Difference between revisions of "BIND"

From ArchWiki
(updated status of external links (interactive))
Tag: wiki-scripts
 
(152 intermediate revisions by 50 users not shown)
Old revision (left column of the diff; wiki source):

{{stub}}
[[Category:Networking (English)]]
[[Category:Daemons and system services (English)]]
[[Category:HOWTOs (English)]]

== Bind as caching only server ==

These few steps show you how to install bind as a caching-only server.

=== Install bind ===

 pacman -S bind

Edit /etc/named.conf

 listen-on { 127.0.0.1; };

=== Bind needs the kernel module 'capability' to work properly; load it manually if it is not already loaded ===

 # modprobe capability

This is built into vanilla kernels, as confirmed by:

 # zless /proc/config.gz | grep CAPABILITIES
 CONFIG_SECURITY_CAPABILITIES=y
 CONFIG_SECURITY_FILE_CAPABILITIES=y

=== Adding named to boot process ===

Edit /etc/rc.conf

 DAEMONS=(.. named ..)

=== Set resolv.conf for using the local dns ===

Edit /etc/resolv.conf

 nameserver 127.0.0.1

== Running Bind in a chrooted environment ==

This is not required but improves security. If you want, you may implement this feature later and skip directly to the [[Bind#A_configuration_template_for_running_a_domain|configuration section]].

=== Preparing the chroot ===

Define the chroot directory, for example:

 CHROOT="/chroot/named"

Create the chroot directories:

 mkdir -m 700 -p ${CHROOT}
 mkdir -p ${CHROOT}/{dev,etc,var/run/named}

To enable logging inside the chroot you also need to create a log directory:

 mkdir ${CHROOT}/var/log

and inside it a file named.log, as per the logging statement in named.conf:

 touch ${CHROOT}/var/log/named.log

You may also want to access this file from /var/log:

 ln -sf ${CHROOT}/var/log/named.log /var/log

=== Copy necessary files ===

 cp -v /etc/named.conf ${CHROOT}/etc/
 cp -v /etc/localtime ${CHROOT}/etc/
 cp -Rv /var/named ${CHROOT}/var/

=== Create block devices ===

 mknod ${CHROOT}/dev/zero c 1 5
 mknod ${CHROOT}/dev/random c 1 8

=== Set permissions ===

 chown -R named:named ${CHROOT}/var/{,run/}named
 chmod 666 ${CHROOT}/dev/{random,zero}
 chown root:named ${CHROOT}
 chmod 0750 ${CHROOT}

If you enabled logging (see above):

 chown named:named ${CHROOT}/var/log/named.log

=== Prepare the rc script ===

 cp /etc/rc.d/named /etc/rc.d/named-chroot

Edit /etc/rc.d/named-chroot and simply add "-t ${CHROOT}" to

 [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}

so that it looks like

 [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}

=== Prepare variables ===

 vim /etc/conf.d/named

 CHROOT="/chroot/named"

=== Starting named-chroot on bootup ===

You probably followed the first section before, so you have to add '-chroot' to the existing named entry, so that it looks like this:

Edit /etc/rc.conf

 DAEMONS=(.. named-chroot ..)

=== Start the service ===

 /etc/rc.d/named-chroot start

=== Test the service ===

 # host wiki.archlinux.org 127.0.0.1

Output should be something like this:

 Using domain server:
 Name: 127.0.0.1
 Address: 127.0.0.1#53
 Aliases:

 wiki.archlinux.org is an alias for archlinux.org.
 archlinux.org has address 66.211.213.17
 archlinux.org mail is handled by 10 mail.archlinux.org.

=== Script to regenerate the chroot environment ===

I use this script to (re)generate the Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:

 #!/bin/sh
 # Prepare or update a chroot environment for running Bind
 # see http://wiki.archlinux.org/index.php/Bind

 . /etc/conf.d/named

 # create chroot directories
 mkdir -m 700 -p ${CHROOT}
 mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}

 # copy necessary files
 cp /etc/named.conf ${CHROOT}/etc/
 cp /etc/localtime ${CHROOT}/etc/
 cp -R /var/named ${CHROOT}/var/
 touch ${CHROOT}/var/log/named.log

 # create block devices
 mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
 mknod ${CHROOT}/dev/random c 1 8 2>/dev/null

 # set permissions
 chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
 chmod 666 ${CHROOT}/dev/{random,zero}
 chown root:named ${CHROOT}
 chmod 0750 ${CHROOT}

I call this in /etc/rc.d/named-chroot just before running named:

 /usr/local/sbin/updatebindchroot

Now you can edit the configuration in /etc/named.conf and the mappings in /var/named. Then both named and named-chroot can be used (one at a time, of course). Restarting named-chroot recreates the chroot, applying configuration changes. You should never edit config files residing in the chroot; they should be considered essentially read-only.

== A configuration template for running a domain ==

In our example we use "domain.tld" as our domain.

=== Preparing some folder structure ===

 mkdir /var/named/{pri,sec}

If using chroot:

 mkdir /chroot/named/var/named/{pri,sec}

=== Creating a zonefile ===

 vim /var/named/pri/domain.tld.zone

 $TTL 7200
 ; domain.tld
 @       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                         2007011601 ; Serial
                                         28800      ; Refresh
                                         1800       ; Retry
                                         604800     ; Expire - 1 week
                                         86400 )    ; Minimum
                 IN      NS      ns01
                 IN      NS      ns02
 ns01            IN      A       0.0.0.0
 ns02            IN      A       0.0.0.0
 localhost       IN      A       127.0.0.1
 @               IN      MX 10   mail
 imap            IN      CNAME   mail
 smtp            IN      CNAME   mail
 @               IN      A       0.0.0.0
 www             IN      A       0.0.0.0
 mail            IN      A       0.0.0.0
 @               IN      TXT     "v=spf1 mx"

=== Configuring master server ===

Copy the zonefile if using a chroot:

 cp domain.tld.zone /chroot/named/var/named/pri/

Edit /etc/named.conf

 zone "domain.tld" IN {
         type master;
         file "pri/domain.tld.zone";
         allow-update { none; };
         notify no;
 };

Copy to chroot:

 cp named.conf /chroot/named/etc/

=== Configuring slave server ===

If using chroot:

 cp domain.tld.zone /chroot/named/var/named/sec/

Edit /etc/named.conf

 zone "domain.tld" IN {
         type slave;
         file "sec/domain.tld.zone";
         masters { 0.0.0.0; };  # ip address of the master server
 };

If using chroot:

 cp named.conf /chroot/named/etc/

Restart the services and you're done.

== BIND Resources ==

* [http://bind-users.info/FAQ.html bind-users FAQ]
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND]
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]
* [http://www.menandmice.com/knowledgehub/dnsglossary DNS Glossary]

New revision (right column of the diff): see the rendered text under "Latest revision as of 19:12, 23 February 2020" below.

Latest revision as of 19:12, 23 February 2020

Style notice: This article or section needs language, wiki syntax or style improvements. See Help:Style for reference. Reason: Numerous style and content issues.

BIND (https://www.isc.org/downloads/bind/), or named, is the most widely used Domain Name System (DNS) server.

Note: The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public (see https://kb.isc.org/article/AA-00861/0/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html).

Installation

Install the bind package.

Start/enable the named.service systemd unit.

To use the DNS server locally, use 127.0.0.1 as the nameserver (meaning clients like Firefox resolve via 127.0.0.1); see Domain name resolution. This will however require you to allow recursion (see #Allow recursion), while a firewall might block outside queries to your local named.

Configuration

BIND is configured in /etc/named.conf. The available options are documented in named.conf(5).

Reload the named.service unit to apply configuration changes.

Restrict access to localhost

By default, BIND listens on port 53 of all interfaces and IP addresses. To only allow connections from localhost, add the following line to the options section in /etc/named.conf:

listen-on { 127.0.0.1; };

Set up DNS forwarding

To make BIND forward DNS queries to another DNS server, add the forwarders clause to the options section.

Example to make BIND forward to the Google DNS servers:

forwarders { 8.8.8.8; 8.8.4.4; };

A configuration template for running a domain

The following sets up a simple home nameserver, using domain.tld as the domain being served world-wide, like this wiki's archlinux.org domain is.

A more elaborate example is DNS server with BIND9 (http://www.howtoforge.com/two_in_one_dns_bind9_views), while http://www.brennan.id.au/08-Domain_Name_System_BIND.html#yourdomain shows how to set up internal network name resolution.

Creating a zonefile

Create /var/named/domain.tld.zone.

$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2018111111 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live in seconds for all record types. Here it is 7200 seconds, i.e. 2 hours.

The serial must be incremented manually every time you change a resource record for the zone, before restarting named. Otherwise slaves will not re-transfer the zone: they only do so if the serial is greater than the one they saw the last time they transferred the zone.
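Two things go wrong in practice with the serial: people forget to bump it, and people compare serials as plain integers even though secondaries compare them with 32-bit wrap-around arithmetic (RFC 1982). The following POSIX shell script is an added example, not code from the ArchWiki page or from ISC: it reads and bumps the serial of a zone file laid out like the template above (serial on its own line marked by a "; Serial" comment), picks the next serial in the YYYYMMDDnn convention without ever going backwards, and implements the RFC 1982 "newer than" test a secondary applies before transferring. The sample zone file it writes is constructed for the demonstration; the zone_serial, next_serial, serial_is_newer and bump_serial names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): manage the SOA serial of a zone
# file laid out like the template above, i.e. with the serial on its own line
# followed by a "; Serial" comment. Pure POSIX sh + awk, no BIND tools needed.

# Print the current SOA serial of a zone file.
zone_serial() {
    awk '/;[[:space:]]*Serial/ { print $1; exit }' "$1"
}

# Choose the next serial in the YYYYMMDDnn convention: a new day starts at
# ...01, otherwise add one. Never goes backwards, so a zone whose serial is
# already ahead of today's date still gets a larger number.
next_serial() {
    current=$1
    today=$2            # YYYYMMDD, e.g. $(date +%Y%m%d)
    candidate=$((today * 100 + 1))
    if [ "$candidate" -gt "$current" ]; then
        echo "$candidate"
    else
        echo $((current + 1))
    fi
}

# RFC 1982 serial arithmetic: is NEW "greater than" OLD on the 32-bit circle?
# Returns 0 (true) or 1 (false). This is the comparison a secondary makes
# when deciding whether a zone transfer is needed.
serial_is_newer() {
    old=$1
    new=$2
    half=2147483648     # 2^31
    if [ "$old" -lt "$new" ] && [ $((new - old)) -lt "$half" ]; then return 0; fi
    if [ "$old" -gt "$new" ] && [ $((old - new)) -gt "$half" ]; then return 0; fi
    return 1
}

# Rewrite the serial line of ZONEFILE in place with the next serial for DATE
# (defaults to today) and print the new serial.
bump_serial() {
    zonefile=$1
    today=${2:-$(date +%Y%m%d)}
    new=$(next_serial "$(zone_serial "$zonefile")" "$today")
    awk -v new="$new" '
        !done && /;[[:space:]]*Serial/ { sub(/[0-9]+/, new); done = 1 }
        { print }
    ' "$zonefile" > "$zonefile.tmp" && mv "$zonefile.tmp" "$zonefile"
    echo "$new"
}

# Constructed zone file with the same layout as the page's template.
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2018111111 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
ns01            IN      A       0.0.0.0
EOF
}

# Demo when run directly.
tmp=$(mktemp -d)
write_sample_zone "$tmp/domain.tld.zone"
old=$(zone_serial "$tmp/domain.tld.zone")
new=$(bump_serial "$tmp/domain.tld.zone" 20200223)
echo "serial $old -> $new"
serial_is_newer "$old" "$new" && echo "secondaries will transfer the zone"
rm -rf "$tmp"
```

Run bump_serial on the zone file in the same step that edits it, then reload named; the serial_is_newer check is what tells you whether a secondary that last saw serial X will pick up serial Y, including across the 2^32 wrap.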

Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";
        allow-update { none; };
        notify no;
};

Reload the named.service unit to apply the configuration change.

Allow recursion

If you are running your own DNS server, you might as well use it for all DNS lookups, or even locally serve the root zone yourself following RFC 7706. The former requires the ability to do recursive lookups. In order to prevent DNS amplification attacks (https://www.us-cert.gov/ncas/alerts/TA13-088A), recursion is turned off by default for most resolvers. The default Arch /etc/named.conf file allows recursion only on the loopback interface:

allow-recursion { 127.0.0.1; };

Accuracy notice: The factual accuracy of this article or section is disputed. Reason: LAN networking isn't recursive.

If you want to provide name service for your local network, e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to /etc/named.conf:

allow-recursion { 192.168.0.0/24; 127.0.0.1; };
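The three clauses discussed in the last sections (listen-on, forwarders and allow-recursion) are the ones that decide who can reach the resolver and who can make it recurse, so they are worth checking mechanically before a host is exposed. The following POSIX shell script is an added example, not code from the ArchWiki page or from ISC: it pulls those clauses out of the options block of a named.conf and reports whether each access clause is restricted. The configuration samples it writes are constructed for the demonstration; it assumes each clause sits on a single line of the form "clause { ...; };" inside "options { ... };" (as in the snippets above), and the named_option, classify_acl and audit_named_conf names are this example's own. It complements, rather than replaces, named-checkconf.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page): audit the options block of a
# named.conf for the exposure-related clauses discussed above.
# Assumes each clause is on one line inside "options { ... };", e.g.
#   listen-on { 127.0.0.1; };
# Pure POSIX sh + awk, so it runs without BIND installed.

# Print the address list of CLAUSE from the options block of CONF,
# e.g. "127.0.0.1;" or "192.168.0.0/24; 127.0.0.1;", or "UNSET" if absent.
named_option() {
    conf=$1
    clause=$2
    awk -v clause="$clause" '
        /^[[:space:]]*options[[:space:]]*[{]/     { inopt = 1; next }
        inopt && /^[[:space:]]*[}][[:space:]]*;/ { inopt = 0 }
        inopt && $1 == clause {
            sub(/^[^{]*[{][[:space:]]*/, "")   # drop "clause [port N] {"
            sub(/[[:space:]]*[}].*$/, "")      # drop "};" and any comment
            gsub(/[[:space:]]+/, " ")
            print; found = 1; exit
        }
        END { if (!found) print "UNSET" }
    ' "$conf"
}

# Classify an address list. "UNSET" counts as open: without listen-on, named
# binds every interface, and an unset allow-recursion leaves the decision to
# the build default instead of an explicit choice.
classify_acl() {
    case "$1" in
        UNSET|*any*|*0.0.0.0/0*) echo open ;;
        *) echo restricted ;;
    esac
}

# Report listen-on and allow-recursion (pass/fail) and forwarders (informational).
# Returns 0 when both access clauses are restricted, 1 otherwise.
audit_named_conf() {
    conf=$1
    rc=0
    for clause in listen-on allow-recursion; do
        val=$(named_option "$conf" "$clause")
        state=$(classify_acl "$val")
        echo "$clause: $val [$state]"
        [ "$state" = restricted ] || rc=1
    done
    echo "forwarders: $(named_option "$conf" forwarders)"
    return $rc
}

# Write a constructed sample config: "loopback" (the page's defaults),
# "lan" (recursion for 192.168.0.0/24) or "open" (what not to ship).
write_sample_conf() {
    kind=$1
    path=$2
    case "$kind" in
        loopback) acl='127.0.0.1;'                 ; listen='listen-on { 127.0.0.1; };' ;;
        lan)      acl='192.168.0.0/24; 127.0.0.1;' ; listen='listen-on { 127.0.0.1; };' ;;
        open)     acl='any;'                       ; listen='' ;;
    esac
    {
        echo 'options {'
        echo '    directory "/var/named";'
        [ -n "$listen" ] && echo "    $listen"
        echo "    allow-recursion { $acl };"
        echo '    forwarders { 8.8.8.8; 8.8.4.4; };'
        echo '};'
        echo 'zone "domain.tld" IN { type master; file "domain.tld.zone"; allow-update { none; }; };'
    } > "$path"
}

# Demo when run directly.
tmp=$(mktemp -d)
for kind in loopback lan open; do
    write_sample_conf "$kind" "$tmp/$kind.conf"
    echo "== $kind.conf"
    audit_named_conf "$tmp/$kind.conf" || echo "=> $kind.conf exposes the resolver"
done
rm -rf "$tmp"
```

Point audit_named_conf at /etc/named.conf in a pre-reload hook or a periodic check; a non-zero exit means either the daemon listens on every interface or recursion is open to anyone, which is exactly the amplification exposure the section above describes.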

Configuring BIND to serve DNSSEC signed zones

To enable DNSSEC support you need to add "dnssec-enable yes;" to the "options" block of /etc/named.conf. Do not forget to check that EDNS is not disabled.

On the master DNS server:

  • generate KSK and ZSK keys:

 $ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
 $ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com

  • change the zone configuration:

 zone "example.com" {
       type master;
       allow-transfer { ... };
       auto-dnssec maintain;
       inline-signing yes;
       key-directory "master/";
       file "master/example.com.zone";
 };

Now BIND will sign the zone automatically. (This example assumes that all required files are in /var/named/master/.)

Then you should pass the DS records (from the dsset-example.com. file) to the parent zone owner, probably using your registrar's website. This glues the parent zone to your KSK.

The KSK (and the corresponding DS records) should be changed rarely, because changing it needs manual intervention; the ZSK can be changed more often, because this key is usually shorter so that signature checking is faster.

You can schedule the expiration of the old ZSK and generate a new one using:

 $ dnssec-settime -I +172800 -D +345600 Kexample.com.+000+111111.key
 $ dnssec-keygen -S Kexample.com.+000+111111.key -i 152800

BIND should automatically switch to the new ZSK at the appropriate time.

See also

  • DNSSEC: http://www.dnssec.net/practical-documents
  • a BIND configuration template: http://www.cymru.com/Documents/secure-bind-template.html
  • man bind: http://www.bind9.net/manuals
  • bind FAQ: http://www.bind9.net/BIND-FAQ

There are external mechanisms such as OpenDNSSEC with fully automatic key rollover available.

Automatically listen on new interfaces

By default BIND scans for new interfaces, and stops listening on interfaces which no longer exist, every hour. You can tune this interval by adding the

interface-interval <rescan-timeout-in-minutes>;

parameter to the options section of named.conf. The maximum value is 28 days (40320 minutes). You can disable this feature by setting its value to 0.

Then restart the service.

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security.

Creating the Jail House

In order to do this, we first need to create a place to keep the jail (we shall use /srv/named), and then put the required files into it.

 mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
 # Copy over required system files
 cp -av /etc/{localtime,named.conf} /srv/named/etc/
 cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/
 cp -av /var/named/* /srv/named/var/named/.
 # Set up required dev nodes
 mknod /srv/named/dev/null c 1 3
 mknod /srv/named/dev/random c 1 8
 # Set Ownership of the files
 chown -R named:named /srv/named

This should create the required file system for the jail.

Service File

Next we need to create the new service file which will force BIND into the chroot:

 cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service

Then edit how the service calls named:

/etc/systemd/system/named-chroot.service
  ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"

Now, restart the systemd service.

See also

  • BIND 9 Administrator Reference Manual: https://www.isc.org/downloads/bind/doc/
  • BIND 9 DNS Administration Reference Book: http://www.reedmedia.net/books/bind-dns/
  • DNS and BIND by Liu and Albitz: http://shop.oreilly.com/product/9780596100575.do
  • Pro DNS and BIND: http://www.netwidget.net/books/apress/dns/intro.html, with an abbreviated version online at http://www.zytrax.com/books/dns/
  • Internet Systems Consortium, Inc. (ISC): http://www.isc.org/
  • DNS Glossary: https://cira.ca/domain-name-system-dns-glossary (dead link as of 2020-02-23)
  • Archived mailing list discussion on BIND's future: https://lists.archlinux.org/pipermail/arch-dev-public/2013-March/024588.html
  • root zone transfer made simple - serve root@home: https://www.heise.de/netze/rfc/rfcs/rfc7706.shtml#page-9 (copy the /etc/named.conf, restart BIND and enjoy!)