Open Source Mail Service: December 2017

Thursday, 14 December 2017

Reverse zone and PTR record

After configure master record now here we are Create Reverse zone file for convert ip Address to name. For hosting PTR record in DNS we need to create Reverse zone file entry in /etc/named.conf file. same like below
    zone "0.168.192.in-addr.arpa" IN {
              type master;
              file "192.168.0.zone";
    };

Edit reverse zone entry in /etc/named.conf
[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.10.0/24; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

//      dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "zmailtech.com" IN {
        type master;
        file "zmailtech.com.zone";
};

zone "10.168.192.in-addr.arpa" IN {
        type master;
        file "10.168.192.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@master ~]#

PTR records are used for the Reverse DNS (Domain Name System) lookup. Using the IP address you can get the associated domain/hostname. An A record should exist for every PTR record. The usage of a reverse DNS setup for a mail server is a good solution.

Now here we are hosting PTR Record in DNS service.
Create reverse zone file, we are copy named.loopback file into 10.168.192.zone file for revers zone

[root@master ~]# cat /var/named/named.loopback > /var/named/10.168.192.zone

Assigning proper permission and owenership on zmailtech.com.zone file.

[root@master ~]# ls -l /var/named
total 24
-rw-r--r--. 1 root root   168 Dec 14 16:19 10.168.192.zone
drwxrwx---. 2 named named   49 Dec 14 13:43 data
drwxrwx---. 2 named named   60 Dec 14 16:11 dynamic
-rw-r-----. 1 root named 2281 May 22 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named    6 Aug 4 13:43 slaves
-rw-r--r--. 1 root named 470 Dec 14 13:44 zmailtech.com.zone
[root@master ~]#

Change 10.168.192.zone reverse zone file group owner to named group owner

[root@master ~]# chgrp named /var/named/10.168.192.zone
[root@master ~]# ls -l /var/named
total 24
-rw-r--r--. 1 root named 168 Dec 14 16:19 10.168.192.zone
drwxrwx---. 2 named named   49 Dec 14 13:43 data
drwxrwx---. 2 named named   60 Dec 14 16:11 dynamic
-rw-r-----. 1 root named 2281 May 22 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named    6 Aug 4 13:43 slaves
-rw-r--r--. 1 root named 470 Dec 14 13:44 zmailtech.com.zone
[root@master ~]#

Edit PTR record in 10.168.192.zone Revers zone

[root@master ~]# vim /var/named/10.168.192.zone
[root@master ~]# cat /var/named/10.168.192.zone
$TTL 1D
@       IN SOA ns1.zmailtech.com. admin.zmailtech.com. (
                                        2017121501      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum

        IN      NS      ns1.zmailtech.com.
        IN      A       192.168.10.2

2       IN      PTR     ns1.zmailtech.com.
2       IN      PTR     mail.zmailtech.com.
[root@master ~]#

Need to restart bind (named) service after change in DNS Records zone file.
[root@master ~]# systemctl restart named

Lets check PTR record with dig -x command.

[root@master ~]# dig -x 192.168.10.2

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.10.2
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28756
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;2.10.168.192.in-addr.arpa.     IN      PTR

;; ANSWER SECTION:
2.10.168.192.in-addr.arpa. 86400 IN     PTR     ns1.zmailtech.com.
2.10.168.192.in-addr.arpa. 86400 IN     PTR     mail.zmailtech.com.

;; AUTHORITY SECTION:
10.168.192.in-addr.arpa. 86400 IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 1 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Thu Dec 14 16:10:57 IST 2017
;; MSG SIZE rcvd: 134

[root@master ~]#

Configure MX Record

A mail exchanger record (MX record) is a type of resource record in the Domain Name System that specifies a mail server responsible for accepting email messages on behalf of a recipient's domain, and a preference value used to prioritize mail delivery if multiple mail servers are available.

Edit MX Record in /var/named/zmailtech.com.zone file. for zmailtech.com domain.

