Difference between revisions of "BIND"

From ArchWiki
m (Install bind: reword)
(fixed capitalization in headings; updated some headings; updated and added new templates)

Revision as of 22:55, 27 November 2011

Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

BIND as caching-only server

These few steps show you how to install BIND as a caching-only server.

Install BIND

Install the bind package which can be found in the official repositories.

Edit /etc/named.conf and add this under the options section:

listen-on { 127.0.0.1; };

Adding named to boot process

Edit /etc/rc.conf (See also rc.conf):

DAEMONS=(.. named ..)

Set /etc/resolv.conf to use the local DNS server

Edit /etc/resolv.conf (See also resolv.conf):

nameserver 127.0.0.1

Automatically listen on new interfaces without chroot and root privileges

Add the following parameter to the options section of named.conf:

 interface-interval <rescan-timeout-in-minutes>;

Then modify the rc script:

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
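Review bot: the sed on the second added line, `sed 's#-u [[:alnum:]]*##'`, strips the `-u` option only when the user name is purely alphanumeric; with a NAMED_ARGS such as `-u bind-dns` it leaves `-dns` behind and named is started with a bogus argument. Match up to the next blank instead (`sed 's#-u [^ ]*##'`), or remove `-u` from /etc/conf.d/named and drop the rewrite altogether. Two caveats on the first and third added lines: `setcap cap_net_bind_service=eip` is reapplied on every start and persists on /usr/sbin/named, so any local account able to execute the binary can bind port 53 from then on, and `sudo -u named` assumes sudo is installed and usable at boot, which the page does not list as a requirement.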

So your /etc/rc.d/named should look like this:

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change the user name in the last line (the one with "... sudo -u named ...") if your named user is not 'named'.

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security. If you want, you may set this up later and skip directly to the configuration section (see also BIND (chroot)).

Preparing the chroot

Define the chroot directory, for example:

CHROOT="/chroot/named"

Create chroot directories

mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/run/named}

To enable logging inside chroot, you also need to create a log directory:

mkdir ${CHROOT}/var/log

and inside this a file named.log as per logging statement in named.conf:

touch ${CHROOT}/var/log/named.log

You may also want to access this file from /var/log:

ln -sf ${CHROOT}/var/log/named.log /var/log

Copy necessary files

cp -v /etc/named.conf ${CHROOT}/etc/
cp -v /etc/localtime ${CHROOT}/etc/
cp -Rv /var/named ${CHROOT}/var/

As of BIND 9.8.0, you will also need libgost.so to run BIND in a chroot:

mkdir -p ${CHROOT}/usr/lib/engines
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/

Create block devices

mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8

Set permissions

chown -R named:named ${CHROOT}/var/{,run/}named
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

If you enabled logging (see above):

chown named:named ${CHROOT}/var/log/named.log

Prepare the rc script

cp /etc/rc.d/named /etc/rc.d/named-chroot

Edit /etc/rc.d/named-chroot and simply add -t ${CHROOT} to

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}

so that it looks like

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}

Also change

PIDFILE=/var/run/named/named.pid

to

PIDFILE=${CHROOT}/var/run/named/named.pid

Prepare variables

# vim /etc/conf.d/named
CHROOT="/chroot/named"

Starting named-chroot on bootup

If you followed the first section, you have to add -chroot to the existing named entry, so that it looks like this.

Edit /etc/rc.conf:

DAEMONS=(.. named-chroot ..)

Start the service

# /etc/rc.d/named-chroot start

Test the service

# host wiki.archlinux.org 127.0.0.1

The output should look something like this:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

wiki.archlinux.org is an alias for archlinux.org.
archlinux.org has address 66.211.213.17
archlinux.org mail is handled by 10 mail.archlinux.org.

Script to regenerate the chroot environment

I use this script to (re)generate the BIND chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:

#!/bin/sh
# Prepare or update a chroot environment for running Bind
# see http://wiki.archlinux.org/index.php/Bind

. /etc/conf.d/named

# create chroot directories
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}

# copy necessary files
cp /etc/named.conf ${CHROOT}/etc/
cp /etc/localtime ${CHROOT}/etc/
cp -R /var/named ${CHROOT}/var/
touch ${CHROOT}/var/log/named.log

# create block devices
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null

# set permissions
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

I call this in /etc/rc.d/named-chroot just before running named:

/usr/local/sbin/updatebindchroot

Now you edit the configuration in /etc/named.conf and the zone files in /var/named; both named and named-chroot can then be used (one at a time, of course). Restarting named-chroot recreates the chroot, applying the configuration changes. Never edit the config files residing in the chroot: they should be considered read-only.
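As an added example (my own code, not from the ArchWiki page or the BIND project), the following shell function checks that a chroot prepared with the steps above is consistent: the copied files and directories exist, /dev/zero and /dev/random are character devices, the chroot root is not world-accessible (the page sets it to 0750 root:named), and the named.conf inside the chroot still matches the master copy it was regenerated from, which is the point of treating the chroot copy as read-only. The function name check_named_chroot and the sample named.conf contents are assumptions; CHROOT and /etc/named.conf are the paths the page uses.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): sanity-check a BIND chroot
# built with the steps above. Prints each problem found and returns the
# number of problems (0 = the chroot looks consistent).
#
# Usage: check_named_chroot CHROOT_DIR [REFERENCE_NAMED_CONF]
# The optional second argument is the master copy of named.conf (normally
# /etc/named.conf); the copy inside the chroot must be byte-identical to it,
# because the chroot copy is regenerated on restart and must not be edited.

check_named_chroot() {
    chroot_dir=$1
    ref_conf=${2:-}
    problems=0

    # Files and directories the page copies into or creates inside the chroot.
    for entry in etc/named.conf etc/localtime var/named var/run/named var/log/named.log; do
        if [ ! -e "$chroot_dir/$entry" ]; then
            echo "missing: $chroot_dir/$entry"
            problems=$((problems + 1))
        fi
    done

    # /dev/zero and /dev/random must exist as character devices (mknod c 1 5 / c 1 8).
    for dev in dev/zero dev/random; do
        if [ ! -c "$chroot_dir/$dev" ]; then
            echo "not a character device: $chroot_dir/$dev"
            problems=$((problems + 1))
        fi
    done

    # The chroot root is 0750 root:named above: the "other" bits must all be clear.
    other_bits=$(ls -ld "$chroot_dir" | cut -c8-10)
    if [ "$other_bits" != "---" ]; then
        echo "world-accessible chroot root (other=$other_bits): $chroot_dir"
        problems=$((problems + 1))
    fi

    # The chroot's named.conf must match the master copy it was regenerated from.
    if [ -n "$ref_conf" ] && [ -e "$chroot_dir/etc/named.conf" ]; then
        if ! cmp -s "$ref_conf" "$chroot_dir/etc/named.conf"; then
            echo "stale copy: $chroot_dir/etc/named.conf differs from $ref_conf"
            problems=$((problems + 1))
        fi
    fi

    return $problems
}

# Stand-alone run: CHROOT=/chroot/named sh check-chroot.sh
# (CHROOT is the variable the page defines in /etc/conf.d/named.)
if [ -n "${CHROOT:-}" ]; then
    check_named_chroot "$CHROOT" /etc/named.conf
    echo "problems found: $?"
fi
```

Run it as root after updatebindchroot, or from /etc/rc.d/named-chroot right before named is started, so that a broken or stale chroot is reported instead of silently producing a resolver that cannot log or read its zones.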

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#Bind (serving_signed_DNS_zones)

A configuration template for running a domain

In our example we use "domain.tld" as our domain.

1. Preparing some folder structure

mkdir /var/named/{pri,sec}

If using chroot:

mkdir ${CHROOT}/var/named/{pri,sec}

2. Creating a zonefile

# vim /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live for all records in the zone. The value is in seconds, so 7200 is 2 hours.

The serial must be incremented manually before restarting named every time you change a resource record in the zone. If you forget, slaves will not re-transfer the zone: they only do so if the serial is greater than the one from their last transfer.
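Because a forgotten serial bump is the classic reason slaves keep serving stale data, here is an added example (my own shell script, not part of the ArchWiki page) that bumps the serial of a zone file in the YYYYMMDDnn form the sample zone uses (2007011601 is 2007-01-16, change 01). It assumes the serial sits on its own line followed by the "; Serial" comment, exactly as in the zone file above; the function names, the TODAY argument and the constructed sample zone are assumptions.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): bump the SOA serial of a zone
# file before restarting named, following the YYYYMMDDnn convention.
# Assumes the serial is on its own line with a "; Serial" comment.

# next_serial CURRENT TODAY  -> prints the serial to use next.
# TODAY is YYYYMMDD. If CURRENT already belongs to today, or is ahead of today
# (e.g. after a clock change), it is simply incremented; otherwise the new
# serial becomes TODAY followed by "01". Either way the result is larger than
# CURRENT, which is what slaves compare before re-transferring the zone.
next_serial() {
    cur=$1
    today=$2
    if [ "$cur" -lt $((today * 100)) ]; then
        echo $((today * 100 + 1))
    else
        echo $((cur + 1))
    fi
}

# bump_zone_serial ZONEFILE TODAY  -> rewrites the serial in place, prints the new value.
bump_zone_serial() {
    zone=$1
    today=$2
    # Pick the number that precedes the "; Serial" comment.
    cur=$(sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*Serial.*/\1/p' "$zone" | head -n 1)
    if [ -z "$cur" ]; then
        echo "no '; Serial' line found in $zone" >&2
        return 1
    fi
    new=$(next_serial "$cur" "$today")
    # Replace only that number, keeping indentation and the comment intact.
    sed "s/^\([[:space:]]*\)$cur\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$zone" > "$zone.tmp" \
        && mv "$zone.tmp" "$zone"
    echo "$new"
}

# write_sample_zone FILE  -> constructed copy of the page's domain.tld zone, for trying this out.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
EOF
}

# Stand-alone run: ZONEFILE=/var/named/pri/domain.tld.zone sh bump-serial.sh
# The functions take the date as an argument so they can be exercised without the clock.
if [ -n "${ZONEFILE:-}" ]; then
    bump_zone_serial "$ZONEFILE" "$(date +%Y%m%d)"
fi
```

Run it on the copy in /var/named/pri, not on the one inside the chroot, then restart named (or named-chroot, which recopies the zone); a serial that goes backwards is ignored by slaves, which is why the date-based branch never produces a value below the current one.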

3. Configuring master server

Copy the zonefile if using a chroot:

cp domain.tld.zone ${CHROOT}/var/named/pri/

Edit /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        notify no;
};

Copy to chroot:

cp named.conf ${CHROOT}/etc/

4. Configuring slave server

If using chroot:

cp domain.tld.zone ${CHROOT}/var/named/sec/

Edit /etc/named.conf:

zone "domain.tld" IN {
        type slave;
        file "sec/domain.tld.zone";
        masters { 0.0.0.0; };   # IP address of the master server
};

If using chroot:

cp named.conf ${CHROOT}/etc/

Restart the services and you are done.

See also

BIND Resources