Friday, December 12, 2003

Init Script

What is an initscript service and how do I start and stop it?

Linux has several methods for running programs automatically, without direct input from the user. One of these methods is the SysV initscripts. Programs started by these initscripts are called initscript services or simply services. Every initscript service has a name associated with it. You can get a list of the services installed on a system using the chkconfig command:

chkconfig --list

An initscript service can be set up to run, or not run, automatically when the system is booted:

chkconfig <service> on

causes the service to start when the system is booted, and

chkconfig <service> off

causes the service to not be started when the system is booted. The chkconfig command does not immediately start or stop a service; it only changes what happens to the service at the next reboot. To immediately start, stop, or check the current status of a service, use the service command:

service <service> start
service <service> stop
service <service> status

For more information on the chkconfig command, refer to the chkconfig man page. For more information on SYSV initscripts in general, refer to the documentation included in the initscripts RPM.

Thursday, November 20, 2003

How can I quickly tell what file systems my current kernel can handle?


The kernel provides a list of file system types it is able to mount via the /proc file system. To view the list, run the command cat /proc/filesystems. The output will look something like:

nodev    proc
nodev nfs
nodev smbfs

In this output, the entry vfat means you can mount FAT/VFAT (Microsoft Windows) partitions. The entries ending with smbfs and nfs mean you can interact with file servers that use SMBFS (Microsoft's Server Message Block File System, accessed via Samba) or NFS (Sun's Network File System). The iso9660 indicates that you can mount standard CD-ROM file systems, and ext3 and ext2 indicate that you can mount those kinds of Linux file systems.

In the first column, nodev indicates that the file system is not associated with a physical device, like the /proc file system itself, which has information about the state of the running kernel.

Sunday, October 12, 2003


I prefer to install software from native packages meant for my distribution, from the vendor or project that publishes the distro, as much as possible. This has a number of advantages, not the least of which is that I don't have to recompile the software myself whenever there's a security update or bug fix for the software.

However, there are a lot of instances where this just isn't possible. Maybe the software isn't available for the distro that I'm using, or I need to use a newer version that's not available from the vendor or project. In those cases, I still like to build a native package so that it's easier to manage than just installing directly from source code.

For those cases, I use CheckInstall to simplify creating a package. CheckInstall lets me create an RPM, Debian package, or Slackware package almost as easily as compiling software from source. Instead of running ./configure; make; make install I just run ./configure; make; checkinstall.

I've been using CheckInstall for several years, and I've never run into a problem with any of the packages it creates. It's also handy for rolling packages for limited distribution -- for example, when I want to install a piece of software on three or four machines without needing to compile it separately on each system.

Tuesday, September 30, 2003

How To - Wget

Download a complete site to your system using Wget

wget --mirror -w 2 -p --html-extension --convert-links -P /home/sriram/websites/raid/mirror/ <URL>

How can I make Wget ignore the robots.txt file?

wget -erobots=off

Sunday, August 03, 2003

Internet Sharing on Linux

For Internet sharing you need to enable packet forwarding on the PC that is connected to the Internet (the gateway PC). On the other PC you must set the default route to the IP address of the gateway PC (the gateway PC's default route must be set to your ISP's gateway IP address). The PCs should also be set up to use a DNS server - your ISP will give you these.

To enable packet forwarding, set the value in /proc/sys/net/ipv4/ip_forward to 1.

Friday, July 18, 2003

Sudooo Voodooo

Sudo is a handy little tool that is of value to both system administrators and common folks like us. What does it do? It allows you to temporarily assume the permissions of another user, up to and including root. If you belong to the camp that says you should only have root privileges at the time they are needed, sudo makes your life a little easier by making it easier to shape-shift between the permissions for a mere mortal and those of the super user.

We'll start with an easy -- and not uncommon -- example. You need to make a change to a configuration file in order to take advantage of your latest hardware acquisition. Gedit is your editor of choice, but you need root privileges in order to write a modified version of the config. What to do? Sudo, of course. Open a console and enter this:

sudo gedit /etc/some.conf

Depending on which distribution you use, you'll be prompted for your user password or the root password. When you've entered it, you'll immediately have the file you want to edit in front of you. Better yet, when you're finished, you'll be able to save it.

It's important to note that after entering the password, you can use sudo again for a short period without needing to use the password again. The default is five minutes, though this can be changed in sudo's configuration file. You can bring the curtain down early on that condition by entering:

sudo -k

This tells sudo to invalidate your timestamp, so that you'll be prompted for a password the next time you use sudo.

But wait, I don't like gedit!

Don't worry, you can use the editor of your dreams instead. In fact, try this:

sudo -e /etc/some.conf

That does the same thing as the command above that specifies gedit, but it uses the editor in your EDITOR environment string, or the one noted in /etc/sudoers, which is the configuration file used by sudo.

And finally, if the -e argument is too hard for you to type, then just type:

sudoedit /etc/some.conf

It behaves exactly the same as the sudo command using the -e option.

Often, you'll need just to have root access in the shell, instead of root permissions for a single command. Sudo handles that circumstance, too. Just enter:

sudo -s

That will give you a shell with full root permissions, which will remain in effect until you exit the shell.

Sometimes you may need to run a command as a user other than root. This is no problem for sudo. The command is:

sudo -u username command

Here is a list of other sudo options you may find handy:

  • -v Resets the time-stamp set when you've started sudo to extend the time available, without running a command.
  • -H Resets the HOME environment variable to that of root or the user whose ID is being used to satisfy permissions.
  • -K Similar to the -k option, except that it removes the time-stamp completely.
  • -b The command sudo is executing will be run in the background.
  • -l Lists the commands available to the user.

Sudo's configuration file, /etc/sudoers, describes to sudo who can do what. Some distros, like SUSE, include all users in the file by default. Others, like Ubuntu, include only the first user in the admin group. But for many distributions, you may need to add yourself to /etc/sudoers in order to use the sudo command.

To add a user to /etc/sudoers, you'll need to use the visudo command -- don't edit the file using another editor. Run visudo to add a user to the file. The basic format for adding users is:

user HOST = (otheruser) command

The first field is for the user that will run sudo. When you use sudo, it checks whether your username is in the /etc/sudoers file, or whether you belong to a group that's in the /etc/sudoers file. If not, you'll usually get a message saying you're not in the sudoers file.

The HOST field lists servers that the user is allowed to use sudo on. If you're not setting up sudo for use on multiple machines, it's usually safe to just say "ALL" here. The command field lists one or more commands that the user is allowed to use with sudo, and the (otheruser) field tells sudo what users the sudo'ing user may run a command as. Let's say you want to allow a user to run all commands, as any user, using sudo. Then you'd have an entry that looks like this:

user ALL=(ALL) ALL

On the other hand, if you want to restrict the user bob to one command that he can run as root, you could do so like this:

bob ALL=(root) /usr/sbin/tcpdump

This restricts bob to running the tcpdump command as root. He won't be able to run any other commands as root, nor will he be able to run tcpdump or any other commands as another user.
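
A small audit of entries in the basic user HOST = (otheruser) command form described above, flagging rules that grant every command. This is an added example, not part of the original column; the function names and every sample entry except bob's are constructed for illustration, and it handles only this basic form (no alias expansion or line continuations).

```shell
#!/bin/sh
# audit_sudoers FILE: print "user host runas verdict" for each basic user rule.
audit_sudoers() {
    awk '
        /^[ \t]*(#|$)/                     { next }   # comments, blank lines
        $1 ~ /^Defaults/ || $1 ~ /_Alias$/ { next }   # settings and aliases
        {
            eq = index($0, "=")
            if (eq == 0 || NF < 2) { print "unparsed:", $0; next }
            user = $1
            # Host list is whatever sits between the user name and "=".
            host = substr($0, 1, eq - 1)
            sub(/^[ \t]*[^ \t]+[ \t]+/, "", host); gsub(/[ \t]/, "", host)
            rest = substr($0, eq + 1)
            runas = "root"          # sudo runs as root when (otheruser) is omitted
            if (match(rest, /^[ \t]*\([^)]*\)/)) {
                runas = substr(rest, RSTART, RLENGTH)
                gsub(/[ \t()]/, "", runas)
                rest = substr(rest, RSTART + RLENGTH)
            }
            all = 0
            n = split(rest, cmds, ",")
            for (i = 1; i <= n; i++) {
                gsub(/^[ \t]+|[ \t]+$/, "", cmds[i])
                sub(/^([A-Z_]+:[ \t]*)+/, "", cmds[i])   # drop tags like NOPASSWD:
                if (cmds[i] == "ALL") all = 1
            }
            if (all && runas == "ALL") verdict = "any-command-as-any-user"
            else if (all)              verdict = "any-command-as-" runas
            else                       verdict = "restricted"
            print user, host, runas, verdict
        }
    ' "$1"
}

# Constructed sample file; only the bob entry appears in the article.
demo_sudoers() {
    f=$(mktemp) || return 1
    cat > "$f" <<'EOF'
# constructed sample entries
Defaults env_reset
alice ALL = (ALL) ALL
bob ALL=(root) /usr/sbin/tcpdump
dave ALL = ALL
%ops web1 = (root) NOPASSWD: ALL
EOF
    audit_sudoers "$f"
    rm -f "$f"
}

demo_sudoers
```

Run it against a copy of the file, and keep making changes through visudo as the article says.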

That is just the tip of the iceberg, of course. Advanced configuration of /etc/sudoers is really more on the sysadmin side of the house than we like to get into in this column, which is written with newcomers in mind. If you are the curious type, read the man pages for sudo, sudoers, and visudo.

That's it for this week. Remember to visit the man, and remember too, it's not who you know, it's who you sudo.

Friday, June 20, 2003

Allowing non-root users to shutdown a Linux box.

1. As root, create a group shutdown.
# addgroup shutdown

2. Put /sbin/shutdown into the group shutdown.
# chown root:shutdown /sbin/shutdown

3. Change access rights to make /sbin/shutdown setuid and disallow
other users from executing shutdown.
# chmod 4754 /sbin/shutdown

4. Make a link from /bin/shutdown to /sbin/shutdown.
# ln -s /sbin/shutdown /bin/shutdown

Now anyone belonging to the group shutdown can execute shutdown, but I will
allow only the person in control of the keyboard to issue the shutdown
command. You might prefer something else.

For the following to work you need to have "shadow password" installed, but I
believe most have it.

5. Edit the file login.defs. Near the end of this file locate the line
#CONSOLE_GROUPS floppy:audio:cdrom
Remove the hash sign and add the group shutdown to this line and you get:
CONSOLE_GROUPS floppy:audio:cdrom:shutdown

That's it. Everyone logged in via the console will belong to these groups, so
you need not add anyone to them. I believe this is better than just adding
users to the group shutdown.
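
What mode 4754 from step 3 actually grants, decoded bit by bit, plus a check of the finished file against the layout built in steps 1 to 3. This is an added example, not part of the original post; the function names are this example's own, and audit_shutdown assumes GNU stat (the -c option).

```shell
#!/bin/sh
# triplet DIGIT SPECIAL CHAR: render one rwx group; SPECIAL=1 replaces x with CHAR.
triplet() {
    t_r=-; t_w=-; t_x=-
    if [ $(( $1 & 4 )) -ne 0 ]; then t_r=r; fi
    if [ $(( $1 & 2 )) -ne 0 ]; then t_w=w; fi
    if [ $(( $1 & 1 )) -ne 0 ]; then
        if [ "$2" -eq 1 ]; then t_x=$3; else t_x=x; fi
    elif [ "$2" -eq 1 ]; then
        t_x=$(printf '%s' "$3" | tr 'st' 'ST')   # special bit without execute
    fi
    printf '%s%s%s' "$t_r" "$t_w" "$t_x"
}

# mode_to_symbolic MODE: octal mode to ls-style string, e.g. 4754 -> rwsr-xr--
mode_to_symbolic() {
    case $1 in
        [0-7][0-7][0-7][0-7]) m=$1 ;;
        [0-7][0-7][0-7])      m=0$1 ;;
        *) echo "invalid mode: $1" >&2; return 2 ;;
    esac
    s=${m%???}; rest=${m#?}          # special digit, then owner/group/other
    u=${rest%??}; o=${rest#??}; g=${rest#?}; g=${g%?}
    printf '%s%s%s\n' \
        "$(triplet "$u" $(( (s & 4) / 4 )) s)" \
        "$(triplet "$g" $(( (s & 2) / 2 )) s)" \
        "$(triplet "$o" $(( s & 1 )) t)"
}

# setuid_exec_scope MODE: is the setuid bit set, and which classes may execute?
setuid_exec_scope() {
    sym=$(mode_to_symbolic "$1") || return 2
    scope=
    case $sym in ??[xs]??????) scope=owner ;; esac
    case $sym in ?????[xs]???) scope="$scope${scope:+,}group" ;; esac
    case $sym in ????????[xt]) scope="$scope${scope:+,}other" ;; esac
    case $sym in
        ??[sS]??????) echo "setuid exec=${scope:-none}" ;;
        *)            echo "plain exec=${scope:-none}" ;;
    esac
}

# audit_shutdown FILE GROUP: succeed only if FILE is root:GROUP with mode 4754.
audit_shutdown() {
    info=$(stat -c '%U %G %a' "$1") || return 2
    if [ "$info" = "root $2 4754" ]; then
        echo "ok: $1 is $info"
    else
        echo "unexpected: $1 is $info"
        return 1
    fi
}

# 4754 is the mode from step 3; 4755 is what it would be if "other" could run it.
for mode in 4754 4755; do
    printf '%s %s %s\n' "$mode" "$(mode_to_symbolic "$mode")" "$(setuid_exec_scope "$mode")"
done
```

On a system set up as above, audit_shutdown /sbin/shutdown shutdown reports whether the owner, group and mode still match.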

Sunday, May 18, 2003

Controlling login abilities

If you want the user to have full telnet/ftp/etc. access, use a real shell in
/etc/passwd (such as /bin/bash).

Non-login access can be set by using /bin/true (because /bin/true is in /etc/shells).

To allow no login and no FTP access, set the shell to /bin/false
(because /bin/false is not in /etc/shells).

(Note of the maintainer: in the latter case, the user can still have, for
example, POP3 access if there is a POP3 daemon, or access to other services
that do not check the user's shell.)
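
The three cases above depend on two files at once: the shell field in /etc/passwd and the list in /etc/shells. The following audit classifies each account accordingly; it is an added example, not part of the original post. The function names, the class labels, the sample accounts and the NONINTERACTIVE list are assumptions of this example.

```shell
#!/bin/sh
# Programs that exit immediately instead of giving a shell (assumed list).
NONINTERACTIVE="/bin/true /bin/false /sbin/nologin /usr/sbin/nologin"

# classify_accounts PASSWD SHELLS: print "user shell class" for every account.
#   full-access               real shell, listed in SHELLS (login and FTP)
#   no-login-ftp-ok           dummy shell that is listed in SHELLS (/bin/true case)
#   no-login-no-ftp           dummy shell not listed in SHELLS (/bin/false case)
#   login-ok-shell-unlisted   real shell missing from SHELLS (FTP refused)
classify_accounts() {
    awk -F: -v shells="$2" -v nonint="$NONINTERACTIVE" '
        BEGIN {
            # Load the valid-shell list, ignoring comments and blank lines.
            while ((getline line < shells) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]+/, "", line)
                if (line != "") valid[line] = 1
            }
            close(shells)
            n = split(nonint, a, " ")
            for (i = 1; i <= n; i++) dummy[a[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }
        NF < 7 { printf "%s ? malformed-entry\n", $1; next }
        {
            sh = ($7 == "") ? "/bin/sh" : $7    # empty shell field means /bin/sh
            listed = (sh in valid)
            if (sh in dummy) cls = listed ? "no-login-ftp-ok" : "no-login-no-ftp"
            else             cls = listed ? "full-access" : "login-ok-shell-unlisted"
            printf "%s %s %s\n", $1, sh, cls
        }
    ' "$1"
}

# Constructed sample files standing in for /etc/passwd and /etc/shells.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/shells" <<'EOF'
# constructed sample /etc/shells
/bin/sh
/bin/bash
/bin/true
EOF
    cat > "$dir/passwd" <<'EOF'
alice:x:500:500:Alice:/home/alice:/bin/bash
ftpuser:x:501:501:FTP only:/home/ftpuser:/bin/true
mailonly:x:502:502:POP3 only:/home/mailonly:/bin/false
legacy:x:503:503:Empty shell field:/home/legacy:
carol:x:504:504:Carol:/home/carol:/bin/zsh
EOF
    classify_accounts "$dir/passwd" "$dir/shells"
    rm -rf "$dir"
}

demo
```

As the maintainer's note says, no-login-no-ftp covers only services that check the shell; the mailonly account here could still use a POP3 daemon.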

Wednesday, April 30, 2003

Locking out non-root users

To disable all user logins (except for root) without taking down
the system into maintenance mode create a file /etc/nologin.
The content of this file will be displayed when a user tries to log
in. Useful when doing service on the system which might affect

Wednesday, April 09, 2003

How to monitor suspicious activity?

You can get the iplogger package, which will log every tcp connection made
to your machine. The lsof package is also useful for finding out if a
service is running on a port on your own machine. I believe lsof is
kernel version dependent, so you may have to experiment some....

[bash]$ lsof -i :22
sshd 32211 root 6u inet 0x0149ac0c 0t0 TCP *:ssh (LISTEN)

Also, if you are paranoid, I would suggest getting the tripwire package.
This will monitor your system for changed system files.

Friday, March 21, 2003

Webserver Tutorial - Part 3

In this concluding part of our three-part series on Apache Web server, we look at the remaining directives of main server configuration and understand virtual hosting.

Customizable error response

Customizable error response, the Apache style, comes in three flavors:

1) Plain text
ErrorDocument 500 "The server made a boo boo.
Note: The (") marks it as text, it does not get output.

2) Local redirects
ErrorDocument 404 /missing.html (redirects to the local URL /missing.html)
ErrorDocument 404 /cgi-bin/
Note: You can redirect to a script or a document using server-side-includes.

3) External redirects
ErrorDocument 402
Note: Many of the environment variables associated with the original request will not be available to such a script.

The following directives modify normal HTTP response behavior.
The first directive disables keepalive for Netscape 2.x and browsers that spoof it. There are known problems with these browser implementations. The second directive is for Microsoft Internet Explorer 4.0b2, which has a broken HTTP/1.1 implementation and does not properly support `keepalive' when it is used on 301 or 302 (redirect) responses.
BrowserMatch "Mozilla/2" nokeepalive
BrowserMatch "MSIE 4.0b2;" nokeepalive downgrade-1.0 force-response-1.0

The following directive disables HTTP/1.1 responses to browsers, which are in violation of the HTTP/1.0 spec by not being able to grok a basic 1.1 response.
BrowserMatch "RealPlayer 4.0" force-response-1.0
BrowserMatch "Java/1.0" force-response-1.0
BrowserMatch "JDK/1.0" force-response-1.0

If the perl module is installed, this will be enabled.

Alias /perl/ /home/httpd/perl/

SetHandler perl-script
PerlHandler Apache::Registry
Options +ExecCGI

Allow http put (such as Netscape Gold's publish feature)
Use htpasswd to generate /etc/httpd/conf/passwd

You must unremark these two lines at the top of this file as well:
LoadModule put_module modules/
AddModule mod_put.c
Alias /upload /tmp

EnablePut On
AuthType Basic
AuthName Temporary
AuthUserFile /etc/httpd/conf/passwd
EnableDelete Off
umask 007

require valid-user

To allow server status reports, use servername/server-status and change the "" to match your domain to enable.

SetHandler server-status
Order deny,allow
Deny from all
Allow from

To allow remote server configuration reports go to servername/server-info (requires that mod_info.c be loaded), and now change the "" to match your domain to enable.

SetHandler server-info
Order deny,allow
Deny from all
Allow from

You can allow access to local system documentation from localhost by:
Alias /doc/ /usr/doc/

order deny,allow
deny from all
allow from localhost
Options Indexes FollowSymLinks

Checking attacks

There have been reports of people trying to abuse an old bug from pre-1.1 days. This bug involved a CGI script distributed as a part of Apache. By uncommenting these lines you can redirect these attacks to a logging script on Or, you can record them yourself, using the script support/phf_abuse_log.cgi.

Deny from all
ErrorDocument 403

Proxy Server directives

Uncomment the following lines to enable the proxy server

ProxyRequests On

Order deny,allow
Deny from all
Allow from

Enable/disable the handling of HTTP/1.1 "Via:" headers.
( "Full" adds the server version; "Block" removes all outgoing Via: headers)
Set to one of: Off | On | Full | Block
ProxyVia On

To enable the cache as well, edit and uncomment the following lines:

(no caching without CacheRoot)
CacheRoot "/var/cache/httpd"
CacheSize 5
CacheGcInterval 4
CacheMaxExpire 24
CacheLastModifiedFactor 0.1
CacheDefaultExpire 1

Section 3: Virtual hosts

VirtualHost: If you want to maintain multiple domains/hostnames on your machine you can set up VirtualHost containers for them. Please see the documentation here for further details before you try to set up virtual hosts. You may use the command line option '-S' to verify your virtual host configuration.

If you want to use name-based virtual hosts, you need to define at least one IP address (and port number) for them.

VirtualHost example

Almost any Apache directive may go into a VirtualHost container.

DocumentRoot /www/docs/
ErrorLog logs/
CustomLog logs/ common

DocumentRoot /docfile
ErrorLog logs/err

DocumentRoot /htdoc
ErrorLog /home/err

DocumentRoot /home/chinu/public_html

DocumentRoot /home/

DocumentRoot /home/

After editing /etc/httpd/conf/httpd.conf properly, run /etc/rc.d/init.d/httpd restart.

Explanation of this file
1) note means comment (if removed then it means active state)

The main macro, which should be taken in to account for activation, are:

Now, before we go on to explanations, let's take an example and host it both without password protection and with password protection. Let's design an html page and then communicate with the server. After this we will figure out where to put the html and the server programme, which communicates with html in all the three cases.

Normal Hosting
Lets say our machine ip is: and the machine name is And these entries are there in /etc/hosts file:

cd /home/httpd/html
vi index.html

then write

The above code says that a form and a button of submit type are made which will call when clicked.
cd /home/httpd/cgi-bin

Then write exactly what's given below if you are not aware of perl-cgi programming.
print "Content-type: text/html\n\n";
print "

Welcome to my site

print "you have accessed through $ENV";

hope u visit again


After this comes out, the very first thing you do is chmod 755 (very important) or else the file won't be executed due to the Web server architecture restriction on this particular directory.

So what happens is, when you write lynx lynx, or
, this or or is mapped with the directory /home/httpd/html/index.html by default.

Now people might ask why are we going /home/httpd/html for html files and why do we go for /home/httpd/cgi-bin. Well, it is just because of the macro.

DocumentRoot /home/httpd/html and
ScriptAlias /cgi-bin/ /home/httpd/cgi-bin/

Options Indexes Includes FollowSymLinks
AllowOverride all
Order allow,deny
Allow from all

In above directive, `options' is the facility on that directory.


The default file to be accessed is index.html.
`AllowOverride' all or none: Sometimes a user wants to put password protection on a directory of information. This can only be done if AllowOverride all is written under the

Can you password protect any directory? Yes you can (discussed later in password protection topic).
Macro in /etc/httpd/conf/httpd.conf

You may ask why action=/cgi-bin/ is used. It is just because the ScriptAlias macro says that there is no need to give such a long path; it is better to give the short alias name of the directory. So, in normal hosting, html files should be in /home/httpd/html/, and normal cgi files should stay in /home/httpd/cgi-bin with 755 permissions.

Hosting in Virtual Directory

Why is it needed?

We have just seen that is mapped with /home/httpd/html/index.html. And if the file is not index.html, let's say a.html, then we have to call Now suppose a client also wants not to write the file name after the URL then in that case the Web server says, "create a login for each user who wants to host his site and then make a directory called "public_html" under login directory and now put index.html under that directory". For that, the directive in /etc/httpd/conf/httpd.conf should look like UserDir public_html

AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

Order allow,deny
Allow from all

Order deny,allow
Deny from all

Remember these directives are basically attached with " " so remove as shown above
Now, do the following:
1) adduser kshounish
2) passwd kshounish
3) exit


4) $ mkdir public_html
5) $ cd public_html
6) $ vi index.html

And write the code

see the virtual login hosting

7) $ cd /home/httpd/cgi-bin/

And write

print "Content-type: text/html\n\n";
print "

welcome in my virtual site

print "you have accessed through $ENV"; print"

hope u visit again


Now go to Netscape and say or say `$lynx'. It will take you to /home/kshounish/public_html/index.html. Do it for other logins too.

Hosting in Virtual Domain

This is the actual way of hosting Web pages. In the first case the way of accessing was
In the second case it was

But what if you want and in the same machine? Then there are two ways of hosting:
Shared hosting: In this technique, multiple sites are placed in same IP address of same machine.
Independent hosting: In this case each site will have independent IP on the same Ethernet card of same machine.

For Shared Hosting the directive you need is NameVirtualHost

DocumentRoot /docfile
ErrorLog logs/err

DocumentRoot /htdoc
ErrorLog /home/err

DocumentRoot /chiku

Remember the entire directory in documentroot has to be manually created.

In above case /htdoc,/chiku,/docfile directory has to be created and each directory will have index.html in each DocumentRoot specified. The above-mentioned thing is done.

Independent Hosting
ifconfig eth0:1
ifconfig eth0:2
ifconfig eth0:3

In this case the directive is BindAddress *

DocumentRoot /doc
ErrorLog logs/err

DocumentRoot /htoc
ErrorLog /home/err

DocumentRoot /chik

DNS Effect

Now in both cases the DNS has to be updated in the following way:
Assuming domain and machine kshounish1, see the following change in
vi /var/named/

IN SOA ( 2000011602 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl

kshounish1 IN A
sudhir IN A
chiku IN A
goldie IN A
sudhu IN A
gold IN A
chik IN A

Then vi /var/named/192.192.192.reverse
@ IN SOA (
2000011601 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl


Then /etc/rc.d/init.d/named restart
Remember, whenever you edit /etc/httpd/conf/httpd.conf, after closing it run /etc/rc.d/init.d/httpd restart

Password Protection to a Directory

Sometimes people want to get some important information. For this purpose, password authentication can be applied to a directory and the important files kept there, secure.
When we open the httpd.conf file we find something that looks like:
AllowOverride none

Change it to AllowOverride all, which means the user can set rules on that directory and override the default configuration for it. For that, a few more things have to be done:
AccessFileName .htaccess
This directive means that a directory where AllowOverride is `all' should have a .htaccess file in it.
Next step: vi /home/httpd/html/.htaccess

Then write
AuthName "password needed"
# where to keep the password file
AuthUserFile /home/httpd/html/password
AuthType basic
Require valid-user

Then come out of that file and run the command htpasswd -c -m /home/httpd/html/password goldie (remember, this login is only for the Web, not for the shell).
Then go to Netscape or IE on any machine and write

It will ask for the password. Give the login name as goldie and the password as the one that was given to the htpasswd command, and the process is over. With this we come to the end of our three-part tutorial on Web server. Hope this guide has helped you understand a Web server and its functioning.
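
The .htaccess above keeps its password file at /home/httpd/html/password, inside the DocumentRoot, where the server can hand it out like any other file; the rule in Part 2 that hides .htaccess and .htpasswd only covers names of that kind. The check below is an added example, not part of the original tutorial: the function names and verdict labels are this example's own, and it assumes the hidden names are those beginning with .ht.

```shell
#!/bin/sh
# check_authuserfile DOCROOT FILE: print "path verdict" per AuthUserFile line.
# Paths are compared as written; ".." components are not resolved.
check_authuserfile() {
    awk -v root="${1%/}" '
        tolower($1) == "authuserfile" {
            path = $2; gsub(/"/, "", path)
            n = split(path, part, "/"); base = part[n]
            if (path !~ /^\//)                   v = "relative-to-ServerRoot"
            else if (index(path, root "/") != 1) v = "outside-docroot"
            else if (base ~ /^\.ht/)             v = "inside-docroot-hidden-by-ht-rule"
            else                                 v = "inside-docroot-servable"
            print path, v
        }
    ' "$2"
}

demo_htaccess() {
    f=$(mktemp) || return 1
    # The .htaccess from the tutorial.
    cat > "$f" <<'EOF'
AuthName "password needed"
AuthUserFile /home/httpd/html/password
AuthType Basic
Require valid-user
EOF
    check_authuserfile /home/httpd/html "$f"
    # Constructed alternative: same directory, but a name the .ht rule hides.
    printf 'AuthUserFile /home/httpd/html/.htpasswd\n' > "$f"
    check_authuserfile /home/httpd/html "$f"
    # The location used for the PUT example earlier in this part.
    printf 'AuthUserFile /etc/httpd/conf/passwd\n' > "$f"
    check_authuserfile /home/httpd/html/ "$f"
    rm -f "$f"
}

demo_htaccess
```

A servable verdict means anyone who can fetch files from that directory, including every user who passes the password prompt, can download the stored password hashes.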

Saturday, March 15, 2003

Web Server Tutorial - Part 2

In the first part of this series on Apache Web server, we looked at how Web communication takes place. Here we deal with DSO and the main server configuration.

Dynamic Shared Object (DSO) Support

To be able to use the functionality of a module which was built as a DSO you have to place corresponding 'LoadModule' lines at this location so the directives contained in it are actually available before they are used. Please read the file README.DSO in the Apache 1.3 distribution for more details about the DSO mechanism and run 'httpd -l' for the list of already built-in (statically linked and thus always available) modules in your httpd binary.

Note: The order in which modules are loaded is important. Don't change the order below without expert advice.


LoadModule foo_module modules/
LoadModule mmap_static_module modules/
LoadModule vhost_alias_module modules/
LoadModule env_module modules/
LoadModule config_log_module modules/
LoadModule agent_log_module modules/
LoadModule referer_log_module modules/
LoadModule mime_magic_module modules/
LoadModule mime_module modules/
LoadModule negotiation_module modules/
LoadModule status_module modules/
LoadModule info_module modules/
LoadModule includes_module modules/
LoadModule autoindex_module modules/
LoadModule dir_module modules/
LoadModule cgi_module modules/
LoadModule asis_module modules/
LoadModule imap_module modules/
LoadModule action_module modules/
LoadModule speling_module modules/
LoadModule userdir_module modules/
LoadModule alias_module modules/
LoadModule rewrite_module modules/
LoadModule access_module modules/
LoadModule auth_module modules/
LoadModule anon_auth_module modules/
LoadModule db_auth_module modules/
LoadModule digest_module modules/
LoadModule proxy_module modules/
LoadModule cern_meta_module modules/
LoadModule expires_module modules/
LoadModule headers_module modules/
LoadModule usertrack_module modules/
LoadModule example_module modules/
LoadModule unique_id_module modules/
LoadModule setenvif_module modules/
LoadModule bandwidth_module modules/
LoadModule put_module modules/

Extra Modules

LoadModule perl_module modules/
LoadModule php_module modules/
LoadModule php3_module modules/

Reconstruction of the complete module list from all available modules (static and shared ones) to achieve correct module execution order is necessary (whenever you change the LoadModule section above update this too).

AddModule mod_mmap_static.c
AddModule mod_vhost_alias.c
AddModule mod_env.c
AddModule mod_log_config.c
AddModule mod_log_agent.c
AddModule mod_log_referer.c
AddModule mod_mime_magic.c
AddModule mod_mime.c
AddModule mod_negotiation.c
AddModule mod_status.c
AddModule mod_info.c
AddModule mod_include.c
AddModule mod_autoindex.c
AddModule mod_dir.c
AddModule mod_cgi.c
AddModule mod_asis.c
AddModule mod_imap.c
AddModule mod_actions.c
AddModule mod_speling.c
AddModule mod_userdir.c
AddModule mod_alias.c
AddModule mod_rewrite.c
AddModule mod_access.c
AddModule mod_auth.c
AddModule mod_auth_anon.c
AddModule mod_auth_db.c
AddModule mod_digest.c
AddModule mod_proxy.c
AddModule mod_cern_meta.c
AddModule mod_expires.c
AddModule mod_headers.c
AddModule mod_usertrack.c
AddModule mod_example.c
AddModule mod_unique_id.c
AddModule mod_so.c
AddModule mod_setenvif.c
AddModule mod_bandwidth.c
AddModule mod_put.c

Extra Modules

AddModule mod_perl.c
AddModule mod_php.c
AddModule mod_php3.c

ExtendedStatus: Controls whether Apache will generate "full" status information (ExtendedStatus On) or just basic information (ExtendedStatus Off) when the "server-status" handler is called. The default is Off.
ExtendedStatus On

Section 2: 'Main' server configuration

The directives in this section set up the values used by the 'main' server, which responds to any requests that aren't handled by a <VirtualHost> definition. These values also provide defaults for any <VirtualHost> containers you may define later in the file. All of these directives may appear inside <VirtualHost> containers, in which case these default settings will be overridden for the virtual host being defined.

If your ServerType directive (set earlier in the 'Global Environment' section) is set to "inetd", the next few directives don't have any effect since their settings are defined by the inetd configuration.
Skip ahead to the ServerAdmin directive.

Port: The port to which the standalone server listens. For ports <1023,
User/Group: The name (or number) of the user/group to run httpd as:
On SCO (ODT 3) use "User nouser" and "Group nogroup".
On HPUX you may not be able to use shared memory as anybody, and the suggested workaround is to create a user www and use that user.

Note: Some kernels refuse to setgid(Group) or semctl(IPC_SET) when the value of (unsigned)Group is above 60000; don't use Group nobody on these systems!
User nobody
Group nobody

ServerAdmin: Your address, where problems with the server should be emailed. This address appears on some server-generated pages, such as error documents.
ServerAdmin root@localhost

ServerName: Allows you to set a host name which is sent back to your server if it's different than the one the program would get (i.e., use "www" instead of the host's real name).

Note: You cannot just invent host names and hope they work. The name you define here must be a valid DNS name for your host. If you don't understand this, ask your network administrator.
If your host doesn't have a registered DNS name, enter its IP address here.
You will have to access it by its address (e.g., anyway, and this will make redirections work in a sensible way.
ServerName localhost

DocumentRoot: The directory out of which you will serve your documents. By default, all requests are taken from this directory, but symbolic links and aliases may be used to point to other locations.
DocumentRoot "/home/httpd/html"
Each directory to which Apache has access, can be configured with respect to which services and features are allowed and/or disabled in that directory (and its subdirectories).
First, we configure the "default" to be a very restrictive set of permissions.

Options FollowSymLinks
AllowOverride None

Note: From this point forward you must specifically allow particular features to be enabled - so if something's not working as you might expect, make sure that you have specifically enabled it below.
This should be changed to whatever you set DocumentRoot to.

This may also be "None", "All", or any combination of "Indexes", "Includes", "FollowSymLinks", "ExecCGI", or "MultiViews".
Note: "MultiViews" must be named explicitly --- "Options All" doesn't give it to you.
Options Indexes Includes FollowSymLinks
This controls which options the .htaccess files in directories can override. Can also be "All", or any combination of "Options", "FileInfo", "AuthConfig", and "Limit"
AllowOverride all

Controls who can get stuff from this server.
Order allow,deny
Allow from all

UserDir: The name of the directory which is appended onto a user's home directory if a ~user request is received.
UserDir public_html

Control access to UserDir directories. The following is an example for a site where these directories are restricted to read-only.

AllowOverride FileInfo AuthConfig Limit
Options MultiViews Indexes SymLinksIfOwnerMatch IncludesNoExec

Order allow,deny
Allow from all

Order deny,allow
Deny from all

DirectoryIndex: Name of the file or files to use as a pre-written HTML directory index. Separate multiple entries with spaces.
DirectoryIndex index.html index.htm index.shtml index.cgi

AccessFileName: The name of the file to look for in each directory for access control information.
AccessFileName .htaccess

The following lines prevent .htaccess files from being viewed by Web clients. Since .htaccess files often contain authorization information, access is disallowed for security reasons. Comment these lines out if you want Web visitors to see the contents of .htaccess files. If you change the AccessFileName directive above, be sure to make the corresponding changes here.
Also, folks tend to use names such as .htpasswd for password files, so this will protect those as well.

Order allow,deny
Deny from all

CacheNegotiatedDocs: By default, Apache sends "Pragma: no-cache" with each document that was negotiated on the basis of content. This asks proxy servers not to cache the document. Uncommenting the following line disables this behavior, and proxies will be allowed to cache the documents.

UseCanonicalName: (new for 1.3) With this setting turned on, whenever Apache needs to construct a self-referencing URL (a URL that refers back to the server the response is coming from) it will use ServerName and Port to form a "canonical" name. With this setting off, Apache will use the hostname:port that the client supplied, when possible. This also affects SERVER_NAME and SERVER_PORT in CGI scripts.
UseCanonicalName On

TypesConfig: Describes where the mime.types file (or equivalent) is to be found.
TypesConfig /etc/mime.types

DefaultType is the default MIME type the server will use for a document if it cannot otherwise determine one, such as from filename extensions.
If your server contains mostly text or HTML documents, "text/plain" is a good value. If most of your content is binary, such as applications or images, you may want to use "application/octet-stream" instead to keep browsers from trying to display binary files as though they are text.
DefaultType text/plain

The mod_mime_magic module allows the server to use various hints from the contents of the file itself to determine its type. The MIMEMagicFile directive tells the module where the hint definitions are located.
mod_mime_magic is not part of the default server (you have to add it yourself with a LoadModule [see the DSO paragraph in the 'Global Environment' section], or recompile the server and include mod_mime_magic as part of the configuration), so it's enclosed in an <IfModule> container.
This means that the MIMEMagicFile directive will only be processed if the module is part of the server.

MIMEMagicFile share/magic

HostnameLookups: Log the names of clients or just their IP addresses e.g., (on) or (off).
The default is off because it would be better overall for the net if people had to knowingly turn this feature on, since enabling it means that each client request will result in AT LEAST one lookup request to the nameserver.
HostnameLookups Off

ErrorLog: The location of the error log file.
If you do not specify an ErrorLog directive within a <VirtualHost> container, error messages relating to that virtual host will be logged here. If you do define an error logfile for a <VirtualHost> container, that host's errors will be logged there and not here.
ErrorLog /var/log/httpd/error_log

LogLevel: Control the number of messages logged to the error_log.
Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
LogLevel warn

The following directives define some format nicknames for use with a CustomLog directive (see below).
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" combined
LogFormat "%h %l %u %t \"%r\" %>s %b" common
LogFormat "%{Referer}i -> %U" referer
LogFormat "%{User-agent}i" agent

The location and format of the access logfile (Common Logfile Format).
If you do not define any access logfiles within a <VirtualHost> container, they will be logged here. Contrariwise, if you do define per-<VirtualHost> access logfiles, transactions will be logged therein and not in this file.
CustomLog /var/log/httpd/access_log common

If you would like to have agent and referer logfiles, uncomment the following directives.
CustomLog /var/log/httpd/referer_log referer
CustomLog /var/log/httpd/agent_log agent

If you prefer a single logfile with access, agent, and referrer information (Combined Logfile Format) you can use the following directive.
CustomLog /var/log/httpd/access_log combined
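
A detection check for two passages above (the deny rule for .htaccess/.htpasswd files and the common/combined log formats), as an added example that is not part of the original page: it parses access_log lines in either format and reports requests for .ht* files, marking any the server answered with a status below 400. The sample log lines, addresses and function names are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Regex form of the page's LogFormat strings:
#   common:   %h %l %u %t "%r" %>s %b
#   combined: common + "%{Referer}i" "%{User-Agent}i"
QUOTED = r'"((?:[^"\\]|\\.)*)"'
LOG_RE = re.compile(
    r'^(\S+) (\S+) (\S+) \[([^\]]+)\] ' + QUOTED + r' (\d{3}) (\d+|-)'
    r'(?: ' + QUOTED + ' ' + QUOTED + r')?$'
)

# Constructed sample lines (documentation address ranges, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Dec/2003:10:15:32 +0000] "GET /index.html HTTP/1.0" 200 2326',
    '192.0.2.11 - - [12/Dec/2003:10:15:40 +0000] "GET /~alice/.htaccess HTTP/1.0" 403 289 "-" "Mozilla/4.0"',
    '198.51.100.7 - bob [12/Dec/2003:10:16:02 +0000] "GET /private/%2Ehtpasswd HTTP/1.0" 200 57 "-" "Mozilla/4.0"',
    '198.51.100.7 - - [12/Dec/2003:10:16:05 +0000] "GET /docs/.htaccess.bak HTTP/1.1" 404 - "-" "-"',
    'not a log line',
]


def parse_line(line):
    """Parse one common- or combined-format line; return None if it does not match."""
    m = LOG_RE.match(line.rstrip("\n"))
    if m is None:
        return None
    host, ident, user, when, request, status, size, referer, agent = m.groups()
    parts = request.split()
    return {
        "host": host, "ident": ident, "user": user, "time": when,
        "request": request,
        # %r is "METHOD URI PROTOCOL"; malformed requests may have fewer parts
        "method": parts[0] if parts else "",
        "uri": parts[1] if len(parts) > 1 else "",
        "status": int(status),
        "size": 0 if size == "-" else int(size),   # %b logs "-" for zero bytes
        "referer": referer, "agent": agent,        # None in the common format
    }


def targets_ht_file(uri):
    """True if the last path segment, after percent-decoding, starts with .ht"""
    path = unquote(urlsplit(uri).path)
    return path.rsplit("/", 1)[-1].lower().startswith(".ht")


def audit(lines):
    """Return (host, uri, status, verdict) for every request aimed at a .ht* file."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or not targets_ht_file(rec["uri"]):
            continue
        if rec["status"] < 400:
            verdict = "SERVED"      # the deny rule is missing or not matching
        elif rec["status"] == 403:
            verdict = "denied"      # the deny rule did its job
        else:
            verdict = "other"       # e.g. 404: probed, file not present
        findings.append((rec["host"], rec["uri"], rec["status"], verdict))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print("%-14s %-28s %d %s" % finding)
```

A "SERVED" row means the deny rule is not in effect for that path; repeated "denied" or "other" rows from one host show probing for credential files.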

Optionally add a line containing the server version and virtual host name to server-generated pages (error documents, FTP directory listings, mod_status and mod_info output etc., but not CGI generated documents).
Set to "EMail" to also include a mailto: link to the ServerAdmin.
Set to one of: On | Off | EMail
ServerSignature On

Aliases: Add here as many aliases as you need (with no limit). The format is
Alias fakename realname
Note: If you include a trailing / on fakename then the server will require it to be present in the URL. So "/icons" isn't aliased in this example, only "/icons/".
Alias /icons/ "/home/httpd/icons/"

Options Indexes MultiViews
AllowOverride None
Order allow,deny
Allow from all

ScriptAlias: This controls which directories contain server scripts.
ScriptAliases are essentially the same as Aliases, except that documents in the realname directory are treated as applications and run by the server when requested rather than as documents sent to the client.
The same rules about trailing "/" apply to ScriptAlias directives as to Alias.
ScriptAlias /cgi-bin/ "/home/httpd/cgi-bin/"

"/home/httpd/cgi-bin" should be changed to whatever your ScriptAliased
CGI directory exists, if you have that configured.

AllowOverride None
Options ExecCGI
Order allow,deny
Allow from all

Redirect: Allows you to tell clients about documents which used to exist in your server's namespace, but do not anymore. This allows you to tell the clients where to look for the relocated document.
Format: Redirect old-URL new-URL

Directives controlling the display of server-generated directory listings.

FancyIndexing: Asks whether you want fancy directory indexing or standard.
IndexOptions FancyIndexing

AddIcon* directives: Tell the server which icon to show for different files or filename extensions. These are only displayed for FancyIndexed directories.
AddIconByEncoding (CMP,/icons/compressed.gif) x-compress x-gzip
AddIconByType (TXT,/icons/text.gif) text/*
AddIconByType (IMG,/icons/image2.gif) image/*
AddIconByType (SND,/icons/sound2.gif) audio/*
AddIconByType (VID,/icons/movie.gif) video/*
AddIcon /icons/binary.gif .bin .exe
AddIcon /icons/binhex.gif .hqx
AddIcon /icons/tar.gif .tar
AddIcon /icons/world2.gif .wrl .wrl.gz .vrml .vrm .iv
AddIcon /icons/compressed.gif .Z .z .tgz .gz .zip
AddIcon /icons/a.gif .ps .ai .eps
AddIcon /icons/layout.gif .html .shtml .htm .pdf
AddIcon /icons/text.gif .txt
AddIcon /icons/c.gif .c
AddIcon /icons/p.gif .pl .py
AddIcon /icons/f.gif .for
AddIcon /icons/dvi.gif .dvi
AddIcon /icons/uuencoded.gif .uu
AddIcon /icons/script.gif .conf .sh .shar .csh .ksh .tcl
AddIcon /icons/tex.gif .tex
AddIcon /icons/bomb.gif core

AddIcon /icons/back.gif ..
AddIcon /icons/hand.right.gif README
AddIcon /icons/folder.gif ^^DIRECTORY^^
AddIcon /icons/blank.gif ^^BLANKICON^^

DefaultIcon: Which icon to show for files, which do not have an icon explicitly set.
DefaultIcon /icons/unknown.gif

AddDescription: Allows you to place a short description after a file in server-generated indexes. These are only displayed for FancyIndexed directories.
Format: AddDescription "description" filename
AddDescription "GZIP compressed document" .gz
AddDescription "tar archive" .tar
AddDescription "GZIP compressed tar archive" .tgz

ReadmeName: The name of the README file the server will look for by default, and append to directory listings.
HeaderName: the name of a file, which should be prepended to directory indexes.
The server will first look for name.html and include it if found. If name.html doesn't exist, the server will then look for name.txt and include it as plaintext if found.
ReadmeName README
HeaderName HEADER

IndexIgnore: A set of filenames which directory indexing should ignore and not include in the listing. Shell-style wildcarding is permitted.
IndexIgnore .??* *~ *# HEADER* README* RCS CVS *,v *,t

AddEncoding: Allows you to have certain browsers (Mosaic/X 2.1+) uncompress information on the fly.
Note: Not all browsers support this. Despite the name similarity, the following Add* directives have nothing to do with the FancyIndexing customization directives above.
AddEncoding x-compress Z
AddEncoding x-gzip gz tgz

AddLanguage: Allows you to specify the language of a document. You can then use content negotiation to give a browser a file in a language it can understand. Note that the suffix does not have to be the same as the language keyword --- those with documents in Polish (whose net-standard language code is pl) may wish to use "AddLanguage pl .po" to avoid the ambiguity with the common suffix for perl scripts.
AddLanguage en .en
AddLanguage fr .fr
AddLanguage de .de
AddLanguage da .da
AddLanguage el .el
AddLanguage it .it

LanguagePriority: Allows you to give precedence to some languages in case of a tie during content negotiation.
Just list the languages in decreasing order of preference.
LanguagePriority en fr de

AddType: Allows you to tweak mime.types without actually editing it, or to make certain files be certain types.
For example, the PHP3 module (not part of the Apache distribution - see will typically use:

AddType application/x-httpd-php3 .php3
AddType application/x-httpd-php3-source .phps

The following is for PHP/FI (PHP2):

AddType application/x-httpd-php .phtml

AddType application/x-tar .tgz

AddHandler: Allows you to map certain file extensions to "handlers", actions unrelated to filetype. These can be either built into the server or added with the Action command (see below).
If you want to use server side includes, or CGI outside ScriptAliased directories, uncomment the following lines.
To use CGI scripts:
AddHandler cgi-script .cgi

To use server-parsed HTML files
AddType text/html .shtml
AddHandler server-parsed .shtml

Uncomment the following line to enable Apache's send-asis HTTP file feature
AddHandler send-as-is asis

If you wish to use server-parsed imagemap files, use
AddHandler imap-file map

To enable type maps, you might want to use
AddHandler type-map var

Action: Lets you define media types that will execute a script whenever a matching file is called. This eliminates the need for repeated URL pathnames for oft-used CGI file processors.
Format: Action media/type /cgi-script/location
Format: Action handler-name /cgi-script/location

MetaDir: Specifies the name of the directory in which Apache can find meta information files. These files contain additional HTTP headers to include when sending the document.
MetaDir .web

MetaSuffix: Specifies the file name suffix for the file containing the meta information.
MetaSuffix .meta

Saturday, February 15, 2003

Web Server Tutorial Part 1


Apache as Web server

The Web server is meant for keeping Websites. There are three ways a Website can be stored. They are:
1) default directory hosting
2) virtual directory hosting
3) virtual domain hosting

We first have to configure the DNS, then configure the file /etc/httpd/conf/httpd.conf (Red Hat 6.2). Whether we use Apache as a Web server on the Windows platform or on Linux, the main file used is /etc/httpd/conf/httpd.conf.

The root directory of Web server is /etc/httpd, which is divided into three parts:
1) /etc/httpd/conf (where the configuration files stay)
2) /etc/httpd/logs (where the logs of the Web server and of site access stay)
3) /etc/httpd/modules (where the modules stay, which enable the server-side programmer to program in the languages supported by the Web server)

Let's open the file /etc/httpd/conf/httpd.conf and take a detailed look at the macros to be used.

httpd.conf - Apache HTTP server configuration file
(Based upon the NCSA server configuration files originally by Rob McCool.)

This is the main Apache server configuration file. It contains the configuration directives that give the server its instructions.

Note: See for detailed information about the directives. Do not simply read the instructions in here without understanding what they do. They're here as hints or reminders. If you are unsure consult the online docs.

After this (httpd.conf) file is processed, the server will look for and process (only in the case of 6.1 the following mentioned file is checked. If it is 6.2 they are not checked):
and then
unless you have overridden these with ResourceConfig and/or AccessConfig directives here.


The configuration directives are grouped into three basic sections:
1. Directives that control the operation of the Apache server process as a whole (the 'global environment').
2. Directives that define the parameters of the `main' or `default' server, which responds to requests that aren't handled by a virtual host. These directives also provide default values for the settings of all virtual hosts.
3. Settings for virtual hosts, which allow Web requests to be sent to different IP addresses or hostnames and have them handled by the same Apache server process.

Section 1: Global Environment

The directives in this section affect the overall operation of Apache, such as the number of concurrent requests it can handle or where it can find its configuration files.

ServerType: ServerType is either inetd, or standalone. Inetd mode is only supported on Unix platforms.

ServerRoot: The top of the directory tree under which the server's configuration, error, and log files are kept.

NOTE: If you intend to place this on an NFS (or otherwise network) mounted filesystem then please read the LockFile documentation (available at; You will save yourself a lot of trouble. Do not add a slash at the end of the directory path.
ServerRoot "/etc/httpd"

LockFile: The LockFile directive sets the path to the lockfile used when Apache is compiled with either

This directive should normally be left at its default value. The main reason for changing it is if the logs directory is NFS mounted, since the lockfile must be stored on a local disk. The PID of the main server process is automatically appended to the filename.
LockFile /var/lock/httpd.lock

PidFile: The file in which the server should record its process identification number when it starts.
PidFile /var/run/

ScoreBoardFile: File used to store internal server process information. Not all architectures require this. But if yours does (you'll know because this file will be created when you run Apache) then you must ensure that no two invocations of Apache share the same scoreboard file.
ScoreBoardFile /var/run/httpd.scoreboard

In the standard configuration, the server will process this file, srm.conf, and access.conf in that order. The latter two files are now distributed empty, as it is recommended that all directives be kept in a single file for simplicity. The commented-out values below are the built-in defaults. You can have the server ignore these files altogether by using "/dev/null" (for Unix) or "nul" (for Win32) for the arguments to the directives.

ResourceConfig conf/srm.conf
AccessConfig conf/access.conf

Timeout: The number of seconds before receives and sends time out.
Timeout 300

KeepAlive: Whether or not to allow persistent connections (more than one request per connection). Set to "Off" to deactivate. But we keep it:
KeepAlive On

MaxKeepAliveRequests: The maximum number of requests to be allowed during a persistent connection. Set to 0 to allow an unlimited amount. We recommend you leave this number high, for maximum performance.
MaxKeepAliveRequests 100

KeepAliveTimeout: Number of seconds to wait for the next request from the same client on the same connection.
KeepAliveTimeout 15

Server-pool size regulation: Rather than making you guess how many server processes you need, Apache dynamically adapts to the load it sees --- that is, it tries to maintain enough server processes to handle the current load, plus a few spare servers to handle transient load spikes (e.g., multiple simultaneous requests from a single Netscape browser).

It does this by periodically checking how many servers are waiting for a request. If there are fewer than MinSpareServers, it creates a new spare. If there are more than MaxSpareServers, some of the spares die off. The default values are probably OK for most sites.
MinSpareServers 5
MaxSpareServers 20

Number of servers to start initially should be a reasonable ballpark figure.
StartServers 8

Limit on total number of servers running: Limit on the number of clients who can simultaneously connect. If this limit is ever reached, clients will be `locked out', so it should not be set too low. It is intended, mainly, as a brake to keep a runaway server from taking the system with it as it spirals down.
MaxClients 150

MaxRequestsPerChild: The number of requests each child process is allowed to process before the child dies. The child will exit so as to avoid problems after prolonged use when Apache (and maybe the libraries it uses) leak memory or other resources. On most systems, this isn't really needed, but a few (such as Solaris) do have notable leaks in the libraries. For these platforms, set to something like 10000 or so; a setting of 0 means unlimited.

NOTE: This value does not include keepalive requests after the initial request per connection. For example, if a child process handles an initial request and 10 subsequent "keptalive" requests, it would only count as 1 request towards this limit.
MaxRequestsPerChild 100

Listen: Allows you to bind Apache to specific IP addresses and/or ports, in addition to the default. See also the directive.
Listen 3000

BindAddress: You can support virtual hosts with this option. This directive is used to tell the server which IP address to listen to. It can either contain "*", an IP address, or a fully qualified Internet domain name.
BindAddress *

Well that's all for now. In the second part we shall look into Dynamic Shared Object (DSO) Support and also 'Main' server configuration.

Saturday, January 04, 2003


DNS stands for Domain Name Service. It is a service that can keep a large number of machines’ IP addresses for communication across a huge network. In this article we look at what DNS is, why it is needed, its use, and how to configure it.

In Linux, the networking related services could be set up in three different ways:
1) /etc/hosts to /etc/hosts mapping based networking
2) DNS based networking
3) NIS/NIS+ based networking which in turn can take the help of DNS or /etc/hosts file

For network-based services the actual network daemon reads some file for communication.
The first file that it reads is /etc/host.conf. Over here one may generally find two lines as
Order hosts, bind, Nis
Multi on

The first line tells the network-related services such as httpd, sendmail, nfsd, ypserv, etc., which are invoked at boot time from /etc/rc.d/init.d, what to read before doing remote communication: the /etc/hosts file mapping, where the host entries for each machine are present on each machine, a DNS implemented by the BIND software, or NIS/NIS+ based networking, which depends on either of the above setups.

The second line says whether one machine name can have multiple IP addresses attached to it, as the Linux platform allows a machine name to have multiple IP addresses.

Example: Let’s say a system administrator wants to setup 3 IPaddresses with the same machine name associated with one Ethernet card with
#ifconfig eth0
#ifconfig eth0:1
#ifconfig eth0:2

Now in /etc/hosts if we write kshounish1 kshounish1 kshounish1

That means any other machine can access the services of the kshounish1 machine by using any of the IP addresses. Remember that the order means the search order, for example Order hosts, bind.
That means all the services which need to read something before serving or making a request will first look at the host mapping in the /etc/hosts file. If the entry is found there it is used, or else the service will search the DNS through the BIND software. For DNS setup it should be Order bind, hosts.

And note that once you change the order you need to run
# /etc/rc.d/init.d/network restart
This is the first step before you start configuring DNS.

What is DNS?

DNS means Domain Name Service. It is a service that can keep a large number of machines’ IP addresses for communication across a huge network. Now the question arises why this is needed. Let's understand this with the help of an illustration.

Example: Let’s say kshounish1, kshounish2, kshounish3, kshounish4, and kshounish5 are the 5 machines in a network. For communication between the machines, each machine’s /etc/hosts file should have all five machine names as entries. Within this small network there would be no problem if you added another machine, say kshounish6. But even for this, the network administrator has to go to each machine, add kshounish6 to its /etc/hosts file, and then come back to the newcomer kshounish6 and add all the other entries (kshounish1...kshounish5), including its own name, to its /etc/hosts file.

But what if the network is set up with, say, 60 machines and a 61st machine has to be added? Then the administrator will have to go to each machine again and write the new machine’s name in its /etc/hosts file, and again come back and write all 60 machine names in the 61st machine’s /etc/hosts file, which is a tedious and time-consuming job. Thus, it is better to keep a centralized server where all the IP addresses stay, so that if a new machine enters the network, the change has to be made at the server and not on the client machines. A better way of setting up that client-server networking concept is to have one master server and 3-4 slave servers for it.

DNS Setup

DNS is a client-server concept, so configuration is needed on both sides.

Lets say we have 10 machines -- kshounish1 to kshounish10 with to -- and have decided to make kshounish1 as our DNS master server and kshounish2 as slave server and kshounish3 as another slave server and kshounish4 as slave’s slave server. Why do we need a slave server? Well, it is valuable in case of failure of the master server.

Note: Remember, to setup DNS, we need a domain name, as it understand the FQDN format (Fully Qualified Domain Name). So if we decide that our domain name will be Then our machine names will be…

Client configuration steps

1) # vi /etc/host.conf
2) replace Order hosts,bind to Order bind,hosts
3) #/etc/rc.d/init.d/network restart
4) # vi /etc/resolv.conf

press “i” and write
nameserver server)
nameserver of master)
nameserver slave)
nameserver of (8)))
11) nslookup(after the master server daemon is running)

Remember that a machine which is a pure client should not run the server daemon (“named”, discussed below), but a slave server can have both server and client processes running on its Linux box.

DNS Server Setup

“named” description: To run a proper DNS server, a daemon called the ‘named daemon’ should run. It deals with the names of the machines rather than their IP addresses. For this, the name mapping should be resolved by a server called a ‘name server’. In order to run a ‘name server’, the named daemon is needed. The files needed for configuring and running DNS (master and slave server) are:
1) /etc/named.conf
2) /var/named (remember it’s not a file, it’s a directory where the main database stays)
3) dnsconf utility

Before starting configuration by dnsconf utility lets see what actually the DNS server needs to get configured. It needs the following:

named configuration file (/etc/named.conf): It basically defines the parameters that point to the sources of domain database information, which can be local files or on remote servers.

Hint file (cache file)(/var/named/ It actually provides the name of root server which gets activated in case the machine name, which is to be searched, is not there in user defined zone (discussed below).

localhost file (/var/named.local): All configurations have a local domain database for resolving the address to the host name localhost.

Zone: Basically a zone that keeps the information about the domain database.

Later in named.conf file we will find that there are two predefined zones --named.local and --with database of localhost and database of root servers respectively. But a zone needs another two files, with hostname to IP address mapping and IP address to hostname mapping. The first one is called the Zone File and the second the Reverse Zone File.

Zone file: The zone file defines most of the information. It is used to map host names to address, to identify the mail servers, and to provide other domain information.
Reverse Zone file: This is responsible for mapping Ipaddress to host names, which is exactly the opposite of what the zone file does.

Note that the above two files have to be user defined.

Now let us configure the master server with a proper example.

Example: Taking the above case of to, lets start with dnsconf.

You will find many options, but use only the options mentioned below for configuring the master server:
* domains: Which will define the zone file name as well as the domain name of the current machine by default and will affect the named.conf file. This will create a file for domain as /var/named/
* Ipreverse mapping: It will ask options for IP reverse mapping or better still, we can say that it defines the reverse zone file name. Remember to click on add. For network name give the name as “network name”. Networkname.networkname.reverse”, for example here, 192.192.192.reverse. This will make a file called /var/named/192.192.192.reverse.

To see how it affects /etc/named.conf file, see the example below:

Now let's open /etc/named.conf
# This is the macro which defines where the DNS-related files will stay.
options {
directory "/var/named";
};
# The zone below is for the root servers or cache servers
zone "." {
type hint;
file "";
};

# This option names the file which keeps the hostname to IP address mapping
zone "" {
type master;
file "";
};

# This option is for the localhost file mapping
zone "" {
type master;
file "named.local";
};

# This option names the file which keeps the IP address to hostname mapping
zone "192.192.192.IN-ADDR.ARPA" {
type master;
file "192.192.192.reverse";
};
Now #cd /var/named. There, we will come across four files:
2) named.local
4) 192.192.192.reverse

If we open it will show us all the names of root servers, which will work if zone file or reverse zone file fails to serve the DNS queries. Here the zone and reverse zone files are and 192.192.192.reverse respectively.
Lets see the zone file and reverse zone file, which is
@ IN SOA (
2000011301 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl

DNS Database records

The database records used in zone file are called as standard resource records or sometimes, just “RRs”. All records have the same basic format:
Syntax Name In type data

In previous example
@ IN SOA (
2000011301 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl
can be described as follows

@: It means from the origin to the lastname object that is

In: This stands for Internet servers

SOA: This stands for ‘Start Of Authority’. It marks the beginning of a zone’s data and defines the parameters that affect the entire zone. It is followed by the name of the machine where the DNS server is maintained, and by the administrator login, which can be used while DNS is not working.

2000011301;serial: This is the serial number, a numeric value that notifies the slave server that the database has been updated, so the slave server should update its copy too.

3600;refresh: This is the refresh cycle in seconds. In every refresh cycle the slave server comes to the master server and checks for an updated database.

900;retry: This is the retry cycle, that is, how long the slave server should wait before asking the master server again in case the master server doesn’t respond.

1209600;expire: This is how long the slave server keeps responding to client queries if the master server fails and does not come back up. After this period the slave server also stops answering client queries and sits idle.

43200;default_ttl: This is the default time to live for this domain, counted from when named is started. Remember that the user doesn’t have to play with this unless he wants the query time from the slave server to be somewhat less or more. In case we want to change it, we should change only the refresh time on both master and slave. The best way is to make it 2, which means that every 2 seconds the slave server will query the master server.

And in the same way the reverse zone file also has the above things. The reverse zone file of master server that is 192.192.192.reverse may look like

@ IN SOA (
2000011301 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl


Note: Because the network id is already determined by @ that is 192.192.192.reverse, 1. replaces the reverse.10.

So, once the master server zone file and the master server reverse zone file are configured well, just start
#/etc/rc.d/init.d/named restart

Now our master server is configured. So, if any machine has its name server lookup as, we will be able to access it by a command called nslookup.

Slave server configuration
We want to configure a slave server as of

Slave Server setup: We go to dnsconf and configure secondaries option. It will ask for the master server. We write and save it

If your slave server has domain as and whose master is, then the /etc/named.conf at slave server should look like:
# This is the macro which defines where the DNS-related files will stay
options {
directory "/var/named";
};
# The zone below is for the root servers or cache servers
zone "." {
type hint;
file "";
};

# This option names the file which keeps the hostname to IP address mapping got from the master server
zone "" {
type slave;
file "slave/";
masters {;};
};

# This option is for the localhost file mapping
zone "" {
type master;
file "named.local";
};

# This option names the file which keeps the IP address to hostname mapping
zone "192.192.192.IN-ADDR.ARPA" {
type slave;
file "slave/192.192.192.reverse";
masters {}
};
If we go by dnsconf, it will create a slave under /var/named and then it will keep the files under it.
After we have done this just start the daemon

#/etc/rc.d/init.d/named restart (in

Similarly, for slave’s slave configuration, we can simply make another slave as saying that its master will be

Whenever you make a new entry in the zone file or reverse zone file of the master, always add 1 to the serial number and then restart the daemon with #/etc/rc.d/init.d/named restart.
But there is no need to restart the slave daemon.

Let's take the previous master file and the updated master file and see the change in it.

Normal database:
@ IN SOA (
2000011301 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl

@ IN SOA (
2000011301 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl


Updated database:

@ IN SOA (
2000011302 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl

@ IN SOA (
2000011302 ; serial
3600 ; refresh
900 ; retry
1209600 ; expire
43200 ; default_ttl


You must have noticed that after adding the new machine we changed the serial number from 2000011301 to 2000011302. This is done because the slave server updates its database from the master. When the slave server queries for updates and finds that its serial number is smaller than the master server's, it updates, and its own serial number changes automatically, as a result of which the slave’s slave also updates.
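
The slave-side behaviour described above, as an added example that is not part of the original page and is not BIND's code: it reads the five SOA numbers, compares serials with RFC 1982 serial arithmetic (a generalisation of the plain "smaller than" comparison, so wrap-around is handled), and models the refresh, retry and expire timers. The server and admin names in the sample record, the host6 line and all function names are constructed placeholders.

```python
import re

# Constructed sample in the page's layout. The two names are placeholders:
# the page's own SOA lines lost their server and admin names.
SAMPLE_SOA = """
@ IN SOA ns1.example.test. hostmaster.example.test. (
    2000011301 ; serial
    3600 ; refresh
    900 ; retry
    1209600 ; expire
    43200 ; default_ttl
)
"""
# A new (constructed) host record added without, and then with, a serial bump.
UPDATED_NO_BUMP = SAMPLE_SOA + "host6 IN A 192.0.2.6\n"
UPDATED_BUMPED = UPDATED_NO_BUMP.replace("2000011301", "2000011302")

FIELDS = ("serial", "refresh", "retry", "expire", "default_ttl")


def parse_soa(text):
    """Return the five SOA numbers as a dict, ignoring ';' comments."""
    body = re.search(r"\bSOA\b[^(]*\(([^)]*)\)", text, re.S)
    if body is None:
        raise ValueError("no parenthesised SOA record found")
    no_comments = re.sub(r";[^\n]*", "", body.group(1))
    values = [int(tok) for tok in no_comments.split()]
    if len(values) != len(FIELDS):
        raise ValueError("expected 5 SOA numbers, got %d" % len(values))
    return dict(zip(FIELDS, values))


def serial_newer(master, slave):
    """True if the master's serial is ahead of the slave's (RFC 1982, 32-bit)."""
    diff = (master - slave) % 2**32
    return 0 < diff < 2**31


def slave_action(soa, slave_serial, master_serial, age, master_up=True):
    """What a slave does `age` seconds after its last successful check.

    master_serial is the serial the master would answer with; it is only
    consulted when the master is reachable.
    """
    if age < soa["refresh"]:
        return "serve"                      # next check is not due yet
    if master_up:
        if serial_newer(master_serial, slave_serial):
            return "transfer"               # pull the updated zone
        return "serve"                      # up to date, timers restart
    if age >= soa["expire"]:
        return "expired"                    # stop answering for the zone
    return "retry"                          # keep serving, poll every `retry` s


def stale_risk(old_zone, new_zone):
    """True when the zone text changed but the serial did not advance,
    the case in which slaves keep serving the old data."""
    changed = old_zone.split() != new_zone.split()
    old_serial = parse_soa(old_zone)["serial"]
    new_serial = parse_soa(new_zone)["serial"]
    return changed and not serial_newer(new_serial, old_serial)


if __name__ == "__main__":
    soa = parse_soa(SAMPLE_SOA)
    print(soa)
    print("edit without bump is stale:", stale_risk(SAMPLE_SOA, UPDATED_NO_BUMP))
    print("edit with bump is stale:   ", stale_risk(SAMPLE_SOA, UPDATED_BUMPED))
    for age, up in ((100, True), (3600, True), (4000, False), (1209600, False)):
        print(age, up, slave_action(soa, 2000011301, 2000011302, age, up))
```

Running stale_risk over the old and new copy of a zone file before restarting named catches an edit whose serial was not increased.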