[root@master ~]# vim /var/named/zmailtech.com.zone
[root@master ~]# cat /var/named/zmailtech.com.zone
$TTL 1D
@       IN SOA ns1.zmailtech.com. admin.zmailtech.com. (
                                        2017121501      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.zmailtech.com.
ns1     IN      A       192.168.10.2
master IN      A       192.168.10.2
mail    IN      A       192.168.10.2

;CNAME Record
www     IN      CNAME   master.zmailtech.com.
ftp     IN      CNAME   master.zmailtech.com.
smtp    IN      CNAME   mail.zmailtech.com.

;MX Record
zmailtech.com. IN      MX      10      mail.zmailtech.com.
zmailtech.com. IN      MX      20      smtp.zmailtech.com.
[root@master ~]#

Check MX Record with dig command.

[root@master ~]# dig mx zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> mx zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41221
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 3

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;zmailtech.com.                 IN      MX

;; ANSWER SECTION:
zmailtech.com.          86400   IN      MX      20 smtp.zmailtech.com.
zmailtech.com.          86400   IN      MX      10 mail.zmailtech.com.

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
mail.zmailtech.com.     86400   IN      A       192.168.10.2
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Thu Dec 14 13:46:49 IST 2017
;; MSG SIZE rcvd: 134

[root@master ~]#

Check zmailtech.com mx record with host command

[root@master ~]# host -t mx zmailtech.com
zmailtech.com mail is handled by 20 smtp.zmailtech.com.
zmailtech.com mail is handled by 10 mail.zmailtech.com.
[root@master ~]#

Wednesday, 13 December 2017

Configure CNAME Record

CNAME records are referred to as alias records since they map an alias to its canonical name. CNAME records allow an administrator to point multiple systems to one IP without specifically assigning an A record to each host name. If your server IP ever changes, you only have to change one A record’s IP address to update all associated records.

# Edit below line in /var/named/zmailtech.com.zone file.

[root@master ~]# vim /var/named/zmailtech.com.zone
[root@master ~]# cat /var/named/zmailtech.com.zone
$TTL 1D
@       IN SOA ns1.zmailtech.com. admin.zmailtech.com. (
                                        2017121501      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.zmailtech.com.
ns1     IN      A       192.168.10.2
master IN      A       192.168.10.2

;CNAME Record
www     IN      CNAME   master.zmailtech.com.
ftp     IN      CNAME   master.zmailtech.com.
smtp    IN      CNAME   master.zmailtech.com.[root@master ~]#

After Edit CNAME Record we need to restart named service.

[root@master ~]# systemctl restart named

Now we test CNAME Record www.zmailtech.com via dig command

[root@master ~]# dig www.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> www.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52896
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.zmailtech.com.             IN      A

;; ANSWER SECTION:
www.zmailtech.com.      86400   IN      CNAME   master.zmailtech.com.
master.zmailtech.com.   86400   IN      A       192.168.10.2

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 2 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Thu Dec 14 13:18:19 IST 2017
;; MSG SIZE rcvd: 117

[root@master ~]#

Now we test CNAME Record ftp.zmailtech.com via dig command

[root@master ~]# dig ftp.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> ftp.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31273
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;ftp.zmailtech.com.             IN      A

;; ANSWER SECTION:
ftp.zmailtech.com.      86400   IN      CNAME   master.zmailtech.com.
master.zmailtech.com.   86400   IN      A       192.168.10.2

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Thu Dec 14 13:19:01 IST 2017
;; MSG SIZE rcvd: 117

[root@master ~]#

Now we test CNAME Record smtp.zmailtech.com via dig command

[root@master ~]# dig smtp.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> smtp.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7689
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;smtp.zmailtech.com.            IN      A

;; ANSWER SECTION:
smtp.zmailtech.com.     86400   IN      CNAME   master.zmailtech.com.
master.zmailtech.com.   86400   IN      A       192.168.10.2

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec

;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Thu Dec 14 13:19:12 IST 2017
;; MSG SIZE rcvd: 118

