HOW TO BE A SYSTEM ENGINEER INFORMATION TECHNOLOGY (IT)

Saturday, September 20, 2008

PENGENALAN SYSTEM ENGINEER IT

write by: KURT_KABAYAN

system engineer ialah orang yang kerjaannya ngurusin:
1.NETWORK (cisco,mikrotik,pembagian IP, routing,subnetting)
2.HOSTING
3.MRTG (monitoring tool)
4.DNS SERVER
5.MAIL SERVER
6.PROXY SERVER
7.WINDOWS SERVER 2003
8.FIREWALL/SECURITY/IPTABLES
9.FTP SERVER
10.WINDOWS XP

banyak yah kerjaannya pusing2 dah lo....... wuakakakaka.Tulisan ini gw bikin dari pengalaman gw di interview di beeberapa perusahaan ISP.Dan disini gw coba bikin catetan kecil buat belajar supaya yah kalo mau jadi seorang system engineer yah harus tau hal2 itu.

maaf tulisannya panjang ke bawah dan boleh hasil copas 2008

1.

2. 3. MRTG

DESCRIPTION

MRTG comes to you in Source Code. This means that you have to compile parts of it before you can use it on a Unix machine. These instructions help you to do so.

PREPARATION

In order to compile and use mrtg you need a C compiler and a copy of perl installed on your machine. In most cases this will already be available. In case it is not, here are some starting points. Below I'll give you a detailed run through the whole compilation process.

GCC

The GNU C compiler comes preinstalled on most of the free Unicies out there. For commercial derivatives you may have to download and compile it first. If you have no compiler at all there is a chicken and egg problem, but there are also precompiled versions of gcc available for most operating systems.

 http://gcc.gnu.org/

Perl

Large parts of the MRTG system are written in the Perl scripting language. Make sure there is a recent copy of perl on your machine (try perl -v). At least version 5.005 is required for mrtg to work well. If you use SNMPV3 and other new features you should use at least 5.8.

You can get the latest perl from

 http://www.perl.com/

MRTG generates traffic graphs in the PNG format. To be able to do this it needs several 3rd party libraries. When compiling these libraries I urge you to make sure you compile them as static libraries. There is just much less trouble ahead if you are doing it like this. See the Instructions in the next section for inspiration. Note that many free unices have all the required libraries already in place so there is no need to install another copy. To check it is best to skip all the library instructions below and go straight into the mrtg compile.

If the first attempt fails and you do not get a working version of mrtg, try compiling new copies of all libraries as explained below. Do this BEFORE you send email to me about problems compiling mrtg.

gd

This is a basic graph drawing library created by Thomas Boutell. Note that all releases after Version 1.3 only create PNG images. This is because a) Thomas got into trouble because the GIF format which it used to produce uses a compression technology patented by Unisys. b) PNG is more efficient and patent free. MRTG can work with old and new version of the GD library. You can get a recent copy of GD from:

 http://www.boutell.com/gd/

libpng

Is required by gd in order to produce PNG graphics files. Get it from:

 http://www.libpng.org/pub/png/libpng.html

zlib

Is needed by libpng to compress the graphics files you create. Get a copy from

 http://www.gzip.org/zlib

And last but not least you also need mrtg itself. In case you have not yet downloaded it, you can find a copy on my website:

 http://oss.oetiker.ch/mrtg/pub

LIBRARY COMPILATION

In this section I will give you step by step instructions on how to compile the various libraries required for the compilation of mrtg. Note that these libaries may already be installed if you have a *BSD or Linux system so you can skip recompiling them. The wget program used below is a simple web downloader. You can also enter the address into your netscape if you don't have wget available.

First let's create a directory for the compilation. Note that this may already exist on your system. No problem, just use it.

 mkdir -p /usr/local/src
cd /usr/local/src

If you do not have zlib installed:

 wget http://www.gzip.org/zlib/zlib-1.1.4.tar.gz
gunzip -c zlib-*.tar.gz | tar xf -
rm zlib-*.tar.gz
mv zlib-* zlib
cd zlib
./configure
make
cd ..

If you don't have libpng installed

 wget http://public.planetmirror.com/pub/sourceforge/l/li/libpng/libpng-1.0.15.tar.gz
gunzip -c libpng-*.tar.gz |tar xf -
rm libpng-*.tar.gz
mv libpng-* libpng
cd libpng
make -f scripts/makefile.std CC=gcc ZLIBLIB=../zlib ZLIBINC=../zlib
rm *.so.* *.so
cd ..

And now you can compile gd

For versions up to 1.8.4, try:

 wget http://www.boutell.com/gd/http/gd-1.8.4.tar.gz
gunzip -c gd-*.tar.gz |tar xf -
rm gd-*.tar.gz
mv gd-* gd
cd gd

The \ characters at the end of the following lines mean that all the following material should actually be written on a single line.

 perl -i~ -p -e s/gd_jpeg.o//g Makefile        
make INCLUDEDIRS="-I. -I../zlib -I../libpng" \
  LIBDIRS="-L../zlib -L. -L../libpng" \
  LIBS="-lgd -lpng -lz -lm" \
  CFLAGS="-O -DHAVE_LIBPNG"
cd ..

For versions starting around 2.0.11, try:

 wget http://www.boutell.com/gd/http/gd-2.0.11.tar.gz
gunzip -c gd-2.0.11.tar.gz |tar xf -
mv gd-2.0.11 gd
cd gd
env CPPFLAGS="-I../zlib -I../libpng" LDFLAGS="-L../zlib -L../libpng" \
 ./configure --disable-shared --without-freetype --without-jpeg
make
cp .libs/* .

MRTG COMPILATION

Ok, now everything is ready for the mrtg compilation.

 cd /usr/local/src
gunzip -c mrtg-2.16.2.tar.gz | tar xvf -
cd mrtg-2.16.2

If all the libraries have been preinstalled on your system you can configure mrtg by doing a simple:

 ./configure --prefix=/usr/local/mrtg-2

Otherwise you may have to give some hints on where to find the various libraries required to compile mrtg:

 ./configure --prefix=/usr/local/mrtg-2       \
         --with-gd=/usr/local/src/gd      \
         --with-z=/usr/local/src/zlib     \
         --with-png=/usr/local/src/libpng

If you have RRDtool available you might want to tell mrtg about it so that you can opt to use rrdtool with mrtg. Check mrtg-rrd.

Configure will make sure your environment is fit for building mrtg. If it finds a problem, it will tell you so and it will also tell you what to do about it. If everything is OK, you will end up with a custom Makefile for your system. Now type:

 make

This builds the rateup binary and edits all the perl pathnames in the scripts. You can now install mrtg by typing

 make install   (requires gnu install)

All the software required by MRTG is now installed under the /usr/local/mrtg-2 subdirectory.

You can now safely delete the libraries we compiled above. Then again, you might want to keep them around so that you have them available when compiling the next version of mrtg.

CONFIGURATION

The next step is to configure mrtg for monitoring a network device. This is done by creating an mrtg.cfg file which defines what you want to monitor. Luckily, you don't have to dive straight in and start writing your own configuration file all by yourself. Together with mrtg you also got a copy of cfgmaker. This is a script you can point at a router of your choice; it will create a mrtg configuration file for you. You can find the script in the bin subdirectory.

 cfgmaker --global 'WorkDir: /home/httpd/mrtg'  \
      --global 'Options[_]: bits,growright' \
      --output /home/mrtg/cfg/mrtg.cfg    \
       community@router.abc.xyz

This example above will create an mrtg config file in /home/mrtg/cfg assuming this is a directory visible on your webserver. You can read all about cfgmaker in cfgmaker. One area you might want to look at is the possibility of using --ifref=ip to prevent interface renumbering troubles from catching you.

If you want to start rolling your own mrtg configuration files, make sure you read mrtg-reference to learn all about the possible configuration options.

RUNNING MRTG

Once you have created a configuration file, try the following:

 /usr/local/mrtg-2/bin/mrtg /home/mrtg/cfg/mrtg.cfg

This will query your router and also create your first mrtg trafic graphs and webpages. When you run mrtg for the first time there will be a lot of complaints about missing log files. Don't worry, this is normal for the first 2 times you start mrtg. If it keeps complaining after this time you might want to look into the problem.

Starting mrtg by hand is not ideal in the long run. So when you are satisfied with the results you can automate the process of running mrtg in regular intervals (this means every 5 minutes by default).

You can either add mrtg to your crontab with a line like this:

 0,5,10,15,20,25,30,35,40,45,50,55 * * * * \
   /mrtg /mrtg.cfg \
            --logging /var/log/mrtg.log

or if you live in Linux Land the line may look like this if you are using crontab -e

 */5 * * * *  /mrtg /mrtg.cfg \
                   --logging /var/log/mrtg.log

or like this if you use /etc/crontab

 */5 * * * *  mrtg-user  /mrtg /mrtg.cfg \
                             --logging /var/log/mrtg.log

You can also run mrtg as a daemon process by adding the line

 RunAsDaemon: Yes

to your mrtg configuration file and then creating a startup script in your system startup sequence. Unfortunately, adding startup scripts differs widely amongst different unix systems. The modern ones normally have a directory called /etc/init.d or /etc/rc.d/init.d where you put scripts which starts the process you want to run when the system boots. Further you must create a symbolic link in /etc/rc3.d or /etc/rc.d/rc?.d called S65mrtg (this is just a sample name ... it is just important that it starts with S followed by a two digit number). If you are not sure about this, make sure you consult the documentation of your system to make sure you get this right.

A minimal script to put into init.d might look like this:

 #! /bin/sh
cd /usr/local/mrtg-2.16.2/bin && ./mrtg --user=mrtg-user \
   /home/httpd/mrtg/mrtg.cfg  --logging /var/log/mrtg.log

Note that this will only work with RunAsDaemon: Yes in your mrtg.cfg file.

###################################################################
Kali ini, CHIP akan membahas penggunaan MRTG untuk memantau tingkat penggunaan bandwidth jaringan dari setiap PC client yang ada dalam suatu jaringan.

Artikel MRTG sudah pernah dibahas pada edisi CHIP Spesial terakhir yang bertema “Networking”. Dalam artikel tersebut dibahas cara pembuatan MRTG untuk memantau suatu interface dalam jaringan. Berbeda dengan CHIP Spesial, kali ini CHIP mengajak Anda memanfaatkan MRTG sebagai pemantau utilisasi setiap PC client dalam menggunakan jaringan.

Ide dari artikel ini sebenarnya sederhana saja. Anda akan mengaktifkan protokol SNMP pada setiap interface network card di PC client. Selanjutnya, Anda mengaktifkan MRTG pada salah satu PC (boleh juga pada server) untuk selanjutnya mencatat utilisasi dari setiap PC client. Dengan cara ini, Anda bisa melihat client mana saja yang memiliki utilisasi tinggi dalam penggunaan jaringan. Informasi ini bisa digunakan sebagai pertimbangan upgrade infratruktur dari PC client maupun jaringan. Misalkan saja client yang menggunakan interface Ethernet 100 Mbps terlihat hampir selalu memiliki utilisasi maksimum. Dalam kasus tersebut, melakukan upgrade ke interface yang lebih tinggi, seperti Gigabit 1000 Mbps, bisa dijadikan pertimbangan.
Pada akhir artikel, CHIP juga akan membahas sedikit cara pembuatan inter-face web yang lebih informatif untuk memantau semua client Anda.

1. Instalasi Perl

Perl merupakan bahasa yang digunakan oleh MRTG. Sayangnya, ia tidak tersedia secara native dalam Windows. Jadi, Anda harus terlebih dahulu meng-install Perl. Dalam percobaan, CHIP menggunakan ActivePerl versi 5.8.7 buatan ActiveState (www.activestate.com, ada di CHIP-DVD)

Bukalah file ZIP dan jalankan file "installer.bat". Anda akan dihadapkan pada beberapa pertanyaan yang berhubungan dengan konfigurasi instalasi dari Perl. Setelah selesai instalasi, pastikan direktori "\Perl\bin" sudah masuk ke dalam path Windows Anda.

Solusinya adalah dengan memasukkan direktori "\Perl\bin" ke dalam path Windows secara manual. Caranya adalah sebagai berikut. Klik kanan "My Computer" dan pilih "Properties". Selanjutnya, pilih tab menu "Advanced" dan tombol "Environment Variables". Perhatikan bagian "System variables" dan cari kolom yang berisi "Path". Pilih baris tersebut dan klik "Edit". Tambahkan path "C:\Perl\bin" dalam kolom "Variable Value". Sebagai contoh, digunakan drive "C" dengan direktori "Perl\bin" (tempat instalasi Perl). Anda bisa mengubah path ini sesuai dengan letak direktori instalasi Perl Anda. Setelah selesai, klik "OK" untuk menutup window yang ada dan restart PC Anda.

Cara mengeceknya adalah dengan mengetikkan "perl" pada sembarang direktori di console (ketik “cmd” di “Start | Run” untuk mengakses console). Jika Windows tidak menampilkan pesan kesalahan, maka seharusnya instalasi Perl sudah selesai. Jika Windows menampilkan pesan kesalahan yang menyatakan bahwa "perl tidak dikenal sebagai command", maka direktori "\Perl\bin" tampaknya belum dimasukkan ke dalam path. Alternatif lain adalah dengan mengetikkan "path" dalam Command Prompt. Periksa apakah ada direktori "\Perl\bin" dari teks yang muncul.

2. Instalasi MRTG

Sama seperti instalasi ActivePerl, proses instalasi MRTG juga sangat sederhana. Anda hanya perlu mengekstrak file instalasi ke direktori yang Anda inginkan. Sebaiknya, gunakan direktori mudah diingat seperti "C:\MRTG".

Seperti password: Community String ini cukup penting karena fungsinya mirip password yang digunakan untuk meminta informasi SNMP.

