BIND: Difference between revisions
(→Configuring BIND to serve DNSSEC signed zones: fix template) |
Lahwaacz.bot (talk | contribs) (update status of external links) |
||
| (112 intermediate revisions by 23 users not shown) | |||
| Line 2: | Line 2: | ||
[[de:BIND]] | [[de:BIND]] | ||
[[es:BIND]] | [[es:BIND]] | ||
[[ja:BIND]] | [[ja:BIND]] | ||
[[zh-hans:BIND]] | [[zh-hans:BIND]] | ||
{{Related articles start}} | {{Related articles start}} | ||
{{Related| | {{Related|Domain name resolution}} | ||
{{Related articles end}} | {{Related articles end}} | ||
{{Style|Numerous style and content issues.}} | {{Style|Numerous style and content issues.}} | ||
[https://www.isc.org/downloads/bind/ BIND] is the most widely used Domain Name System (DNS) server. | [https://www.isc.org/downloads/bind/ BIND] (or named) is the most widely used Domain Name System (DNS) server. | ||
{{Note|The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.[https://kb.isc.org/article/AA-00861/0/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html]}} | {{Note|The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.[https://kb.isc.org/article/AA-00861/0/ISC-Software-Defect-and-Security-Vulnerability-Disclosure-Policy.html]{{Dead link|2023|09|16|status=404}}}} | ||
== Installation == | == Installation == | ||
| Line 21: | Line 16: | ||
[[Install]] the {{Pkg|bind}} package. | [[Install]] the {{Pkg|bind}} package. | ||
[[Start/enable]] the {{ic|named.service}} systemd unit. | |||
To use the DNS server locally, use the {{ic|127.0.0.1}} nameserver (meaning clients like Firefox resolve via 127.0.0.1), see [[Domain name resolution]]. | |||
This will however require you to [[#Allow recursion]] while a firewall might block outside queries to your local named. | |||
== Configuration == | == Configuration == | ||
BIND is configured in {{ic|/etc/named.conf}}. The available options are documented in | BIND is configured in {{ic|/etc/named.conf}}. The available options are documented in {{man|5|named.conf}}. | ||
[[Reload]] the {{ic|named.service}} unit to apply configuration changes. | [[Reload]] the {{ic|named.service}} unit to apply configuration changes. | ||
===Restrict access to localhost=== | === Restrict access to localhost === | ||
BIND by default listens on port 53 of all interfaces and IP addresses. To only allow connections from localhost add the following line to the {{ic|options}} section in {{ic|/etc/named.conf}}: | |||
listen-on { 127.0.0.1; }; | listen-on { 127.0.0.1; }; | ||
listen-on-v6 { ::1; }; | |||
=== Set up DNS forwarding === | === Set up DNS forwarding === | ||
To make BIND forward DNS queries to another DNS server add the forwarders clause to the options section. | To make BIND forward DNS queries to another DNS server add the {{ic|forwarders}} clause to the {{ic|options}} section. | ||
Example to make BIND forward to the Google DNS servers: | Example to make BIND forward to the Google Public DNS servers: | ||
forwarders { 8.8.8.8; 8.8.4.4; }; | forwarders { | ||
8.8.8.8; 2001:4860:4860::8888; | |||
8.8.4.4; 2001:4860:4860::8844; | |||
}; | |||
(As of 9.18, only plaintext DNS servers are supported as forwarders.) | |||
=== Serve DNS over TLS or HTTPS === | |||
To enable serving DNS over TLS or HTTPS in BIND 9.18, define a [https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/reference.html#tls tls] block specifying your certificate, then add [https://downloads.isc.org/isc/bind9/9.18.0/doc/arm/html/reference.html#interfaces listen-on] clauses enabling DNS over TLS and HTTPS listeners (as well as a standard DNS listener). | |||
{{hc|/etc/named.conf|<nowiki> | |||
tls mycert { | |||
cert-file "<path>.crt"; | |||
key-file "<path>.key"; | |||
}; | |||
options { | |||
// Standard port 53 listeners need to be re-added explicitly | |||
listen-on { any; }; | |||
listen-on-v6 { any; }; | |||
// Add a DNS over TLS listener on standard port 853 | |||
listen-on tls mycert { any; }; | |||
listen-on-v6 tls mycert { any; }; | |||
// Add a DNS over HTTPS listener on custom port | |||
listen-on port 9443 tls mycert http default { any; }; | |||
listen-on-v6 port 9443 tls mycert http default { any; }; | |||
// If needed, add a cleartext HTTP listener for a reverse proxy | |||
//listen-on port 8443 tls none http default { 127.0.0.1; }; | |||
//listen-on-v6 port 8443 tls none http default { ::1; }; | |||
}; | |||
...</nowiki>}} | |||
Note that {{ic|tls{}<nowiki/>}} is defined at the top level, ''not'' inside the {{ic|options{}<nowiki/>}} block. | |||
== A configuration template for running a domain == | == A configuration template for running a domain == | ||
Following is a simple home nameserver being set up, using ''domain.tld'' as the domain being served world-wide like this wiki's ''archlinux.org'' domain is. | |||
