Bind is a DNS server – a sort of phone book for the Internet, so when you type ‘google.com’ it takes you to the IP of their webserver, instead of you trying to remember a bunch of different IPs for the sites you visit.
To make this happen, Bind9 SERVER makes a sort of small phonebook that you can look up numbers with. You only need a server if you want to create your own “phonebook”, otherwise your computer just has a tiny CLIENT that only tells you where to look to find a “phonebook” DNS server.
There are lots of ways to configure Bind9, this is just a down-and-dirty cut/paste that will get you a working DNS server. You can add security stuff as you go, or later after you get it working. You don’t have to install much to make Bind9 work, it’s just the configuration that can be daunting, especially if you’re not quite sure what’s really happening.
This tutorial is done on Debian Wheezy, but it will work on lots of other OSes with minor modifications. CHANGE THE IPs to whatever you use: instead of the fictional 1.2.3.4/24, use your real public IP. You have to have a public IP to make a DNS server (or a plan if you have your server NAT’ed behind a firewall), so make sure you have one of those and change the 1.2.3.4 to your real one.
Set up Bind9
    apt-get install bind9 dnsutils
    cd /etc/bind/
    mkdir archive
    cp named.conf archive
    cp named.conf.local archive
    cp named.conf.options archive
    mkdir zones
Now set yourself up as a nameserver by changing /etc/resolv.conf, so that your own machine asks your own server first; anything it can’t answer itself gets forwarded elsewhere (the forwarders setting further down). You just need one line, delete all the rest.
    vi /etc/resolv.conf

    nameserver 127.0.0.1
Now edit your named.conf and add these lines so the whole thing looks like:
    vi named.conf

    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.log";
    // Debian generates rndc.key at install time; it has to be included here so the
    // "key rndc-key" referenced by allow-update in named.conf.local is defined.
    include "/etc/bind/rndc.key";
Now create a named.conf.log to set up more usable logging like:
    vi named.conf.log

    logging {
        channel update_debug {
            file "/var/log/bind/update_debug.log" versions 3 size 100k;
            severity debug;
            print-severity yes;
            print-time yes;
        };
        channel security_info {
            file "/var/log/bind/security_info.log" versions 1 size 100k;
            severity info;
            print-severity yes;
            print-time yes;
        };
        channel bind_log {
            file "/var/log/bind/bind.log" versions 3 size 1m;
            severity info;
            print-category yes;
            print-severity yes;
            print-time yes;
        };

        category default { bind_log; };
        category lame-servers { null; };
        category update { update_debug; };
        category update-security { update_debug; };
        category security { security_info; };
    };
Now set up your log files to receive the new logs you just defined:
    mkdir /var/log/bind
    touch /var/log/bind/bind.log /var/log/bind/security_info.log /var/log/bind/update_debug.log
    chown -R bind:bind /var/log/bind
Now declare the domains this server is authoritative for. Each one gets a “zone” file with the actual DNS entries (created a bit further down); the zones themselves are declared in named.conf.local like:
    vi named.conf.local

    //
    // Do any local configuration here
    //

    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    include "/etc/bind/zones.rfc1918";    // <- uncomment this line

    // "key rndc-key" only works if that key is declared in the configuration:
    // Debian generates it in /etc/bind/rndc.key, so include that file from named.conf.
    zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
        allow-update { key rndc-key; };
    };

    zone "site1.com" {
        type master;
        file "/etc/bind/zones/db.site1.com";
        allow-update { key rndc-key; };
    };

    // the directory is "zones/" (the original said "zone/"); create db.site2.com
    // the same way as db.site1.com below, or drop this zone until you need it
    zone "site2.com" {
        type master;
        file "/etc/bind/zones/db.site2.com";
        allow-update { key rndc-key; };
    };
Now set up your options like. The two lines that matter most for not getting abused are allow-transfer { none; } (nobody can pull a copy of your zones) and allow-recursion { internals; } (the server answers anyone for its own domains, but only does lookups on behalf of your own networks):
    vi /etc/bind/named.conf.options

    acl internals {
        127.0.0.0/8;
        192.168.1.0/24;
    };

    options {
        directory "/etc/bind";

        // Exchange port between DNS servers
        //query-source address * port *;

        // Transmit requests to 8.8.8.8 if
        // this server doesn't know how to resolve them
        forward only;
        forwarders {
            8.8.8.8;
        };

        auth-nxdomain no;    # conform to RFC1035

        // Listen on local interfaces only (IPv4)
        //listen-on-v6 { none; };
        // listen-on { 127.0.0.1; 10.1.10.0/24; };
        listen-on { any; };

        // Do not transfer the zone information to the secondary DNS
        allow-transfer { none; };

        // Accept requests for internal network only
        // allow-query { internals; };
        allow-query { any; };

        // Allow recursive queries to the local hosts
        // recursion yes;
        allow-recursion { internals; };

        // Do not make public version of BIND
        version none;
    };

    // Configure the communication channel for administrative BIND9 with rndc
    // By default, the key is in the rndc.key file and is used by rndc and bind9
    // on the localhost
    controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; };
    };
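The options above are easy to get backwards when copying between servers, so here is a small audit script for named.conf.options. It is an added example and not part of the original tutorial or of BIND: it strips comments and greps for the two settings that turn an authoritative server into one that can be abused (recursion open to everyone, zone transfers open to everyone), plus the version banner. The two sample files it writes are constructed for the demo; the weak one is what you get by leaving BIND's defaults in place, the hardened one has the shape of the config above.

```shell
#!/bin/sh
# Added example, not from the tutorial: static audit of a named.conf.options
# file. Only sed/grep are used, so it runs anywhere; the two sample configs
# below are constructed for the demo.

# Drop // and # comments and collapse whitespace so the greps stay simple.
normalize_conf() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\t\n' '  ' | tr -s ' '
}

# Print one finding per line. Returns 0 when nothing risky was found, 1 otherwise.
audit_options() {
    conf=$(normalize_conf "$1")
    rc=0
    # 1. Recursion: "any" in allow-recursion, or "recursion yes" with no
    #    allow-recursion ACL at all, makes this an open resolver that can be
    #    used for amplification against third parties.
    if printf '%s' "$conf" | grep -Eq 'allow-recursion *\{ *any *;'; then
        echo "RISK: allow-recursion { any; } -> open resolver"; rc=1
    elif printf '%s' "$conf" | grep -Eq 'recursion *yes *;' &&
         ! printf '%s' "$conf" | grep -Eq 'allow-recursion *\{'; then
        echo "RISK: recursion yes without an allow-recursion ACL -> open resolver"; rc=1
    fi
    # 2. Zone transfers: BIND's default is to allow AXFR to anyone, so the
    #    statement must be present and must not say "any".
    if printf '%s' "$conf" | grep -Eq 'allow-transfer *\{ *any *;'; then
        echo "RISK: allow-transfer { any; } -> anyone can dump the zone"; rc=1
    elif ! printf '%s' "$conf" | grep -Eq 'allow-transfer *\{'; then
        echo "RISK: no allow-transfer statement (default allows transfers to any)"; rc=1
    fi
    # 3. Version banner: informational only, but cheap to hide.
    if ! printf '%s' "$conf" | grep -Eq 'version *"?none"?'; then
        echo "INFO: version string not hidden (add: version none;)"
    fi
    return $rc
}

SAMPLE_DIR=$(mktemp -d)
# Constructed sample: recursion and transfers left at BIND's defaults.
cat > "$SAMPLE_DIR/weak.conf" <<'EOF'
options {
    directory "/etc/bind";
    recursion yes;               // no allow-recursion ACL: anyone may recurse
    allow-query { any; };
    allow-transfer { any; };     // anyone may AXFR the zones
};
EOF
# Constructed sample: the shape of the tutorial's named.conf.options.
cat > "$SAMPLE_DIR/hardened.conf" <<'EOF'
acl internals { 127.0.0.0/8; 192.168.1.0/24; };
options {
    directory "/etc/bind";
    allow-query { any; };            // answer authoritative queries from anywhere
    allow-recursion { internals; };  // but recurse only for our own networks
    allow-transfer { none; };        // and never hand out the whole zone
    version none;
};
EOF

for f in weak hardened; do
    echo "== $f.conf"
    audit_options "$SAMPLE_DIR/$f.conf" || echo "   -> $f.conf needs attention"
done
```

Run it against your real file with `audit_options /etc/bind/named.conf.options` after sourcing the script; a clean exit status means the two ACLs are present and restrictive. It is a text check only, so it says nothing about what the running server actually does; the verification after the start step covers that.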
Now create a zone file for the nameserver itself, which should look like this (change it to match your actual domain name):
    vi /etc/bind/zones/db.example.com

    $TTL 3600
    ; the SOA MNAME is the primary nameserver, so it must match the NS record below
    @       IN      SOA     ns1.example.com. root.example.com. (
                            2007010401      ; Serial
                            3600            ; Refresh [1h]
                            600             ; Retry [10m]
                            86400           ; Expire [1d]
                            600 )           ; Negative Cache TTL [10m]
    ;
    @       IN      NS      ns1.example.com.
    @       IN      MX      10 www.example.com.
    ns1     IN      A       1.2.3.4
    www     IN      A       1.2.3.4
    mail    IN      A       5.6.7.8
    ; no "mail IN CNAME ..." line: mail already has an A record, and a CNAME may not
    ; share its name with any other record (named-checkzone rejects the zone). Note
    ; also that a name without a trailing dot gets the zone appended, so a target of
    ; mail.example.com would have meant mail.example.com.example.com.
Now create a zone file for whatever other domain you want to use this as a nameserver for like:
    vi /etc/bind/zones/db.site1.com

    $TTL 3600
    @       IN      SOA     ns1.example.com. root.site1.com. (
                            2007010401      ; Serial
                            3600            ; Refresh [1h]
                            600             ; Retry [10m]
                            86400           ; Expire [1d]
                            600 )           ; Negative Cache TTL [10m]
    @       IN      NS      ns1.example.com.
    @       IN      MX      10 mail.site1.com.
    @       IN      A       1.2.3.4
    www     IN      A       1.2.3.4
    mail    IN      A       5.6.7.8
    ; a "mail IN CNAME mail" line would be a CNAME pointing at itself next to an A
    ; record at the same name; both are errors, so it is left out
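The mistakes in the two zone files above (a CNAME next to an A record, a target without its trailing dot) are exactly the ones named loads without complaint or refuses with a terse message, so it pays to lint a zone before you restart. The script below is an added example, not part of the tutorial and not BIND's own named-checkzone: a small awk lint that walks a zone file, follows blank-owner lines back to the previous owner, and reports SOA/NS/MX/CNAME targets that contain a dot but don't end in one, CNAMEs that share their name with other records or point at themselves, and a serial that isn't a number. The two sample zones it writes are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the tutorial: a lint for hand-edited BIND zone
# files. Pure awk; the two sample zones below are constructed for the demo.

zone_lint() {
    awk '
    # A target that contains a dot but does not end in one is almost always a
    # mistake: BIND appends the origin, so mail.example.com becomes
    # mail.example.com.example.com.
    function absname(n, what) {
        if (n ~ /\./ && n !~ /\.$/) {
            printf "ERROR line %d: %s %s is not absolute (missing trailing dot)\n", NR, what, n
            bad++
        }
    }
    {
        sub(/;.*/, "")                       # strip ; comments
        if (paren) {                         # inside a multi-line SOA ( ... )
            if (serial == "" && NF > 0) serial = $1
            if ($0 ~ /\)/) paren = 0
            next
        }
        if (NF == 0) next
        if ($1 ~ /^\$/) next                 # $TTL / $ORIGIN directives
        # a line starting with whitespace has no owner and inherits the previous one
        if ($0 ~ /^[ \t]/) { owner = last; i = 1 } else { owner = $1; last = $1; i = 2 }
        if ($i ~ /^[0-9]+$/) i++             # optional TTL
        if ($i == "IN") i++                  # optional class
        type = $i
        if (type == "SOA") {
            absname($(i+1), "SOA MNAME"); absname($(i+2), "SOA RNAME")
            for (k = i + 3; k <= NF; k++)
                if ($k == "(") { paren = 1; if (k < NF) serial = $(k+1) }
            if ($0 ~ /\)/) paren = 0
        } else if (type == "NS") {
            absname($(i+1), "NS target")
        } else if (type == "MX") {
            absname($(i+2), "MX target")     # field i+1 is the preference
        } else if (type == "CNAME") {
            target = $(i+1)
            cname[owner] = target; cline[owner] = NR
            absname(target, "CNAME target")
            if (target == owner || target == (owner ".")) {
                printf "ERROR line %d: CNAME %s points to itself\n", NR, owner; bad++
            }
        }
        if (type != "CNAME") other[owner]++
    }
    END {
        for (o in cname)
            if (other[o]) {
                printf "ERROR line %d: %s has a CNAME and other records (a CNAME must stand alone)\n", cline[o], o
                bad++
            }
        if (serial !~ /^[0-9]+$/ || length(serial) > 10) {
            printf "ERROR: SOA serial \"%s\" is not a number of at most 10 digits\n", serial; bad++
        } else if (length(serial) != 10) {
            printf "WARN: serial %s is not in YYYYMMDDnn form\n", serial
        }
        exit (bad > 0)
    }' "$1"
}

SAMPLE_DIR=$(mktemp -d)
# Constructed sample: the common hand-editing mistakes, all in one zone.
cat > "$SAMPLE_DIR/bad.zone" <<'EOF'
$TTL 3600
@       IN      SOA     ns1.example.com. root.example.com. (
                        2007010401      ; Serial
                        3600            ; Refresh
                        600             ; Retry
                        86400           ; Expire
                        600 )           ; Negative cache TTL
@       IN      NS      ns1.example.com
@       IN      MX      10 mail.example.com.
ns1     IN      A       1.2.3.4
mail    IN      A       5.6.7.8
mail    IN      CNAME   mail.example.com
EOF
# Constructed sample: the same zone written correctly.
cat > "$SAMPLE_DIR/good.zone" <<'EOF'
$TTL 3600
@       IN      SOA     ns1.example.com. root.example.com. (
                        2007010401      ; Serial
                        3600            ; Refresh
                        600             ; Retry
                        86400           ; Expire
                        600 )           ; Negative cache TTL
@       IN      NS      ns1.example.com.
@       IN      MX      10 mail.example.com.
@       IN      A       1.2.3.4
ns1     IN      A       1.2.3.4
www     IN      CNAME   example.com.
mail    IN      A       5.6.7.8
EOF

for z in bad good; do
    echo "== $z.zone"
    zone_lint "$SAMPLE_DIR/$z.zone" && echo "   ok"
done
```

On the real files, run `zone_lint /etc/bind/zones/db.example.com` and then `named-checkzone example.com /etc/bind/zones/db.example.com` (from the bind9utils package, pulled in with bind9) for the checks this script does not do. Remember to bump the serial every time you edit a zone, otherwise secondaries never notice the change.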
Now start bind like:
    /etc/init.d/bind9 start
    [ ok ] Starting domain name service...: bind9.
If you get an error, start by looking at the last lines of the daemon.log like:
    tail -n 50 /var/log/daemon.log
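Once it starts cleanly, check from a machine outside the internals ACL that the server behaves the way the options file says: it should answer authoritatively for its own zone, should not do lookups for outsiders, and should refuse zone transfers. The script below is an added example, not part of the tutorial: the dig commands in the comment are the standard ones from dnsutils, and `classify_dig` reads dig's output and names what it sees. The four sample outputs are constructed in the shape dig prints, using the tutorial's fictional 1.2.3.4 address.

```shell
#!/bin/sh
# Added example, not from the tutorial: classify dig output from the three
# post-start checks. Run the queries from a host outside the "internals" ACL:
#   dig @1.2.3.4 www.example.com A    > own_zone.txt   # expect: authoritative
#   dig @1.2.3.4 example.net A        > recursion.txt  # expect: refused (never open-recursion)
#   dig @1.2.3.4 example.com AXFR     > transfer.txt   # expect: axfr-refused
#   classify_dig own_zone.txt; classify_dig recursion.txt; classify_dig transfer.txt
# The sample files below are constructed for the demo.

classify_dig() {
    out=$(cat "$1")
    case "$out" in
        *"Transfer failed"*) echo "axfr-refused"; return 0 ;;   # allow-transfer did its job
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$out" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    # "aa" = answer came from our own zone file; "ra" = the server is willing
    # to recurse for this client (BIND only sets it for clients allowed by
    # allow-recursion)
    case " $flags " in *" aa "*) aa=1 ;; *) aa=0 ;; esac
    case " $flags " in *" ra "*) ra=1 ;; *) ra=0 ;; esac
    if [ "$status" = "REFUSED" ]; then
        echo "refused"              # recursion denied: what outsiders should get
    elif [ "$aa" -eq 1 ]; then
        echo "authoritative"        # our own zone, served from the zone file
    elif [ "$ra" -eq 1 ] && [ "${answers:-0}" -gt 0 ]; then
        echo "open-recursion"       # the server recursed for this client: fix allow-recursion
    else
        echo "other"
    fi
}

SAMPLE_DIR=$(mktemp -d)
# Constructed: authoritative answer for the server's own zone.
cat > "$SAMPLE_DIR/own_zone.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.    3600    IN    A    1.2.3.4
EOF
# Constructed: an outsider asks for a foreign name and recursion is denied.
cat > "$SAMPLE_DIR/recursion.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4712
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
EOF
# Constructed: what an open resolver would return instead.
cat > "$SAMPLE_DIR/open.txt" <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4713
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
example.net.        3600    IN    A    192.0.2.10
EOF
# Constructed: AXFR refused by allow-transfer { none; }.
cat > "$SAMPLE_DIR/transfer.txt" <<'EOF'
; <<>> DiG 9.8.4 <<>> @1.2.3.4 example.com AXFR
; Transfer failed.
EOF

for f in own_zone recursion open transfer; do
    printf '%-10s %s\n' "$f" "$(classify_dig "$SAMPLE_DIR/$f.txt")"
done
```

The one result you must never see from outside is open-recursion; refused or other (no ra flag, no answer) both mean the allow-recursion ACL is working. Run the same three queries from inside the 192.168.1.0/24 network and the second one should then succeed with the ra flag set, which confirms the forwarders setting is doing the lookups for your own hosts.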