Difference between revisions of "BIND"
Revision by Thestinger, edit summary: (→Install bind: updated to comply with the new style guide)
Revision as of 22:47, 27 November 2011
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
Bind as caching only server
These steps show how to set up bind as a caching-only server.
Install bind
Install the package bind, which can be found in the official repositories.
Edit /etc/named.conf and add this under the options section:
listen-on { 127.0.0.1; };
Adding named to the boot process
Edit /etc/rc.conf (see also rc.conf):
DAEMONS=(.. named ..)
Set resolv.conf to use the local DNS server
Edit /etc/resolv.conf (see also resolv.conf):
nameserver 127.0.0.1
Automatically listen on new interfaces without chroot and root privileges
Add the parameter
interface-interval <rescan-timeout-in-minutes>;
to the options section of /etc/named.conf. Then modify the rc script (/etc/rc.d/named) as shown in this diff:
stat_busy "Starting DNS" - [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} + setcap cap_net_bind_service=eip /usr/sbin/named + NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'` + [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
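Review bot: the `sed 's#-u [[:alnum:]]*##'` on the NAMED_ARGS line only strips a user name made of letters and digits, so a value such as `-u named-svc` or `-u dns_user` in /etc/conf.d/named leaves a dangling fragment that is then passed to named as a stray argument; match with `[^ ]*` instead, or drop the `-u` option from the conf.d file altogether so that the `sudo -u named` line is the single place the user is chosen (the text below already says that line must be edited when the user is not `named`). A comment in the script should also record why `setcap` runs on every start: the file capability lives in an extended attribute on /usr/sbin/named and is lost whenever the package replaces the binary. The trade-off worth noting is that the capability is then attached to the binary for every invocation, not only to this service start, so any local account able to execute named can bind privileged ports through it.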
So your /etc/rc.d/named should look like this:
stat_busy "Starting DNS"
setcap cap_net_bind_service=eip /usr/sbin/named
NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
[ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
Change the user name in the last line (the one with "... sudo -u named ...") if your named user is not 'named'.
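A check worth running after this change is that the named process has actually dropped root and holds only CAP_NET_BIND_SERVICE (capability number 10, i.e. bit 10 of the mask printed on the CapEff: line of /proc/PID/status). The script below is an added example; it is not from the wiki page or from the BIND project. The function names are my own, and the sample status text it writes is constructed, not captured from a real system.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or from BIND): verify that named runs
# unprivileged and holds only CAP_NET_BIND_SERVICE after the rc script change.

# CAP_NET_BIND_SERVICE is capability number 10 on Linux, i.e. bit 10 of the
# 64-bit mask printed as hex on the CapEff: line of /proc/PID/status.
NET_BIND_MASK=$((1 << 10))

# First value after a given key ("Uid:" or "CapEff:") in a status file.
status_field() {
    awk -v key="$1" '$1 == key { print $2; exit }' "$2"
}

# Return 0 when the effective capability mask (hex string) is exactly
# CAP_NET_BIND_SERVICE, 1 otherwise. Both "no capabilities" and the full root
# set (000001ffffffffff) are failures.
caps_are_net_bind_only() {
    [ "$(( 0x$1 ))" -eq "$NET_BIND_MASK" ]
}

# Check one status file: non-zero real uid and the minimal capability set.
check_status_file() {
    uid=$(status_field Uid: "$1")
    capeff=$(status_field CapEff: "$1")
    if [ -z "$uid" ] || [ -z "$capeff" ]; then
        echo "cannot read Uid/CapEff from $1" >&2
        return 2
    fi
    if [ "$uid" -eq 0 ]; then
        echo "named is running as root (uid 0)" >&2
        return 1
    fi
    if ! caps_are_net_bind_only "$capeff"; then
        echo "unexpected effective capabilities: $capeff" >&2
        return 1
    fi
    echo "ok: uid $uid, CapEff $capeff"
}

# Check the live process(es): every pid reported by pidof for named.
check_named_processes() {
    pids=$(pidof named) || { echo "named is not running" >&2; return 2; }
    for pid in $pids; do
        check_status_file "/proc/$pid/status" || return 1
    done
}

# Constructed sample (not captured from a real system): the shape of
# /proc/PID/status for a process with the given uid and CapEff mask.
write_sample_status() {
    printf 'Name:\tnamed\nUid:\t%s\t%s\t%s\t%s\nGid:\t40\t40\t40\t40\nCapEff:\t%s\n' \
        "$2" "$2" "$2" "$2" "$3" > "$1"
}

# Usage: sh check-named-caps.sh --live   (checks the running named)
if [ "$1" = "--live" ]; then
    check_named_processes
fi
```

Run it with --live on the server after starting the service; a CapEff of 0000000000000400 together with the named user's uid is the expected result, anything larger means the capability drop did not happen as intended.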
Running Bind in a chrooted environment
Running in a chroot environment is not required but improves security. You can add this later if you prefer and skip directly to the configuration section (see also BIND (chroot)).
Preparing the chroot
Define the chroot directory, for example:
CHROOT="/chroot/named"
Create the chroot directories:
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/run/named}
To enable logging inside the chroot you also need to create a log directory:
mkdir ${CHROOT}/var/log
and inside it a file named.log, matching the logging statement in /etc/named.conf:
touch ${CHROOT}/var/log/named.log
You may also want to access this file from /var/log:
ln -sf ${CHROOT}/var/log/named.log /var/log
Copy necessary files
cp -v /etc/named.conf ${CHROOT}/etc/
cp -v /etc/localtime ${CHROOT}/etc/
cp -Rv /var/named ${CHROOT}/var/
As of BIND 9.8.0, you will need libgost.so to run BIND in a chroot
mkdir -p ${CHROOT}/usr/lib/engines
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
Create block devices
mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8
Set permissions
chown -R named:named ${CHROOT}/var/{,run/}named
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}
If you enabled logging (see above):
chown named:named ${CHROOT}/var/log/named.log
Prepare the rc script
cp /etc/rc.d/named /etc/rc.d/named-chroot
Edit /etc/rc.d/named-chroot and simply add "-t ${CHROOT}" to
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
so that it looks like
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
Also change
PIDFILE=/var/run/named/named.pid
to
PIDFILE=${CHROOT}/var/run/named/named.pid
Prepare variables
# vim /etc/conf.d/named
CHROOT="/chroot/named"
Starting named-chroot on bootup
Edit /etc/rc.conf. If you followed the first section, named is already listed there; append -chroot to that entry so that it looks like this:
DAEMONS=(.. named-chroot ..)
Start the service
# /etc/rc.d/named-chroot start
Test the service
# host wiki.archlinux.org 127.0.0.1
The output should look something like this:
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

wiki.archlinux.org is an alias for archlinux.org.
archlinux.org has address 66.211.213.17
archlinux.org mail is handled by 10 mail.archlinux.org.
Script to regenerate the chroot environment
I use this script to (re)generate the Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:
#!/bin/sh
# Prepare or update a chroot environment for running Bind
# see http://wiki.archlinux.org/index.php/Bind
# (the brace expansions below need bash, which is what /bin/sh is on Arch)

. /etc/conf.d/named

# create chroot directories
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}

# copy necessary files
cp /etc/named.conf ${CHROOT}/etc/
cp /etc/localtime ${CHROOT}/etc/
cp -R /var/named ${CHROOT}/var/
touch ${CHROOT}/var/log/named.log

# create block devices (errors are ignored when the nodes already exist)
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null

# set permissions
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}
I call this in /etc/rc.d/named-chroot just before running named:
/usr/local/sbin/updatebindchroot
Now you can edit the configuration in /etc/named.conf and the zone files in /var/named. Both named and named-chroot can then be used (one at a time, of course); restarting named-chroot recreates the chroot, applying any configuration changes. Never edit the config files inside the chroot: treat them as read-only.
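Before starting named-chroot it is worth verifying that the tree really has the layout and permissions the steps above produce, in particular that the copied named.conf is not writable by the named user (the read-only rule just stated). The script below is an added example, not from the wiki page or from BIND; it assumes the $CHROOT layout described above (etc/named.conf, var/named, var/run/named, var/log, dev/zero, dev/random) and the function names are my own. CHECK_OWNERSHIP=0 skips the ownership checks so the script can be exercised on a scratch tree built without root.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or from BIND): sanity-check a chroot
# built with the steps above before starting named-chroot. Prints one line per
# problem; the return value is the number of problems found (0 = looks right).

# Set CHECK_OWNERSHIP=0 to skip the root:named / named:named ownership checks,
# e.g. when exercising the script on a scratch tree built without root.
CHECK_OWNERSHIP=${CHECK_OWNERSHIP:-1}

# Record one problem and explain it.
problem() {
    echo "problem: $*"
    problems=$((problems + 1))
}

expect_mode() {   # expect_mode PATH OCTAL
    actual=$(stat -c %a "$1" 2>/dev/null || true)
    [ "$actual" = "$2" ] || problem "$1 has mode ${actual:-<missing>}, expected $2"
}

expect_owner() {  # expect_owner PATH USER:GROUP (only when CHECK_OWNERSHIP=1)
    [ "$CHECK_OWNERSHIP" = 1 ] || return 0
    actual=$(stat -c %U:%G "$1" 2>/dev/null || true)
    [ "$actual" = "$2" ] || problem "$1 is owned by ${actual:-<missing>}, expected $2"
}

check_chroot() {
    chroot_dir=$1
    problems=0

    # Top level: root:named 0750, so only root and the named group can enter.
    [ -d "$chroot_dir" ] || { problem "$chroot_dir is not a directory"; return $problems; }
    expect_mode "$chroot_dir" 750
    expect_owner "$chroot_dir" root:named

    # Directories the steps above create.
    for d in dev etc var/named var/run/named; do
        [ -d "$chroot_dir/$d" ] || problem "missing directory $chroot_dir/$d"
    done
    expect_owner "$chroot_dir/var/named" named:named
    expect_owner "$chroot_dir/var/run/named" named:named

    # The copied config is read-only input: it must exist and must not be
    # writable by group or other, so the named user can never edit it.
    conf=$chroot_dir/etc/named.conf
    if [ ! -f "$conf" ]; then
        problem "missing $conf"
    elif [ -n "$(find "$conf" -perm /022)" ]; then
        problem "$conf is writable by group or other"
    fi

    # Character devices named needs (created with mknod above).
    for dev in zero random; do
        [ -c "$chroot_dir/dev/$dev" ] || problem "missing character device $chroot_dir/dev/$dev"
    done

    # Nothing inside a service chroot should be setuid or setgid.
    suid=$(find "$chroot_dir" -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
    [ -z "$suid" ] || problem "setuid/setgid files inside the chroot: $suid"

    return $problems
}

# Usage: sh check-bind-chroot.sh /chroot/named
if [ -n "$1" ]; then
    check_chroot "$1" && echo "chroot $1 looks sane"
fi
```

Run it as root against the real $CHROOT (ownership checks included) right after updatebindchroot; a non-zero exit code tells you how many problems were printed.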
Configuring BIND to serve DNSSEC signed zones
See DNSSEC#Bind (serving_signed_DNS_zones)
A configuration template for running a domain
In our example we use "domain.tld" as our domain.
1. Preparing some folder structure
mkdir /var/named/{pri,sec}
If using chroot:
mkdir ${CHROOT}/var/named/{pri,sec}
2. Creating a zonefile
# vim /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                        2007011601 ; Serial
                        28800      ; Refresh
                        1800       ; Retry
                        604800     ; Expire - 1 week
                        86400 )    ; Minimum
        IN      NS      ns01
        IN      NS      ns02
ns01    IN      A       0.0.0.0
ns02    IN      A       0.0.0.0
localhost IN    A       127.0.0.1
@       IN      MX      10 mail
imap    IN      CNAME   mail
smtp    IN      CNAME   mail
@       IN      A       0.0.0.0
www     IN      A       0.0.0.0
mail    IN      A       0.0.0.0
@       IN      TXT     "v=spf1 mx"
$TTL defines the default time-to-live for all records in the zone. The value is in seconds, so 7200 is 2 hours.
The serial must be incremented manually, before restarting named, every time you change a resource record in the zone. If you forget, slaves will not retransfer the zone: they only do so when the serial is greater than the one they saw at their last transfer.
3. Configuring the master server
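Because a forgotten serial bump silently leaves the slaves serving stale data, it helps to script the increment rather than edit the number by hand. The script below is an added example, not from the wiki page or from BIND: it finds the first integer on the line tagged "; Serial" in a zone file laid out like the one above, rewrites it as old+1, and, when a zone name is given and named-checkzone is installed, validates the result with BIND's own checker. Function names are my own and the sample zone it can write is constructed from the template above.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or from BIND): increment the SOA
# serial of a zone file whose serial is the first integer on the line carrying
# the "; Serial" comment, as in the zone template above.

# Print the current serial, or nothing when no "; Serial" line exists.
current_serial() {
    awk '/; *Serial/ { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' \
        "$1" 2>/dev/null
}

# bump_serial ZONEFILE [ZONENAME]: replace the serial with old+1 in place and
# print the new value. Returns 1 and leaves the file untouched when no serial
# line is found or when named-checkzone rejects the result.
bump_serial() {
    zone=$1
    old=$(current_serial "$zone" || true)
    if [ -z "$old" ]; then
        echo "no '; Serial' line found in $zone" >&2
        return 1
    fi
    new=$((old + 1))
    tmp=$(mktemp) || return 1
    # Substitute only on the serial line so spacing and comments elsewhere survive.
    awk -v old="$old" -v new="$new" '
        !done && /; *Serial/ { sub(old, new); done = 1 }
        { print }
    ' "$zone" > "$tmp" && mv "$tmp" "$zone" || { rm -f "$tmp"; return 1; }
    # Let BIND's own checker validate the file when a zone name was given
    # and the tool is installed (-q: exit status only).
    if [ -n "$2" ] && command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$2" "$zone" || return 1
    fi
    echo "$new"
}

# Constructed sample zone in the layout of the template above (for trying
# the script out; not the file from the page).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                        2007011601 ; Serial
                        28800      ; Refresh
                        1800       ; Retry
                        604800     ; Expire - 1 week
                        86400 )    ; Minimum
        IN      NS      ns01
ns01    IN      A       0.0.0.0
EOF
}

# Usage: sh bump-serial.sh /var/named/pri/domain.tld.zone domain.tld
if [ -n "$1" ]; then
    bump_serial "$1" "$2"
fi
```

Run it on the master's copy of the zone (and then copy the file into the chroot as the next step shows); the new serial is printed so it can be compared with what the slaves report.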
Copy the zonefile if using a chroot:
cp domain.tld.zone ${CHROOT}/var/named/pri/
Edit /etc/named.conf:
zone "domain.tld" IN {
    type master;
    file "pri/domain.tld.zone";
    allow-update { none; };
    notify no;
};
Copy to chroot:
cp named.conf ${CHROOT}/etc/
4. Configuring the slave server
If using chroot:
cp domain.tld.zone ${CHROOT}/var/named/sec/
Edit /etc/named.conf:
zone "domain.tld" IN {
    type slave;
    file "sec/domain.tld.zone";
    masters { 0.0.0.0; }; # ip address of the master server
};
If using chroot:
cp named.conf ${CHROOT}/etc/
Restart the services and you're done.