From ArchWiki
Revision as of 07:35, 4 December 2012 by Fengchao (Talk | contribs) (Remove from Daemon category. See Talk:Table of Contents#Remove Category:Daemons and system services.)

Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.

BIND as caching-only server

These few steps show you how to install BIND as a caching-only server.

Install BIND

Install the bind package which can be found in the official repositories.

Edit /etc/named.conf and add this under the options section:

listen-on {; };

Start BIND

Start the daemon:

systemctl start named

Optionally, set it to start up on boot:

systemctl enable named

Set /etc/resolv.conf to use the local DNS server

Edit /etc/resolv.conf:


BIND as simple DNS forwarder

If, for example, you have problems with VPN connections, they can sometimes be solved by setting up a forwarding DNS server. This is very simple with BIND. Add these lines to the options section of /etc/named.conf, and change the IP addresses according to your setup (the forwarders are the upstream resolvers that all queries are passed on to).

listen-on {; };
forwarders {;; };

Don't forget to restart the service!

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security. See BIND (chroot) for how to do this.

A configuration template for running a domain

In our example we use "domain.tld" as our domain.

1. Preparing some folder structure

mkdir /var/named/{pri,sec}

2. Creating a zonefile

# nano /var/named/pri/
$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A
ns02            IN      A
localhost       IN      A
@               IN      MX 10   mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A
www             IN      A
mail            IN      A
@               IN      TXT     "v=spf1 mx"

$TTL defines the default time-to-live for all records in the zone. The value is in seconds, so 7200 is 2 hours.

The serial must be incremented manually, before restarting named, every time you change a resource record in the zone. If you forget to do it, the slaves will not re-transfer the zone: they only do so when the serial is greater than the one they saw the last time they transferred the zone.
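The serial rule described above, as an added example that is not from the ArchWiki page: a small Python helper that reads the SOA serial from a zone file, bumps it in the YYYYMMDDNN style the page's zone uses, and verifies that the new value is larger so that slaves will actually transfer the zone. The sample zone text is constructed from the page's own zone file; the function names are this example's own.

```python
import re
from datetime import date
from typing import Optional, Tuple

# Constructed sample: the SOA part of the zone file shown on this page.
SAMPLE_ZONE = """$TTL 7200
; domain.tld
@       IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                        2007011601 ; Serial
                                        28800      ; Refresh
                                        1800       ; Retry
                                        604800     ; Expire - 1 week
                                        86400 )    ; Minimum
                IN      NS      ns01
"""

# Group 1: "SOA", MNAME, RNAME and the optional "(";
# group 2: the serial, which is always the first number after RNAME.
SERIAL_RE = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(?\s*)(\d+)", re.IGNORECASE)

def get_serial(zone_text: str) -> int:
    """Return the SOA serial of a zone file, or raise if there is no SOA."""
    m = SERIAL_RE.search(zone_text)
    if m is None:
        raise ValueError("no SOA serial found in zone text")
    return int(m.group(2))

def next_serial(current: int, today: Optional[date] = None) -> int:
    """Next YYYYMMDDNN serial; falls back to current + 1 when the date-based
    value would not be larger, since slaves only transfer on a greater serial."""
    today = today or date.today()
    date_based = int(today.strftime("%Y%m%d")) * 100  # NN starts at 00
    new = date_based if date_based > current else current + 1
    if new >= 2 ** 32:
        raise ValueError("serial would overflow the 32-bit SOA field")
    return new

def bump_serial(zone_text: str, today: Optional[date] = None) -> Tuple[str, int]:
    """Rewrite the SOA serial in zone_text and return (new_text, new_serial)."""
    old = get_serial(zone_text)
    new = next_serial(old, today)
    # A lambda avoids backslash/backreference interpretation in the replacement.
    updated = SERIAL_RE.sub(lambda m: m.group(1) + str(new), zone_text, count=1)
    if get_serial(updated) != new or new <= old:
        raise RuntimeError("serial was not increased; slaves would not transfer")
    return updated, new
```

Run `bump_serial(open("/var/named/pri/<zonefile>").read())` and write the returned text back before restarting named.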

3. Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "pri/";
        allow-update { none; };   # no dynamic updates to this zone
        notify no;
};

4. Configuring slave server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type slave;
        file "sec/";
        masters {; };   # IP address of the master server
};

Restart named on both servers and you are done.

Configuring BIND to serve DNSSEC signed zones

See DNSSEC#BIND (serving signed DNS zones)

Automatically listen on new interfaces without chroot and root privileges

Add the following parameter to the options section of named.conf:

 interface-interval <rescan-timeout-in-minutes>;

Then modify the rc script (/etc/rc.d/named) as follows:

     stat_busy "Starting DNS"
-    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}
+    setcap cap_net_bind_service=eip /usr/sbin/named
+    NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
+    [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}
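Review bot: the `setcap cap_net_bind_service=eip /usr/sbin/named` line runs on every start and leaves the capability stored on the binary permanently, so any local user who can execute /usr/sbin/named can then bind ports below 1024 with it, not just the init script; run setcap once at install time (or guard it with a `getcap` check) rather than on each start, and document that the binary now carries a file capability. Separately, the `sed` line strips `-u <user>` from NAMED_ARGS while the account is hard-coded as `named` in `sudo -u named`: if the two disagree, the daemon silently runs as a different user than configured, and `[[:alnum:]]*` does not match user names containing `-` or `_`, leaving part of the argument behind. Capture the user from NAMED_ARGS and pass that same value to `sudo -u` instead of hard-coding it.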

So your /etc/rc.d/named should look like this:

     stat_busy "Starting DNS"
     setcap cap_net_bind_service=eip /usr/sbin/named
     NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`
     [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}

Change the user name in the last line (the one with "... sudo -u named ...") if your named user is not 'named'.

See also

BIND Resources