From ArchWiki

Bind as caching only server

These few steps show you how to install bind as a caching only server.

Install bind

pacman -S bind

Edit /etc/named.conf

listen-on {; };

Bind needs the kernel module 'capability' to work properly. Load it manually if it is not already loaded.

# modprobe capability

This is built into vanilla kernels, as confirmed by:

# zless /proc/config.gz | grep CAPABILITIES

Adding named to the boot process

Edit /etc/rc.conf

DAEMONS=(.. named ..)

Set resolv.conf to use the local DNS

Edit /etc/resolv.conf


Running Bind in a chrooted environment

This is not required, but it improves security. If you want, you may implement this feature later and skip directly to the configuration section.

Preparing the chroot

Define the chroot directory, for example:


Create the chroot directories

mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/run/named}

To enable logging inside the chroot, you also need to create a log directory:

mkdir ${CHROOT}/var/log

and inside it a file named.log, as per the logging statement in named.conf:

touch ${CHROOT}/var/log/named.log

You may also want to access this file from /var/log:

ln -sf ${CHROOT}/var/log/named.log /var/log

Copy necessary files

cp -v /etc/named.conf ${CHROOT}/etc/
cp -v /etc/localtime ${CHROOT}/etc/
cp -Rv /var/named ${CHROOT}/var/

Create block devices

mknod ${CHROOT}/dev/zero c 1 5
mknod ${CHROOT}/dev/random c 1 8

Set permissions

chown -R named:named ${CHROOT}/var/{,run/}named
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

If you enabled logging (see above):

chown named:named ${CHROOT}/var/log/named.log

Prepare the rc script

cp /etc/rc.d/named /etc/rc.d/named-chroot

Edit /etc/rc.d/named-chroot and simply add "-t ${CHROOT}" to

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}

so that it looks like

[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}

Prepare variables

vim /etc/conf.d/named


Starting named-chroot on bootup

You probably followed the first section before, so add '-chroot' to the existing named entry so that it looks like this:

Edit /etc/rc.conf

DAEMONS=(.. named-chroot ..)

Start the service

/etc/rc.d/named-chroot start

Test the service

# host

Output should be something like this

Using domain server:
Aliases: is an alias for has address mail is handled by 10

Script to regenerate the chroot environment

I use this script to (re)generate the Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:

#!/bin/bash
# Prepare or update a chroot environment for running Bind
# see

. /etc/conf.d/named

# create chroot directories
mkdir -m 700 -p ${CHROOT}
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}

# copy necessary files
cp /etc/named.conf ${CHROOT}/etc/
cp /etc/localtime ${CHROOT}/etc/
cp -R /var/named ${CHROOT}/var/
touch ${CHROOT}/var/log/named.log

# create block devices
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null

# set permissions
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}
chmod 666 ${CHROOT}/dev/{random,zero}
chown root:named ${CHROOT}
chmod 0750 ${CHROOT}

I call this in /etc/rc.d/named-chroot just before running named:


Now you can edit the configuration in /etc/named.conf and the zone mappings in /var/named. Then both named and named-chroot can be used (one at a time, of course). Restarting named-chroot recreates the chroot, applying the configuration changes. You should never edit the config files residing in the chroot; they should be considered essentially read-only.
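Because the chroot is rebuilt from the files outside it, it is worth checking that a rebuilt chroot still has the layout and permissions the steps above set. The following is an added example, not the ArchWiki page's own script: a bash function that reports missing directories, a chroot root reachable by other users, a named.conf copy that differs from /etc/named.conf (someone edited the copy inside the chroot, or forgot to restart), and world-writable configuration or zone files. It assumes GNU coreutils (stat -c) as on Arch Linux; the source config path defaults to /etc/named.conf unless a second argument is given.

```shell
#!/bin/bash
# Added example (not from the ArchWiki page): sanity-check a Bind chroot built
# by the steps above. Assumes GNU coreutils (stat -c) as on Arch Linux.
# Prints one line per finding and returns the number of findings (0 = clean).

verify_chroot() {
    local chroot="$1"
    local src_conf="${2:-/etc/named.conf}"
    local findings=0

    # Helper: record a finding (modifies the caller's local 'findings').
    problem() { printf 'PROBLEM: %s\n' "$1"; findings=$((findings + 1)); }

    # 1. Layout: every directory the rc script and named expect must exist.
    local d
    for d in dev etc var/named var/run/named; do
        [ -d "$chroot/$d" ] || problem "missing directory $chroot/$d"
    done

    # 2. The chroot root must not be reachable by 'other' users (page uses 0750).
    if [ -d "$chroot" ]; then
        local mode
        mode=$(stat -c '%a' "$chroot")
        case "$mode" in
            750|700|0750|0700) ;;
            *) problem "$chroot has mode $mode, expected 0750" ;;
        esac
    fi

    # 3. The config copy must match the source: the chroot is rebuilt from the
    #    source on every restart, so a difference means the copy inside the
    #    chroot was edited (and will be lost) or the service was not restarted.
    if [ -f "$chroot/etc/named.conf" ]; then
        cmp -s "$src_conf" "$chroot/etc/named.conf" \
            || problem "$chroot/etc/named.conf differs from $src_conf"
    else
        problem "missing $chroot/etc/named.conf"
    fi

    # 4. Nothing under etc/ or var/named may be world-writable: named only needs
    #    to read its configuration and zones. The device nodes are intentionally
    #    0666 and live under dev/, which is not scanned here.
    local f
    for f in $(find "$chroot/etc" "$chroot/var/named" -type f -perm -002 2>/dev/null); do
        problem "world-writable file $f"
    done

    return "$findings"
}

# Usage (CHROOT as defined in /etc/conf.d/named):
#   . /etc/conf.d/named && verify_chroot "$CHROOT" || echo "chroot needs attention"
```

Run it after the regeneration script and again from time to time; a non-zero return means the chroot drifted from what the steps above produce.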

A configuration template for running a domain

In our example we use "domain.tld" as the domain.

Preparing some folder structure

mkdir /chroot/named/etc/{pri,sec}

Creating a zone file

vim /chroot/named/etc/pri/

$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A
ns02            IN      A
localhost       IN      A
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A
www             IN      A
mail            IN      A
@               IN      TXT     "v=spf1 mx"

Configuring the master server

Copy the zone file

cp /chroot/named/etc/pri/

Edit /chroot/named/etc/named.conf

zone "domain.tld" IN {
        type master;
        file "pri/";
        allow-update { none; };
        notify no;
};

Configuring the slave server

cp /chroot/named/etc/sec/

Edit /chroot/named/etc/named.conf

zone "domain.tld" IN {
        type slave;
        file "sec/";
        allow-update { none; };
        notify no;
        masters {; };   # ip address of the master server
};

Restart the services and you're done.
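The slave configured above only transfers the zone when the master's serial is higher than the one in its own copy, so every edit to the zone file must raise the serial or the secondary silently keeps stale data. The following is an added example, not from the ArchWiki page: bash functions that bump a serial in the YYYYMMDDnn convention the zone file above uses (same day: increment the two-digit counter; later day: restart at 01; serial already ahead of the clock, or counter at 99: add one so it still increases). The '; Serial' comment is assumed to mark the serial line, as in the template above, and the path in the usage comment is a placeholder.

```shell
#!/bin/bash
# Added example (not from the ArchWiki page): bump the SOA serial of a zone file
# before reloading the master. Assumes the YYYYMMDDnn serial convention used in
# the zone template above and a '; Serial' comment on the serial line.

# next_serial CURRENT TODAY -> prints the new serial.
# TODAY is passed in (YYYYMMDD) so the function is deterministic and testable.
next_serial() {
    local current="$1" today="$2"
    local date_part="${current%??}"      # strip the two-digit revision counter
    local rev="${current#$date_part}"
    if [ "$date_part" = "$today" ] && [ "$rev" != "99" ]; then
        # Same day: bump the counter. 10# forces decimal so "08" is not read as octal.
        printf '%s%02d\n' "$today" $((10#$rev + 1))
    elif [ "$date_part" -lt "$today" ]; then
        # A later day: start that day's counter at 01.
        printf '%s01\n' "$today"
    else
        # Serial is ahead of the clock or the counter is exhausted: just add one,
        # which keeps the serial strictly increasing for the slave.
        echo $((current + 1))
    fi
}

# bump_zone_serial FILE [TODAY] -> rewrites the '; Serial' line in place and
# prints the new serial. Returns 1 if no serial line is found.
bump_zone_serial() {
    local file="$1" today="${2:-$(date +%Y%m%d)}"
    local current new
    current=$(awk '/; *Serial/ { print $1; exit }' "$file")
    [ -n "$current" ] || { echo "no '; Serial' line in $file" >&2; return 1; }
    new=$(next_serial "$current" "$today")
    # Rewrite only the first serial line; use a temp file instead of sed -i
    # so this also works with non-GNU tools.
    awk -v old="$current" -v new="$new" \
        '/; *Serial/ && !done { sub(old, new); done = 1 } { print }' "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
    echo "$new"
}

# Usage (path is a placeholder for the master's copy of the zone file):
#   bump_zone_serial /var/named/pri/ZONEFILE
```

Run it on the master's zone file before restarting the service as described above. Because the template sets notify no, the slave will only see the new serial at its next refresh interval (28800 seconds in the SOA above); with a serial that was not raised it would never transfer the change at all.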

BIND Resources