Difference between revisions of "BIND"

From ArchWiki
Latest revision as of 16:55, 16 April 2016

Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

Installation

These few steps show you how to install BIND and set it up as a local caching-only server.

Install the bind package.

Optionally edit /etc/named.conf and add this to the options section so that BIND only accepts connections from localhost:

listen-on { 127.0.0.1; };

Edit resolv.conf to use the local DNS server, 127.0.0.1.

Start named.service.

Forwarding

When BIND acts as a forwarding DNS server, it only caches answers it has already seen and forwards every other request to a predefined upstream DNS server, such as the one run by your ISP or a well-known public DNS service like OpenNIC or Google's DNS servers.

To set up a forwarding DNS server, add these lines to /etc/named.conf, either in the global options section or in a specific zone, and change the IP addresses to match your setup.

options {
 listen-on { 192.168.66.1; };
 forwarders { 8.8.8.8; 8.8.4.4; };
};

Do not forget to restart named.service.

A configuration template for running a domain

This is a simple tutorial on how to set up a home network DNS server with BIND. In our example we use "domain.tld" as our domain.

For a more elaborate example see Two-in-one DNS server with BIND9.

1. Creating a zonefile

# nano /var/named/domain.tld.zone
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live in seconds for all record types. In this example it is 2 hours.

The serial must be incremented manually, every time you change a resource record for the zone, before restarting named. If you forget, slaves will not re-transfer the zone: they only do so when the serial is greater than the one they saw at their last transfer.
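The following shell function, an added example that is not part of the ArchWiki page, automates the serial bump described above for zone files laid out like the page's domain.tld.zone (serial alone on a line ending in "; Serial") that use the YYYYMMDDnn convention; the optional date argument and the sample-zone writer are assumptions added so the function can be exercised offline.

```shell
# Added example, not from the ArchWiki page: bump a zone's SOA serial before
# reloading named so that slaves notice the change. Assumes the page's layout
# (serial alone on a line ending in "; Serial") and YYYYMMDDnn serials.

# bump_serial ZONEFILE [YYYYMMDD]: rewrite the serial in place, print the new one.
bump_serial() {
    zone=$1
    today=${2:-$(date +%Y%m%d)}   # date argument lets the function be tested
    old=$(awk '/; *Serial/ { print $1; exit }' "$zone")
    if [ -z "$old" ]; then
        echo "bump_serial: no '; Serial' line in $zone" >&2
        return 1
    fi
    case $old in
        "$today"[0-9][0-9])
            # same day as the current serial: advance the 2-digit counter
            n=${old#"$today"}
            n=${n#0}                  # "01" -> "1", avoids octal in $(( ))
            if [ "$n" -ge 99 ]; then
                echo "bump_serial: counter exhausted for $today" >&2
                return 1
            fi
            new=$(printf '%s%02d' "$today" $((n + 1)))
            ;;
        *)
            new="${today}01"          # new day: restart the counter
            ;;
    esac
    # serial arithmetic only moves forward: refuse a value not above the old one
    if [ "$new" -le "$old" ]; then
        echo "bump_serial: $new is not greater than $old" >&2
        return 1
    fi
    awk -v o="$old" -v n="$new" \
        '/; *Serial/ && !done { sub(o, n); done = 1 } { print }' \
        "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Constructed sample zone mirroring the SOA of the page's domain.tld.zone.
write_sample_zone() {
    cat > "$1" <<'EOF'
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
EOF
}
```

After bumping, validate the file with named-checkzone before reloading, so a typo never reaches the running server.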

2. Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";
        allow-update { none; };
        notify no;
};

Start/enable named.service and you are done.

If named is already running, reload the configuration files instead.

A reload keeps your nameserver available while still applying the configuration change.

3. Setting this to be your default DNS server

If you are running your own DNS server, you might as well use it for all DNS lookups. This will require the ability to do recursive lookups. In order to prevent DNS Amplification Attacks, recursion is turned off by default for most resolvers. The default Arch /etc/named.conf file allows for recursion only on the loopback interface:

allow-recursion { 127.0.0.1; };

So to facilitate general DNS lookups from your host, your resolv.conf configuration file must have 127.0.0.1 as a name server. See Resolv.conf#Preserve DNS settings on how to keep this from being overwritten.

If you want to provide name service for your local network (e.g. 192.168.0.0/24), you must add the appropriate range of IP addresses to /etc/named.conf:

allow-recursion { 192.168.0.0/24; 127.0.0.1; };
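To check that a named.conf restricts recursion the way this section describes rather than opening it to the world, here is an added audit function (not from the ArchWiki page); the sample configurations it writes are constructed for the demonstration, and the check deliberately only understands "//" and "#" comments, not /* */ blocks.

```shell
# Added example, not from the ArchWiki page: audit a named.conf for an
# allow-recursion ACL that would make the host an open resolver. Handles
# multi-line ACLs and ignores "//" and "#" comments (not /* */ blocks).

# check_recursion NAMED_CONF: returns 0 when recursion is off or restricted,
# 1 when any allow-recursion ACL permits the world, 2 when none is declared.
check_recursion() {
    flat=$(sed -e 's://.*$::' -e 's/#.*$//' "$1" | tr '\n' ' ')
    case "$flat" in
        *"recursion no;"*)
            echo "recursion disabled (authoritative-only)"; return 0 ;;
    esac
    acls=$(printf '%s\n' "$flat" | grep -o 'allow-recursion *{[^}]*}')
    if [ -z "$acls" ]; then
        echo "no allow-recursion statement: BIND's built-in default applies"
        return 2
    fi
    # "any" or the all-zero prefixes anywhere in the ACL opens recursion to all
    case "$acls" in
        *"{ any;"*|*"{any;"*|*" any;"*|*"0.0.0.0/0"*|*"::/0"*)
            echo "OPEN RESOLVER: $acls"; return 1 ;;
    esac
    echo "recursion restricted: $acls"; return 0
}

# Constructed samples: the page's LAN-only ACL (split over lines), and an
# open one with a commented-out restriction that must not fool the check.
write_lan_conf() {
    cat > "$1" <<'EOF'
options {
    listen-on { 192.168.0.1; };
    allow-recursion {
        192.168.0.0/24;
        127.0.0.1;
    };
};
EOF
}
write_open_conf() {
    cat > "$1" <<'EOF'
options {
    // allow-recursion { 192.168.0.0/24; 127.0.0.1; };
    allow-recursion { any; };
};
EOF
}
```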

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#BIND (serving signed DNS zones)

Automatically listen on new interfaces

By default, BIND scans for new interfaces, and stops listening on interfaces that no longer exist, once every hour. You can tune this interval by adding the

interface-interval <rescan-timeout-in-minutes>;

parameter to the options section of named.conf. The maximum value is 28 days (40320 minutes).
You can disable this feature by setting its value to 0.

Then restart the service.

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security.

Creating the Jail House

To do this, we first need to create a place to keep the jail (we shall use /srv/named) and then put the required files into it.

 mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
 # Copy over required system files
 cp -av /etc/{localtime,named.conf} /srv/named/etc/
 cp -av /usr/lib/engines/* /srv/named/usr/lib/engines/
 # Set up required dev nodes
 mknod /srv/named/dev/null c 1 3
 mknod /srv/named/dev/random c 1 8
 # Set Ownership of the files
 chown -R named:named /srv/named

This should create the required file system for the jail.

Service File

Next we need to create a new service file that will force BIND into the chroot:

 cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service

Then edit how the service calls BIND:

/etc/systemd/system/named-chroot.service
  ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"

Now reload systemd with systemctl daemon-reload, then start named-chroot.service.