Setelah selesai mengekstrak, langkah selanjutnya yang harus Anda lakukan adalah sebagai berikut. Masuklah ke direktori "\MRTG\bin" lalu ketikan "perl mrtg". Jika Anda menemukan tampilan pesan kesalahan yang menandakan bahwa MRTG belum memiliki file konfigurasi, maka bisa dikatakan proses konfigurasi Perl dan MRTG Anda sudah berhasil.

3. Konfigurasi protokol SNMP

Setiap device yang ingin Anda monitor (dalam hal ini network card pada setiap client) harus mendukung protokol Simple Network Management Protocol (SNMP). Selain itu, Anda juga harus memastikan bahwa protokol SNMP sudah dikonfigurasikan dengan benar.

Pertama-tama, Anda harus memastikan bahwa protokol SNMP sudah ter-install di PC. Caranya, klik kanan pada "My Computer" dan pilih "Manage". Selanjutnya, pilih "Service and Applications | Services". Lihat kolom pada bagian kanan window dan cari item "SNMP Service". Jika Anda tidak menemukan item tersebut, maka hal itu menandakan SNMP belum ter-install di PC Anda. Lakukan instalasi secara manual. Masuklah ke "Start | Settings | Control Panel | Add Remove Programs | Add Remove Windows Components". Dari menu yang muncul, pilihlah "Management and Monitoring Tools". Klik "Details" dan pastikan komponen "Simple Network Management Protocol" sudah dipilih. Tutup window yang ada dengan mengklik "OK". Windows akan melakukan instalasi komponen SNMP dan meminta CD Windows. Sampai saat ini seharusnya proses instalasi SNMP sudah selesai.

Selanjutnya, Anda masih harus melakukan konfigurasi SNMP. Caranya sebagai berikut. Klik kanan pada "My Computer" dan pilih "Manage". Selanjutnya, pilih "Service and Applications | Services". Carilah item "SNMP Service" dan klik dua kali untuk membuka window konfigurasi. Hal pertama yang harus Anda lakukan adalah memastikan service sudah berjalan (Started). Selanjutnya, pilih tab menu "Security". Ubahlah nama "Community" menjadi kata-kata yang unik seperti "ServerJim" dan ubah "Community Rights" menjadi "Read Only". Sebaiknya, Anda menggunakan nama yang cukup unik karena "Community String" ini juga sekaligus berfungsi sebagai password yang akan digunakan untuk mengambil data SNMP.

Hal terakhir yang harus Anda lakukan adalah membuka tab "Agent". Masukkan nama "Contact" dan "Location" pada kolom yang tersedia (opsional). Aktifkan juga semua pilihan Service yang ada pada window tersebut. Proses konfigurasi SNMP pada PC sudah selesai. PC Anda kini sudah siap untuk mengirimkan data SNMP sesuai dengan permintaan dari NMS.

4. Konfigurasi web server

Seperti sudah dibahas di awal, MRTG akan menghasilkan gambar dalam bentuk grafik pada halaman web. Anda memang bisa melihat file HTML yang dihasilkan secara manual pada direktori output dari MRTG, namun tentunya cara ini tidak efisien. Cara yang direkomendasikan adalah dengan membuat sebuah web server pada salah satu PC. Selanjutnya, output dari file HTML akan diarahkan ke dalam direktori kerja dari web server tersebut. Dengan cara ini, Anda bisa melihat file HTML yang dihasilkan oleh MRTG dengan mengunjungi alamat web server tersebut.

Harus dibuka: Firewall biasanya menutup port 80 sehingga web server Anda tidak bisa diakses oleh PC lain.

Anda bisa menggunakan web server seperti Internet Information Services (IIS) ataupun Apache. Apache harus Anda download manual, sedangkan IIS merupakan komponen Windows yang harus Anda tambahkan secara manual. Dalam praktek kali ini, CHIP menggunakan IIS pada Windows 2000.

Manual: Secara default, IIS tidak di-install. Anda harus meng-install-nya secara manual. Sebagai alternatif, web server seperti Apache juga bisa digunakan.

Berikut ini, CHIP akan membahas singkat tentang proses instalasi IIS. Masuklah ke "Start | Settings | Control Panel | Add Remove Programs | Add Remove Windows Components". Aktifkan pilihan "Internet Information Services" atau IIS. Ikuti langkah selanjutnya untuk melakukan instalasi IIS pada Windows Anda. Setelah proses instalasi selesai, cobalah untuk mengunjungi alamat "http:\\localhost" pada browser Anda. Seharusnya, Anda akan mendapatkan tampilan halaman web yang menandakan IIS sudah aktif. Bagi pengguna firewall, masukkan port 80 dalam exception agar IIS Anda bisa diakses dari PC lain dalam jaringan.

Penting: Teks “Jim3337” akan menjadi nama file HTML yang akan dihasilkan oleh MRTG.

5. File konfigurasi MRTG

Tahap ini merupakan tahap yang paling penting dari semua bagian yang harus Anda lakukan. Bagian ini akan mengatur pembuatan file konfigurasi yang nantinya akan digunakan oleh MRTG. Masuklah ke dalam direktori "\MRTG\bin" dan ketikkan perintah berikut.

"perl cfgmaker ServerJim@10.15.33.8 --global "WorkDir: c:\Inetpub\wwwroot\mrtg" --output mrtg.cfg"

Parameter yang dimasukkan di atas tentunya harus disesuaikan dengan konfigurasi sistem Anda. Nama "ServerJim" harus disesuaikan dengan "Community String" yang Anda gunakan. IP Address 10.15.33.8 juga harus diganti dengan IP interface yang akan Anda monitor. Bagian "c:\Inetpub\wwwroot\mrtg" merupakan direktori web server IIS yang akan menampung file grafik dan HTML yang dihasilkan oleh MRTG. Sebagai catatan, Anda harus membuat sendiri direktori "mrtg" di bawah direktori "c:\Inetpub\wwwroot".

6. Menentukan nama file HTML

Secara default, MRTG akan membuat file HTML berdasarkan kode IP. Cara ini bisa membingungkan Anda ketika melihat file yang dihasilkan oleh MRTG. Sebagai gantinya, Anda bisa mengubah nama file ini dalam file konfigurasi MRTG

Cara mengganti nama file HTML yang akan dihasilkan oleh MRTG ini sebenarnya cukup sederhana. Masuklah ke direktori instalasi "\MRTG\bin" dan bukalah file "mrtg.cfg" dengan menggunakan editor teks. Ubahlah kode yang berupa IP (seperti 10.15.33.8_16777220) dengan "pc-jim". Hal ini akan membuat MRTG menghasilkan file bernama “pc-jim. html”. Gunakan "Search and Replace All" untuk mengganti semua teks.

Setelah selesai, masuklah ke direktori "\MRTG\bin" dan ketikkan perintah "perl mrtg mrtg.cfg". Periksalah direktori "\Inetpub\wwwroot\mrtg" untuk melihat apakah ada file yang dihasilkan oleh MRTG. Jika Anda menemukan beberapa file dengan akhiran PNG dan file "pc-jim.html", berarti konfigurasi MRTG sudah benar.

7. Setup MRTG sebagai Daemon

File PNG dan HTML dalam direktori "\Inetpub\wwwroot\mrtg" otomatis akan di-update setiap kali Anda menjalankan perintah "perl mrtg". Agar MRTG otomatis di-update setiap 5 menit sekali, maka Anda harus menjalankan MRTG sebagai service atau daemon. Caranya sangat sederhana, yaitu Anda hanya perlu menambahkan satu baris perintah dalam file mrtg.cfg berikut.
RunAsDaemon: yes

Batch file: Anda harus membuat sebuah batch file sederhana sebagai shortcut untuk mengaktifkan MRTG.

Berhasil: MRTG yang berjalan di background sebagai service atau daemon. Ia akan otomatis meng-update data setiap lima menit sekali

Selanjutnya, setiap kali Anda menjalankan "perl mrtg", maka window command prompt akan selalu aktif sebagai background. Jangan tutup window ini karena menutup window ini sama dengan menonaktifkan MRTG.

Service: Dengan menambahkan satu baris perintah, MRTG akan dijalakan sebagai service. Update akan dilakukan secara otomatis setiap lima menit sekali.

8. MRTG dalam startup

Langkah ketujuh akan membuat MRTG dijalankan secara permanen. Namun, jika server Anda restart, MRTG tidak akan dijalankan secara otomatis. Anda harus kembali memasukkan perintah "perl mrtg" pada direktori "\mrtg\bin" agar MRTG aktif.

Agar MRTG otomatis dijalankan setiap kali server booting, maka MRTG harus dijalankan sebagai service. Ada berbagai cara untuk melakukan hal ini. CHIP akan menunjukkan salah satu cara termudah untuk melakukan hal tersebut.

Untuk keperluan ini, Anda akan bermain-main sedikit dengan batch file. Masuklah ke command prompt dan buatlah file mrtg.bat dengan mengetikkan "edit mrtg.bat". Sebuah editor teks sederhana akan muncul. Selanjutnya, ketikkan beberapa baris perintah berikut ini.

@echo off
cd c:\mrtg\bin
perl mrtg --logging=eventlog mrtg.cfg

Otomatis: Shortcut dipasang di Startup agar file batch dijalankan setiap kali PC booting.

Anda mungkin harus mengubah parameter direktori MRTG sesuai dengan direktori instalasi MRTG Anda. Setelah selesai, simpanlah file tersebut dan keluar dari program editor teks. Proses selanjutnya adalah membuat shortcut Windows untuk file batch tersebut. Klik kanan pada dekstop dan pilih "New | Shortcut". Pilih "Browse" dan temukan file batch tadi. Terakhir, beri nama untuk shortcut tersebut misalkan "MRTG Startup". Drag-and-drop shortcut ke dalam "Start Menu" pada folder "Startup". Setiap kali Anda restart, maka shortcut tersebut akan menjalankan MRTG secara otomatis.

SEKILAS - SNMP

Simple Network Management Protocol (SNMP) diciptakan pada sekitar tahun 1988. Tujuan awal diciptakannya protokol SNMP ini adalah untuk mengatur berbagai device yang semakin banyak seiring dengan berkembangnya jaringan Internet. SNMP sendiri merupakan "turunan" dari protokol Simple Gateway Management Protocol (SGMP). Sebenarnya, SNMP juga akan digantikan oleh beberapa protokol lain yang lebih modern (CMIS/CMIP). Namun, sampai saat ini SNMP masih menjadi protokol manajemen jaringan yang paling banyak digunakan.

Secara singkat, SNMP terdiri dari tiga bagian yaitu managed device, agent, dan Network Management System (NMS). Berikut ini deskripsi singkat mengenai fungsi dari ketiga elemen tersebut.
Managed Device: Node jaringan yang memiliki SNMP agent dan berada dalam jaringan yang di-manage. Managed device akan mengumpulkan informasi yang nantinya bisa diakses oleh NMS dengan menggunakan SNMP. Managed device bisa berupa router, switch, hub, ethernet/NIC, ataupun elemen network lainnya.
Agent: Software untuk manajemen network yang berada di managed device. Agent berperan untuk menerjemahkan informasi ke dalam "bahasa" yang kompatibel dengan SNMP.
Network Management System: Bagian dalam jaringan yang akan melakukan pengawasan ataupun mengatur managed device.

Sampai saat ini, standar SNMP baru mencapai versi 2. Sayangnya, SNMP versi 1 dan versi 2 ini tidak saling kompatibel. RFC1452 mendefinisikan metode untuk membuat SNMP versi 1 dan versi 2 ini agar bisa berjalan bersamaan, yaitu dengan menggunakan proxy agent atau bilingual NMS.

Solusi proxy agent akan menggunakan proxy yang berfungsi untuk saling menerjemahkan "bahasa" antara SNMP versi 1 dan versi 2. Solusi lain, yaitu bilingual NMS, akan menggunakan software NMS yang mendukung dua "bahasa" sekaligus, yaitu SNMP versi 1 dan versi 2. Dua metode ini bisa digunakan untuk menghubungkan SNMP versi 1 dan versi 2.

KNOW HOW - Menggabungkan Beberapa Grafik dalam Satu File HTML

Setelah menyelesaikan langkah-langkah di atas, seharusnya Anda sudah mendapatkan grafik pemakaian bandwidth jaringan dari sebuah PC. Pertanyaannya adalah bagaimana memantau banyak PC sekaligus dengan mudah? Berikut ini akan dijelaskan caranya.

1. Kenali file yang dibuat oleh MRTG

Perhatikan direktori web server untuk MRTG Anda. Jika tidak diubah, seharusnya berada di “\Inetpub\wwwroot\mrtg”. Lihatlah file-file yang dihasilkan oleh MRTG setelah dijalankan. Seharusnya Anda akan mendapatkan file seperti berikut.
Dari gambar di atas dapat ditarik kesimpulan bahwa ada lima file penting yang dihasilkan oleh MRTG yaitu file “jim3337.html” (file utama), “jim3337-day.png” (grafik harian), “jim3337-week.png” (grafik mingguan), “jim3337-months.png” (grafik bulanan), dan “jim3337-year.png” (grafik tahunan).

2. File MRTG.CFG untuk banyak PC

Untuk memantau lebih dari satu PC, maka Anda harus mengubah sedikit pada langkah kelima. Setelah menjalankan langkah kelima, maka Anda harus mengecek direktori "mrtg\bin". Perhatikan file "mrtg.cfg". Ubahlah nama file tersebut menjadi nama lain, misalkan "pcjim.cfg". Selanjutnya, kembali ulangi langkah kelima untuk PC lain (dengan parameter Community String dan IP yang telah disesuaikan). Kembali rename file "mrtg.cfg" menjadi nama lain yang sesuai sebagai identitas. Ulangi sampai semua PC telah dibuat file cfg-nya.

Lengkap: File HTML utama bisa digunakan untuk menampilkan informasi dari banyak client sekaligus.

