Difference between revisions of "BIND"

From ArchWiki
Jump to: navigation, search
(Copy necessary files)
m (Creating a zonefile: style)
 
(131 intermediate revisions by 40 users not shown)
Line 1: Line 1:
[[Category:Networking (English)]]
+
[[Category:Domain Name System]]
[[Category:Daemons and system services (English)]]
+
[[de:BIND]]
[[Category:HOWTOs (English)]]
+
[[es:BIND]]
{{Out of date}}
+
[[fr:BIND]]
 +
[[ja:BIND]]
 +
[[zh-hans:BIND]]
 +
{{Related articles start}}
 +
{{Related|DNSCrypt}}
 +
{{Related|dnsmasq}}
 +
{{Related|Pdnsd}}
 +
{{Related|Unbound}}
 +
{{Related|PowerDNS}}
 +
{{Related articles end}}
 +
{{Style|Numerous style and content issues.}}
 +
[https://www.isc.org/downloads/bind/ BIND] (or named) is the most widely used Domain Name System (DNS) server.
  
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.
+
{{Note|The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.[https://kb.isc.org/article/AA-00861/0/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html]}}
  
== Bind as caching only server ==
+
== Installation ==
These few steps show you how to install bind as a caching only server.
 
  
=== Install bind ===
+
[[Install]] the {{Pkg|bind}} package.
# pacman -S bind
 
  
Edit /etc/named.conf and add this under the options section
+
[[Start/enable]] the {{ic|named.service}} systemd unit.
listen-on { 127.0.0.1; };
 
  
=== Adding named to boot process ===
+
To use the DNS server locally, use the {{ic|127.0.0.1}} nameserver (meaning clients like firefox resolve via 127.0.0.1), see [[Domain name resolution]].
Edit /etc/rc.conf:
+
This will however require you to [[#Allow recursion]] while a firewall might block outside queries to your local named.
DAEMONS=(.. '''named''' ..)
 
  
=== Set resolv.conf for using the local dns ===
+
== Configuration ==
Edit /etc/resolv.conf:
 
nameserver 127.0.0.1
 
  
== Automatically listen on new interfaces without chroot and root privileges ==
+
BIND is configured in {{ic|/etc/named.conf}}. The available options are documented in {{man|5|named.conf}}.
Add
 
  interface-interval <rescan-timeout-in-minutes>;
 
parameter into named.conf options. Then you should modify rc-script:
 
<pre>
 
    stat_busy "Starting DNS"
 
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
 
+    setcap cap_net_bind_service=eip /usr/sbin/named
 
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 
</pre>
 
  
So your /etc/rc.d/named should look like this:
+
[[Reload]] the {{ic|named.service}} unit to apply configuration changes.
<pre>
 
    stat_busy "Starting DNS"
 
    setcap cap_net_bind_service=eip /usr/sbin/named
 
    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
 
    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
 
</pre>
 
  
Change user name in last line (with "... sudo -u named ...") if your named user is not 'named'.
+
===Restrict access to localhost===
  
== Running Bind in a chrooted environment ==
+
BIND by defaults listens on [[port]] 53 of all interfaces and IP addresses. To only allow connections from localhost add the following line to the options section in {{ic|/etc/named.conf}}:
This is not required but improves security. If you want you may implement this feature later and skip directly to [[Bind#A_configuration_template_for_running_a_domain|configuration section]].
+
listen-on { 127.0.0.1; };
  
=== Preparing the chroot ===
+
=== Set up DNS forwarding ===
Define the chroot directory, for example:
 
CHROOT="/chroot/named"
 
  
Create chroot directories
+
To make BIND forward DNS queries to another DNS server add the forwarders clause to the options section.
mkdir -m 700 -p ${CHROOT}
 
mkdir -p ${CHROOT}/{dev,etc,var/run/named}
 
  
To enable logging inside chroot you also need to create a log directory:
+
Example to make BIND forward to the Google DNS servers:
mkdir ${CHROOT}/var/log
 
  
and inside this a file named.log as per logging statement in named.conf:
+
forwarders { 8.8.8.8; 8.8.4.4; };
touch ${CHROOT}/var/log/named.log
 
  
You may also want to access this file from /var/log:
+
== A configuration template for running a domain ==
ln -sf ${CHROOT}/var/log/named.log /var/log
 
 
 
=== Copy necessary files ===
 
cp -v /etc/named.conf ${CHROOT}/etc/
 
cp -v /etc/localtime ${CHROOT}/etc/
 
cp -Rv /var/named ${CHROOT}/var/
 
 
 
=== As of BIND 9.8.0, you will need libgost.so to run BIND in a chroot ===
 
mkdir -p ${CHROOT}/usr/lib/engines
 
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
 
 
 
