Domain Name Server (DNS) configuration using Bind version 8 or 9

Two of the most popular ways to configure the program Bind (Berkeley Internet Domain software) to perform DNS services is in the role of (1) ISP or (2) Web Host.

1. In an ISP configuration for clients (web surfers) conected to the internet, the DNS server must resolve IP addresses for any URL the user wishes to visit.
2. In a purely web hosting configuration, Bind will only resolve for the IP addresses of the domains which are being hosted. This is the configuration which will be discussed and is often called an "Authoritative-only Nameserver".

When resolving IP addresses for a domain, Internic is expecting a "Primary" and a "Secondary" DNS name server. (Sometimes called Master and Slave) Each DNS name server requires the file /etc/named.conf and the files it points to. This is typically two separate computer systems hosted on two different IP addresses. It is not necesary that the Linux servers be dedicated to DNS as they may run a web server, mail server, etc.

Note on Bind versions: Red Hat versions 6.x used Bind version 8. Release 7.1 of Red Hat began using Bind version 9 and the GUI configuration tool bindconf was introduced for those of you that like a pretty point and click interface for configuration.

Installation Packages:

• Red Hat / Fedora Core / CentOS: bind, bind-chroot, bind-libs, bind-utils, system-config-bind
  • bind-chroot: Security jail for operation of bind.
  • bind-utils: Utility commands like nslookup, host, dig
  • system-config-bind: GUI config tool system-config-bind and related configuration files (/etc/security/console.apps/bindconf).
  • caching-nameserver: We will not be covering this as it is not required for web hosting. This is used by internet providers so their clients can cache the DNS entries of the sites they are visiting.
• Ubuntu (dapper/hardy) / Debian: bind9

Configuration files:

Red Hat / Fedora / CentOS:

File	Description	Directory	Chrooted Directory
named.conf	Primary/Secondary DNS server configuration. (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.conf)	/etc/	/var/named/chroot/etc/
named.root.hints	Configuration for recursive service. Required for all zones. (See default file /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints)	/etc/	/var/named/chroot/etc/
named	Red Hat system variables.	/etc/sysconfig/	no change
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/named/chroot/etc/
Zone files	Configuration files for each domain. Create this file to resolve host name internet queries i.e. define IP address of web (www) and mail servers in the domain.	/var/named/	/var/named/chroot/var/named/

Debian / Ubuntu:

File	Description	Directory	Chrooted Directory
named.conf named.conf.options named.conf.local	Primary/Secondary DNS server configuration.	/etc/bind/	/var/bind/chroot/etc/bind/
rndc.key	Primary/Secondary DNS server configuration.	/etc/	/var/bind/chroot/etc/
Zone files	Configuration files for each domain.	/var/bind/data/	/var/bind/chroot/var/bind/data/

Primary server (master):

File: named.conf

Red Hat / Fedora Core / CentOS: /etc/named.conf (chroot dir: /var/named/chroot/etc/named.conf) and /etc/sysconfig/named for system variables.
Ubuntu / Debian: /etc/bind/named.conf Place local definitions in /etc/bind/named.conf.options and /etc/bind/named.conf.local

Simple example: (no views)

options { - Ubuntu stores options in /etc/bind/named.conf.options version "Bind"; - Don't disclose real version to hackers directory "/var/named"; - Specified so relative path names can be used. Full path names still allowed. allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS recursion no; auth-nxdomain no; - conform to RFC1035. (default) fetch-glue no; - Bind 8 only! Not used by version 9 }; zone "localhost" { type master; file "/etc/bind/db.local"; }; zone "0.0.127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "your-domain.com"{ - Ubuntu separates the zone definitions into /etc/bind/named.conf.local type master; - Specify master, slave, forward or hint file "data/named.your-domain.com"; notify yes; - slave servers are notified when the zone is updated. allow-update { none; }; - deny updates from other hosts (default: none) allow-query { any; }; - allow clients to query this server (default: any) }; zone "your-domain-2.com"{ type master; file "data/named.your-domain-2.com"; notify yes; };

Note:

• The omission of zone ".". Required if providing a recursive service.
• Ubuntu includes the separated file of zone directives using the directive:
  include "/etc/bind/named.conf.local";

BIND Views: The BIND naming service can support "views" which allow various sub-networks (i.e. private internal or public external networks) to have a different domain name resolution result.