Selanjutnya, buka salah satu file cfg yang akan dijadikan sebagai file utama (dipilih secara bebas). Selanjutnya, buka file cfg lain dan copy baris perintah seperti gambar di samping ke file cfg utama. Baris yang di-copy dimulai dari paling bawah (tepat sebelum baris "WorkDir...") sampai teks "### Interface..." pertama dari bawah.

Paste ke file cfg utama. Tempat paste dimulai persis di atas baris "WorkDir...". Lakukan hal ini untuk semua file cfg lain, sampai Anda mendapatkan sebuah file cfg utama yang telah berisi gabungan hasil copy dari file cfg lainnya.

Copy: Copy bagian dari file cfg setiap PC seperti contoh di atas.

Paste: Paste pada posisi seperti contoh gambar di atas ke file cfg utama.

Ubah nama file HTML dalam "mrtg. cfg" seperti pada langkah keenam jika diperlukan. Setelah selesai, jalankan MRTG dengan mengetikkan perintah "perl mrtg mrtg.cfg". Periksa direktori "MRTG" di bawah "Inetpub\www". Seharusnya Anda akan menemukan banyak file HTML yang dihasilkan oleh MRTG.

3. Membuat file HTML sendiri

Untuk menggabungkan semua grafik ini sangatlah sederhana. Apalagi jika Anda telah mengerti struktur dari file yang gambar dihasilkan oleh MRTG.

Anda hanya perlu membuat sebuah dokumen HTML yang berisi link ke semua gambar yang dihasilkan oleh MRTG (grafik harian, mingguan, bulanan, dan tahunan). Tampilan file HTML ini bisa dibuat secara manual ataupun menggunakan bantuan tool seperti FrontPage atau Microsoft Word. Tentu saja Anda bisa menambahkan link yang lebih detail dari setiap gambar (misalkan jika gambar diklik maka file HTML asli yang dihasilkan oleh MRTG akan dipanggil). Hasilnya bisa Anda lihat seperti pada gambar di samping ini.

Diambil dari Chip Edisi 02/2006.

5. MAIL SERVER (squirrelmail)

Pada tulisan ini akan dibahas cara instalasi squirrel mail. Caranya cukup mudah dan simple.
Lalu apa sebenarnya squirrel mail itu ?

SquirrelMail is a standards-based webmail package written in PHP. It includes built-in pure PHP support for the IMAP and SMTP protocols, and all pages render in pure HTML 4.0 (with no JavaScript required) for maximum compatibility across browsers.

Yah singkatnya, squirrel mail adalah sebuah web mail client yang memungkinkan untuk mengecek email.

Pada tulisan ini, diasumsikan service web server anda dan mail server anda sudah jalan.

Langung saja :
1. Download mail client squirrel mail disini
2. Extract squirrel mail di direktori web server anda
3. Jalankan /config/conf.pl, lalu lakukan beberapa setting
4. Pilih bagian Server Setting, disini setting yang perlu diperhatikan adalah Domain (ganti dengan domain anda) mis : http://abc.com dan Sendmail or SMTP (Server mail anda)
5. Pilih bagian Folder Default untuk mengubah beberapa setting seperti nama untuk Inbox, Sent, dll
6. Pilih bagian General Option untuk mengubah beberapa setting seperti direktori untuk data dan direktori untuk attachment.
Direktori untuk data dan attachment lebih baik disarankan terpisah dari root folder-nya squirrel.
Jika belum ada direktori tersebut maka buatlah direktori dengan nama data dan attach
7. Atur permission untuk direktori data, ketikkan saja berikut :

chown -R [user webserver]:[group webserver] /path/to/data

Misalnya letak dari direktori data adalah /var/squirelmail/data dan hak kepemilikan dari web server anda adalah user:apache dan group:apache jadinya begini :

chown -R apache:apache /var/squirelmail/data

8. Atur permission untuk direktori attach, ketikkan saja berikut :

chgrp -R [group webserver] /path/to/attach
chmod -R 730 /path/to/attach

Misalnya letak dari direktori attach adalah /var/squirelmail/attach dan hak kepemilikan dari web server anda adalah user:apache dan group:apache jadinya begini :

chgrp -R apache /var/squirelmail/attach
chmod -R 730 /var/squirelmail/attach

9. Jika sudah selesai setting semuanya, maka jangan lupa berikan command "S" untuk menyimpan konfigurasi dari squirrel
10. Setelah itu buka browser anda dan ketikkan alamat dari mail squirrel anda : http://lokasi-squirrelmail-anda/src/configtest.php
Ini dilakukan untuk mengecek apakah konfigurasi squirrel mail anda ada yang salah atau error.
Jika tidak ada yang salah maka, anda sudah bisa menggunakan squirrel mail anda dengan mengetikkan alamat : http://lokasi-squirrelmail-anda
source

6.PROXY SERVER (squid)

download tutorial squid

4. DNS (bind)

Konsep & Cara Kerja DNS
DNS (Domain Name System) adalah suatu system yang mengubah nama host (seperti linux.or.id) menjadi alamat IP (seperti 64.29.24.175) atas semua komputer yang terhubung langsung ke Internet. DNS juga dapat mengubah alamat IP menjadi nama host.
DNS bekerja secara hirarki dan berbentuk seperti pohon (tree). Bagian atas adalah Top Level Domain(TLD) seperti COM, ORG, EDU, MIL dsb. Seperti pohon DNS mempunyai cabang-cabang yang dicari dari pangkal sampai ke ujung. Pada waktu kita mencari alamat misalnya linux.or.id pertama-tama DNS bertanya pada TLD server tentang DNS Server yang melayani domain .id misalnya dijawab ns1.id, setelah itu dia bertanya pada ns1.id tentang DNS Server yang bertanggung jawab atas .or.id misalnya ns.or.id kemudian dia bertanya pada ns.or.id tentang linux.or.id dan dijawab 64.29.24.175
Sedangkan untuk mengubah IP menjadi nama host melibatkan domain in-addr.arpa. Seperti domain lainnya domain in-addr.arpa pun bercabang-cabang. Yang penting diingat adalah alamat IP-nya ditulis dalam urutan terbalik di bawah in-addr.arpa. Misalnya untuk alamat IP 64.29.24.275 prosesnya seperti contoh linux.or.id: cari server untuk arpa, cari server untuk in-addr.arpa, cari server untuk 64.in-addr.arpa, cari server 29.64.in-addr.arpa, cari server untuk 24.29.64.in-addr.arpa. Dan cari informasi untuk 275.24.29.64.in-addr.arpa. Pembalikan urutan angkanya memang bisa membingungkan.
DNS Server di Linux
DNS Server di linux biasanya dijalankan oleh program yang bernama named. Program ini merupakan bagian dari paket bind yang dikoordinasikan oleh Paul Vixie dari The Internet Software Consortium. Biasanya program ini terletak di /usr/sbin/named dan dijalankan pada waktu booting dari /etc/rc.d/init.d/named start. Agar named dijalankan pada setiap booting masukkan named ke daftar server yang harus distart dengan menggunakan ntsysv.
File Konfigurasi
File konfigurasi untuk named adalah /etc/named.conf yang seperti biasa adalah text file. Format file ini seperti format program C atau Pascal yakni tiap perintah diakhiri dengan ';' dan blok perintah di kurung dengan '{' dan '}'. Ada beberapa blok yang sering digunakan yaitu:
options
untuk mengatur konfigurasi server secara global dan menentukan default
zone
untuk mengatur konfigurasi zona DNS.
Caching Only DNS Server
Caching Only DNS Server akan mencari jawaban dari pertanyaan DNS dan mengingat jawabannya ketika anda bertanya lagi. Ini akan mempersingkat waktu tunggu pada pertanyaan DNS berikutnya terutama jika anda menggunakan koneksi yang lambat seperti modem.
Konfigurasi
File konfigurasi Caching Only DNS sudah disediakan oleh RedHat dalam paket caching-nameserver anda tinggal menginstal paketnya dan mengedit file /etc/named.conf dan menambahkan baris berikut pada blok options:
=====================
forward first;
forwarders {
202.158.3.6;
202.158.3.7;
};
=====================
Kedua alamat IP diatas adalah alamat IP untuk DNS Server ISP saya yaitu CBN jika ISP anda berbeda anda harus menggantinya.
Membuat Domain Sendiri
Pada bagian ini kita akan membuat domain untuk jaringan lokal (LAN) misalnya intra.aki. Ada baiknya menggunakan domain yang benar-benar tidak ada di Internet sehingga kita tidak mengganggu domain siapa pun. Perlu diingat bahwa tidak semua karakter diperbolehkan untuk menjadi nama host yang dibolehkan hanya A-Z, a-z, 0-9 dan karakter '-'. Selain itu nama hostitu tidak bergantung pada huruf besar atau huruf kecil, jadi linux.intra.aki dan LINUX.Intra.AKI adalah sama. Kita masih mengedit file yang berasal dari paket caching-nameserver.
Tambahan di /etc/named.conf
Pertama kita mengedit file /etc/named.conf untuk menambahkan baris berikut:
======================
zone "intra.aki" {
type master;
notify no;
file "intra.aki";
}
======================
Yang berarti bahwa kita membuat zona domain intra.aki dimana kita adalah penguasa domain tersebut (type master) tetapi kita tidak ingin domain ini tersebar ke internet (notify no) dan informasi tentang anggota domainnya itu sendiri disimpan di file intra.aki di direktori yang ditentukan oleh keyword direktory dari blok options yang berisi /var/named
File Zona intra.aki
Kemudian kita membuat file zona intra.aki yang berisi informasi tentang anggota domain
========================================
; Zone file for intra.aki
@ IN SOA ns.intra.aki. root.intra.aki. (
2000091401 ; serial
8H ; refresh
3H ; retry
1W ; expire
1D ; default_ttl
)
NS ns
A 192.168.1.100
MX 10 linux.intra.aki.
MX 20 other.extra.aki.
localhost A 127.0.0.1
linux A 192.168.1.100
ns A 192.168.1.100
ftp CNAME linux
pop CNAME linux
www CNAME linux.intra.aki
cctv A 192.168.1.3
====================================
Perhatikan tanda '.' pada akhir dari nama domain di file ini. File zona ini mengandung 9 Resource Record(RR): satu SOA RR, satu NS RR, tiga CNAME RR dan empat AA RR. SOA merupakan singkatan dari Start Of Authority. Karakter “@” berarti nama domain dari zona yaitu intra.aki jadi baris kedua diatas berarti
======================
intra.aki. IN SOA ....
======================
NS adalah Name Server RR. Tidak ada “@” pada awal baris karena baris diatasnya dimulai dengan '@'. Menghemat waktu mengetiknya. Jadi baris NS bisa juga di tulis
======================
intra.aki. IN NS ns
======================
Ini memberitahu DNS host mana yang menjadi name server bagi domain intra.aki yakni ns.intra.aki. 'ns' adalah nama yang biasa dipakai untuk name server, tetapi seperti web server yang biasa dinamakan www.anu namanya bisa diubah menjadi apapun.
Baris SOA adalah pembuka bagi semua file zona dan harus ada satu dalam setiap file zona. Baris tersebut menjelaskan zona, darimana dia datang (host bernama ns.intra.aki), siapa yang bertanggung jawab atas isinya (root@intra.aki), versi zona file (serial: 2000091401) dan parameter lainnya yang berhubungan dengan caching dan secondary DNS Server. Perlu diperhatikan bahwa ns.intra.aki haruslah nama host dengan A RR. Tidak diperbolehkan membuat CNAME RR untuk nama yang disebutkan di SOA.
RR A mendefinisikan alamat IP dari suatu nama host sedangkan CNAME mendefinisikan nama alias dari suatu host yang harus merujuk ke RR lainnya.
Ada satu lagi tipe RR pada file ini yaitu MX atau Mail eXchanger. RR ini berfungsi untuk memberitahukan sistem mail kemana harus mengirim e-mail yang di alamatkan ke seseorang@intra.aki dalam hal ini linux.intra.aki atau other.extra.aki. Angka sebelum nama host adalah prioritas MX. RR dengan angka terendah (10) adalah host yang harus dikirimkan email pertama kali. Jika tidak berhasil maka e-mail bisa dikirim ke host lain dengan angka yang lebih besar misalnya other.extra.aki yang mempunyai prioritas 20.
Zona Reverse
Zona Reverse diperlukan untuk mengubah dari alamat IP menjadi nama. Nama ini digunakan oleh berbagai macam server (FTP, IRC, WWW dsb) untuk menentukan apakah anda diperbolehkan mengakses layanan tersebut atau sejauh mana prioritas yang diberikan kepada anda. Untuk mendapatkan akses yang penuh pada semua layanan di Internet diperlukan zona reverse.
Tambahan di /etc/named.conf
Tambahkan baris berikut di /etc/named.conf
=============================
zone "1.168.192.in-addr.arpa" {
notify no;
type master;
file "192.168.1";
}
=============================
Seperti sebelumnya artinya kita membuat zona domain 1.168.192.in-addr.arpa yang tidak disebar ke internet dan disimpan di file /var/named/192.168.1
File zona 192.168.1
Sekarang kita membuat file zona 192.168.1 untuk domain 1.168.192.in-addr.arpa seperti berikut:
=================================================
; Zone file for reverse zone 1.168.192.in-addr.arpa (192.168.1.x)
@ IN SOA ns.intra.aki. root.intra.aki. (
2000072801 ; serial
28800 ; refresh
7200 ; retry
604800 ; expire
86400 ; default_ttl
)
@ IN NS ns.intra.aki.
100 IN PTR linux.intra.aki.
3 IN PTR cctv.intra.aki.
==========================================
Ada RR baru disini yakni PTR yang berfungsi untuk memetakan IP ke nama host
Security
Jika anda memasang DNS server pada komputer yang berfungsi sebagai gateway antara jaringan internal anda dengan jaringan Internet serta DNS Server anda tidak melayani request dari luar (caching only DNS atau DNS untuk jaringan lokal saja) maka anda bisa membuat named untuk melayani hanya jaringan lokal saja dengan menambah baris berikut di dalam blok options:
=============================
listen-on { 127.0.0.1; 192.168.1.100; };
=============================
Sehingga named hanya membuka port pada interface loopback (127.0.0.1) dan eth0 (192.168.1.100).
Sumber Lebih Lanjut:
man named.conf
man named
dns howto
source
#################################################################
Ada banyak program untuk membuat DNS server, berhubung yang default terinstall di slackware adalah bind9 maka kita akan menggunakan itu saja. Jika bind9 terinstall maka akan terdapat beberapa file – file instalasi default seperti :

var/named/caching-example/named.ca
var/named/caching-example/named.local
var/named/caching-example/localhost.zone
etc/rc.d/rc.bind
etc/named.conf

Tiga file awal adalah contoh dari konfigurasi bind9, file selanjutnya adalah init script (rc.bind) dan konfigurasi dari bind (named.conf).