=== Create block devices ===
 
mknod ${CHROOT}/dev/zero c 1 5
 
mknod ${CHROOT}/dev/random c 1 8
 
 
 
=== Set permissions ===
 
chown -R named:named ${CHROOT}/var/{,run/}/named
 
chmod 666 ${CHROOT}/dev/{random,zero}
 
chown root:named ${CHROOT}
 
chmod 0750 ${CHROOT}
 
 
 
If you enabled logging (see above):
 
chown named:named ${CHROOT}/var/log/named.log
 
 
 
=== Prepare the rc script ===
 
cp /etc/rc.d/named /etc/rc.d/named-chroot
 
 
 
Edit /etc/rc.d/named-chroot and simply add "-t ${CHROOT}" to
 
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
 
so that it looks like
 
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
 
 
 
=== Prepare variables ===
 
# vim /etc/conf.d/named
 
 
 
CHROOT="/chroot/named"
 
 
 
=== Starting named-chroot on bootup ===
 
you probably followed the first section before, so you have to add '-chroot' to the existing named, so that it looks like this                                 
 
 
 
Edit /etc/rc.conf:
 
DAEMONS=(.. '''named-chroot''' ..)
 
 
 
=== Start the service ===
 
/etc/rc.d/named-chroot start
 
 
 
=== Test the service ===
 
# host wiki.archlinux.org 127.0.0.1
 
 
 
Output should be something like this
 
Using domain server:
 
Name: 127.0.0.1
 
Address: 127.0.0.1#53
 
Aliases:
 
 
wiki.archlinux.org is an alias for archlinux.org.
 
archlinux.org has address 66.211.213.17
 
archlinux.org mail is handled by 10 mail.archlinux.org.
 
 
 
=== Script to regenerate the chroot environment ===
 
I use this script to (re)generate Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:
 
 
 
#!/bin/sh
 
# Prepare or update a chroot environment for running Bind
 
# see http://wiki.archlinux.org/index.php/Bind
 
 
. /etc/conf.d/named
 
 
# create chroot directories
 
mkdir -m 700 -p ${CHROOT}
 
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}
 
 
# copy necessary files
 
cp /etc/named.conf ${CHROOT}/etc/
 
cp /etc/localtime ${CHROOT}/etc/
 
cp -R /var/named ${CHROOT}/var/
 
touch ${CHROOT}/var/log/named.log
 
 
# create block devices
 
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
 
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null
 
 
# set permissions
 
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
 
chmod 666 ${CHROOT}/dev/{random,zero}
 
chown root:named ${CHROOT}
 
chmod 0750 ${CHROOT}
 
 
 
I call this in /etc/rc.d/named-chroot just before running named:
 
/usr/local/sbin/updatebindchroot
 
 
 
Now you can edit configuration in /etc/named.conf and mappings in /var/named. Then both named and named-chroot can be used (one at a time of course). Restarting named-chroot recreates the chroot applying configuration changes. You should never edit config files residing in the chroot. This should be considered essentially as read-only.
 
  
== Configuring BIND to serve DNSSEC signed zones ==
+
Following is a simple home nameserver being set up, using ''domain.tld'' as the domain being served world-wide like this wiki's ''archlinux.org'' domain is.
See [[DNSSEC#Bind (serving_signed_DNS_zones)]]
 
  
== A configuration template for running a domain ==
+
A more elaborate example is [http://www.howtoforge.com/two_in_one_dns_bind9_views DNS server with BIND9], while [http://www.brennan.id.au/08-Domain_Name_System_BIND.html#yourdomain this shows] how to set up internal network name resolution.
In our example we use "domain.tld" as our domain.
 
  
=== 1. Preparing some folder structure ===
+
=== Creating a zonefile ===
mkdir /var/named/{pri,sec}
 
  
If using chroot:
+
Create {{ic|/var/named/domain.tld.zone}}.
mkdir ${CHROOT}/var/named/{pri,sec}
 
 
 
=== 2. Creating a zonefile ===
 
# vim /var/named/pri/domain.tld.zone
 
  
 
  $TTL 7200
 
  $TTL 7200
 
  ; domain.tld
 
  ; domain.tld
 
  @      IN      SOA    ns01.domain.tld. postmaster.domain.tld. (
 
  @      IN      SOA    ns01.domain.tld. postmaster.domain.tld. (
                                         2007011601 ; Serial
+
                                         2018111111 ; Serial
 
                                         28800      ; Refresh
 
                                         28800      ; Refresh
 
                                         1800      ; Retry
 
                                         1800      ; Retry
Line 192: Line 76:
 
  @              IN      TXT    "v=spf1 mx"
 
  @              IN      TXT    "v=spf1 mx"
  
$TTL defines the default time-to-live for all record types. 7200 are seconds so its 2 hours.
+
$TTL defines the default time-to-live in seconds for all record types. Here it is 2 hours.
  
