Difference between revisions of "BIND"

From ArchWiki
(Copy necessary files)
(Allow recursion: rm part duplicating Installation: , flag for accuracy)
 
(103 intermediate revisions by 37 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]]
+
[[Category:Domain Name System]]
[[Category:Daemons and system services (English)]]
+
[[de:BIND]]
[[Category:HOWTOs (English)]]
+
[[es:BIND]]
{{Out of date}}
+
[[fr:BIND]]
 +
[[ja:BIND]]
 +
[[zh-hans:BIND]]
 +
{{Related articles start}}
 +
{{Related|DNSCrypt}}
 +
{{Related|dnsmasq}}
 +
{{Related|Pdnsd}}
 +
{{Related|Unbound}}
 +
{{Related|PowerDNS}}
 +
{{Related articles end}}
 +
{{Style|Numerous style and content issues.}}
 +
[https://www.isc.org/downloads/bind/ BIND] (or named) is the most widely used Domain Name System (DNS) server.
  
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
+
{{Note|The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.[https://kb.isc.org/article/AA-00861/0/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html]}}
  
== Bind as caching only server ==
+
== Installation ==
These few steps show you how to install bind as a caching only server.
 
  
=== Install bind ===
+
[[Install]] the {{Pkg|bind}} package.
# pacman -S bind
 
  
Edit /etc/named.conf and add this under the options section
+
[[Start/enable]] the {{ic|named.service}} systemd unit.
listen-on { 127.0.0.1; };
 
  
=== Adding named to boot process ===
+
To use the DNS server locally, use the {{ic|127.0.0.1}} nameserver, see [[Domain name resolution]].
Edit /etc/rc.conf:
+
This will however require you to [[#Allow recursion]].
DAEMONS=(.. '''named''' ..)
 
  
=== Set resolv.conf for using the local dns ===
+
== Configuration ==
Edit /etc/resolv.conf:
 
nameserver 127.0.0.1
 
  
== Automatically listen on new interfaces without chroot and root privileges ==
+
BIND is configured in {{ic|/etc/named.conf}}. The available options are documented in {{man|5|named.conf}}.
Add
 
  interface-interval <rescan-timeout-in-minutes>;
 
parameter into named.conf options. Then you should modify rc-script:
 
<pre>
 
    stat_busy "Starting DNS"
 
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
 
+    setcap cap_net_bind_service=eip /usr/sbin/named
 
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 
</pre>
 
  
So your /etc/rc.d/named should look like this:
+
[[Reload]] the {{ic|named.service}} unit to apply configuration changes.
<pre>
 
    stat_busy "Starting DNS"
 
    setcap cap_net_bind_service=eip /usr/sbin/named
 
    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 
    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 
</pre>
 
  
Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.
+
===Restrict access to localhost===
  
== Running Bind in a chrooted environment ==
+
BIND by defaults listens on all interfaces and IP addresses.
This is not required but improves security. If you want you may implement this feature later and skip directly to [[Bind#A_configuration_template_for_running_a_domain|configuration section]].
 
  
=== Preparing the chroot ===
+
To only allow connections from localhost add the following line to the options section in {{ic|/etc/named.conf}}:
Define the chroot directory, for example:
+
  listen-on { 127.0.0.1; };
  CHROOT="/chroot/named"
 
  
Create chroot directories
+
=== Set up DNS forwarding ===
mkdir -m 700 -p ${CHROOT}
 
mkdir -p ${CHROOT}/{dev,etc,var/run/named}
 
  
To enable logging inside chroot you also need to create a log directory:
+
To make BIND forward DNS queries to another DNS server add the forwarders clause to the options section.
mkdir ${CHROOT}/var/log
 
  
and inside this a file named.log as per logging statement in named.conf:
+
Example to make BIND forward to the Google DNS servers:
touch ${CHROOT}/var/log/named.log
 
  
You may also want to access this file from /var/log:
+
  forwarders { 8.8.8.8; 8.8.4.4; };
  ln -sf ${CHROOT}/var/log/named.log /var/log
 
  
=== Copy necessary files ===
+
== A configuration template for running a domain ==
cp -v /etc/named.conf ${CHROOT}/etc/
 
cp -v /etc/localtime ${CHROOT}/etc/
 
cp -Rv /var/named ${CHROOT}/var/
 
 
 
=== As of BIND 9.8.0, you will need libgost.so to run BIND in a chroot ===
 
mkdir -p ${CHROOT}/usr/lib/engines
 
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
 
 
 
=== Create block devices ===
 
mknod ${CHROOT}/dev/zero c 1 5
 
mknod ${CHROOT}/dev/random c 1 8
 
 
 
=== Set permissions ===
 
chown -R named:named ${CHROOT}/var/{,run/}/named
 
chmod 666 ${CHROOT}/dev/{random,zero}
 
chown root:named ${CHROOT}
 
chmod 0750 ${CHROOT}
 
 
 
If you enabled logging (see above):
 
chown named:named ${CHROOT}/var/log/named.log
 
 
 
=== Prepare the rc script ===
 
cp /etc/rc.d/named /etc/rc.d/named-chroot
 
 
 
Edit /etc/rc.d/named-chroot and simply add "-t ${CHROOT}" to
 
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
 
so that it looks like
 
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
 
 
 
=== Prepare variables ===
 
# vim /etc/conf.d/named
 
 
 
CHROOT="/chroot/named"
 
 
 
=== Starting named-chroot on bootup ===
 
you probably followed the first section before, so you have to add '-chroot' to the existing named, so that it looks like this                                 
 
 
 
Edit /etc/rc.conf:
 
DAEMONS=(.. '''named-chroot''' ..)
 
 
 
=== Start the service ===
 
/etc/rc.d/named-chroot start
 
 
 
=== Test the service ===
 
# host wiki.archlinux.org 127.0.0.1
 
  
Output should be something like this
+
This is a simple tutorial in howto setup a simple home network DNS-server with bind. In our example we use "domain.tld" as our domain.
Using domain server:
 
Name: 127.0.0.1
 
Address: 127.0.0.1#53
 
Aliases:
 
 
wiki.archlinux.org is an alias for archlinux.org.
 
archlinux.org has address 66.211.213.17
 
archlinux.org mail is handled by 10 mail.archlinux.org.
 
  
=== Script to regenerate the chroot environment ===
+
For a more elaborate example see [http://www.howtoforge.com/two_in_one_dns_bind9_views Two-in-one DNS server with BIND9].
I use this script to (re)generate Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:
 
 
 
#!/bin/sh
 
# Prepare or update a chroot environment for running Bind
 
# see http://wiki.archlinux.org/index.php/Bind
 
 
. /etc/conf.d/named
 
 
# create chroot directories
 
mkdir -m 700 -p ${CHROOT}
 
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}
 
 
# copy necessary files
 
cp /etc/named.conf ${CHROOT}/etc/
 
cp /etc/localtime ${CHROOT}/etc/
 
cp -R /var/named ${CHROOT}/var/
 
touch ${CHROOT}/var/log/named.log
 
 
# create block devices
 
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
 
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null
 
 
# set permissions
 
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
 
chmod 666 ${CHROOT}/dev/{random,zero}
 
chown root:named ${CHROOT}
 
chmod 0750 ${CHROOT}
 
 
 
I call this in /etc/rc.d/named-chroot just before running named:
 
/usr/local/sbin/updatebindchroot
 
 
 
Now you can edit configuration in /etc/named.conf and mappings in /var/named. Then both named and named-chroot can be used (one at a time of course). Restarting named-chroot recreates the chroot applying configuration changes. You should never edit config files residing in the chroot. This should be considered essentially as read-only.
 
 
 
== Configuring BIND to serve DNSSEC signed zones ==
 
See [[DNSSEC#Bind (serving_signed_DNS_zones)]]
 
 
 
== A configuration template for running a domain ==
 
In our example we use "domain.tld" as our domain.
 
  
=== 1. Preparing some folder structure ===
+
Another guide at [http://www.brennan.id.au/08-Domain_Name_System_BIND.html#yourdomain Linux Home Server HOWTO - Domain name system (BIND): Adding your domain] will show you how to set up internal network name resolution in no time; short, on-point and very informative.
mkdir /var/named/{pri,sec}
 
  
If using chroot:
+
=== Creating a zonefile ===
mkdir ${CHROOT}/var/named/{pri,sec}
 
  
=== 2. Creating a zonefile ===
+
Create {{ic|/var/named/domain.tld.zone}}.
# vim /var/named/pri/domain.tld.zone
 
  
 
  $TTL 7200
 
  $TTL 7200
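Review bot: in the new Installation paragraph, "This will however require you to [[#Allow recursion]]." ends in a bare section link and does not read as a sentence; suggest piping the link, e.g. "This will however require you to [[#Allow recursion|allow recursion]]." In the same hunk, the "Restrict access to localhost" text has "BIND by defaults listens", which should read "By default, BIND listens".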
Line 192: Line 80:
 
  @              IN      TXT    "v=spf1 mx"
 
  @              IN      TXT    "v=spf1 mx"
  
$TTL defines the default time-to-live for all record types. 7200 are seconds so its 2 hours.
+
$TTL defines the default time-to-live in seconds for all record types. In this example it is 2 hours.
  
Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves won't retransfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
+
'''Serial must be incremented manually before restarting named every time you change a resource record for the zone.''' If you forget to do it slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
  
=== 3. Configuring master server ===
+
=== Configuring master server ===
Copy the zonefile if using a chroot:
 
cp domain.tld.zone ${CHROOT}/var/named/pri/
 
  
Edit /etc/named.conf:
+
Add your zone to {{ic|/etc/named.conf}}:
 
  zone "domain.tld" IN {
 
  zone "domain.tld" IN {
 
         type master;
 
         type master;
         file "pri/domain.tld.zone";
+
         file "domain.tld.zone";
 
         allow-update { none; };
 
         allow-update { none; };
 
         notify no;
 
         notify no;
 
  };
 
  };
  
Copy to chroot:
+
[[Reload]] the {{ic|named.service}} unit to apply the configuration change.
  cp named.conf ${CHROOT}/etc/
+
 
 +
== Allow recursion ==
 +
 
 +
If you are running your own DNS server, you might as well use it for all DNS lookups.  This will require the ability to do ''recursive'' lookups.  In order to prevent [https://www.us-cert.gov/ncas/alerts/TA13-088A DNS Amplification Attacks], recursion is turned off by default for most resolvers.  The default Arch {{ic|/etc/named.conf}} file allows for recursion only on the loopback interface:
 +
 
 +
  allow-recursion { 127.0.0.1; };
 +
 
 +
{{Accuracy|LAN networking isn't recursive.}}
 +
 
 +
If you want to provide name service for your local network; e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to {{ic|/etc/named.conf}}:
 +
 
 +
allow-recursion { 192.168.0.0/24; 127.0.0.1; };
 +
 
 +
== Configuring BIND to serve DNSSEC signed zones ==
 +
 
 +
{{Expansion|This is just a list of links.}}
 +
 
 +
* http://www.dnssec.net/practical-documents
 +
** http://www.cymru.com/Documents/secure-bind-template.html '''(configuration template!)'''
 +
** http://www.bind9.net/manuals
 +
** http://www.bind9.net/BIND-FAQ
 +
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
 +
* Or use an external mechanisms such as OpenDNSSEC (fully-automatic key rollover)
 +
 
 +
== Automatically listen on new interfaces ==
 +
 
 +
By default bind scan for new interfaces and stop listening on interfaces which no longer exist every hours. You can tune this value by adding :
 +
interface-interval <rescan-timeout-in-minutes>;
 +
parameter into {{ic|named.conf}} options section. Max value is 28 days. (40320 min) <br>
 +
You can disable this feature by setting its value to 0.
 +
 
 +
Then restart the service.
 +
 
 +
== Running BIND in a chrooted environment ==
 +
 
 +
Running in a [[chroot]] environment is not required but improves security.
  
=== 4. Configuring slave server ===
+
=== Creating the Jail House ===
If using chroot:
+
In order to do this, we first need to create a place to keep the jail, we shall use {{ic|/srv/named}}, and then put the required files into the jail.
cp domain.tld.zone ${CHROOT}/var/named/sec/
 
  
Edit /etc/named.conf:
+
  mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
zone "domain.tld" IN {
+
  # Copy over required system files
        type slave;
+
  cp -av /etc/{localtime,named.conf} /srv/named/etc/
        file "sec/domain.tld.zone";
+
  cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/
        masters { 0.0.0.0; };  # ip address of the master server
+
  cp -av /var/named/* /srv/named/var/named/.
};
+
  # Set up required dev nodes
 +
  mknod /srv/named/dev/null c 1 3
 +
  mknod /srv/named/dev/random c 1 8
 +
  # Set Ownership of the files
 +
  chown -R named:named /srv/named
 +
 
 +
This should create the required file system for the jail.
 +
 
 +
=== Service File ===
 +
 
 +
Next we need to create the new service file which will allow force bind into the chroot
 +
 
 +
  cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service
 +
 
 +
we need to edit how the service calls bind.
  
If using chroot:
+
{{hc|/etc/systemd/system/named-chroot.service|<nowiki>
cp named.conf ${CHROOT}/etc/
+
  ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"
 +
</nowiki>}}
  
Restart the services and you're done.
+
How, restart the systemd service.
  
== BIND Resources ==
+
== See also ==
 +
* [https://www.isc.org/downloads/bind/doc/ BIND 9 Administrator Reference Manual]
 
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]
 
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]
 +
* [http://shop.oreilly.com/product/9780596100575.do DNS and BIND by Cricket Liu and Paul Albitz]
 
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND]
 
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND]
 
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]
 
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]
 
* [http://www.menandmice.com/knowledgehub/dnsglossary DNS Glossary]
 
* [http://www.menandmice.com/knowledgehub/dnsglossary DNS Glossary]
 +
* [https://lists.archlinux.org/pipermail/arch-dev-public/2013-March/024588.html Archived mailing list discussion on BIND's future]
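Review bot: the `chown -R named:named /srv/named` line in "Creating the Jail House" hands the service user ownership of the whole jail, including its own copy of named.conf and the jail root, whereas the removed rc-era instructions earlier in this diff kept the jail root `root:named` with mode 0750 and gave named only its `var` subtrees. Suggest limiting the recursive chown to `/srv/named/var` and leaving `/srv/named` and `/srv/named/etc` owned by root. Minor wording in the same hunk: "which will allow force bind into the chroot" and "How, restart the systemd service." should read "which forces BIND into the chroot" and "Now, restart the systemd service."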

Latest revision as of 06:58, 24 May 2018

This article or section needs language, wiki syntax or style improvements.

Reason: Numerous style and content issues.

BIND (or named) is the most widely used Domain Name System (DNS) server.

Note: The organization developing BIND serves security notices to paying customers up to four days before Linux distributions or the general public.[1]

Installation

Install the bind package.

Start/enable the named.service systemd unit.

To use the DNS server locally, use the 127.0.0.1 nameserver, see Domain name resolution. This however requires recursion to be allowed, see #Allow recursion.

Configuration

BIND is configured in /etc/named.conf. The available options are documented in named.conf(5).

Reload the named.service unit to apply configuration changes.

Restrict access to localhost

By default, BIND listens on all interfaces and IP addresses.

To allow connections only from localhost, add the following line to the options section in /etc/named.conf:

listen-on { 127.0.0.1; };

Set up DNS forwarding

To make BIND forward DNS queries to another DNS server, add the forwarders clause to the options section.

For example, to make BIND forward to the Google DNS servers:

forwarders { 8.8.8.8; 8.8.4.4; };

A configuration template for running a domain

This is a simple tutorial on how to set up a home network DNS server with BIND. In our example we use "domain.tld" as our domain.

For a more elaborate example see Two-in-one DNS server with BIND9.

Another guide, Linux Home Server HOWTO - Domain name system (BIND): Adding your domain, shows how to set up internal network name resolution in no time; it is short, on-point and very informative.

Creating a zonefile

Create /var/named/domain.tld.zone.

$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live in seconds for all record types. In this example it is 2 hours.

Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it, slaves will not re-transfer the zone: they only do so if the serial is greater than that of the last time they transferred the zone.
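The forgotten-serial failure mode above can be caught mechanically. The following script is an added example, not part of the ArchWiki page: it reads the SOA serial from a zone file in the layout of the template above, computes the next date-based YYYYMMDDnn serial (the format the template uses; any other numeric serial is still compared numerically), and compares the serial of a zone file before and after an edit so a reload with an unchanged serial is refused. The function names and the `.orig` path in the usage line are this script's own assumptions.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: read the SOA serial of a zone
# file and work out the next serial, so a forgotten increment is caught before
# named is reloaded. Assumes the date-based YYYYMMDDnn serial format used by
# the page's template (2007011601); other formats are still compared numerically.

# Print the SOA serial of the zone file given as $1: the first number that
# follows the opening parenthesis of the SOA record, ignoring ";" comments.
zone_serial() {
    awk '
        { sub(/;.*/, "") }                                 # drop comments
        !insoa && $0 ~ /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
        insoa {
            n = split($0, f)
            for (i = 1; i <= n; i++) {
                tok = f[i]
                if (tok ~ /\(/) { seen_paren = 1; sub(/.*\(/, "", tok) }
                if (seen_paren && tok ~ /^[0-9]+$/) { print tok; exit }
            }
        }' "$1"
}

# Compute the serial to use after editing the zone. $1 is the current serial,
# $2 today's date as YYYYMMDD. Starts a fresh counter (01) when the date has
# moved on, otherwise increments the counter (also when the stored date lies
# in the future, so the result always grows), and refuses (exit 1) once the
# two-digit counter is exhausted so the caller can pick a serial by hand.
next_serial() {
    cur=$1 today=$2
    cur_day=$(printf '%s' "$cur" | cut -c1-8)
    if [ "$cur_day" -ge "$today" ] 2>/dev/null; then
        counter=$(printf '%s' "$cur" | cut -c9-10 | sed 's/^0*//')
        counter=$(( ${counter:-0} + 1 ))
        [ "$counter" -le 99 ] || return 1
        printf '%s%02d\n' "$cur_day" "$counter"
    else
        printf '%s01\n' "$today"
    fi
}

# Compare the serial of the zone file before ($1) and after ($2) an edit.
# Returns 0 when it was bumped, 1 when not, 2 when no serial could be read.
check_serial_bumped() {
    old=$(zone_serial "$1") new=$(zone_serial "$2")
    if [ -z "$old" ] || [ -z "$new" ]; then
        echo "could not read an SOA serial from $1 or $2" >&2
        return 2
    fi
    if [ "$new" -gt "$old" ]; then
        echo "serial bumped: $old -> $new"
        return 0
    fi
    echo "serial not bumped ($old -> $new): slaves will keep the old zone" >&2
    return 1
}

# Usage (hypothetical paths): keep a copy of the zone before editing, then
#   check_serial_bumped /var/named/domain.tld.zone.orig /var/named/domain.tld.zone
# and only reload named when it returns 0.
```

Run the check from whatever wrapper you use to reload named; a non-zero exit means the slaves would ignore the edit.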

Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";
        allow-update { none; };
        notify no;
};

Reload the named.service unit to apply the configuration change.

Allow recursion

If you are running your own DNS server, you might as well use it for all DNS lookups. This will require the ability to do recursive lookups. In order to prevent DNS Amplification Attacks, recursion is turned off by default for most resolvers. The default Arch /etc/named.conf file allows for recursion only on the loopback interface:

allow-recursion { 127.0.0.1; };

The factual accuracy of this article or section is disputed.

Reason: LAN networking isn't recursive.

To provide name service for your local network, e.g. 192.168.0.0/24, add the appropriate range of IP addresses to /etc/named.conf:

allow-recursion { 192.168.0.0/24; 127.0.0.1; };
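Whether a server ends up as an open resolver is decided by exactly this allow-recursion list, so it is worth checking the file before the service goes live. The script below is an added example, not part of the ArchWiki page: it extracts the address list of any single-line address-list option from a named.conf (listen-on, allow-recursion, allow-query, and so on, which goes slightly beyond the page's allow-recursion case) and classifies the recursion setting as restricted, open to everyone, or absent. It assumes each option is written on one line as in the page's examples; the function names are this script's own.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: report which clients a
# named.conf lets recurse, so an accidental open resolver is noticed before
# the service is started. Assumes each option sits on one line, as in the
# page's examples.

# Strip // and # line comments and single-line /* ... */ block comments.
strip_comments() {
    sed -e 's|/\*.*\*/||g' -e 's|//.*||' -e 's|#.*||' "$1"
}

# Print the address list of option $2 in file $1 (e.g. "127.0.0.1;"),
# empty if the option is absent. Works for listen-on, allow-recursion,
# allow-query and other { ...; } address lists.
option_acl() {
    strip_comments "$1" |
        sed -n "s/.*$2[[:space:]]*{\([^}]*\)}.*/\1/p" |
        tr -s '[:space:]' ' ' | sed 's/^ //; s/ $//'
}

# Classify recursion exposure of the named.conf given as $1. Prints a verdict
# and returns 0 (restricted), 1 (open to everyone) or 2 (allow-recursion absent,
# so BIND's built-in default applies and the setting deserves a look).
recursion_status() {
    acl=$(option_acl "$1" allow-recursion)
    if [ -z "$acl" ]; then
        echo "absent: no allow-recursion statement, BIND's built-in default applies"
        return 2
    fi
    for elem in $(printf '%s' "$acl" | tr ';' ' '); do
        case "$elem" in
            any|0.0.0.0/0|0/0|::/0)
                echo "open: allow-recursion { $acl } answers recursive queries from anyone"
                return 1 ;;
        esac
    done
    echo "restricted: allow-recursion { $acl }"
    return 0
}

# Usage: recursion_status /etc/named.conf
```

Pair the verdict with the listen-on list (`option_acl /etc/named.conf listen-on`): a server that only listens on 127.0.0.1 cannot be reached for amplification even if the recursion list is broader than intended.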

Configuring BIND to serve DNSSEC signed zones

This article or section needs expansion.

Reason: This is just a list of links.

* http://www.dnssec.net/practical-documents
** http://www.cymru.com/Documents/secure-bind-template.html (configuration template!)
** http://www.bind9.net/manuals
** http://www.bind9.net/BIND-FAQ
* http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
* Or use an external mechanism such as OpenDNSSEC (fully-automatic key rollover)

Automatically listen on new interfaces

By default, BIND scans for new interfaces, and stops listening on interfaces that no longer exist, every hour. You can tune this interval by adding the

interface-interval <rescan-timeout-in-minutes>;

parameter to the options section of named.conf. The maximum value is 28 days (40320 minutes).
You can disable this feature by setting the value to 0.

Then restart the service.

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security.

Creating the Jail House

To do this, we first need a place to keep the jail, here /srv/named, and then put the required files into it.

 mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
 # Copy over required system files
 cp -av /etc/{localtime,named.conf} /srv/named/etc/
 cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/
 cp -av /var/named/* /srv/named/var/named/.
 # Set up required dev nodes
 mknod /srv/named/dev/null c 1 3
 mknod /srv/named/dev/random c 1 8
 # Set Ownership of the files
 chown -R named:named /srv/named

This should create the required file system for the jail.
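Since named only sees what is inside the jail, a missing device node or a stale copy of the configuration is a common reason for the chroot service to fail or to keep serving an old configuration. The script below is an added example, not part of the ArchWiki page: it checks a jail built with the commands above for the entries they create and verifies that the jail's named.conf is still identical to the system copy. The entry list is this script's own assumption derived from the page's mkdir, cp and mknod lines; the default jail path /srv/named and source path /etc/named.conf are the page's.

```shell
#!/bin/sh
# Added example, not part of the ArchWiki page: a preflight check for the
# BIND jail built above. Reports entries missing from the jail and whether the
# jail's named.conf has drifted from the system copy (the jail copy must never
# be edited directly; it is refreshed from /etc/named.conf). The entry list
# is this script's assumption, derived from the page's commands.

# Required entries relative to the jail root:
# kind (f = regular file, d = directory, c = character device) and path.
required_entries() {
    cat <<'EOF'
f etc/named.conf
f etc/localtime
d var/named
d var/run
d var/log
d usr/lib/engines
c dev/null
c dev/random
EOF
}

# Print one line per missing entry in the jail given as $1 (default /srv/named).
missing_jail_entries() {
    jail=${1:-/srv/named}
    required_entries | while read -r kind path; do
        case "$kind" in
            f) [ -f "$jail/$path" ] || echo "missing file: $path" ;;
            d) [ -d "$jail/$path" ] || echo "missing directory: $path" ;;
            c) [ -c "$jail/$path" ] || echo "missing device node: $path" ;;
        esac
    done
}

# Number of missing entries (0 means the jail is complete).
jail_missing_count() {
    missing_jail_entries "$1" | wc -l | tr -d ' '
}

# Return 0 if the jail's named.conf is byte-identical to the system copy
# ($2, default /etc/named.conf), 1 if they differ, 2 if either is unreadable.
jail_config_in_sync() {
    jail=${1:-/srv/named} src=${2:-/etc/named.conf}
    [ -r "$src" ] && [ -r "$jail/etc/named.conf" ] || return 2
    cmp -s "$src" "$jail/etc/named.conf"
}

# Overall verdict, intended to run before starting named-chroot.service.
check_named_jail() {
    jail=${1:-/srv/named}
    missing_jail_entries "$jail"
    if [ "$(jail_missing_count "$jail")" -ne 0 ]; then
        echo "jail $jail is incomplete" >&2
        return 1
    fi
    if ! jail_config_in_sync "$jail" "$2"; then
        echo "jail named.conf differs from the system copy: re-run the cp step" >&2
        return 1
    fi
    echo "jail $jail looks complete and in sync"
}

# Usage: check_named_jail /srv/named
```

Running this as a pre-start step (or by hand after every edit of /etc/named.conf) turns the "never edit files inside the chroot" rule into something that is actually enforced rather than remembered.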

Service File

Next, create a new service file that forces BIND into the chroot:

 cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service

Then edit how the service starts BIND:

/etc/systemd/system/named-chroot.service
  ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"

Now, restart the systemd service.

See also