Difference between revisions of "BIND"

From ArchWiki
Jump to: navigation, search
(removed remaining chroot references)
m (Configuring BIND to serve DNSSEC signed zones)
Line 86: Line 86:
  
 
== Configuring BIND to serve DNSSEC signed zones ==
 
== Configuring BIND to serve DNSSEC signed zones ==
See [[DNSSEC#BIND (serving_signed_DNS_zones)]]
+
See [[DNSSEC#BIND (serving signed DNS zones)]]
  
 
== Automatically listen on new interfaces without chroot and root privileges ==
 
== Automatically listen on new interfaces without chroot and root privileges ==

Revision as of 10:52, 8 October 2012

Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

BIND as caching-only server

These few steps show you how to install BIND as a caching-only server.

Install BIND

Install the bind package which can be found in the official repositories.

Edit /etc/named.conf and add this under the options section:

listen-on { 127.0.0.1; };

Start BIND

Start the daemon:

rc.d start named

Or add it to /etc/rc.conf:

DAEMONS=(.. named ..)

Set /etc/resolv.conf to use the local DNS server

Edit /etc/resolv.conf:

nameserver 127.0.0.1

BIND as simple DNS forwarder

If, for example you have problems with VPN connections, they can sometimes be solved by setting-up forwarding DNS server. It is set very simply with BIND. Add these lines to /etc/named.conf, and change IP address according to your setup.

listen-on { 192.168.66.1; };
forwarders {8.8.8.8; 8.8.4.4; };

Don't forget to restart the service!

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.

A configuration template for running a domain

In our example we use "domain.tld" as our domain.

1. Preparing some folder structure

mkdir /var/named/{pri,sec}

2. Creating a zonefile

# nano /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live for all record types. 7200 are seconds so its 2 hours.

Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.

3. Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        notify no;
};

4. Configuring slave server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type slave;
        file "sec/domain.tld.zone";
        masters { 0.0.0.0; };   # IP address of the master server
};

Restart the services and you are done.

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#BIND (serving signed DNS zones)

Automatically listen on new interfaces without chroot and root privileges

Add

 interface-interval <rescan-timeout-in-minutes>;

parameter into named.conf options. Then you should modify rc-script:

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

So your /etc/rc.d/named should look like this:

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.

See also

BIND Resources