Serial must be incremented manually before restarting named every time you change a resource record for the zone. If you forget to do it slaves won't retransfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.
+
Serial must be '''incremented''' manually before restarting named every time you change a resource record for the zone. Otherwise slaves will not re-transfer the zone: they only do it if the serial is '''greater''' than that of the last time they transferred the zone.
  
=== 3. Configuring master server ===
+
=== Configuring master server ===
Copy the zonefile if using a chroot:
 
cp domain.tld.zone ${CHROOT}/var/named/pri/
 
  
Edit /etc/named.conf:
+
Add your zone to {{ic|/etc/named.conf}}:
 
  zone "domain.tld" IN {
 
  zone "domain.tld" IN {
 
         type master;
 
         type master;
         file "pri/domain.tld.zone";
+
         file "domain.tld.zone";
 
         allow-update { none; };
 
         allow-update { none; };
 
         notify no;
 
         notify no;
 
  };
 
  };
  
Copy to chroot:
+
[[Reload]] the {{ic|named.service}} unit to apply the configuration change.
cp named.conf ${CHROOT}/etc/
 
  
=== 4. Configuring slave server ===
+
== Allow recursion ==
If using chroot:
 
cp domain.tld.zone ${CHROOT}/var/named/sec/
 
  
Edit /etc/named.conf:
+
If you are running your own DNS server, you might as well use it for all DNS lookups, or even locally serve the root-zone yourself following [[RFC:7706]]. The former will require the ability to do ''recursive'' lookups.  In order to prevent [https://www.us-cert.gov/ncas/alerts/TA13-088A DNS Amplification Attacks], recursion is turned off by default for most resolvers.  The default Arch {{ic|/etc/named.conf}} file allows for recursion only on the loopback interface:
  zone "domain.tld" IN {
+
 
        type slave;
+
  allow-recursion { 127.0.0.1; };
        file "sec/domain.tld.zone";
+
 
        masters { 0.0.0.0; };  # ip address of the master server
+
{{Accuracy|LAN networking isn't recursive.}}
};
+
 
 +
If you want to provide name service for your local network; e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to {{ic|/etc/named.conf}}:
 +
 
 +
allow-recursion { 192.168.0.0/24; 127.0.0.1; };
 +
 
 +
== Configuring BIND to serve DNSSEC signed zones ==
 +
 
 +
{{Expansion|This is just a list of links in need of condensing to over here.}}
 +
 
 +
* [http://www.dnssec.net/practical-documents DNSSEC]
 +
* [http://www.cymru.com/Documents/secure-bind-template.html  a BIND configuration template]
 +
* [http://www.bind9.net/manuals man bind]
 +
* [http://www.bind9.net/BIND-FAQ bind FAQ]
 +
 
 +
There are external mechanisms such as OpenDNSSEC with fully-automatic key rollover available.
 +
 
 +
== Automatically listen on new interfaces ==
 +
 
 +
By default bind scan for new interfaces and stop listening on interfaces which no longer exist every hour. You can tune this value by adding :
 +
interface-interval <rescan-timeout-in-minutes>;
 +
parameter into {{ic|named.conf}} options section. Max value is 28 days. (40320 min) <br>
 +
You can disable this feature by setting its value to 0.
 +
 
 +
Then restart the service.
 +
 
 +
== Running BIND in a chrooted environment ==
 +
 
 +
Running in a [[chroot]] environment is not required but improves security.
 +
 
 +
=== Creating the Jail House ===
 +
In order to do this, we first need to create a place to keep the jail, we shall use {{ic|/srv/named}}, and then put the required files into the jail.
 +
 
 +
  mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
 +
   # Copy over required system files
 +
  cp -av /etc/{localtime,named.conf} /srv/named/etc/
 +
  cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/
 +
  cp -av /var/named/* /srv/named/var/named/.
 +
  # Set up required dev nodes
 +
  mknod /srv/named/dev/null c 1 3
 +
  mknod /srv/named/dev/random c 1 8
 +
  # Set Ownership of the files
 +
  chown -R named:named /srv/named
 +
 
 +
This should create the required file system for the jail.
 +
 
 +
=== Service File ===
 +
 
 +
Next we need to create the new service file which will allow force bind into the chroot
 +
 
 +
  cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service
 +
 
 +
we need to edit how the service calls bind.
  
If using chroot:
+
{{hc|/etc/systemd/system/named-chroot.service|<nowiki>
cp named.conf ${CHROOT}/etc/
+
  ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"
 +
</nowiki>}}
  
Restart the services and you're done.
+
Now, restart the systemd service.
  
