December 7, 2024

Bind9 Howto

Bind is a DNS server – a sort of phone book for the Internet, so when you type ‘google.com’ it takes you to the IP of their webserver, instead of trying to remember a bunch of different IP’s for the sites you visit.

To make this happen, Bind9 SERVER makes a sort of small phonebook that you can look up numbers with. You only need a server if you want to create your own “phonebook”, otherwise your computer just has a tiny CLIENT that only tells you where to look to find a “phonebook” DNS server.

There are lots of ways to configure Bind9, this is just a down-and-dirty cut/paste that will get you a working DNS server. You can add security stuff as you go, or later after you get it working. You don’t have to install much to make Bind9 work, it’s just the configuration that can be daunting, especially if you’re not quite sure what’s really happening.

This tutorial is done on Debian Wheezy, but it will work on lots of other OS’es with minor modifications. CHANGE THE IP’s to whatever you use, instead of the fictional 1.2.3.4/24, use your real public IP. You have to have a public IP to make a DNS server (or a plan if you have your server NAT’ed behind a firewall), so make sure you have one of those and change the 1.2.3.4 to your real one.

Set up Bind9

apt-get install bind9 dnsutils
cd /etc/bind/
mkdir archive
cp named.conf archive
cp named.conf.local archive
cp named.conf.options archive
mkdir zones

Now set yourself up as a nameserver by changing the /etc/resolv.conf, because you want to go looking for DNS on your own server first, then it sends requests elsewhere if you don’t find it on your own server first. You just need one line, delete all the rest.

vi /etc/resolv.conf
  nameserver 127.0.0.1

Now edit your named.conf and add these lines so the whole thing looks like:

vi named.conf
 // This is the primary configuration file for the BIND DNS server named.
 //
 // Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
 // structure of BIND configuration files in Debian, *BEFORE* you customize 
 // this configuration file.
 //
 // If you are just adding zones, please do that in /etc/bind/named.conf.local
 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
 include "/etc/bind/named.conf.default-zones";
 include "/etc/bind/named.conf.log";

Now create a named.conf.log to set up more useable logging like:

vi named.conf.log
 logging {
        channel update_debug {
                file "/var/log/bind/update_debug.log" versions 3 size 100k;
                severity debug;
                print-severity  yes;
                print-time      yes;
        };
        channel security_info {
                file "/var/log/bind/security_info.log" versions 1 size 100k;
                severity info;
                print-severity  yes;
                print-time      yes;
        };
        channel bind_log {
                file "/var/log/bind/bind.log" versions 3 size 1m;
                severity info;
                print-category  yes;
                print-severity  yes;
                print-time      yes;
        };
 
        category default { bind_log; };
        category lame-servers { null; };
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
};

Now set up your log files to receive the new logs you just defined:

mkdir /var/log/bind
touch /var/log/bind/bind.log /var/log/bind/security_info.log /var/log/bind/update_debug.log
chown -R bind.bind /var/log/bind

Now create your actual DNS entries for your sites, which are done by creating “zone” files, which we’ll do by editing named.conf.local like:

vi named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
include "/etc/bind/zones.rfc1918"; <- uncomment this line
 
zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
        allow-update { key rndc-key; };
};
 
zone "site1.com" {
        type master;
        file "/etc/bind/zones/db.site1.com";
        allow-update { key rndc-key; };
};
 
zone "site2.com" {
        type master;
        file "/etc/bind/zone/db.site2.com";
        allow-update { key rndc-key; };
};

now set up your options like:

vi /etc/bind/named.conf.options
acl internals { 127.0.0.0/8; 192.168.1.0/24; };
 
options {
        directory "/etc/bind";
 
        // Exchange port between DNS servers
        //query-source address * port *;
 
        // Transmit requests to 8.8.8.8 if
        // this server doesn't know how to resolve them
        forward only;
        forwarders { 8.8.8.8; };
 
        auth-nxdomain no;    # conform to RFC1035
 
        // Listen on local interfaces only(IPV4)
        //listen-on-v6 { none; };
        // listen-on { 127.0.0.1; 10.1.10.0/24; };
        listen-on { any; };
 
        // Do not transfer the zone information to the secondary DNS
        allow-transfer { none; };
 
        // Accept requests for internal network only
        // allow-query { internals; };
        allow-query { any; };
 
        // Allow recursive queries to the local hosts
        // recursion yes;
        allow-recursion { internals; };
 
        // Do not make public version of BIND
        version none;
};
 
// Configure the communication channel for Administrative BIND9 with rndc
// By default, they key is in the rndc.key file and is used by rndc and bind9
// on the localhost
controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};

now create a zone file for the nameserver itself, which should look like (change to meet your actual domain name):

vi /etc/bind/zones/db.example.com
$TTL    3600
@       IN      SOA     ns3.example.com. root.example.com. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [1h]
;
@       IN      NS      ns1.example.com.
@       IN      MX      10 www.example.com.
 
ns1     IN      A       1.2.3.4
www     IN      A       1.2.3.4
mail    IN      A       5.6.7.8
 
mail    IN      CNAME   mail.example.com

Now create a zone file for whatever other domain you want to use this as a nameserver for like:

vi /etc/bind/zones/db.site1.com
$TTL    3600
@       IN      SOA     ns1.example.com. root.site1.com. (
                   2007010401           ; Serial
                         3600           ; Refresh [1h]
                          600           ; Retry   [10m]
                        86400           ; Expire  [1d]
                          600 )         ; Negative Cache TTL [1h]
@       IN      NS      ns1.example.com.
@       IN      MX      10 mail.site1.com.
        IN      A       1.2.3.4
 
www     IN      A       1.2.3.4
mail    IN      A       5.6.7.8
 
mail    IN      CNAME   mail

Now start bind like:

/etc/init.d/bind9 start
[ ok ] Starting domain name service...: bind9.

If you get an error, start by looking at the last lines of the daemon.log like:

cat /var/log/daemon.log

Leave a Reply