• If no views are specified then use the configuration shown above.
• The match-up between the "view" and the view client which receives the DNS information is specified by the match-clients statement.
• If even one view is specified, then ALL zones MUST be associated with a "view".
• Bind 9 allows for views which allow different zones to be served to different types of clients, localhost, private networks and public networks. This maps to the three view names "localhost_resolver", "internal" and "external":
  • localhost_resolver: Supports name resolution for the system (localhost) using BIND. Support for use of bind also has to be configured in /etc/nsswitch.conf
  • internal: User specified Local Area Network (LAN). If not used to support a local private LAN, remove (or comment out) this view.
  • external: The general public internet defined as client "any".
• If you are only setting up a caching name server, then only specify the view "localhost_resolver" (delete all other views).
• In order to support a DNS for internet domains using views, one will have to configure an "external" view

Typical Red Hat Enterprise 5 example: (Bind 9.3.4 with three "views")

options { directory "/var/named"; // the default dump-file "data/cache_dump.db"; statistics-file "data/named_stats.txt"; memstatistics-file "data/named_mem_stats.txt"; }; logging { // By default, SELinux policy does not allow named to modify the /var/named // directory, so put the default debug log file in data/ : channel default_debug { file "data/named.run"; severity dynamic; }; }; view "localhost_resolver" { // This view sets up named to be a localhost resolver ( caching only nameserver ). // If all you want is a caching-only nameserver, then you need only define this view: match-clients { localhost; }; ... }; view "internal" { // This view will contain zones you want to serve only to "internal" clients // that connect via your directly attached LAN interfaces - "localnets" . // For local private LAN. Not covered in this tutorial. // Delete this view if web hosting with no local LAN. match-clients { localnets; }; ... }; key ddns_key { algorithm hmac-md5; secret "use /usr/sbin/dns-keygen to generate TSIG keys"; }; view "external" { // This view will contain zones you want to serve only to "external" // public internet clients. This is covered below. match-clients { any; }; ... .. };

Default configuration files: Red Hat may supply the default configuration in: /usr/share/doc/bind-9.X.X/sample/etc/named.conf

• cp /usr/share/doc/bind-9.X.X/sample/etc/named.conf /var/named/chroot/etc
• cp /usr/share/doc/bind-9.X.X/sample/etc/named.root.hints /var/named/chroot/etc
• chcon -u system_u -r object_r -t named_conf_t /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.root.hints

view "localhost_resolver": If supporting a caching DNS server (not required to support a web domain) you will also need the files:

• cp /usr/share/doc/bind-9.X.X/sample/etc/named.rfc1912.zones /var/named/chroot/etc
• cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zones /var/named/chroot/var/named
  also from /usr/share/doc/bind-9.X.X/sample/var/named/: localhost.zones, named.local, named.zero, named.broadcast, named.ip6.local, named.root

view "external": (master) - details -

view "external" { /* This view will contain zones you want to serve only to "external" clients * that have addresses that are not on your directly attached LAN interface subnets: */ match-clients { any; }; match-destinations { any; }; allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS recursion no; // you'd probably want to deny recursion to external clients, so you don't // end up providing free DNS service to all takers // all views must contain the root hints zone: include "/etc/named.root.hints"; // These are your "authoritative" external zones, and would probably // contain entries for just your web and mail servers: zone "your-domain.com" { type master; file "/var/named/data/external/named.your-domain.com"; notify yes; allow-update { none; }; }; // You can also add the zones as a separate file like they do in Ubuntu by adding the following statement include "/etc/named.conf.local"; };

DNS key:

Use the following command /usr/sbin/dns-keygen to create a key. Add this key to the "secret" statement as follows:

key ddns_key { algorithm hmac-md5; secret "XlYKYLF5Y7YOYFFFY6YiYYXyFFFFBYYYYFfYYYJiYFYFYYLVrnrWrrrqrrrq"; };

