Difference between revisions of "BIND"

(Configuration)
(Configuration)
 
(4 intermediate revisions by the same user not shown)
Line 91: Line 91:
  
 
=== Configuration ===
 
=== Configuration ===
 +
 +
Generate a RNDC Key for use in the next 2 configuration files below:
 +
 +
rndc-confgen -r /dev/urandom -b 512 | sed -e '/^\tsecret/!d' -e 's/^\(.*\)"\(.*\)"\(.*\)$/\2/'
  
 
Create a basic internal configuration for bind, You may have to substitute some ip addresses and subnets depending on your configuration:
 
Create a basic internal configuration for bind, You may have to substitute some ip addresses and subnets depending on your configuration:
Line 99: Line 103:
 
     pid-file "/var/run/named.pid";
 
     pid-file "/var/run/named.pid";
 
     statistics-file "/var/run/named.stats";
 
     statistics-file "/var/run/named.stats";
    forwarders { 208.67.222.222; 208.67.220.220; };
 
 
   
 
   
 
     allow-query { "lan"; };
 
     allow-query { "lan"; };
Line 119: Line 122:
 
     algorithm hmac-md5;
 
     algorithm hmac-md5;
 
     secret "'''''Insert RNDC Key Here'''''";
 
     secret "'''''Insert RNDC Key Here'''''";
 +
};
 +
 +
zone "." {
 +
    type hint;
 +
    file "root.hints";
 
  };
 
  };
 
   
 
   
 
  zone "localhost" {
 
  zone "localhost" {
    type   master;
+
    type master;
    file   "pz/localhost";
+
    file "pz/localhost";
    notify no;
+
    notify no;
 
  };
 
  };
 
   
 
   
Line 130: Line 138:
 
     type master;
 
     type master;
 
     file "pz/127.0.0";
 
     file "pz/127.0.0";
 +
    notify no;
 
  };
 
  };
 +
 +
# The following 2 zones are examples for setting up forward and reverse lookup zone
 +
# They can be updated with the rndc key from the rndc utility or [[Dhcp]]
 +
#zone "test.local" {
 +
#    type master;
 +
#    file "pz/test.local";
 +
#    allow-update { key "rndc_key"; };
 +
#    allow-transfer { 127.0.0.1; };
 +
#    notify yes;
 +
#};
 +
#
 +
#zone "1.168.192.in-addr.arpa" {
 +
#    type master;
 +
#    file "pz/1.168.192.in-addr.arpa";
 +
#    allow-update { key "rndc_key"; };
 +
#    allow-transfer { 127.0.0.1; };
 +
#    notify yes;
 +
#};
 
   
 
   
 
  logging {
 
  logging {
Line 169: Line 196:
 
     secret          "'''''Insert RNDC Key Here'''''";
 
     secret          "'''''Insert RNDC Key Here'''''";
 
  };
 
  };
EOF
+
EOF
 +
 
 +
The following list of root hints was copied from Internic[http://www.internic.net/zones/named.root] on 2010-01-08:
 +
 
 +
cat > /srv/named/etc/namedb/root.hints << "EOF"
 +
;      This file holds the information on root name servers needed to
 +
;      initialize cache of Internet domain name servers
 +
;      (e.g. reference this file in the "cache  .  <file>"
 +
;      configuration file of BIND domain name servers).
 +
;
 +
;      This file is made available by InterNIC
 +
;      under anonymous FTP as
 +
;          file                /domain/named.root
 +
;          on server          FTP.INTERNIC.NET
 +
;      -OR-                    RS.INTERNIC.NET
 +
;
 +
;      last update:    Dec 12, 2008
 +
;      related version of root zone:  2008121200
 +
;
 +
; formerly NS.INTERNIC.NET
 +
;
 +
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
 +
A.ROOT-SERVERS.NET.      3600000      A    198.41.0.4
 +
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
 +
;
 +
; FORMERLY NS1.ISI.EDU
 +
;
 +
.                        3600000      NS    B.ROOT-SERVERS.NET.
 +
B.ROOT-SERVERS.NET.      3600000      A    192.228.79.201
 +
;
 +
; FORMERLY C.PSI.NET
 +
;
 +
.                        3600000      NS    C.ROOT-SERVERS.NET.
 +
C.ROOT-SERVERS.NET.      3600000      A    192.33.4.12
 +
;
 +
; FORMERLY TERP.UMD.EDU
 +
;
 +
.                        3600000      NS    D.ROOT-SERVERS.NET.
 +
D.ROOT-SERVERS.NET.      3600000      A    128.8.10.90
 +
;
 +
; FORMERLY NS.NASA.GOV
 +
;
 +
.                        3600000      NS    E.ROOT-SERVERS.NET.
 +
E.ROOT-SERVERS.NET.      3600000      A    192.203.230.10
 +
;
 +
; FORMERLY NS.ISC.ORG
 +
;
 +
.                        3600000      NS    F.ROOT-SERVERS.NET.
 +
F.ROOT-SERVERS.NET.      3600000      A    192.5.5.241
 +
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
 +
;
 +
; FORMERLY NS.NIC.DDN.MIL
 +
;
 +
.                        3600000      NS    G.ROOT-SERVERS.NET.
 +
G.ROOT-SERVERS.NET.      3600000      A    192.112.36.4
 +
;
 +
; FORMERLY AOS.ARL.ARMY.MIL
 +
;
 +
.                        3600000      NS    H.ROOT-SERVERS.NET.
 +
H.ROOT-SERVERS.NET.      3600000      A    128.63.2.53
 +
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
 +
;
 +
; FORMERLY NIC.NORDU.NET
 +
;
 +
.                        3600000      NS    I.ROOT-SERVERS.NET.
 +
I.ROOT-SERVERS.NET.      3600000      A    192.36.148.17
 +
;
 +
; OPERATED BY VERISIGN, INC.
 +
;
 +
.                        3600000      NS    J.ROOT-SERVERS.NET.
 +
J.ROOT-SERVERS.NET.      3600000      A    192.58.128.30
 +
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
 +
;
 +
; OPERATED BY RIPE NCC
 +
;
 +
.                        3600000      NS    K.ROOT-SERVERS.NET.
 +
K.ROOT-SERVERS.NET.      3600000      A    193.0.14.129
 +
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
 +
;
 +
; OPERATED BY ICANN
 +
;
 +
.                        3600000      NS    L.ROOT-SERVERS.NET.
 +
L.ROOT-SERVERS.NET.      3600000      A    199.7.83.42
 +
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42 
 +
;
 +
; OPERATED BY WIDE
 +
;
 +
.                        3600000      NS    M.ROOT-SERVERS.NET.
 +
M.ROOT-SERVERS.NET.      3600000      A    202.12.27.33
 +
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
 +
; End of File
 +
EOF
  
 
Create a default zone for localhost:
 
Create a default zone for localhost:
Line 198: Line 316:
 
  1      IN      PTR    localhost.
 
  1      IN      PTR    localhost.
 
  EOF
 
  EOF
 +
 +
=== Permissions ===
 +
 +
Change the ownership and set permissions:
 +
 +
chmod -Rv ug+rw /srv/named
 +
chown -Rv named:named /srv/named
  
 
[[Category:Network Utilities]]
 
[[Category:Network Utilities]]
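Review bot: In the Permissions hunk, `chmod -Rv ug+rw /srv/named` followed by `chown -Rv named:named /srv/named` leaves named.conf and every zone file writable by the account named runs as, so a compromised or misbehaving daemon can rewrite its own configuration and zone data. Judging from the named.conf in the Line 99 and Line 130 hunks, the daemon only needs to write var/run (pid-file, statistics-file), namedb (the named.run debug channel) and the pz files of any zone it accepts dynamic updates for. I would keep the tree root-owned and group-readable and grant write only where it is needed, e.g. `chown -Rv root:named /srv/named && chmod -Rv g+r /srv/named` followed by `chown -v named:named /srv/named/var/run /srv/named/etc/namedb /srv/named/etc/namedb/pz`. The commented example zones in the Line 130 hunk also reuse rndc_key for allow-update, which hands the server's control key to whatever pushes updates; a separate update key keeps the control secret out of the DHCP server.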

Latest revision as of 17:24, 8 January 2010

Download Source: http://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz
Alternate Download Source: http://gd.tuwien.ac.at/infosys/servers/isc/bind/9.6.1-P2/bind-9.6.1-P2.tar.gz

Introduction to BIND

BIND (Berkeley Internet Name Domain) is an implementation of the DNS protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System.

Project Homepage: http://www.bind9.net/

Dependencies

Optional

  • OpenSSL (Recommended for secure environments)

Non-Multilib

Compile the package:

# Configure for a /usr prefix with configuration under /etc and run-time
# state under /var; --enable-threads and --with-libtool match the multilib
# builds below. The build only runs if configure succeeds.
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --enable-threads \
            --with-libtool &&
make

Install the package:

# Install binaries, libraries and isc-config.sh under the /usr prefix chosen above.
make install

Multilib

32Bit

Compile the package:

# 32-bit build: the BUILD32 flags are passed through CC; options are otherwise
# the same as the non-multilib build (libraries go to the default libdir).
CC="gcc ${BUILD32}" \
./configure --prefix=/usr \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --enable-threads \
            --with-libtool &&
make

Install the package:

# Install the 32-bit build, then set isc-config.sh aside under an ABI-specific
# name so the later N32 and 64-bit installs do not overwrite it.
make install &&
mv -v /usr/bin/isc-config.sh /usr/bin/isc-config.sh-32

N32

Compile the package:

# N32 build: BUILDN32 flags are passed through CC and libraries are placed in
# /usr/lib32 so they do not collide with the other ABIs.
CC="gcc ${BUILDN32}" \
./configure --prefix=/usr \
            --libdir=/usr/lib32 \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --enable-threads \
            --with-libtool &&
make

Install the package:

# Install the N32 build and rename its isc-config.sh so the 64-bit install
# that follows does not overwrite it.
make install &&
mv -v /usr/bin/isc-config.sh /usr/bin/isc-config.sh-n32

64Bit

Compile the package:

# 64-bit build: BUILD64 flags are passed through CC and libraries are placed
# in /usr/lib64, separate from the 32-bit and N32 libraries.
CC="gcc ${BUILD64}" \
./configure --prefix=/usr \
            --libdir=/usr/lib64 \
            --sysconfdir=/etc \
            --localstatedir=/var \
            --enable-threads \
            --with-libtool &&
make

Install the package:

# Install the 64-bit build, rename its isc-config.sh like the other ABIs, and
# point the plain isc-config.sh name at multiarch_wrapper (a relative symlink
# resolved inside /usr/bin), which presumably selects the -32/-n32/-64 copy.
make install &&
mv -v /usr/bin/isc-config.sh /usr/bin/isc-config.sh-64 &&
ln -sfv multiarch_wrapper /usr/bin/isc-config.sh

Configuring Bind

Named User/Group

# Dedicated unprivileged account for the daemon: fixed uid/gid 52, home at the
# chroot root (/srv/named) and no login shell.
groupadd -g 52 named &&
useradd -u 52 -g named -d /srv/named -s /bin/false -c "BIND User" named

BootScript

Install the init script included in the bootscripts package.

# Install the BIND init script; this target presumably belongs to the
# bootscripts package's Makefile, so run it from that package's tree.
make install-bind

Basic structure for the chroot environment

# Lay out the chroot under /srv/named: a minimal /dev, the namedb tree that
# named.conf's "directory" points at (with pz/ for primary zones and slave/),
# and var/run for the pid and statistics files. Only null, zero and random
# device nodes are created, and the host timezone file is copied in so the
# chrooted daemon logs in local time.
install -dv /srv/named/dev \
            /srv/named/etc/namedb/pz \
            /srv/named/etc/namedb/slave \
            /srv/named/var/run &&
mknod -m 666 /srv/named/dev/null   c 1 3 &&
mknod -m 666 /srv/named/dev/zero   c 1 5 &&
mknod -m 666 /srv/named/dev/random c 1 8 &&
cp -L /etc/localtime /srv/named/etc/localtime

Configuration

Generate an RNDC key for use in the next two configuration files below:

# Print only the base64 secret of a freshly generated 512-bit rndc key.
# rndc-confgen emits a whole rndc.conf fragment; the first sed expression keeps
# just the tab-indented "secret" line and the second strips everything but the
# quoted value. Paste the output in place of "Insert RNDC Key Here" in both
# named.conf and rndc.conf below. The secret grants full control of named, so
# it belongs only in those root-readable files.
# NOTE(review): the key must match the `algorithm hmac-md5` lines in both
# files — confirm rndc-confgen's default algorithm for this release.
rndc-confgen -r /dev/urandom -b 512 | sed -e '/^\tsecret/!d' -e 's/^\(.*\)"\(.*\)"\(.*\)$/\2/'

Create a basic internal configuration for BIND. You may have to substitute some IP addresses and subnets depending on your configuration:

# Write named.conf into the chroot (/etc/named.conf inside /srv/named).
# Paths in the file are relative to the chroot: zone files live under
# /srv/named/etc/namedb, the pid and statistics files under /srv/named/var/run.
# Access control as written:
#   - allow-query is limited to the "lan" acl (loopback and 192.168.1.0/24);
#     change the acl and the second listen-on address to match the real LAN.
#   - controls accepts rndc only from 127.0.0.1 and only with "rndc_key", so
#     the secret pasted here must be the same one placed in /etc/rndc.conf.
#   - the commented example zones reuse "rndc_key" for allow-update; if they
#     are enabled, a dedicated update key keeps the rndc control key away from
#     whatever sends the updates (e.g. the DHCP server).
# NOTE(review): two listen-on statements are given; presumably they accumulate
# rather than override — confirm, or merge them into one address list.
# NOTE(review): no allow-recursion is set, so the server default applies to
# "lan" clients — review if the host is reachable from beyond the LAN.
cat > /srv/named/etc/named.conf << "EOF"
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

    allow-query { "lan"; };

    listen-on { 127.0.0.1; };
    listen-on { 192.168.1.1; };
};

acl "lan" {
    127.0.0.1;
    192.168.1.0/24;
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
    algorithm hmac-md5;
    secret "Insert RNDC Key Here";
};

zone "." {
    type hint;
    file "root.hints";
};

zone "localhost" {
    type master;
    file "pz/localhost";
    notify no;
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
    notify no;
};

# The following 2 zones are examples for setting up forward and reverse lookup zone
# They can be updated with the rndc key from the rndc utility or Dhcp
#zone "test.local" {
#    type master;
#    file "pz/test.local";
#    allow-update { key "rndc_key"; };
#    allow-transfer { 127.0.0.1; };
#    notify yes;
#};
#
#zone "1.168.192.in-addr.arpa" {
#    type master;
#    file "pz/1.168.192.in-addr.arpa";
#    allow-update { key "rndc_key"; };
#    allow-transfer { 127.0.0.1; };
#    notify yes;
#};

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
    channel default_syslog {
        syslog daemon;
        severity info;
    };
    channel default_debug {
        file "named.run";
        severity dynamic;
    };
    channel default_stderr {
        stderr;
        severity info;
    };
    channel null {
        null;
    };
};
EOF

Create a configuration file for the nameserver remote control utility:

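# Write the rndc client configuration (outside the chroot; rndc runs on the
# host). The key name and secret must match the `key "rndc_key"` block in
# named.conf, which is the only key its controls statement accepts, so every
# reference here uses that same name — a default-key or server key naming a
# key that is not defined in this file makes rndc fail before it connects.
# Replace "Insert RNDC Key Here" with the rndc-confgen output. This file holds
# the control secret; keep it readable by root only (e.g. mode 0600).
cat > /etc/rndc.conf << "EOF"
options {
    default-server 127.0.0.1;
    default-key "rndc_key";
};

server 127.0.0.1 {
    key "rndc_key";
};

key "rndc_key" {
    algorithm       "hmac-md5";
    secret          "Insert RNDC Key Here";
};
EOF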

The following list of root hints was copied from Internic[1] on 2010-01-08:

# Install the root hints referenced by the zone "." hint entry in named.conf
# (file "root.hints", relative to /etc/namedb inside the chroot).
# This is InterNIC's named.root of 2008-12-12 (root zone 2008121200) as copied
# on 2010-01-08. Root server addresses change over time, so refresh it from
# the InterNIC source and compare against the current list before relying on it.
cat > /srv/named/etc/namedb/root.hints << "EOF"
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC 
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Dec 12, 2008
;       related version of root zone:   2008121200
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129 
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42   
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File
EOF

Create a default zone for localhost:

# Forward zone for "localhost", the file named.conf's zone "localhost" points
# at (pz/localhost under /etc/namedb in the chroot). The origin ("@") is its
# own name server and resolves to 127.0.0.1; the SOA timers are the usual
# static-zone defaults and the serial never needs bumping unless edited.
cat > /srv/named/etc/namedb/pz/localhost << "EOF"
$TTL    3D
@       IN SOA  @ root (
                            42          ; serial (d. adams)
                            3H          ; refresh
                            15M         ; retry
                            1W          ; expiry
                            1D)         ; minimum
        IN NS           @
        IN A            127.0.0.1
EOF

And the corresponding reverse lookup zone:

# Reverse zone for 127.0.0.0/24, the file named.conf's zone
# "0.0.127.in-addr.arpa" points at (pz/127.0.0 under /etc/namedb in the
# chroot). Maps 127.0.0.1 back to "localhost." and names localhost. as the
# authoritative server.
cat > /srv/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL    1D
@       IN      SOA     localhost. root.localhost.  (
                            1          ; Serial
                            8H         ; Refresh
                            2H         ; Retry
                            4W         ; Expire
                            1D)        ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
EOF

Permissions

Change the ownership and set permissions:

# Make the whole chroot tree user/group readable and writable and hand it to
# the named account. This is broader than the daemon needs: it must write
# var/run (pid-file, statistics-file), namedb (the named.run debug channel)
# and the pz files of any dynamically updated zone, but with this recipe it
# can also rewrite named.conf and the static zones. A tighter layout keeps
# named.conf and static zone files root-owned and group-readable and grants
# named write access only on those directories.
chmod -Rv ug+rw /srv/named
chown -Rv named:named /srv/named