A more elaborate example is [https://www.howtoforge.com/two_in_one_dns_bind9_views DNS server with BIND9], while [https://www.brennan.id.au/08-Domain_Name_System_BIND.html#yourdomain this shows] how to set up internal network name resolution. | |||
=== Creating a zonefile === | |||
Create {{ic|/var/named/domain.tld.zone}}. | |||
$ORIGIN domain.tld. | |||
$TTL 2h | |||
@ SOA ns1 hostmaster ( | |||
2018111111 ; Serial | |||
8h ; Refresh | |||
30m ; Retry | |||
1w ; Expire | |||
1h ) ; Negative Cache TTL | |||
NS ns1 | |||
NS ns2 | |||
@ A 203.0.113.1 | |||
AAAA 2001:db8:113::1 | |||
MX 10 mail | |||
TXT "v=spf1 mx" | |||
www A 203.0.113.1 | |||
AAAA 2001:db8:113::1 | |||
ns1 A 203.0.113.4 | |||
AAAA 2001:db8:113::4 | |||
ns2 A 198.51.100.5 | |||
AAAA 2001:db8:5100::5 | |||
mail A 198.51.100.6 | |||
AAAA 2001:db8:5100::6 | |||
imap CNAME mail | |||
smtp CNAME mail | |||
{{ic|$ORIGIN}} defines the default suffix for all names which do not already end with a {{ic|.}} (dot), e.g. {{ic|mail}} will be expanded to {{ic|mail.$ORIGIN}} ⇒ {{ic|mail.domain.tld.}} everywhere. | |||
$TTL defines the default time-to-live | {{ic|$TTL}} defines the default time-to-live (i.e. cache expiry time) for all records which do not have their own TTL specified. Here it is 2 hours. | ||
''' | Serial must be '''incremented''' manually before reloading named every time you change a resource record for the zone. Otherwise secondary servers (replicas or slaves) will not re-transfer the zone: they only do it if the serial is '''greater''' than that of the last time they transferred the zone. This example uses the somewhat common {{ic|YYYYMMDDXX}} format, but this is not required; the serial number can also just start at 1. | ||
=== | === Configuring master server === | ||
Add your zone to {{ic|/etc/named.conf}}: | Add your zone to {{ic|/etc/named.conf}}: | ||
| Line 88: | Line 132: | ||
file "domain.tld.zone"; | file "domain.tld.zone"; | ||
allow-update { none; }; | allow-update { none; }; | ||
}; | }; | ||
[[Reload]] the {{ic|named.service}} unit to apply the configuration change. | [[Reload]] the {{ic|named.service}} unit to apply the configuration change. | ||
== | == Allow recursion == | ||
If you are running your own DNS server, you might as well use it for all DNS lookups. | If you are running your own DNS server, you might as well use it for all DNS lookups, or even [[#Serve the root zone locally]] by yourself. The former will require the ability to do ''recursive'' lookups. In order to prevent [https://www.us-cert.gov/ncas/alerts/TA13-088A DNS Amplification Attacks], recursion is turned off by default for most resolvers. The default Arch {{ic|/etc/named.conf}} file allows for recursion only on the loopback interface: | ||
allow-recursion { 127.0.0.1; }; | allow-recursion { 127.0.0.1; ::1; }; | ||
{{Accuracy|LAN networking is not recursive.}} | |||
If you want to provide name service for your local network; e.g. 192.168.0, you must add the appropriate range of IP addresses to {{ic|/etc/named.conf}}: | If you want to provide name service for your local network; e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to {{ic|/etc/named.conf}}: | ||
allow-recursion { 192.168.0.0/24; 127.0.0.1; }; | allow-recursion { | ||
192.168.0.0/24; | |||
fd01:2345:6789::/64; | |||
127.0.0.1; | |||
::1; | |||
}; | |||
== Configuring BIND to serve DNSSEC signed zones == | == Configuring BIND to serve DNSSEC signed zones == | ||
{{ | [[DNSSEC]] validation is enabled by default. Do not forget to check that "edns" is not disabled. | ||
On master DNS server: | |||
* generate KSK and ZSK keys: | |||
$ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com | |||
$ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com | |||
* change zone configuration: | |||
zone "example.com" { | |||
type master; | |||
allow-transfer { ... }; | |||
auto-dnssec maintain; | |||
inline-signing yes; | |||
key-directory "master/"; | |||
file "master/example.com.zone"; | |||
}; | |||
Now bind will sign zone automatically. (This example assumes that all required files are in /var/named/master/) | |||
Then you should pass DS records (from dsset-example.com. file) to parent zone owner probably using your registrar website. It glues parent zone with your KSK. | |||
KSK (and corresponding DS records) should be changed rarely because it needs manual intervention, ZSK can be changed more often because this key is usually shorter to be faster in signature checking. | |||
You can schedule old ZSK key expiration and generate new one using: | |||
$ dnssec-settime -I +172800 -D +345600 Kexample.com.+000+111111.key | |||
