Bind
From ArchWiki
Bind as a caching-only server
These few steps show you how to install Bind as a caching-only server.
Install bind
pacman -S bind
Edit /etc/named.conf and make sure the options block only listens on the loopback address:
listen-on { 127.0.0.1; };
Load the capability kernel module
Bind needs the kernel module 'capability' to work properly. Load it manually if it is not already built in:
# modprobe capability
This is built into vanilla kernels, as confirmed by:
# zless /proc/config.gz | grep CAPABILITIES
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_FILE_CAPABILITIES=y
Adding named to the boot process
Edit /etc/rc.conf
DAEMONS=(.. named ..)
Set resolv.conf to use the local DNS
Edit /etc/resolv.conf
nameserver 127.0.0.1
Running Bind in a chrooted environment
This is not required but improves security. You may implement this feature later and skip directly to the configuration section.
Preparing the chroot
Define the chroot directory, for example:
CHROOT="/chroot/named"
Create the chroot directories:
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/run/named}
To enable logging inside the chroot you also need to create a log directory:
mkdir ${CHROOT}/var/log
and inside it a file named.log, as per the logging statement in named.conf:
touch ${CHROOT}/var/log/named.log
You may also want to access this file from /var/log:
ln -sf ${CHROOT}/var/log/named.log /var/log
Copy necessary files
cp -v /etc/named.conf ${CHROOT}/etc/
cp -v /etc/localtime ${CHROOT}/etc/
cp -Rv /var/named ${CHROOT}/var/
Create device nodes
mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8
Set permissions
chown -R named:named ${CHROOT}/var/{,run/}named
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}
If you enabled logging (see above):
chown named:named ${CHROOT}/var/log/named.log
Prepare the rc script
cp /etc/rc.d/named /etc/rc.d/named-chroot
Edit /etc/rc.d/named-chroot and simply add "-t ${CHROOT}" to the line
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
so that it looks like:
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
Prepare variables
vim /etc/conf.d/named
CHROOT="/chroot/named"
Starting named-chroot on bootup
Edit /etc/rc.conf. If you followed the first section, you have to add '-chroot' to the existing named entry so that it looks like this:
DAEMONS=(.. named-chroot ..)
Start the service
/etc/rc.d/named-chroot start
Test the service
# host wiki.archlinux.org 127.0.0.1
Output should be something like this:
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

wiki.archlinux.org is an alias for archlinux.org.
archlinux.org has address 66.211.213.17
archlinux.org mail is handled by 10 mail.archlinux.org.
Script to regenerate the chroot environment
I use this script to (re)generate the Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:
#!/bin/bash
# Prepare or update a chroot environment for running Bind
# see http://wiki.archlinux.org/index.php/Bind
# (bash rather than sh: the brace expansions below are not POSIX)

. /etc/conf.d/named

# refuse to run with an empty CHROOT: the chown/chmod at the end
# would otherwise be applied to / itself
[ -n "${CHROOT}" ] || { echo "CHROOT is not set in /etc/conf.d/named" >&2; exit 1; }

# create chroot directories
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}

# copy necessary files
cp /etc/named.conf ${CHROOT}/etc/
cp /etc/localtime ${CHROOT}/etc/
cp -R /var/named ${CHROOT}/var/
touch ${CHROOT}/var/log/named.log

# create device nodes (errors are ignored when they already exist)
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null

# set permissions
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}
I call this in /etc/rc.d/named-chroot just before running named:
/usr/local/sbin/updatebindchroot
Now you can edit the configuration in /etc/named.conf and the mappings in /var/named. Then both named and named-chroot can be used (one at a time, of course). Restarting named-chroot recreates the chroot, applying the configuration changes. You should never edit config files residing in the chroot; they should be considered read-only.
A configuration template for running a domain
In our example we use "domain.tld" as our domain.
Preparing some folder structure
mkdir /var/named/{pri,sec}
If using a chroot:
mkdir /chroot/named/var/named/{pri,sec}
Creating a zonefile
vim /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@           IN SOA   ns01.domain.tld. postmaster.domain.tld. (
                     2007011601 ; Serial
                     28800      ; Refresh
                     1800       ; Retry
                     604800     ; Expire - 1 week
                     86400 )    ; Minimum
            IN NS    ns01
            IN NS    ns02
ns01        IN A     0.0.0.0
ns02        IN A     0.0.0.0
localhost   IN A     127.0.0.1
@           IN MX    10 mail
imap        IN CNAME mail
smtp        IN CNAME mail
@           IN A     0.0.0.0
www         IN A     0.0.0.0
mail        IN A     0.0.0.0
@           IN TXT   "v=spf1 mx"
$TTL defines the default time-to-live for all record types; 7200 is in seconds, so 2 hours.
The serial must be incremented manually every time you change a resource record for the zone, before restarting named. If you forget to do it, slaves won't retransfer the zone: they only do so if the serial is greater than the one from the last time they transferred the zone.
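Since a forgotten serial increment is the usual reason slaves stop picking up zone changes, here is an added helper script (not part of the wiki page or of BIND) that bumps the serial of a zone file laid out like the one above. It assumes the serial sits alone on a line tagged "; Serial" and follows the YYYYMMDDnn convention of the sample serial 2007011601:

```shell
#!/bin/sh
# Added example, not from the ArchWiki page or from BIND: bump the SOA serial
# of a zone file laid out like domain.tld.zone above (serial alone on a line
# tagged "; Serial") using the YYYYMMDDnn convention the sample serial follows.
#
# bump_serial ZONEFILE [YYYYMMDD]   prints the new serial
#   same day as the old serial  -> counter + 1 (2007011601 -> 2007011602)
#   new day                     -> date followed by 01
#   result not greater than old -> old + 1 (slaves only transfer when it grows)
bump_serial() {
    zone=$1
    today=${2:-$(date +%Y%m%d)}
    old=$(awk '/;[[:space:]]*Serial/ { print $1; exit }' "$zone")
    case $old in
        ''|*[!0-9]*) echo "no numeric serial line in $zone" >&2; return 1 ;;
    esac
    # awk does the arithmetic: it treats "08" as decimal, shell $(( )) may not
    new=$(awk -v o="$old" -v d="$today" 'BEGIN {
        if (length(o) == 10 && substr(o, 1, 8) == d) n = o + 1
        else n = d "01"
        if (n + 0 <= o + 0) n = o + 1
        printf "%d\n", n }')
    # rewrite only the serial line, through a temp file (no sed -i needed)
    awk -v o="$old" -v n="$new" '
        !done && /;[[:space:]]*Serial/ && $1 == o { sub(o, n); done = 1 }
        { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Constructed sample zone with the same SOA layout as the article's zone file
make_demo_zone() {
    cat > "$1" <<'EOF'
$TTL 7200
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (
        2007011601 ; Serial
        28800      ; Refresh
        1800       ; Retry
        604800     ; Expire - 1 week
        86400 )    ; Minimum
        IN NS ns01
EOF
}

demo=$(mktemp) && make_demo_zone "$demo"
echo "new serial: $(bump_serial "$demo")"   # today's date followed by 01
rm -f "$demo"
```

Run it against the real zone file before restarting named (or before copying the file into the chroot), so the slave sees a larger serial on its next refresh.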
Configuring the master server
Copy the zonefile if using a chroot:
cp domain.tld.zone /chroot/named/var/named/pri/
Edit /etc/named.conf
zone "domain.tld" IN {
type master;
file "pri/domain.tld.zone";
allow-update { none; };
notify no;
};
Copy to the chroot:
cp named.conf /chroot/named/etc/
Configuring the slave server
If using a chroot:
cp domain.tld.zone /chroot/named/var/named/sec/
Edit /etc/named.conf
zone "domain.tld" IN {
type slave;
file "sec/domain.tld.zone";
masters { 0.0.0.0; }; # ip address of the master server
};
If using a chroot:
cp named.conf /chroot/named/etc/
Restart the services and you're done.