Berikut adalah isi dari file named.conf yang masih perawan :

options {
directory “/var/named”;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
zone “.” IN {
type hint;
file “caching-example/named.ca”;
};

zone “localhost” IN {
type master;
file “caching-example/localhost.zone”;
allow-update { none; };
};

zone “0.0.127.in-addr.arpa” IN {
type master;
file “caching-example/named.local”;
allow-update { none; };
};

Kita akan bahas per blok, dan apa saja modifikasi yang akan kita buat.

Blok pertama

options {
directory “/var/named”;
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};

Blok ini merupakan global setting dari bind, directory “/var/named” adalah direktory kerja dari bind, di direktory tersebut di tempatkan file – file konfgurasi domain yang biasa di sebut zone. Tidak disarankan untuk mengutak – atik blok ini kecuali Anda tahu apa yang Anda kerjakan. Atau dengan kata lain, biarkan mi saja begitu.

Blok Kedua

zone “.” IN {
type hint;
file “caching-example/named.ca”;
};

Blok ini merupakan blok root zone atau kasarnya alamat – alamat dari domain – domain internasional. Kita membutuhkan blok root zone ini. Biasanya saya melakukan perubahan dengan menghilangkan “caching-example/” pada baris file sehingga hanya berbentuk seperti ini :

file “named.ca”;

Ini soal kebiasaan saja, saya lebih senang melihat semua file – file zone berada di bawah direktori /var/named, jadi tinggal ganti saja baris file tersebut dan pindahkan filenya :

# mv /var/named/caching-example/* /var/named

Blok Ketiga
zone “localhost” IN {
type master;
file “localhost.zone”;
allow-update { none; };
};

Blok ini adalah forward localhost, Dalam artian jika dns server mendapatkan perintah untuk mengetahui alamat ip dari localhost maka bagian blok ini yang mengurusnya.
saya sarankan untuk tetap menyimpan blok ini tapi berhubung sudah memindahkan file /var/named/caching-example/ jadi bari file menjadi :

file “localhost.zone”;

Blok Keempat
zone “0.0.127.in-addr.arpa” IN {
type master;
file “named.local”;
allow-update { none; };
};

Blok ini merupakan kebalikan dari blok localhost atau biasa disebut reverse, karena kebalikan reverse kerjanya juga terbalik yaitu mencari nama dari ip yang di”query”kan ke DNS server.

Semua konfigurasi diatas jika betul (termasuk nama filenya dan direktorinya) maka DNS server kita sudah bisa digunakan, kita tinggal mengaktifkannya mengeksekusi file rc.bind

# /etc/rc.d/rc.bind start

Jika tidak ada error maka kita bisa meng”query” domain – domain luar misalnya yahoo, google dll dengan syarat kita terhubung ke internet. Perintah untuk megquery domain bisa menggunakan dig atau nslookup :

arman@oridecon:~$ dig yahoo.com

; <<>> DiG 9.4.1 <<>> yahoo.com
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 14210 ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 7, ADDITIONAL: 2 ;; QUESTION SECTION: ;yahoo.com. IN A ;; ANSWER SECTION: yahoo.com. 300 IN A 66.94.234.13 yahoo.com. 300 IN A 216.109.112.135 ;; AUTHORITY SECTION: yahoo.com. 162027 IN NS ns6.yahoo.com. yahoo.com. 162027 IN NS ns8.yahoo.com. yahoo.com. 162027 IN NS ns1.yahoo.com. yahoo.com. 162027 IN NS ns2.yahoo.com. yahoo.com. 162027 IN NS ns3.yahoo.com. yahoo.com. 162027 IN NS ns4.yahoo.com. yahoo.com. 162027 IN NS ns5.yahoo.com. ;; ADDITIONAL SECTION: ns6.yahoo.com. 162027 IN A 202.43.223.170 ns8.yahoo.com. 76086 IN A 202.165.104.22 ;; Query time: 415 msec ;; SERVER: 192.168.10.254#53(192.168.10.254) ;; WHEN: Wed Aug 8 17:25:00 2007 ;; MSG SIZE rcvd: 217 Jika keluar seperti diatas berarti dns kita sudah berfungsi, kita juga bisa menggunakan nslookup arman@oridecon:~$ nslookup > server localhost

Ketikkan perintah server localhost untuk memastikan bahwa dns server yang digunakan oleh nslookup adalah dns server yang kita buat, karena secara default nslookup menggunakan dns server sesuai dengan entry pada file /etc/resolv.conf

Default server: localhost
Address: 127.0.0.1#53

Dengan ini maka nslookup menggunakan server localhost. Selanjutnya tinggal masukkan saja domain yang akan kita query misalnya yahoo.com

> yahoo.com
Server: localhost
Address: 127.0.0.1#53
Non-authoritative answer:
Name: yahoo.com
Address: 216.109.112.135
Name: yahoo.com
Address: 66.94.234.13

Jika keluarnya seperti ini maka dns kita sudah siap untuk di kaccaki (oprek) lagi.
Untuk menambahkan domain lain (jika kita punya domain yang terdaftar atau sekedar iseng saja) kita bisa mengcopy konfigurasi dari localhost.zone.

Misalnya kita ingin membuat domain gorilla.com dengan ip 192.168.1.1 maka kita buat entry dari gorilla.zone seperti ini :
zone “gorilla.com” IN {
type master;
file “gorilla.zone”;
allow-update { none; };
};
zone “1.168.192.in-addr.arpa” IN {
type master;
file “192.168.1.zone”;
allow-update { none; };
};

Yang perlu diperhatikan adalah :

zone “gorilla.com” IN {

Ini kita sesuaikan dengan nama domain yang kita buat. Jika kita membuat domain kingkong.com maka baris zone itu juga berisi “kingkong.com”, selanjutnya adalah jenis dari domain tersebut apakah merupakan domain master atau slave, untuk lebih detil tentang master dan slave dari domain silahkan baca dokumentasi tentang dns. Baris berikut adalah file dari domain. File bisa kita namakan terserah kita namun yang pasti sama dengan yang ada pada blok zone, dalam hal ini kita menggunakan nama file “gorilla.zone”, saya sarankan nama file yang digunakan representatif sehingga untuk administrasi ataupun trouble shooting tidak lagi pusing soal nama file dan domain.
Blok terakhir yang kita buat adalah reverse dari domain gorilla.com, berhubung karena kita dalam tahap belajar maka kita menggunakan ip address lokal saja, dalam hal ini kita defenisikan adalah 192.168.1.X, yang perlu diperhatikan pada pendefenisian reverse, penulisan alamat ip itu ditulis terbalik (namanya juga reverse) jadi jika kita menggunakan ip 192.168.1.X maka yang dituliskan di zone reverse adalah “1.168.192.in-addr.arpa”, demikian juga halnya jika menggunakan ip - ip yang lain atau ip publik. Baris selanjutnya sama dengan forward dari gorilla.com yaitu type domain dan file zone, dalam hal ini kita menset “192.168.1.zone” untuk file dari reverse kita.

File – file zone

Setelah file named.conf kita acak – acak sekarang kita berurusan sama yang berwajib, eh file – file zone. Seperti kita definisikan sebelumnya di file named conf bahwa direktory dari bind berada di /var/named/ :

directory “/var/named”;

Karena kita juga sudah memindahkan file di /var/named/caching-example/, sekarang di direktori /var/named terdapat file – file berikut :

arman@oridecon:~$ ls /var/named/ -l

total 12
-rw-r–r– 1 root root 195 2007-06-08 13:42 localhost.zone
-rw-r–r– 1 root root 2517 2007-06-08 13:42 named.ca
-rw-r–r– 1 root root 433 2007-06-08 13:42 named.local

Seperti yang kita sudah defenisikan sebelumnya pada file named.conf terdapat tiga file zone dari instalasi default. File named.ca adalah file dari root zone, kita bisa saja membuat file ini tapi sebaiknya gunakan saja file dari instalasi default. File localhost.zone adalah file dari domain “localhost” sedangkan “named.local” adalah reverse dari domain

“localhost”.

Untuk lebih jelasnya kita lihat saja langsung kedua file tersebut.

arman@oridecon:/var/named$ cat localhost.zone
$TTL 86400
$ORIGIN localhost.
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS @
1D IN A 127.0.0.1

Yang perlu diperhatikan adalah dua baris terakhir. Baris kedua dari terakhir, entry tenang NS, ns inilah yang akan digunakan pada pencarian sebuah domain. Entry pada kolom terakhir yaitu “@”, yang menunjuk ke A record. Pada baris terakhir menentukan alamat ip yang digunakan pada domain dalam hal ini adalah “localhost” dengan ip

127.0.0.1.

Selanjutnya adalah file reversed dari localhost yaitu named.local :

arman@oridecon:/var/named$ cat named.local
$TTL 86400
@ IN SOA localhost. root.localhost. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.

Perhatikan pada baris terakhir yang entry pada kolom pertama adalah “1”, berarti reverse mempunyai ip 127.0.0.1 karena telah disebutkan di file named.conf.
Yang juga perlu diperhatikan adalah entry serial, jika mengunakan dns slave setiap kali mengganti entry dari file zone kita juga harus mengganti serial (formatnya biasanya sesuai dengan tanggal) sehingga server dns slave bisa menyesuaikan setiap perubahan seperti yang di dns master.

Domain Kita
Setelah file localhsot dan reversenya kita intip sekarang kita mo buat domain buat kita, seperti yang disinggung diatas kita bisa membuat domain untuk kita, seperti contoh kita diatas “gorrilla.com” dengan ip 192.168.1.1, tambahkan bari berikut di named.conf

zone “gorilla.com” IN {
type master;
file “gorilla.zone”;
allow-update { none; };
};
zone “1.168.192.in-addr.arpa” IN {
type master;
file “192.168.1.zone”;
allow-update { none; };
};

Saya sarankan untuk mengcopy saja entry dari localhost dan reversenya, untuk menghindari kesalahan pengetikan kecuali anda termasuk orang yang teliti dan suka buang waktu :P.
Setelah membuat perubahan pada file named.conf sekarang kita buat filenya, seperti yang telah di defenisikan bahwa file yang digunakan oleh domain “gorilla.com” adalah “gorilla.zone” dan reversenya adalah “192.168.1.zone”. Saya juga menyarankan untuk mengcopy saja dari file zone localhost.

# cp localhost.zone gorilla.zone
# cp named.local 192.168.1.zone

Selanjutnya adalah menyesuaikan dengan domain kita, ganti semua kata localhost dengan gorilla.com pada file tersebut seperti ini :

$TTL 86400
$ORIGIN gorilla.com.
@ 1D IN SOA @ root (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS dns.gorilla.com.
1D IN A 192.168.1.1
dns 1D IN CNAME @
www 1D IN CNAME @
arman 1D IN A 192.168.1.99

Pada konfigurasi ini kita juga menambahkan subdomain, yaitu dns.gorilla.com, www.gorilla.com dan arman.gorilla.com. Untuk dns.gorilla.com dan www.gorilla.com menunjuk pada ip yang sama yaitu 192.168.1.1 . Kita bahas baris yang menurut saya penting.

$ORIGIN gorilla.com.

Biasanya berisikan nama domain yang digunakan. Pada kasus kita gorilla.com.

1D IN NS dns.gorilla.com.

Bagian ini merupakan entry dari NS server dari domain kita. Jika kita menggunakan lebih dari satu NS untuk domain kita tinggal tambahkan saja NS entry berikutnya. Umumnya jika kita mendaftarkan domian di registrant domain dibutuhkan lebih dari satu NS.

1D IN A 192.168.1.1

Baris merupakan alamat ip dari domain yang digunakan, yaitu 192.168.1.1.

www 1D IN CNAME @
arman 1D IN A 192.168.1.99

Baris pertama merupakan subdomain www yang menunjuk pada A record, jadi jika mengakses www.gorilla.com maka yang ip address yang di tuju adalah 192.168.1.1. Untuk baris berikutnya adalah sebuah sub domain dengan nama “arman” yang menunjuk ke ip 192.168.1.99, baris ini tidak lagi menggunakan CNAME melainkan A karena ip yang digunakan adalah berbeda dengan ip dari default domain yaitu gorilla.com. Jika kita mengakses arman.gorilla.com sebetulnya mengakses ke 192.168.1.99. Hal yang sama juga kita buat untuk membuat domain dengan ip public. Silahkan menambahkan sub – sub domain yang lain lagi jika memang dibutuhkan.
Selanjutnya adalah reverse dari gorilla.com.

$TTL 86400
@ IN SOA gorilla.com. root.gorilla.com. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS gorilla.com.
1 IN PTR gorilla.com.
99 IN PTR arman.gorilla.com.

Seperti halnya reverse dari localhost kita juga hanya mengisikan ip dari daftar domain dan sub domain yang kita buat.
Jika sudah selesai, silahkan merestart bind :

# /etc/rc.d/rc.bind restart

Jika tidak ada kesalahan (sebaiknya periksa /var/log/message) maka kita sudah bisa mengquery domain yang kita buat.
source
#################################################################
Ada tiga teknik yang membantu DNS Intranet/Internet.