== BIND Resources ==
+
== See also ==
 +
* [https://www.isc.org/downloads/bind/doc/ BIND 9 Administrator Reference Manual]
 
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]
 
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND]
+
* [http://shop.oreilly.com/product/9780596100575.do DNS and BIND by Liu and Albitz]
 +
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND] with [http://www.zytrax.com/books/dns/  abbreviated version online]
 
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]
 
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]
* [http://www.menandmice.com/knowledgehub/dnsglossary DNS Glossary]
+
* [https://cira.ca/domain-name-system-dns-glossary DNS Glossary]
 +
* [https://lists.archlinux.org/pipermail/arch-dev-public/2013-March/024588.html Archived mailing list discussion on BIND's future]
 +
* [https://www.heise.de/netze/rfc/rfcs/rfc7706.shtml#page-9  root zone transfer made simple - serve root@home] copy the /etc/named.conf , restart BIND & enjoy!

Latest revision as of 07:52, 20 November 2018

Tango-edit-clear.pngThis article or section needs language, wiki syntax or style improvements. See Help:Style for reference.Tango-edit-clear.png

Reason: Numerous style and content issues. (Discuss in Talk:BIND#)

BIND (or named) is the most widely used Domain Name System (DNS) server.

Note: The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.[1]

Installation

Install the bind package.

Start/enable the named.service systemd unit.

To use the DNS server locally, use the 127.0.0.1 nameserver (meaning clients like firefox resolve via 127.0.0.1), see Domain name resolution. This will however require you to #Allow recursion while a firewall might block outside queries to your local named.

Configuration

BIND is configured in /etc/named.conf. The available options are documented in named.conf(5).

Reload the named.service unit to apply configuration changes.

Restrict access to localhost

BIND by defaults listens on port 53 of all interfaces and IP addresses. To only allow connections from localhost add the following line to the options section in /etc/named.conf:

listen-on { 127.0.0.1; };

Set up DNS forwarding

To make BIND forward DNS queries to another DNS server add the forwarders clause to the options section.

Example to make BIND forward to the Google DNS servers:

forwarders { 8.8.8.8; 8.8.4.4; };

A configuration template for running a domain

Following is a simple home nameserver being set up, using domain.tld as the domain being served world-wide like this wiki's archlinux.org domain is.

A more elaborate example is DNS server with BIND9, while this shows how to set up internal network name resolution.

Creating a zonefile

Create /var/named/domain.tld.zone.

$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2018111111 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live in seconds for all record types. Here it is 2 hours.

Serial must be incremented manually before restarting named every time you change a resource record for the zone. Otherwise slaves will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone.

Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";
        allow-update { none; };
        notify no;
};

Reload the named.service unit to apply the configuration change.

Allow recursion

If you are running your own DNS server, you might as well use it for all DNS lookups, or even locally serve the root-zone yourself following RFC:7706. The former will require the ability to do recursive lookups. In order to prevent DNS Amplification Attacks, recursion is turned off by default for most resolvers. The default Arch /etc/named.conf file allows for recursion only on the loopback interface:

allow-recursion { 127.0.0.1; };

Tango-inaccurate.pngThe factual accuracy of this article or section is disputed.Tango-inaccurate.png

Reason: LAN networking isn't recursive. (Discuss in Talk:BIND#)

If you want to provide name service for your local network; e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to /etc/named.conf:

allow-recursion { 192.168.0.0/24; 127.0.0.1; };

Configuring BIND to serve DNSSEC signed zones

Tango-view-fullscreen.pngThis article or section needs expansion.Tango-view-fullscreen.png

Reason: This is just a list of links in need of condensing to over here. (Discuss in Talk:BIND#)

There are external mechanisms such as OpenDNSSEC with fully-automatic key rollover available.

Automatically listen on new interfaces

By default bind scan for new interfaces and stop listening on interfaces which no longer exist every hour. You can tune this value by adding :

interface-interval <rescan-timeout-in-minutes>;

parameter into named.conf options section. Max value is 28 days. (40320 min)
You can disable this feature by setting its value to 0.

Then restart the service.

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security.

Creating the Jail House

In order to do this, we first need to create a place to keep the jail, we shall use /srv/named, and then put the required files into the jail.

 mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
 # Copy over required system files
 cp -av /etc/{localtime,named.conf} /srv/named/etc/
 cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/
 cp -av /var/named/* /srv/named/var/named/.
 # Set up required dev nodes
 mknod /srv/named/dev/null c 1 3
 mknod /srv/named/dev/random c 1 8
 # Set Ownership of the files
 chown -R named:named /srv/named

This should create the required file system for the jail.

Service File

Next we need to create the new service file which will allow force bind into the chroot

 cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service

we need to edit how the service calls bind.

/etc/systemd/system/named-chroot.service
  ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"

Now, restart the systemd service.

See also