| blob | 4f56cc57a99427e66c83f7efdbbbacca70b7c803 |
1 TITLE: BIND
2 LFS VERSION: 3.0-RC1
3 AUTHOR: Michenaud Laurent <lmichenaud@free.fr>
4 Patrick Kirk <patrick@enterprise-hr.com>
6 SYNOPSIS:
7 How to set up a simple DNS server with bind
9 HINT:
10 version 1.0 final
11 This hint explains how to set up bind on your lfs.
12 I am not a bind specialist, what is written is what I
13 have understood. Don't hesitate to correct it if you
14 see mistakes or have optimisations.
16 The Domain Name System (DNS) is used by all TCP/IP Internet software to
17 translate the names that we humans like to use to the IP numbers
18 assigned to all the computers and devices out on the Internet and your
19 internal network.
21 Under most flavours of Unix, the most commonly used software package is
22 Berkley Internet Name Domain, (BIND). This article will serve as an
23 introduction to obtaining, installing and configuring BIND under Linux,
24 and will include some pointers on where to go for more in-depth
25 information.
27 Be aware that some recent security vulnerabilities have been uncovered
28 in BIND, so be sure to get at least version 8.23. As of this writing,
29 the latest version is 9.1.1. BIND can be downloaded from the Internet
30 Software Consortium (ISC) at http://www.isc.org.
32 For the purposes of this article we'll use version 9.1.1, downloadable
33 from
34 ftp://ftp.isc.org/isc/bind9/9.1.1/bind-9.1.1.tar.gz
36 In general terms, DNS is a very simple service that takes names like
37 www.yahoo.com and matches them to the machines that serve up the web
38 pages using dotted quad numbers along the lines of 212.19.67.5 Your ISP
39 provides this service for you using BIND. If you have a single machine
40 connected to the Internet and wish to share that connection, running
41 BIND on the machine that shares the connection makes things faster and
42 easier. From a security point of view, IP addresses like 192.168.0.n
43 and 10.n.n.n are non-routable. What this means is that your machines on
44 the LAN are much much safer if you use these addresses. If you don't,
45 sooner or later, someting like ShareSniffer will find a shared folder or
46 service inside your firewall and
47 cause mischief.
50 ------------------------------------------------
51 1) Installation of bind
53 To make the installation FHS compliant, we will install Bind into
54 /usr/local with its configuration files in /etc/bind. This has the
55 advantage that if you want to back up all the configuration documents
56 for you system, you need only back up the /etc/ directory.
58 $ tar zxvf bind-9.1.3.tar.gz
59 $ cd bind-9.1.3
60 $ ./configure --prefix=/usr/local --sysconfdir=/etc/bind &&
61 $ make &&
62 $ make install &&
63 $ mkdir -p /etc/bind
65 The following configuration files are very simple. It allows you to have
66 a DNS server for your local network and allows you to use the DNS
67 server of your ISP when you're connected to internet. For security
68 reasons, the service is only proided to machines that are on your local
69 network.
71 On this example,
72 network address : 192.168.0.0
73 domain name : zerezo.org
74 machine host name : zarba
75 machine ip : 192.168.0.51
77 ---------------------------------------------------
78 2) The main configuration file: /etc/bind/named.conf
80 // Begin of file
82 // The IP Addresses we wish to provide DNS services for
83 // Bad idea to let just anyone start playing with this service.
84 // acl means Access Control List, zerezo.org is the family LAN
85 acl zerezo.org { 192.168.0.0/24; 127.0.0.0/24; };
87 // General options
88 options {
89 auth-nxdomain yes;
90 directory "/usr/local/sbin";
91 forward first;
92 forwarders {
93 212.47.227.206; //DNS of your ISP here
94 212.47.227.207;
95 };
96 };
98 // How to log
99 logging {
100 channel warning
101 {
102 file "/var/log/dns_warnings" versions 3 size 100k;
103 severity warning;
104 print-category yes;
105 print-severity yes;
106 print-time yes;
107 };
108 channel general_dns
109 {
110 file "/var/log/dns_logs" versions 3 size 100k;
111 severity info;
112 print-category yes;
113 print-severity yes;
114 print-time yes;
115 };
116 category default { warning; } ;
117 category queries { general_dns; } ;
118 };
120 // zone for access to Internet
121 zone "." {
122 type hint;
123 file "/etc/bind/named.ca";
124 };
126 // zone for access to localhost
127 zone "0.0.127.in-addr.arpa" {
128 type master;
129 file "/etc/bind/named.local";
130 };
132 // zone for access to your domain
133 zone "zerezo.org" in {
134 type master;
135 notify no;
136 file "/etc/bind/zerezo.org";
137 };
139 // zone for access to your domain using ip
140 zone "0.168.192.in-addr.arpa" in {
141 type master;
142 notify no;
143 file "/etc/bind/db.192.168.0";
144 };