1.Root hints. Kita beri petunjuk pada DNS server agar bertanya pada DNS server root (induk), yaitu pengelola nama paling dasar (.com, .org, dll). Nanti DNS server root tersebut akan mencarikan nama cabangnya (yahoo.com, kernel.org, dll).

2.Forwarding. Dengan teknik ini DNS server kita akan bertanya ke DNS server lain, tidak langsung ke root. Teknik ini lebih efisien, dan kita bisa manfaatkan DNS server internet provider (kalau langganan pasti dikasih).

3.Caching. DNS server kita akan menyimpan sementara peta nama-domain/alamat IP. Jadi saat client minta lagi, bisa langsung dijawab tanpa harus cari-cari lagi ke DNS server lain.

Jika anda sudah pasang DNS server Intranet. Maka menambahkan kemampuan Internet tidak begitu susah. Anda hanya perlu:

Siapkan informasi DNS yang mau jadi forwarder. Tinggal tanya provider.

Siapkan file /var/named/root.hints

Edit file /etc/named.conf

Reload DNS server

Uji Coba
SIAPKAN FILE ROOT.HINTS
Paket DNS di distro anda biasanya sudah menyertakan root.hints standar. Tapi root.hints itu bisa kedaluwarsa (karena DNS server root mungkin mati atau tambah). Anda dianjurkan untuk mengupdatenya sebulan sekali, misalnya dari: ftp://dns.vrx.net/pub/db.root
Download saja, lalu taruh sebagai /var/named/root.hints. Jangan lupa chown jadi named:named.

EDIT FILE NAMED.CONF
Trik penting disini, Jika network anda punya koneksi tetap ke Internet, forwarding, root hints dan caching semuanya aktif. Jika pakai dial-up, saat tersambung forwarding dan caching aktif, saat putus semua harus tidak aktif.

Dari setting sebelumnya, hanya perlu tambah setting untuk forwarding di options, dan satu zone root untuk caching maupun root-hints. Edit saja pakai vim (biar kelihatan syntax highlight-nya).
options {
directory "/var/named";
listen-on {10.0.0.5; }; // sesuai IP server ini
forwarders {123.123.123.123;}; // sesuai IP DNS provider
//forward first; // kalau koneksi statik
forward only; // kalau koneksi dial-up
query-source address * port 53; // supaya bisa lewat firewall
};

// Root HINTS (sekaligus chaching)
zone "." IN {
type hint;
file "root.hints";
};

// Zone intranet.
// Kalau anda tidak perlu nama domain intranet,
// buang saja dua blok ini
zone "vnet" {
type master;
file "vnet.zone";
allow-update { none; };
};
zone "0.10.in-addr.arpa" IN {
type master;
file "10.addr";
allow-update { none; };
};

RELOAD
Wohoo selesai. Tinggal reload. Jadi dari awal, total perintah yang kita perlu adalah:
root@papua# cd /var/named
root@papua# wget ftp://dns.vrx.net/pub/db.root
root@papua# cp db.root root.hints
root@papua# chown named:named root.hints
root@papua# vi /etc/named.conf
root@papua# rndc reload

Cuma enam jurus :) Gampang kan ???
TESTING
Coba saja dari client. Pastikan DNS-nya sudah di set ke server.
tux@jawa$ nslookup -sil papua.vnet
tux@jawa$ ping papua.vnet
tux@jawa$ nslookup -sil www.yahoo.com
tux@jawa$ ping www.yahoo.com

Mestinya semua akan terjawab.
BATASAN
Setting ini hanya untuk topologi Intranet/Internet. Jalan tapi tidak aman untuk Intranet/Internet dengan server Publik. Sementara itu sama sekali tidak mendukung Ektranet.
Jika anda pakai dial-up, saat terputus anda akan mengalami:
nslookup dapat nama domain (dari caching), tapi anda tidak bisa ping (kan terputus).
nslookup tidak jawab nama domain (tidak ada di caching), mungkin pakai delay yang lama.
Kondisi yang sempurna, kalau putus DNS server langsung bisa bilang kalau nama domain tidak dikenal (tanpa delay). Solusi ini perlu trik yang rada njlimet. Silahkan cari di Internet
source

TLDP linux
############################################################

A resolving, caching name server.

A first stab at DNS config, very useful for dialup, cable-modem, ADSL and similar users.
On Red Hat and Red Hat related distributions you can achieve the same practical result as this HOWTO's first section by installing the packages bind, bind-utils and caching-nameserver. If you use Debian simply install bind (or bind9, as of this writing, BIND 9 is not supported by Debian Stable (potato)) and bind-doc. Of course just installing those packages won't teach you as much as reading this HOWTO. So install the packages, and then read along verifying the files they installed.

A caching only name server will find the answer to name queries and remember the answer the next time you need it. This will shorten the waiting time the next time significantly, especially if you're on a slow connection.
First you need a file called /etc/named.conf (Debian: /etc/bind/named.conf). This is read when named starts. For now it should simply contain:

// Config file for caching only name server
//
// The version of the HOWTO you read may contain leading spaces
// (spaces in front of the characters on these lines ) in this and
// other files. You must remove them for things to work.
//
// Note that the filenames and directory names may differ, the
// ultimate contents of should be quite similar though.

options {
directory "/var/named";

// Uncommenting this might help if you have to go through a
// firewall and things are not working out. But you probably
// need to talk to your firewall admin.

// query-source port 53;
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

zone "." {
type hint;
file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};

The Linux distribution packages may use different file names for each kind of file mentioned here; they will still contain about the same things.
The `directory' line tells named where to look for files. All files named subsequently will be relative to this. Thus pz is a directory under /var/named, i.e., /var/named/pz. /var/named is the right directory according to the Linux File system Standard.
The file named /var/named/root.hints is named in this. /var/named/root.hints should contain this:
;
; There might be opening comments here if you already have this file.
; If not don't worry.
;
; About any leading spaces in front of the lines here: remove them!
; Lines should start in a ;, . or character, not blanks.
;
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 198.41.0.10
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33

The file describes the root name servers in the world. The servers change over time and must be maintained now and then. See the maintenance section for how to keep it up to date.
The next section in named.conf is the last zone. I will explain its use in a later chapter; for now just make this a file named 127.0.0 in the subdirectory pz: (Again, please remove leading spaces if you cut and paste this)
$TTL 3D
@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.linux.bogus.
1 PTR localhost.

The sections called key and controls together specify that your named can be remotely controlled by a program called rndc if it connects from the local host, and identifis itself with the encoded secret key. This key is like a password. For rndc to work you need /etc/rndc.conf to match this:
key rndc_key {
algorithm "hmac-md5";
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

options {
default-server localhost;
default-key rndc_key;
};

As you see the secret is identical. If you want to use rndc from other machines their times need to be within 5 minutes of eachother. I recommend using the ntp (xntpd and ntpdate) software to do this.
Next, you need a /etc/resolv.conf looking something like this: (Again: Remove spaces!)
search subdomain.your-domain.edu your-domain.edu
nameserver 127.0.0.1

The `search' line specifies what domains should be searched for any host names you want to connect to. The `nameserver' line specifies the address of your nameserver, in this case your own machine since that is where your named runs (127.0.0.1 is right, no matter if your machine has another address too). If you want to list several name servers put in one `nameserver' line for each. (Note: Named never reads this file, the resolver that uses named does. Note 2: In some resolv.conf files you find a line saying "domain". That's fine, but don't use both "search" and "domain", only one of them will work).
To illustrate what this file does: If a client tries to look up foo, then foo.subdomain.your-domain.edu is tried first, then foo.your-domain.edu, and finally foo. You may not want to put in too many domains in the search line, as it takes time to search them all.
The example assumes you belong in the domain subdomain.your-domain.edu; your machine, then, is probably called your-machine.subdomain.your-domain.edu. The search line should not contain your TLD (Top Level Domain, `edu' in this case). If you frequently need to connect to hosts in another domain you can add that domain to the search line like this: (Remember to remove the leading spaces, if any)
search subdomain.your-domain.edu your-domain.edu other-domain.com

and so on. Obviously you need to put real domain names in instead. Please note the lack of periods at the end of the domain names. This is important; please note the lack of periods at the end of the domain names.
3.1 Starting named
After all this it's time to start named. If you're using a dialup connection connect first. Now run named, either by running the boot script: /etc/init.d/named start or named directly: /usr/sbin/named. If you have tried previous versions of BIND you're probably used to ndc. I BIND 9 it has been replaced with rndc, which can controll your named remotely, but it can't start named anymore. If you view your syslog message file (usually called /var/log/messages, Debian calls it /var/log/daemon, another directory to look is the other files /var/log) while starting named (do tail -f /var/log/messages) you should see something like:
(the lines ending in \ continues on the next line)

Dec 23 02:21:12 lookfar named[11031]: starting BIND 9.1.3
Dec 23 02:21:12 lookfar named[11031]: using 1 CPU
Dec 23 02:21:12 lookfar named[11034]: loading configuration from \
'/etc/named.conf'
Dec 23 02:21:12 lookfar named[11034]: the default for the \
'auth-nxdomain' option is now 'no'
Dec 23 02:21:12 lookfar named[11034]: no IPv6 interfaces found
Dec 23 02:21:12 lookfar named[11034]: listening on IPv4 interface lo, \
127.0.0.1#53
Dec 23 02:21:12 lookfar named[11034]: listening on IPv4 interface eth0, \
10.0.0.129#53
Dec 23 02:21:12 lookfar named[11034]: command channel listening on \
127.0.0.1#953
Dec 23 02:21:13 lookfar named[11034]: running

If there are any messages about errors then there is a mistake. Named will name the file it is reading. Go back and check the file. Start named over when it is fixed.
Now you can test your setup. Traditionally a program called nslookup is used for this. These days dig is recommended:

