[PLUG] Victor is trying to understand DNS

Carlos Konstanski ckonstanski at pippiandcarlos.com
Sun Oct 14 17:11:32 UTC 2007


At Sat, 13 Oct 2007 23:40:14 -0700,
Victor Soich wrote:
> In order to set up a primary name server and secondary name server I
> have to have a static IP address, i.e.  I can't set up the
> aforementioned name servers because dyndns.org takes care of finding
> my host computer.

I'm not sure you want or need 2 nameservers.  That configuration is
used in situations where you have a class 3 subnet all to yourself
(256 IP addresses, not one), and the root nameservers point directly to
you.  You can't even get a class 3 subnet unless you can prove to
ICANN that you really need one.  If you're like me, you don't.  If you
are the head of IT at a brand-new corporate entity, then you might,
though you wouldn't be messing around with DHCP addresses from Comcast
in that case.

A picture is worth a thousand words.  I'll explain the setup that has
been working for me, with a static IP.  I am absolutely clueless on
dyndns.  If it were me, I'd spring for a static IP.  My explanation
will be told in the first person because it's my actual setup I will
be showing to you.

First, I go to my favorite domain name registrar.  I use 1planhost for
historical reasons, though godaddy, directnic, or most others are just
as good.  The key is finding one that allows you a feature called
"Total DNS Control".  Directnic charges an extra $5 for this feature,
so they suck.

Once I have purchased a domain name and it shows up in my list, I
click on it to enter the details page.  Then I look for that "Total
DNS Control" feature and click that.  This brings me to a web interface
that allows me to set the DNS entries on their nameserver.  Once
there, I set the following rules:

A records:

    HOST    Points to       TTL
    @       72.214.132.23   1 hour
    *       72.214.132.23   1 hour

MX records:

   Priority     Host    Goes to         TTL
   0            @       mail.wrlug.org  1 hour

That's it!  Notice that you use IP addresses in the A records, but
hostnames in the MX records.  BTW, this setup assumes you're running
your own mailserver, and its address can be resolved by the DNS server
running at the IP address specified in the A records.  If your mail is
being served from someone else's mailserver, you need the MX record to
point to them.

At this point, I have two nameservers (go on, do a whois lookup on
"wrlug.org") which are kept running by a 24/7 staff of IT guys, on a
big ol' pipe, and it costs me only $10 per year.  They happen to be
called park3.secureserver.net and park4.secureserver.net.  But all
these nameservers do is forward DNS requests to my own private DNS
server and mailserver.  You'd think the MX record would be redundant
because my private DNS server can resolve it, but DNS checking tools
balk unless there is an MX record on the authoritative nameserver, and
picky mailservers won't accept your mail.

There's actually another nameserver between 1planhost and me: Cox
Communications, the folks I pay for my static IP address and internet
access (the "Comcast" of Idaho).  Since I never have to call them for
any DNS-related stuff with my setup, I just pretend they're not there.
But as you'll see, remote pings and nslookups won't make sense unless
you're aware of their presence.  Cox's nameserver is the one that
actually has the power to tell remote users how to resolve my IP
address.  The IP address I entered in my A record at 1planhost would
be meaningless without Cox's ability to say "That IP address goes to
this node on my network, and I'll send you there."

Now I need a single DNS server listening at the IP address listed in
my A record (72.214.132.23), which is my home IP address.  Any DNS
requests for wrlug.org will go to the 1planhost nameservers first
(since theirs come before me in the Great DNS Hierarchy, starting with
the root nameservers at the top), and those nameservers will forward
the request to me (ignoring Cox in this discussion, but they're right
there, don't worry about that).  Once the DNS request is at my front
door, I can do anything I need with it.  Here's my forward zone file
for wrlug.org:

$TTL 1h
@                       IN  SOA     ns.wrlug.org. postmaster.wrlug.org. (
                                    2007062700  ; Serial
                                    1h          ; Refresh
                                    15m         ; Retry
                                    1w          ; Expire
                                    1h )        ; Minimum
                        IN  NS              ns.wrlug.org.
wrlug.org.              IN  MX      10      mail.wrlug.org.
wrlug.org.              IN  TXT     "v=spf1 a mx ~all"

; A records
@                       IN  A       192.168.1.1
ns                      IN  A       192.168.1.1
mail                    IN  A       192.168.1.1
localhost               IN  A       127.0.0.1

; CNAME records
www                     IN  CNAME   ns.wrlug.org.
ftp                     IN  CNAME   ns.wrlug.org.
forums                  IN  CNAME   ns.wrlug.org.
mirror                  IN  CNAME   ns.wrlug.org.
blog                    IN  CNAME   ns.wrlug.org.
wiki                    IN  CNAME   ns.wrlug.org.
static                  IN  CNAME   ns.wrlug.org.

In my case, I run DNS, mail, web, wiki, blog, and mail on one physical
machine.  That's why all the CNAME records point to ns.wrlug.org.
This is not a requirement by any means.

ns.wrlug.org is a dual-homed box.  One nic card has the address
72.214.132.23, and it hangs out on the internet.  The other nic card
has the address 192.168.1.1, and it feeds my local subnet.  That's
right: my DNS, mail, web, wiki, blog, and mail server is also a router
and firewall.  "A bit dodgy", as the English say.  I use the local IP
addresses in my zone file because they work in all cases.  You might
think that a remote user's DNS request wouldn't resolve, but it does.
If I ping, nslookup and reverse-nslookup wrlug.org from a remote
location, I get this:

;;
ckonstanski at hly20666lx.powereng.com:~$ ping wrlug.org
PING wrlug.org (72.214.132.23) 56(84) bytes of data.
64 bytes from wsip-72-214-132-23.sv.om.cox.net (72.214.132.23): icmp_seq=1 ttl=48 time=131 ms

ckonstanski at hly20666lx.powereng.com:~$ nslookup wrlug.org
Server:         10.102.1.33
Address:        10.102.1.33#53

Non-authoritative answer:
Name:   wrlug.org
Address: 72.214.132.23

ckonstanski at hly20666lx.powereng.com:~$ nslookup 72.214.132.23
Server:         10.102.1.33
Address:        10.102.1.33#53

Non-authoritative answer:
23.132.214.72.in-addr.arpa      name = wsip-72-214-132-23.sv.om.cox.net.
;;

While if I ping, nslookup and reverse-nslookup wrlug.org locally, I
get this:

;;
root at ns.wrlug.org:/etc/named/pri# ping wrlug.org
PING wrlug.org (192.168.1.1) 56(84) bytes of data.
64 bytes from ns.pippiandcarlos.com (192.168.1.1): icmp_seq=1 ttl=64 time=0.077 ms

root at ns.wrlug.org:/etc/named/pri# nslookup wrlug.org
Server:         192.168.1.1
Address:        192.168.1.1#53

Name:   wrlug.org
Address: 192.168.1.1

root at ns.wrlug.org:/etc/named/pri# nslookup 192.168.1.1
Server:         192.168.1.1
Address:        192.168.1.1#53

1.1.168.192.in-addr.arpa        name = ns.pippiandcarlos.com.
;;

(Note: pippiandcarlos.com is my primary domain at home.  It's the only
one listed in my reverse zone file.  That's why 192.168.1.1
reverse-resolves to pippiandcarlos.com in my subnet.  This is of NO
CONSEQUENCE to remote users.)

But if you open a web browser and type in "www.wrlug.org", the IP
address listed by ping in the remote example above eventually resolves
to my DNS server, and once it's there I can further resolve the
request to my local web server, using a local IP address.  My DNS
setup only has to worry about what to do with the request once it
comes to me.  I don't know or care who the client is from a DNS
standpoint.  My webserver cares, but it has its own mechanism for
finding the client.

This is my recipe for success in a nutshell.  I'm sure it's not the
only way to go.  Others might attack it viciously.  I only care about
the people who own the 40 domain names that resolve nicely with this
setup.  None of them are complaining.
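An added example, not part of Carlos's post and not BIND's own tooling: a small Python linter that parses the forward zone file shown in the message (BIND master format: $TTL, ';' comments, the multi-line SOA in parentheses, owner names inherited from the previous record) and runs the checks a practitioner would want before pointing a public nameserver at such a zone. It assumes wrlug.org. as the origin, since the posted file has no $ORIGIN line. Besides checking that the apex has SOA and NS records, that the SOA MNAME is one of the NS names, and that every in-zone NS/MX/CNAME target has an A record, it flags A records in private address space, which is exactly what the zone above does. As the post explains, remote lookups still work in Carlos's setup because the registrar-side A records carry the public 72.214.132.23; the linter shows what this file alone would tell a resolver.

```python
import ipaddress
import re
import shlex

ORIGIN = "wrlug.org."  # assumed: the posted file has no $ORIGIN line

# The forward zone file from the post, trailing whitespace removed.
ZONE_TEXT = """\
$TTL 1h
@                       IN  SOA     ns.wrlug.org. postmaster.wrlug.org. (
                                    2007062700  ; Serial
                                    1h          ; Refresh
                                    15m         ; Retry
                                    1w          ; Expire
                                    1h )        ; Minimum
                        IN  NS              ns.wrlug.org.
wrlug.org.              IN  MX      10      mail.wrlug.org.
wrlug.org.              IN  TXT     "v=spf1 a mx ~all"

; A records
@                       IN  A       192.168.1.1
ns                      IN  A       192.168.1.1
mail                    IN  A       192.168.1.1
localhost               IN  A       127.0.0.1

; CNAME records
www                     IN  CNAME   ns.wrlug.org.
ftp                     IN  CNAME   ns.wrlug.org.
forums                  IN  CNAME   ns.wrlug.org.
mirror                  IN  CNAME   ns.wrlug.org.
blog                    IN  CNAME   ns.wrlug.org.
wiki                    IN  CNAME   ns.wrlug.org.
static                  IN  CNAME   ns.wrlug.org.
"""

TTL_RE = re.compile(r"^\d+[smhdw]?$", re.IGNORECASE)
CLASSES = {"IN", "CH", "HS"}


def fqdn(name, origin):
    """Expand '@' or a relative name to an absolute, lower-case name."""
    name = name.lower()
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, type, rdata_tokens)] from BIND master format: handles
    $TTL/$ORIGIN, ';' comments, '( ... )' continuation lines, owners inherited
    from the previous record, and optional TTL/class fields."""
    records, pending, depth, owner = [], [], 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]  # ';' inside quoted TXT data is not handled
        if not line.strip() and depth == 0:
            continue
        pending.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue  # record continues on the next physical line
        logical, pending = " ".join(pending), []
        has_owner = not logical[:1].isspace()  # owner present only in column 1
        spaced = logical.replace("(", " ( ").replace(")", " ) ")
        tokens = [t for t in shlex.split(spaced) if t not in ("(", ")")]
        if not tokens:
            continue
        if tokens[0] == "$ORIGIN":
            origin = fqdn(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):  # $TTL and other directives
            continue
        if has_owner:
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() in CLASSES or TTL_RE.match(tokens[0])):
            tokens.pop(0)  # optional TTL and class may appear in either order
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def lint_zone(records, origin):
    """Checks worth running before a zone is served to the public internet."""
    by_owner = {}
    for owner, rtype, rdata in records:
        by_owner.setdefault(owner, {}).setdefault(rtype, []).append(rdata)
    apex = by_owner.get(origin, {})
    findings = {"structure": [], "private": [], "dangling": []}
    for needed in ("SOA", "NS"):
        if needed not in apex:
            findings["structure"].append(f"no {needed} record at the apex")
    ns_names = {fqdn(r[0], origin) for r in apex.get("NS", [])}
    if "SOA" in apex and fqdn(apex["SOA"][0][0], origin) not in ns_names:
        findings["structure"].append("SOA MNAME is not one of the apex NS names")
    for owner, rtype, rdata in records:
        if rtype == "A":
            ip = ipaddress.ip_address(rdata[0])
            if ip.is_private and not ip.is_loopback:  # unreachable from outside
                findings["private"].append(f"{owner} A {ip}")
        elif rtype in ("NS", "MX", "CNAME"):
            target = fqdn(rdata[-1], origin)
            in_zone = target == origin or target.endswith("." + origin)
            if in_zone and "A" not in by_owner.get(target, {}):
                findings["dangling"].append(f"{owner} {rtype} -> {target} has no A record")
    return findings


if __name__ == "__main__":
    print(lint_zone(parse_zone(ZONE_TEXT, ORIGIN), ORIGIN))
```

Run against the zone above, the structural and dangling-target checks come back clean, and the private list names the three A records (apex, ns, mail) that answer with 192.168.1.1; the localhost entry is left alone because loopback is conventional. The parser deliberately stays minimal: it tokenizes with shlex so the quoted SPF TXT string survives as one value, and the TTL/class skipping loop accepts both orders because master format allows either.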