Man Pages:

• named.conf

Forward Zone File: /var/named/named.your-domain.com

Red Hat 9 / CentOS 3: /var/named/named.your-domain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: [Chrooted] /var/named/chroot/var/named/data/named.your-domain.com
Red Hat EL4/5, Fedora 3+, CentOS 4/5: /var/named/data/named.your-domain.com
Ubuntu / Debian: /etc/bind/data/named.your-domain.com

$TTL 604800 - Bind 9 (and some of the later versions of Bind 8) requires $TTL statement. Measured in seconds. This value is 7 days. your-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. ( 2000021600 ; serial - Many people use year+month+day+integer as a system. Never greater than 2147483647 for a 32 bit processor. 86400 ; refresh - How often secondary servers (in seconds) should check in for changes in serial number. (86400 sec = 24 hrs) 7200 ; retry - How long secondary server should wait for a retry if contact failed. 1209600 ; expire - Secondary server to purge info after this length of time. 86400 ) ; default_ttl - How long data is held in cache by remote servers. IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain. I put the web server IP address here so that domain.com points to the same servers as www.domain.com ; ; Name servers for the domain ; IN NS ns1.your-domain.com. IN NS ns2.your-domain.com. ; ; Mail server for domain ; IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address! ; ; Nodes in domain ; node1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1 ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1 ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2 mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail. IN MX 5 XXX.XXX.XXX.XXX - Identify the IP address for mail server named "mail". ; ; Aliases to existing nodes in domain ; www IN CNAME node1 - Define the webserver "www" to be node1. ftp IN CNAME node1 - Define the ftp server to be node1.

MX records for 3rd party off-site mail servers:

your-domain.com. IN MX 10 mail1.offsitemail.com. your-domain.com. IN MX 20 mail2.offsitemail.com.

Append to the above file.

Initial configuration: Note that Red Hat may supply the default zone configuration in: /usr/share/doc/bind-9.X.X/sample/var/named/

• cp /usr/share/doc/bind-9.X.X/sample/var/named/localhost.zone /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/localdomain.zone /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.broadcast /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.ip6.local /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.zero /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.local /var/named/chroot/var/named/data/
• cp /usr/share/doc/bind-9.X.X/sample/var/named/named.root /var/named/chroot/var/named/data/
• cd /var/named/chroot/var/named/data/
• chcon -u system_u -r object_r -t named_cache_t localhost.zone localdomain.zone named.broadcast named.ip6.local named.zero named.root named.local

A file suffix of "zone" is also common i.e. your-domain.com.zone

Secondary server (slave):

File: named.conf

Red Hat / Fedora Core / CentOS: /etc/named.conf
Ubuntu / Debian: /etc/bind/named.conf
Simple example with no views:

options { - Ubuntu stores options in /etc/bind/named.conf.options version "Bind"; - Don't disclose real version to hackers directory "/var/named"; allow-transfer { none; }; - Slave is not transfering updates to anyone else recursion no; auth-nxdomain no; - conform to RFC1035. (default) fetch-glue no; - Bind 8 only! Not used by version 9 }; zone "localhost" { type master; file "/etc/bind/db.local"; - Ubutu: /etc/bind/db.local, Red Hat: /var/named/named.local }; zone "0.0.127.in-addr.arpa" { type master; file "/etc/bind/db.127"; }; zone "your-domain.com"{ type slave; file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RHEL4/5 chrooted bind masters { XXX.XXX.XXX.XXX; }; - IP address of primary DNS }; zone "your-domain-2.com"{ type slave; file "named.your-domain-2.com"; masters { XXX.XXX.XXX.XXX; }; };

view "external": (slave)

view "external" { match-clients { any; }; match-destinations { any; }; allow-transfer { none; }; - Slave does not transfer to anyone, slave receives recursion no; include "/etc/named.root.hints"; zone "your-domain.com" { type slave; file "/var/named/slaves/external/named.your-domain.com"; notify no; - Slave does not notify, slave is notified by master masters { XXX.XXX.XXX.XXX; }; - State IP of master server }; };

Note: RHEL4/5, CentOS 4/5, Fedora 3+ use chrooted directory structure permissions which require the use of the slaves subdirectory /var/named/slaves

Slave Zone Files: These are transfered from master to slave and chached by slave. There is no need to generate a zone file on the slave.