$ dig -x 127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26669 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;1.0.0.127.in-addr.arpa. IN PTR ;; ANSWER SECTION: 1.0.0.127.in-addr.arpa. 259200 IN PTR localhost. ;; AUTHORITY SECTION: 0.0.127.in-addr.arpa. 259200 IN NS ns.linux.bogus. ;; Query time: 3 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Dec 23 02:26:17 2001 ;; MSG SIZE rcvd: 91 If that's what you get it's working. We hope. Anything very different, go back and check everything. Each time you change a file you need to run rndc reload. Now you can enter a query. Try looking up some machine close to you. pat.uio.no is close to me, at the University of Oslo: $ dig pat.uio.no ; <<>> DiG 9.1.3 <<>> pat.uio.no
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15574 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 0 ;; QUESTION SECTION: ;pat.uio.no. IN A ;; ANSWER SECTION: pat.uio.no. 86400 IN A 129.240.130.16 ;; AUTHORITY SECTION: uio.no. 86400 IN NS nissen.uio.no. uio.no. 86400 IN NS nn.uninett.no. uio.no. 86400 IN NS ifi.uio.no. ;; Query time: 651 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Dec 23 02:28:35 2001 ;; MSG SIZE rcvd: 108 This time dig asked your named to look for the machine pat.uio.no. It then contacted one of the name server machines named in your root.hints file, and asked its way from there. It might take tiny while before you get the result as it may need to search all the domains you named in /etc/resolv.conf. If you ask the same again you get this: $ dig pat.uio.no ; <<>> DiG 8.2 <<>> pat.uio.no
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3 ;; QUERY SECTION: ;; pat.uio.no, type = A, class = IN ;; ANSWER SECTION: pat.uio.no. 23h59m58s IN A 129.240.130.16 ;; AUTHORITY SECTION: UIO.NO. 23h59m58s IN NS nissen.UIO.NO. UIO.NO. 23h59m58s IN NS ifi.UIO.NO. UIO.NO. 23h59m58s IN NS nn.uninett.NO. ;; ADDITIONAL SECTION: nissen.UIO.NO. 23h59m58s IN A 129.240.2.3 ifi.UIO.NO. 1d23h59m58s IN A 129.240.64.2 nn.uninett.NO. 1d23h59m58s IN A 158.38.0.181 ;; Total query time: 4 msec ;; FROM: lookfar to SERVER: default -- 127.0.0.1 ;; WHEN: Sat Dec 16 00:23:09 2000 ;; MSG SIZE sent: 28 rcvd: 162 As you can plainly see this time it was much faster, 4ms versus more than half a second earlier. The answer was cached. With cached answers there is the possibility that the answer is out of date, but the origin servers can control the time cached answers should be considered valid, so there is a high probability that the answer you get is valid. Resolvers All OSes implementing the standard C API has the calls gethostbyname and gethostbyaddr. These can get information from several different sources. Which sources it gets it from is configured in /etc/nsswitch.conf on Linux (and some other Unixes). This is a long file specifying from which file or database to get different kinds of data types. It usually contains helpful comments at the top, which you should consider reading. After that find the line starting with `hosts:'; it should read: hosts: files dns (You remembered about the leading spaces, right? I won't mention them again.) If there is no line starting with `hosts:' then put in the one above. It says that programs should first look in the /etc/hosts file, then check DNS according to resolv.conf. Congratulations Now you know how to set up a caching named. Take a beer, milk, or whatever you prefer to celebrate it. Forwarding In large, well organized, academic or ISP (Internet Service Provider) networks you will sometimes find that the network people have set up a forwarder hierarchy of DNS servers which helps lighten the internal network load and the load on the outside servers as well. It's not easy to know if you're inside such a network or not. But by using the DNS server of your network provider as a ``forwarder'' you can make the responses to queries faster and less of a load on your network. This works by your nameserver forwarding queries to your ISP nameserver. Each time this happens you will dip into the big cache of your ISPs nameserver, thus speeding your queries up, your nameserver does not have to do all the work itself. If you use a modem this can be quite a win. For the sake of this example we assume that your network provider has two name servers they want you to use, with IP numbers 10.0.0.1 and 10.1.0.1. Then, in your named.conf file, inside the opening section called ``options'', insert these lines: forward first; forwarders { 10.0.0.1; 10.1.0.1; }; There is also a nice trick for dialup machines using forwarders, it is described in the qanda section. Restart your nameserver and test it with dig. Should still work fine. A simple domain. How to set up your own domain. But first some dry theory First of all: you read all the stuff before here right? You have to. Before we really start this section I'm going to serve you some theory on and an example of how DNS works. And you're going to read it because it's good for you. If you don't want to you should at least skim it very quickly. Stop skimming when you get to what should go in your named.conf file. DNS is a hierarchical, tree structured system. The top is written `.' and pronounced `root', as is usual for tree data-structures. Under . there are a number of Top Level Domains (TLDs); the best known ones are ORG, COM, EDU and NET, but there are many more. Just like a tree it has a root and it branches out. If you have any computer science background you will recognize DNS as a search tree, and you will be able to find nodes, leaf nodes and edges. The dots are nodes, the edges are on the names. When looking for a machine the query proceeds recursively into the hierarchy starting at the root. If you want to find the address of prep.ai.mit.edu., your nameserver has to start asking somewhere. It starts by looking it its cache. If it knows the answer, having cached it before, it will answer right away as we saw in the last section. If it does not know it will see how closely it can match the requested name and use whatever information it has cached. In the worst case there is no match but the `.' (root) of the name, and the root servers have to be consulted. It will remove the leftmost parts one at a time, checking if it knows anything about ai.mit.edu., then mit.edu., then edu., and if not that it does know about . because that was in the hints file. It will then ask a . server about prep.ai.mit.edu. This . server will not know the answer, but it will help your server on its way by giving a referral, telling it where to look instead. These referrals will eventually lead your server to a nameserver that knows the answer. I will illustrate that now. +norec means that dig is asking non-recursive questions so that we get to do the recursion ourselves. The other options are to reduce the amount of dig produces so this won't go on for too many pages: $ ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 980 ;; flags: qr ra; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 0 ;; AUTHORITY SECTION: . 518400 IN NS J.ROOT-SERVERS.NET. . 518400 IN NS K.ROOT-SERVERS.NET. . 518400 IN NS L.ROOT-SERVERS.NET. . 518400 IN NS M.ROOT-SERVERS.NET. . 518400 IN NS A.ROOT-SERVERS.NET. . 518400 IN NS B.ROOT-SERVERS.NET. . 518400 IN NS C.ROOT-SERVERS.NET. . 518400 IN NS D.ROOT-SERVERS.NET. . 518400 IN NS E.ROOT-SERVERS.NET. . 518400 IN NS F.ROOT-SERVERS.NET. . 518400 IN NS G.ROOT-SERVERS.NET. . 518400 IN NS H.ROOT-SERVERS.NET. . 518400 IN NS I.ROOT-SERVERS.NET. This is a referral. It is giving us an "Authority section" only, no "Answer section". Our own nameserver refers us to a nameserver. Pick one at random: $ dig +norec +noques +nostats +nocmd prep.ai.mit.edu. @D.ROOT-SERVERS.NET. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58260 ;; flags: qr; QUERY: 1, ANSWER: 0, AUTHORITY: 3, ADDITIONAL: 3 ;; AUTHORITY SECTION: mit.edu. 172800 IN NS BITSY.mit.edu. mit.edu. 172800 IN NS STRAWB.mit.edu. mit.edu. 172800 IN NS W20NS.mit.edu. ;; ADDITIONAL SECTION: BITSY.mit.edu. 172800 IN A 18.72.0.3 STRAWB.mit.edu. 172800 IN A 18.71.0.151 W20NS.mit.edu. 172800 IN A 18.70.0.160 It refers us to MIT.EDU servers at once. Again pick one at random: $ dig +norec +noques +nostats +nocmd prep.ai.mit.edu. @BITSY.mit.edu. ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29227 ;; flags: qr ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 4 ;; ANSWER SECTION: prep.ai.mit.edu. 10562 IN A 198.186.203.77 ;; AUTHORITY SECTION: ai.mit.edu. 21600 IN NS FEDEX.ai.mit.edu. ai.mit.edu. 21600 IN NS LIFE.ai.mit.edu. ai.mit.edu. 21600 IN NS ALPHA-BITS.ai.mit.edu. ai.mit.edu. 21600 IN NS BEET-CHEX.ai.mit.edu. ;; ADDITIONAL SECTION: FEDEX.ai.mit.edu. 21600 IN A 192.148.252.43 LIFE.ai.mit.edu. 21600 IN A 128.52.32.80 ALPHA-BITS.ai.mit.edu. 21600 IN A 128.52.32.5 BEET-CHEX.ai.mit.edu. 21600 IN A 128.52.32.22 This time we got a "ANSWER SECTION", and an answer for our question. The "AUTHORITY SECTION" contains information about which servers to ask about ai.mit.edu the next time. So you can ask them directly the next time you wonder about ai.mit.edu names. Named also gathered information about mit.edu, so of www.mit.edu is requested it is much closer to being able to answer the question. So starting at . we found the successive name servers for each level in the domain name by referral. If you had used your own DNS server instead of using all those other servers, your named would of-course cache all the information it found while digging this out for you, and it would not have to ask again for a while. In the tree analogue each ``.'' in the name is a branching point. And each part between the ``.''s are the names of individual branches in the tree. One climbs the tree by taking the name we want (prep.ai.mit.edu) asking the root (.) or whatever servers father from the root toward prep.ai.mit.edu we have information about in the cache. Once the cache limits are reached the recursive resolver goes out asking servers, pursuing referrals (edges) further into the name. A much less talked about, but just as important domain is in-addr.arpa. It too is nested like the `normal' domains. in-addr.arpa allows us to get the host's name when we have its address. A important thing to note here is that the IP addresses are written in reverse order in the in-addr.arpa domain. If you have the address of a machine: 198.186.203.77 named proceeds to find the named 77.203.168.198.in-addr.arpa/ just like it did for prep.ai.mit.edu. Example: Finding no cache entry for any match but `.', ask a root server, m.root-servers.net refers you to some other root servers. b.root-servers.net refers you directly to bitsy.mit.edu/. You should be able to take it from there. Our own domain Now to define our own domain. We're going to make the domain linux.bogus and define machines in it. I use a totally bogus domain name to make sure we disturb no-one Out There. One more thing before we start: Not all characters are allowed in host names. We're restricted to the characters of the English alphabet: a-z, and numbers 0-9 and the character '-' (dash). Keep to those characters (BIND 9 will not bug you if you break this rule, BIND 8 will). Upper and lower-case characters are the same for DNS, so pat.uio.no is identical to Pat.UiO.No. We've already started this part with this line in named.conf: zone "0.0.127.in-addr.arpa" { type master; file "pz/127.0.0"; }; Please note the lack of `.' at the end of the domain names in this file. This says that now we will define the zone 0.0.127.in-addr.arpa, that we're the master server for it and that it is stored in a file called pz/127.0.0. We've already set up this file, it reads: $TTL 3D @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 1 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS ns.linux.bogus. 1 PTR localhost. Please note the `.' at the end of all the full domain names in this file, in contrast to the named.conf file above. Some people like to start each zone file with a $ORIGIN directive, but this is superfluous. The origin (where in the DNS hierarchy it belongs) of a zone file is specified in the zone section of the named.conf file; in this case it's 0.0.127.in-addr.arpa. This `zone file' contains 3 `resource records' (RRs): A SOA RR. A NS RR and a PTR RR. SOA is short for Start Of Authority. The `@' is a special notation meaning the origin, and since the `domain' column for this file says 0.0.127.in-addr.arpa the first line really means 0.0.127.in-addr.arpa. IN SOA ... NS is the Name Server RR. There is no '@' at the start of this line; it is implicit since the previous line started with a '@'. Saves some typing that. So the NS line could also be written 0.0.127.in-addr.arpa. IN NS ns.linux.bogus It tells DNS what machine is the name server of the domain 0.0.127.in-addr.arpa, it is ns.linux.bogus. 'ns' is a customary name for name-servers, but as with web servers who are customarily named www.something. The name may be anything. And finally the PTR (Domain Name Pointer) record says that the host at address 1 in the subnet 0.0.127.in-addr.arpa, i.e., 127.0.0.1 is named localhost. The SOA record is the preamble to all zone files, and there should be exactly one in each zone file, at the top (but after the $TTL directive). It describes the zone, where it comes from (a machine called ns.linux.bogus), who is responsible for its contents (hostmaster@linux.bogus; you should insert your e-mail address here), what version of the zone file this is (serial: 1), and other things having to do with caching and secondary DNS servers. For the rest of the fields (refresh, retry, expire and minimum) use the numbers used in this HOWTO and you should be safe. Before the SOA comes a mandatory line, the $TTL 3D line. Put it in all your zone files. Now restart your named (rndc stop; named) and use dig to examine your handy work. -x asks for the inverse query: $ dig -x 127.0.0.1 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30944 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;1.0.0.127.in-addr.arpa. IN PTR ;; ANSWER SECTION: 1.0.0.127.in-addr.arpa. 259200 IN PTR localhost. ;; AUTHORITY SECTION: 0.0.127.in-addr.arpa. 259200 IN NS ns.linux.bogus. ;; Query time: 3 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Dec 23 03:02:39 2001 ;; MSG SIZE rcvd: 91 So it manages to get localhost from 127.0.0.1, good. Now for our main task, the linux.bogus domain, insert a new 'zone' section in named.conf: zone "linux.bogus" { type master; notify no; file "pz/linux.bogus"; }; Note again the lack of ending `.' on the domain name in the named.conf file. In the linux.bogus zone file we'll put some totally bogus data: ; ; Zone file for linux.bogus ; ; The full zone file ; $TTL 3D @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 4W ; expire, seconds 1D ) ; minimum, seconds ; NS ns ; Inet Address of name server MX 10 mail.linux.bogus ; Primary Mail Exchanger MX 20 mail.friend.bogus. ; Secondary Mail Exchanger ; localhost A 127.0.0.1 ns A 192.168.196.2 mail A 192.168.196.4 Two things must be noted about the SOA record. ns.linux.bogus must be a actual machine with a A record. It is not legal to have a CNAME record for the machine mentioned in the SOA record. Its name need not be `ns', it could be any legal host name. Next, hostmaster.linux.bogus should be read as hostmaster@linux.bogus. This should be a mail alias, or a mailbox, where the person(s) maintaining DNS should read mail frequently. Any mail regarding the domain will be sent to the address listed here. The name need not be `hostmaster', it can be your normal e-mail address, but the e-mail address `hostmaster' is often expected to work as well. There is one new RR type in this file, the MX, or Mail eXchanger RR. It tells mail systems where to send mail that is addressed to someone@linux.bogus, namely to mail.linux.bogus or mail.friend.bogus. The number before each machine name is that MX RR's priority. The RR with the lowest number (10) is the one mail should be sent to if possible. If that fails the mail can be sent to one with a higher number, a secondary mail handler, i.e., mail.friend.bogus which has priority 20 here. Reload named by running rndc reload. Examine the results with dig: $ dig any linux.bogus ; <<>> DiG 9.1.3 <<>> any linux.bogus
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55239 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;linux.bogus. IN ANY ;; ANSWER SECTION: linux.bogus. 259200 IN SOA ns.linux.bogus. \ hostmaster.linux.bogus. 199802151 28800 7200 2419200 86400 linux.bogus. 259200 IN NS ns.linux.bogus. linux.bogus. 259200 IN MX 20 mail.friend.bogus. linux.bogus. 259200 IN MX 10 mail.linux.bogus.linux.bogus. ;; AUTHORITY SECTION: linux.bogus. 259200 IN NS ns.linux.bogus. ;; ADDITIONAL SECTION: ns.linux.bogus. 259200 IN A 192.168.196.2 ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Dec 23 03:06:45 2001 ;; MSG SIZE rcvd: 184 Upon careful examination you will discover a bug. The line linux.bogus. 259200 IN MX 10 mail.linux.bogus.linux.bogus. is all wrong. It should be linux.bogus. 259200 IN MX 10 mail.linux.bogus. I deliberately made a mistake so you could learn from it :-) Looking in the zone file we find this line: MX 10 mail.linux.bogus ; Primary Mail Exchanger It is missing a period. Or has a 'linux.bogus' too many. If a machine name does not end in a period in a zone file the origin is added to its end causing the double linux.bogus.linux.bogus. So either MX 10 mail.linux.bogus. ; Primary Mail Exchanger or MX 10 mail ; Primary Mail Exchanger is correct. I prefer the latter form, it's less to type. There are some BIND experts that disagree, and some that agree with this. In a zone file the domain should either be written out and ended with a `.' or it should not be included at all, in which case it defaults to the origin. I must stress that in the named.conf file there should not be `.'s after the domain names. You have no idea how many times a `.' too many or few have fouled up things and confused the h*ll out of people. So having made my point here is the new zone file, with some extra information in it as well: ; ; Zone file for linux.bogus ; ; The full zone file ; $TTL 3D @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 4W ; expire, seconds 1D ) ; minimum, seconds ; TXT "Linux.Bogus, your DNS consultants" NS ns ; Inet Address of name server NS ns.friend.bogus. MX 10 mail ; Primary Mail Exchanger MX 20 mail.friend.bogus. ; Secondary Mail Exchanger localhost A 127.0.0.1 gw A 192.168.196.1 TXT "The router" ns A 192.168.196.2 MX 10 mail MX 20 mail.friend.bogus. www CNAME ns donald A 192.168.196.3 MX 10 mail MX 20 mail.friend.bogus. TXT "DEK" mail A 192.168.196.4 MX 10 mail MX 20 mail.friend.bogus. ftp A 192.168.196.5 MX 10 mail MX 20 mail.friend.bogus. CNAME (Canonical NAME) is a way to give each machine several names. So www is an alias for ns. CNAME record usage is a bit controversial. But it's safe to follow the rule that a MX, CNAME or SOA record should never refer to a CNAME record, they should only refer to something with an A record, so it is inadvisable to have foobar CNAME www ; NO! but correct to have foobar CNAME ns ; Yes! Load the new database by running rndc reload, which causes named to read its files again. $ dig linux.bogus axfr ; <<>> DiG 9.1.3 <<>> linux.bogus axfr
;; global options: printcmd
linux.bogus. 259200 IN SOA ns.linux.bogus. hostmaster.linux.bogus. 199802151 28800 7200 2419200 86400
linux.bogus. 259200 IN NS ns.linux.bogus.
linux.bogus. 259200 IN MX 10 mail.linux.bogus.
linux.bogus. 259200 IN MX 20 mail.friend.bogus.
donald.linux.bogus. 259200 IN A 192.168.196.3
donald.linux.bogus. 259200 IN MX 10 mail.linux.bogus.
donald.linux.bogus. 259200 IN MX 20 mail.friend.bogus.
donald.linux.bogus. 259200 IN TXT "DEK"
ftp.linux.bogus. 259200 IN A 192.168.196.5
ftp.linux.bogus. 259200 IN MX 10 mail.linux.bogus.
ftp.linux.bogus. 259200 IN MX 20 mail.friend.bogus.
gw.linux.bogus. 259200 IN A 192.168.196.1
gw.linux.bogus. 259200 IN TXT "The router"
localhost.linux.bogus. 259200 IN A 127.0.0.1
mail.linux.bogus. 259200 IN A 192.168.196.4
mail.linux.bogus. 259200 IN MX 10 mail.linux.bogus.
mail.linux.bogus. 259200 IN MX 20 mail.friend.bogus.
ns.linux.bogus. 259200 IN MX 10 mail.linux.bogus.
ns.linux.bogus. 259200 IN MX 20 mail.friend.bogus.
ns.linux.bogus. 259200 IN A 192.168.196.2
www.linux.bogus. 259200 IN CNAME ns.linux.bogus.
linux.bogus. 259200 IN SOA ns.linux.bogus. hostmaster.linux.bogus. 199802151 28800 7200 2419200 86400
;; Query time: 41 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 23 03:12:31 2001
;; XFR size: 23 records