$ dnssec-keygen -S Kexample.com.+000+111111.key -i 152800 | |||
Bind should automatically use new ZSK key at appropriate time. | |||
There are external mechanisms such as OpenDNSSEC with fully-automatic key rollover available. | |||
== Automatically listen on new interfaces == | == Automatically listen on new interfaces == | ||
By default bind scan for new interfaces and stop listening on interfaces which no longer exist every | By default bind scan for new interfaces and stop listening on interfaces which no longer exist every hour. You can tune this value by adding : | ||
interface-interval <rescan-timeout-in-minutes>; | interface-interval <rescan-timeout-in-minutes>; | ||
parameter into {{ic|named.conf}} options section. Max value is 28 days. (40320 min) <br> | parameter into {{ic|named.conf}} options section. Max value is 28 days. (40320 min) <br> | ||
| Line 129: | Line 202: | ||
Running in a [[chroot]] environment is not required but improves security. | Running in a [[chroot]] environment is not required but improves security. | ||
=== Creating the | {{Expansion|{{ic|/srv/}} is an odd place for chroots, {{ic|/var/lib/}} would be a more common place.}} | ||
=== Creating the jail house === | |||
In order to do this, we first need to create a place to keep the jail, we shall use {{ic|/srv/named}}, and then put the required files into the jail. | In order to do this, we first need to create a place to keep the jail, we shall use {{ic|/srv/named}}, and then put the required files into the jail. | ||
# mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}} | |||
Copy over required system files: | |||
# cp -av /etc/{localtime,named.conf} /srv/named/etc/ | |||
# cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/ | |||
# cp -av /var/named/* /srv/named/var/named/. | |||
Set up required nodes in {{ic|/dev/}}: | |||
# mknod /srv/named/dev/null c 1 3 | |||
# mknod /srv/named/dev/random c 1 8 | |||
Set [[ownership]] of the files: | |||
# chown -R named:named /srv/named | |||
This should create the required file system for the jail. | This should create the required file system for the jail. | ||
=== Service | === Service unit === | ||
Next we need a [[replacement unit file]] so that the service calls bind which will allow force bind into the chroot: | |||
{{hc|/etc/systemd/system/named-chroot.service|2= | |||
ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named" | |||
}} | |||
Now, reload systemd with [[daemon-reload]], and [[start]] the {{ic|named-chroot.service}}. | |||
== Serve the root zone locally == | |||
If you do not want to rely on [[Domain name resolution#Third-party DNS services|third-party DNS services]], you can serve the root zone locally following [[RFC:7706]]. This can be achieved by using BIND as a DNS recursive resolver. | |||
To manage a recursive resolver, you typically need to configure a ''root hints file''. This file contains the names and IP addresses of the authoritative name servers for the root zone. | |||
Grab the file from [https://www.iana.org/domains/root/files IANA website] and place it into {{ic|/var/named}}. | |||
{{hc|/etc | Edit your server config, adding the respective file: | ||
{{hc|/etc/named.conf| | |||
zone "." IN { | |||
type hint; | |||
file "named.root"; | |||
}; | |||
}} | |||
Recursion also should be allowed in the config. See [[#Allow recursion]]. | |||
== See also == | == See also == | ||
* [https://www.isc.org/downloads/bind/doc/ BIND 9 Administrator Reference Manual] | |||
* [ | * [https://www.isc.org/downloads/bind/doc/ BIND 9 Administrator Reference Manual (ARM)] | ||
* [ | * [https://bind9.readthedocs.io/en/latest/manpages.html BIND ARM on readthedocs] | ||
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND] | * [https://kb.isc.org/docs/aa-01310 BIND knowledgebase] | ||
* [https://www.isc.org/ Internet Systems Consortium, Inc. (ISC)] | |||
* [ | * [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND] with [https://www.zytrax.com/books/dns/ abbreviated version online] | ||
* [https://lists.archlinux.org/ | * [https://cira.ca/domain-name-system-dns-glossary DNS Glossary] | ||
* [https://lists.archlinux.org/archives/list/arch-dev-public@lists.archlinux.org/thread/RR3TKD5ZWTYKQHQBFPHTHDLN3JKUOOWV/ Archived mailing list discussion on BIND's future] | |||
* [https://www.heise.de/netze/rfc/rfcs/rfc7706.shtml#page-9 root zone transfer made simple - serve root@home] copy the /etc/named.conf , restart BIND & enjoy! | |||
* [https://www.dnssec.net/practical-documents DNSSEC] | |||
* [https://www.cymru.com/Documents/secure-bind-template.html a BIND configuration template] | |||
Latest revision as of 16:09, 16 September 2023
BIND (or named) is the most widely used Domain Name System (DNS) server.
