UNIX System Administration Handbook - Evi Nemeth [287]
See page 675 for more information about firewalls.
In this setup, your hints file should point to local name servers, not to the root servers of the Internet. You should still get a registered domain name and legitimate IP addresses, or perhaps use the RFC1918 private addresses described on page 279.
16.16 VENDOR SPECIFICS
This section describes the atrocities committed on ISC’s freely distributed BIND code by our helpful vendors. We include pointers to the configuration files, the release of BIND on which each vendor’s software is based, and information about how to integrate BIND with other sources of administrative data such as flat files or NIS.
A more complete discussion of this last topic is presented in Chapter 18. In particular, refer to the material beginning on page 523.
Specifics for Solaris
Both Solaris 7 and 8 currently ship with BIND 8.1.2. Solaris uses a service order file called /etc/nsswitch.conf to specify how BIND, NIS, NIS+, and the /etc/hosts file interact. Modifying the hosts line in that file to
hosts: files dns
causes name resolution to try /etc/hosts first and then try DNS. Putting crucial servers and routers in the /etc/hosts file eases the chicken-and-egg problems that sometimes occur at boot time before name service is available.
The Sun manual recommends that you run your NIS servers in DNS forwarding mode, in which they forward queries that cannot be answered from the local database to a DNS server. Thus, the vendor-recommended configuration is
hosts: nis [NOTFOUND=return] files
We disagree. A local NIS server is no faster than a local DNS server and the data must be in DNS in order for the outside world to access your site anyway. Even if your site uses NIS, it’s best to keep the two systems separate.
Table 16.17 summarizes the BIND filenames and locations for Solaris.
Table 16.17 BIND files in Solaris
a. The directory specified in /etc/named.conf as the home for BIND files
The Solaris man page for in.named contains several lies. It mentions dumping the statistics with the IOT signal, which the Solaris kill command doesn’t support; it has been replaced with the ABRT signal. However, even ABRT does not dump the statistics—it kills named dead. We found by reading the source code that it’s the ILL signal that dumps the statistics file.
The man page also says that the database is dumped into the file nameddump.db, but that’s wrong too. The correct filename is named_dump.db. The switch from BIND 4 to BIND 8 may not have included a careful rewrite of the man page (perhaps not even by the BIND folks).
Specifics for HP-UX
HP-UX 11.00’s BIND is based on BIND 4.9.7. It uses the same nsswitch.conf system that Solaris does. The raw system ships with several sample files in the /etc directory, but none named nsswitch.conf. (Try ls /etc/nssw* to see your options.)
To create an nsswitch.conf file, read the man page to see what configuration you want to implement and then steal the right bits from the samples provided. One of the samples is /etc/nsswitch.hp_defaults, which shows the behavior you’ll get if the nsswitch.conf file does not exist or if it contains a syntax error. With respect to host lookups, it is the following:
hosts: dns [NOTFOUND=return] nis [NOTFOUND=return] files
This configuration uses DNS first, but if DNS is unavailable or not configured, the lookup next tries NIS and then the /etc/hosts file. If DNS is available but is unable to find the name in question, the lookup returns with a “host unknown” error.
To be sure that DNS and booting do not conflict, we recommend a configuration more like this:
hosts: files [NOTFOUND=continue] dns
If you use NIS, put it between files and DNS, again with continue as the action to take when an error occurs. It’s important to be able to configure
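To make the difference between these hosts lines concrete (the Solaris `files dns` versus Sun's `nis [NOTFOUND=return] files`, and the HP-UX default versus the `files [NOTFOUND=continue] dns` recommended above), here is a small simulator of the nsswitch.conf lookup semantics. It is an added example, not code from the book or from any vendor: the status names (SUCCESS, NOTFOUND, UNAVAIL, TRYAGAIN), the default actions, and the hosts/zone data are assumptions modelled on nsswitch.conf(4) and constructed for the illustration.

```python
import re

# Default per-status actions, assumed from nsswitch.conf(4): a SUCCESS
# stops the search, every other status falls through to the next source
# unless the line says [STATUS=return] after that source.
DEFAULT_ACTIONS = {"SUCCESS": "return", "NOTFOUND": "continue",
                   "UNAVAIL": "continue", "TRYAGAIN": "continue"}


def parse_hosts_line(line):
    """Turn 'hosts: src [STATUS=action ...] src ...' into a list of
    (source, {status: action}) pairs in lookup order."""
    _, _, body = line.partition(":")
    entries = []
    for tok in re.findall(r"\[[^\]]*\]|\S+", body):
        if tok.startswith("["):
            if not entries:
                raise ValueError("status action before any source: " + line)
            for pair in tok[1:-1].split():        # e.g. NOTFOUND=return
                status, _, action = pair.partition("=")
                entries[-1][1][status.upper()] = action.lower()
        else:
            entries.append((tok.lower(), dict(DEFAULT_ACTIONS)))
    return entries


def resolve(line, name, sources):
    """Walk the sources in the configured order. Each source is a callable
    returning (status, address). Returns (address or None, status trace)."""
    trace = []
    for source, actions in parse_hosts_line(line):
        status, addr = sources[source](name)
        trace.append(f"{source}={status}")
        if status == "SUCCESS":
            return addr, trace
        if actions.get(status, "continue") == "return":
            break                       # [STATUS=return]: give up here
    return None, trace


# Constructed data: a router that only /etc/hosts knows (the boot-time
# case described in the text) and a host that only DNS knows.
HOSTS_FILE = {"gw.example.com": "192.0.2.1"}
DNS_ZONE = {"www.example.com": "192.0.2.80"}


def files_lookup(name):
    if name in HOSTS_FILE:
        return ("SUCCESS", HOSTS_FILE[name])
    return ("NOTFOUND", None)


def table_source(data, available):
    """Build a DNS- or NIS-like source. available=False models the server
    being unreachable (early in boot, for instance), which yields UNAVAIL
    rather than NOTFOUND."""
    def lookup(name):
        if not available:
            return ("UNAVAIL", None)
        if name in data:
            return ("SUCCESS", data[name])
        return ("NOTFOUND", None)
    return lookup


def sources_for(dns_up, nis_up):
    # The NIS map is left empty: a NIS server that knows nothing.
    return {"files": files_lookup,
            "dns": table_source(DNS_ZONE, dns_up),
            "nis": table_source({}, nis_up)}


SOLARIS_OURS = "hosts: files dns"
SUN_RECOMMENDED = "hosts: nis [NOTFOUND=return] files"
HP_DEFAULT = "hosts: dns [NOTFOUND=return] nis [NOTFOUND=return] files"
HP_OURS = "hosts: files [NOTFOUND=continue] dns"

if __name__ == "__main__":
    for label, line in [("solaris/ours", SOLARIS_OURS),
                        ("sun recommended", SUN_RECOMMENDED),
                        ("hp default", HP_DEFAULT),
                        ("hp/ours", HP_OURS)]:
        for servers_up in (False, True):
            addr, trace = resolve(line, "gw.example.com",
                                  sources_for(servers_up, servers_up))
            print(f"{label:16} servers_up={servers_up!s:5} -> {addr}  {trace}")
```

Running it shows the two failure modes the text warns about: with the HP-UX default, a working DNS that does not know the router answers NOTFOUND and the `[NOTFOUND=return]` stops the search before /etc/hosts is ever read, and with the Sun-recommended line a reachable NIS server that lacks the entry does the same. The `files ... dns` lines answer the router from /etc/hosts whether or not the servers are up.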