TITLE: BIND LFS VERSION: 3.0-RC1 AUTHOR: Michenaud Laurent Patrick Kirk SYNOPSIS: How to set up a simple DNS server with bind HINT: version 1.0 final This hint explains how to set up bind on your lfs. I am not a bind specialist, what is written is what I have understood. Don't hesitate to correct it if you see mistakes or have optimisations. The Domain Name System (DNS) is used by all TCP/IP Internet software to translate the names that we humans like to use to the IP numbers assigned to all the computers and devices out on the Internet and your internal network. Under most flavours of Unix, the most commonly used software package is Berkley Internet Name Domain, (BIND). This article will serve as an introduction to obtaining, installing and configuring BIND under Linux, and will include some pointers on where to go for more in-depth information. Be aware that some recent security vulnerabilities have been uncovered in BIND, so be sure to get at least version 8.23. As of this writing, the latest version is 9.1.1. BIND can be downloaded from the Internet Software Consortium (ISC) at http://www.isc.org. For the purposes of this article we'll use version 9.1.1, downloadable from ftp://ftp.isc.org/isc/bind9/9.1.1/bind-9.1.1.tar.gz In general terms, DNS is a very simple service that takes names like www.yahoo.com and matches them to the machines that serve up the web pages using dotted quad numbers along the lines of 212.19.67.5 Your ISP provides this service for you using BIND. If you have a single machine connected to the Internet and wish to share that connection, running BIND on the machine that shares the connection makes things faster and easier. From a security point of view, IP addresses like 192.168.0.n and 10.n.n.n are non-routable. What this means is that your machines on the LAN are much much safer if you use these addresses. If you don't, sooner or later, someting like ShareSniffer will find a shared folder or service inside your firewall and cause mischief. ------------------------------------------------ 1) Installation of bind To make the installation FHS compliant, we will install Bind into /usr/local with its configuration files in /etc/bind. This has the advantage that if you want to back up all the configuration documents for you system, you need only back up the /etc/ directory. $ tar zxvf bind-9.1.3.tar.gz $ cd bind-9.1.3 $ ./configure --prefix=/usr/local --sysconfdir=/etc/bind && $ make && $ make install && $ mkdir -p /etc/bind The following configuration files are very simple. It allows you to have a DNS server for your local network and allows you to use the DNS server of your ISP when you're connected to internet. For security reasons, the service is only proided to machines that are on your local network. On this example, network address : 192.168.0.0 domain name : zerezo.org machine host name : zarba machine ip : 192.168.0.51 --------------------------------------------------- 2) The main configuration file: /etc/bind/named.conf // Begin of file // The IP Addresses we wish to provide DNS services for // Bad idea to let just anyone start playing with this service. // acl means Access Control List, zerezo.org is the family LAN acl zerezo.org { 192.168.0.0/24; 127.0.0.0/24; }; // General options options { auth-nxdomain yes; directory "/usr/local/sbin"; forward first; forwarders { 212.47.227.206; //DNS of your ISP here 212.47.227.207; }; }; // How to log logging { channel warning { file "/var/log/dns_warnings" versions 3 size 100k; severity warning; print-category yes; print-severity yes; print-time yes; }; channel general_dns { file "/var/log/dns_logs" versions 3 size 100k; severity info; print-category yes; print-severity yes; print-time yes; }; category default { warning; } ; category queries { general_dns; } ; }; // zone for access to Internet zone "." { type hint; file "/etc/bind/named.ca"; }; // zone for access to localhost zone "0.0.127.in-addr.arpa" { type master; file "/etc/bind/named.local"; }; // zone for access to your domain zone "zerezo.org" in { type master; notify no; file "/etc/bind/zerezo.org"; }; // zone for access to your domain using ip zone "0.168.192.in-addr.arpa" in { type master; notify no; file "/etc/bind/db.192.168.0"; }; // End of file ------------------------------------ 3) Configuration files for each zone There is a configuration file of each zone defined in named.conf. These files are in /etc/bind. You have to create this directory. a) /etc/bind/named.ca This file is used when you are connected to Internet. The up to date version can be downloaded from ftp://ftp.rs.internic.net where it is called named.root If you do download it, remember to rename it named.ca when you put it in /etc/bind // Begin of file ; This file holds the details on root name servers needed to ; initialize cache of Internet domain name servers ; (e.g. reference this file in the "cache . " ; configuration file of BIND domain name servers). ; ; This file is made available by InterNIC registration services ; under anonymous FTP as ; file /domain/named.root ; on server FTP.RS.INTERNIC.NET ; -OR- under Gopher at RS.INTERNIC.NET ; under menu InterNIC Registration Services (NSI) ; submenu InterNIC Registration Archives ; file named.root ; ; last update: Aug 22, 1997 ; related version of root zone: 1997082200 ; ; ; formerly NS.INTERNIC.NET ; . 