Domains - DNS - Apache - Certificate SSL

DNS (Domain Name System) is a magical thing, when it works... Or rather, it usually does work; the trick is setting it up right. DNS is the service that translates a FQDN (fully qualified domain name) into the corresponding IP address and, with reverse resolution, an IP address back into a name. Example :

C:\>nslookup www.alterlinks.nl
Server:  dns.alterlinks.com
Address:  212.180.60.130
Aliases:  130.60.180.212.in-addr.arpa

Name:    www.alterlinks.nl
Address:  212.180.60.244

If, for instance, you have registered your domain name and run your own DNS servers, you need to make sure those servers are set up correctly for the domain name.

In this example, we will be using the BIND DNS server.

Let's imagine we have just registered the domain name alterlinks.nl with an accredited Registrar like Gandi SAS and we want the DNS servers

  • dns.alterlinks.com
  • dns2.alterlinks.com

to be responsible for it. Note that at least two DNS servers are needed, a Primary and a Secondary, preferably in different networks. Before even talking about the zone itself, this means the servers must be set up as a Primary and a Secondary: the Secondary pulls the zone from the Primary by zone transfer (AXFR/IXFR), so the Primary must allow transfers to the Secondary's address and to nobody else, and the Secondary in turn should only hand out copies to addresses it trusts.

Primary DNS server configuration example :

// Address lists for our own networks; they can be referenced by name in the
// allow-* statements below instead of repeating the prefixes.
acl alter2 {
     195.114.89.64/26;
     };
acl alter1 {
     212.180.60.128/25;
     };
options {
     directory "/var/named";
     // Recursion only for our own networks: an open recursive resolver is a
     // cache-poisoning target and a DDoS amplifier.
     allow-recursion {
          212.180.60.128/25;
          195.114.89.64/26;
          };
     forwarders {
          195.114.64.193;
          212.180.1.79;
          };
     // Zone transfers only to the Secondaries; otherwise anyone can download
     // the complete zone with "dig AXFR".
     allow-transfer {
          212.180.60.215;
          212.180.60.170;
          195.114.64.193;
          };
     listen-on {
          212.180.60.130;
          };
     notify yes;
     // multiple-cnames and fetch-glue are BIND 8 options; BIND 9 does not
     // implement them and warns about them at startup.
     multiple-cnames yes;
     fetch-glue no;
     // Do not advertise the exact software version ("dig version.bind chaos txt").
     version "Not available";
};


Secondary DNS server configuration example :

acl alter2 {
     195.114.89.64/26;
     };
acl alter1 {
     212.180.60.128/25;
     };
options {
     directory "/var/named";
     pid-file "/var/run/named/named.pid";
     // Pin the source address of outgoing queries, but not the port: a fixed
     // source port would undo the query-port randomisation that makes cache
     // poisoning hard.
     query-source address 212.180.60.215;
     allow-recursion {
          212.180.60.128/25;
          195.114.89.64/26;
          };
     forwarders {
          195.114.64.193;
          212.180.1.79;
          };
     listen-on {
          212.180.60.215;
          };
     // topology is a BIND 8 option; BIND 9 does not implement it and warns about it.
     topology {
          212.180.60.130;
          212.180.60.215;
          };
     fetch-glue no;
     version "Not available";
     // Note: there is no global allow-transfer here, so any zone without its
     // own allow-transfer statement is transferable by anyone; add one here too.
};


When the DNS servers are configured (and protected!) to your liking, the zone for the domain name can be created. A quick check of the protection: from an address that is not listed in allow-transfer, "dig @212.180.60.130 alterlinks.nl AXFR" must end with "Transfer failed." instead of listing the zone, and a recursive query for a name you are not authoritative for, sent from outside allow-recursion, must come back without an answer (recent BIND versions reply REFUSED).


Zone for alterlinks.nl on the Primary DNS server :

$ttl 604900
alterlinks.nl.   IN     SOA     dns.alterlinks.com. administrator.alterlinks.fr. (
          2001020140     ; serial (YYYYMMDDnn): increase it on every change
          28800          ; refresh
          1800           ; retry
          2419200        ; expire
          7200           ; minimum (negative-caching TTL)
          )
; the "ptr" mechanism is deprecated by RFC 7208; prefer "mx" plus explicit ip4: ranges
alterlinks.nl.   IN     TXT     "v=spf1 mx ptr -all"
alterlinks.nl.   IN     NS      dns.alterlinks.com.
                 IN     NS      dns2.alterlinks.com.
                 IN     A       212.180.60.244
                 IN     MX      2 smtp.alterlinks.com.
localhost        IN     A       127.0.0.1
www              IN     A       212.180.60.244


Zone for alterlinks.nl on the Secondary DNS server (as written out by named after the transfer, hence the different layout) :

$ORIGIN .
$TTL 604900     ; 1 week 1 minute 40 seconds
alterlinks.nl     IN SOA   dns.alterlinks.com.  administrator.alterlinks.fr. (
          2001020140 ; serial
          28800      ; refresh (8 hours)
          1800       ; retry (30 minutes)
          2419200    ; expire (4 weeks)
          7200       ; minimum (2 hours)
          )
                  NS      dns.alterlinks.com.
                  NS      dns2.alterlinks.com.
                  A       212.180.60.244
                  MX      2 smtp.alterlinks.com.
                  TXT     "v=spf1 mx ptr -all"
$ORIGIN alterlinks.nl.
localhost         A       127.0.0.1
www               A       212.180.60.244

Note how the serial number (2001020140) is the same for this zone on the Primary and the Secondary DNS server, which shows that they are synchronised; the Secondary only fetches a new copy when the Primary's serial is higher than its own, so every change to the zone must come with a higher serial.
Also note the MX entry; some NICs may require it to point to an SMTP server in the same domain name for the zone to be considered valid. The MX entry also matters later, for instance when requesting SSL certificates, because certificate authorities may validate ownership of the domain by mailing an address such as postmaster@ in that domain. The SMTP server referred to by the MX entry must accept mail for the address "postmaster" (RFC 5321 makes this mailbox mandatory).



To make this zone active, all one needs to do is add the zone to the Primary DNS server :

zone "alterlinks.nl" {
     type master;
     file "/var/named/alterlinks.nl.hosts";
     // Send a NOTIFY to these servers on every reload so they pull the zone right away.
     also-notify {
          195.114.64.193;
          212.180.60.215;
          212.180.60.170;
          };
     // A per-zone allow-transfer overrides the global one; localhost is handy
     // for testing the zone with "dig @localhost alterlinks.nl AXFR".
     allow-transfer {
          195.114.64.193;
          212.180.60.215;
          212.180.60.170;
          localhost;
          };
     notify yes;
};


And add the zone to the Secondary DNS server :

zone "alterlinks.nl" {
     type slave;          // recent BIND versions also accept "type secondary"
     // Only the Primary's address may supply the zone; BIND by default also
     // accepts NOTIFY messages only from the listed masters.
     masters {
          212.180.60.130;
          };
     file "/var/named/alterlinks.nl.hosts";
     notify yes;
     allow-transfer {
          212.180.60.130;
          195.114.64.193;
          localhost;
          };
     also-notify {
          195.114.64.193;
          };
};



After the newly created zones on both the Primary and the Secondary (or Master and Slave) DNS servers have checked out with no errors at all (named-checkzone alterlinks.nl /var/named/alterlinks.nl.hosts, or an online zone-check tool), the DNS entries on the domain registration record can be changed. After this change, the Registrar passes the delegation on to the .nl registry, which publishes NS records for alterlinks.nl in the .nl zone; from then on every resolver is told that answers for alterlinks.nl are to be obtained from dns.alterlinks.com and dns2.alterlinks.com. (The ICANN root servers themselves only know which servers are authoritative for .nl, not for the individual domains under it.)
Now, if one wanted to create for instance myserver.alterlinks.nl, all one has to do is add the line

myserver    IN    A    212.180.60.nnn

to the Primary DNS server zone for alterlinks.nl, increase the serial in the SOA record, and reload the zone (rndc reload alterlinks.nl); it will then exist and resolve to the IP address 212.180.60.nnn. Without the higher serial the Secondaries keep serving the old copy, since they only transfer when the Primary's serial is greater than their own.
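The add-record, bump-serial, check and reload sequence as an added shell example (this is not the page's own script). It assumes a zone laid out like the one above (the serial is the first bare number after SOA), that named-checkzone and rndc are on PATH when you actually publish (both are skipped when absent), and it uses a made-up address 212.180.60.250 and a scratch copy of the zone for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original page: edit a BIND zone file, bump the
# YYYYMMDDnn serial, validate the result and reload the zone.  Secondaries only
# transfer when the serial grows, so forgetting the bump is the classic mistake.
set -eu

# Print the current serial of a zone file: the first all-digit token after "SOA".
get_serial() {
    awk '/[ \t]SOA[ \t]/ { insoa = 1 }
         insoa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# next_serial <current> <YYYYMMDD>: the next date-based serial that is still larger
# than <current>.  Serials compare modulo 2^32 (RFC 1982), so never go backwards.
next_serial() {
    if [ "$1" -ge "${2}00" ]; then
        echo $(( $1 + 1 ))      # same day, or serial already ahead of the clock
    else
        echo "${2}01"           # first edit of a new day
    fi
}

# set_serial <zonefile> <new>: rewrite the first digit-bounded occurrence of the old serial.
set_serial() {
    old=$(get_serial "$1")
    awk -v old="$old" -v new="$2" '
        !done && $0 ~ ("(^|[^0-9])" old "([^0-9]|$)") { sub(old, new); done = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_a_record <zonefile> <label> <ipv4>: append a relative A record, as the page does for myserver.
add_a_record() {
    printf '%s\tIN\tA\t%s\n' "$2" "$3" >> "$1"
}

# bump_zone <zonefile> [YYYYMMDD]: raise the serial (today by default) and print the new value.
bump_zone() {
    new=$(next_serial "$(get_serial "$1")" "${2:-$(date +%Y%m%d)}")
    set_serial "$1" "$new"
    echo "$new"
}

# publish_zone <zone> <zonefile>: refuse to load a zone that does not parse, then reload it.
publish_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" >/dev/null || { echo "zone check failed, not reloading" >&2; return 1; }
    fi
    if command -v rndc >/dev/null 2>&1; then
        rndc reload "$1"
    fi
}

# make_sample_zone <path>: a constructed copy of the alterlinks.nl zone shown on the page.
make_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 604900
alterlinks.nl.   IN  SOA  dns.alterlinks.com. administrator.alterlinks.fr. (
          2001020140
          28800
          1800
          2419200
          7200 )
alterlinks.nl.   IN  NS   dns.alterlinks.com.
                 IN  NS   dns2.alterlinks.com.
                 IN  A    212.180.60.244
www              IN  A    212.180.60.244
EOF
}

# Demo: add myserver (made-up address) to a scratch copy of the zone and bump the serial.
demo_dir=$(mktemp -d)
make_sample_zone "$demo_dir/alterlinks.nl.hosts"
add_a_record "$demo_dir/alterlinks.nl.hosts" myserver 212.180.60.250
echo "serial $(get_serial "$demo_dir/alterlinks.nl.hosts") -> $(bump_zone "$demo_dir/alterlinks.nl.hosts")"
rm -rf "$demo_dir"
```

On the real server the sequence is: edit /var/named/alterlinks.nl.hosts, run bump_zone on it, then publish_zone alterlinks.nl /var/named/alterlinks.nl.hosts; the "AXFR-style IXFR" log lines shown below are what you should see on the Primary a moment later.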

If the DNS servers are set up correctly, the transfers to the Secondary server(s) triggered by the notify should show up in the Primary's log like this :

Jun 12 14:41:27 dns named[8928]: client 212.180.60.170#60931: transfer of 'alterlinks.nl/IN': AXFR-style IXFR started
Jun 12 14:41:27 dns named[8928]: client 212.180.60.170#60931: transfer of 'alterlinks.nl/IN': AXFR-style IXFR ended
Jun 12 14:41:27 dns named[8928]: client 195.114.64.193#58125: transfer of 'alterlinks.nl/IN': AXFR-style IXFR started
Jun 12 14:41:27 dns named[8928]: client 195.114.64.193#58125: transfer of 'alterlinks.nl/IN': AXFR-style IXFR ended

Note however that DNS changes take time to propagate: resolvers keep an old answer in their cache until its TTL runs out, so with the $TTL of 604900 seconds used above an old record may still be served for up to a week (the often-quoted "up to 72 hours" is only a rule of thumb). Before a planned change, lower the TTL of the affected records well in advance and put it back afterwards.



How does a client, for instance a user with a web browser on the other side of the world, resolve "http://www.alterlinks.nl" to the right IP address when he types it in?

Each PC is usually configured with TCP/IP networking. One of the configuration settings is the "preferred DNS servers". One can either configure them by hand or obtain them dynamically when TCP/IP is configured for DHCP. For instance, a user Lamba uses an Internet connection from TCSN.net, a US west-coast Internet provider. When he is connected to the Internet, user Lamba will use an IP address from TCSN as well as their DNS servers, for instance dns1.tcsn.net and dns2.tcsn.net, as the client's preferred DNS servers. When user Lamba starts his web browser and types in the address field :

http://www.alterlinks.nl       and hits <enter>

then first his PC needs to resolve this FQDN to an IP address (gethostbyname, or getaddrinfo on current systems; gethostbyaddr is the reverse direction) before it can even try to connect. To obtain the answer, the PC queries its preferred DNS servers. If these servers do not know the answer, which is very likely, they resolve it themselves (or forward the query to a neighbouring resolver that does): starting from the ICANN root servers, the resolver is referred to the servers for .nl, which in turn refer it to dns.alterlinks.com and dns2.alterlinks.com, and one of those provides the actual answer. Meanwhile both the DNS servers of TCSN and the PC that requested the resolution may cache the answer, for as long as its TTL allows, to avoid having to ask again next time. Finally, the PC of user Lamba has the right answer, 212.180.60.244, and connects to this IP address on port 80 using the HTTP protocol.

Where, if all goes well, a web server like Apache is listening on port 80 to serve user Lamba's request.
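The walk just described (root, then .nl, then the domain's own servers), as an added shell example that is not part of the original page. The live walk needs dig and network access and starts from 198.41.0.4 (a.root-servers.net; a real resolver loads the full root hints file instead); the two parsing helpers are pure shell and are exercised on constructed dig-style output, whose record data follows the page's zone.

```shell
#!/bin/sh
# Added example, not from the original page: resolve a name by following
# referrals by hand, the way a recursive resolver does, using non-recursive
# queries so that no intermediate cache answers on our behalf.
set -eu

# a.root-servers.net; a real resolver has the whole root hints file.
ROOT_SERVER=198.41.0.4

# From dig "+noall +answer +authority" output, print the name servers of a referral.
referral_ns() { awk '$4 == "NS" { print $5 }'; }
# From the same output, print any A records (the final step of the walk).
answer_a() { awk '$4 == "A" { print $5 }'; }

# Address of a name server.  A real resolver would recurse for this as well
# (dns.alterlinks.com lives under .com, so .nl cannot hand out glue for it);
# here the system resolver is used for this helper lookup only.
ns_addr() { dig +short A "$1" | head -n 1; }

# resolve_iterative <name>: print the referral chain and the final address(es).
# CNAME answers are not followed, to keep the walk readable.
resolve_iterative() {
    name=$1; server=$ROOT_SERVER; hop=0
    while [ "$hop" -lt 10 ]; do
        hop=$((hop + 1))
        out=$(dig @"$server" +norecurse +noall +answer +authority "$name" A)
        addrs=$(printf '%s\n' "$out" | answer_a)
        if [ -n "$addrs" ]; then
            echo "answer from $server:"; printf '%s\n' "$addrs"; return 0
        fi
        next=$(printf '%s\n' "$out" | referral_ns | head -n 1)
        [ -n "$next" ] || { echo "no answer and no referral from $server" >&2; return 1; }
        echo "$server refers us to $next"
        server=$(ns_addr "$next")
        [ -n "$server" ] || { echo "cannot find an address for $next" >&2; return 1; }
    done
    echo "too many hops" >&2; return 1
}

# Constructed samples of what dig prints at the last two steps of the walk
# (modelled on the page's zone; not live captures).
SAMPLE_REFERRAL='alterlinks.nl.      3600    IN  NS  dns.alterlinks.com.
alterlinks.nl.      3600    IN  NS  dns2.alterlinks.com.'
SAMPLE_ANSWER='www.alterlinks.nl.  604900  IN  A   212.180.60.244'

# Offline demo of the parsing step; the live walk is: resolve_iterative www.alterlinks.nl
echo "referral goes to: $(printf '%s\n' "$SAMPLE_REFERRAL" | referral_ns | head -n 1)"
echo "final answer: $(printf '%s\n' "$SAMPLE_ANSWER" | answer_a)"
```

With network access, "resolve_iterative www.alterlinks.nl" prints one "refers us to" line per delegation level before the answer; "dig +trace www.alterlinks.nl" does the same walk in one command and is the quickest way to see whether the registry's delegation and your NS records agree.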


Reverse DNS resolution :


Reverse DNS resolution is, as the name already gives away, the resolution from an IP address to its name. Although used less often than forward resolution, some services, for instance security-related ones such as mail servers that reject clients whose PTR and A records disagree, may require that both match, meaning that the forward and the reverse resolution point to the same host.

C:\>nslookup 212.180.60.244
Server:  dns.alterlinks.com
Address:  212.180.60.130
Aliases:  130.60.180.212.in-addr.arpa

Name:    www.alterlinks.nl
Address:  212.180.60.244
Aliases:  244.60.180.212.in-addr.arpa

To obtain this, the Primary and Secondary DNS servers responsible for the address range should be configured with a reverse zone. Reverse zones follow the IP address space, not the domain name: whoever holds 212.180.60.128/25 (here the ISP, which owns 60.180.212.in-addr.arpa) is in charge, and because a /25 is smaller than the /24 that a normal in-addr.arpa zone covers, the ISP delegates a sub-zone, alter.60.180.212.in-addr.arpa, to dns.alterlinks.com and points every address of the /25 at it with a CNAME (the classless delegation of RFC 2317). That is also why nslookup above reports 244.60.180.212.in-addr.arpa as an alias: it is a CNAME to 244.alter.60.180.212.in-addr.arpa, and the PTR record lives there.

Example of the corresponding reverse zone for the network 212.180.60.128/25, in which 212.180.60.244 (thus www.alterlinks.nl) is located :

[root@dns named]# cat 212.180.60.rev | more
$ttl 604900
alter.60.180.212.in-addr.arpa.  IN     SOA     dns.alterlinks.com.  administrator.alterlinks.com. (
          2001020321
          3600
          1800
          2419200
          7200 )
alter.60.180.212.in-addr.arpa.      IN     NS      dns.alterlinks.com.
                                    IN     NS      dns2.alterlinks.com.
                                    IN     MX      1 mail.alterlinks.com.
129.alter.60.180.212.in-addr.arpa.  IN     PTR     rtr-dsl-paris1.alterlinks.com.
130.alter.60.180.212.in-addr.arpa.  IN     PTR     dns.alterlinks.com.
.....
244.alter.60.180.212.in-addr.arpa.  IN     PTR     www.alterlinks.nl.
.....
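The parent-side records that the reverse sub-zone above depends on, plus the forward-confirmed reverse DNS check that "both must match" services apply, as an added shell example (not the page's own script). It assumes the sub-zone label alter and the /25 from the page; the offline part runs on data constructed from the page's records, and the live check needs dig and network access.

```shell
#!/bin/sh
# Added example, not from the original page: RFC 2317 parent-side records for a
# classless reverse sub-zone, and a forward-confirmed reverse DNS (FCrDNS) check.
set -eu

# rev_name <a.b.c.d>: the in-addr.arpa name a resolver queries for a PTR.
rev_name() {
    IFS=. read -r a b c d <<EOF
$1
EOF
    echo "$d.$c.$b.$a.in-addr.arpa"
}

# rfc2317_parent_records <a.b.c> <first> <last> <label> <ns>...: what the owner of
# c.b.a.in-addr.arpa (the ISP) must add so that <label>.c.b.a.in-addr.arpa, run by
# the customer, is reached for hosts <first>..<last>.  Without these CNAMEs the
# customer's reverse zone exists but nobody is ever referred to it.
rfc2317_parent_records() {
    IFS=. read -r a b c <<EOF
$1
EOF
    first=$2; last=$3; sub="$4.$c.$b.$a.in-addr.arpa."; shift 4
    for ns in "$@"; do
        printf '%s\tIN\tNS\t%s\n' "$sub" "$ns"
    done
    i=$first
    while [ "$i" -le "$last" ]; do
        printf '%s.%s.%s.%s.in-addr.arpa.\tIN\tCNAME\t%s.%s\n' "$i" "$c" "$b" "$a" "$i" "$sub"
        i=$((i + 1))
    done
}

# fcrdns_match <ip> <ptr_name> "<a records of ptr_name>": 0 when the name the IP
# maps back to also has an A record for that very IP, 1 otherwise.
fcrdns_match() {
    ip=$1; name=$2; addrs=$3
    for addr in $addrs; do
        [ "$addr" = "$ip" ] && { echo "ok: $ip -> $name -> $ip"; return 0; }
    done
    echo "MISMATCH: $ip -> $name, but $name has A records: ${addrs:-none}"
    return 1
}

# fcrdns_check <ip>: live version of the check; needs dig, returns 2 without it,
# 1 when there is no PTR at all or none of the PTR names resolve back to <ip>.
fcrdns_check() {
    command -v dig >/dev/null 2>&1 || return 2
    status=1
    for name in $(dig +short -x "$1"); do
        fcrdns_match "$1" "$name" "$(dig +short A "$name")" && status=0
    done
    return $status
}

# Constructed data taken from the page's forward and reverse zones (no network used).
WWW_IP=212.180.60.244
WWW_PTR=www.alterlinks.nl.

# Demo: the first parent-side records for the page's /25, and the offline match.
rfc2317_parent_records 212.180.60 128 255 alter dns.alterlinks.com. dns2.alterlinks.com. | head -n 4
fcrdns_match "$WWW_IP" "$WWW_PTR" "$WWW_IP"
```

The generated NS and CNAME lines go into the ISP's 60.180.212.in-addr.arpa zone, not into yours; once they are in place, "fcrdns_check 212.180.60.244" (or by hand: dig -x followed by dig A on each name returned) confirms that the PTR in the sub-zone and the A record in alterlinks.nl agree.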


