AUTHOR: Michenaud Laurent <lmichenaud@free.fr>
        Patrick Kirk <patrick@enterprise-hr.com>
How to set up a simple DNS server with BIND
This hint explains how to set up BIND on your LFS system.
I am not a BIND specialist; what is written here is what I
have understood. Don't hesitate to correct it if you
see mistakes or have optimisations.
The Domain Name System (DNS) is used by all TCP/IP Internet software to
translate the names that we humans like to use to the IP numbers
assigned to all the computers and devices out on the Internet and your
Under most flavours of Unix, the most commonly used software package is
the Berkeley Internet Name Domain (BIND). This article will serve as an
introduction to obtaining, installing and configuring BIND under Linux,
and will include some pointers on where to go for more in-depth
Be aware that some recent security vulnerabilities have been uncovered
in BIND, so be sure to get at least version 8.2.3 (or a current 9.x
release). As of this writing, the latest version is 9.1.1. BIND can be
downloaded from the Internet Software Consortium (ISC) at http://www.isc.org.

For the purposes of this article we'll use version 9.1.1, downloadable from
ftp://ftp.isc.org/isc/bind9/9.1.1/bind-9.1.1.tar.gz
In general terms, DNS is a very simple service that takes names like
www.yahoo.com and matches them to the machines that serve up the web
pages, using dotted-quad numbers along the lines of 212.19.67.5. Your ISP
provides this service for you using BIND. If you have a single machine
connected to the Internet and wish to share that connection, running
BIND on the machine that shares the connection makes things faster and
easier. From a security point of view, addresses like 192.168.0.n
and 10.n.n.n are private (RFC 1918) and are not routed on the public
Internet, so machines on your LAN that use them cannot be reached
directly from outside. This is not a substitute for a firewall, but it
helps. If you don't use such addresses, sooner or later something like
ShareSniffer will find a shared folder or service inside your firewall and
------------------------------------------------
1) Installation of bind

To make the installation FHS compliant, we will install BIND into
/usr/local with its configuration files in /etc/bind. This has the
advantage that if you want to back up all the configuration documents
for your system, you need only back up the /etc/ directory.

$ tar zxvf bind-9.1.1.tar.gz

$ ./configure --prefix=/usr/local --sysconfdir=/etc/bind &&
The following configuration files are very simple. They give you
a DNS server for your local network and let you use the DNS
server of your ISP when you are connected to the Internet. For security
reasons, the service is only provided to machines that are on your local

network address : 192.168.0.0
domain name : zerezo.org
machine host name : zarba
machine ip : 192.168.0.51
---------------------------------------------------
2) The main configuration file: /etc/bind/named.conf
// The IP addresses we wish to provide DNS services for.
// Bad idea to let just anyone start playing with this service.
// acl means Access Control List; zerezo.org is the family LAN.
acl zerezo.org { 192.168.0.0/24; 127.0.0.0/24; };

// Working directory of named: dump and statistics files, and any zone
// file given with a relative name, end up here. Create it and make it
// writable by the user named runs as. Do not point it at a binary
// directory such as /usr/local/sbin; /var/named is a common choice.
directory "/var/named";

212.47.227.206; //DNS of your ISP here

file "/var/log/dns_warnings" versions 3 size 100k;

file "/var/log/dns_logs" versions 3 size 100k;

category default { warning; } ;
category queries { general_dns; } ;

// zone for access to the Internet (root hints)
file "/etc/bind/named.ca";

// zone for the reverse mapping of localhost
zone "0.0.127.in-addr.arpa" {
file "/etc/bind/named.local";

// zone for your domain (name to IP)
zone "zerezo.org" in {
file "/etc/bind/zerezo.org";

// reverse zone for your domain (IP to name)
zone "0.168.192.in-addr.arpa" in {
file "/etc/bind/db.192.168.0";
------------------------------------
3) Configuration files for each zone

There is one configuration file for each zone defined in named.conf.
These files live in /etc/bind. You have to create this directory.

a) /etc/bind/named.ca

This file (the root hints) is used when you are connected to the Internet.
The up-to-date version can be downloaded from ftp://ftp.rs.internic.net,
where it is called named.root. The copy below dates from 1997 and several
root-server addresses have changed since, so do not rely on it: fetch the
current named.root and refresh it from time to time.

If you do download it, remember to rename it named.ca when you put
; This file holds the details on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).

; This file is made available by InterNIC registration services
; under anonymous FTP as
; file /domain/named.root
; on server FTP.RS.INTERNIC.NET
; -OR- under Gopher at RS.INTERNIC.NET
; under menu InterNIC Registration Services (NSI)
; submenu InterNIC Registration Archives

; last update: Aug 22, 1997
; related version of root zone: 1997082200

; formerly NS.INTERNIC.NET
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4

; formerly NS1.ISI.EDU
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107

. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12

; formerly TERP.UMD.EDU
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90

; formerly NS.NASA.GOV
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10

; formerly NS.ISC.ORG
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241

; formerly NS.NIC.DDN.MIL
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4

; formerly AOS.ARL.ARMY.MIL
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53

; formerly NIC.NORDU.NET
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17

; temporarily housed at NSI (InterNIC)
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10

; housed in LINX, operated by RIPE NCC
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129

; temporarily housed at ISI (IANA)
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12

; housed in Japan, operated by WIDE
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
b) /etc/bind/named.local

The second name in the SOA record, postmaster.zarba.zerezo.org., is the
mailbox of the zone contact (postmaster@zarba.zerezo.org). Make sure that
address is deliverable, normally with a postmaster alias that points to
the user root.

@ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
c) /etc/bind/zerezo.org

Note that comments in zone files start with ';'. The '//' form is only
valid in named.conf and is a syntax error in a zone file.

@ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
                1999112002 ; serial number
                28800      ; refresh
                14400      ; retry
                86400 )    ; minimum TTL

@ IN NS zarba.zerezo.org.

; MX = mail server; the number is the priority (lower is preferred)
@ IN MX 20 zarba.zerezo.org.

localhost IN A 127.0.0.1
zarba     IN A 192.168.0.51

; IP addresses of the other machines on the network
karine    IN A 192.168.0.52
d) /etc/bind/db.192.168.0

@ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
                1999112002 ; serial number
                28800      ; refresh
                14400      ; retry
                86400 )    ; minimum TTL

   IN NS zarba.zerezo.org.

; Reverse records: the owner is the last octet of the address and must
; match the A record in zerezo.org (zarba is 192.168.0.51, karine .52;
; use the last octet of yaf's A record for yaf).
51 IN PTR zarba.zerezo.org.
52 IN PTR karine.zerezo.org.
3  IN PTR yaf.zerezo.org.
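Forward and reverse zones drift apart easily because they are edited by hand in two files. The following is an added example (Python, written for this hint; it is not part of the original page and not a BIND tool) that parses the subset of zone-file syntax used above and reports every A record in the LAN prefix without a matching PTR and every PTR that does not point back at a host with that address. The two sample zones are constructed here; the reverse sample deliberately uses owners 1, 2 and 3 while the A records are .51 and .52, the kind of slip the check is meant to catch, and a corrected copy shows what a clean run looks like.

```python
"""Cross-check a forward zone against its in-addr.arpa reverse zone.

Added example for this hint, not part of the original page and not a
BIND utility. Every A record inside the LAN prefix should have a PTR
that points back at it, and every PTR should name a host whose A record
is that address. Sample zones are constructed below.
"""
import ipaddress
import re

# Constructed sample in the style of /etc/bind/zerezo.org.
FORWARD_ZONE = """\
@         IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
              1999112002 ; serial
              28800 14400 3600000 86400 )
@         IN NS  zarba.zerezo.org.
@         IN MX  20 zarba.zerezo.org.
localhost IN A   127.0.0.1
zarba     IN A   192.168.0.51
karine    IN A   192.168.0.52
"""

# Constructed sample reverse zone with the wrong last octets (1, 2, 3).
REVERSE_ZONE = """\
@   IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
        1999112002 28800 14400 3600000 86400 )
    IN NS  zarba.zerezo.org.
1   IN PTR zarba.zerezo.org.
2   IN PTR karine.zerezo.org.
3   IN PTR yaf.zerezo.org.
"""

# The same reverse zone corrected to match the A records.
REVERSE_ZONE_FIXED = """\
@   IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
        1999112002 28800 14400 3600000 86400 )
    IN NS  zarba.zerezo.org.
51  IN PTR zarba.zerezo.org.
52  IN PTR karine.zerezo.org.
"""

# owner [ttl] [IN] type rdata; only A and PTR records are of interest.
RR_RE = re.compile(r"^(\S*)\s+(?:\d+\s+)?(?:IN\s+)?(A|PTR)\s+(\S+)\s*$")


def parse_records(zone_text, origin):
    """Return (owner_fqdn, type, rdata) for every A and PTR record.

    Covers only the master-file subset the hint uses: one record per
    line, optional TTL and class, ';' comments, '@' or an empty owner
    for the origin, relative names qualified with the origin. Names are
    lower-cased and returned without the trailing dot.
    """
    records = []
    for raw in zone_text.splitlines():
        m = RR_RE.match(raw.split(";", 1)[0].rstrip())
        if not m:
            continue
        owner, rtype, rdata = m.groups()
        if owner in ("", "@"):
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn.lower().rstrip("."), rtype, rdata.lower().rstrip(".")))
    return records


def check_consistency(forward_text, forward_origin,
                      reverse_text, reverse_origin, prefix):
    """Return a sorted list of mismatches; an empty list means the zones agree."""
    net = ipaddress.ip_network(prefix)
    a_by_name = {}          # fqdn -> addresses inside the prefix
    for name, rtype, rdata in parse_records(forward_text, forward_origin):
        if rtype == "A" and ipaddress.ip_address(rdata) in net:
            a_by_name.setdefault(name, set()).add(rdata)
    ptr_by_ip = {}          # address -> names its PTR records point at
    for owner, rtype, rdata in parse_records(reverse_text, reverse_origin):
        if rtype == "PTR":
            # 51.0.168.192.in-addr.arpa -> 192.168.0.51
            ip = ".".join(reversed(owner.split(".")[:4]))
            ptr_by_ip.setdefault(ip, set()).add(rdata)

    problems = []
    for name, addrs in a_by_name.items():
        for ip in addrs:
            if name not in ptr_by_ip.get(ip, ()):
                problems.append(f"A {name} -> {ip} has no PTR back to {name}")
    for ip, names in ptr_by_ip.items():
        for name in names:
            if ip not in a_by_name.get(name, ()):
                problems.append(f"PTR {ip} -> {name} has no matching A record")
    return sorted(problems)


if __name__ == "__main__":
    report = check_consistency(FORWARD_ZONE, "zerezo.org",
                               REVERSE_ZONE, "0.168.192.in-addr.arpa",
                               "192.168.0.0/24")
    for line in report or ["zones agree"]:
        print(line)
```

Run it against your real files by reading /etc/bind/zerezo.org and /etc/bind/db.192.168.0 into the two text arguments; the origins are the zone names from named.conf. Only A and PTR records are compared, so the SOA serial, NS and MX records are ignored, and names outside the prefix (localhost here) are skipped on purpose.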
------------------------
4) rndc configuration

rndc is used to administer BIND 9. Its development was not finished
at the time of writing, but I prefer to put it in this hint rather than
the ndc utility it replaces, which is obsolete.

You have to generate a key so rndc can authenticate to named:

dnssec-keygen -a hmac-md5 -b 128 -n user rndc

It creates two files, Krndc.+157+<id>.key and Krndc.+157+<id>.private
(157 is the algorithm number of HMAC-MD5). The secret is the last field
of the .key file. It is a shared secret: whoever knows it can control
named, so treat it like a password.

b) /etc/bind/rndc.conf

Create the file and put your own secret in it. The value shown below is
only an example and must not be reused. Because the file holds the
secret, make it readable by root only (chmod 600 /etc/bind/rndc.conf).

default-server localhost;
default-key rndc_key;

secret "Xd3zz2FgxvkML4V/BlVG8Q==";

c) Edit again /etc/bind/named.conf and add the following lines. The
secret must be exactly the same as in rndc.conf, and once named.conf
contains it the file should not be world-readable either:

"Xd3zz2FgxvkML4V/BlVG8Q==";

inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
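The rndc key only works if the same secret sits in both files, and a secret that anyone can read gives every local user control of named. The following is an added example (Python, written for this hint; not part of the original page and not a BIND utility) that generates a 128-bit base64 secret of the kind dnssec-keygen writes, renders the rndc.conf and named.conf stanzas from one value so they cannot diverge, extracts the secret back out of existing config text to confirm two files agree, and checks that a file mode keeps the secret private. The key name rndc_key and the 127.0.0.1-only controls channel follow the hint; the secret is generated fresh on every run, never the one printed on the page.

```python
"""Generate an rndc secret and keep rndc.conf and named.conf in step.

Added example for this hint, not part of the original page and not a
BIND utility. The stanza layout mirrors the hint's rndc.conf and the
key/controls lines it adds to named.conf.
"""
import base64
import os
import re
import stat


def generate_secret(bits=128):
    """Random shared secret, base64-encoded as both config files expect."""
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def render_rndc_conf(secret, key_name="rndc_key"):
    """Contents of /etc/bind/rndc.conf for the given secret."""
    return (
        "options {\n"
        "    default-server localhost;\n"
        f"    default-key {key_name};\n"
        "};\n"
        f"key {key_name} {{\n"
        "    algorithm hmac-md5;\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


def render_named_conf_controls(secret, key_name="rndc_key"):
    """The key and controls stanzas to append to /etc/bind/named.conf."""
    return (
        f"key {key_name} {{\n"
        "    algorithm hmac-md5;\n"
        f'    secret "{secret}";\n'
        "};\n"
        "controls {\n"
        f"    inet 127.0.0.1 allow {{ localhost; }} keys {{ {key_name}; }};\n"
        "};\n"
    )


# key <name> { ... secret "<base64>"; ... };   (the name may be quoted)
KEY_RE = re.compile(r'\bkey\s+("?)([^\s"{]+)\1\s*\{[^}]*?secret\s+"([^"]+)"')


def extract_keys(conf_text):
    """Map key name -> secret for every key stanza in a config text."""
    return {name: secret for _, name, secret in KEY_RE.findall(conf_text)}


def keys_match(rndc_conf_text, named_conf_text, key_name="rndc_key"):
    """True only if both texts define key_name with the same secret."""
    a = extract_keys(rndc_conf_text).get(key_name)
    b = extract_keys(named_conf_text).get(key_name)
    return a is not None and a == b


def mode_is_private(st_mode):
    """True if the permission bits grant nothing to group or others (e.g. 0600)."""
    return (stat.S_IMODE(st_mode) & 0o077) == 0


def file_is_private(path):
    """rndc.conf holds the secret: anyone who can read it can control named."""
    return mode_is_private(os.stat(path).st_mode)


if __name__ == "__main__":
    s = generate_secret()
    print(render_rndc_conf(s))
    print(render_named_conf_controls(s))
    print("secrets match:", keys_match(render_rndc_conf(s), render_named_conf_controls(s)))
```

To audit an existing installation, read /etc/bind/rndc.conf and /etc/bind/named.conf and pass the texts to keys_match(); a False result is the first thing to check when rndc reports that the server rejected the request. file_is_private("/etc/bind/rndc.conf") should be True.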
a) Here is the boot script

The paths assume the installation from section 1 (binaries in
/usr/local/sbin). If you have created an unprivileged user for named,
start it with -u <user> so the daemon does not keep running as root.

# Include the functions declared in the /etc/init.d/functions file
source /etc/init.d/functions

echo -n "Starting DNS server..."
loadproc /usr/local/sbin/named

echo -n "Stopping DNS server..."

echo -n "Reloading DNS server..."
/usr/local/sbin/rndc reload

/usr/local/sbin/rndc status

echo "Usage: $0 {start|stop|reload|restart|status}"

ln -s ../init.d/named K600named
ln -s ../init.d/named K600named
ln -s ../init.d/named K600named
ln -s ../init.d/named S300named
ln -s ../init.d/named S300named
--------------------------
6) Edit /etc/resolv.conf so it uses your DNS server

nameserver 192.168.0.51
--------------------------
7) Test your configuration

First check that named is running and accepts rndc: rndc status.
Then query the server directly with dig, which ships with BIND 9:
dig @192.168.0.51 zarba.zerezo.org should return 192.168.0.51 with the
aa (authoritative answer) flag set, and a reverse query,
dig @192.168.0.51 -x 192.168.0.51, should map the address back to
zarba.zerezo.org (if it does not, check that the owners in db.192.168.0
are the last octets of the A records). A query sent from an address
outside the acl should be answered with REFUSED, not with data.

If you have an FTP server:

If you have Apache, launch your browser and use as URL:
http://www.zerezo.org
http://zarba.zerezo.org

If there are problems, look at the logs /var/log/dns* and
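dig shows the result; the following added example (Python, written for this hint, not part of the original page) shows the bytes behind it. It is a minimal DNS wire-format encoder and decoder with no dependency on dnspython: build_query() produces the packet a resolver sends for zarba.zerezo.org, parse_response() decodes the reply, including name compression, and reports the rcode, the AA flag and the answers, so you can confirm both that the server is authoritative for the zone and that a client outside the acl gets REFUSED. The two replies below are constructed by hand so the decoder runs offline; query() is the only function that touches the network, and the server address 192.168.0.51 is the hint's.

```python
"""Build a DNS query and decode the reply, to test the new server by hand.

Added example for this hint, not part of the original page. Plain
Python, no dnspython. The sample replies are constructed, not captured.
"""
import socket
import struct

QTYPE_A, QTYPE_PTR, CLASS_IN = 1, 12, 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'zarba.zerezo.org' -> length-prefixed labels ending in a zero byte."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=QTYPE_A, txid=0x1234):
    """Standard query, RD set, one question. Use a random txid in real use."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)


def decode_name(msg, off):
    """Decode a (possibly compressed) name at off; return (name, next offset).

    Compression pointers are followed at most 64 times so a hostile reply
    with a pointer loop cannot keep the parser spinning.
    """
    labels, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                  # pointer into the message
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (off if end is None else end)


def parse_response(msg):
    """Decode the header, skip the question, return rcode, AA flag and answers."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == QTYPE_A and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype == QTYPE_PTR:
            value, _ = decode_name(msg, off)
        else:
            value = msg[off:off + rdlen].hex()
        answers.append((name, rtype, ttl, value))
        off += rdlen
    return {"id": txid, "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "authoritative": bool(flags & 0x0400), "answers": answers}


def query(server, name, qtype=QTYPE_A, timeout=2.0):
    """Send one UDP query to server:53 and decode the reply (needs the network)."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(512)
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", q[:2])[0]:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return reply


# Constructed reply as the hint's server should send for 'zarba.zerezo.org A':
# QR, AA, RD, RA set, one answer whose owner is a pointer to the question.
SAMPLE_REPLY = (struct.pack("!HHHHHH", 0x1234, 0x8580, 1, 1, 0, 0)
                + encode_name("zarba.zerezo.org") + struct.pack("!HH", QTYPE_A, CLASS_IN)
                + b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, CLASS_IN, 86400, 4)
                + bytes([192, 168, 0, 51]))
# Constructed reply for a client outside the acl: RCODE 5 (REFUSED), no answers.
SAMPLE_REFUSED = (struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)
                  + encode_name("zarba.zerezo.org") + struct.pack("!HH", QTYPE_A, CLASS_IN))

if __name__ == "__main__":
    print(parse_response(SAMPLE_REPLY))
    print(parse_response(SAMPLE_REFUSED))
    # Against the real server: print(query("192.168.0.51", "zarba.zerezo.org"))
```

A good answer from your own server has rcode NOERROR, authoritative True and the A record 192.168.0.51; the same query from a machine outside 192.168.0.0/24 should decode to rcode REFUSED with an empty answer list. The transaction-id check in query() is the minimum a client should do before trusting a UDP reply.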