Difference between revisions of "BIND"

From ArchWiki
(reordered the article, put the most important info on top. the example still needs more information)
(9 intermediate revisions by 4 users not shown)
Line 1: Line 1:
 
[[Category:Domain Name System]]
 
[[Category:Domain Name System]]
[[Category:Daemons and system services]]
+
[[de:BIND]]
 
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
 
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
  
== BIND as caching-only server ==
+
== Installation ==
These few steps show you how to install BIND as a caching-only server.
+
These few steps show you how to install BIND and set it up as a local caching-only server.
  
=== Install BIND ===
 
 
[[pacman|Install]] the {{Pkg|bind}} package which can be found in the [[Official Repositories|official repositories]].
 
[[pacman|Install]] the {{Pkg|bind}} package which can be found in the [[Official Repositories|official repositories]].
  
Edit {{ic|/etc/named.conf}} and add this under the options section:
+
Optionally edit {{ic|/etc/named.conf}} and add this under the options section, to only allow connections from the localhost:
 
  listen-on { 127.0.0.1; };
 
  listen-on { 127.0.0.1; };
  
=== Adding named to boot process ===
+
Edit {{ic|/etc/resolv.conf}} to use the local DNS server:
Edit {{ic|/etc/rc.conf}} (See also [[rc.conf]]):
+
DAEMONS=(.. '''named''' ..)
+
 
+
=== Set /etc/resolv.conf to use the local DNS server ===
+
Edit {{ic|/etc/resolv.conf}} (See also [[resolv.conf]]):
+
 
  nameserver 127.0.0.1
 
  nameserver 127.0.0.1
  
== BIND as simple DNS forwarder ==
+
[[Daemon#Managing daemons|Start]] the '''named''' daemon.
If, for example you have problems with VPN connections, they can sometimes be solved by setting-up forwarding DNS server. It is set very simply with BIND. Add these lines to {{ic|/etc/named.conf}}, and change IP address according to your setup.
+
 
+
{{hc|/etc/named.conf|<nowiki>
+
listen-on { 192.168.66.1; };
+
forwarders {8.8.8.8; 8.8.4.4; };
+
</nowiki>}}
+
 
+
then don't forget to turn bind on, and add it to the demons array in /etc/rc.conf
+
 
+
== Automatically listen on new interfaces without chroot and root privileges ==
+
Add
+
  interface-interval <rescan-timeout-in-minutes>;
+
parameter into {{ic|named.conf}} options. Then you should modify rc-script:
+
<pre>
+
    stat_busy "Starting DNS"
+
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+
+    setcap cap_net_bind_service=eip /usr/sbin/named
+
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
+
</pre>
+
 
+
So your {{ic|/etc/rc.d/named}} should look like this:
+
<pre>
+
    stat_busy "Starting DNS"
+
    setcap cap_net_bind_service=eip /usr/sbin/named
+
    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+
    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
+
</pre>
+
 
+
Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.
+
 
+
== Running BIND in a chrooted environment ==
+
Running in a [[chroot]] environment is not required but improves security. If you want you may implement this feature later and skip directly to [[BIND#A_configuration_template_for_running_a_domain|configuration section]] (see also [[BIND (chroot)]]).
+
 
+
=== Preparing the chroot ===
+
Define the chroot directory, for example:
+
CHROOT="/chroot/named"
+
 
+
Create chroot directories
+
mkdir -m 700 -p ${CHROOT}
+
mkdir -p ${CHROOT}/{dev,etc,var/run/named}
+
 
+
To enable logging inside chroot, you also need to create a log directory:
+
mkdir ${CHROOT}/var/log
+
 
+
and inside this a file named.log as per logging statement in {{ic|named.conf}}:
+
touch ${CHROOT}/var/log/named.log
+
 
+
You may also want to access this file from {{ic|/var/log}}:
+
ln -sf ${CHROOT}/var/log/named.log /var/log
+
 
+
=== Copy necessary files ===
+
cp -v /etc/named.conf ${CHROOT}/etc/
+
cp -v /etc/localtime ${CHROOT}/etc/
+
cp -Rv /var/named ${CHROOT}/var/
+
 
+
=== As of BIND 9.8.0, you will need libgost.so to run BIND in a chroot ===
+
mkdir -p ${CHROOT}/usr/lib/engines
+
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
+
 
+
=== Create block devices ===
+
mknod ${CHROOT}/dev/zero c 1 5
+
mknod ${CHROOT}/dev/random c 1 8
+
 
+
=== Set permissions ===
+
chown -R named:named ${CHROOT}/var/{,run/}named
+
chmod 666 ${CHROOT}/dev/{random,zero}
+
chown root:named ${CHROOT}
+
chmod 0750 ${CHROOT}
+
 
+
If you enabled logging (see above):
+
chown named:named ${CHROOT}/var/log/named.log
+
 
+
=== Prepare the rc script ===
+
cp /etc/rc.d/named /etc/rc.d/named-chroot
+
 
+
Edit {{ic|/etc/rc.d/named-chroot}} and simply add {{ic|<nowiki>-t ${CHROOT}</nowiki>}} to
+
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+
so that it looks like
+
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
+
Also change
+
PIDFILE=/var/run/named/named.pid
+
to
+
PIDFILE=${CHROOT}/var/run/named/named.pid
+
 
+
=== Prepare variables ===
+
# vim /etc/conf.d/named
+
 
+
CHROOT="/chroot/named"
+
 
+
=== Starting named-chroot on bootup ===
+
You probably followed the first section before, so you have to add {{ic|-chroot}} to the existing named, so that it looks like this                                 
+
 
+
Edit {{ic|/etc/[[rc.conf]]}}:
+
DAEMONS=(.. '''named-chroot''' ..)
+
 
+
=== Start the service ===
+
# /etc/rc.d/named-chroot start
+
 
+
=== Test the service ===
+
# host wiki.archlinux.org 127.0.0.1
+
 
+
Output should be something like this
+
Using domain server:
+
Name: 127.0.0.1
+
Address: 127.0.0.1#53
+
Aliases:
+
+
wiki.archlinux.org is an alias for archlinux.org.
+
archlinux.org has address 66.211.213.17
+
archlinux.org mail is handled by 10 mail.archlinux.org.
+
 
+
=== Script to regenerate the chroot environment ===
+
I use this script to (re)generate BIND chroot environment. A suitable location is {{ic|/usr/local/sbin/updatebindchroot}}:
+
 
+
#!/bin/sh
+
# Prepare or update a chroot environment for running BIND
+
# see http://wiki.archlinux.org/index.php/BIND
+
+
. /etc/conf.d/named
+
+
# create chroot directories
+
mkdir -m 700 -p ${CHROOT}
+
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}
+
+
# copy necessary files
+
cp /etc/named.conf ${CHROOT}/etc/
+
cp /etc/localtime ${CHROOT}/etc/
+
cp -R /var/named ${CHROOT}/var/
+
touch ${CHROOT}/var/log/named.log
+
+
# create block devices
+
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
+
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null
+
+
# set permissions
+
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
+
chmod 666 ${CHROOT}/dev/{random,zero}
+
chown root:named ${CHROOT}
+
chmod 0750 ${CHROOT}
+
 
+
I call this in {{ic|/etc/rc.d/named-chroot}} just before running named:
+
/usr/local/sbin/updatebindchroot
+
 
+
Now you can edit configuration in {{ic|/etc/named.conf}} and mappings in {{ic|/var/named}}. Then both {{ic|named}} and {{ic|named-chroot}} can be used (one at a time of course). Restarting {{ic|named-chroot}} recreates the chroot applying configuration changes. You should never edit config files residing in the chroot. This should be considered essentially as read-only.
+
 
+
== Configuring BIND to serve DNSSEC signed zones ==
+
See [[DNSSEC#BIND (serving_signed_DNS_zones)]]
+
  
 
== A configuration template for running a domain ==
 
== A configuration template for running a domain ==
In our example we use "domain.tld" as our domain.
+
This is a simple tutorial in howto setup a simple home network DNS-server with bind. In our example we use "domain.tld" as our domain.
 
+
=== 1. Preparing some folder structure ===
+
mkdir /var/named/{pri,sec}
+
  
If using chroot:
+
For a more elaborate example see [http://www.howtoforge.com/two_in_one_dns_bind9_views Two-in-one DNS server with BIND9].
mkdir ${CHROOT}/var/named/{pri,sec}
+
  
=== 2. Creating a zonefile ===
+
=== 1. Creating a zonefile ===
  # vim /var/named/pri/domain.tld.zone
+
  # nano /var/named/domain.tld.zone
  
 
  $TTL 7200
 
  $TTL 7200
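Review bot: at "to only allow connections from the localhost" the new Installation text over-describes what `listen-on { 127.0.0.1; };` does: it only chooses the IPv4 addresses named binds to, and IPv6 listening is controlled separately by `listen-on-v6`, so the sentence should say the server will listen only on the IPv4 loopback address and also show `listen-on-v6 { ::1; };` (or `{ none; };`) for a truly local-only setup.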
Line 203: Line 45:
 
  @              IN      TXT    "v=spf1 mx"
 
  @              IN      TXT    "v=spf1 mx"
  
$TTL defines the default time-to-live for all record types. 7200 are seconds so its 2 hours.
+
$TTL defines the default time-to-live in seconds for all record types. In this example it is 2 hours.
  
 
Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
 
Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
  
=== 3. Configuring master server ===
+
=== 2. Configuring master server ===
Copy the zonefile if using a chroot:
+
Add your zone to {{ic|/etc/named.conf}}:
cp domain.tld.zone ${CHROOT}/var/named/pri/
+
 
+
Edit {{ic|/etc/named.conf}}:
+
 
  zone "domain.tld" IN {
 
  zone "domain.tld" IN {
 
         type master;
 
         type master;
         file "pri/domain.tld.zone";
+
         file "domain.tld.zone";
 
         allow-update { none; };
 
         allow-update { none; };
 
         notify no;
 
         notify no;
 
  };
 
  };
  
Copy to chroot:
+
Restart the daemon and you are done.
cp named.conf ${CHROOT}/etc/
+
  
=== 4. Configuring slave server ===
+
== BIND as simple DNS forwarder ==
If using chroot:
+
If you have problems with, for example, VPN connections, they can sometimes be solved by setting-up a forwarding DNS server. This is very simple with BIND. Add these lines to {{ic|/etc/named.conf}}, and change IP address according to your setup.
cp domain.tld.zone ${CHROOT}/var/named/sec/
+
listen-on { 192.168.66.1; };
 +
forwarders { 8.8.8.8; 8.8.4.4; };
 +
Don't forget to restart the service!
  
Edit {{ic|/etc/named.conf}}:
+
== Running BIND in a chrooted environment ==
zone "domain.tld" IN {
+
Running in a [[chroot]] environment is not required but improves security. See [[BIND (chroot)]] for how to do this.
        type slave;
+
        file "sec/domain.tld.zone";
+
        masters { 0.0.0.0; };  # IP address of the master server
+
};
+
  
If using chroot:
+
== Configuring BIND to serve DNSSEC signed zones ==
cp named.conf ${CHROOT}/etc/
+
See [[DNSSEC#BIND (serving signed DNS zones)]]
  
Restart the services and you are done.
+
== Automatically listen on new interfaces without chroot and root privileges ==
 +
Add
 +
  interface-interval <rescan-timeout-in-minutes>;
 +
parameter into {{ic|named.conf}} options. Then you should modify rc-script:
 +
<pre>
 +
    stat_busy "Starting DNS"
 +
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
 +
+    setcap cap_net_bind_service=eip /usr/sbin/named
 +
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 +
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 +
</pre>
 +
 
 +
So your {{ic|/etc/rc.d/named}} should look like this:
 +
<pre>
 +
    stat_busy "Starting DNS"
 +
    setcap cap_net_bind_service=eip /usr/sbin/named
 +
    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 +
    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 +
</pre>
 +
 
 +
Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.
  
 
==See also==
 
==See also==
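Review bot: the new "BIND as simple DNS forwarder" section binds a LAN address (`listen-on { 192.168.66.1; };`) and adds `forwarders { 8.8.8.8; 8.8.4.4; };` but says nothing about who may use the resolver; since it no longer listens on loopback only, the example should also show `allow-recursion`/`allow-query` restricted to the local network rather than relying on the defaults, and state `forward only;` if the intent is that every lookup goes through the forwarders (without it BIND falls back to resolving on its own when the forwarders fail). In the "Automatically listen on new interfaces" section, `sed 's#-u [[:alnum:]]*##'` only strips user names made of letters and digits, so a name containing "-" or "_" would stay in NAMED_ARGS and be passed to named alongside `sudo -u`.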

Revision as of 02:34, 16 December 2012

Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

Installation

These few steps show you how to install BIND and set it up as a local caching-only server.

Install the bind package which can be found in the official repositories.

Optionally edit /etc/named.conf and add this under the options section, to only allow connections from the localhost:

listen-on { 127.0.0.1; };

Edit /etc/resolv.conf to use the local DNS server:

nameserver 127.0.0.1

Start the named daemon.

A configuration template for running a domain

This is a simple tutorial on how to set up a simple home network DNS server with BIND. In our example we use "domain.tld" as our domain.

For a more elaborate example see Two-in-one DNS server with BIND9.

1. Creating a zonefile

# nano /var/named/domain.tld.zone

$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live in seconds for all record types. In this example it is 2 hours.

The serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it, slaves will not re-transfer the zone: they only do so if the serial is greater than that of the last time they transferred the zone.
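The serial rule above, as an added example (not from the ArchWiki page or the BIND project): a small Python tool that reads the SOA serial from a zone file like the one shown, computes the next serial in the YYYYMMDDnn convention the sample uses, and checks with RFC 1982 serial arithmetic (how BIND actually compares serials, which goes a step beyond the page's "greater than") that a slave will treat the new value as newer. The sample zone text is constructed from the article's example; the function names are my own.

```python
import re
from datetime import date

# Constructed sample: the SOA part of the domain.tld.zone file from the article.
SAMPLE_ZONE = """\
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
"""

# The first integer after "SOA ... (" is the serial (comments are blanked out first).
SOA_SERIAL = re.compile(r"\bSOA\b[^(]*\(\s*(\d+)")

def blank_comments(text: str) -> str:
    """Overwrite ';' comments with spaces so offsets into the original text stay valid."""
    return re.sub(r";[^\n]*", lambda m: " " * len(m.group()), text)

def find_serial(zone: str) -> re.Match:
    m = SOA_SERIAL.search(blank_comments(zone))
    if m is None:
        raise ValueError("no SOA serial found")
    return m

def read_serial(zone: str) -> int:
    return int(find_serial(zone).group(1))

def serial_gt(a: int, b: int) -> bool:
    """RFC 1982: a slave sees a as newer than b only if a is 1..2^31-1 ahead of b mod 2^32."""
    return 0 < (a - b) % (1 << 32) < (1 << 31)

def next_serial(current: int, ymd: int) -> int:
    """YYYYMMDDnn as in the sample: first change of a new day gets nn=00, later ones increment."""
    candidate = max(ymd * 100, current + 1)
    if not serial_gt(candidate, current):  # e.g. a hand-edited serial far ahead of today's date
        raise ValueError(f"{candidate} would not be seen as newer than {current}")
    return candidate

def bump_zone(zone: str, ymd: int = 0) -> tuple:
    """Return the zone text with its SOA serial replaced, plus the new serial."""
    m = find_serial(zone)
    today = ymd or int(date.today().strftime("%Y%m%d"))
    new = next_serial(int(m.group(1)), today)
    return zone[: m.start(1)] + str(new) + zone[m.end(1):], new
```

Run bump_zone over the real file and write the result back before restarting named; the rest of the SOA (refresh, retry, expire, minimum) is left untouched.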

2. Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";
        allow-update { none; };
        notify no;
};

Restart the daemon and you are done.

BIND as simple DNS forwarder

If you have problems with, for example, VPN connections, they can sometimes be solved by setting up a forwarding DNS server. This is very simple with BIND. Add these lines to /etc/named.conf, and change the IP address according to your setup.

listen-on { 192.168.66.1; };
forwarders { 8.8.8.8; 8.8.4.4; };

Don't forget to restart the service!

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#BIND (serving signed DNS zones)

Automatically listen on new interfaces without chroot and root privileges

Add the

 interface-interval <rescan-timeout-in-minutes>;

parameter to the options section of named.conf. Then modify the rc script:

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

So your /etc/rc.d/named should look like this:

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change the user name in the last line (the one with "... sudo -u named ...") if your named user is not 'named'.

See also

BIND Resources