Difference between revisions of "BIND"

From ArchWiki
(removed the slave server, it does not belong in such an introductory and simple tutorial)
Line 4: Line 4:
  
 
== BIND as caching-only server ==
 
== BIND as caching-only server ==
These few steps show you how to install BIND as a caching-only server.
+
These few steps show you how to install BIND as a local caching-only server.
  
 
=== Install BIND ===
 
=== Install BIND ===
Line 24: Line 24:
  
 
== BIND as simple DNS forwarder ==
 
== BIND as simple DNS forwarder ==
If, for example you have problems with VPN connections, they can sometimes be solved by setting-up forwarding DNS server. It is set very simply with BIND. Add these lines to {{ic|/etc/named.conf}}, and change IP address according to your setup.
+
If you have problems with, for example, VPN connections, they can sometimes be solved by setting-up a forwarding DNS server. This is very simple with BIND. Add these lines to {{ic|/etc/named.conf}}, and change IP address according to your setup.
 
  listen-on { 192.168.66.1; };
 
  listen-on { 192.168.66.1; };
  forwarders {8.8.8.8; 8.8.4.4; };
+
  forwarders { 8.8.8.8; 8.8.4.4; };
 
Don't forget to restart the service!
 
Don't forget to restart the service!
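Review bot: moving `listen-on` from 127.0.0.1 to 192.168.66.1 exposes the recursive forwarder to every host that can reach that address, and the hunk adds no `allow-recursion`/`allow-query` restriction beside `forwarders { 8.8.8.8; 8.8.4.4; };`; the paragraph should say which networks are meant to use it and show the ACL, or at least point out that BIND's built-in default (localhost and localnets) is all that limits recursion. Also, `listen-on { 127.0.0.1; };` from the caching-only section is replaced rather than extended, so resolution through the `nameserver 127.0.0.1` in /etc/resolv.conf stops working unless 127.0.0.1 stays in the list.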
  
Line 35: Line 35:
 
In our example we use "domain.tld" as our domain.
 
In our example we use "domain.tld" as our domain.
  
=== 1. Preparing some folder structure ===
+
=== 1. Creating a zonefile ===
mkdir /var/named/{pri,sec}
+
  # nano /var/named/domain.tld.zone
 
+
=== 2. Creating a zonefile ===
+
  # nano /var/named/pri/domain.tld.zone
+
  
 
  $TTL 7200
 
  $TTL 7200
Line 62: Line 59:
 
  @              IN      TXT    "v=spf1 mx"
 
  @              IN      TXT    "v=spf1 mx"
  
$TTL defines the default time-to-live for all record types. 7200 are seconds so its 2 hours.
+
$TTL defines the default time-to-live in seconds for all record types. In this example it is 2 hours.
  
 
Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
 
Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
  
=== 3. Configuring master server ===
+
=== 2. Configuring master server ===
 
Add your zone to {{ic|/etc/named.conf}}:
 
Add your zone to {{ic|/etc/named.conf}}:
 
  zone "domain.tld" IN {
 
  zone "domain.tld" IN {
 
         type master;
 
         type master;
         file "pri/domain.tld.zone";
+
         file "domain.tld.zone";
 
         allow-update { none; };
 
         allow-update { none; };
 
         notify no;
 
         notify no;
 
  };
 
  };
  
=== 4. Configuring slave server ===
+
Change {{ic|listen-on { 127.0.0.1; };}} to {{ic|listen-on { 127.0.0.1; };}} if you want other computers to make use of your DNS server.
Add your zone to {{ic|/etc/named.conf}}:
+
zone "domain.tld" IN {
+
        type slave;
+
        file "sec/domain.tld.zone";
+
        masters { 0.0.0.0; };   # IP address of the master server
+
};
+
  
 
Restart the services and you are done.
 
Restart the services and you are done.
 +
 +
For a more elaborate example see [http://www.howtoforge.com/two_in_one_dns_bind9_views Two-in-one DNS server with BIND9].
  
 
== Configuring BIND to serve DNSSEC signed zones ==
 
== Configuring BIND to serve DNSSEC signed zones ==
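Review bot: the added sentence "Change {{ic|listen-on { 127.0.0.1; };}} to {{ic|listen-on { 127.0.0.1; };}}" has the same value on both sides and tells the reader nothing; name the target (the 192.168.66.1 used in the forwarder section, or `any`) and warn that the zone is then served to everyone who reaches that address. Also, with the slave section removed, the serial paragraph still explains the serial only in terms of slaves re-transferring the zone; either drop the slave wording or keep the paragraph and add that `notify no;` in the master block means any secondary only notices a change when its refresh timer expires.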

Revision as of 02:13, 16 December 2012

Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

BIND as caching-only server

These few steps show you how to install BIND as a local caching-only server.

Install BIND

Install the bind package which can be found in the official repositories.

Edit /etc/named.conf and add this under the options section:

listen-on { 127.0.0.1; };

Start BIND

Start the daemon:

systemctl start named

Optionally, set it to start up on boot:

systemctl enable named

Set /etc/resolv.conf to use the local DNS server

Edit /etc/resolv.conf:

nameserver 127.0.0.1

BIND as simple DNS forwarder

If you have problems with, for example, VPN connections, they can sometimes be solved by setting up a forwarding DNS server. This is very simple with BIND. Add these lines to the options section of /etc/named.conf, and change the IP addresses according to your setup: 192.168.66.1 stands for the address of the interface other computers reach, and 8.8.8.8 and 8.8.4.4 for the upstream resolvers to which every query is forwarded.

listen-on { 192.168.66.1; };
forwarders { 8.8.8.8; 8.8.4.4; };

Do not forget to restart the service. Because named now listens on a network-reachable address, restrict who may recurse through it (allow-recursion in the options section) to the networks that should use it, unless you intend to run an open resolver for them.
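The forwarder above next to the hardened form a practitioner would actually deploy, as an added example that is not from the ArchWiki page. The page's two lines are shown first in context; the second options block is what to put in their place (named.conf allows only one options block). The ACL name "lan", the 192.168.66.0/24 network behind the listener address and the choice of "forward only" are assumptions; adjust them to your setup.

```conf
// Weak (the page's two lines in context): named answers on the LAN address
// and forwards upstream, but who may recurse through it is left to whatever
// allow-recursion says elsewhere in the file, or to BIND's built-in default.
options {
    listen-on { 192.168.66.1; };
    forwarders { 8.8.8.8; 8.8.4.4; };
};

// Hardened: the same forwarder, with recursion and cache access limited to
// the local network. "lan" and 192.168.66.0/24 are assumed values.
acl "lan" { 127.0.0.1; 192.168.66.0/24; };

options {
    listen-on { 127.0.0.1; 192.168.66.1; };   // keep 127.0.0.1 for the local /etc/resolv.conf
    forwarders { 8.8.8.8; 8.8.4.4; };
    forward only;                // "forward first" (the default) would fall back to full recursion
    recursion yes;
    allow-query { lan; };        // who may ask at all
    allow-recursion { lan; };    // who may have us resolve on their behalf
    allow-query-cache { lan; };  // who may read answers already in the cache
    allow-transfer { none; };    // no zone transfers from a pure forwarder
};
```

If the same server also serves the authoritative zone from the next section to the outside world, put `allow-query { any; };` inside that zone block: the zone-level setting overrides the options-level one, so only recursion stays restricted to the LAN.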

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.

A configuration template for running a domain

In our example we use "domain.tld" as our domain. The 0.0.0.0 addresses in the zone file are placeholders to replace with your real addresses, and the ns02 name server record assumes a second (secondary) server; drop it if you only run the single master configured below.

1. Creating a zonefile

# nano /var/named/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL sets the default time-to-live, in seconds, for every record that does not carry its own TTL. In this example it is 7200 seconds, i.e. 2 hours.

The serial must be incremented every time you change a resource record in the zone, before restarting (or reloading) named. If you forget, secondaries will not re-transfer the zone: they only do so when the master's serial is greater than the one they had the last time they transferred it.

2. Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";
        allow-update { none; };
        notify no;
};

Change listen-on { 127.0.0.1; }; to the address of the interface other computers reach, as in the forwarder example above (listen-on { 192.168.66.1; };), if you want other computers to make use of your DNS server. Everyone who can reach that address can then query the zone; if the server also recurses for clients, limit that with allow-recursion to the networks that should use it.

Restart named and you are done.

For a more elaborate example see Two-in-one DNS server with BIND9.

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#BIND (serving signed DNS zones)

Automatically listen on new interfaces without chroot and root privileges

Add

 interface-interval <rescan-interval-in-minutes>;

to the options section of named.conf; named then rescans the network interfaces at that interval (the default is 60 minutes) and starts listening on any new address it finds. This section applies to the initscripts /etc/rc.d/named (the caching-only section above uses systemd's systemctl). The rc script is changed to start named directly as the unprivileged user, with the capability to bind port 53 granted on the binary, instead of starting it as root and dropping privileges with -u:

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
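Review bot: `setcap cap_net_bind_service=eip /usr/sbin/named` is re-run as root on every start, and because the capability is stored on the file it is available to every user who can execute named, not only to the `sudo -u named` that follows; run setcap once at install time and verify it with `getcap /usr/sbin/named` rather than in the start path. The `sed 's#-u [[:alnum:]]*##'` strip also stops short when NAMED_ARGS carries a user name containing a character outside [[:alnum:]] (a hyphen or underscore), leaving a truncated argument behind after sudo has already switched users; `-u [^ ]*` avoids that.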

So your /etc/rc.d/named should look like this:

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change the user name in the last line (the "... sudo -u named ..." part) if your named user is not named.

See also

BIND Resources