Linux bind (dns) configuration howto

A short howto on configuring Bind Root DNS Server manually

With this short tutorial I'll try to explain the basics of a bind configuration and setup, which I'm missing on the web, and I've googled around a lot. Let's start off with the installation; this is fairly easy.

apt-get -f install bind

That installs the Debian package of bind, which is currently bind9. After installing, the most important files for us are the following:

/etc/bind/named.conf.options
/etc/bind/named.conf.local
/etc/bind/db.empty
/etc/bind/db.local
/etc/bind/db.root
/etc/hosts
/var/run/bind
/run/named.pid
/var/cache/bind/
/etc/init.d/bind9
/etc/default/bind9

Here is a short description of what they do.

/etc/bind/named.conf.options

Here is a short example from one of my servers:

named.conf.options

options {
        directory "/var/cache/bind";
        query-source address * port 53;
//      forwarders {
//              80.64.128.10;
//              80.64.129.100;
//      };
        auth-nxdomain yes;    # conform to RFC1035
        listen-on { any; };
};

First of all, as the filename implies, we have the central options file in front of us, so we start the config with "options" plus an opening "{". Next we tell our bind server which address we want the server to be running on; in our case we are running on every available IP address. As you see, I have the forwarding function disabled (the "//" in front of the forwarders subsection); this is because I am going to explain how to set up a root DNS server, which won't need any forwarders. The "auth-nxdomain yes;" tells bind9 that we are following the standards of the nameserver address protocol, as shown in RFC 1035:

http://www.faqs.org/rfcs/rfc1035.html

The "listen-on { any; };" directive tells bind9 that we want it to accept queries from everywhere. Finally, every configuration file ends with a "};". That's the first file; wasn't that hard, right? OK, now we go for the central configuration file, the file that is going to hold our domain info.

/etc/bind/named.conf.local

zone "xyz.at" IN {
        type master;
        file "/etc/bind/db.xyz.at";
        notify yes;
        allow-transfer { xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; };   // only these hosts may pull the zone (AXFR/IXFR)
};

zone "0/ccc.bbb.aaa.in-addr.arpa" {
        type master;
        file "/etc/bind/0.ccc.bbb.aaa.rev";
        notify yes;
        allow-transfer { xxx.xxx.xxx.xxx; xxx.xxx.xxx.xxx; };
};

OK, that's it. Now what do these lines mean? First we have our master domain zone; that domain zone is what people query and get an IP back for. First we set the zone name, zone "xyz.at"; set that to the name of your domain. No www or mail or ftp... needed here. Since this is our first domain in the file and probably our first bind server in our network, we set "type master;". Next we set the path and name of the zone file; I tend to use the syntax "db.domainname" here, and I like to keep the zone files with the config files, as is the default with the Debian install of bind. Next, since we are setting up a root DNS and not just a forwarding one, we want our server to notify other root servers directly about changes made to the domain list from our IP, so we set "notify yes;".

The "allow-transfer { ....; ....; };" directive tells our bind server which other root DNS servers we want to accept queries from. I set this for security reasons; there are a bunch of possible methods of exploitation if this option isn't set. You have to add some domain servers here that are either provided by your datacenter/ISP or some other root DNS servers that you trust. You have to have the allow-transfer, because you want your root server to be "known" by the internet; if you're setting up a local bind just for your LAN, you probably won't need the allow-transfer directive. (I haven't tested this yet!!!)

The second part of the named.conf.local file is the so-called "reverse DNS". This means that if someone runs services from your IP, people will see the domains defined in the reverse DNS zone file.

The next step is to create those zone files. First we are going to explain the base structure of a zone file, then I'm going to explain how to add certain types of resolving. We will start with the db.domainname file.

$ORIGIN xyz.at.
$TTL 86400
@                IN    SOA  ns1.xyz.at. admin.xyz.at. (
                       1         ; serial
                       10800     ; refresh
                       3600      ; retry
                       604800    ; expire
                       38400 )   ; minimum
                 3600  IN    NS    ns1
                 3600  IN    NS    ns2
@      3600  IN    A     aaa.bbb.ccc.ddd
ns1    3600  IN    A     aaa.bbb.ccc.ddd
ns2    3600  IN    A     aaa.bbb.ccc.ddd


OK, what do we have here... The first directive is "$TTL 86400"; this is the time in milliseconds our server takes between sending its info to other root servers on the internet. Setting it too low could cost a lot of network and internet traffic; setting it too high, and the other servers will forget about us. The 86400 is a default value and has been doing fine so far for me.

The next line, "@ IN SOA ns1.xyz.at. technik.xyz.at.", binds our domain name to our DNS servers and sets a time after which this information is refreshed. IN means "INternet" and tells our DNS that it is going to communicate publicly with the internet as root DNS. SOA stands for "State of Authority". "technik.xyz.at." refers to the admin's account; this should be set to the DNS admin email account. ns1.xyz.at. is our local DNS server, our nameserver.

The next block of numbers, (1 10800 3600 604800 38400): "1" is the serial number; this one is only important if you're running a forwarding DNS, so no need to change the default here. We also don't need to change the other values there; this is just a short description of what they mean. "10800" is the time our domain information gets refreshed (transferred to other root servers); ours tells it to refresh our domain every 3 hours. "3600" is the time it retries if the refresh fails; our retry is once every hour. "604800" is the time it takes for our domain to expire (be deleted from other root DNS servers) in case our DNS server is not running. "86400" sets the minimum time for our domain to be deleted from other root DNS servers.

With the general statement

           3600  IN    NS    ns1
           3600  IN    NS    ns2

we define our base nameservers with the "NS" ("NameServer") directive. With the general statement

@                3600  IN    A     aaa.bbb.ccc.ddd

we tell our server which IP we want our domain to resolve to, using the "A" directive, also known as the address directive. That's it for the base setup. A few interesting things one might want to add: in case a mail server exists, the MX directive.

                 IN      MX      0       xyz.at.

Another interesting directive is the so-called "Canonical Name", "CNAME". It is used to associate certain service names with the domain, for example ftp.xyz.at or www.xyz.at. An example is shown here (note the trailing dot, otherwise the name is taken relative to $ORIGIN):

www              IN      CNAME         xyz.at.
ftp              IN      CNAME         xyz.at.

The same things can be done via the "A" directive. !!important!! If there is an "A" directive, there can't be a "CNAME" directive under the same name. That's it for the base db.xyz.at forward domain zone file. Now to the reverse domain zone file; this is even easier. First of all, the name of the zone file in the named.conf.local file is defined via the network subset, meaning: a zone 0/ccc.bbb.aaa.... is a 3-IP zone, starting at .1 and ending at .3.

$TTL 86400
@                          IN    SOA     ns1.xyz.at. technik.xyz.at. (
                                 13      ; serial
                                 3h      ; refresh
                                 1h      ; retry
                                 1w      ; expire
                                 1h )    ; minimum
                  IN NS     ns1.xyz.at.
                  IN NS     ns2.xyz.at.
ddd               IN        PTR    coolname.xyz.at.

The file is very similar to the forward domain zone file; one difference is the PTR directive. The "PTR" directive

ddd               IN        PTR    coolname.xyz.at.

results in the remote resolution of "coolname.xyz.at" to our IP. That's it for the bind setup. Last, we add our reverse domain info to our "/etc/hosts" file.

aaa.bbb.ccc.ddd     coolname.xyz.at       server

The "server" value is the value from your "/etc/hostname" file. For further info on how to configure bind, and for somewhat bigger examples, take a look at this page:

http://www.linuxmafia.com/faq/Network_Other/bind-lecture.html
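To see how bind actually reads the forward and reverse zone files described above, here is an added Python example (not code from this howto): a minimal reader that applies $ORIGIN and $TTL, joins the parenthesised SOA lines, inherits blank owner names, qualifies relative names against the origin, and flags an owner that carries a CNAME next to another record. The sample zone and the 192.0.2.x addresses (a documentation range) are constructed for this example; for the reverse file the same reader qualifies the PTR owner against the zone name given in named.conf.local.

```python
NAME_FIELDS = {"NS": [0], "CNAME": [0], "PTR": [0], "MX": [1], "SOA": [0, 1]}  # rdata fields holding names

def fqdn(name, origin):
    """'@' means the origin; a name without a trailing dot is relative to $ORIGIN."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin, ttl=None):
    """Minimal RFC 1035 master-file reader; returns (owner, ttl, type, rdata) tuples."""
    records, buf, depth, last_owner = [], "", 0, origin
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]                       # ';' starts a comment
        depth += line.count("(") - line.count(")")        # ( ) lets a record span lines
        buf += line.replace("(", " ").replace(")", " ") + " "
        if depth > 0:                                     # still inside ( ... )
            continue
        stmt, buf = buf, ""
        if not stmt.strip():
            continue
        if stmt.startswith("$"):                          # $ORIGIN or $TTL directive
            origin, ttl = (stmt.split()[1], ttl) if stmt.startswith("$ORIGIN") else (origin, stmt.split()[1])
            continue
        fields = stmt.split()
        owner = last_owner if stmt[0].isspace() else fqdn(fields.pop(0), origin)  # blank owner = previous one
        last_owner, rr_ttl = owner, ttl
        while fields[0].upper() == "IN" or fields[0].rstrip("smhdwSMHDW").isdigit():
            tok = fields.pop(0)                           # optional TTL (3600, 3h) and/or class
            rr_ttl = rr_ttl if tok.upper() == "IN" else tok
        rtype, rdata = fields[0].upper(), fields[1:]
        for i in NAME_FIELDS.get(rtype, []):
            rdata[i] = fqdn(rdata[i], origin)
        records.append((owner, rr_ttl, rtype, rdata))
    return records

def cname_conflicts(records):
    """Owners carrying a CNAME plus any other type, which RFC 1034 forbids."""
    types = {o: {r[2] for r in records if r[0] == o} for o, *_ in records}
    return sorted(o for o, t in types.items() if "CNAME" in t and len(t) > 1)

FORWARD_ZONE = """\
$ORIGIN xyz.at.            ; constructed sample modelled on the tutorial's db.xyz.at
$TTL 86400                 ; default TTL, in seconds
@    IN SOA ns1.xyz.at. admin.xyz.at. (
         1 10800 3600 604800 38400 )
     3600 IN NS ns1
@    3600 IN A  192.0.2.10 ; 192.0.2.0/24 is a documentation range
     IN MX 0 xyz.at.
www  IN CNAME xyz.at       ; no trailing dot: becomes xyz.at.xyz.at.
www  IN A     192.0.2.10   ; A beside a CNAME: not allowed
ftp  IN CNAME xyz.at.
"""
```

Running `parse_zone(FORWARD_ZONE, "xyz.at.")` shows the www CNAME pointing at xyz.at.xyz.at. and `cname_conflicts` reporting www.xyz.at., the two zone-file mistakes named above.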

My howto is just short and tries to cover the first questions concerning setting up bind. If you find any errors in it, please contact me via email.