That's good. As you see it looks a bit like the zone file itself. Let's check what it says for www alone:

$ dig www.linux.bogus

; <<>> DiG 9.1.3 <<>> www.linux.bogus
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16633 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 0 ;; QUESTION SECTION: ;www.linux.bogus. IN A ;; ANSWER SECTION: www.linux.bogus. 259200 IN CNAME ns.linux.bogus. ns.linux.bogus. 259200 IN A 192.168.196.2 ;; AUTHORITY SECTION: linux.bogus. 259200 IN NS ns.linux.bogus. ;; Query time: 5 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Dec 23 03:14:14 2001 ;; MSG SIZE rcvd: 80 In other words, the real name of www.linux.bogus is ns.linux.bogus, and it gives you some of the information it has about ns as well, enough to connect to it if you were a program. Now we're halfway. The reverse zone Now programs can convert the names in linux.bogus to addresses which they can connect to. But also required is a reverse zone, one making DNS able to convert from an address to a name. This name is used by a lot of servers of different kinds (FTP, IRC, WWW and others) to decide if they want to talk to you or not, and if so, maybe even how much priority you should be given. For full access to all services on the Internet a reverse zone is required. Put this in named.conf: zone "196.168.192.in-addr.arpa" { type master; notify no; file "pz/192.168.196"; }; This is exactly as with the 0.0.127.in-addr.arpa, and the contents are similar: $TTL 3D @ IN SOA ns.linux.bogus. hostmaster.linux.bogus. ( 199802151 ; Serial, todays date + todays serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS ns.linux.bogus. 1 PTR gw.linux.bogus. 2 PTR ns.linux.bogus. 3 PTR donald.linux.bogus. 4 PTR mail.linux.bogus. 5 PTR ftp.linux.bogus. Now you reload your named (rndc reload) and examine your work with dig again: $ dig -x 192.168.196.4 ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58451 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1 ;; QUESTION SECTION: ;4.196.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 4.196.168.192.in-addr.arpa. 259200 IN PTR mail.linux.bogus. ;; AUTHORITY SECTION: 196.168.192.in-addr.arpa. 259200 IN NS ns.linux.bogus. ;; ADDITIONAL SECTION: ns.linux.bogus. 259200 IN A 192.168.196.2 ;; Query time: 4 msec ;; SERVER: 127.0.0.1#53(127.0.0.1) ;; WHEN: Sun Dec 23 03:16:05 2001 ;; MSG SIZE rcvd: 107 so, it looks OK, dump the whole thing to examine that too: $ dig 196.168.192.in-addr.arpa. AXFR ; <<>> DiG 9.1.3 <<>> 196.168.192.in-addr.arpa. AXFR
;; global options: printcmd
196.168.192.in-addr.arpa. 259200 IN SOA ns.linux.bogus. \
hostmaster.linux.bogus. 199802151 28800 7200 2419200 86400
196.168.192.in-addr.arpa. 259200 IN NS ns.linux.bogus.
1.196.168.192.in-addr.arpa. 259200 IN PTR gw.linux.bogus.
2.196.168.192.in-addr.arpa. 259200 IN PTR ns.linux.bogus.
3.196.168.192.in-addr.arpa. 259200 IN PTR donald.linux.bogus.
4.196.168.192.in-addr.arpa. 259200 IN PTR mail.linux.bogus.
5.196.168.192.in-addr.arpa. 259200 IN PTR ftp.linux.bogus.
196.168.192.in-addr.arpa. 259200 IN SOA ns.linux.bogus. \
hostmaster.linux.bogus. 199802151 28800 7200 2419200 86400
;; Query time: 6 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 23 03:16:58 2001
;; XFR size: 9 records

Looks good! If your output didn't look like that look for error-messages in your syslog, I explained how to do that in the first section under the heading Starting named

Words of caution
There are some things I should add here. The IP numbers used in the examples above are taken from one of the blocks of 'private nets', i.e., they are not allowed to be used publicly on the Internet. So they are safe to use in an example in a HOWTO. The second thing is the notify no; line. It tells named not to notify its secondary (slave) servers when it has gotten a update to one of its zone files. In BIND 8 and later the named can notify the other servers listed in NS records in the zone file when a zone is updated. This is handy for ordinary use. But for private experiments with zones this feature should be off --- we don't want the experiment to pollute the Internet do we?
And, of course, this domain is highly bogus, and so are all the addresses in it. For a real example of a real-life domain see the next main-section.

Why reverse lookups don't work.
There are a couple of ``gotchas'' that normally are avoided with name lookups that are often seen when setting up reverse zones. Before you go on you need reverse lookups of your machines working on your own nameserver. If it isn't go back and fix it before continuing.
I will discuss two failures of reverse lookups as seen from outside your network:
The reverse zone isn't delegated.

When you ask a service provider for a network-address range and a domain name the domain name is normally delegated as a matter of course. A delegation is the glue NS record that helps you get from one nameserver to another as explained in the dry theory section above. You read that, right? If your reverse zone doesn't work go back and read it. Now.
The reverse zone also needs to be delegated. If you got the 192.168.196 net with the linux.bogus domain from your provider they need to put NS records in for your reverse zone as well as for your forward zone. If you follow the chain from in-addr.arpa and up to your net you will probably find a break in the chain, most probably at your service provider. Having found the break in the chain contact your service-provider and ask them to correct the error.

You've got a classless subnet
This is a somewhat advanced topic, but classless subnets are very common these days and you probably have one if you're a small company.
A classless subnet is what keeps the Internet going these days. Some years ago there was much ado about the shortage of IP numbers. The smart people in IETF (the Internet Engineering Task Force, they keep the Internet working) stuck their heads together and solved the problem. At a price. The price is in part that you'll get less than a ``C'' subnet and some things may break. Please see Ask Mr. DNS for an good explanation of this and how to handle it.

Did you read it? I'm not going to explain it so please read it.
The first part of the problem is that your ISP must understand the technique described by Mr. DNS. Not all small ISPs have a working understanding of this. If so you might have to explain to them and be persistent. But be sure you understand it first ;-). They will then set up a nice reverse zone at their server which you can examine for correctness with dig.
The second and last part of the problem is that you must understand the technique. If you're unsure go back and read about it again. Then you can set up your own classless reverse zone as described by Mr. DNS.

There is another trap lurking here. (Very) Old resolvers will not be able to follow the CNAME trick in the resolving chain and will fail to reverse-resolve your machine. This can result in the service assigning it an incorrect access class, deny access or something along those lines. If you stumble into such a service the only solution (that I know of) is for your ISP to insert your PTR record directly into their trick classless zone file instead of the trick CNAME record.

Some ISPs will offer other ways to handle this, like Web based forms for you to input your reverse-mappings in or other automagical systems.

Slave servers
Once you have set up your zones correctly on the master servers you need to set up at least one slave server. Slave servers are needed for robustness. If your master goes down the people out there on the net will still be able to get information about your domain from the slave. A slave should be as long away from you as possible. Your master and slave should share as few as possible of these: Power supply, LAN, ISP, city and country. If all of these things are different for your master and slave you've found a really good slave.
A slave is simply a nameserver that copies zone files from a master. You set it up like this:
zone "linux.bogus" {
type slave;
file "sz/linux.bogus";
masters { 192.168.196.2; };
};

A mechanism called zone-transfer is used to copy the data. The zone transfer is controlled by your SOA record:
@ IN SOA ns.linux.bogus. hostmaster.linux.bogus. (
199802151 ; serial, todays date + todays serial #
8H ; refresh, seconds
2H ; retry, seconds
4W ; expire, seconds
1D ) ; minimum, seconds

A zone is only transferred if the serial number on the master is larger than on the slave. Every refresh interval the slave will check if the master has been updated. If the check fails (because the master is unavailable) it will retry the check every retry interval. If it continues to fail as long as the expire interval the slave will remove the zone from it's filesystem and no longer be a server for it.

Basic security options.
By Jamie Norrish
Setting configuration options to reduce the possibility of problems.
There are a few simple steps that you can take which will both make your server more secure and potentially reduce its load. The material presented here is nothing more than a starting point; if you are concerned about security (and you should be), please consult other resources on the net (see the last chapter).

The following configuration directives occur in named.conf. If a directive occurs in the options section of the file, it applies to all zones listed in that file. If it occurs within a zone entry, it applies only to that zone. A zone entry overrides an options entry.

Restricting zone transfers
In order for your slave server(s) to be able to answer queries about your domain, they must be able to transfer the zone information from your primary server. Very few others have a need to do so. Therefore restrict zone transfers using the allow-transfer option, assuming 192.168.1.4 is the IP address of ns.friend.bogus and adding yourself for debugging purposes:
zone "linux.bogus" {
allow-transfer { 192.168.1.4; localhost; };
};

By restricting zone transfers you ensure that the only information available to people is that which they ask for directly - no one can just ask for all the details about your set-up.

Protecting against spoofing
Firstly, disable any queries for domains you don't own, except from your internal/local machines. This not only helps prevent malicious use of your DNS server, but also reduces unnecessary use of your server.
options {
allow-query { 192.168.196.0/24; localhost; };
};

zone "linux.bogus" {
allow-query { any; };
};

zone "196.168.192.in-addr.arpa" {
allow-query { any; };
};

Further, disable recursive queries except from internal/local sources. This reduces the risk of cache poisoning attacks (where false data is fed to your server).
options {
allow-recursion { 192.168.196.0/24; localhost; };
};

Running named as non-root
It is a good idea to run named as a user other than root, so that if it is compromised the privileges gained by the cracker are as limited as possible. You first have to create a user for named to run under, and then modify whatever init script you use that starts named. Pass the new user name and group to named using the -u and -g flags.
For example, in Debian GNU/Linux 2.2 you might modify your /etc/init.d/bind script to have the following line (where user named have been created):
start-stop-daemon --start --quiet --exec /usr/sbin/named -- -u named

The same can be done with Red Hat and the other distributions.
Dave Lugo has described a secure dual chroot setup http://www.etherboy.com/dns/chrootdns.html which you may find interesting to read, it makes the host your run your named on even more secure.

A real domain example
Where we list some real zone files
Users have suggested that I include a real example of a working domain as well as the tutorial example.
I use this example with permission from David Bullock of LAND-5. These files were current 24th of September 1996, and were then edited to fit BIND 8 restrictions and use extensions by me. So, what you see here differs a bit from what you find if you query LAND-5's name servers now.

/etc/named.conf (or /var/named/named.conf)
Here we find master zone sections for the two reverse zones needed: the 127.0.0 net, as well as LAND-5's 206.6.177 subnet, and a primary line for land-5's forward zone land-5.com. Also note that instead of stuffing the files in a directory called pz, as I do in this HOWTO, he puts them in a directory called zone.

// Boot file for LAND-5 name server

options {
directory "/var/named";
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
algorithm hmac-md5;
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

zone "." {
type hint;
file "root.hints";
};

zone "0.0.127.in-addr.arpa" {
type master;
file "zone/127.0.0";
};

zone "land-5.com" {
type master;
file "zone/land-5.com";
};

zone "177.6.206.in-addr.arpa" {
type master;
file "zone/206.6.177";
};

If you put this in your named.conf file to play with PLEASE put ``notify no;'' in the zone sections for the two land-5 zones so as to avoid accidents.

