Difference between revisions of "BIND"
Line 2: | Line 2: | ||
|- | |- | ||
!Download Source: | !Download Source: | ||
− | | | + | | http://ftp.isc.org/isc/bind{{BIND-Version2}}/{{BIND-Version}}/bind-{{BIND-Version}}.tar.gz |
|- | |- | ||
!Alternate Download Source: | !Alternate Download Source: | ||
− | | http://gd.tuwien.ac.at/infosys/servers/isc/ | + | | http://gd.tuwien.ac.at/infosys/servers/isc/bind/{{BIND-Version}}/bind-{{BIND-Version}}.tar.gz |
|} | |} | ||
− | + | {{Package-Introduction|BIND (Berkeley Internet Name Domain) is an implementation of the DNS protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System.|http://www.bind9.net/}} | |
− | == Optional == | + | == Dependencies == |
+ | |||
+ | === Optional === | ||
* [[OpenSSL]] (Recommended for secure environments) | * [[OpenSSL]] (Recommended for secure environments) | ||
Line 18: | Line 20: | ||
Compile the package: | Compile the package: | ||
− | ./configure --prefix=/usr && | + | ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-threads --with-libtool && |
make | make | ||
Install the package | Install the package | ||
− | make | + | make install |
== Multilib == | == Multilib == | ||
Line 31: | Line 33: | ||
Compile the package: | Compile the package: | ||
− | CC="gcc ${BUILD32}" ./configure --prefix=/usr && | + | CC="gcc ${BUILD32}" ./configure --prefix=/usr --sysconfdir=/etc --localstatedir=/var --enable-threads \ |
+ | --with-libtool && | ||
make | make | ||
Install the package | Install the package | ||
− | make - | + | make install && |
+ | mv -v /usr/bin/isc-config.sh{,-32} | ||
=== N32 === | === N32 === | ||
Line 42: | Line 46: | ||
Compile the package: | Compile the package: | ||
− | CC="gcc ${BUILDN32}" ./configure --prefix=/usr | + | CC="gcc ${BUILDN32}" ./configure --prefix=/usr --libdir=/usr/lib32 --sysconfdir=/etc --localstatedir=/var \ |
− | + | --enable-threads --with-libtool && | |
make | make | ||
Install the package | Install the package | ||
− | make - | + | make install && |
+ | mv -v /usr/bin/isc-config.sh{,-n32} | ||
=== 64Bit === | === 64Bit === | ||
Line 54: | Line 59: | ||
Compile the package: | Compile the package: | ||
− | CC="gcc ${BUILD64}" ./configure --prefix=/usr | + | CC="gcc ${BUILD64}" ./configure --prefix=/usr --libdir=/usr/lib64 --sysconfdir=/etc --localstatedir=/var \ |
− | + | --enable-threads --with-libtool && | |
make | make | ||
Install the package | Install the package | ||
− | make - | + | make install && |
+ | mv -v /usr/bin/isc-config.sh{,-64} && | ||
+ | ln -sfv multiarch_wrapper /usr/bin/isc-config.sh | ||
+ | |||
+ | == Configuring Bind == | ||
+ | |||
+ | === Named User/Group === | ||
+ | |||
+ | groupadd -g 52 named && | ||
+ | useradd -c 'BIND User' -d /srv/named -g named -s /bin/false -u 52 named | ||
+ | |||
+ | === BootScript === | ||
+ | |||
+ | Install the init script included in the [[bootscripts]] package. | ||
+ | |||
+ | make install-bind | ||
+ | |||
+ | === Basic structure for the chroot environment === | ||
+ | |||
+ | install -dv /srv/named/{dev,etc/namedb/{pz,slave},var/run} && | ||
+ | mknod -m666 /srv/named/dev/null c 1 3 && | ||
+ | mknod -m666 /srv/named/dev/zero c 1 5 && | ||
+ | mknod -m666 /srv/named/dev/random c 1 8 && | ||
+ | cp -L /etc/localtime /srv/named/etc/localtime | ||
+ | |||
+ | === Configuration === | ||
+ | |||
+ | Generate a RNDC Key for use in the next 2 configuration files below: | ||
+ | |||
+ | rndc-confgen -r /dev/urandom -b 512 | sed -e '/^\tsecret/!d' -e 's/^\(.*\)"\(.*\)"\(.*\)$/\2/' | ||
+ | |||
+ | Create a basic internal configuration for bind, You may have to substitute some ip addresses and subnets depending on your configuration: | ||
+ | |||
+ | cat > /srv/named/etc/named.conf << "EOF" | ||
+ | options { | ||
+ | directory "/etc/namedb"; | ||
+ | pid-file "/var/run/named.pid"; | ||
+ | statistics-file "/var/run/named.stats"; | ||
+ | |||
+ | allow-query { "lan"; }; | ||
+ | |||
+ | listen-on { 127.0.0.1; }; | ||
+ | listen-on { 192.168.1.1; }; | ||
+ | }; | ||
+ | |||
+ | acl "lan" { | ||
+ | 127.0.0.1; | ||
+ | 192.168.1.0/24; | ||
+ | }; | ||
+ | |||
+ | controls { | ||
+ | inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; | ||
+ | }; | ||
+ | |||
+ | key "rndc_key" { | ||
+ | algorithm hmac-md5; | ||
+ | secret "'''''Insert RNDC Key Here'''''"; | ||
+ | }; | ||
+ | |||
+ | zone "." { | ||
+ | type hint; | ||
+ | file "root.hints"; | ||
+ | }; | ||
+ | |||
+ | zone "localhost" { | ||
+ | type master; | ||
+ | file "pz/localhost"; | ||
+ | notify no; | ||
+ | }; | ||
+ | |||
+ | zone "0.0.127.in-addr.arpa" { | ||
+ | type master; | ||
+ | file "pz/127.0.0"; | ||
+ | notify no; | ||
+ | }; | ||
+ | |||
+ | # The following 2 zones are examples for setting up forward and reverse lookup zone | ||
+ | # They can be updated with the rndc key from the rndc utility or [[Dhcp]] | ||
+ | #zone "test.local" { | ||
+ | # type master; | ||
+ | # file "pz/test.local"; | ||
+ | # allow-update { key "rndc_key"; }; | ||
+ | # allow-transfer { 127.0.0.1; }; | ||
+ | # notify yes; | ||
+ | #}; | ||
+ | # | ||
+ | #zone "1.168.192.in-addr.arpa" { | ||
+ | # type master; | ||
+ | # file "pz/1.168.192.in-addr.arpa"; | ||
+ | # allow-update { key "rndc_key"; }; | ||
+ | # allow-transfer { 127.0.0.1; }; | ||
+ | # notify yes; | ||
+ | #}; | ||
+ | |||
+ | logging { | ||
+ | category default { default_syslog; default_debug; }; | ||
+ | category unmatched { null; }; | ||
+ | channel default_syslog { | ||
+ | syslog daemon; | ||
+ | severity info; | ||
+ | }; | ||
+ | channel default_debug { | ||
+ | file "named.run"; | ||
+ | severity dynamic; | ||
+ | }; | ||
+ | channel default_stderr { | ||
+ | stderr; | ||
+ | severity info; | ||
+ | }; | ||
+ | channel null { | ||
+ | null; | ||
+ | }; | ||
+ | }; | ||
+ | EOF | ||
+ | |||
+ | Create a configuration file for the nameserver remote control utility: | ||
+ | |||
+ | cat > /etc/rndc.conf << "EOF" | ||
+ | options { | ||
+ | default-server 127.0.0.1; | ||
+ | default-key "rndckey"; | ||
+ | }; | ||
+ | |||
+ | server 127.0.0.1 { | ||
+ | key "rndckey"; | ||
+ | }; | ||
+ | |||
+ | key "rndc_key" { | ||
+ | algorithm "hmac-md5"; | ||
+ | secret "'''''Insert RNDC Key Here'''''"; | ||
+ | }; | ||
+ | EOF | ||
+ | |||
+ | The following list of root hints was copied from Internic[http://www.internic.net/zones/named.root] on 2010-01-08: | ||
+ | |||
+ | cat > /srv/named/etc/namedb/root.hints << "EOF" | ||
+ | ; This file holds the information on root name servers needed to | ||
+ | ; initialize cache of Internet domain name servers | ||
+ | ; (e.g. reference this file in the "cache . <file>" | ||
+ | ; configuration file of BIND domain name servers). | ||
+ | ; | ||
+ | ; This file is made available by InterNIC | ||
+ | ; under anonymous FTP as | ||
+ | ; file /domain/named.root | ||
+ | ; on server FTP.INTERNIC.NET | ||
+ | ; -OR- RS.INTERNIC.NET | ||
+ | ; | ||
+ | ; last update: Dec 12, 2008 | ||
+ | ; related version of root zone: 2008121200 | ||
+ | ; | ||
+ | ; formerly NS.INTERNIC.NET | ||
+ | ; | ||
+ | . 3600000 IN NS A.ROOT-SERVERS.NET. | ||
+ | A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 | ||
+ | A.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:BA3E::2:30 | ||
+ | ; | ||
+ | ; FORMERLY NS1.ISI.EDU | ||
+ | ; | ||
+ | . 3600000 NS B.ROOT-SERVERS.NET. | ||
+ | B.ROOT-SERVERS.NET. 3600000 A 192.228.79.201 | ||
+ | ; | ||
+ | ; FORMERLY C.PSI.NET | ||
+ | ; | ||
+ | . 3600000 NS C.ROOT-SERVERS.NET. | ||
+ | C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 | ||
+ | ; | ||
+ | ; FORMERLY TERP.UMD.EDU | ||
+ | ; | ||
+ | . 3600000 NS D.ROOT-SERVERS.NET. | ||
+ | D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 | ||
+ | ; | ||
+ | ; FORMERLY NS.NASA.GOV | ||
+ | ; | ||
+ | . 3600000 NS E.ROOT-SERVERS.NET. | ||
+ | E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 | ||
+ | ; | ||
+ | ; FORMERLY NS.ISC.ORG | ||
+ | ; | ||
+ | . 3600000 NS F.ROOT-SERVERS.NET. | ||
+ | F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 | ||
+ | F.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:2F::F | ||
+ | ; | ||
+ | ; FORMERLY NS.NIC.DDN.MIL | ||
+ | ; | ||
+ | . 3600000 NS G.ROOT-SERVERS.NET. | ||
+ | G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 | ||
+ | ; | ||
+ | ; FORMERLY AOS.ARL.ARMY.MIL | ||
+ | ; | ||
+ | . 3600000 NS H.ROOT-SERVERS.NET. | ||
+ | H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 | ||
+ | H.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:1::803F:235 | ||
+ | ; | ||
+ | ; FORMERLY NIC.NORDU.NET | ||
+ | ; | ||
+ | . 3600000 NS I.ROOT-SERVERS.NET. | ||
+ | I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 | ||
+ | ; | ||
+ | ; OPERATED BY VERISIGN, INC. | ||
+ | ; | ||
+ | . 3600000 NS J.ROOT-SERVERS.NET. | ||
+ | J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30 | ||
+ | J.ROOT-SERVERS.NET. 3600000 AAAA 2001:503:C27::2:30 | ||
+ | ; | ||
+ | ; OPERATED BY RIPE NCC | ||
+ | ; | ||
+ | . 3600000 NS K.ROOT-SERVERS.NET. | ||
+ | K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 | ||
+ | K.ROOT-SERVERS.NET. 3600000 AAAA 2001:7FD::1 | ||
+ | ; | ||
+ | ; OPERATED BY ICANN | ||
+ | ; | ||
+ | . 3600000 NS L.ROOT-SERVERS.NET. | ||
+ | L.ROOT-SERVERS.NET. 3600000 A 199.7.83.42 | ||
+ | L.ROOT-SERVERS.NET. 3600000 AAAA 2001:500:3::42 | ||
+ | ; | ||
+ | ; OPERATED BY WIDE | ||
+ | ; | ||
+ | . 3600000 NS M.ROOT-SERVERS.NET. | ||
+ | M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 | ||
+ | M.ROOT-SERVERS.NET. 3600000 AAAA 2001:DC3::35 | ||
+ | ; End of File | ||
+ | EOF | ||
+ | |||
+ | Create a default zone for localhost: | ||
+ | |||
+ | cat > /srv/named/etc/namedb/pz/localhost << "EOF" | ||
+ | $TTL 3D | ||
+ | @ IN SOA @ root ( | ||
+ | 42 ; serial (d. adams) | ||
+ | 3H ; refresh | ||
+ | 15M ; retry | ||
+ | 1W ; expiry | ||
+ | 1D) ; minimum | ||
+ | IN NS @ | ||
+ | IN A 127.0.0.1 | ||
+ | EOF | ||
+ | |||
+ | And the corresponding reverse lookup zone: | ||
+ | |||
+ | cat > /srv/named/etc/namedb/pz/127.0.0 << "EOF" | ||
+ | $TTL 1D | ||
+ | @ IN SOA localhost. root.localhost. ( | ||
+ | 1 ; Serial | ||
+ | 8H ; Refresh | ||
+ | 2H ; Retry | ||
+ | 4W ; Expire | ||
+ | 1D) ; Minimum | ||
+ | IN NS localhost. | ||
+ | 1 IN PTR localhost. | ||
+ | EOF | ||
+ | |||
+ | === Permissions === | ||
+ | |||
+ | Change the ownership and set permissions: | ||
+ | |||
+ | chmod -Rv ug+rw /srv/named | ||
+ | chown -Rv named:named /srv/named | ||
+ | |||
+ | [[Category:Network Utilities]] |
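Review bot: In the rndc.conf heredoc near the end of the Line 54 hunk, `default-key "rndckey";` and `key "rndckey";` reference a key that is never defined — the key statement in that file, and the one named in the `controls` block of named.conf, is `rndc_key` — so rndc cannot load its configuration until both lines read `default-key "rndc_key";` and `key "rndc_key";`. In the Permissions section, `chmod -Rv ug+rw /srv/named` followed by `chown -Rv named:named /srv/named` leaves named.conf (which holds the rndc secret) and the root hints writable by the service account, so a compromised named could rewrite its own configuration; keeping the configuration root-owned and group-readable, with write access only on the zone directory and var/run, is the least-privilege layout. Likewise `cat > /etc/rndc.conf` creates the file with the caller's umask, typically world-readable, while it contains the same secret, so a `chmod 640 /etc/rndc.conf` (or whatever group actually runs rndc needs) should follow it. named.conf sets allow-query but no explicit allow-recursion; as far as I recall BIND 9 then falls back to the allow-query ACL, but an explicit `allow-recursion { "lan"; };` documents the intent and keeps the server from becoming an open resolver if allow-query is later widened. The root hints are a 2008-12-12 snapshot; refreshing them from the named.root link the page cites avoids serving stale root data.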
Latest revision as of 17:24, 8 January 2010
Download Source: | http://ftp.isc.org/isc/bind9/9.6.1-P2/bind-9.6.1-P2.tar.gz |
---|---|
Alternate Download Source: | http://gd.tuwien.ac.at/infosys/servers/isc/bind/9.6.1-P2/bind-9.6.1-P2.tar.gz |
Introduction to BIND
BIND (Berkeley Internet Name Domain) is an implementation of the DNS protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System.
Project Homepage: http://www.bind9.net/
Dependencies
Optional
- OpenSSL (Recommended for secure environments)
Non-Multilib
Compile the package:
# Configure for a /usr prefix with system configuration under /etc and
# runtime state under /var; build a threaded named via libtool, then build.
./configure --prefix=/usr        \
            --sysconfdir=/etc    \
            --localstatedir=/var \
            --enable-threads     \
            --with-libtool &&
make
Install the package
# Install the compiled package under the configured prefix (/usr).
make install
Multilib
32Bit
Compile the package:
# 32-bit multilib build: CC carries the ${BUILD32} flags into configure.
CC="gcc ${BUILD32}" ./configure --prefix=/usr        \
                                --sysconfdir=/etc    \
                                --localstatedir=/var \
                                --enable-threads     \
                                --with-libtool &&
make
Install the package
# Install, then keep the 32-bit isc-config.sh under a suffixed name so the
# other multilib installs do not overwrite it.
make install &&
mv -v /usr/bin/isc-config.sh /usr/bin/isc-config.sh-32
N32
Compile the package:
# N32 multilib build: libraries go to /usr/lib32, CC carries ${BUILDN32}.
CC="gcc ${BUILDN32}" ./configure --prefix=/usr        \
                                 --libdir=/usr/lib32  \
                                 --sysconfdir=/etc    \
                                 --localstatedir=/var \
                                 --enable-threads     \
                                 --with-libtool &&
make
Install the package
# Install, then keep the N32 isc-config.sh under a suffixed name so the
# other multilib installs do not overwrite it.
make install &&
mv -v /usr/bin/isc-config.sh /usr/bin/isc-config.sh-n32
64Bit
Compile the package:
# 64-bit multilib build: libraries go to /usr/lib64, CC carries ${BUILD64}.
CC="gcc ${BUILD64}" ./configure --prefix=/usr        \
                                --libdir=/usr/lib64  \
                                --sysconfdir=/etc    \
                                --localstatedir=/var \
                                --enable-threads     \
                                --with-libtool &&
make
Install the package
# Install, park the 64-bit isc-config.sh under a suffixed name, then point
# the unsuffixed name at the multiarch wrapper (a relative symlink, so it
# resolves to /usr/bin/multiarch_wrapper -- presumably provided elsewhere in
# this build; confirm).
make install &&
mv -v /usr/bin/isc-config.sh /usr/bin/isc-config.sh-64 &&
ln -sfv multiarch_wrapper /usr/bin/isc-config.sh
Configuring Bind
Named User/Group
# Dedicated unprivileged account for named: uid/gid 52, home directory at
# the chroot root, no interactive shell.
groupadd -g 52 named &&
useradd -c 'BIND User' \
        -d /srv/named  \
        -g named       \
        -s /bin/false  \
        -u 52 named
BootScript
Install the init script included in the bootscripts package.
# Install the BIND init script target of the bootscripts package
# (presumably run inside that package's source tree -- confirm).
make install-bind
Basic structure for the chroot environment
# Skeleton of the chroot at /srv/named: the device nodes named needs, the
# zone directories (pz for the master zones referenced in named.conf, slave
# for secondary zones), the pid directory, and a copy of the timezone file.
install -dv /srv/named/{dev,etc/namedb/{pz,slave},var/run} &&
mknod -m 666 /srv/named/dev/null   c 1 3 &&
mknod -m 666 /srv/named/dev/zero   c 1 5 &&
mknod -m 666 /srv/named/dev/random c 1 8 &&
cp -L /etc/localtime /srv/named/etc/localtime
Configuration
Generate an RNDC key for use in the next two configuration files below:
# Print only the generated secret: keep the "secret" line of rndc-confgen's
# output (512-bit key seeded from /dev/urandom) and strip everything outside
# its quotes.
rndc-confgen -r /dev/urandom -b 512 \
    | sed -n -e '/^\tsecret/{' \
             -e 's/^\(.*\)"\(.*\)"\(.*\)$/\2/' \
             -e 'p' \
             -e '}'
Create a basic internal configuration for BIND. You may have to substitute some IP addresses and subnets depending on your configuration:
cat > /srv/named/etc/named.conf << "EOF"
# Main named.conf, written inside the chroot (/srv/named). Paths below are
# interpreted relative to the chroot root, and zone file names relative to
# the "directory" option. Presumably the boot script starts named with
# -t /srv/named -- confirm.
options {
        directory "/etc/namedb";
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";

        # Only hosts in the "lan" ACL (defined below) may query this server.
        # NOTE(review): no explicit allow-recursion is set, so recursion is
        # governed by BIND's fallback defaults -- confirm for the installed
        # version.
        allow-query { "lan"; };

        # Loopback plus the LAN-facing address; adjust to the local interface.
        listen-on { 127.0.0.1; };
        listen-on { 192.168.1.1; };
};

acl "lan" {
        127.0.0.1;
        192.168.1.0/24;
};

# Control channel used by rndc: loopback only, authenticated with rndc_key.
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};

key "rndc_key" {
        algorithm hmac-md5;
        # Replace with the secret printed by rndc-confgen; the same key name
        # and secret must appear in /etc/rndc.conf.
        secret "Insert RNDC Key Here";
};

# Root hints: bootstrap list of the root name servers.
zone "." {
        type hint;
        file "root.hints";
};

zone "localhost" {
        type master;
        file "pz/localhost";
        notify no;
};

zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
        notify no;
};

# The following 2 zones are examples for setting up forward and reverse lookup zone
# They can be updated with the rndc key from the rndc utility or Dhcp
#zone "test.local" {
#       type master;
#       file "pz/test.local";
#       allow-update { key "rndc_key"; };
#       allow-transfer { 127.0.0.1; };
#       notify yes;
#};
#
#zone "1.168.192.in-addr.arpa" {
#       type master;
#       file "pz/1.168.192.in-addr.arpa";
#       allow-update { key "rndc_key"; };
#       allow-transfer { 127.0.0.1; };
#       notify yes;
#};

# Logging: default messages go to syslog (daemon facility) and to named.run
# in the "directory" above, which therefore must be writable by named;
# unmatched messages are discarded. The default_stderr channel is defined
# but not used by any category.
logging {
        category default { default_syslog; default_debug; };
        category unmatched { null; };
        channel default_syslog {
                syslog daemon;
                severity info;
        };
        channel default_debug {
                file "named.run";
                severity dynamic;
        };
        channel default_stderr {
                stderr;
                severity info;
        };
        channel null {
                null;
        };
};
EOF
Create a configuration file for the nameserver remote control utility:
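cat > /etc/rndc.conf << "EOF"
# Client-side configuration for rndc (lives outside the chroot). The key name
# and secret must match the "rndc_key" statement that the controls block in
# named.conf references; the default-key and server entries therefore point
# at "rndc_key" (a name that is not defined here would make rndc fail to
# load its configuration).
options {
        default-server 127.0.0.1;
        default-key "rndc_key";
};

server 127.0.0.1 {
        key "rndc_key";
};

key "rndc_key" {
        algorithm "hmac-md5";
        # Same secret as in named.conf.
        secret "Insert RNDC Key Here";
};
EOF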
The following list of root hints was copied from Internic[1] on 2010-01-08:
cat > /srv/named/etc/namedb/root.hints << "EOF"
; NOTE(review): snapshot of the 2008-12-12 root zone (serial 2008121200);
; refresh from http://www.internic.net/zones/named.root before relying on it.
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
; -OR- RS.INTERNIC.NET
;
; last update: Dec 12, 2008
; related version of root zone: 2008121200
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
A.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:BA3E::2:30
;
; FORMERLY NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; FORMERLY C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; FORMERLY TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; FORMERLY NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; FORMERLY NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
F.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:2F::F
;
; FORMERLY NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; FORMERLY AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
H.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:1::803F:235
;
; FORMERLY NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; OPERATED BY VERISIGN, INC.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
J.ROOT-SERVERS.NET.      3600000      AAAA  2001:503:C27::2:30
;
; OPERATED BY RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
K.ROOT-SERVERS.NET.      3600000      AAAA  2001:7FD::1
;
; OPERATED BY ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     199.7.83.42
L.ROOT-SERVERS.NET.      3600000      AAAA  2001:500:3::42
;
; OPERATED BY WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
M.ROOT-SERVERS.NET.      3600000      AAAA  2001:DC3::35
; End of File
EOF
Create a default zone for localhost:
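# Forward zone for "localhost". The collapsed one-line form is not loadable:
# each ";" comment would swallow the records that follow it and the heredoc
# terminator, and the NS/A records had lost the leading whitespace that
# makes them inherit the "@" owner of the SOA line.
cat > /srv/named/etc/namedb/pz/localhost << "EOF"
$TTL 3D
; "@" is the zone origin (localhost); the SOA rname "root" is root.localhost.
@       IN SOA  @ root (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D)     ; minimum
; Lines starting with whitespace inherit the owner (@) of the previous record.
        IN NS   @
        IN A    127.0.0.1
EOF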
And the corresponding reverse lookup zone:
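# Reverse zone for 127.0.0.0/24. As with the forward zone, the one-line form
# is not loadable (";" comments swallow the following records and the
# heredoc terminator) and the NS record needs leading whitespace to inherit
# the "@" owner.
cat > /srv/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 1D
@       IN SOA  localhost. root.localhost. (
                1       ; Serial
                8H      ; Refresh
                2H      ; Retry
                4W      ; Expire
                1D)     ; Minimum
; Inherits the owner (@) of the SOA line.
        IN NS   localhost.
; 1.0.0.127.in-addr.arpa -> localhost.
1       IN PTR  localhost.
EOF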
Permissions
Change the ownership and set the permissions of the chroot:
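# Least-privilege layout for the chroot. The original "chmod -R ug+rw" plus
# "chown -R named:named" on the whole tree let the service account rewrite
# named.conf (which holds the rndc secret) and the root hints. Instead:
# everything is root-owned and readable by the named group only ("other" is
# excluded because of the secret); named then gets ownership of just the
# directories it must write: the zone directory (named.run from the logging
# channel, dynamically updated and slave zones) and the pid/statistics
# directory.
chown -Rv root:named /srv/named &&
chmod -Rv u=rwX,g=rX,o= /srv/named &&
chown -Rv named:named /srv/named/etc/namedb /srv/named/var/run &&
chmod -Rv ug+rwX /srv/named/etc/namedb /srv/named/var/run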