#verifies syntax of /etc/named.conf named-checkconf #check a specific zone file named-checkzone one.edu db.192.168.1 ================================================================================ Use logging (named.conf(4)) to cause the named process to write to a log file that you specify. Add the following to the top of the primary DNS system's /etc/named.conf file and restart the named daemon: logging { channel logfile { file "/var/named/bind-log"; print-time yes; severity debug 9; print-category yes; print-severity yes; }; category default { default_syslog; logfile; }; category queries { logfile; }; }; Logging starts as soon as the logging statement in the /etc/named.conf file is parsed, so the logging statement should be the first entry in that file. A logging channel controls the destination of the logged data. Following is a description of each of the example entries: * /var/named/bind-log - File to hold logged data * print-time yes - Print time of the event * severity debug 9 - Debug output of level 9 and below to be logged * print-category yes - Log category information * print-severity yes - Log severity information The category section describes how the channel information is used. Following is a description of each of the example entries: * category default { default_syslog; logfile; } - Log to syslog and logfile * category queries { logfile; } - Log queries ================================================================================ The named daemon sends messages to the syslogd daemon by using the daemon facility. Messages that are sent with level notice or higher are written to the /var/adm/messages file by default. The contents of this file often show where configuration errors were made. ================================================================================ Before the Solaris 9 OS, the primary test tool bundled with BIND was the nslookup utility. As of the Solaris 9 OS, the domain information groper (dig) utility was also bundled with the Solaris OS. In the Solaris 10 OS, the nslookup utility is included, but is marked as obsolete with a notification that it might be removed in a future release. The dig utility is now preferred and does the following: * Sends queries and displays replies for any of the valid resource record types * Queries the DNS server of your choice * Debugs almost any domain that is not protected by a firewall Executing Forward Queries The syntax used for forward queries is as follows: dig @DNS_server domain_name system_name dig @192.168.1.2 one.edu sys11.one.edu dig @192.168.1.2 one.edu -x 192.168.1.1 ================================================================================ The remote name daemon controller command, rndc, is used to dump the currently cached contents of the server. sys12# rndc dumpdb All of the options for the rndc utility are listed when it is invoked without any as follows: View syntax Clearing the Cache Clear the server's cached data by restarting the named daemon. For example: sys12# svcs -a | grep dns online 5:09:02 svc:/network/dns/client:default online 5:09:25 svc:/network/dns/server:default sys12# svcadm disable svc:/network/dns/server:default sys12# svcs -a | grep dns disabled 6:54:30 svc:/network/dns/server:default online 5:09:02 svc:/network/dns/client:default sys12# svcadm enable svc:/network/dns/server:default sys12# svcs -a | grep dns online 5:09:02 svc:/network/dns/client:default online 6:54:45 svc:/network/dns/server:default Verify that the cache has been cleared using the rndc command: sys12# rndc dumpdb sys12# cat /var/named/named_dump.db ; ; Cache dump of view '_default' ; $DATE 20050112135516 ================================================================================ You can use the rndc utility with the reconfig command to cause the named process to reload its configuration file and implement any changes to the zone files as follows: sys12# rndc reconfig ================================================================================ Administrators use the remote name daemon control program (rndc) to control the operation of a name server. Name servers have always been controlled by administrators sending signals, such as SIGHUP and SIGINT. The rndc utility provides a finer granularity of control, and it can be used both interactively and non-interactively. As of the Solaris 10 OS, the rndc utility replaces the ndc utility as the name daemon control application. A significant difference between ndc in BIND 8 and rndc in BIND 9 is that rndc uses its own configuration file, rndc.conf. Securing Control Sessions The rndc utility supports security using key-based authentication. Remote clients are authorized specifically to control the daemon by establishing, configuring and using secret keys. Implementing this security requires an rndc-key reference entry in the /etc/name.conf file and the appropriate key information in the rndc.conf file. Without a rndc-key reference