146 // End of file
149 ------------------------------------
150 3) Configuration files for each zone
152 There is a configuration file of each zone defined in named.conf.
153 These files are in /etc/bind. You have to create this directory.
155 a) /etc/bind/named.ca
157 This file is used when you are connected to Internet.
158 The up to date version can be downloaded from ftp://ftp.rs.internic.net
159 where it is called named.root
161 If you do download it, remember to rename it named.ca when you put
162 it in /etc/bind
164 // Begin of file
165 ; This file holds the details on root name servers needed to
166 ; initialize cache of Internet domain name servers
167 ; (e.g. reference this file in the "cache . <file>"
168 ; configuration file of BIND domain name servers).
169 ;
170 ; This file is made available by InterNIC registration services
171 ; under anonymous FTP as
172 ; file /domain/named.root
173 ; on server FTP.RS.INTERNIC.NET
174 ; -OR- under Gopher at RS.INTERNIC.NET
175 ; under menu InterNIC Registration Services (NSI)
176 ; submenu InterNIC Registration Archives
177 ; file named.root
178 ;
179 ; last update: Aug 22, 1997
180 ; related version of root zone: 1997082200
181 ;
182 ;
183 ; formerly NS.INTERNIC.NET
184 ;
185 . 3600000 IN NS A.ROOT-SERVERS.NET.
186 A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
187 ;
188 ; formerly NS1.ISI.EDU
189 ;
190 . 3600000 NS B.ROOT-SERVERS.NET.
191 B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
192 ;
193 ; formerly C.PSI.NET
194 ;
195 . 3600000 NS C.ROOT-SERVERS.NET.
196 C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
197 ;
198 ; formerly TERP.UMD.EDU
199 ;
200 . 3600000 NS D.ROOT-SERVERS.NET.
201 D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
202 ;
203 ; formerly NS.NASA.GOV
204 ;
205 . 3600000 NS E.ROOT-SERVERS.NET.
206 E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
207 ;
208 ; formerly NS.ISC.ORG
209 ;
210 . 3600000 NS F.ROOT-SERVERS.NET.
211 F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
212 ;
213 ; formerly NS.NIC.DDN.MIL
214 ;
215 . 3600000 NS G.ROOT-SERVERS.NET.
216 G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
217 ;
218 ; formerly AOS.ARL.ARMY.MIL
219 ;
220 . 3600000 NS H.ROOT-SERVERS.NET.
221 H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
222 ;
223 ; formerly NIC.NORDU.NET
224 ;
225 . 3600000 NS I.ROOT-SERVERS.NET.
226 I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
227 ;
228 ; temporarily housed at NSI (InterNIC)
229 ;
230 . 3600000 NS J.ROOT-SERVERS.NET.
231 J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10
232 ;
233 ; housed in LINX, operated by RIPE NCC
234 ;
235 . 3600000 NS K.ROOT-SERVERS.NET.
236 K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
237 ;
238 ; temporarily housed at ISI (IANA)
239 ;
240 . 3600000 NS L.ROOT-SERVERS.NET.
241 L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
242 ;
243 ; housed in Japan, operated by WIDE
244 ;
245 . 3600000 NS M.ROOT-SERVERS.NET.
246 M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
248 // End of File
251 b) /etc/bind/named.local
253 You must have an alias postmaster that points to the user root
254 or another one.
256 // Begin of file
257 $TTL 604800
258 @ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
259 1999112002 ;
260 28800 ;
261 14400 ;
262 604800 ;
263 86400 );
264 NS zarba.zerezo.org.
265 1 PTR localhost. ;
266 // End of file
269 c) /etc/bind/zerezo.org
271 // Begin of file
272 $TTL 604800
273 @ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
274 1999112002 ; serial number
275 28800 ; rafraichissement
276 14400 ; nouvel essais
277 604800 ; expiration
278 86400 ); temps de vie minimum
280 // NS = name server
281 @ IN NS zarba
282 @ IN NS zarba.zerezo.org.