Additional Information:

• Man page on named.conf
• Man page on named DNS server
• Full DNS manual

[Potential Pitfall]: Ubuntu dapper/hardy - Path names used can not violate Apparmor security rules as defined in /etc/apparmor.d/usr.sbin.named. Note that the slave files are typically named "/var/lib/bind/named.your-domain.com" as permitted by the security configuration.

[Potential Pitfall]: Ubuntu dapper/hardy - Create log file and set ownership and permission for file not created by installation:

• touch /var/log/bindlog
• chown root.bind /var/log/bindlog
• chmod 664 /var/log/bindlog

[Potential Pitfall]: Error in /var/log/messages:

transfer of 'yolinux.com/IN' from XXX.XXX.XXX.XXX#53: failed while receiving responses: permission denied

Named needs write permission on the directory containing the file. This condition often occurs for a new "slave" or "secondary" name server where the zone files do not yet exist.
The default (RHEL4/5, CentOS 4/5, Fedora Core 3+, ...):

• drwxr-x--- 4 root named 4096 Aug 25 2004 named
• drwxrwx--- 2 named named 4096 Sep 17 20:37 slaves

Fix: In named.conf specify that the slaves to go to slaves directory /var/named/chroot/var/named/slaves with the directive:

file "slaves/named.your-domain.com";

Bind Defaults:

• Uses port 53 if none is specified with the listen-on port statement.
• Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement in /etc/named.conf

  query-source address * port 53; query-source-v6 port 53;

• Logging is to /var/log/messages

After the configuration files have been edited, restart the name daemon.

/etc/init.d/named restart

(Note: Ubuntu / Debian restart: /etc/init.d/bind9 restart)

Bind zone transfers work best if the clocks of the two systems are synchronised.
File: /var/named/named.your-domain.com This is created for you by Bind on the slave (secondary) server when it replicates from Primary server.

---

Test DNS:

Must install packages:

• Red Hat / Fedora Core / SuSE: bind-utils
• Ubuntu (dapper/hardy) / Debian: bind9-host

Test the name server with the host command in interactive mode:

   host  node.domain-to-test.com your-nameserver-to-test.domain.com
          

Note: The name server may also be specified by IP address.

or

Test the name server with the nslookup command in interactive mode:

   nslookup

   > server your-nameserver-to-test.domain.com
   > node.domain-to-test.com
   > exit
          

Test the MX record if appropriate:

   nslookup -querytype=mx domain-to-test.com
   
   OR

   host -t mx domain-to-test.com
          

Test using the dig command:

   dig @name-server domain-to-query

   OR

   dig @IP-address-of-name-server domain-to-query
          

Test your DNS with the following DNS diagnostics web site: DnsStuff.com

---

Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.

logging { channel bindlog { file "/var/log/bindlog" versions 5 size 1m; - Keep five old versions of the log-file (rotates logs) print-time yes; print-category yes; print-severity yes; }; /* If you want to enable debugging, eg. using the 'rndc trace' command, * named will try to write the 'named.run' file in the $directory (/var/named). * By default, SELinux policy does not allow named to modify the /var/named directory, * so put the default debug log file in data/ : */ channel default_debug { file "data/named.run"; severity dynamic; }; category xfer-out { bindlog; }; - Zone transfers category xfer-in { bindlog; }; - Zone transfers category security { bindlog; }; - Approved/unapproved requests // The following logging statements, panic, insist and response-checks are valid for Bind 8 only. Do not user for version 9. category panic { bindlog; }; - System shutdowns category insist { bindlog; }; - Internal consistency check failures category response-checks { bindlog; }; - Messages };

---

Chroot Bind for extra security:

Note: Most modern Linux distributions default to a "chrooted" installation. This technique runs the Bind name service with a view of the filesystem which changes the definition of the root directory "/" to a directory in which Bind will operate. i.e. /var/named/chroot.

