wk2 dns Flashcards

1
Q

When is the cache in the ISP’s own caching nameservers updated?

A

This cache is updated periodically (generally defined by TTL, or ‘time to live’, though servers can choose to disregard these values), and if it observes that a domain’s serial number has changed, the new information will be loaded into that cache.

2
Q

One of the first things to set up on the server (imo specifically a cPanel server)?

A

One of the first things you will set up on your server is the hostname. A hostname should ideally be a publicly resolvable, fully-qualified domain name (FQDN), particularly if you intend to operate a mail server.

3
Q

Break down this: host.domain.tld

A

An example of a fully-qualified domain name (FQDN). In this example, host is the subdomain, cpanel is the domain name, and .net is the top-level domain. In a lot of cases, instead of host you might see www. This is still considered an FQDN.

4
Q

Why do remote mail servers want your hostname to be an FQDN?

A

Remote mail servers, in an effort to reduce the risk of spoofing and spam incidents, very frequently rely on being able to confirm that the sending server’s hostname is valid, and on verifying that the server’s IP address points (via reverse lookup) back to that particular hostname.

5
Q

What is TTL?

A

The TTL, or “time to live”, defines how long (in seconds) a zone should be cached by caching nameservers before it is checked for updates.

This acts primarily as a preference, however, because some caching name servers will set their own minimums and may ignore the TTL value defined on your server, to prevent abuse and to accommodate their individual environments.

If they have not been changed, the defaults (86400 seconds, which equates to 24 hours) will be present on initial zone creation.

6
Q

What is AAAA?

A

AAAA Records (IPv6 Address)

cPanel environments support the use of IPv6, including its use in DNS zones via AAAA records, which function like a typical A record, except that rather than mapping a host to a typical IPv4 address (e.g. 10.1.2.3), it maps the host to an IPv6 address.

When IPv6 is installed onto a cPanel server, DNS zones retain the original IPv4 address mapping, but a new IPv6 AAAA record is added into the zone files. The address assigned is determined by the address that is given to each account automatically by the system upon IPv6 installation.

NOTE:

At this time, only Bind and PowerDNS support IPv6.

7
Q

What is CAA?

A

CAA Records (Certification Authority Authorization)

CAA records are for specifying which certificate authorities should be permitted to create SSL certificates for a domain.

These are inherited from the parent, so you only need to set a CAA record for example.com, which will then provide the same functionality for foo.example.com and any other subdomains of example.com.

CAA records are optional. If a domain does not have one, then any certificate authority may issue an SSL certificate for that domain.

A domain can have more than one CAA record. When there is more than one CAA record, all the listed certificate authorities are permitted to issue certificates for the domain.

8
Q

Tell me about BIND/named

A

BIND/named is the default DNS server provided with cPanel. It is considered the most stable, and is the most prevalent in use on the internet.

All record types are supported by BIND, and it allows for significant flexibility in configuring it, which provides for most web hosting scenarios and requirements. It also provides additional IPv6 support that is not available through other selections.

One downside to the use of BIND/named is that it is more memory-intensive than the other available options, and performs a bit slower due to its need to load all of its zones with each change or start-up.

9
Q

Tell me about MyDNS

A

NOTE: MyDNS is considered deprecated and will be removed in future versions.

MyDNS is a MySQL-based DNS server, allowing it to load faster and handle a larger quantity of zones than BIND/named.

MyDNS’s record support is more limited than BIND/named in that, while it does support the most commonly required records, it does not provide support for other alternative records such as DNSSEC.

By relying on MySQL, MyDNS can load new zones and zone changes “live”, without having to load all of its zones each time. This is a significant benefit to administrators that have very large quantities of zones.

10
Q

Tell me about PowerDNS

A

PowerDNS is a fast nameserver with low memory usage. It is also the only nameserver that can be configured to handle DNSSEC within cPanel & WHM.

It can use any database backend, but within cPanel it uses a SQLite database for DNSSEC and the same BIND zone files that are used for the other nameserver options.

The /etc/named.conf file is used to locate the zone files. Due to a feature change in newer versions of cPanel, DNSSEC, and therefore PowerDNS, can now be used in clustering.

11
Q

Tell me about NSD

A

NOTE: NSD is considered deprecated and will be removed in future versions.

NSD, created by NLnet Labs, has a very small footprint, and is a fast option for very minimal DNS server requirements, or for environments that need DNS functionality on very limited servers.

