zone create command to create a primary zone.

The following example adds the zone example.com as a primary zone, with nameserver as its name server and hostmaster as its hostmaster.

nrcmd> zone example.com create primary nameserver hostmaster
 

Step 2 Use the zone set command to set the values of the zone.

You can accept the defaults or set the remaining values: expiration time, minimum TTL, refresh time, retry time, and serial number. The following are the default values.

nrcmd> zone example.com set expire=604800
nrcmd> zone example.com set minttl=86400
nrcmd> zone example.com set refresh=10800
nrcmd> zone example.com set retry=3600
nrcmd> zone example.com set serial=1

Step 3 Use the zone addRR command to add the Address (A) resource record.

Although the zone command automatically creates the NS and SOA record for you, use the addRR command to create an A record for the name server named in the ns field.

nrcmd> zone example.com addRR nameserver A 192.168.1.1
 

Step 4 Use the zone addHost command to add hosts.

The following example adds the host bethpc with an IP address of 192.168.1.68.

nrcmd> zone example.com addHost bethpc 192.168.1.68

Importing Zone Data From a Bind Zone File

The easiest and quickest way to create a primary zone is to import an existing BIND format zone file.


Note "Resource Records" describes the BIND formats that Network Registrar supports.

Using the GUI:

Step 1 From the Server Manager window (Figure 2-10), select the DNS server to configure as a primary server for the zone.

Step 2 Click the Add toolbar button to display the Add Zone dialog box.

Step 3 Enter the zone's name.

Step 4 Click the Primary button.

Step 5 Type the name of the BIND file or click the Browse button to locate the BIND file.

Step 6 Click OK.

Step 7 Reload the DNS server.

Using the CLI:

Use the zone create command to create a primary zone by importing an existing file that is in BIND format.

The following example adds the zone example.com as a primary zone and imports its data from the BIND file hosts.local.

nrcmd> zone example.com create primary file=hosts.local
 

To import your entire named.boot configuration, use the import command.

nrcmd> import named.boot /etc/named.boot

Configuring a Reverse Zone

To have a correct DNS configuration, you must create a reverse zone for each network you are using. A reverse zone is a primary zone that allows the Internet to convert IP addresses back to host names. Reverse zones are all in the special domain, in-addr.arpa.

To create a reverse zone manually, follow these instructions.

Using the GUI:

Step 1 From the Server Manager window (Figure 2-10), select the DNS server, for example DNS@localhost.

Step 2 Click the Add toolbar button to display the Add Zone dialog box.

Step 3 Enter the reverse zone name.

Your reverse zone's name is the inverse of your Internet network number, added to the special domain in-addr.arpa. For example, if your network number is 1.2.3.0, then your inverse zone name is 3.2.1.in-addr.arpa. On the other hand, if your network number is 1.2.0.0, then your inverse zone name is 2.1.in-addr.arpa.

Step 4 Click the Primary button.

Step 5 Click OK.

Step 6 From the Add Primary DNS Zone dialog box, click the SOA (Start of Authority) tab (Figure 4-3).

Step 7 In the Contact email address field, enter the e-mail address of the administrator. Remember to use "." instead of "@".

Step 8 In the Name of primary server host field, enter the name of the primary server.

Use either the host name (ns) or the full name. If you use the full name, such as ns.example.com., remember to end the name with a period.

Step 9 In the remaining fields, enter the appropriate values for the various times or accept the defaults.

Step 10 Click the Name Servers tab (Figure 4-3).

Step 11 Enter the authoritative servers for this zone that are registered authorities with InterNIC.

Use either the host name (ns) or the full name, ns.example.com. If you use the full name, remember to end the name with a period.

Step 12 Click Close.

Step 13 Reload the DNS server.

Step 14 Click the Resource Records tab to verify your zone configuration now. Review the Resource Records created thus far. You should see one of each record: SOA, NS, and A.

Step 15 Click OK.


Note After you have configured a reverse zone, Network Registrar automatically creates all the appropriate host address-to-name entries as you add hosts from the Add Hosts dialog box in the forward zone.

Using the CLI:

nrcmd> zone 3.2.1.in-addr.arpa create primary ns andy
 

For adding additional NS records, type

nrcmd> zone 3.2.1.in-addr.arpa addRR ns2 ns ns2.3.2.1.in-addr.arpa
 

This command creates an additional resource record called ns2 in the reverse zone 3.2.1.in-addr.arpa. Its type is NS and its value is ns2.3.2.1.in-addr.arpa.
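The naming rules this chapter relies on (the reverse zone name derived from the network number, the trailing-dot rule for names, and the "." for "@" form of the SOA contact), worked through as an added Python example that is not code from Network Registrar or its documentation. The host names, addresses and e-mail address are constructed, and the argument forms passed to zone create are an assumption based on the commands shown above.

```python
"""Zone naming helpers for the procedures in this chapter.

Added example; this is not code from Network Registrar or its documentation.
It encodes three rules the text states: a reverse zone is the network
number's octets reversed under in-addr.arpa (trailing zero octets dropped),
a name without a trailing dot is relative to the current zone, and the SOA
contact is written with "." in place of "@". Host names, addresses and the
e-mail address in demo() are constructed sample data.
"""
from __future__ import annotations


def _network_octets(network: str) -> list[str]:
    """Significant octets of a dotted-quad network number (trailing zeros dropped)."""
    octets = network.split(".")
    if len(octets) != 4 or not all(o.isdigit() and int(o) <= 255 for o in octets):
        raise ValueError(f"not a dotted-quad network number: {network!r}")
    while octets and octets[-1] == "0":
        octets.pop()
    if not octets:
        raise ValueError("0.0.0.0 has no reverse zone")
    return octets


def reverse_zone_name(network: str) -> str:
    """1.2.3.0 -> 3.2.1.in-addr.arpa., 1.2.0.0 -> 2.1.in-addr.arpa., 127.0.0.0 -> 127.in-addr.arpa."""
    return ".".join(reversed(_network_octets(network))) + ".in-addr.arpa."


def ptr_owner(ip: str, network: str) -> str:
    """Owner name of the address-to-name entry Network Registrar creates for ip."""
    prefix = _network_octets(network)
    octets = ip.split(".")
    if len(octets) != 4 or octets[: len(prefix)] != prefix:
        raise ValueError(f"{ip} is not inside network {network}")
    return ".".join(reversed(octets[len(prefix):])) + "." + reverse_zone_name(network)


def fqdn(name: str, zone: str) -> str:
    """Apply the trailing-dot rule: a name without one gets the zone appended."""
    zone = zone if zone.endswith(".") else zone + "."
    if name == "@":
        return zone
    return name if name.endswith(".") else f"{name}.{zone}"


def soa_contact(email: str) -> str:
    """Write an administrator e-mail address in SOA contact form ("." for "@")."""
    local, at, domain = email.partition("@")
    if not (local and at and domain):
        raise ValueError(f"not an e-mail address: {email!r}")
    # A "." inside the mailbox name would otherwise be read as a label boundary.
    local = local.replace(".", "\\.")
    return f"{local}.{domain}."


def primary_zone_commands(zone: str, ns: str, ns_ip: str, contact: str,
                          network: str, hosts: dict[str, str]) -> list[str]:
    """nrcmd commands that set up a forward zone and the reverse zone for its network.

    Command shapes are the chapter's: zone ... create primary <ns> <contact>,
    zone ... addRR <name> A <ip>, zone ... addHost <name> <ip>. Giving the
    contact in SOA form and, in the reverse zone, the name server as an FQDN is
    this example's choice (an assumption about what the arguments accept).
    """
    for ip in (ns_ip, *hosts.values()):
        ptr_owner(ip, network)  # raises if a host lies outside the reverse zone's network
    contact_rr = soa_contact(contact)
    cmds = [
        f"zone {zone} create primary {ns} {contact_rr}",
        # zone create makes the SOA and NS records; the name server's A record is added by hand.
        f"zone {zone} addRR {ns} A {ns_ip}",
    ]
    cmds += [f"zone {zone} addHost {name} {ip}" for name, ip in hosts.items()]
    # A bare "ns" here would expand to ns.<reverse zone>, so the FQDN with its trailing dot is used.
    cmds.append(f"zone {reverse_zone_name(network)} create primary {fqdn(ns, zone)} {contact_rr}")
    return cmds


def demo() -> list[str]:
    """Constructed sample matching the chapter's example.com / bethpc walk-through."""
    return primary_zone_commands(
        zone="example.com", ns="ns", ns_ip="192.168.1.1",
        contact="hostmaster@example.com", network="192.168.1.0",
        hosts={"bethpc": "192.168.1.68"},
    )


if __name__ == "__main__":
    for cmd in demo():
        print("nrcmd>", cmd)
```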

Importing a Reverse Zone From BIND

To import a reverse zone from BIND, perform these procedures:

Using the GUI:

Step 1 From the Server Manager (Figure 2-10), select the DNS server, for example DNS@localhost.

Step 2 Click the Add toolbar button to display the Add Zone dialog box.

Step 3 In the Name field, enter the reverse zone name.

Step 4 Click the Primary button.

Step 5 Do one of the following: type the name of the BIND file, or click the Browse button to locate the BIND file.

Step 6 Click OK.

Network Registrar imports the contents of your BIND zone file, except for any comments.


Note After you have configured a reverse zone, Network Registrar automatically creates all the appropriate host address-to-name entries as you add hosts from the Add Hosts dialog box in the corresponding forward zone.

Using the CLI:

Use the zone create command to import a reverse zone from BIND. The following example imports the reverse zone myzone, using the BIND zone file hosts.rev.zone_number.

nrcmd> zone myzone create primary file=hosts.rev.zone_number

Viewing a Primary Zone Name Server's Configuration

You can view a name server's configuration by displaying its SOA record. The SOA record designates the top of the zone in the DNS inverted-tree namespace.

For a description of all the Network Registrar system icons, see the "Network Registrar Icons" section.

From the GUI:

Step 1 From the Server Manager window (Figure 2-10), double-click the primary zone.

You can identify a primary zone by its icon displayed in the Server Manager.

Step 2 Click the SOA tab.

Network Registrar displays the zone's SOA record (Figure 4-4). For more information about the SOA Record tab, see the "Setting Start of Authority" section.

From the CLI:

Use the zone list command to view a primary zone name server's SOA record.

nrcmd> zone list
100 Ok
lisad.com. (primary):
auth-servers =
dynamic = enabled
dynupdate-set =
expire = 604800
minttl = 86400
notify =
notify-set =
ns = ns.lisad.com.
origin = lisad.com.
person = me.lisad.com.
refresh = 10800
restrict-xfer = disabled
restricted-set =
retry = 3600
serial = 2
type = primary

Configuring a Zone's Secondary Name Server

When you initially configure a domain, you should choose a primary name server and at least one secondary server. If you have only one secondary server, locate it geographically away from the primary server; it should not be on the same network as the primary server. If you have only one name server and it goes down, no one can look up names. A secondary name server splits the load with the primary name server, or handles the whole load if the primary name server is down.

If you want to reduce the load on the primary server as it answers queries from machines within its domain, you should configure another secondary server. Because the secondary server gets its zone data from the primary server, it contains all the local data.

If you want the secondary server to be authoritative for the zone, create a zone NS record referring to it or add it in the Name Servers dialog box of the primary server. By adding the zone to the Network Registrar list of zones within DNS, you make it authoritative.

Adding a Zone's Secondary Name Server

Before you add a secondary name server, understand that the crucial difference between a primary name server and a secondary name server is where the server gets its data. A primary name server reads its data from files. A secondary name server loads its data over the network from another name server. When a secondary server starts up, it contacts the primary name server it updates from and pulls the zone data over. This is referred to as a zone transfer.

From the GUI:

Step 1 From the Server Manager window (Figure 2-10), select the DNS server to configure as a secondary server for the zone.

Step 2 Click the Add toolbar button to display the Add Zone dialog box (Figure 4-5).


Figure 4-5: Add Zone Dialog Box (DNS Server Manager)


Step 3 Enter the zone's name.

This is the same name that you entered when configuring the primary zone on the other server.

Step 4 Click the Secondary button.

Step 5 Click OK.

Step 6 Click the Secondary Zone Configuration tab in the Add Secondary DNS Zone dialog box, and enter the IP address of the primary server (from which the data will be transferred).


Figure 4-6: Secondary Zone Configuration Dialog Box (DNS Server Manager)


Step 7 Click the Zone Transfers tab, and select to enable or restrict zone transfers.

If you want to restrict zone transfers, enter the IP addresses of those servers from which this secondary zone will accept transfer requests.

Step 8 Click OK.

Step 9 Reload the DNS server.

From the CLI:

Step 1 Use the zone create command to create a secondary zone.

The following example adds the secondary zone example.com, whose primary server's address is 192.168.1.5.

nrcmd> zone example.com create secondary 192.168.1.5
 

Step 2 Optionally, use the zone enable command to restrict zone transfers for this particular zone.

nrcmd> zone example.com enable restrict-xfer
 

Step 3 Optionally, use the zone set command to indicate which servers are allowed to request a zone transfer from this secondary server.

nrcmd> zone example.com set restricted-set=192.168.1.1,192.168.1.20

Adding Additional Name Servers

If it is important that the outside world can always reach you or you need robustness, then you should configure several secondary servers to ensure that at least one of them can supply information about the domain at all times.

Using the CLI:

Use the zone addRR command to add the NS record with the Fully Qualified Domain Name (FQDN). The following example adds an NS record to the zone for the name server with the name ns4.example.com.

nrcmd> zone example.com addRR example.com ns ns4.example.com
 

Follow the instructions in the "Adding a Zone's Secondary Name Server" section.

Using the GUI:

Step 1 From the Server Manager window (Figure 2-10), select the zone to which you want to add additional secondary servers.

Step 2 Click the Show Properties toolbar button to display the Zone Properties dialog box (Figure 4-4).

Step 3 Click the Name Servers tab.

Step 4 Type the name of the secondary name server.

Step 5 Click the Hosts tab.

Step 6 Click OK.

Step 7 Click Add.

Step 8 Re-specify the name of the secondary name server.

Step 9 In the Address field, enter the IP address of the secondary name server.

Step 10 Click Close.

Step 11 Click OK.

Step 12 Reload the DNS server.

Follow the instructions in the "Adding a Zone's Secondary Name Server" section.

Removing Secondary Name Servers

If the capacity of your system changes or you need to reconfigure your network, you can remove a secondary name server.

From the GUI:

Step 1 From the Server Manager (Figure 2-10), select the secondary zone.

Step 2 Click the Remove toolbar button.

Step 3 Click Yes to remove the zone.

Step 4 Reload the DNS server.

Step 5 If the server is listed as authoritative in any other zones, you need to remove it, as follows:

From the CLI:

Use the zone delete command to remove the secondary zone from this server.

nrcmd> zone example.com delete
 

If the name server is listed as authoritative in any primary zone, you need to remove it as follows:

nrcmd> zone example.com removeRR @ NS ns4.example.com.
nrcmd> zone example.com removeRR ns4 A

About Caching-Only Servers

Although all servers are caching servers, because they save the information they receive until the data expires, you can create a caching-only server that is not authoritative for any zone. A caching-only name server's only function is to answer queries by asking other servers, which have the authority, for the information needed. It can then "learn", or cache, the information to answer subsequent queries.

The true value of using a caching-only name server comes after it builds its cache. Each time a caching-only name server queries an authoritative name server and receives its answer, it caches the records. Over time, the cache grows to include the most often requested information. It also lets you avoid the overhead of zone transfers, because a caching-only name server does not need to do them.

When you first install Network Registrar on a system connected to the Internet, it automatically is a caching-only server. It can pose and answer DNS queries about information that it has cached, but is not authoritative, because you have not yet configured any zones.

Creating a Caching-Only Name Server

Because you can have only one DNS server per physical host, if you make this DNS server a caching-only server, you must install another DNS server on another system to create any primary or secondary zones.

From the GUI:

Step 1 From the Server Manager (Figure 2-10), select the DNS server that you want to designate as a caching-only server.

Step 2 Click the Show Properties toolbar button to display the DNS Server Properties dialog box.

Step 3 Click the Options tab (Figure 4-13) and verify that the Enable recursive queries check box (the default) is selected.

Step 4 Click OK.

Step 5 Reload your server to save the changes.

From the CLI:

Use the dns get command to check that the no-recurse feature is disabled.

nrcmd> dns get no-recurse
100 Ok
no-recurse=disabled

Saving and Reloading the DNS Server

After you have configured the DNS server, you must save the data. To have the changes take effect on the live network, you must reload the DNS server.

Using the GUI:

Step 1 From the Server Manager window (Figure 2-10), select the server you want to reload.

Step 2 From the Servers menu, select Reload.

Step 3 Click OK.

Network Registrar stops the server you have selected, updates the database with the new configuration information, and restarts the server.

Using the CLI:

Use the save command to save your changes to Network Registrar's configuration database.

nrcmd> save
 

Use the server command to reload the server.

nrcmd> server DNS reload

Configuring DNS Servers

You can enable or disable the DNS server features. Since there is only one DNS server per cluster, you do not need to reference the server by name.

You can also specify server-wide parameters, such as the server's name, its forwarding servers, its root name servers, and a number of advanced options.


Note Whenever you make changes, you must reload the server to write the configuration information to the Network Registrar database. For procedures for reloading, stopping, and starting the server, see the "Servers Commands (Server Menu)" section.

Displaying General Properties

You can display DNS general server properties, such as the server's cluster name, which is the name of the cluster or host machine to which this server belongs, and the version number, which is the software release number of the Network Registrar DNS server software.

You can change the internal name of the DNS server by deleting the current name and typing a new name. This name is used for notation and does not reflect the server's official name. Network Registrar uses the server's IP address for official name lookups and to tie it to dynamic DNS update.

Using the GUI:

Use the General tab in the DNS Server Properties dialog box to display the cluster name and the version number (Figure 4-7).


Figure 4-7: General Tab (DNS Server Properties Dialog Box)


Using the CLI:

Use the dns show command to display the DNS server's properties.

nrcmd> dns show
100 Ok
DNS@hughpc:
    hide-subzones = disabled
    ixfr-enable = enabled
    ixfr-expire-interval = 7d
    lame-deleg-notify = enabled
    local-port-num = 53
    max-cache-ttl = 7d
    mem-cache-size = 200
    neg-cache-ttl = 10m
    no-fetch-glue = disabled
    no-recurse = disabled
    notify = enabled
    notify-defer-cnt = 100
    notify-min-interval = 2s
    notify-rcv-interval = 5s
    notify-send-stagger = 1s
    notify-wait = 5s
    remote-port-num = 53
    round-robin = enabled
    slave-mode = disabled
    subnet-sorting = disabled
    update-relax-zone-name = disabled

Defining DNS Forwarding Servers

Sites that must limit their network traffic for security reasons, because they pay by the packet, or because the network connection is a slow link, can designate one or more servers to be forwarders for the current server. These servers handle all off-site requests before the local server searches for the answer through the Internet. Over time, the forwarders build up a rich cache of data that can satisfy most requests.

Forwarders are useful in the following situations:


Note You may want to restrict the name server even more by stopping it from even attempting to contact an off-site server. A slave server is a type of server that uses forwarders exclusively. It answers queries from its authoritative and cache data, but it relies completely on the forwarders for data not in its cache. If the forwarders do not provide an answer, it does not try to contact other servers to find information.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Forwarders tab (Figure 4-8).


Figure 4-8: Forwarders Tab (DNS Server Properties Dialog Box)


Step 2 Enter the address of the forwarder you want to add.

Step 3 If you want to make the server a slave server, then select the Slave mode check box.

Using the CLI:

The dns addForwarder command lets you specify the addresses of any name servers that you want your Network Registrar DNS server to use as forwarders. For example, to add the forwarder server 192.168.1.4, type:

nrcmd> dns addForwarder 192.168.1.4


Use the dns enable command with the slave-mode feature to designate this server as a slave server. For example, to enable slave mode, type:

nrcmd> dns enable slave-mode

Viewing Current Forwarders

You can view current forwarders so you can determine if your current forwarder configuration suits your needs.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Forwarders tab (Figure 4-8).

The address of the forwarder or forwarders assigned appears in the list.

Using the CLI:

Use the dns listForwarders command to list all the forwarders for this server.

nrcmd> dns listForwarders

Adding New Forwarders

You can specify multiple forwarders. If the first forwarder does not respond after eight seconds, Network Registrar asks each remaining forwarder in sequence until it receives an answer or until it exhausts the list.

If the DNS server receives no answer, the next step depends on whether you have slave mode on or off.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Forwarders tab (Figure 4-8).

Step 2 Enter the address of the forwarder or forwarders.

Step 3 Click OK.

Removing Forwarders

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Forwarders tab (Figure 4-8).

Step 2 Select the address of the forwarder you want to remove and press Delete.

Step 3 Click OK.

Using the CLI:

You can use the dns removeForwarder command to remove forwarders. The following example removes the forwarder 192.168.1.4.

nrcmd> dns removeForwarder 192.168.1.4

Editing Forwarders

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Forwarders tab (Figure 4-8).

Step 2 Select and delete the address of the forwarder you want to edit. Enter the address of the forwarder you want to add.

Step 3 Click OK.

Using the CLI:

To change the IP address of a forwarder, remove the forwarder and add a new one.

Step 1 Use the dns removeForwarder command to delete the forwarder.

nrcmd> dns removeForwarder 192.168.1.4
 

Step 2 Use the dns addForwarder command to add the new forwarder.

nrcmd> dns addForwarder 192.168.1.1

Defining Root Name Servers

The root name servers know the addresses of the authoritative name servers for all the top-level domains. When you first start a newly installed Network Registrar DNS server, it uses a set of preconfigured hints (sometimes called root hints) as authorities to ask for the current root name servers.

When Network Registrar gets a response to this root-server query, it caches it just like other response records. Network Registrar uses these cached records as its root-server list. When the cached records expire, Network Registrar repeats the process. Because Network Registrar has a persistent cache, it does not need to requery this data when it restarts.

The time to live (TTL) on the official root-server records is currently six days, so Network Registrar will requery every six days, unless you have specified a lower Max. Cache TTL value. For more information about TTLs, see the Glossary.

Because the configured servers are only hints, they do not need to be a complete set. You should periodically (every month to six months) look up the root servers to see if the information needs to be altered or augmented. You can do this by running either the nslookup or the dig command.

Adding a Root Name Server

You can add as many names and addresses as you want. It is important to configure only valid root name servers for proper operation. Network Registrar checks that you are entering a valid name and address, and displays an error message if the information is incorrect.

Using the GUI:

The Root Name Servers tab of the DNS Server Properties dialog box contains a set of hints about root name servers (Figure 4-9).


Figure 4-9: Root Name Servers Tab (DNS Server Properties Dialog Box)


Step 1 In the DNS Server Properties dialog box, click the Root Name Servers tab (Figure 4-9).

Step 2 Enter the name and address you want to add.

Step 3 Click OK.

Using the CLI:

You can use the dns addRootHint command to add root name servers. Specify both the name and address of the server.

nrcmd> dns addRootHint a.root-servers.net 198.41.0.4

Removing a Root Name Server

Perform these steps to remove a root name server.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Root Name Servers tab (Figure 4-9).

You can remove as many names and addresses as you want, by continually selecting and deleting. You must remove both the name and address. If you leave text in either field, Network Registrar displays an error message.

Step 2 Select and delete the name you want to remove.

Step 3 Select and delete the address you want to remove.

Step 4 Click OK.

Using the CLI:

Use the dns removeRootHint command to delete the server.

nrcmd> dns removeRootHint a.root-servers.net

Specifying the Exception List

If you do not want the DNS server to use the standard resolution method of querying the root name servers for certain names outside its domain, use resolution exception to handle your corporation's internal names.


Note This facility is known as Resolution Exception or Intranet Builder.

Resolution exception handles your corporation's internal name resolution by explicitly listing the domains and name servers you want each DNS server to use for specific queries. By specifying the name servers you want DNS to use, Network Registrar can resolve names without resorting to querying the standard root name servers.

For example, the sample company, QuickExample, has four subsidiaries: red, blue, yellow, and green. Each of them has its own domain under the .com domain. When users at red.com want to use resources at blue.com, their DNS server knows that it is not authoritative for blue.com, and attempts to locate blue.com by asking the root name servers.

These queries cause unnecessary traffic, and in some cases fail: internal resources are often barred from external queries, and sites that use private networks cannot be located from outside because their network addresses are not globally unique. The Network Registrar exception handling solves these problems.

To use exception handling, the administrator at red.com lists all the domains that users might want to access, and at least one corresponding name server for each. In this case, the administrator would list the three other domains of the QuickExample company.

Now when a user at red.com wants to access a server at blue.com, the red DNS server queries the specified blue.com's name server instead of querying the root name server.
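The following Python script is an added illustration, not part of Network Registrar or this guide. It models the decision the text describes: a query name is matched, label by label, against the exception domains and sent to that domain's listed name servers; any other name falls back to the root hints. The domains, addresses and root hint are constructed sample data, and the longest-suffix rule for overlapping exception domains is an assumption.

```python
# Added example: how a resolution-exception list steers queries.
# Not Network Registrar code; the data below is constructed for illustration.
from typing import Dict, List, Optional, Tuple

# Constructed exception list, as built by "dns addException <domain> <addr>[,<addr>]".
EXCEPTIONS: Dict[str, List[str]] = {
    "blue.com.": ["192.168.1.4", "192.168.1.7"],
    "yellow.com.": ["192.168.2.4"],
    "green.com.": ["192.168.3.4"],
}

# Constructed root hint, as built by "dns addRootHint <name> <addr>".
ROOT_HINTS: Dict[str, str] = {"a.root-servers.net.": "198.41.0.4"}


def _labels(name: str) -> List[str]:
    """Dotted name -> lowercase labels; the trailing dot is ignored."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def matching_exception(qname: str, exceptions: Dict[str, List[str]]) -> Optional[str]:
    """Return the longest exception domain that qname equals or lies below, else None.

    Matching is done on whole labels, so "notblue.com" does not match "blue.com".
    The longest-suffix preference is an assumption, not documented behavior.
    """
    q = _labels(qname)
    best: Optional[str] = None
    best_len = -1
    for domain in exceptions:
        d = _labels(domain)
        if len(d) <= len(q) and q[len(q) - len(d):] == d and len(d) > best_len:
            best, best_len = domain, len(d)
    return best


def servers_to_query(qname: str,
                     exceptions: Dict[str, List[str]] = EXCEPTIONS,
                     root_hints: Dict[str, str] = ROOT_HINTS) -> Tuple[str, List[str]]:
    """Decide where a query for a name the server is not authoritative for starts.

    Returns ("exception:<domain>", [addresses]) when an exception applies,
    otherwise ("root", [root hint addresses]).
    """
    domain = matching_exception(qname, exceptions)
    if domain is not None:
        return ("exception:" + domain, list(exceptions[domain]))
    return ("root", list(root_hints.values()))


if __name__ == "__main__":
    for name in ("www.blue.com.", "mail.YELLOW.com", "notblue.com.", "www.example.org."):
        print(name, "->", servers_to_query(name))
```

A query for www.blue.com. goes to the two blue.com servers; notblue.com. and www.example.org. go to the root hints because they do not sit under any listed domain.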

Adding an Exception

Exception resolution is a DNS server property that you can assign.

Using the GUI:

Use the Exception tab (Figure 4-10) to add the exception server.

Step 1 In the DNS Server Properties dialog box, click the Exception tab (Figure 4-10).


Figure 4-10: Exception Tab (DNS Server Properties Dialog Box)


Step 2 Click Add domain name.

Step 3 Enter the domain name of the subsidiary you want to access (Figure 4-11).


Figure 4-11: Add Domain Name (DNS Server Properties Dialog Box Exception Tab)


Step 4 Click OK.

Step 5 Enter the address of a name server for that domain (Figure 4-12).

Note that you can specify multiple addresses (name servers) for each exception domain.

Step 6 Click OK.


Figure 4-12: Add Name Server Address Dialog Box (DNS Server Properties Dialog Box Exception Tab)


Using the CLI:

Use the dns addException command to add the exception server. The following example specifies multiple addresses:

nrcmd> dns addException blue.com. 192.168.1.4,192.168.1.7

Removing a Domain Name and Address

You can remove exception properties from a domain name.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Exception tab (Figure 4-10).

Step 2 Select the domain name you want to remove.

Step 3 Click Remove domain name.

Both the name and address are removed.

Using the CLI:

Use the dns removeException command to remove the exception server.

nrcmd> dns removeException blue.com.

Setting DNS Server Options

You can enable or disable DNS server options, such as:

Enabling Recursive Queries

There are two types of queries: recursive, and iterative (also called nonrecursive). DNS clients typically generate recursive queries. When the query is recursive, the name server itself asks other DNS servers, on the client's behalf, for any nonauthoritative data not already in its cache. When the query is nonrecursive, the name server answers only if it is authoritative for the zone or has the answer in its cache; otherwise it refers the client to the name server to ask next.

To enable recursive queries, you must disable the no-recurse property. An authoritative server that is reachable from outside your network should normally keep no-recurse enabled, so that it does not resolve arbitrary names on behalf of arbitrary clients.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Options tab (Figure 4-13).

Step 2 Click the Enable recursive queries check box to enable recursive queries.


Figure 4-13: Options Tab (DNS Server Properties Dialog Box)


Using the CLI:

Use the dns disable command to clear the no-recurse property, which enables recursive queries. By default, no-recurse is disabled, so recursion is on.

nrcmd> dns disable no-recurse

Enabling Round-Robin

A query may result in multiple Resource Records of the same name and type being returned. To compensate for the fact that most DNS clients start with (and most limit their use to) the first record in the list, you can enable round-robin. Enabling Round-Robin ensures successive clients resolving the same name will connect to different addresses. This operation causes the Network Registrar DNS server to rearrange the order of the records each time it is queried.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Options tab (Figure 4-13).

Step 2 Click the Enable round-robin check box to enable round robin.

Using the CLI:

Use the dns enable command to set the round-robin property. By default, round-robin is enabled.

nrcmd> dns enable round-robin

Hiding a Subzone

Hiding a subzone hides its internal infrastructure from outside the zone. When enabled, it must include the top-level domain.

Using the CLI:

Use the dns enable hide-subzones command to have the server hide information about the subzone hierarchy for all zones delegated from this server. This feature collapses a portion of the domain namespace into one virtual zone, so that queriers outside the zone do not learn the names and addresses of the internal delegation points.

nrcmd> dns enable hide-subzones

To disable hide-subzones, use the dns disable command as follows:

nrcmd> dns disable hide-subzones

Enabling Subnet Sorting

If you enable subnet sorting (as implemented in BIND 4.9.7), the Network Registrar DNS server checks the network address of the client before responding to a query. If the client, the DNS server, and the target of the query are on the same subnet, and the target has multiple addresses (multiple A records), the server reorders the address records within the answer, putting the target's closest address first in the response packet. DNS servers always return all of a target's addresses, but most clients use the first address and ignore the others.

If you enable both round-robin and subnet sorting, Network Registrar first applies round-robin sorting and then applies subnet sorting. The result is that if you have a local answer it will remain at the top of the list, and if you have multiple local A records, Network Registrar will cycle through them.
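The interaction between round-robin and subnet sorting described above, as an added Python illustration (not Network Registrar's code): the records are rotated once per query for the name, then stably reordered so that addresses on the client's subnet come first, and only when the client and the server share that subnet. The /24 prefix, the sample addresses and the per-name counter are assumptions.

```python
# Added example: round-robin rotation followed by subnet sorting of A records.
# Not Network Registrar code; addresses and the /24 prefix are constructed assumptions.
import ipaddress
from typing import Dict, List


class RecordOrderer:
    """Orders the A records of an answer the way the text describes."""

    def __init__(self, round_robin: bool = True, subnet_sorting: bool = False) -> None:
        self.round_robin = round_robin
        self.subnet_sorting = subnet_sorting
        self._counters: Dict[str, int] = {}   # per-name rotation counter (assumption)

    def order(self, name: str, addrs: List[str], client: str, server: str,
              prefix: int = 24) -> List[str]:
        out = list(addrs)

        # Step 1: round-robin rotates the list by one position per query for this name.
        if self.round_robin and len(out) > 1:
            n = self._counters.get(name, 0)
            self._counters[name] = n + 1
            k = n % len(out)
            out = out[k:] + out[:k]

        # Step 2: subnet sorting applies only when client and server share the subnet.
        # A stable sort keeps the rotated order among the local addresses, so several
        # local A records still cycle while staying ahead of the remote ones.
        if self.subnet_sorting:
            net = ipaddress.ip_network(f"{client}/{prefix}", strict=False)
            if ipaddress.ip_address(server) in net:
                out.sort(key=lambda a: 0 if ipaddress.ip_address(a) in net else 1)
        return out


if __name__ == "__main__":
    orderer = RecordOrderer(round_robin=True, subnet_sorting=True)
    records = ["10.1.1.5", "10.2.2.5", "10.1.1.6"]   # constructed A records for one name
    for _ in range(3):
        print(orderer.order("www.example.com", records, client="10.1.1.20", server="10.1.1.53"))
```

Three successive queries from 10.1.1.20 return 10.1.1.5, then 10.1.1.6, then 10.1.1.6 again in first position, and 10.2.2.5 never reaches the top; with the server on another subnet, only the rotation is applied.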

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Options tab (Figure 4-13).

Step 2 Click the Enable subnet sorting check box to enable subnet sorting.

Using the CLI:

Use the dns command to enable or disable the subnet-sorting feature. By default, subnet-sorting is disabled.

nrcmd> dns enable subnet-sorting

Enabling Incremental Transfer (IXFR)

IXFR controls whether or not secondary zones can request incremental transfer from their primary zone.


Note NOTIFY, which enables the primary zone to inform its secondary zones when changes have been made, can be used in conjunction with IXFR. They work well together and ensure more efficient zone updates. For more information about IXFR, see RFC 1995 and the "Enabling NOTIFY" section in this guide.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Options tab (Figure 4-13).

Step 2 Click the Enable incremental transfer (IXFR) checkbox to enable incremental transfer.

Using the CLI:

Use the dns command to enable incremental transfer for all zones for which you have not configured specific behavior. By default, ixfr-enable is enabled.

nrcmd> dns enable ixfr-enable
 

In addition, the following optional commands allow you to fine tune IXFR:

Use the zone command to disable incremental transfer for a single zone. The value for incremental transfer is inherited from the dns ixfr-enable command, unless you override it.

nrcmd> zone example.com disable ixfr
 

Use the remote-dns command to allow only some servers to perform incremental transfer.

nrcmd> remote-dns 192.169.1.15 create
nrcmd> remote-dns 192.169.1.15 disable ixfr
 

Use the dns ixfr-expire-interval command to change the incremental transfer interval.

nrcmd> dns set ixfr-expire-interval=7d

Enabling NOTIFY

NOTIFY enables the Network Registrar DNS master (primary zone) to inform its slaves (secondary zones) that changes have been made to its zone. The changes are not communicated in the NOTIFY packet, instead the slaves initiate a zone transfer in response.

Because a master server for a zone does not know specifically which slaves transfer from it, Network Registrar notifies all registered name servers for the zone (name servers listed in the name server Resource Records) when the zone changes. The sole exception to this policy is that Network Registrar does not notify the server named in the SOA mname field (the primary master). For more information about NOTIFY, see RFC 1996.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Options tab (Figure 4-13).

Step 2 Click the Enable NOTIFY check box to enable NOTIFY.

Using the CLI:

Use the dns command to send notification for all zones for which you have not configured specific behavior. By default, notify is enabled.

nrcmd> dns enable notify
 

NOTIFY also notifies the servers you have specified in the notify-set list.

Use the zone command to specify an optional comma-separated list of servers to notify.

nrcmd> zone example.com set notify-set=1.1.1.1,2.2.2.2
 

To see a list of servers that have been set, use the zone get notify-set command.

nrcmd> zone example.com get notify-set
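The notification rule stated above (every name server in the zone's NS records except the SOA mname, plus the servers in notify-set) as an added Python illustration, not Network Registrar's code. The zone data is constructed, and the glue lookup and duplicate removal are assumptions about the details.

```python
# Added example: which addresses a primary sends NOTIFY to for a zone.
# Not Network Registrar code; the zone data in the demonstration is constructed.
from typing import Dict, List


def _canon(name: str) -> str:
    """Lowercase and drop the trailing dot so ns1.example.com. == NS1.example.com."""
    return name.lower().rstrip(".")


def notify_targets(ns_names: List[str], soa_mname: str, glue: Dict[str, str],
                   notify_set: str = "") -> List[str]:
    """Compute the NOTIFY target addresses for one zone.

    ns_names:   owner names from the zone's NS records
    soa_mname:  the primary master named in the SOA mname field; never notified
    glue:       name -> address for the NS names (assumed resolvable locally)
    notify_set: the comma-separated value of the zone's notify-set property
    Returns addresses in a stable order with duplicates removed.
    """
    targets: List[str] = []
    skip = _canon(soa_mname)
    for ns in ns_names:
        if _canon(ns) == skip:
            continue                      # the primary master is the sole exception
        addr = glue.get(_canon(ns))
        if addr is None:
            continue                      # no address known, nothing to send to
        if addr not in targets:
            targets.append(addr)
    for addr in (a.strip() for a in notify_set.split(",")):
        if addr and addr not in targets:
            targets.append(addr)          # explicit notify-set entries are added last
    return targets


if __name__ == "__main__":
    ns = ["ns1.example.com.", "ns2.example.com.", "ns3.example.com."]
    glue = {"ns1.example.com": "192.0.2.1", "ns2.example.com": "192.0.2.2",
            "ns3.example.com": "192.0.2.3"}
    print(notify_targets(ns, "ns1.example.com.", glue, "1.1.1.1,2.2.2.2"))
```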

Setting Advanced Options

You can set advanced options, such as:

Prefetching Glue Records

Glue records are informational records that are included in a response to a query. For example, most answers include Name Server (NS) records, which then cause the inclusion of A records to resolve the NS record name into an address. These A records are the glue records. Selecting the Prefetch glue records option tells the server to find records it would not normally, so it can include them in answers to subsequent queries.


Note A glue record is a DNS A (address) record that specifies the address of a subdomain's authoritative name server.
Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Click the Prefetch glue records check box to enable this property.


Figure 4-14: Advanced Tab (DNS Server Properties Dialog Box)


Using the CLI:

Use the dns command to enable or disable the no-fetch-glue property. Enabling no-fetch-glue turns glue prefetching off. By default, no-fetch-glue is disabled, so the server prefetches glue records.

nrcmd> dns enable no-fetch-glue

Reporting Lame Delegation

Lame delegation occurs when a DNS server listed in the parent's delegation of a zone does not know that it is authoritative for the zone. The server can detect and report this when, in the process of tracking down an answer, it is referred to a server that in turn refers it to another server for a domain closer to the root (actually farther from the answer).
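The referral check described above, as an added Python illustration that is not Network Registrar's code: a referral makes progress when it points to a zone below the one the answering server is listed for; it is lame when it points back at that zone or at one closer to the root. The names and the log line format are assumptions.

```python
# Added example: classifying a referral received during resolution so that
# "toward the root" referrals can be reported as lame delegation.
# Not Network Registrar code; names and the report format are assumptions.
from typing import List


def _labels(name: str) -> List[str]:
    """Dotted name -> lowercase labels; "." and "" both mean the root (no labels)."""
    return [l for l in name.lower().rstrip(".").split(".") if l]


def is_at_or_above(zone: str, name: str) -> bool:
    """True if zone equals name or is an ancestor of it."""
    z, n = _labels(zone), _labels(name)
    if len(z) > len(n):
        return False
    return len(z) == 0 or n[len(n) - len(z):] == z


def classify_referral(qname: str, current_zone: str, referred_zone: str) -> str:
    """
    qname:         the name being resolved
    current_zone:  the zone the server just queried is delegated for
    referred_zone: the zone named in the NS records of its referral
    Returns "progress" (normal downward delegation), "lame" (points at the same
    zone or closer to the root) or "unrelated" (cannot contain the answer).
    """
    if not is_at_or_above(referred_zone, qname):
        return "unrelated"
    if is_at_or_above(referred_zone, current_zone):
        return "lame"
    return "progress"


def lame_delegation_report(qname: str, server: str, current_zone: str,
                           referred_zone: str) -> str:
    """A report line in the spirit of lame-deleg-notify; the wording is an assumption."""
    return (f"lame delegation: {server} is delegated {current_zone} but referred the "
            f"query for {qname} to {referred_zone}")


if __name__ == "__main__":
    q = "host.sub.example.com."
    print(classify_referral(q, "example.com.", "sub.example.com."))   # progress
    print(classify_referral(q, "sub.example.com.", "example.com."))   # lame
    print(lame_delegation_report(q, "192.0.2.53", "sub.example.com.", "example.com."))
```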


Note This does not indicate a problem with the DNS configuration, but with the configuration at the DNS server you are querying. You cannot do anything to correct lame delegation at other domains.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Click the Report lame delegation check box to enable lame delegation reporting.

Using the CLI:

Use the dns command to enable or disable the lame-deleg-notify feature. By default, lame-deleg-notify is disabled.

nrcmd> dns enable lame-deleg-notify

Enabling Relaxed Dynamic Update

You can choose to relax the RFC 2136 restriction on the zone name carried in a dynamic update request. With this property enabled, the zone name in the update may be any name within a zone for which the server is authoritative, rather than the zone name itself. Because this loosens a check on incoming updates, leave it disabled unless a client requires it.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Click the Enable relaxed dynamic update check box to enable this property.

Using the CLI:

Use the dns command to enable or disable the update-relax-zone-name feature. By default, update-relax-zone-name is disabled.

nrcmd> dns enable update-relax-zone-name

Setting Negative Cache Time

To ensure a quick response to repeated requests for the same information, the DNS server maintains a cache of information it has learned from other DNS servers on behalf of its DNS clients. It also remembers negative information, such as "no such name" or "no such data," that it has learned in the same way. It is important to discard this information at some point to accommodate changes that may occur at the authoritative source. The positive information the server learns is always accompanied by a Time To Live (TTL) parameter indicating how long it may be considered valid; negative information is not.

The value of the negative cache time represents the length of time negative information will be considered valid. It should be a relatively short period in order to be responsive to the creation of new data at the authoritative source, yet long enough to serve some value to other clients looking for the same nonexistent information, or retries from a single client.

The default value is 600 seconds or 10 minutes.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Use the Negative cache time field (Figure 4-14) to set the negative cache time in minutes.

Using the CLI:

Use the dns command to set the neg-cache-ttl property to specify the negative cache time in minutes.

nrcmd> dns set neg-cache-ttl=5m

Setting Maximum Cache TTL

The Max. cache TTL option allows you to specify the maximum amount of time you want Network Registrar to retain cached information. TTL is the amount of time that any name server is allowed to cache data learned from other name servers. Each record that is added to the cache arrives with some TTL value. When the TTL period expires, the name server must discard the cached data and get new data from the authoritative name servers the next time information is queried. This parameter limits the lifetime of records in the cache whose TTL values are very large.

The default value is 7 days.
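The two cache lifetimes described above (the negative cache time and the maximum cache TTL) as one added Python illustration, not Network Registrar's code: positive answers keep their authoritative TTL clamped to max-cache-ttl, negative answers get neg-cache-ttl, and both expire on lookup. The value parser accepts the "5m" and "7d" forms used by the nrcmd examples; support for "s" and "h" suffixes and the fake clock are assumptions.

```python
# Added example: a small resolver cache applying neg-cache-ttl and max-cache-ttl.
# Not Network Registrar code; defaults are taken from the text, the rest is assumed.
import time
from typing import Callable, Dict, List, Optional, Tuple

_UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400}   # s and h are assumptions


def parse_duration(value: str) -> int:
    """'600' -> 600, '5m' -> 300, '7d' -> 604800 (the forms the nrcmd examples use)."""
    v = value.strip().lower()
    if v and v[-1] in _UNITS:
        return int(v[:-1]) * _UNITS[v[-1]]
    return int(v)


NEG_CACHE_TTL = 600              # default neg-cache-ttl: 600 seconds
MAX_CACHE_TTL = parse_duration("7d")   # default max-cache-ttl: 7 days


class ManualClock:
    """Deterministic clock for the demonstration, used in place of time.monotonic."""
    def __init__(self, start: float = 0.0) -> None:
        self.now = start
    def advance(self, seconds: float) -> None:
        self.now += seconds
    def __call__(self) -> float:
        return self.now


class ResolverCache:
    def __init__(self, neg_cache_ttl: int = NEG_CACHE_TTL, max_cache_ttl: int = MAX_CACHE_TTL,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.neg_ttl = neg_cache_ttl
        self.max_ttl = max_cache_ttl
        self.clock = clock
        # key -> (expiry time, rdata); rdata None marks a negative entry
        self._entries: Dict[Tuple[str, str], Tuple[float, Optional[List[str]]]] = {}

    def store_positive(self, name: str, rtype: str, rdata: List[str], ttl: int) -> int:
        """Cache an answer; the authoritative TTL is honored but capped at max-cache-ttl."""
        effective = min(int(ttl), self.max_ttl)
        self._entries[(name.lower(), rtype)] = (self.clock() + effective, list(rdata))
        return effective

    def store_negative(self, name: str, rtype: str) -> int:
        """Cache 'no such name' / 'no such data' for neg-cache-ttl seconds."""
        self._entries[(name.lower(), rtype)] = (self.clock() + self.neg_ttl, None)
        return self.neg_ttl

    def lookup(self, name: str, rtype: str) -> Tuple[str, Optional[List[str]]]:
        """Returns ('hit', rdata), ('negative', None) or ('miss', None); expired entries are dropped."""
        key = (name.lower(), rtype)
        entry = self._entries.get(key)
        if entry is None:
            return ("miss", None)
        expires, rdata = entry
        if self.clock() >= expires:
            del self._entries[key]
            return ("miss", None)
        return ("hit", rdata) if rdata is not None else ("negative", None)

    def flush(self) -> None:
        """Drop every entry, like flushing the cache on a stopped server."""
        self._entries.clear()


if __name__ == "__main__":
    clk = ManualClock()
    cache = ResolverCache(neg_cache_ttl=parse_duration("5m"), clock=clk)
    print(cache.store_positive("www.example.com", "A", ["192.0.2.1"], parse_duration("30d")))  # capped
    cache.store_negative("nope.example.com", "A")
    clk.advance(300)
    print(cache.lookup("nope.example.com", "A"), cache.lookup("www.example.com", "A"))
```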

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Use the Max. cache TTL field (Figure 4-14) to set the maximum cache TTL value in minutes.

Using the CLI:

Use the dns command to set the max-cache-ttl property. You can specify the time in days.

nrcmd> dns set max-cache-ttl=5d

Setting Maximum Memory Cache Size

The Maximum memory cache size option allows you to specify how much memory space you want to reserve for the DNS name cache. The more memory allocated for the cache, the less frequently the server will access the disk cache.

The default is 200 KB. One entry is approximately 100 bytes.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Use the Max. memory cache size field (Figure 4-14) to specify how much memory space you want to reserve for the DNS name cache.

Using the CLI:

Use the dns command to set the mem-cache-size property. Specify the size in kilobytes. The default is 200 kilobytes.

nrcmd> dns set mem-cache-size=100

Flushing the DNS Cache

The Flush now option allows you to stop the disk cache file from growing, but the actual behavior depends on whether the DNS server is running or stopped.

If you flush the cache while the server is running, Network Registrar clears all expendable entries from the cache database file. Flushing the cache does not cause the file to shrink in size, because of the nature of the database, but it does create free space within it. Because the memory cache is unaffected by this operation, recently used cache entries are not lost, and performance is not significantly affected.

If you flush the cache when the server is stopped, Network Registrar interprets the request to flush all entries, and removes the cache database file. Network Registrar will reinitialize the database when you restart the server.


Note If you have added a host and want to look for it by using a query tool, such as nslookup, you may need to flush the cache on the other servers (but not on the server where it was added or on a secondary for the zone) to clear previously cached negative information.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Click Flush now (Figure 4-14) to stop the disk cache from growing, but the actual behavior depends on whether your DNS server is running or stopped.

To completely clear a cache that has grown too large, stop the server, and then click
Flush now.

Using the CLI:

Use the dns flushCache command to stop the disk cache file from growing. As with the GUI, the actual behavior depends on whether your DNS server is running or stopped.

nrcmd> dns flushCache

Setting Local and External Port Numbers

If you are experimenting with a new group of name servers, you might want to use nonstandard ports for answering requests and for asking for remote information. The local port setting controls which TCP and UDP port the server listens on for name resolution requests; the external (remote) port setting controls which port it connects to when making requests to other name servers. The standard value for both is 53.

In normal operation, do not change these values. Clients and other name servers expect DNS on port 53, so a server listening on another port appears to be unavailable, and a nonstandard remote port sends the server's own queries to a port on which other name servers are not listening.

Using the GUI:

Step 1 In the DNS Server Properties dialog box, click the Advanced tab (Figure 4-14).

Step 2 Use the Local port field (Figure 4-14) to specify the local port that the server listens on.

Using the CLI:

Use the dns command to set the local-port-num property. The default is 53.

nrcmd> dns set local-port-num=45
 

Use the dns command to set the remote-port-num property. The default is 53.

nrcmd> dns set remote-port-num=40

Setting Debug

The debug option allows you to collect debug information about the DNS server. You should only need to set debug settings if you have been instructed by Technical Support.


Note If you reboot the DNS server after enabling the debug settings, Network Registrar disables debug. You must enable the debug settings again.

From the GUI:

Step 1 From the Server Manager (Figure 2-10), select the DNS server for which you want to set debug options.

Step 2 Click the Show Properties toolbar button.

Step 3 Click the Advanced tab on the DNS Server Properties dialog box (Figure 4-14).

Step 4 Click Debug settings.

Step 5 From the Debug Settings dialog box, click Enable Debug.

Step 6 Type in the category as supplied by Technical Support.

Step 7 Check the output destination:

MLOG is the recommended choice.

Step 8 Click OK.

From the CLI:

Use the server setDebug command to specify the debugging level. The following example provides extensive DNS logging.

nrcmd> server DNS setDebug D=5


To turn off debugging without reloading your server, use the
server unsetDebug command.

nrcmd> server DNS unsetDebug

Rebuilding Resource Records Indexes

You may need to rebuild the Resource Records indexes if you observe resource or host list data that appears inconsistent or if data appears to be missing.

Rebuilding the Resource Records should correct any inconsistencies.

Using the GUI:

Step 1 From the Server Manager window (Figure 2-10), select the DNS server whose Resource Record indexes you want to refresh.

Step 2 Click the Show Properties toolbar button.

Step 3 Click the Advanced tab of the DNS Server Properties dialog box (Figure 4-14).

Step 4 Click Debug settings.

Step 5 From the Rebuild Resource Records dialog box, choose to rebuild indexes for all zones now.

Step 6 Click OK.

Using the CLI:

Use the dns rebuildRR-Indexes command to rebuild the Resource Record Indexes.

nrcmd> dns rebuildRR-Indexes

Posted: Thu Feb 3 10:59:45 PST 2000
Copyright 1989 - 2000©Cisco Systems Inc.