[root@master ~]#

Master Zone DNS service configurations

To creating Master DNS for example.com zone we will add one new zone. as below to host and configure domain, two steps to be needed

1. Edit domain entry in /etc/named.conf
2. Population zone file with RR

Zone definition / creation of zone in /etc/named.conf
create entry in /etc/named.conf

following configuration is for “example.com” and the Resource Record will be stored at “/var/named/example.com.zone” file

zone "example.com" IN {
    type master;
    file "example.com.zone";
};

# Edit zmailtech.com domain entry in /etc/named.conf file.

[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.10.0/24; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

//      dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "zmailtech.com" IN {
        type master;
        file "zmailtech.com.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@master ~]#

Population / creating entry RR (Resource Record) in zone file
To populate resource record named.localhost can be used as template.
[root@master ~]# cat /var/named/named.localhost
$TTL 1D
@       IN SOA @ rname.invalid. (
                                        0       ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        NS      @
        A       127.0.0.1
        AAAA    ::1
[root@master ~]#

For Create Zone file copy /var/named/named.localhost in /var/named/zmailtech.com.zone

[root@master ~]# cat /var/named/named.localhost > /var/named/zmailtech.com.zone

[root@master ~]# ls -l /var/named
total 20
drwxrwx---. 2 named named   23 Dec 5 12:56 data
drwxrwx---. 2 named named   60 Dec 12 21:15 dynamic
-rw-r-----. 1 root named 2281 May 22 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named    6 Aug 4 13:43 slaves
-rw-r--r--. 1 root root   152 Dec 12 21:24 zmailtech.com.zone
[root@master ~]#

Assigning proper permission and owenership on zmailtech.com.zone file.

[root@master ~]# chgrp named /var/named/zmailtech.com.zone

[root@master ~]# ls -l /var/named/
total 20
drwxrwx---. 2 named named   23 Dec 5 12:56 data
drwxrwx---. 2 named named   60 Dec 12 21:15 dynamic
-rw-r-----. 1 root named 2281 May 22 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named    6 Aug 4 13:43 slaves
-rw-r--r--. 1 root named 152 Dec 12 21:32 zmailtech.com.zone
[root@master ~]#

Edit zone file as like below

[root@master ~]# vim /var/named/zmailtech.com.zone
[root@master ~]# cat /var/named/zmailtech.com.zone
$TTL 1D
@       IN SOA ns1.zmailtech.com. admin.zmailtech.com. (
                                        2017121501      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum
        IN      NS      ns1.zmailtech.com.
ns1     IN      A       192.168.10.2
master IN      A       192.168.10.2
[root@master ~]#

need to restart bind (named) service after change in DNS Records

[root@master ~]# systemctl restart named

Testing DNS A Record with dig command.

[root@master ~]# dig @127.0.0.1 master.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @127.0.0.1 master.zmailtech.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62530
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;master.zmailtech.com.          IN      A

;; ANSWER SECTION:
master.zmailtech.com.   86400   IN      A       192.168.10.2

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Dec 12 21:37:43 IST 2017
;; MSG SIZE rcvd: 99

[root@master ~]#

Understanding of DNS ZONE file

Zone files are nothing but simple text files, that can be easily modified by using text editors such as VIM, gedit, neno etc. This file contains the complete details of all resource records for that domain. In other words it will contains the entire ip to domain mapping of the domain. During this blog post I will be using a zone file made for BIND(Berkeley Internet Name Domain) DNS server from CentOS 7 Linux operating system, which is a very widely used DNS server package. Zone files are made in such a way that it can be made portable for any DNS server.

The main purpose of this blog post is to understand the contents of a zone file, and how they play a major role in the DNS system(we will also be studying some of the widely used resource records in DNS). We will be discussing bind related configurations in a separate post, as it requires special attention.

