Difference between revisions of "BIND"
(REMOVED CHROOT INSTRUCTIONS. These are already covered in BIND (chroot) and they make this article a mess.)
(removed remaining chroot references)
Line 37: | Line 37: | ||
=== 1. Preparing some folder structure === | === 1. Preparing some folder structure === | ||
mkdir /var/named/{pri,sec} | mkdir /var/named/{pri,sec} | ||
− | |||
− | |||
− | |||
=== 2. Creating a zonefile === | === 2. Creating a zonefile === | ||
Line 70: | Line 67: | ||
=== 3. Configuring master server === | === 3. Configuring master server === | ||
− | |||
− | |||
− | |||
Add your zone to {{ic|/etc/named.conf}}: | Add your zone to {{ic|/etc/named.conf}}: | ||
zone "domain.tld" IN { | zone "domain.tld" IN { | ||
Line 80: | Line 74: | ||
notify no; | notify no; | ||
}; | }; | ||
− | |||
− | |||
− | |||
=== 4. Configuring slave server === | === 4. Configuring slave server === | ||
− | |||
− | |||
− | |||
Add your zone to {{ic|/etc/named.conf}}: | Add your zone to {{ic|/etc/named.conf}}: | ||
zone "domain.tld" IN { | zone "domain.tld" IN { | ||
Line 94: | Line 82: | ||
masters { 0.0.0.0; }; # IP address of the master server | masters { 0.0.0.0; }; # IP address of the master server | ||
}; | }; | ||
− | |||
− | |||
− | |||
Restart the services and you are done. | Restart the services and you are done. |
Revision as of 08:31, 8 October 2012
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
Contents
- 1 BIND as caching-only server
- 2 BIND as simple DNS forwarder
- 3 Running BIND in a chrooted environment
- 4 A configuration template for running a domain
- 5 Configuring BIND to serve DNSSEC signed zones
- 6 Automatically listen on new interfaces without chroot and root privileges
- 7 See also
- 8 BIND Resources
BIND as caching-only server
These few steps show you how to install BIND as a caching-only server.
Install BIND
Install the bind package which can be found in the official repositories.
Edit /etc/named.conf and add this under the options section:
listen-on { 127.0.0.1; };
Start BIND
Start the daemon:
rc.d start named
Or add it to /etc/rc.conf:
DAEMONS=(.. named ..)
Set /etc/resolv.conf to use the local DNS server
Edit /etc/resolv.conf:
nameserver 127.0.0.1
BIND as simple DNS forwarder
If, for example, you have problems with VPN connections, they can sometimes be solved by setting up a forwarding DNS server. This is very simple with BIND. Add these lines to /etc/named.conf, and change the IP address according to your setup.
listen-on { 192.168.66.1; };
forwarders { 8.8.8.8; 8.8.4.4; };
Don't forget to restart the service!
Running BIND in a chrooted environment
Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.
A configuration template for running a domain
In our example we use "domain.tld" as our domain.
1. Preparing some folder structure
mkdir /var/named/{pri,sec}
2. Creating a zonefile
# nano /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@               IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                2007011601      ; Serial
                                28800           ; Refresh
                                1800            ; Retry
                                604800          ; Expire - 1 week
                                86400 )         ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX      10 mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"
$TTL defines the default time-to-live for all record types. 7200 is given in seconds, so it is 2 hours.
Serial must be incremented manually every time you change a resource record for the zone, before restarting named. If you forget, the slaves will not re-transfer the zone: they only do so when the serial is greater than the one they saw at the last transfer.
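As an added illustration of the serial rule above (example code, not part of the original article), this script reads the SOA serial out of a zone file in the template's layout, bumps it in the YYYYMMDDnn scheme the template uses, and checks the result with the RFC 1982 serial arithmetic that slaves apply when deciding whether to transfer. The sample zone text is constructed here; the function names are my own.

```python
import re
# Constructed sample in the layout of the template above (not a file from the page).
ZONE_TEXT = """$TTL 7200
; domain.tld
@   IN  SOA ns01.domain.tld. postmaster.domain.tld. (
            2007011601 ; Serial
            28800      ; Refresh
            1800       ; Retry
            604800     ; Expire - 1 week
            86400 )    ; Minimum
    IN  NS  ns01
"""
SOA_RE = re.compile(r"\bSOA\b(.*?)\)", re.DOTALL)

def strip_comments(text):
    # Drop ';' comments so the numbers inside the SOA parentheses can be tokenised.
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())

def read_serial(zone_text):
    """Return the SOA serial: the first numeric field after MNAME and RNAME."""
    m = SOA_RE.search(strip_comments(zone_text))
    if not m:
        raise ValueError("no SOA record found")
    fields = m.group(1).replace("(", " ").split()
    if len(fields) < 7:  # mname rname serial refresh retry expire minimum
        raise ValueError("SOA record is incomplete")
    return int(fields[2])

def serial_is_newer(new, old):
    """RFC 1982 serial arithmetic, which is what a slave applies: the master's
    serial counts as greater only if (new - old) mod 2^32 is in 1 .. 2^31-1."""
    diff = (new - old) % (1 << 32)
    return 0 < diff < (1 << 31)

def next_serial(old, today):
    """Bump a YYYYMMDDnn serial (the template's scheme). today is 'YYYYMMDD':
    the first change on a new day gets nn=00, later changes add 1."""
    new = int(today) * 100 if old < int(today) * 100 else old + 1
    if new // 100 != max(old // 100, int(today)):
        raise ValueError("more than 100 changes in one day; use a different scheme")
    if not serial_is_newer(new, old):
        raise ValueError("slaves would not treat the new serial as greater")
    return new

def bump_zone(zone_text, today):
    """Return (zone text with the serial replaced, new serial)."""
    old = read_serial(zone_text)
    new = next_serial(old, today)
    return re.sub(r"\b%d\b" % old, str(new), zone_text, count=1), new
```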
3. Configuring master server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        notify no;
};
4. Configuring slave server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
        type slave;
        file "sec/domain.tld.zone";
        masters { 0.0.0.0; }; # IP address of the master server
};
Restart the services and you are done.
Configuring BIND to serve DNSSEC signed zones
See DNSSEC#BIND (serving_signed_DNS_zones)
Automatically listen on new interfaces without chroot and root privileges
Add the
interface-interval <rescan-timeout-in-minutes>;
parameter to the options section of named.conf. Then modify the rc script:
stat_busy "Starting DNS" - [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} + setcap cap_net_bind_service=eip /usr/sbin/named + NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'` + [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
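Review bot: the added `setcap cap_net_bind_service=eip /usr/sbin/named` line makes the capability a persistent attribute of the binary, so any process that executes /usr/sbin/named, not only the one this script starts, can bind privileged ports; the text should say that the binary must not be executable by unprivileged users, and that the attribute is not preserved when the file is replaced (which is why it is re-applied on every start). The `sed 's#-u [[:alnum:]]*##'` substitution only strips a user name made of letters and digits, so a value such as `-u named-user` or `-u bind_dns` stays in NAMED_ARGS and named is still told to switch users itself after `sudo -u`; a pattern such as `-u [^ ]*` would cover those cases.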
So your /etc/rc.d/named should look like this:
stat_busy "Starting DNS"
setcap cap_net_bind_service=eip /usr/sbin/named
NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
[ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
Change the user name in the last line (the one with "... sudo -u named ...") if your named user is not 'named'.