Difference between revisions of "BIND"

From ArchWiki
Jump to: navigation, search
(Install bind: updated to comply with the new style guide)
Line 7: Line 7:
  
 
=== Install bind ===
 
=== Install bind ===
# pacman -S bind
+
[[pacman|Install]] the package {{Pkg|bind}} which can be found in the [[Official Repositories|official repositories]].
  
Edit {{filename|/etc/named.conf}} and add this under the options section
+
Edit {{ic|/etc/named.conf}} and add this under the options section:
 
  listen-on { 127.0.0.1; };
 
  listen-on { 127.0.0.1; };
  

Revision as of 22:47, 27 November 2011

Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

Bind as caching only server

These few steps show you how to install bind as a caching only server.

Install bind

Install the package bind which can be found in the official repositories.

Edit /etc/named.conf and add this under the options section: 

listen-on { 127.0.0.1; };

Adding named to boot process

Edit Template:Filename (See also rc.conf): 

DAEMONS=(.. named ..)

Set resolv.conf for using the local dns

Edit Template:Filename (See also resolv.conf): 

nameserver 127.0.0.1

Automatically listen on new interfaces without chroot and root privileges

Add 

 interface-interval <rescan-timeout-in-minutes>;

parameter into Template:Filename options. Then you should modify rc-script: 

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

So your Template:Filename should look like this: 

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.

Running Bind in a chrooted environment

Running in a chroot environment is not required but improves security. If you want you may implement this feature later and skip directly to configuration section (see also BIND (chroot)).

Preparing the chroot

Define the chroot directory, for example: 

CHROOT="/chroot/named"

Create chroot directories 

mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/run/named}

To enable logging inside chroot you also need to create a log directory: 

mkdir ${CHROOT}/var/log

and inside this a file named.log as per logging statement in Template:Filename: 

touch ${CHROOT}/var/log/named.log

You may also want to access this file from Template:Filename: 

ln -sf ${CHROOT}/var/log/named.log /var/log

Copy necessary files

cp -v /etc/named.conf ${CHROOT}/etc/
cp -v /etc/localtime ${CHROOT}/etc/
cp -Rv /var/named ${CHROOT}/var/

As of BIND 9.8.0, you will need libgost.so to run BIND in a chroot

mkdir -p ${CHROOT}/usr/lib/engines
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/

Create block devices

mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8

Set permissions

chown -R named:named ${CHROOT}/var/{,run/}named
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

If you enabled logging (see above): 

chown named:named ${CHROOT}/var/log/named.log

Prepare the rc script

cp /etc/rc.d/named /etc/rc.d/named-chroot

Edit Template:Filename and simply add "-t ${CHROOT}" to 

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}

so that it looks like 

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}

Also change 

PIDFILE=/var/run/named/named.pid

to 

PIDFILE=${CHROOT}/var/run/named/named.pid

Prepare variables

# vim /etc/conf.d/named

CHROOT="/chroot/named"

Starting named-chroot on bootup

you probably followed the first section before, so you have to add '-chroot' to the existing named, so that it looks like this

Edit Template:Filename: 

DAEMONS=(.. named-chroot ..)

Start the service

# /etc/rc.d/named-chroot start

Test the service

# host wiki.archlinux.org 127.0.0.1

Output should be something like this 

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

wiki.archlinux.org is an alias for archlinux.org.
archlinux.org has address 66.211.213.17
archlinux.org mail is handled by 10 mail.archlinux.org.

Script to regenerate the chroot environment

I use this script to (re)generate Bind chroot environment. A suitable location is Template:Filename: 

#!/bin/sh
# Prepare or update a chroot environment for running Bind
# see http://wiki.archlinux.org/index.php/Bind

. /etc/conf.d/named

# create chroot directories
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}

# copy necessary files
cp /etc/named.conf ${CHROOT}/etc/
cp /etc/localtime ${CHROOT}/etc/
cp -R /var/named ${CHROOT}/var/
touch ${CHROOT}/var/log/named.log

# create block devices
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null

# set permissions
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

I call this in Template:Filename just before running named: 

/usr/local/sbin/updatebindchroot

Now you can edit configuration in Template:Filename and mappings in Template:Filename. Then both named and named-chroot can be used (one at a time of course). Restarting named-chroot recreates the chroot applying configuration changes. You should never edit config files residing in the chroot. This should be considered essentially as read-only.

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#Bind (serving_signed_DNS_zones)

A configuration template for running a domain

In our example we use "domain.tld" as our domain.

1. Preparing some folder structure

mkdir /var/named/{pri,sec}

If using chroot: 

mkdir ${CHROOT}/var/named/{pri,sec}

2. Creating a zonefile

# vim /var/named/pri/domain.tld.zone

$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live for all record types. 7200 are seconds so its 2 hours.

Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves won't retransfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.

3. Configuring master server

Copy the zonefile if using a chroot: 

cp domain.tld.zone ${CHROOT}/var/named/pri/

Edit Template:Filename: 

zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        notify no;
};

Copy to chroot: 

cp named.conf ${CHROOT}/etc/

4. Configuring slave server

If using chroot: 

cp domain.tld.zone ${CHROOT}/var/named/sec/

Edit Template:Filename: 

zone "domain.tld" IN {
        type slave;
        file "sec/domain.tld.zone";
        masters { 0.0.0.0; };   # ip address of the master server
};

If using chroot: 

cp named.conf ${CHROOT}/etc/

Restart the services and you're done.

See also

BIND Resources

Retrieved from "https://wiki.archlinux.org/index.php?title=BIND&oldid=171368"