TTL (Time To Live)

In the above shown example configuration file, there a TTL value assigned by the below method.
@TTL 1d
TTL stands for Time To Live, which mentions the time in seconds for which caching name servers can cache the data. Here the TTL value mentioned in the beginning of the file, is the bind's method of specifying the default TTL value for the domain, if not explicitly mentioned.
Let's take an example to understand TTL. I will do a simple dig against google.com, to see

What's the TTL ??

[root@master ~]# dig @127.0.0.1 master.zmailtech.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @127.0.0.1 master.zmailtech.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13237
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;master.zmailtech.com.          IN      A

;; ANSWER SECTION:
master.zmailtech.com.   86400   IN      A       192.168.10.2

;; AUTHORITY SECTION:
zmailtech.com.          86400   IN      NS      ns1.zmailtech.com.

;; ADDITIONAL SECTION:
ns1.zmailtech.com.      86400   IN      A       192.168.10.2

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 13 21:47:11 IST 2017
;; MSG SIZE rcvd: 99

[root@master ~]#

In the above example, the TTL value of 86400 mentioned in the second column of the output is the number of seconds remaining for the TTL to expire. Please note the fact that, the above reply is given by your local name server which you have in your resolv.conf file. 86400 seconds means, that after 86400 seconds, your local DNS server will follow the entire procedure of fetching A record for zmailtech.com

But until that TTL expires, your local DNS server will sit and serve the cached records to all the clients. So if you repeatedly do a dig for google.com, you will always get a different value in TTL field(because its in seconds and goes on reducing).
If you really want to know the TTL of any record of any domain, you either need to do a dig to the authoritative name server for that domain, or do a dig + trace for that domain. So let's find out the exact TTL value for Google.com by doing a dig against its authoritative name server(which you will get by doing a dig NS google.com or a dig + trace)

[root@master ~]$ dig @ns1.google.com google.com
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             300     IN      A       173.194.203.100
google.com.             300     IN      A       173.194.203.138
google.com.             300     IN      A       173.194.203.113
google.com.             300     IN      A       173.194.203.102
google.com.             300     IN      A       173.194.203.139
google.com.             300     IN      A       173.194.203.101

So you will always get the TTL value of 300, when you do a dig by using ns1.google.com. Doing @<server> while using dig will ask dig to send the DNS query to that server, instead of your local DNS server mentioned in resolv.conf There are two things that you need to consider about TTL value.

A low TTL value means, that your authoritative name server will get a higher number of queries, because the TTL gets expired fast, due to which resolvers, and DNS servers will query the server more often. But yeah if you change the records too often, then its advisable to keep a low TTL value, so that the latest entry gets updated fast. So for example you have a website www.example.com with an A record (we will be discussing A records in some time)of 172.16.140.43, and you want to change the IP address to something else, then in that case if you have a higher TTL value, the resolvers and DNS server's who already have the old entry will not refetch the current data until the TTL expires. So if you change records more often its advisable to keep a low value of TTL
Keeping a higher value TTL will result in less number of queries hitting your authoritative name server. This is because once a record is cached in a local name server, it will not refetch the value until the TTL expires, and a high value TTL means less number of query, which intern means less load on your authoritative name server.

If you remember the dig + trace we did, the reply from TLD name servers always had a higher TTL value. Which means the servers which gives you the address of authoritative name server for a domain, has a higher value TTL. The default value of that TTL most of the times is 48 hours(2 days). The below shown snippet from the dig + trace shows the TTL value given by gTLD servers.

facebook.com. 172800 IN NS a.ns.facebook.com.
facebook.com. 172800 IN NS b.ns.facebook.com.
;; Received 153 bytes from 192.33.14.30#53(192.33.14.30) in 187 ms
172800 seconds in the above shown result means 48 hours. That large value is correct, because its very less often that people change the authoritative name server IP addresses(note the fact that the above output is the data given by a.ns.facebook.com showing the name servers for the domain facebook.com).

SOA or Start of Authority in a Zone file.

SOA is the mandatory record that must be there in all zone files. It specifies the main properties and characteristics of a domain. We will walk through each of them one by one. The default format of specifying a SOA record is shown below.