284 // MX = mail server, the number is the priority
285 @ IN MX 10 zarba
286 @ IN MX 20 zarba.zerezo.org.
288 // local DNS server
289 @ IN A 127.0.0.1
290 @ IN A 192.168.0.51
292 // IP server
293 localhost IN A 127.0.0.1
294 zarba IN A 192.168.0.51
296 // IP of others machines of the network
297 karine IN A 192.168.0.52
298 yaf IN A 192.168.0.7
300 // aliases
301 www IN CNAME zarba
302 ftp IN CNAME zarba
303 mail IN CNAME zarba
305 // End of file
308 d) /etc/bind/db.192.168.0
310 // Begin of file
311 $TTL 604800
312 @ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
313 1999112002 ; numero de serie
314 28800 ; rafraichissement
315 14400 ; nouvel essais
316 604800 ; expiration
317 86400 ); temps de vie
319 // nameserver
320 IN NS zarba.zerezo.org.
322 // IP Reverses adresses
323 1 IN PTR zarba.zerezo.org.
324 2 IN PTR karine.zerezo.org.
325 3 IN PTR yaf.zerezo.org.
327 // End of file
330 ------------------------
331 4) rndc configuration
333 rndc is used to administrate bind. It development is not
334 finished but I prefer to put it in this hint rather than
335 the obsolete nslookup utility.
337 a) Creation of a key
339 You have to get a key so rndc can communicate with bind :
340 dnssec-keygen -a hmac-md5 -b 128 -n user rndc
342 It will create you two files. Get the value of the key in the .key one.
345 b) /etc/bind/rdnc.conf
347 Create the file and edit the key please.
349 // Begin of file
350 options {
351 default-server localhost;
352 default-key rndc_key;
353 };
355 server localhost {
356 key rndc_key;
357 };
359 key rndc_key {
360 algorithm hmac-md5;
361 secret "Xd3zz2FgxvkML4V/BlVG8Q==";
362 };
363 // End of file
366 c) Edit again /etc/bind/named.conf and add the following lines :
368 key rndc_key {
369 algorithm hmac-md5;
370 secret
371 "Xd3zz2FgxvkML4V/BlVG8Q==";
372 };
374 controls {
375 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
376 };
379 --------------------
380 5) /etc/init.d/named
382 a) Here is the boot script
384 #!/bin/sh
385 # Begin /etc/init.d/
386 #
387 # Include the functions declared in the /etc/init.d/functions file
388 #
390 source /etc/init.d/functions
392 case "$1" in
393 start)
394 echo -n "Starting DNS server..."
395 loadproc /usr/sbin/named
396 ;;
398 stop)
399 echo -n "Stopping DNS server..."
400 /usr/sbin/rndc stop
401 evaluate_retval
402 ;;
404 reload)
405 echo -n "Reloading DNS server..."
406 /usr/sbin/rndc reload
407 evaluate_retval
408 ;;
410 restart)
411 $0 stop
412 /usr/sbin/sleep 1
413 $0 start
414 ;;
416 status)
417 /usr/sbin/rndc status
418 evalute_retval
419 ;;
421 *)
422 echo "Usage: $0 {start|stop|reload|restart|status}"
423 exit 1
424 ;;
426 esac
428 # End /etc/init.d/
431 b) Create the links
433 cd /etc/rc0.d
434 ln -s ../init.d/named K600named
435 cd /etc/rc1.d
436 ln -s ../init.d/named K600named
437 cd /etc/rc6.d
438 ln -s ../init.d/named K600named
439 cd /etc/rc3.d
440 ln -s ../init.d/named S300named
441 cd /etc/rc5.d
442 ln -s ../init.d/named S300named
445 --------------------------
446 6) Edit /etc/resolv.conf so it use your DNS server
448 search zerezo.org
449 nameserver 127.0.0.1
450 nameserver 192.168.0.51
453 --------------------------
454 6) Test your configuration
456 Some tests :
457 dig -x 127.0.0.1
459 if you have a ftp server :
460 ftp ftp.zerezo.org
461 ftp zarba.zerezo.org
463 if you have apache, launch your browser and use as url :
464 http://www.zerezo.org
465 http://zarba.zerezo.org
467 If problems, look at the logs /var/log/dns* and
468 /var/log/daemon.log