dns Flashcards
What configuration files can you use to filter incoming network traffic over TCP?
/etc/hosts.allow
/etc/hosts.deny
What configuration files can you use to restrict the use of the at command, which lets you schedule a command to run once at a specific time?
/etc/at.allow OR /etc/at.deny
TXT records:
what? any optional information that doesn’t have its own field
why? google analytics verification, SPF;
missing? optional, so no problems.
more than one? appended
what? any optional information that doesn’t have its own field
A TXT record is essentially a way to provide arbitrary “notes” to outside sources. These may be notes meant for human interpretation, or they may be notes meant to be interpreted and processed by an application or machine, such as the case with SPF records.
why? google analytics verification, SPF;
Services like Google Analytics, and verification methods like SPF, use TXT records in specific formats and syntaxes so that an application can parse them and handle them appropriately.
missing? optional, so no problems.
TXT records are entirely optional, and will not interrupt a zone’s ability to load or update if missing. They are not present by default unless through a modified template.
more than one? appended
If you have more than one TXT record, they will all be displayed. Any application reading them should automatically append any additional records.
A records
what? gives the IP address of the server that handles that domain
if missing? site won’t resolve
more than one? random selection for things like load balancing
what? gives the IP address of the server that handles that domain
An “A” record is used in a zone to instruct servers to resolve a domain name to a corresponding IP address.
if missing? site won’t resolve
At least one A record is required so that the base domain itself has instructions to translate to an IP address. Otherwise, there is no real destination. In effect, this is a good way to point out that, ultimately, the goal is to find out what the destination for your query is, and the IP address represents that destination.
more than one? random selection for things like load balancing
If more than one A record is provided for the same domain or hostname, one of them will be randomly selected to resolve each query, which can be used for load balancing or, to a less effective extent, redundancy.
MX records
what? tells mail where to go.
missing? A record used
more than one? priorities (like for backup MXes)
remote vs local, implications?
what? tells mail where to go.
An MX record represents the “Mail Exchanger” that should be used for this zone in particular. The primary use of the MX record is for determining the appropriate mail servers to use based on an email address (for user@domain.com, the MX record of “domain.com” would be resolved).
missing? A record used
If a domain’s zone is missing MX records, the A record for the base domain is used instead, which may or may not be the desirable result, so it’s advisable to ensure that at least one MX record exists in each domain’s zone.
more than one? priorities (like for backup MXes)
Additional MX records can be created with varying priorities to create failover support, the lowest number representing the highest priority. For example:
MX 0 mx1.cpanel.net
MX 10 mx2.cpanel.net
MX 20 mx3.cpanel.net
In this example, mx1 is used first, then mx2, then mx3, as needed.
remote vs local, implications?
When setting the MX record, it is important to be aware of the resolving address for the hostname or domain that you’re using in that record.
Local Mail Exchanger:
If the resolving IP address is an IP address that exists on your server, then it should be considered a “local mail exchanger”. This relates to how mail destined for that domain is handled. If Exim is handling a message sent to a domain with local MX, the server knows that it doesn’t need to deal with any remote routing rules, and it can handle it locally.
Remote Mail Exchanger:
Some domains may be handled by a remote mail exchanger, or a mail server that exists elsewhere, such as when a Google Apps setup is used. Marking the domain as remote ensures that Exim knows that the mail bound for this domain needs to leave the server to properly reach its destination.
In general, you can leave this on the default of “Automatic”, which will determine whether the destination IP address exists on your server or not, and choose accordingly. However, it’s important to be aware that misconfigurations here can cause problems for mail delivery to/from your domains.
One common issue you might see when a domain has been selected as remote/local MX incorrectly is the Sender Verification Failure error. If this occurs, verify that all of your domain’s MX records are properly set with local/remote or that the automatic selection is using the correct option. If the automatic selection isn’t working correctly, this likely indicates that there may be other network-related configuration issues on the server.
NS records
what? confirms what nameservers should be authoritative. only for the zone (not subdomains - if subdomains, then it’s forwarding the domain)
missing? zone is not valid, but will load w/o issue.
more than one? should have more than one. random selection for load balancing
what? confirms what nameservers should be authoritative. only for the zone (not subdomains - if subdomains, then it’s forwarding the domain)
The NS (Name Server) records in a DNS zone are used to define what should be considered as the authoritative nameservers for that zone as a whole.
missing? zone is not valid, but will load w/o issue.
If the NS records are missing from the zone (which they will not be when using the default template at the beginning), the zone will technically fail a validity check performed by named; however, the zone itself will still load.
more than one? should have more than one. random selection for load balancing
A typical zone should usually have at least 2 NS records defined for very basic redundancy. This is not required, but always highly recommended. The ideal scenario is that you have two separate nameservers on two separate hosts, so that if an issue occurs on one host, the domain can still be resolved using the other host.