NAME TTL CLASS RR NAMESERVER EMAIL SERIALNUMBER REFRESH RETRY EXPIRY MIN

NAME: This specifies the name of the domain. As mentioned before, i am using a zone file made for bind DNS server. If you see our SOA begins with the following line

@ IN SOA ns1.zmailtech.com. admin.zmailtech.com.
@ shown in the above line is the NAME value for this SOA record. Using @ at this place will replace it with zmailtech.com as we have mentioned it in $ORIGIN. One important thing to understand here is the $ORIGIN entry, which is used to make all other entires in the zone file a FQDN. FQDN stands for Fully Qualified Domain Name, and it always ends with a dot (.).
So www.zmailtech.com is not a FQDN but www.zmailtech.com. is. The final DOT specifies the root name servers.

TTL: You can give different TTL values to different records, however we have already defined a default TTL value of 1 day in the beginning of the zone file. This default TTL value gets applied for all records that does not have an explicit TTL defined. So in case of our SOA record, the default TTL value of 1 day gets applied, as there is no TTL specific to SOA is defined.

CLASS: The default path used for all resource records are IN, which stands for internet(there are few other class as well which are mentioned in the RFC 2929).

RR: This specifies the resource record name. so its SOA here.

NAMESERVER: This is the primary name server for this domain/zone. Please note the fact that there must be a A record for this name server later in the same zone file that will specify the IP address of that name server. We will be discussing A records in some time.

EMAIL: This specifies the administrative contact email address for this domain. But if you see our example zone file, you will see that its admin.zmailltech.com instead of any email address. That's simiply because @ sign in zone file has some different meaning other than email address.

SERIALNUMBER: Its one of the important entries inside the SOA record in a zone file. Serial number tells the modification date of the zone file. Every time you modify the zone file, you also need to modify the serial number. Serial numbers in zone file follows a date format of
yyyymmddss. Which means if you have edited your zone file on 12th September 2013, your serial number will be 2013091200. This entry of serial number is mostly used for zone transfer to confirm the last modification of the zone. We will be discussing the zone transfer stuff in a dedicated post.

REFRESH: Indicates the time after which the secondary or slave DNS server for this domain re-fetches the SOA record for this zone.

RETRY: Specifies the retry interval if the slave will take, in case of a failure.

EXPIRY: This specifies the duration after which the slave name server will stop responding to DNS queries if the connection to master server cannot be established by following retry interval.

MIN: You might have seen something like NXDOMAIN, while digging for any domain name. for example lets dig for a non existent domain name.

[root@master ~]$ dig xyz.zmailtech.com

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.30.rc1.el6_6.2 <<>> xyz.zmailtech.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23931
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;xyz.zmailtech.com.             IN      A

If you see the above dig command, i have used a domain name that does not exist. So the name server for google.com replied with the status of NXDOMAIN, which is evident from the line ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 23931, in the above output.
NXDOMAIN means non-existent domain name. So this MIN, filed in the SOA indicates the duration for which caching name servers (like your local name server) will cache the NXDOMAIN value.
Hence our final zone file SOA record will look something like below, which was also previously shown in the image.

@       IN SOA ns1.zmailtech.com. admin.zmailtech.com. (
                                        2017121501      ; serial
                                        1D      ; refresh
                                        1H      ; retry
                                        1W      ; expire
                                        3H )    ; minimum

Forwarders and Caching dns /named configuration

BIND (Berkely Internet Name Domain) is a popular software for translating domain names into IP addresses and usually found on Linux servers. this blog post explain configure DNS Bind service Forwarders and Caching server in linux step by step for your local Network.