/var/named/root.hints
Keep in mind that this file is dynamic, and the one listed here is old. You're better off using a new one as explained earlier.
; <<>> DiG 8.1 <<>> @A.ROOT-SERVERS.NET.
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10 ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13 ;; QUERY SECTION: ;; ., type = NS, class = IN ;; ANSWER SECTION: . 6D IN NS G.ROOT-SERVERS.NET. . 6D IN NS J.ROOT-SERVERS.NET. . 6D IN NS K.ROOT-SERVERS.NET. . 6D IN NS L.ROOT-SERVERS.NET. . 6D IN NS M.ROOT-SERVERS.NET. . 6D IN NS A.ROOT-SERVERS.NET. . 6D IN NS H.ROOT-SERVERS.NET. . 6D IN NS B.ROOT-SERVERS.NET. . 6D IN NS C.ROOT-SERVERS.NET. . 6D IN NS D.ROOT-SERVERS.NET. . 6D IN NS E.ROOT-SERVERS.NET. . 6D IN NS I.ROOT-SERVERS.NET. . 6D IN NS F.ROOT-SERVERS.NET. ;; ADDITIONAL SECTION: G.ROOT-SERVERS.NET. 5w6d16h IN A 192.112.36.4 J.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.10 K.ROOT-SERVERS.NET. 5w6d16h IN A 193.0.14.129 L.ROOT-SERVERS.NET. 5w6d16h IN A 198.32.64.12 M.ROOT-SERVERS.NET. 5w6d16h IN A 202.12.27.33 A.ROOT-SERVERS.NET. 5w6d16h IN A 198.41.0.4 H.ROOT-SERVERS.NET. 5w6d16h IN A 128.63.2.53 B.ROOT-SERVERS.NET. 5w6d16h IN A 128.9.0.107 C.ROOT-SERVERS.NET. 5w6d16h IN A 192.33.4.12 D.ROOT-SERVERS.NET. 5w6d16h IN A 128.8.10.90 E.ROOT-SERVERS.NET. 5w6d16h IN A 192.203.230.10 I.ROOT-SERVERS.NET. 5w6d16h IN A 192.36.148.17 F.ROOT-SERVERS.NET. 5w6d16h IN A 192.5.5.241 ;; Total query time: 215 msec ;; FROM: roke.uio.no to SERVER: A.ROOT-SERVERS.NET. 198.41.0.4 ;; WHEN: Sun Feb 15 01:22:51 1998 ;; MSG SIZE sent: 17 rcvd: 436 /var/named/zone/127.0.0 Just the basics, the obligatory SOA record, and a record that maps 127.0.0.1 to localhost. Both are required. No more should be in this file. It will probably never need to be updated, unless your nameserver or hostmaster address changes. $TTL 3D @ IN SOA land-5.com. root.land-5.com. ( 199609203 ; Serial 28800 ; Refresh 7200 ; Retry 604800 ; Expire 86400) ; Minimum TTL NS land-5.com. 1 PTR localhost. If you look at a random BIND installation you will probably find that the $TTL line is missing as it is here. It was not used before, and only version 8.2 of BIND has started to warn about its absence. BIND 9 requires the $TTL. /var/named/zone/land-5.com Here we see the mandatory SOA record, the needed NS records. We can see that he has a secondary name server at ns2.psi.net. This is as it should be, always have a off site secondary server as backup. We can also see that he has a master host called land-5 which takes care of many of the different Internet services, and that he's done it with CNAMEs (a alternative is using A records). As you see from the SOA record, the zone file originates at land-5.com, the contact person is root@land-5.com. hostmaster is another oft used address for the contact person. The serial number is in the customary yyyymmdd format with todays serial number appended; this is probably the sixth version of zone file on the 20th of September 1996. Remember that the serial number must increase monotonically, here there is only one digit for todays serial#, so after 9 edits he has to wait until tomorrow before he can edit the file again. Consider using two digits. $TTL 3D @ IN SOA land-5.com. root.land-5.com. ( 199609206 ; serial, todays date + todays serial # 8H ; refresh, seconds 2H ; retry, seconds 4W ; expire, seconds 1D ) ; minimum, seconds NS land-5.com. NS ns2.psi.net. MX 10 land-5.com. ; Primary Mail Exchanger TXT "LAND-5 Corporation" localhost A 127.0.0.1 router A 206.6.177.1 land-5.com. A 206.6.177.2 ns A 206.6.177.3 www A 207.159.141.192 ftp CNAME land-5.com. mail CNAME land-5.com. news CNAME land-5.com. funn A 206.6.177.2 ; ; Workstations ; ws-177200 A 206.6.177.200 MX 10 land-5.com. ; Primary Mail Host ws-177201 A 206.6.177.201 MX 10 land-5.com. ; Primary Mail Host ws-177202 A 206.6.177.202 MX 10 land-5.com. ; Primary Mail Host ws-177203 A 206.6.177.203 MX 10 land-5.com. ; Primary Mail Host ws-177204 A 206.6.177.204 MX 10 land-5.com. ; Primary Mail Host ws-177205 A 206.6.177.205 MX 10 land-5.com. ; Primary Mail Host ; {Many repetitive definitions deleted - SNIP} ws-177250 A 206.6.177.250 MX 10 land-5.com. ; Primary Mail Host ws-177251 A 206.6.177.251 MX 10 land-5.com. ; Primary Mail Host ws-177252 A 206.6.177.252 MX 10 land-5.com. ; Primary Mail Host ws-177253 A 206.6.177.253 MX 10 land-5.com. ; Primary Mail Host ws-177254 A 206.6.177.254 MX 10 land-5.com. ; Primary Mail Host If you examine land-5s nameserver you will find that the host names are of the form ws_number. As of late BIND 4 versions named started enforcing the restrictions on what characters may be used in host names. So that does not work with BIND 8 at all, and I substituted '-' (dash) for '_' (underline) for use in this HOWTO. But, as mentioned earlier, BIND 9 no longer enforces this restriction. Another thing to note is that the workstations don't have individual names, but rather a prefix followed by the two last parts of the IP numbers. Using such a convention can simplify maintenance significantly, but can be a bit impersonal, and, in fact, be a source of irritation among your customers. We also see that funn.land-5.com is an alias for land-5.com, but using an A record, not a CNAME record. /var/named/zone/206.6.177 I'll comment on this file below $TTL 3D @ IN SOA land-5.com. root.land-5.com. ( 199609206 ; Serial 28800 ; Refresh 7200 ; Retry 604800 ; Expire 86400) ; Minimum TTL NS land-5.com. NS ns2.psi.net. ; ; Servers ; 1 PTR router.land-5.com. 2 PTR land-5.com. 2 PTR funn.land-5.com. ; ; Workstations ; 200 PTR ws-177200.land-5.com. 201 PTR ws-177201.land-5.com. 202 PTR ws-177202.land-5.com. 203 PTR ws-177203.land-5.com. 204 PTR ws-177204.land-5.com. 205 PTR ws-177205.land-5.com. ; {Many repetitive definitions deleted - SNIP} 250 PTR ws-177250.land-5.com. 251 PTR ws-177251.land-5.com. 252 PTR ws-177252.land-5.com. 253 PTR ws-177253.land-5.com. 254 PTR ws-177254.land-5.com. The reverse zone is the bit of the setup that seems to cause the most grief. It is used to find the host name if you have the IP number of a machine. Example: you are an FTP server and accept connections from FTP clients. As you are a Norwegian FTP server you want to accept more connections from clients in Norway and other Scandinavian countries and less from the rest of the world. When you get a connection from a client the C library is able to tell you the IP number of the connecting machine because the IP number of the client is contained in all the packets that are passed over the network. Now you can call a function called gethostbyaddr that looks up the name of a host given the IP number. Gethostbyaddr will ask a DNS server, which will then traverse the DNS looking for the machine. Supposing the client connection is from ws-177200.land-5.com. The IP number the C library provides to the FTP server is 206.6.177.200. To find out the name of that machine we need to find 200.177.6.206.in-addr.arpa. The DNS server will first find the arpa. servers, then find in-addr.arpa. servers, following the reverse trail through 206, then 6 and at last finding the server for the 177.6.206.in-addr.arpa zone at LAND-5. From which it will finally get the answer that for 200.177.6.206.in-addr.arpa we have a ``PTR ws-177200.land-5.com'' record, meaning that the name that goes with 206.6.177.200 is ws-177200.land-5.com. The FTP server prioritizes connections from the Scandinavian countries, i.e., *.no, *.se, *.dk, the name ws-177200.land-5.com clearly does not match any of those, and the server will put the connection in a connection class with less bandwidth and fewer clients allowed. If there was no reverse mapping of 206.2.177.200 through the in-addr.arpa zone the server would have been unable to find the name at all and would have to settle to comparing 206.2.177.200 with *.no, *.se and *.dk, none of which will match at all, it may even deny the connection for lack of classification. Some people will tell you that reverse lookup mappings are only important for servers, or not important at all. Not so: Many ftp, news, IRC and even some http (WWW) servers will not accept connections from machines of which they are not able to find the name. So reverse mappings for machines are in fact mandatory. Maintenance Keeping it working. There is one maintenance task you have to do on nameds, other than keeping them running. That's keeping the root.hints file updated. The easiest way is using dig. First run dig with no arguments you will get the root.hints according to your own server. Then ask one of the listed root servers with dig @rootserver. You will note that the output looks terribly like a root.hints file. Save it to a file (dig @e.root-servers.net . ns >root.hints.new) and replace the old root.hints with it.
Remember to reload named after replacing the cache file.
Al Longyear sent me this script that can be run automatically to update root.hints. Install a crontab entry to run it once a month and forget it. The script assumes you have mail working and that the mail-alias `hostmaster' is defined. You must hack it to suit your setup.
#!/bin/sh
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# Original by Al Longyear
# Updated for BIND 8 by Nicolai Langfeldt
# Miscelanious error-conditions reported by David A. Ranch
# Ping test suggested by Martin Foster
# named up-test suggested by Erik Bryer.
#
(
echo "To: hostmaster "
echo "From: system "

# Is named up? Check the status of named.
case `rndc status 2>&1` in
*refused*)
echo "named is DOWN. root.hints was NOT updated"
echo
exit 0
;;
esac

PATH=/sbin:/usr/sbin:/bin:/usr/bin:
export PATH
# NOTE: /var/named must be writable only by trusted users or this script
# will cause root compromise/denial of service opportunities.
cd /var/named 2>/dev/null || {
echo "Subject: Cannot cd to /var/named, error $?"
echo
echo "The subject says it all"
exit 1
}

# Are we online? Ping a server at your ISP
case `ping -qnc 1 some.machine.net 2>&1` in
*'100% packet loss'*)
echo "Subject: root.hints NOT updated. The network is DOWN."
echo
echo "The subject says it all"
exit 1
;;
esac

dig @e.root-servers.net . ns >root.hints.new 2> errors

case `cat root.hints.new` in
*NOERROR*)
# It worked
:;;
*)
echo "Subject: The root.hints file update has FAILED."
echo
echo "The root.hints update has failed"
echo "This is the dig output reported:"
echo
cat root.hints.new errors
exit 1
;;
esac

echo "Subject: The root.hints file has been updated"
echo
echo "The root.hints file has been updated to contain the following
information:"
echo
cat root.hints.new

chown root.root root.hints.new
chmod 444 root.hints.new
rm -f root.hints.old errors
mv root.hints root.hints.old
mv root.hints.new root.hints
rndc restart
echo
echo "The nameserver has been restarted to ensure that the update is complete."
echo "The previous root.hints file is now called
/var/named/root.hints.old."
) 2>&1 | /usr/lib/sendmail -t
exit 0

Some of you might have picked up that the root.hints file is also available by ftp from Internic. Please don't use ftp to update root.hints, the above method is much more friendly to the net, and Internic.

Migrating to BIND 9
The BIND 9 distribution, and the prepackaged versions too, contains a document called migration that contains notes about how to migrate from BIND 8 to BIND 9. The document is very straight forward. If you installed binary packages it's likely stored in /usr/share/doc/bind* or /usr/doc/bind* somewhere.
If you're running BIND 4, you may find a document called migration-4to9 in the same place.

HOW TO BE A SYSTEM ENGINEER INFORMATION TECHNOLOGY (IT)

Saturday, September 20, 2008

PENGENALAN SYSTEM ENGINEER IT

1.

2.

3. MRTG

DESCRIPTION

PREPARATION

LIBRARY COMPILATION

MRTG COMPILATION

CONFIGURATION

RUNNING MRTG

1. Instalasi Perl

2. Instalasi MRTG

3. Konfigurasi protokol SNMP

4. Konfigurasi web server

5. File konfigurasi MRTG

6. Menentukan nama file HTML

7. Setup MRTG sebagai Daemon

8. MRTG dalam startup

SEKILAS - SNMP

KNOW HOW - Menggabungkan Beberapa Grafik dalam Satu File HTML

1. Kenali file yang dibuat oleh MRTG

2. File MRTG.CFG untuk banyak PC

3. Membuat file HTML sendiri

5. MAIL SERVER (squirrelmail)

6.PROXY SERVER (squid)

4. DNS (bind)

Blog Archive

LINK

HOW TO BE A SYSTEM ENGINEER INFORMATION TECHNOLOGY (IT)

Saturday, September 20, 2008

PENGENALAN SYSTEM ENGINEER IT

1.

2.

3. MRTG

DESCRIPTION

PREPARATION

LIBRARY COMPILATION

MRTG COMPILATION

CONFIGURATION

RUNNING MRTG

1. Instalasi Perl

2. Instalasi MRTG

3. Konfigurasi protokol SNMP

4. Konfigurasi web server

5. File konfigurasi MRTG

6. Menentukan nama file HTML

7. Setup MRTG sebagai Daemon

8. MRTG dalam startup

SEKILAS - SNMP

KNOW HOW - Menggabungkan Beberapa Grafik dalam Satu File HTML

1. Kenali file yang dibuat oleh MRTG

2. File MRTG.CFG untuk banyak PC

3. Membuat file HTML sendiri

5. MAIL SERVER (squirrelmail)

6.PROXY SERVER (squid)

4. DNS (bind)

Blog Archive

langganan info

LINK