Note: The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.[1][dead link 2023-09-16 ⓘ]
Installation
Start/enable the named.service systemd unit.
To use the DNS server locally, use the 127.0.0.1 nameserver (meaning clients like Firefox resolve via 127.0.0.1), see Domain name resolution.
This will however require you to #Allow recursion while a firewall might block outside queries to your local named.
Configuration
BIND is configured in /etc/named.conf. The available options are documented in named.conf(5).
Reload the named.service unit to apply configuration changes.
Restrict access to localhost
BIND by default listens on port 53 of all interfaces and IP addresses. To only allow connections from localhost add the following line to the options section in /etc/named.conf:
listen-on { 127.0.0.1; };
listen-on-v6 { ::1; };
Set up DNS forwarding
To make BIND forward DNS queries to another DNS server add the forwarders clause to the options section.
Example to make BIND forward to the Google Public DNS servers:
forwarders {
8.8.8.8; 2001:4860:4860::8888;
8.8.4.4; 2001:4860:4860::8844;
};
(As of 9.18, only plaintext DNS servers are supported as forwarders.)
Serve DNS over TLS or HTTPS
To enable serving DNS over TLS or HTTPS in BIND 9.18, define a tls block specifying your certificate, then add listen-on clauses enabling DNS over TLS and HTTPS listeners (as well as a standard DNS listener).
/etc/named.conf
tls mycert {
cert-file "<path>.crt";
key-file "<path>.key";
};
options {
// Standard port 53 listeners need to be re-added explicitly
listen-on { any; };
listen-on-v6 { any; };
// Add a DNS over TLS listener on standard port 853
listen-on tls mycert { any; };
listen-on-v6 tls mycert { any; };
// Add a DNS over HTTPS listener on custom port
listen-on port 9443 tls mycert http default { any; };
listen-on-v6 port 9443 tls mycert http default { any; };
// If needed, add a cleartext HTTP listener for a reverse proxy
//listen-on port 8443 tls none http default { 127.0.0.1; };
//listen-on-v6 port 8443 tls none http default { ::1; };
};
...
Note that tls{} is defined at the top level, not inside the options{} block.
A configuration template for running a domain
Following is a simple home nameserver being set up, using domain.tld as the domain being served world-wide like this wiki's archlinux.org domain is.
A more elaborate example is DNS server with BIND9, while this shows how to set up internal network name resolution.
Creating a zonefile
Create /var/named/domain.tld.zone.
$ORIGIN domain.tld.
$TTL 2h
@ SOA ns1 hostmaster (
2018111111 ; Serial
8h ; Refresh
30m ; Retry
1w ; Expire
1h ) ; Negative Cache TTL
NS ns1
NS ns2
@ A 203.0.113.1
AAAA 2001:db8:113::1
MX 10 mail
TXT "v=spf1 mx"
www A 203.0.113.1
AAAA 2001:db8:113::1
ns1 A 203.0.113.4
AAAA 2001:db8:113::4
ns2 A 198.51.100.5
AAAA 2001:db8:5100::5
mail A 198.51.100.6
AAAA 2001:db8:5100::6
imap CNAME mail
smtp CNAME mail
$ORIGIN defines the default suffix for all names which do not already end with a . (dot), e.g. mail will be expanded to mail.$ORIGIN ⇒ mail.domain.tld. everywhere.
