Difference between revisions of "BIND"

From ArchWiki
(little cleanup)
(REMOVED CHROOT INSTRUCTIONS. These are already covered in BIND (chroot) and they make this article a mess.)
Line 28: Line 28:
 
  forwarders {8.8.8.8; 8.8.4.4; };
 
  forwarders {8.8.8.8; 8.8.4.4; };
 
Don't forget to restart the service!
 
Don't forget to restart the service!
 
== Automatically listen on new interfaces without chroot and root privileges ==
 
Add
 
  interface-interval <rescan-timeout-in-minutes>;
 
parameter into {{ic|named.conf}} options. Then you should modify rc-script:
 
<pre>
 
    stat_busy "Starting DNS"
 
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
 
+    setcap cap_net_bind_service=eip /usr/sbin/named
 
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 
</pre>
 
 
So your {{ic|/etc/rc.d/named}} should look like this:
 
<pre>
 
    stat_busy "Starting DNS"
 
    setcap cap_net_bind_service=eip /usr/sbin/named
 
    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 
    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 
</pre>
 
 
Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.
 
  
 
== Running BIND in a chrooted environment ==
 
== Running BIND in a chrooted environment ==
Running in a [[chroot]] environment is not required but improves security. If you want you may implement this feature later and skip directly to [[BIND#A_configuration_template_for_running_a_domain|configuration section]] (see also [[BIND (chroot)]]).
+
Running in a [[chroot]] environment is not required but improves security. See [[BIND (chroot)]] for how to do this.
 
+
=== Preparing the chroot ===
+
Define the chroot directory, for example:
+
CHROOT="/chroot/named"
+
 
+
Create chroot directories
+
mkdir -m 700 -p ${CHROOT}
+
mkdir -p ${CHROOT}/{dev,etc,var/run/named}
+
 
+
To enable logging inside chroot, you also need to create a log directory:
+
mkdir ${CHROOT}/var/log
+
 
+
and inside this a file named.log as per logging statement in {{ic|named.conf}}:
+
touch ${CHROOT}/var/log/named.log
+
 
+
You may also want to access this file from {{ic|/var/log}}:
+
ln -sf ${CHROOT}/var/log/named.log /var/log
+
 
+
=== Copy necessary files ===
+
cp -v /etc/named.conf ${CHROOT}/etc/
+
cp -v /etc/localtime ${CHROOT}/etc/
+
cp -Rv /var/named ${CHROOT}/var/
+
 
+
=== As of BIND 9.8.0, you will need libgost.so to run BIND in a chroot ===
+
mkdir -p ${CHROOT}/usr/lib/engines
+
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
+
 
+
=== Create block devices ===
+
mknod ${CHROOT}/dev/zero c 1 5
+
mknod ${CHROOT}/dev/random c 1 8
+
 
+
=== Set permissions ===
+
chown -R named:named ${CHROOT}/var/{,run/}named
+
chmod 666 ${CHROOT}/dev/{random,zero}
+
chown root:named ${CHROOT}
+
chmod 0750 ${CHROOT}
+
 
+
If you enabled logging (see above):
+
chown named:named ${CHROOT}/var/log/named.log
+
 
+
=== Prepare the rc script ===
+
cp /etc/rc.d/named /etc/rc.d/named-chroot
+
 
+
Edit {{ic|/etc/rc.d/named-chroot}} and simply add {{ic|<nowiki>-t ${CHROOT}</nowiki>}} to
+
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+
so that it looks like
+
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
+
Also change
+
PIDFILE=/var/run/named/named.pid
+
to
+
PIDFILE=${CHROOT}/var/run/named/named.pid
+
 
+
=== Prepare variables ===
+
# vim /etc/conf.d/named
+
 
+
CHROOT="/chroot/named"
+
 
+
=== Starting named-chroot on bootup ===
+
You probably followed the first section before, so you have to add {{ic|-chroot}} to the existing named, so that it looks like this                                 
+
 
+
Edit {{ic|/etc/[[rc.conf]]}}:
+
DAEMONS=(.. '''named-chroot''' ..)
+
 
+
=== Start the service ===
+
# /etc/rc.d/named-chroot start
+
 
+
=== Test the service ===
+
# host wiki.archlinux.org 127.0.0.1
+
 
+
Output should be something like this
+
Using domain server:
+
Name: 127.0.0.1
+
Address: 127.0.0.1#53
+
Aliases:
+
+
wiki.archlinux.org is an alias for archlinux.org.
+
archlinux.org has address 66.211.213.17
+
archlinux.org mail is handled by 10 mail.archlinux.org.
+
 
+
=== Script to regenerate the chroot environment ===
+
I use this script to (re)generate BIND chroot environment. A suitable location is {{ic|/usr/local/sbin/updatebindchroot}}:
+
 
+
#!/bin/sh
+
# Prepare or update a chroot environment for running BIND
+
# see http://wiki.archlinux.org/index.php/BIND
+
+
. /etc/conf.d/named
+
+
# create chroot directories
+
mkdir -m 700 -p ${CHROOT}
+
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}
+
+
# copy necessary files
+
cp /etc/named.conf ${CHROOT}/etc/
+
cp /etc/localtime ${CHROOT}/etc/
+
cp -R /var/named ${CHROOT}/var/
+
touch ${CHROOT}/var/log/named.log
+
+
# create block devices
+
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
+
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null
+
+
# set permissions
+
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
+
chmod 666 ${CHROOT}/dev/{random,zero}
+
chown root:named ${CHROOT}
+
chmod 0750 ${CHROOT}
+
 
+
I call this in {{ic|/etc/rc.d/named-chroot}} just before running named:
+
/usr/local/sbin/updatebindchroot
+
 
+
Now you can edit configuration in {{ic|/etc/named.conf}} and mappings in {{ic|/var/named}}. Then both {{ic|named}} and {{ic|named-chroot}} can be used (one at a time of course). Restarting {{ic|named-chroot}} recreates the chroot applying configuration changes. You should never edit config files residing in the chroot. This should be considered essentially as read-only.
+
 
+
== Configuring BIND to serve DNSSEC signed zones ==
+
See [[DNSSEC#BIND (serving_signed_DNS_zones)]]
+
  
 
== A configuration template for running a domain ==
 
== A configuration template for running a domain ==
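Review bot: removing the chroot section also removes the only place CHROOT is defined (the `CHROOT="/chroot/named"` line in /etc/conf.d/named), yet the configuration template kept in this revision still says "If using chroot: mkdir ${CHROOT}/var/named/{pri,sec}", "cp domain.tld.zone ${CHROOT}/var/named/pri/" and "cp named.conf ${CHROOT}/etc/"; either those steps should state where CHROOT comes from or the new one-line replacement ("See [[BIND (chroot)]] for how to do this.") should say that the variable is set up there, otherwise a reader following the template meets an undefined variable.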
Line 236: Line 99:
  
 
Restart the services and you are done.
 
Restart the services and you are done.
 +
 +
== Configuring BIND to serve DNSSEC signed zones ==
 +
See [[DNSSEC#BIND (serving_signed_DNS_zones)]]
 +
 +
== Automatically listen on new interfaces without chroot and root privileges ==
 +
Add
 +
  interface-interval <rescan-timeout-in-minutes>;
 +
parameter into {{ic|named.conf}} options. Then you should modify rc-script:
 +
<pre>
 +
    stat_busy "Starting DNS"
 +
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
 +
+    setcap cap_net_bind_service=eip /usr/sbin/named
 +
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 +
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 +
</pre>
 +
 +
So your {{ic|/etc/rc.d/named}} should look like this:
 +
<pre>
 +
    stat_busy "Starting DNS"
 +
    setcap cap_net_bind_service=eip /usr/sbin/named
 +
    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 +
    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 +
</pre>
 +
 +
Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.
  
 
==See also==
 
==See also==
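Review bot: the sed in the block moved here, `sed 's#-u [[:alnum:]]*##'`, strips only user names made of letters and digits, so a NAMED_ARGS containing `-u bind-user` would leave `-user` on the named command line; `[^ ]*` would remove the whole token. The block also needs a sentence on what `setcap cap_net_bind_service=eip /usr/sbin/named` implies (the file capability is granted to whoever executes the binary, not just the rc-script) and on why it is run on every start instead of once (a package upgrade replaces the file and the capability is lost).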

Revision as of 15:14, 28 September 2012

Berkeley Internet Name Domain (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

BIND as caching-only server

These few steps show you how to install BIND as a caching-only server.

Install BIND

Install the bind package which can be found in the official repositories.

Edit /etc/named.conf and add this under the options section, so that named answers only on the loopback address and cannot be reached, or abused as an open resolver, from the network:

listen-on { 127.0.0.1; };

Start BIND

Start the daemon:

rc.d start named

Or add it to /etc/rc.conf:

DAEMONS=(.. named ..)

Set /etc/resolv.conf to use the local DNS server

Edit /etc/resolv.conf:

nameserver 127.0.0.1

BIND as simple DNS forwarder

A forwarding server answers what it can from its cache and hands every other query to the listed forwarders instead of resolving it iteratively itself. This can, for example, solve problems with VPN connections, and BIND sets it up with two lines. Add these to the options section of /etc/named.conf and change the IP addresses to match your setup: the listen address is the one your clients will query, the forwarders are the resolvers you trust.

listen-on { 192.168.66.1; };
forwarders {8.8.8.8; 8.8.4.4; };

Don't forget to restart the service! Two caveats: with only forwarders set, named still falls back to resolving a query itself when the forwarders do not answer, so add forward only; if queries must never leave by another path. And because this server now listens on a LAN address, restrict who may recurse through it with allow-recursion (BIND 9.4 and later default to localnets; localhost, earlier versions to any) so that it does not become an open resolver.

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.

A configuration template for running a domain

In our example we use "domain.tld" as our domain.

1. Preparing some folder structure

mkdir /var/named/{pri,sec}

If using chroot (${CHROOT} being your chroot directory, e.g. /chroot/named):

mkdir ${CHROOT}/var/named/{pri,sec}

2. Creating a zonefile

# nano /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live for all records that do not carry their own; the value is in seconds, so 7200 is 2 hours. The last SOA field (86400 above, labelled Minimum) is used by BIND 9 as the negative-caching TTL, i.e. how long resolvers may cache a "no such name" answer. Note that the SPF record "v=spf1 mx" has no -all or ~all term at the end; without one, mail from a host that matches no mechanism gets a neutral result, so the record rejects nothing.

Serial must be incremented manually every time you change a resource record of the zone, before reloading or restarting named. If you forget, slaves will not re-transfer the zone: they only do so when the master's serial is greater than the one they transferred last time. The 2007011601 form above is the usual YYYYMMDDnn convention (date plus a two-digit change counter). Run named-checkzone domain.tld /var/named/pri/domain.tld.zone after editing to catch syntax errors before named does.
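The serial bump described above, as an added example that is not part of the ArchWiki page: a small POSIX sh tool that reads the current serial, computes the next one in the YYYYMMDDnn convention, rewrites the zone file and, if the bind package is installed, validates the result. It assumes the serial sits on its own line followed by "; Serial", as in the template; the zone file, dates and the 192.0.2.x addresses used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: bump the SOA serial of a zone
# file that uses the YYYYMMDDnn convention shown above (2007011601) before
# reloading named. Assumes the serial is on its own line followed by
# "; Serial", as in the template. Paths and dates used here are constructed.

# Print the serial currently in the zone file (empty if no such line).
current_serial() {
    sed -n 's/^[[:space:]]*\([0-9][0-9]*\)[[:space:]]*;[[:space:]]*Serial.*/\1/p' "$1"
}

# Next serial for date $2 (YYYYMMDD) given the old serial $1: same day ->
# counter+1, new day -> date plus 01. A serial that is not in date form, or
# is already "ahead" of today, is simply incremented, so the result is always
# strictly greater than the old one, which is what slaves compare (RFC 1982).
next_serial() {
    old=$1; today=$2
    case "$old" in
        "$today"[0-9][0-9])
            n=${old#"$today"}
            n=$(( ${n#0} + 1 ))          # ${n#0} keeps "08" from being read as octal
            if [ "$n" -gt 99 ]; then
                echo "next_serial: more than 99 changes on $today" >&2
                return 1
            fi
            printf '%s%02d\n' "$today" "$n" ;;
        *)
            cand="${today}01"
            if [ "$cand" -gt "$old" ]; then printf '%s\n' "$cand"; else printf '%s\n' "$((old + 1))"; fi ;;
    esac
}

# Rewrite the serial line in place and print the new serial. The file is
# overwritten through cat rather than replaced with mv so it keeps its owner
# and mode (named:named).
bump_serial() {
    zone=$1; origin=$2; today=${3:-$(date +%Y%m%d)}
    old=$(current_serial "$zone")
    [ -n "$old" ] || { echo "bump_serial: no '; Serial' line in $zone" >&2; return 1; }
    new=$(next_serial "$old" "$today") || return 1
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*Serial\)/\1$new\2/" "$zone" > "$tmp" &&
        cat "$tmp" > "$zone"
    rm -f "$tmp"
    # if the bind package is installed, let named-checkzone validate the zone
    # so a typo is caught here rather than by named at reload time
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$origin" "$zone" || return 1
    fi
    printf '%s\n' "$new"
}

# Typical use on the template above, followed by a reload of just that zone:
#   bump_serial /var/named/pri/domain.tld.zone domain.tld && rndc reload domain.tld
```

next_serial refuses to go past 99 changes in one day rather than silently producing a serial that would sort before the previous one; if that ever happens, the date convention is the wrong tool and a plain counter is better.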

3. Configuring master server

If using chroot:

cp domain.tld.zone ${CHROOT}/var/named/pri/

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        notify no;
};

If using chroot:

cp named.conf ${CHROOT}/etc/

4. Configuring slave server

If using chroot:

cp domain.tld.zone ${CHROOT}/var/named/sec/

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type slave;
        file "sec/domain.tld.zone";
        masters { 0.0.0.0; };   # IP address of the master server
};

If using chroot:

cp named.conf ${CHROOT}/etc/

Reload or restart named on both servers and you are done. Before you do, consider two settings the stanzas above leave at their defaults. Unless allow-transfer is set, BIND hands the whole zone to any host that asks for an AXFR (the default is allow-transfer { any; }), so on the master limit it to the slave's address (allow-transfer { <slave IP>; };) and on the slave deny it (allow-transfer { none; };). And with notify no; the slave only re-checks the serial at the Refresh interval of the SOA record, 28800 seconds (8 hours) in the template above; leave notify at its default of yes if changes should reach the slave immediately.
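For both the forwarder section above (where a server listening on a LAN address must not become an open resolver) and the master/slave template (where zone transfers should be limited to the slave), the check a practitioner wants is the same: read the address-match list of a statement out of named.conf and flag the permissive cases. The following is an added example, not code from the ArchWiki page; WEAK reproduces the page's settings, HARDENED is the corrected form, and 192.0.2.2 is a constructed address standing in for the slave.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: audit a named.conf for the two
# exposures the forwarder setup and the master/slave template can leave open,
# an open resolver (missing or permissive allow-recursion) and open zone
# transfers (missing or permissive allow-transfer). WEAK and HARDENED are
# constructed inputs; 192.0.2.2 stands in for the slave's address.

# Print the address-match list of a statement ("allow-recursion",
# "allow-transfer", ...) from a config text, or nothing if it is not set.
# Line-oriented and first occurrence only.
acl_of() {
    stmt=$1; conf=$2
    printf '%s\n' "$conf" | sed -n "s/.*$stmt[[:space:]]*{\([^}]*\)}.*/\1/p" | sed -n '1p'
}

# Exit status: 0 restricted, 1 contains "any", 2 not set, meaning BIND's
# default applies (localnets + localhost for allow-recursion since BIND 9.4,
# any host at all for allow-transfer).
classify_acl() {
    acl=$(acl_of "$1" "$2")
    [ -n "$acl" ] || return 2
    case "$acl" in *any*) return 1 ;; esac
    return 0
}

# Summarise both checks as "recursion=<n> transfer=<n>".
audit_named_conf() {
    r=0; classify_acl allow-recursion "$1" || r=$?
    t=0; classify_acl allow-transfer  "$1" || t=$?
    printf 'recursion=%s transfer=%s\n' "$r" "$t"
}

# As written on the page: LAN listener with forwarders, master zone, no ACLs.
WEAK='options {
        listen-on { 192.168.66.1; };
        forwarders { 8.8.8.8; 8.8.4.4; };
};
zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        notify no;
};'

# Hardened: forwarders used exclusively, recursion only for the LAN, no
# transfers by default and only the slave allowed to pull the zone.
HARDENED='options {
        listen-on { 192.168.66.1; };
        forwarders { 8.8.8.8; 8.8.4.4; };
        forward only;
        allow-recursion { localhost; 192.168.66.0/24; };
        allow-transfer { none; };
};
zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        allow-transfer { 192.0.2.2; };
};'

# audit_named_conf "$WEAK"      -> recursion=2 transfer=2
# audit_named_conf "$HARDENED"  -> recursion=0 transfer=0
```

Against a live file run audit_named_conf "$(cat /etc/named.conf)". The check only looks at the first occurrence of each statement, so a per-zone allow-transfer that overrides a global one (as in HARDENED) is not evaluated separately; a result of 2 for transfer on a master is the case to act on first.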

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#BIND (serving_signed_DNS_zones)

Automatically listen on new interfaces without chroot and root privileges

named binds port 53 on the interfaces present when it starts and, with -u, then switches to an unprivileged user. Interfaces that appear later (a VPN tunnel, a hot-plugged NIC) are only picked up if named rescans them, and binding port 53 on them needs the CAP_NET_BIND_SERVICE capability, which the -u user does not have. (BIND built with Linux capability support keeps exactly this capability across the user switch; if yours does, the interface-interval option alone is enough and the rc-script change below is not needed.)

Add

 interface-interval <rescan-timeout-in-minutes>;

to the options section of named.conf (the value is in minutes). Then modify the rc-script so that the binary carries the capability as a file capability and named is started directly as the service user instead of switching with -u:

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [^ ]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

So your /etc/rc.d/named should look like this:

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [^ ]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change the user name in the last line (sudo -u named) if your named user is not 'named'. The sed removes any -u <user> from NAMED_ARGS, which is unnecessary once named already runs as that user; the pattern [^ ]* matches any user name, including ones containing - or _. setcap is run on every start because a package upgrade replaces the binary and the file capability is lost with it (cap_net_bind_service=ep would suffice; the inheritable bit adds nothing here). Be aware that a file capability applies to whoever executes the binary: any local user can then start a named bound to port 53 if the port is free. Check the result with getcap /usr/sbin/named, which should list cap_net_bind_service and nothing more, and confirm with ps that named runs as the service user.
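The two pieces of the rc-script change that are easy to get wrong, done robustly, as an added example that is not part of the ArchWiki page: stripping -u <user> from NAMED_ARGS for any user name, building the sudo command line the script runs, and checking a getcap line for the binary so that it grants cap_net_bind_service and nothing broader. The argument strings and getcap lines it is exercised with are constructed; nothing here runs setcap or starts named.

```shell
#!/bin/sh
# Added example, not from the ArchWiki page: the rc-script change above with
# the edge cases handled. Inputs used below are constructed strings; this
# neither calls setcap nor starts named.

# Drop "-u <user>" from NAMED_ARGS for any user name (bind-svc, named_2, ...),
# then tidy the whitespace left behind.
strip_user_arg() {
    printf '%s\n' "$1" | sed -E -e 's/(^| )-u [^ ]+//g' -e 's/^ +//' -e 's/ +$//' -e 's/ +/ /g'
}

# Build the command line the modified rc-script runs: named is started as the
# service user through sudo and never has to change uid itself.
build_named_cmd() {
    user=$1; args=$(strip_user_arg "$2")
    printf 'sudo -u %s /usr/sbin/named %s\n' "$user" "$args"
}

# Check one line of getcap(8) output for /usr/sbin/named: accept exactly
# cap_net_bind_service and nothing broader (no cap_sys_chroot, no cap_setuid),
# in both the older "file = caps+eip" and the newer "file caps=eip" forms.
caps_minimal() {
    line=$1
    case "$line" in
        *cap_net_bind_service*) ;;
        *) return 1 ;;
    esac
    case "$(printf '%s\n' "$line" | sed 's/cap_net_bind_service//')" in
        *cap_*) return 1 ;;
    esac
    return 0
}

# On the real host:
#   caps_minimal "$(getcap /usr/sbin/named)" || echo "unexpected capabilities on named"
#   ps -o user= -C named     # should print the service user, not root
```

A line such as "/usr/sbin/named = cap_net_bind_service,cap_sys_chroot+eip" is rejected on purpose: a chroot capability on a binary any user may execute is exactly what the section title promises to do without.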

See also

BIND Resources