Because of its lightweight operation, it only supports the most commonly required DNS records, and may not be functional for more customized setups.

Recursion is also not supported in an NSD environment.

12
Q

Where are the DNS zone files actually stored?

A

DNS zones, stored on the file system within the /var/named folder and ending in “.db” extensions, are at the core of how all DNS resolution is handled. Without a zone stored somewhere containing the correct information, a domain may as well not exist.

Because each domain requires its own zone file, the management of these can easily get out of hand on a server that frequently adds/removes domains or handles a large number of zones on a single environment.

13
Q

How do you reload the named utility? (that’s dns)

A

rndc reload

14
Q

What is an ACL?

A

An Access Control List is a list of IP addresses that are either allowed to or restricted from querying the server, based on a specific set of rules.

15
Q

Explain DNS recursion

A

Recursion is the concept of passing a received query on to another nameserver, essentially bouncing off one server onto another.

16
Q

Explain DNS transfer

A

In the context of BIND/named, to transfer a zone means to provide or take a copy of all the information related to a zone, to or from the local server or a remote server.

17
Q

Explain subnet

A

A subnet is a block of IP addresses allocated for use by your network provider or internet service provider.

18
Q

What is a subnet mask?

A

A subnet mask is a way to concisely define a range or group of IP addresses based on a “mask” number. This number describes how much of a particular IP address should be matched, or to what quantity a particular octet of an IP address should be allocated or implied.

19
Q

A list of domains that can be resolved without the internet

A

/etc/hosts

20
Q

Stores a list of servers to ask when the local server is not authoritative for the zone

A

/etc/resolv.conf

21
Q

A list of the files and services that are responsible for various types of DNS lookups

A

/etc/nsswitch.conf

22
Q

The folder where DNS zone files are stored

A

/var/named

23
Q

The directory in which named’s PID (process ID) file and the session key are contained

A

/var/run/named

24
Q

The general kernel message log, which includes the majority of BIND/named’s log entries by default.

A

/var/log/messages

25
Q

Any BIND/named log entries that are not stored in “messages” may be stored here.

A

/var/log/named/named.log

26
Q

The configuration file that lists all the zones that the nameserver handles, along with important server options and settings.

A

/etc/named.conf

27
Q

Stores the named process options

A

/etc/sysconfig/named

28
Q

Remote Name Daemon Control, a control program for named, stores its configuration file here. We will go over rndc further a bit later in the course.

A

/etc/rndc.conf

29
Q

The shared secret a client needs to have before rndc will obey a command.

A

/etc/rndc.key

30
Q

The primary MyDNS configuration file used for fine tuning MyDNS functionality.

A

/etc/mydns.conf

31
Q

The primary NSD configuration file, used for light tweaking of its minimal available options

A

/etc/nsd.conf

32
Q

The database for DNSSEC of each domain handled by this nameserver.

A

/var/cpanel/pdns/dnssec.db

33
Q

The primary powerdns configuration file

A

/etc/pdns/pdns.conf

34
Q

The general kernel message log, which includes the majority of PowerDNS’s log entries by default

A

/var/log/messages

35
Q

Location of the PowerDNS binaries in a cPanel environment

A

/usr/bin/pdnsutil

36
Q

Improve your server’s mail reputation by enabling the following options:

A

DKIM - uses digital signatures to verify a message with its host, to prevent email spoofing.

SPF - uses DNS records to provide remote mail hosts with a way of verifying whether the sending host is actually authorized to send mail from your domain or not.

DMARC - assists servers receiving messages that claim to be from your domain but fail either DKIM or SPF, by telling them how such messages should be handled.

The primary IP address of your server - or the outbound IP address configured for Exim, if altered from default - should be set up with a PTR record, so that reverse DNS queries can resolve your hostname from that IP address. Refer to the earlier steps for information on determining how and where these should be set up.

37
Q

Why use DNS clustering?

A

One reason is redundancy. Clustering allows your zones to be stored across a distributed set of servers, so that, if a client is unable to reach one server, it can fail over on to one of the other servers in the cluster, depending on the configuration and the defined authoritative servers.

Another is load reduction. In addition to redundancy, clustering also allows you to distribute the overall query load across multiple servers, so that the impact is not concentrated on one or two servers alone. In heavy traffic scenarios, the load improvement here can be quite significant.

38
Q

What’s the licensing cost for DNS Only software?

A

No cost.