$TTL defines the default time-to-live (i.e. cache expiry time) for all records which do not have their own TTL specified. Here it is 2 hours.
Serial must be incremented manually before reloading named every time you change a resource record for the zone. Otherwise secondary servers (replicas or slaves) will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone. This example uses the somewhat common YYYYMMDDXX format, but this is not required; the serial number can also just start at 1.
Configuring master server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
type master;
file "domain.tld.zone";
allow-update { none; };
};
Reload the named.service unit to apply the configuration change.
Allow recursion
If you are running your own DNS server, you might as well use it for all DNS lookups, or even #Serve the root zone locally by yourself. The former will require the ability to do recursive lookups. In order to prevent DNS Amplification Attacks, recursion is turned off by default for most resolvers. The default Arch /etc/named.conf file allows for recursion only on the loopback interface:
allow-recursion { 127.0.0.1; ::1; };
If you want to provide name service for your local network; e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to /etc/named.conf:
allow-recursion {
192.168.0.0/24;
fd01:2345:6789::/64;
127.0.0.1;
::1;
};
Configuring BIND to serve DNSSEC signed zones
DNSSEC validation is enabled by default. Do not forget to check that "edns" is not disabled.
On master DNS server:
- generate KSK and ZSK keys:
$ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com $ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
- change zone configuration:
zone "example.com" {
type master;
allow-transfer { ... };
auto-dnssec maintain;
inline-signing yes;
key-directory "master/";
file "master/example.com.zone";
};
Now bind will sign zone automatically. (This example assumes that all required files are in /var/named/master/)
Then you should pass DS records (from dsset-example.com. file) to parent zone owner probably using your registrar website. It glues parent zone with your KSK.
KSK (and corresponding DS records) should be changed rarely because it needs manual intervention, ZSK can be changed more often because this key is usually shorter to be faster in signature checking.
You can schedule old ZSK key expiration and generate new one using:
$ dnssec-settime -I +172800 -D +345600 Kexample.com.+000+111111.key $ dnssec-keygen -S Kexample.com.+000+111111.key -i 152800
Bind should automatically use new ZSK key at appropriate time.
There are external mechanisms such as OpenDNSSEC with fully-automatic key rollover available.
Automatically listen on new interfaces
By default bind scan for new interfaces and stop listening on interfaces which no longer exist every hour. You can tune this value by adding :
interface-interval <rescan-timeout-in-minutes>;
parameter into named.conf options section. Max value is 28 days. (40320 min)
You can disable this feature by setting its value to 0.
Then restart the service.
Running BIND in a chrooted environment
Running in a chroot environment is not required but improves security.
Creating the jail house
In order to do this, we first need to create a place to keep the jail, we shall use /srv/named, and then put the required files into the jail.
# mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
Copy over required system files:
# cp -av /etc/{localtime,named.conf} /srv/named/etc/
# cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/
# cp -av /var/named/* /srv/named/var/named/.
Set up required nodes in /dev/:
# mknod /srv/named/dev/null c 1 3 # mknod /srv/named/dev/random c 1 8
Set ownership of the files:
# chown -R named:named /srv/named
This should create the required file system for the jail.
Service unit
Next we need a replacement unit file so that the service calls bind which will allow force bind into the chroot:
/etc/systemd/system/named-chroot.service
ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"
Now, reload systemd with daemon-reload, and start the named-chroot.service.
Serve the root zone locally
If you do not want to rely on third-party DNS services, you can serve the root zone locally following RFC:7706. This can be achieved by using BIND as a DNS recursive resolver.
To manage a recursive resolver, you typically need to configure a root hints file. This file contains the names and IP addresses of the authoritative name servers for the root zone.
Grab the file from IANA website and place it into /var/named.
Edit your server config, adding the respective file:
/etc/named.conf
zone "." IN {
type hint;
file "named.root";
};
Recursion also should be allowed in the config. See #Allow recursion.
See also
- BIND 9 Administrator Reference Manual (ARM)
- BIND ARM on readthedocs
- BIND knowledgebase
- Internet Systems Consortium, Inc. (ISC)
- Pro DNS and BIND with abbreviated version online
- DNS Glossary
- Archived mailing list discussion on BIND's future
- root zone transfer made simple - serve root@home copy the /etc/named.conf , restart BIND & enjoy!
- DNSSEC
- a BIND configuration template