# Set hostname of server.

[root@localhost ~]# hostnamectl set-hostname master.zmailtech.com
[root@localhost ~]# hostname
master.zmailtech.com
[root@localhost ~]#

[root@localhost ~]# cat /etc/sysconfig/network
# Created by anaconda
HOSTNAME=master.zmailtech.com
[root@localhost ~]#

# Check ip address.

[root@localhost ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host
       valid_lft forever preferred_lft forever
2: enp0s3: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP qlen 1000
    link/ether 08:00:27:e0:d3:c5 brd ff:ff:ff:ff:ff:ff
    inet 192.168.10.2/24 brd 192.168.10.255 scope global dynamic enp0s3
       valid_lft 736sec preferred_lft 736sec
    inet6 fe80::61e1:d548:2e53:232b/64 scope link
       valid_lft forever preferred_lft forever
[root@localhost ~]#

# Install bind bind-utils packages via yum command.

[root@localhost ~]# yum install bind bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
Resolving Dependencies
--> Running transaction check
---> Package bind.x86_64 32:9.9.4-50.el7 will be installed
--> Processing Dependency: bind-libs = 32:9.9.4-50.el7 for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: liblwres.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccfg.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisccc.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libisc.so.95()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libdns.so.100()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
--> Processing Dependency: libbind9.so.90()(64bit) for package: 32:bind-9.9.4-50.el7.x86_64
---> Package bind-utils.x86_64 32:9.9.4-50.el7 will be installed
--> Running transaction check
---> Package bind-libs.x86_64 32:9.9.4-50.el7 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
Package           Arch          Version                  Repository       Size
================================================================================
Installing:
bind              x86_64        32:9.9.4-50.el7          c7-media        1.8 M
bind-utils        x86_64        32:9.9.4-50.el7          c7-media        203 k
Installing for dependencies:
bind-libs         x86_64        32:9.9.4-50.el7          c7-media        1.0 M

Transaction Summary
================================================================================
Install 2 Packages (+1 Dependent package)

Total download size: 3.0 M
Installed size: 7.3 M
Is this ok [y/d/N]: y
Downloading packages:
--------------------------------------------------------------------------------
Total                                              149 MB/s | 3.0 MB 00:00
Running transaction check
Running transaction test
Transaction test succeeded
Running transaction
Installing : 32:bind-libs-9.9.4-50.el7.x86_64                             1/3
Installing : 32:bind-9.9.4-50.el7.x86_64                                  2/3
Installing : 32:bind-utils-9.9.4-50.el7.x86_64                            3/3
Verifying : 32:bind-9.9.4-50.el7.x86_64                                  1/3
Verifying : 32:bind-libs-9.9.4-50.el7.x86_64                             2/3
Verifying : 32:bind-utils-9.9.4-50.el7.x86_64                            3/3

Installed:
bind.x86_64 32:9.9.4-50.el7         bind-utils.x86_64 32:9.9.4-50.el7

Dependency Installed:
bind-libs.x86_64 32:9.9.4-50.el7

Complete!
[root@localhost ~]#

# Now check named service is named status

[root@localhost ~]# systemctl status named
â named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled; vendor preset: disabled)
   Active: inactive (dead)
[root@localhost ~]#

# check bind service file in /etc/ folder

[root@localhost ~]# ls -l /etc/named*
-rw-r-----. 1 root named 1705 Mar 22 2016 /etc/named.conf
-rw-r--r--. 1 root named 3923 Aug 4 13:43 /etc/named.iscdlv.key
-rw-r-----. 1 root named 931 Jun 21 2007 /etc/named.rfc1912.zones
-rw-r--r--. 1 root named 1587 May 22 2017 /etc/named.root.key

/etc/named:
total 0
[root@localhost ~]#

# Now Start named service.

[root@master ~]# systemctl start named

# Check DNS service via netstat command

[root@master ~]# netstat -ntpul | grep named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      1173/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      1173/named
tcp6       0      0 ::1:53                  :::*                    LISTEN      1173/named
tcp6       0      0 ::1:953                 :::*                    LISTEN      1173/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           1173/named
udp6       0      0 ::1:53                  :::*                                1173/named
[root@master ~]#

# Named is working on tcp / udp port number 53 and rndc work on 953

Let us check the default configuration access with nc from local and other remote computer.

