Difference between revisions of "BIND"

From ArchWiki
(creating a zonefile)

Revision as of 10:22, 12 February 2009

This article is a stub.

Bind as caching only server

These few steps show you how to install bind as a caching only server.

Install bind

# pacman -S bind

Edit /etc/named.conf:

listen-on { 127.0.0.1; };
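A fuller options block for a caching-only resolver, added here as an example rather than taken from the page: besides the page's listen-on it restricts who may query and recurse, since a resolver that recurses for anyone on the Internet can be abused for reflection and amplification. The directory path follows the page's /var/named; the remaining options are standard BIND 9 options, and localhost is one of BIND's built-in ACLs.

```conf
options {
    directory "/var/named";

    // accept queries only on the loopback interfaces
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };

    // answer, and recurse, only for this host: a caching-only server
    // has no reason to serve anyone else
    allow-query { localhost; };
    allow-recursion { localhost; };
    recursion yes;

    // do not hand out the exact version string to remote queriers
    version "not disclosed";
};
```

Check the syntax with named-checkconf /etc/named.conf before restarting named.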

Bind needs the kernel module 'capability' to work properly. Load it manually if it is not already loaded or built into the kernel.

# modprobe capability

It is built into vanilla kernels, as confirmed by:

# zless /proc/config.gz | grep CAPABILITIES
CONFIG_SECURITY_CAPABILITIES=y
CONFIG_SECURITY_FILE_CAPABILITIES=y

Adding named to boot process

Edit /etc/rc.conf:

DAEMONS=(.. named ..)

Set resolv.conf for using the local dns

Edit /etc/resolv.conf:

nameserver 127.0.0.1

Running Bind in a chrooted environment

This is not required but improves security. If you want, you may set this up later and skip directly to the configuration section.

Preparing the chroot

Define the chroot directory, for example:

CHROOT="/chroot/named"

Create chroot directories

mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/run/named}

To enable logging inside chroot you also need to create a log directory:

mkdir ${CHROOT}/var/log

and inside this a file named.log as per logging statement in named.conf:

touch ${CHROOT}/var/log/named.log

You may also want to access this file from /var/log:

ln -sf ${CHROOT}/var/log/named.log /var/log

Copy necessary files

cp -v /etc/named.conf ${CHROOT}/etc/
cp -v /etc/localtime ${CHROOT}/etc/
cp -Rv /var/named ${CHROOT}/var/

Create block devices

mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8

Set permissions

chown -R named:named ${CHROOT}/var/{,run/}named
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

If you enabled logging (see above):

chown named:named ${CHROOT}/var/log/named.log

Prepare the rc script

cp /etc/rc.d/named /etc/rc.d/named-chroot

Edit /etc/rc.d/named-chroot and add "-t ${CHROOT}" to the line

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}

so that it looks like:

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}

Prepare variables

# vim /etc/conf.d/named
CHROOT="/chroot/named"

Starting named-chroot on bootup

If you followed the first section, named is already in the DAEMONS array; append '-chroot' to it so that it looks like this:

Edit /etc/rc.conf:

DAEMONS=(.. named-chroot ..)

Start the service

/etc/rc.d/named-chroot start

Test the service

# host wiki.archlinux.org 127.0.0.1

The output should be something like this:

Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

wiki.archlinux.org is an alias for archlinux.org.
archlinux.org has address 66.211.213.17
archlinux.org mail is handled by 10 mail.archlinux.org.

Script to regenerate the chroot environment

I use this script to (re)generate the Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:

#!/bin/bash
# Prepare or update a chroot environment for running Bind
# see http://wiki.archlinux.org/index.php/Bind
# (bash rather than sh: the brace expansions below are not POSIX)

. /etc/conf.d/named   # provides CHROOT
# refuse to run with an empty CHROOT, otherwise the chown/chmod below would hit /
: "${CHROOT:?CHROOT not set in /etc/conf.d/named}"

# create chroot directories
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}

# copy necessary files (the copies are regenerated on every run; edit the originals)
cp /etc/named.conf ${CHROOT}/etc/
cp /etc/localtime ${CHROOT}/etc/
cp -R /var/named ${CHROOT}/var/
touch ${CHROOT}/var/log/named.log

# create device nodes (errors are ignored when the nodes already exist)
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null

# set permissions: named owns its zone, run and log files, root owns the chroot root
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

I call this in /etc/rc.d/named-chroot just before running named:

/usr/local/sbin/updatebindchroot

Now you can edit the configuration in /etc/named.conf and the zone files in /var/named. Both named and named-chroot can then be used (one at a time, of course). Restarting named-chroot recreates the chroot and so applies configuration changes. Never edit the config files residing inside the chroot: treat them as read-only copies.
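As an added example that is not part of the page or its updatebindchroot script, the following POSIX shell checks verify a chroot built the way this section describes: the chroot root owned by root:named and not writable by the named user, nothing under etc/ writable by group or others, dev/zero and dev/random present as character devices 1:5 and 1:8, and the named.conf copy identical to /etc/named.conf (the page treats the copies as read-only). The function names are mine; the layout and ownership are the page's. It uses GNU stat and find.

```shell
#!/bin/sh
# Added example: sanity checks for a BIND chroot laid out as on this page.
# Run as root after updatebindchroot:   sh check_bind_chroot.sh /chroot/named
# Each check prints its findings and returns 1 on failure, 0 when clean.

# check_chroot_perms DIR OWNER
# OWNER is "user:group", by name or by numeric id. named runs as the
# unprivileged "named" user; if that account could write to the chroot root
# or to etc/, it could replace what "named -t" loads on the next start.
check_chroot_perms() {
    dir=$1; owner=$2; rc=0
    [ -d "$dir" ] || { echo "$dir: not a directory"; return 1; }
    if [ "$(stat -c '%U:%G' "$dir")" != "$owner" ] &&
       [ "$(stat -c '%u:%g' "$dir")" != "$owner" ]; then
        echo "$dir: owner is $(stat -c '%U:%G' "$dir"), expected $owner"; rc=1
    fi
    # -perm /022: group-write or other-write bit set (GNU find)
    bad=$( { find "$dir" -maxdepth 0 -perm /022
             find "$dir/etc" -perm /022 2>/dev/null; } )
    if [ -n "$bad" ]; then
        echo "$bad" | sed 's/$/: writable by group or others/'; rc=1
    fi
    return $rc
}

# check_chroot_devices DIR
# dev/zero and dev/random must be the character devices the page creates
# (major:minor 1:5 and 1:8); a regular file or a wrong node would leave
# named without entropy or fail in less obvious ways.
check_chroot_devices() {
    dir=$1; rc=0
    for spec in zero:1:5 random:1:8; do
        name=${spec%%:*}; want=${spec#*:}; node=$dir/dev/$name
        if [ ! -c "$node" ]; then
            echo "$node: missing or not a character device"; rc=1
        elif [ "$(stat -c '%t:%T' "$node")" != "$want" ]; then
            echo "$node: major:minor is $(stat -c '%t:%T' "$node"), expected $want"; rc=1
        fi
    done
    return $rc
}

# check_chroot_config DIR [SRC]
# The copy inside the chroot must match its source (default /etc/named.conf);
# a difference means the copy was edited by hand, or the chroot was not
# regenerated after a configuration change.
check_chroot_config() {
    dir=$1; src=${2:-/etc/named.conf}; copy=$dir/etc/named.conf
    [ -f "$copy" ] || { echo "$copy: missing"; return 1; }
    if ! cmp -s "$src" "$copy"; then
        echo "$copy differs from $src; regenerate the chroot instead of editing the copy"
        return 1
    fi
    return 0
}

# check_bind_chroot DIR: run all checks; returns 1 if any of them failed.
check_bind_chroot() {
    failed=0
    check_chroot_perms "$1" root:named || failed=1
    check_chroot_devices "$1" || failed=1
    check_chroot_config "$1" || failed=1
    [ $failed -eq 0 ] && echo "$1: chroot looks sane"
    return $failed
}

if [ -n "${1:-}" ]; then check_bind_chroot "$1"; fi
```

A convenient place to call it is the named-chroot rc script, right after updatebindchroot and before named is started, so a broken chroot stops the start instead of producing a silently misconfigured server.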

A configuration template for running a domain

In our example we use "domain.tld" as our domain.

1. Preparing some folder structure

mkdir /var/named/{pri,sec}

If using chroot:

mkdir /chroot/named/var/named/{pri,sec}

2. Creating a zonefile

# vim /var/named/pri/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live for all records in the zone. The value is in seconds, so 7200 means 2 hours.

Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves won't retransfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
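Because a forgotten serial bump silently leaves the slaves serving stale data, it is worth scripting. As an added example (not from the ArchWiki page), this POSIX shell helper bumps the serial in the page's YYYYMMDDnn format and then validates the zone with named-checkzone, a checker shipped with BIND, when it is installed. It assumes the serial line carries the "; Serial" comment shown above; the zone in the demo at the bottom is constructed, and the function names are mine.

```shell
#!/bin/sh
# Added example: bump the SOA serial of a zone file before reloading named.
# Assumes the page's YYYYMMDDnn serial and its "; Serial" comment on that line.

# next_serial CURRENT TODAY -> prints the next serial.
# If CURRENT already belongs to today's date (or a later one, e.g. after a
# clock change) just add 1; otherwise start today's sequence at nn=00.
# Either way the result is greater than CURRENT, which is all a slave
# needs in order to retransfer the zone.
next_serial() {
    cur=$1; today=$2
    cur_day=$(printf '%s' "$cur" | cut -c1-8)
    if [ "$cur_day" -lt "$today" ]; then
        printf '%s00\n' "$today"
    else
        echo $((cur + 1))
    fi
}

# bump_zone_serial FILE [TODAY] -> rewrites the serial in place, prints it.
bump_zone_serial() {
    file=$1; today=${2:-$(date +%Y%m%d)}
    cur=$(awk '/; *Serial/ { print $1; exit }' "$file")
    [ -n "$cur" ] || { echo "no '; Serial' line in $file" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    sed -i "/; *Serial/ s/$cur/$new/" "$file"
    echo "$new"
}

# check_zone ORIGIN FILE -> run BIND's own syntax/consistency check if present.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed; skipping zone check" >&2
    fi
}

# demo on a constructed zone (192.0.2.1 is a documentation address)
demo_zone=$(mktemp)
cat > "$demo_zone" <<'EOF'
$TTL 7200
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
ns01            IN      A       192.0.2.1
EOF
echo "old serial: $(awk '/; *Serial/ { print $1 }' "$demo_zone")"
echo "new serial: $(bump_zone_serial "$demo_zone")"
check_zone domain.tld "$demo_zone"
rm -f "$demo_zone"
```

For the real zone: bump_zone_serial /var/named/pri/domain.tld.zone, run check_zone domain.tld on it, and only then copy it into the chroot and restart named-chroot.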

3. Configuring master server

Copy the zonefile if using a chroot:

cp domain.tld.zone /chroot/named/var/named/pri/

Edit /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "pri/domain.tld.zone";
        allow-update { none; };
        notify no;
};

Copy to chroot:

cp named.conf /chroot/named/etc/

4. Configuring slave server

If using chroot:

cp domain.tld.zone /chroot/named/var/named/sec/

Edit /etc/named.conf:

zone "domain.tld" IN {
        type slave;
        file "sec/domain.tld.zone";
        masters { 0.0.0.0; };   # ip address of the master server
};

If using chroot:

cp named.conf /chroot/named/etc/

Restart the services and you're done.

BIND Resources

* bind-users FAQ: http://bind-users.info/FAQ.html
* BIND 9 DNS Administration Reference Book: http://www.reedmedia.net/books/bind-dns/
* Pro DNS and BIND: http://www.netwidget.net/books/apress/dns/intro.html
* Internet Systems Consortium, Inc. (ISC): http://www.isc.org/
* DNS Glossary: http://www.menandmice.com/knowledgehub/dnsglossary