The following example uses the Red Hat RPM bind-8.2.3-0.6.x.i386.rpm. Applies to Bind version 9 as well.

The latest RedHat bind updates run the named as user "named" to avoid a lot of earlier hacker exploits. To chroot the process is to create an even more secure environment by limiting the view of the system that the process can access. The process is limited to the chrooted directory assigned.

The chroot of the named process to a directory under a given user will prevent the possibility of an exploit which at one time would result in root access. The original default RedHat configuration (6.2) ran the named process as root, thus if an exploit was found, the named process will allow the hacker to use the privileges of the root user. (no longer true)

Named Command Sytax:

   named -u user -g group -t directory-to-chroot-to
          

Example:

    named -u named -g named -t /opt/named

When chrooted, the process does not have access to system libraries thus a local lib directory is required with the appropriate library files - theoretically. This does not seem to be the case here and as noted above in chrooted FTP. It's a mystery to me but it works???? Another method to handle libraries is to re-compile the named binary with everything statically linked. Add -static to the compile options. The chrooted process should also require a local /etc/named.conf etc... but doesn't seem to???

Script to create a chrooted bind environment:

#!/bin/sh cd /opt mkdir named cd named mkdir etc mkdir bin mkdir var cd var mkdir named mkdir run cd .. chown -R named.named bin etc var

You can probably stop here. If your system acts like a chrooted system should, then continue with the following:

cp -p /etc/named.conf etc cp -p /etc/localtime etc cp -p /bin/false bin echo "named:x:25:25:Named:/var/named:/bin/false" > etc/passwd echo "named:x:25:" > etc/group touch var/run/named.pid if [ -f /etc/namedb ] then cp -p /etc/namedb etc/namedb fi mkdir dev cd dev # Create a character unbuffered file. mknod -m ugo+rw null c 1 3 cd .. chown -R named.named bin etc var

Add changes to the init script: /etc/rc.d/init.d/named

#!/bin/bash # # named This shell script takes care of starting and stopping # named (BIND DNS server). # # chkconfig: - 55 45 # description: named (BIND) is a Domain Name Server (DNS) \ # that is used to resolve host names to IP addresses. # probe: true # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 [ -f /etc/sysconfig/named ] && . /etc/sysconfig/named - Added in Red Hat version 7.1 [ -f /usr/sbin/named ] || exit 0 [ -f /etc/named.conf ] || exit 0 RETVAL=0 start() { # Start daemons. echo -n "Starting named: " daemon named -u named -g named -t /opt/named - Change made here RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named echo return $RETVAL } stop() { # Stop daemons. echo -n "Shutting down named: " killproc named RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named echo return $RETVAL } rhstatus() { /usr/sbin/ndc status return $? } restart() { stop start } reload() { /usr/sbin/ndc reload return $? } probe() { # named knows how to reload intelligently; we don't want linuxconf # to offer to restart every time /usr/sbin/ndc reload >/dev/null 2>&1 || echo start return $? } # See how we were called. case "$1" in start) start ;; stop) stop ;; status) rhstatus ;; restart) restart ;; condrestart) [ -f /var/lock/subsys/named ] && restart || : ;; reload) reload ;; probe) probe ;; *) echo "Usage: named {start|stop|status|restart|condrestart|reload|probe}" exit 1 esac exit $?

Note: The current version of bind from the RedHat errata updates and security fixes (http://www.redhat.com/support/errata/) runs the named process as user "named" in the home (not chrooted) directory /var/named with no shell available. (named -u named) This should be secure enough. Proceed with a chrooted installation if your are paranoid.

See:

• Securing DNS: How to use chroot bind features

---

Chrooted DNS configuration:

Modern releases of Linux (i.e. Fedore Core 3, Red Hat Enterprise Linux 4) come preconfigured to use "chrooted" bind. This security feature forces even an exploited version of bind to only operate within the "chrooted" jail /var/named/chroot which contains the familiar directories:

• /var/named/chroot/etc: Configuration files
• /var/named/chroot/dev: devices used by bind:
  • /dev/null
  • /dev/random
  • /dev/zero
  (Real devices created with the mknod command.)
• /var/named/chroot/var: Zone files and configuration information.

