DNS classes

July 31, 2009


If you ever administered a DNS server you are probably familiar with the IN (internet) class, as in

localhost   IN      A

where you define an IP address for the name localhost. As you may, or may not, already know there are other classes defined (but hardly used) for the DNS. Two of those are the Chaos class (CH) and the Hesiod (HS) class. With these classes you can create some sort of parallel world where you can also define names. This feature of the DNS isn’t exactly in great use, but is is nice to know where they were used for.


The CH class has its use in the Chaosnet, which is a network implementation that didn’t make it, unlike the current Ethernet + TCP/IP combo. If you want to read up on your knowledge of the Chaosnet protocol this pdf is your friend.

Today the CH class is missused by BIND, for the following neat tricks:

dig CH @localhost version.bind TXT  

Which yields:

;version.bind.      CH  TXT
version.bind.   0   CH  TXT "9.5.1-P2"
version.bind.   0   CH  NS  version.bind.

that shows the BIND version. Of course you can disable this so that people cannot query you server’s version, DNS Fingerprinting works much better in that case.

And of course:

dig CH @localhost authors.bind TXT

which gives:

authors.bind.       0   CH  TXT "David Lawrence"
authors.bind.       0   CH  TXT "Danny Mayer"
authors.bind.       0   CH  TXT "Damien Neil"
authors.bind.       0   CH  TXT "Matt Nelson"
authors.bind.       0   CH  TXT "Michael Sawyer"
authors.bind.       0   CH  TXT "Brian Wellington"
authors.bind.       0   CH  TXT "Mark Andrews"
authors.bind.       0   CH  TXT "James Brister"
authors.bind.       0   CH  TXT "Ben Cottrell"
authors.bind.       0   CH  TXT "Michael Graff"
authors.bind.       0   CH  TXT "Andreas Gustafsson"
authors.bind.       0   CH  TXT "Bob Halley"

So you know who to hit when the next bind bug hits your installation.

NSD also does this trick:

dig @ns4.nic.nl CH version.bind TXT 


version.bind.       0   CH  TXT "NSD 3.0.7"


The HS class has its origins Project Athena (also see Wikipedia. Which is a naming server ala nis or more recent ldap. With HS class you can put user and group data in your DNS, so you can do without an ldap server. The package hesiod still can be installed if you want to play with this.

Putting passwords in your DNS may need to be a smart thing to do, so with hesiod you also want to use Kerberos.

I don’t know if there are any tricks BIND does with the HS class, esp. since hesiod can still be used.

If you want to use the HS class in BIND you must tell that to BIND, in your named.conf say:

zone "domain_name" hesiod {
type master;
filename "somewhere.db";

And in your zone file use HS instead of IN:

localhost   HS  A

Further reading

Further reading in RFC2929 and in BIND reference manual.