Default configuration not allow to access 53 number port from remote computer

[root@master ~]# nc -v localhost 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to ::1:53.
^C
[root@master ~]#

# Forwarders and Caching dns /named configuration
Configuration of below in /etc/named.conf

[root@master ~]# vim /etc/named.conf
[root@master ~]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
// See the BIND Administrator's Reference Manual (ARM) for details about the
// configuration located in /usr/share/doc/bind-{version}/Bv9ARM.html

options {
        listen-on port 53 { 127.0.0.1; 192.168.10.2; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; 192.168.10.0/24; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

//      dnssec-enable yes;
//      dnssec-validation yes;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

[root@master ~]#

# After configure /etc/named.conf file need to restart named service

[root@master ~]# systemctl restart named

# Now lets check again the ports and ip via netstat command

[root@master ~]# netstat -ntpul | grep named
tcp        0      0 192.168.10.2:53         0.0.0.0:*               LISTEN      10692/named
tcp        0      0 127.0.0.1:53            0.0.0.0:*               LISTEN      10692/named
tcp        0      0 127.0.0.1:953           0.0.0.0:*               LISTEN      10692/named
tcp6       0      0 ::1:53                  :::*                    LISTEN      10692/named
tcp6       0      0 ::1:953                 :::*                    LISTEN      10692/named
udp        0      0 192.168.10.2:53         0.0.0.0:*                           10692/named
udp        0      0 127.0.0.1:53            0.0.0.0:*                           10692/named
udp6       0      0 ::1:53                  :::*                                10692/named
[root@master ~]#

# Add 53 port number in firewalld service

[root@master ~]# firewall-cmd --permanent --add-port=53/tcp
success
[root@master ~]# firewall-cmd --permanent --add-port=53/udp
success
[root@master ~]# firewall-cmd --reload
success
[root@master ~]#

[root@master ~]# nc -v 192.168.10.2 53
Ncat: Version 6.40 ( http://nmap.org/ncat )
Ncat: Connected to 192.168.10.2:53.
^C
[root@master ~]#

# Check DNS service Caching via dig command

[root@master ~]# dig @192.168.10.2 www.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @192.168.10.2 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 60894
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         300     IN      A       172.217.26.196

;; AUTHORITY SECTION:
google.com.             172799 IN      NS      ns1.google.com.
google.com.             172799 IN      NS      ns4.google.com.
google.com.             172799 IN      NS      ns2.google.com.
google.com.             172799 IN      NS      ns3.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         172799 IN      A       216.239.34.10
ns1.google.com.         172799 IN      A       216.239.32.10
ns3.google.com.         172799 IN      A       216.239.36.10
ns4.google.com.         172799 IN      A       216.239.38.10

;; Query time: 1280 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Mon Dec 25 22:02:56 IST 2017
;; MSG SIZE rcvd: 195
[root@master ~]#

[root@master ~]# dig @192.168.10.2 www.google.com

; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> @192.168.10.2 www.google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 16173
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 4, ADDITIONAL: 5

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.google.com.                        IN      A

;; ANSWER SECTION:
www.google.com.         293     IN      A       172.217.26.196

;; AUTHORITY SECTION:
google.com.             172792 IN      NS      ns4.google.com.
google.com.             172792 IN      NS      ns1.google.com.
google.com.             172792 IN      NS      ns3.google.com.
google.com.             172792 IN      NS      ns2.google.com.

;; ADDITIONAL SECTION:
ns2.google.com.         172792 IN      A       216.239.34.10
ns1.google.com.         172792 IN      A       216.239.32.10
ns3.google.com.         172792 IN      A       216.239.36.10
ns4.google.com.         172792 IN      A       216.239.38.10

;; Query time: 0 msec
;; SERVER: 192.168.10.2#53(192.168.10.2)
;; WHEN: Mon Dec 25 22:03:03 IST 2017
;; MSG SIZE rcvd: 195
[root@master ~]#

Pages