Difference between revisions of "BIND"
(REMOVED CHROOT INSTRUCTIONS. These are already covered in BIND (chroot) and they make this article a mess.) |
(removed remaining chroot references) |
||
| Line 37: | Line 37: | ||
=== 1. Preparing some folder structure === | === 1. Preparing some folder structure === | ||
mkdir /var/named/{pri,sec} | mkdir /var/named/{pri,sec} | ||
| − | |||
| − | |||
| − | |||
=== 2. Creating a zonefile === | === 2. Creating a zonefile === | ||
| Line 70: | Line 67: | ||
=== 3. Configuring master server === | === 3. Configuring master server === | ||
| − | |||
| − | |||
| − | |||
Add your zone to {{ic|/etc/named.conf}}: | Add your zone to {{ic|/etc/named.conf}}: | ||
zone "domain.tld" IN { | zone "domain.tld" IN { | ||
| Line 80: | Line 74: | ||
notify no; | notify no; | ||
}; | }; | ||
| − | |||
| − | |||
| − | |||
=== 4. Configuring slave server === | === 4. Configuring slave server === | ||
| − | |||
| − | |||
| − | |||
Add your zone to {{ic|/etc/named.conf}}: | Add your zone to {{ic|/etc/named.conf}}: | ||
zone "domain.tld" IN { | zone "domain.tld" IN { | ||
| Line 94: | Line 82: | ||
masters { 0.0.0.0; }; # IP address of the master server | masters { 0.0.0.0; }; # IP address of the master server | ||
}; | }; | ||
| − | |||
| − | |||
| − | |||
Restart the services and you are done. | Restart the services and you are done. | ||
Revision as of 08:31, 8 October 2012
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
Contents
- 1 BIND as caching-only server
- 2 BIND as simple DNS forwarder
- 3 Running BIND in a chrooted environment
- 4 A configuration template for running a domain
- 5 Configuring BIND to serve DNSSEC signed zones
- 6 Automatically listen on new interfaces without chroot and root privileges
- 7 See also
- 8 BIND Resources
BIND as caching-only server
These few steps show you how to install BIND as a caching-only server.
Install BIND
Install the bind package which can be found in the official repositories.
Edit /etc/named.conf and add this under the options section:
listen-on { 127.0.0.1; };
Start BIND
Start the daemon:
rc.d start named
Or add it to /etc/rc.conf:
DAEMONS=(.. named ..)
Set /etc/resolv.conf to use the local DNS server
Edit /etc/resolv.conf:
nameserver 127.0.0.1
BIND as simple DNS forwarder
If, for example you have problems with VPN connections, they can sometimes be solved by setting-up forwarding DNS server. It is set very simply with BIND. Add these lines to /etc/named.conf, and change IP address according to your setup.
listen-on { 192.168.66.1; };
forwarders {8.8.8.8; 8.8.4.4; };
Don't forget to restart the service!
Running BIND in a chrooted environment
Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.
A configuration template for running a domain
In our example we use "domain.tld" as our domain.
1. Preparing some folder structure
mkdir /var/named/{pri,sec}
2. Creating a zonefile
# nano /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (
2007011601 ; Serial
28800 ; Refresh
1800 ; Retry
604800 ; Expire - 1 week
86400 ) ; Minimum
IN NS ns01
IN NS ns02
ns01 IN A 0.0.0.0
ns02 IN A 0.0.0.0
localhost IN A 127.0.0.1
@ IN MX 10 mail
imap IN CNAME mail
smtp IN CNAME mail
@ IN A 0.0.0.0
www IN A 0.0.0.0
mail IN A 0.0.0.0
@ IN TXT "v=spf1 mx"
$TTL defines the default time-to-live for all record types. 7200 are seconds so its 2 hours.
Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
3. Configuring master server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
type master;
file "pri/domain.tld.zone";
allow-update { none; };
notify no;
};
4. Configuring slave server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
type slave;
file "sec/domain.tld.zone";
masters { 0.0.0.0; }; # IP address of the master server
};
Restart the services and you are done.
Configuring BIND to serve DNSSEC signed zones
See DNSSEC#BIND (serving_signed_DNS_zones)
Automatically listen on new interfaces without chroot and root privileges
Add
interface-interval <rescan-timeout-in-minutes>;
parameter into named.conf options. Then you should modify rc-script:
stat_busy "Starting DNS"
- [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+ setcap cap_net_bind_service=eip /usr/sbin/named
+ NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+ [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
So your /etc/rc.d/named should look like this:
stat_busy "Starting DNS"
setcap cap_net_bind_service=eip /usr/sbin/named
NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
[ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.