3600000 IN NS A.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4 ; ; formerly NS1.ISI.EDU ; . 3600000 NS B.ROOT-SERVERS.NET. B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107 ; ; formerly C.PSI.NET ; . 3600000 NS C.ROOT-SERVERS.NET. C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12 ; ; formerly TERP.UMD.EDU ; . 3600000 NS D.ROOT-SERVERS.NET. D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90 ; ; formerly NS.NASA.GOV ; . 3600000 NS E.ROOT-SERVERS.NET. E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10 ; ; formerly NS.ISC.ORG ; . 3600000 NS F.ROOT-SERVERS.NET. F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241 ; ; formerly NS.NIC.DDN.MIL ; . 3600000 NS G.ROOT-SERVERS.NET. G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4 ; ; formerly AOS.ARL.ARMY.MIL ; . 3600000 NS H.ROOT-SERVERS.NET. H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53 ; ; formerly NIC.NORDU.NET ; . 3600000 NS I.ROOT-SERVERS.NET. I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17 ; ; temporarily housed at NSI (InterNIC) ; . 3600000 NS J.ROOT-SERVERS.NET. J.ROOT-SERVERS.NET. 3600000 A 198.41.0.10 ; ; housed in LINX, operated by RIPE NCC ; . 3600000 NS K.ROOT-SERVERS.NET. K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129 ; ; temporarily housed at ISI (IANA) ; . 3600000 NS L.ROOT-SERVERS.NET. L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12 ; ; housed in Japan, operated by WIDE ; . 3600000 NS M.ROOT-SERVERS.NET. M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33 // End of File b) /etc/bind/named.local You must have an alias postmaster that points to the user root or another one. // Begin of file $TTL 604800 @ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. ( 1999112002 ; 28800 ; 14400 ; 604800 ; 86400 ); NS zarba.zerezo.org. 1 PTR localhost. ; // End of file c) /etc/bind/zerezo.org // Begin of file $TTL 604800 @ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. ( 1999112002 ; serial number 28800 ; rafraichissement 14400 ; nouvel essais 604800 ; expiration 86400 ); temps de vie minimum // NS = name server @ IN NS zarba @ IN NS zarba.zerezo.org. // MX = mail server, the number is the priority @ IN MX 10 zarba @ IN MX 20 zarba.zerezo.org. // local DNS server @ IN A 127.0.0.1 @ IN A 192.168.0.51 // IP server localhost IN A 127.0.0.1 zarba IN A 192.168.0.51 // IP of others machines of the network karine IN A 192.168.0.52 yaf IN A 192.168.0.7 // aliases www IN CNAME zarba ftp IN CNAME zarba mail IN CNAME zarba // End of file d) /etc/bind/db.192.168.0 // Begin of file $TTL 604800 @ IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. ( 1999112002 ; numero de serie 28800 ; rafraichissement 14400 ; nouvel essais 604800 ; expiration 86400 ); temps de vie // nameserver IN NS zarba.zerezo.org. // IP Reverses adresses 1 IN PTR zarba.zerezo.org. 2 IN PTR karine.zerezo.org. 3 IN PTR yaf.zerezo.org. // End of file ------------------------ 4) rndc configuration rndc is used to administrate bind. It development is not finished but I prefer to put it in this hint rather than the obsolete nslookup utility. a) Creation of a key You have to get a key so rndc can communicate with bind : dnssec-keygen -a hmac-md5 -b 128 -n user rndc It will create you two files. Get the value of the key in the .key one. b) /etc/bind/rdnc.conf Create the file and edit the key please. // Begin of file options { default-server localhost; default-key rndc_key; }; server localhost { key rndc_key; }; key rndc_key { algorithm hmac-md5; secret "Xd3zz2FgxvkML4V/BlVG8Q=="; }; // End of file c) Edit again /etc/bind/named.conf and add the following lines : key rndc_key { algorithm hmac-md5; secret "Xd3zz2FgxvkML4V/BlVG8Q=="; }; controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; }; -------------------- 5) /etc/init.d/named a) Here is the boot script #!/bin/sh # Begin /etc/init.d/ # # Include the functions declared in the /etc/init.d/functions file # source /etc/init.d/functions case "$1" in start) echo -n "Starting DNS server..." loadproc /usr/sbin/named ;; stop) echo -n "Stopping DNS server..." /usr/sbin/rndc stop evaluate_retval ;; reload) echo -n "Reloading DNS server..." /usr/sbin/rndc reload evaluate_retval ;; restart) $0 stop /usr/sbin/sleep 1 $0 start ;; status) /usr/sbin/rndc status evalute_retval ;; *) echo "Usage: $0 {start|stop|reload|restart|status}" exit 1 ;; esac # End /etc/init.d/ b) Create the links cd /etc/rc0.d ln -s ../init.d/named K600named cd /etc/rc1.d ln -s ../init.d/named K600named cd /etc/rc6.d ln -s ../init.d/named K600named cd /etc/rc3.d ln -s ../init.d/named S300named cd /etc/rc5.d ln -s ../init.d/named S300named -------------------------- 6) Edit /etc/resolv.conf so it use your DNS server search zerezo.org nameserver 127.0.0.1 nameserver 192.168.0.51 -------------------------- 6) Test your configuration Some tests : dig -x 127.0.0.1 if you have a ftp server : ftp ftp.zerezo.org ftp zarba.zerezo.org if you have apache, launch your browser and use as url : http://www.zerezo.org http://zarba.zerezo.org If problems, look at the logs /var/log/dns* and /var/log/daemon.log