These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

If building from source you will have to generate this configuration manually:

• mkdir -p /var/named/chroot
• mkdir /var/named/chroot/dev
• mknod /var/named/chroot/dev/null c 1 3
• mknod /var/named/chroot/dev/zero c 1 5
• mknod /var/named/chroot/dev/random c 1 8
• chmod 666 -R /var/named/chroot/dev
• mkdir -p /var/named/chroot/etc
• ln -s /var/named/chroot/etc/named.conf /etc/named.conf
• mkdir -p /var/named/chroot/var/named
• ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
• ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
• ...
• mkdir -p /var/named/chroot/var/named/slaves
• mkdir -p /var/named/chroot/var/named/data
• mkdir -p /var/named/chroot/var/run
• mkdir -p /var/named/chroot/var/tmp
• chown -R named:named /var/named/chroot
• chown -R root:named /var/named/chroot/var/named

---

Load Balancing of servers using Bind: DNS Round-Robin

This will populate name servers around the world with different IP addresses for your web server www.your-domain.com

www0 IN A XXX.XXX.XXX.1 www1 IN A XXX.XXX.XXX.2 www2 IN A XXX.XXX.XXX.3 www3 IN A XXX.XXX.XXX.4 www4 IN A XXX.XXX.XXX.5 www5 IN A XXX.XXX.XXX.6 www IN CNAME www0.your-domain.com. IN CNAME www1.your-domain.com. IN CNAME www2.your-domain.com. IN CNAME www3.your-domain.com. IN CNAME www4.your-domain.com. IN CNAME www5.your-domain.com. IN CNAME www6.your-domain.com.

Also see lbnamed: lbnamed load balancing named

---

Bind/DNS Links:

• Internet Software Consortium (ISC) Home Page - ISC Bind Home
• Bind FAQ, pitfalls and answers
• Zytrax Bind 9 manual - Bind for rocket scientists
• comp.protocols.tcp-ip.domains FAQ - HTML version
• More on load balancing and round robin schemes
• LDP DNS-HOWTO
• ACME: DNS resources
• DNS Security presentation - Cricket Liu (coauthor of DNS and Bind)
• DNS Security Paper - Craig Rowland
• GraniteCanyon.com: Free DNS hosting - If you don't want to set it up, have someone do it for you.
• EveryDNS.net - Free DNS
• DNS2GO - Domain hosting for DHCP clients.
• Secondary.com - Free secondary names server hosting (five or fewer domains)
• TZO.com - Dynamic, secondary DNS services.
• UltraDNS.com - Outsourced DNS management and service
• OpenDNS.com - Can allow forwarding to OpenDNS servers.
  Add to "options" section: forwarders { 208.67.222.222; 208.67.222.220; };
• DynDNS.org
  Command: ipcheck.py -i eth0 DynDNS-user-id password node.dnsalias.net
  Then add script update.dyndns.ip to directory /etc/cron.daily/ to update IP.
  This host must also be allowed access through any firewall rules.
• DynDNS/TODD - Dynamic DNS for those with dynamic IP addresses. (i.e. dial-up game servers etc.)

Domain name registration:

• Domain Name Registrars:
  • NetworkSolutions.com
  • Register.com
  • Registrar.GoDaddy.com - Domain name registration for only $8.95/year!!!
  • Dotster.com - Domain name registration for only $14.95/year
  • DomainsNext.com - $11.95/year
  • EasyDNS.com - $25.00/year
  • Aplus.net - Domain Registration $7.95/year - Not good
  • Gandi.net - European
• AfterNic.com - Domain name exchange and auction.
• BuyDomains.com - Buy a domain name that a squatter is holding.

Note that the Name registrations policies for the registrars are stated at ICANN.org.

• You must renew with the same registrar within five days BEFORE the expiration date. There is no rule for afterwards.
• Most free a domain name 30 days after it expires.