BIND9ServerHowto - Community Help Wiki

Contents
  Background
  Introduction
  Installation
  BIND9 Configuration Scenarios
    1. Caching Server
    2. Primary Master Server
    3. Secondary Master Server
    4. Hybrids
    5. Stealth Servers
  DNS Record Types
    1. Address Records
    2. Alias Records
    3. Mail Exchange Records
    4. Name Server Records
  Configuring BIND9
    1. Caching Server configuration
      1. Testing
    2. Primary Master Server configuration
      1. Zone File
      2. Reverse Zone File
      3. Testing
    3. Secondary Master Server configuration
      1. Testing
  Chrooting BIND9
    1. The Chroot Environment
    2. BIND9's Configuration
    3. Ubuntu's syslog Daemon Configuration
    4. Restart the syslog server and BIND9
    5. Starting, Stopping, and Restarting BIND9
    6. Status
  Logging
    1. Channel Option
    2. Category Option
  Additional Possibilities
  Further Information
    1. Online Resources
    2. Printed Resources

Background

Note: There are some issues with this Howto, too numerous to fix quickly, and it requires bringing up to standard. I'm mentioning this to help anyone avoid the unnecessary time trying to resolve their DNS, owing to the inconsistencies in this document, particularly if you're new to DNS configuration. One example is here:

    box     IN      A       192.168.1.10

In all other places the document uses the machine name ns. Here it changes to box (I believe the author was simply trying to show that additional computers would be listed, but failed to use a different address for box. I modified the example file to give box an address of 192.168.1.21).

Introduction

Domain Name Service (DNS) is an Internet service that maps IP addresses and fully qualified domain names (FQDN) to one another. In this way, DNS alleviates the need to remember IP addresses. Computers that run DNS are called name servers. Ubuntu ships with BIND (Berkeley Internet Name Domain), the most widely deployed DNS server.

This guide is aimed at people looking to learn how to configure and maintain a DNS server, such as for a network (caching name server) or to serve DNS zones for a domain name.

Installation

BIND9 is available in the Main repository. No additional repository needs to be enabled for BIND9. Before we begin, you should be familiar with RootSudo.

To install the server simply install the bind9 package. See InstallingSoftware for details on using package managers.

A very useful package for testing and troubleshooting DNS issues is the dnsutils package. The BIND9 documentation can be found in the bind9-doc package.

BIND9 Configuration Scenarios

BIND9 can provide many different DNS services. Some of the most useful setups are:

Caching Server

In this configuration BIND9 will find the answer to name queries and remember the answer for the next query. This can be useful for a slow Internet connection. By caching DNS queries, you will reduce bandwidth and (more importantly) latency.

Primary Master Server

BIND9 can be used to serve DNS records (groups of records are referred to as zones) for a registered domain name or an imaginary one (but only if used on a restricted network).

Secondary Master Server

A secondary master DNS server is used to complement a primary master DNS server by serving a copy of the zone(s) configured on the primary server. Secondary servers are recommended in larger setups. If you intend to serve a registered domain name they ensure that your DNS zone is still available even if your primary server is not online.

Hybrids

You can even configure BIND9 to be a Caching and Primary Master DNS server simultaneously, a Caching and a Secondary Master server, or even a Caching, Primary Master and Secondary Master server. All that is required is simply combining the different configuration examples.
Stealth Servers

There are also two other common DNS server setups (used when working with zones for registered domain names), Stealth Primary and Stealth Secondary. These are effectively the same as Primary and Secondary DNS servers, but with a slight organizational difference.

For example, you have 3 DNS servers, A, B and C. A is the Primary, B and C are secondaries.

If you configure your registered domain to use A and B as your domain's DNS servers, then C is a Stealth Secondary. It's still a secondary, but it's not going to be asked about the zone you are serving to the Internet from A and B.

If you configure your registered domain to use B and C as your domain's DNS servers, then A is a Stealth Primary. Any additional records or edits to the zone are done on A, but computers on the Internet will only ever ask B and C about the zone.

DNS Record Types

There are lots of different DNS record types, but some of the most common types are covered below.

Address Records

The most commonly used type of record. This record maps a hostname to an IP address:

    www     IN      A       1.2.3.4

Alias Records

Used to create an alias from an existing A record. You can create a CNAME record pointing to another CNAME record, but it doubles the number of requests made to the name server, thus making it an inefficient way to do so.

    mail    IN      CNAME   www
    www     IN      A       1.2.3.4

Mail Exchange Records

Used to define where email should be sent to and at what priority. Must point to an A record, not a CNAME. Multiple MX records can exist if multiple mail servers are responsible for that domain.

            IN      MX      10      mail.example.com.
    mail    IN      A       1.2.3.4

Name Server Records

Used to define which servers serve copies of this zone. It must point to an A record, not a CNAME. This is where Primary and Secondary servers are defined. Stealth servers are intentionally omitted.

            IN      NS      ns.example.com.
    ns      IN      A       1.2.3.4

Configuring BIND9

BIND9 configuration files are stored in:

    /etc/bind/

The main configuration is stored in the following files:

    /etc/bind/named.conf
    /etc/bind/named.conf.options
    /etc/bind/named.conf.local

Caching Server configuration

The default configuration is set up to act as a caching server. All that is required is simply adding the IP numbers of your ISP's DNS servers. Simply uncomment and edit the following in /etc/bind/named.conf.options:

    forwarders {
        1.2.3.4;
        5.6.7.8;
    };

(where 1.2.3.4 and 5.6.7.8 are the IP numbers of your ISP's DNS servers)

A caching server answers recursive queries on behalf of its clients, so make sure only those clients can reach it. If the server has an interface on the Internet, limit recursion to your own networks (BIND's allow-recursion and allow-query options take an address list) so it does not become an open resolver that can be abused for DNS reflection attacks.

Now restart the bind daemon:

    sudo /etc/init.d/bind9 restart

Testing

If you installed the dnsutils package you can test your setup using the dig command:

    dig -x 127.0.0.1

If all goes well you should see output similar to:

    ; <<>> DiG 9.4.1-P1 <<>> -x 127.0.0.1
    ;; global options:  printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 13427
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1
    ...
    ;; Query time: 1 msec
    ;; SERVER: 172.28.100.80#53(172.28.100.80)
    ;; WHEN: Mon Nov 26 23:22:53 2007
    ;; MSG SIZE  rcvd: 92

The dig command can also be used to query other domains, for example:

    dig google.com

If you "dig" a domain name multiple times you should see a drastic improvement in the Query time: between the first and second query. This is due to the server caching the query.

Primary Master Server configuration

In this section BIND9 will be configured as the primary master for the domain example.com. Simply replace example.com with your fully qualified domain name.

Zone File

To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, all you have to do is edit named.conf.local:

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
    };

Now use an existing zone file as a template:

    sudo cp /etc/bind/db.local /etc/bind/db.example.com

Edit the new zone file /etc/bind/db.example.com: change localhost. to the FQDN of your server, leaving the additional "." at the end. Change 127.0.0.1 to the name server's IP address and root.localhost to a valid email address, but with a "." instead of the "@", also leaving the "." at the end. Also, create an A record for ns.example.com, the name server in this example.

    ;
    ; BIND data file for local loopback interface
    ;
    $TTL    604800
    @       IN      SOA     ns.example.com. root.example.com. (
                                  1         ; Serial
                             604800         ; Refresh
                              86400         ; Retry
                            2419200         ; Expire
                             604800 )       ; Negative Cache TTL
    ;
    @       IN      NS      ns.example.com.
    ns      IN      A       192.168.1.10
    ; also list other computers
    box     IN      A       192.168.1.21

You must increment the serial number every time you make changes to the zone file. If you make multiple changes before restarting BIND9, simply increment the serial once.

Now, you can add DNS records to the bottom of the zone.

Tip: Many people like to use the last date edited as the serial of a zone, such as 2005010100 which is yyyymmddss (where ss is the serial).

Once you've made a change to the zone file BIND9 will need to be restarted for the changes to take effect:

    sudo /etc/init.d/bind9 restart

Reverse Zone File

Now that the zone file is set up and resolving names to IP addresses, a reverse zone is also required. A reverse zone allows DNS to convert from an address to a name.

Edit /etc/bind/named.conf.local and add the following:

    zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/etc/bind/db.192";
    };

Note: replace 1.168.192 with the first three octets of whatever private network you are using. Also, name the zone file db.192 in the example appropriately.

Now create the db.192 file:

    sudo cp /etc/bind/db.127 /etc/bind/db.192

Next edit /etc/bind/db.192, changing basically the same options as in /etc/bind/db.example.com:

    ;
    ; BIND reverse data file for local loopback interface
    ;
    $TTL    604800
    @       IN      SOA     ns.example.com. root.example.com. (
                                  2         ; Serial
                             604800         ; Refresh
                              86400         ; Retry
                            2419200         ; Expire
                             604800 )       ; Negative Cache TTL
    ;
    @       IN      NS      ns.example.com.
    10      IN      PTR     ns.example.com.
    ; also list other computers
    21      IN      PTR     box.example.com.

The serial number in the reverse zone needs to be incremented on each change as well. For each A record you configure in /etc/bind/db.example.com you need to create a PTR record in /etc/bind/db.192.

After creating the reverse zone file restart bind:

    sudo /etc/init.d/bind9 restart

Testing

You should now be able to ping example.com and have it resolve to the host configured above:

    ping example.com

You can also use the named-checkzone utility that is part of the bind9 package:

    named-checkzone example.com /etc/bind/db.example.com

and

    named-checkzone 1.168.192.in-addr.arpa. /etc/bind/db.192

This is a great way to make sure you haven't made any mistakes before restarting bind.

You can use the dig utility to test the reverse zone as well as the new domain name (add @localhost, or the server's IP, if this machine does not use itself as resolver):

    dig 1.168.192.in-addr.arpa. AXFR

You should see output resolving 1.168.192.in-addr.arpa. to your name server.

Secondary Master Server configuration

Once a Primary Master has been configured a Secondary Master is needed in order to maintain the availability of the domain should the Primary become unavailable.

First, on the primary master server, the zone transfer needs to be allowed. Add the allow-transfer option to the sample Forward and Reverse zone definitions in /etc/bind/named.conf.local:

    zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { @ip_secondary; };
    };

    zone "1.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "/etc/bind/db.192";
        allow-transfer { @ip_secondary; };
    };

Note: replace @ip_secondary with the actual IP address of your secondary server. Keep allow-transfer restricted to your secondaries: BIND of this vintage permits zone transfers from any host when the option is absent, which hands the complete list of your hosts to anyone who asks for an AXFR. Note also that notify no on the reverse zone stops the primary from telling the secondary about changes, so the secondary will only notice them at the SOA refresh interval; remove it if you want prompt updates.

Next, on the Secondary Master, install the bind9 package the same way as the primary.
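Before moving on to the secondary's configuration, here is an added example that is not from the wiki page or from BIND: a small POSIX shell script that generates the forward zone and the matching reverse zone from one host list (so every A record gets its PTR, as the Reverse Zone File section requires), computes the next yyyymmddss serial as the Tip above describes, and runs named-checkzone when it is installed. The host names, addresses, output directory and helper-function names are assumptions for illustration; the SOA timer values are the ones from db.local shown above.

```shell
#!/bin/sh
# Added example (not part of the wiki page or of BIND): build a forward zone and the
# matching in-addr.arpa zone from one host list, so an A record never lacks its PTR,
# and compute the next yyyymmddss serial as the Tip above describes. Hostnames,
# addresses, the output directory and the helper names are illustrative assumptions.
set -eu

# next_serial CURRENT TODAY  (TODAY as yyyymmdd) -> new serial in yyyymmddss form.
# Starts today's sequence at 00, or bumps the two-digit counter if CURRENT already
# carries today's date. A CURRENT somehow ahead of today (clock skew, typo) is still
# incremented, because secondaries only transfer when the serial grows.
next_serial() {
    new=$(( $2 * 100 ))
    if [ "$1" -ge "$new" ]; then new=$(( $1 + 1 )); fi
    echo "$new"
}

# in_addr_zone IP -> name of the /24 reverse zone, e.g. 192.168.1.21 -> 1.168.192.in-addr.arpa
in_addr_zone() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'
}

# last_octet IP -> the PTR owner label inside a /24 reverse zone
last_octet() { echo "${1##*.}"; }

# zone_header ZONE NS_FQDN MAILDOMAIN SERIAL -> $TTL, SOA and NS lines (values as in db.local)
zone_header() {
    printf '$TTL\t604800\n'
    printf '@\tIN\tSOA\t%s. root.%s. (\n' "$2" "$3"
    printf '\t\t\t%s\t; Serial (yyyymmddss)\n' "$4"
    printf '\t\t\t604800\t; Refresh\n\t\t\t86400\t; Retry\n'
    printf '\t\t\t2419200\t; Expire\n\t\t\t604800 )\t; Negative Cache TTL\n;\n'
    printf '@\tIN\tNS\t%s.\n' "$2"
}

# write_zones ORIGIN NS_LABEL SERIAL OUTDIR "name=ip name=ip ..." -> prints the reverse
# zone name. Writes OUTDIR/db.ORIGIN and OUTDIR/db.<reverse zone>; the reverse zone is
# the /24 of the first host, and hosts outside it are reported instead of silently dropped.
write_zones() {
    origin=$1 nslabel=$2 serial=$3 outdir=$4 hosts=$5
    fwd=$outdir/db.$origin
    zone_header "$origin" "$nslabel.$origin" "$origin" "$serial" > "$fwd"
    rev=
    for entry in $hosts; do
        name=${entry%%=*} ip=${entry#*=}
        if [ -z "$rev" ]; then
            rev=$(in_addr_zone "$ip")
            revfile=$outdir/db.$rev
            zone_header "$rev" "$nslabel.$origin" "$origin" "$serial" > "$revfile"
        fi
        printf '%s\tIN\tA\t%s\n' "$name" "$ip" >> "$fwd"
        if [ "$(in_addr_zone "$ip")" = "$rev" ]; then
            printf '%s\tIN\tPTR\t%s.%s.\n' "$(last_octet "$ip")" "$name" "$origin" >> "$revfile"
        else
            echo "warning: $ip is not in $rev; add its PTR to that network's zone" >&2
        fi
    done
    echo "$rev"
}

# check_zone ZONE FILE -> 0 if the zone loads. Uses named-checkzone from the bind9
# package when present; otherwise falls back to checking that SOA and NS records exist.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        grep -q 'IN[[:space:]]*SOA' "$2" && grep -q 'IN[[:space:]]*NS' "$2"
    fi
}

# Demo run with the page's example hosts; the output directory is a temp dir so
# nothing under /etc/bind is touched until you have reviewed the files.
demo_dir=$(mktemp -d)
demo_serial=$(next_serial 2005010100 "$(date +%Y%m%d)")
demo_rev=$(write_zones example.com ns "$demo_serial" "$demo_dir" "ns=192.168.1.10 box=192.168.1.21")
check_zone example.com "$demo_dir/db.example.com"
check_zone "$demo_rev" "$demo_dir/db.$demo_rev"
echo "zone files written to $demo_dir (serial $demo_serial)"
```

Run it, inspect the two files it writes, then copy them to /etc/bind/ and restart bind as shown above. Generating both zones from one list is the simplest way to keep forward and reverse data from drifting apart, which is exactly the inconsistency the Background note at the top of this page complains about.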
Then edit /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:

    zone "example.com" {
        type slave;
        file "/var/cache/bind/db.example.com";
        masters { @ip_master; };
    };

    zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/var/cache/bind/db.192";
        masters { @ip_master; };
    };

Note: replace @ip_master with the IP address of the Primary. The zone file must be in /var/cache/bind/ because, by default, AppArmor only allows write access inside it (this was made specifically for a slave configuration; see AppArmor's configuration in /etc/apparmor.d/usr.sbin.named).

Restart the server, and in /var/log/syslog you should see something similar to:

    syslog.5.gz:May 14 23:33:53 smith named[5060]: zone example.com/IN: transferred serial 2006051401
    syslog.5.gz:May 14 23:33:53 smith named[5060]: transfer of 'example.com/IN' from 10.0.0.20#53: end of transfer
    syslog.5.gz:May 14 23:33:53 smith named[5060]: slave zone "1.168.192.in-addr.arpa" (IN) loaded (serial 2006051421)

Note: A zone is only transferred if the Serial Number on the Primary is larger than the one on the Secondary.

Testing

Testing the Secondary Master can be done using the same methods as the Primary. Also, you could shut down BIND9 on the Primary then try pinging example.com from a host configured to use the Secondary as well as the Primary for name resolution. If all goes well the Secondary should resolve example.com.

Chrooting BIND9

Chrooting BIND9 is a recommended setup from a security perspective if you don't have AppArmor installed. In a chroot environment, BIND9 has access to all the files and hardware devices it needs, but is unable to access anything it should not need.

AppArmor is installed by default on recent Ubuntu releases. Unless you've explicitly disabled AppArmor, you might want to read this before you decide to attempt a chrooted bind. If you still want to go forward with it, you'll need this information, which isn't covered in the instructions that follow here.
To chroot BIND9, simply create a chroot environment for it and add the additional configuration below.

The Chroot Environment

Create the following directory structure:

    $ sudo mkdir -p /chroot/named
    $ cd /chroot/named
    $ sudo mkdir -p dev etc/namedb/slave var/run

Set permissions for the chroot environment:

    $ sudo chown root:root /chroot
    $ sudo chmod 700 /chroot
    $ sudo chown bind:bind /chroot/named
    $ sudo chmod 700 /chroot/named

Create or move the bind configuration file:

    $ sudo touch /chroot/named/etc/named.conf
    $ sudo cp /etc/bind/named.conf /chroot/named/etc

Give write permissions to the user bind for the /chroot/named/etc/namedb/slave directory:

    $ sudo chown bind:bind /chroot/named/etc/namedb/slave

This is where the files for all slave zones will be kept. This increases security by stopping an attacker from editing any of your master zone files if they do gain access as the bind user. Accordingly, all slave file names in the /chroot/named/etc/named.conf file will need to have directory names that designate the slave directory (paths are relative to the directory option set below, so "slave/..." resolves to /chroot/named/etc/namedb/slave/...). An example zone definition is listed below:

    zone "my.zone.com." {
        type slave;
        file "slave/my.zone.com.dns";
        masters { @ip_master; };
    };

Create the devices BIND9 requires:

    $ sudo mknod /chroot/named/dev/null c 1 3
    $ sudo mknod /chroot/named/dev/random c 1 8

Give user bind access to the /chroot/named/var/run directory that will be used to store PID and statistical data:

    $ sudo chown bind:bind /chroot/named/var/run

BIND9's Configuration

Edit the bind startup options found in /etc/default/bind9. Change the line that reads:

    /etc/default/bind9:
    OPTIONS="-u bind"

so that it reads:

    /etc/default/bind9:
    OPTIONS="-u bind -t /chroot/named -c /etc/named.conf"

The -t option changes the root directory from which bind operates to be /chroot/named.
The -c option tells bind that the configuration file is located at /etc/named.conf. Remember that this path is relative to the root set by -t.

The named.conf file must also receive extra options in order to run correctly. Below is a minimal set of options:

    /chroot/named/etc/named.conf:
    options {
        directory "/etc/namedb";
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
    };

Ubuntu's syslog Daemon Configuration

    /etc/init.d/sysklogd:
    SYSLOGD="-u syslog -a /chroot/named/dev/log"

(Author Note: Check this config)

Restart the syslog server and BIND9

    $ sudo /etc/init.d/sysklogd restart
    $ sudo /etc/init.d/bind9 restart

At this point you should check /var/log/messages for any errors that may have been thrown by bind.

Starting, Stopping, and Restarting BIND9

Use the following command to start BIND9:

    $ sudo /etc/init.d/bind9 start

To stop it, use:

    $ sudo /etc/init.d/bind9 stop

Finally, to restart it, run:

    $ sudo /etc/init.d/bind9 restart

Status

To check the status of your BIND9 installation:

    $ host localhost
    $ dig @localhost

(where localhost is the system you are setting BIND9 up on. If not localhost, use the appropriate IP number.)

Logging

BIND9 has a wide variety of logging configuration options available. There are two main options to BIND9 logging: the channel option configures where logs go, and the category option determines what to log. If no logging option is configured, the default is:

    logging {
        category default { default_syslog; default_debug; };
        category unmatched { null; };
    };

Next we will configure BIND9 to send debug messages related to DNS queries to a separate file.

Channel Option

First, we need to configure a channel to specify which file to send the messages to.
Edit /etc/bind/named.conf.local and add the following:

    logging {
        channel query.log {
            file "/var/log/query.log";
            // Set the severity to dynamic to see all the debug messages.
            severity dynamic;
        };
    };

Category Option

Next, configure a category to send all DNS queries to the query file:

    logging {
        channel query.log {
            file "/var/log/query.log";
            // Log at debug level 3; "severity dynamic" would instead follow
            // the server's run-time debug level.
            severity debug 3;
        };
        category queries { query.log; };
    };

Note: the debug level is usually set from 1 to 3. If a level isn't specified, level 1 is the default.

Since the named daemon runs as the bind user, the /var/log/query.log file must be created and the ownership changed:

    sudo touch /var/log/query.log
    sudo chown bind /var/log/query.log

If AppArmor is enabled and named reports a permission denial on the log file, the profile in /etc/apparmor.d/usr.sbin.named must also allow writing to the path you chose. Bear in mind that a query log records which client asked for which name, so protect it like any other sensitive log.

Now restart BIND9 for the changes to take effect:

    sudo /etc/init.d/bind9 restart

You should see the file /var/log/query.log fill with BIND9 log information. This is a simple example of the BIND9 logging options available; see the BIND9 manual for more information.

Additional Possibilities

You can monitor your BIND9 server usage by installing the bindgraph package from the Universe repository (to enable Universe, see AddingRepositoriesHowto) and following the configuration details as outlined in bindgraph's README documents.

Further Information

Online Resources

  ISC's BIND9 Manual
  TLDP's "DNS HOWTO" (for a general overview)
  Chroot BIND Howto
  Debian BIND Wiki
  BIND reference guide

Printed Resources

  "DNS & BIND", Paul Albitz & Cricket Liu, 5th Edition, O'Reilly (Amazon.com)
  "DNS & BIND Cookbook", Cricket Liu, 4th Edition, O'Reilly (Amazon.com)

CategoryNetworking CategoryInternet

BIND9ServerHowto (last modified 2015-07-31 19:10:07 by reintorino)
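The query log set up in the Logging section is only useful if something reads it. As an added example, not part of the wiki page or of BIND, the following POSIX shell script counts queries per client in such a log and flags clients that exceed a query threshold or send ANY queries (which produce large answers and are a favourite for DNS amplification). The log lines are constructed here, in the "client IP#PORT: query: NAME CLASS TYPE FLAGS (SERVER)" layout that BIND 9 of this vintage writes when the channel has print-time yes; the thresholds and function names are assumptions.

```shell
#!/bin/sh
# Added example (not part of the wiki page or of BIND): summarise the query log that
# the "queries" category above writes to /var/log/query.log, and flag clients that
# send unusually many queries or many ANY queries, a common sign of reflection or
# amplification probing. The log lines below are constructed for the example, in the
# "client IP#PORT: query: NAME CLASS TYPE FLAGS (SERVER)" layout that BIND 9 of this
# vintage writes when the channel has print-time yes; thresholds are assumptions.
set -eu

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
26-Nov-2007 23:22:53.101 client 192.168.1.21#52345: query: www.example.com IN A + (192.168.1.10)
26-Nov-2007 23:22:53.230 client 192.168.1.21#52346: query: mail.example.com IN MX + (192.168.1.10)
26-Nov-2007 23:22:54.002 client 203.0.113.7#1337: query: example.com IN ANY +E (192.168.1.10)
26-Nov-2007 23:22:54.003 client 203.0.113.7#1337: query: example.com IN ANY +E (192.168.1.10)
26-Nov-2007 23:22:54.004 client 203.0.113.7#1337: query: example.com IN ANY +E (192.168.1.10)
26-Nov-2007 23:22:55.500 client 192.168.1.22#40001: query: box.example.com IN A + (192.168.1.10)
EOF

# count_clients LOGFILE [TYPE] -> "COUNT IP" lines, busiest client first. With TYPE
# given, only queries of that record type are counted. The client address is located
# relative to the "client" token, so the result does not depend on the timestamp prefix.
count_clients() {
    awk -v want="${2:-}" '
        {
            for (i = 1; i <= NF; i++)
                if ($i == "client") {
                    ip = $(i + 1); sub(/#.*/, "", ip)   # strip "#port:"
                    type = $(i + 5)                      # client IP query: NAME IN TYPE
                    if (want == "" || type == want) n[ip]++
                    break
                }
        }
        END { for (ip in n) print n[ip], ip }
    ' "$1" | sort -rn
}

# flag_clients LOGFILE MAX_TOTAL MAX_ANY -> addresses exceeding either threshold
flag_clients() {
    {
        count_clients "$1"     | awk -v max="$2" '$1 > max { print $2 }'
        count_clients "$1" ANY | awk -v max="$3" '$1 > max { print $2 }'
    } | sort -u
}

# Demo: for this tiny sample, more than 2 queries or any ANY query is suspicious.
echo "queries per client:"; count_clients "$SAMPLE_LOG"
echo "flagged:"; flag_clients "$SAMPLE_LOG" 2 0
```

Point it at /var/log/query.log (or a rotated copy) and pick thresholds from a day of normal traffic; a client that only ever sends ANY for your apex name, as 203.0.113.7 does in the sample, is either measuring your amplification factor or already using you as a reflector, and is a good candidate for a firewall rule or a rate limit.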