This can be expanded as much as needed, and there is no unreasonable limit on NS records.
CNAME
what? acts as an “alias”, should point to a resolving FQDN, or another A record that exists in the same zone.
missing? not required.
more than one? can only have one for one domain, and cannot have equivalent A record
what? acts as an “alias”, should point to a resolving FQDN, or another A record that exists in the same zone.
A CNAME record is essentially what amounts to an alias for another record. For example, say you have your base domain record:
cars.tld. IN A 1.2.3.4
This represents the domain “cars.tld”, and points to the IP address 1.2.3.4. What if we want to add in a few subdomains, but we know that they’re also going to go to 1.2.3.4? One easy way to do this would be to add CNAMEs, and point them to “cars.tld”. For example, let’s add mail, www, and ftp CNAMEs, such as those that are in our default template:
mail IN CNAME cars.tld.
www IN CNAME cars.tld.
ftp IN CNAME cars.tld.
Now, resolution will be handled like this:
mail.cars.tld -> cars.tld -> 1.2.3.4
www.cars.tld -> cars.tld -> 1.2.3.4
ftp.cars.tld -> cars.tld -> 1.2.3.4
Alternatively, you can also specify full, remote domain names to direct a CNAME to, as some load balancing or proxy services require. The important thing to note here is that, if you’re including the full domain name as the CNAME record destination, you’ll need to make sure that the trailing “.” is included to indicate that this domain is complete, and that it does not need to subsequently add the base domain onto it.
missing? not required.
These are not required to load or validate a zone successfully.
more than one? can only have one for one domain, and cannot have equivalent A record
A CNAME should be independent of any conflicting names, and the host it uses should be exclusive. For example, if you’ve defined a “mail” CNAME to point somewhere, you should not have a “mail” A record elsewhere in the zone, and there should only be one “mail” CNAME in place.
explanation of TTL and its implications?
what? server’s preferred (“recommended”) length of time that clients should cache DNS zone data.
missing? a value for this is needed for the zone to load, but defaults will be present if none are changed
what? server’s preferred (“recommended”) length of time that clients should cache DNS zone data.
The TTL, or “time to live”, defines how long (in seconds) a zone should be cached by caching nameservers before it is checked for updates. This acts primarily as a “preference”, however, because many, if not most, caching nameservers will set their own minimums and may ignore the TTL value defined on your server, to prevent abuse, and to accommodate for their individual environments.
missing? a value for this is needed for the zone to load, but defaults will be present if none are changed.
Values for TTL are needed for the zone to load; however, if they have not been changed, the defaults (86400, which equates to 24 hours) will be present on initial zone creation.
What is a Nameserver and how does it work?
why you need it:
turns domain names into IPs (and vice versa)
email systems use it as part of spam prevention algorithms
DNS root servers and how the authoritative server is found
root nameservers get info from whois system.
answers cascade down as folks ask for the info
setting up your cPanel server as authoritative at the registrar
every registrar is different; consult your registrar for instructions
propagation
not much of a problem anymore; now takes around 10 minutes instead of a day or two
Role of the hostname?
FQDN
Mail verification
Better as its own zone with an existing domain, or as an independent A or CNAME record?
BIND
By far the most widely used DNS software, making it essentially the standard. Its age and extensive development make it a good choice for most servers. That said, it comes with a hefty footprint on your server, and in situations where a very, very large number of zones are going to be in use, BIND’s start-up process of loading all of the zones can take significantly longer to complete.
MyDNS
This DNS software is different in that it stores zone data within a MySQL database, which may or may not be a good thing, depending on your pre-existing reliance on MySQL, and your existing MySQL performance or optimizations. In addition to that, memory cache is utilized to boost the speed of DNS queries. In contrast to BIND’s performance issues when loading a very large number of zones, MyDNS is able to circumvent this with its zone handling, and as a result it can be the preferred choice in situations where a huge number of zones are involved.
NSD
NSD works as a very lightweight nameserver with a tiny footprint on the server, making it optimal on very limited systems or on systems with only a handful of zones and no need for caching capability or additional configuration.
Which 3 nameserver software options are provided by WHM?
WHM provides you with 3 different options for hosting your DNS environment, each with its own strengths and weaknesses. For most environments, we recommend using the default of BIND, due to its reliability, integration, and established standards; however, you may wish to try one of the alternative options if they work better for your circumstances.
SPF
An SPF (Sender Policy Framework) record is one way that mail servers can validate legitimacy of mail servers, to lessen the chances of spoofed spam messages being sent out using one of your domains. The SPF record format provides a way of identifying which servers can send email for a domain, and supporting mail servers on either end of a mail transaction can choose to enforce this. It’s used commonly enough today that it’s almost always recommended as a standard way of improving your mail server’s credibility.