in the /etc/named.conf file, the following messages appear in the /var/adm/messages file: Jan 12 08:22:12 sys12 named[1346]: [ID 873579 daemon.notice] / command channel listening on 127.0.0.1#953 Jan 12 08:22:12 sys12 named[1346]: [ID 873579 daemon.notice] / couldn't add command channel ::1#953: address not available You can continue to use the rndc utility, albeit in a non-secure manner. Use the rndc-confgen utility to generate the proper contents for the rndc.conf and /etc/named.conf files. The rndc.conf file specifies which server controls and algorithm the server should use. You need only a rndc.conf file in place if the named.conf file has an entry for a rndc-key. sys12# /usr/sbin/rndc-confgen # Start of rndc.conf key "rndc-key" { algorithm hmac-md5; secret "jZOP5nh//i9t7BwHivvNzA=="; }; options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; }; # End of rndc.conf # Use with the following in named.conf, adjusting the allow list as needed: # key "rndc-key" { # algorithm hmac-md5; # secret "jZOP5nh//i9t7BwHivvNzA=="; # }; # # controls { # inet 127.0.0.1 port 953 # allow { 127.0.0.1; } keys { "rndc-key"; }; # }; # End of named.conf sys12# Copy the rndc-key section into a new file called /etc/rndc.conf. sys12# cat /etc/rndc.conf key "rndc-key" { algorithm hmac-md5; secret "jZOP5nh//i9t7BwHivvNzA=="; }; options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; }; Add the named.conf section to the /etc/named.conf file. Be sure to remove the comment indentifiers (#). The following is an example of a finished /etc/named.conf file: sys12# cat /etc/named.conf options { directory "/var/named"; }; // added to stop couldn't add command channel ::1#953 messages // from showing up in /var/adm/messages // following is output from /usr/sbin/rndc-confgen key "rndc-key" { algorithm hmac-md5; secret "jZOP5nh//i9t7BwHivvNzA=="; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; }; // end of rndc.key addition ... Testing Test the rndc.key by stopping and starting the named process, using the rndc utility, and examining the resulting /var/adm/messages file entries: sys12# svcadm disable svc:/network/dns/server:default sys12# svcadm enable svc:/network/dns/server:default sys12# tail -4 /var/adm/messages Jan 12 08:58:48 sys12 named[1402]: [ID 873579 daemon.notice] / starting BIND 9.2.4 Jan 12 08:58:48 sys12 named[1402]: [ID 873579 daemon.notice] / command channel listening on 127.0.0.1#953 Jan 12 08:58:48 sys12 named[1402]: [ID 873579 daemon.notice] running The daemon starting without the command channel message implies a successful key configuration The rndc command can now be used securely. You will see an error message similar to the following if either there is a problem with the contents of the rndc.conf file: sys12# rndc dumpdb Jan 12 10:13:40 sys12 named[1431]: invalid command from 127.0.0.1#32839: bad auth rndc: connection to remote host closed This may indicate that the remote server is using an older version of the command protocol, this host is not authorized to connect, or the key is invalid. sys12# Server Status The rndc utility can be used to query server status and report statistics. Now test to verify that the rndc utility works as expected: sys12# rndc status number of zones: 5 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is ON server is up and running Flushing the Memory Cache You can use the rndc utility to flush the memory cache. sys12# rndc flush sys12# rndc dumpdb sys12# cat /var/named/named_dump.db ; ; Cache dump of view '_default' ; $DATE 20050113141237 sys12# Changing the Debug Level of the Daemon Use the rndc utility to change the debug level of the server. Before making any changes, determine the current debug level of the daemon. sys12# rndc status number of zones: 5 debug level: 0 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is ON server is up and running Increment the debug level by one. sys12# rndc trace sys12# rndc status number of zones: 5 debug level: 1 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is ON server is up and running Assign the debug level to a specific level. sys12# rndc trace 8 sys12# rndc status number of zones: 5 debug level: 8 xfers running: 0 xfers deferred: 0 soa queries in progress: 0 query logging is ON server is up and running sys12# If logging is enabled, the debug level is shown along with the logged messages: sys12# tail -f /var/named/bind-log Jan 13 07:12:37.548 general: debug 1: received control channel command 'dumpdb' Jan 13 07:17:02.598 general: debug 1: received control channel command 'status' Jan 13 07:17:15.249 general: debug 1: received control channel command 'trace' Jan 13 07:17:17.929 general: debug 1: received control channel command 'status' Jan 13 07:17:34.838 general: debug 1: received control channel command 'trace 8' Jan 13 07:17:37.149 general: debug 1: received control channel command 'status' ================================================================================