BIND
BIND is the most widely used Domain Name System (DNS) server.
Installation
To use BIND as the system's DNS server, prepend nameserver 127.0.0.1 to resolv.conf.
Start/enable the named.service systemd unit.
Configuration
BIND is configured in /etc/named.conf. The available options are documented in the named.conf man page.
Reload the named.service unit to apply configuration changes.
Restrict access to localhost
To only accept connections from localhost, add the following line to the options section in /etc/named.conf:
listen-on { 127.0.0.1; };
The listen-on clause governs IPv4 only; the IPv6 equivalent is listen-on-v6, which takes ::1 for the loopback address. Without it, named can still be reached over IPv6 on every interface.
Set up DNS forwarding
To make BIND forward DNS queries to another DNS server, add the forwarders clause to the options section. For example, to forward to the Google DNS servers:
forwarders { 8.8.8.8; 8.8.4.4; };
By default (forward first) BIND resolves a query itself if the forwarders do not answer; add forward only; to the options section if it should rely on the forwarders exclusively.
A configuration template for running a domain
This is a simple tutorial on how to set up a DNS server for a small home network with BIND. In the example, "domain.tld" is used as the domain name.
For a more elaborate example see Two-in-one DNS server with BIND9.
Another guide, Linux Home Server HOWTO - Domain name system (BIND): Adding your domain, shows how to set up internal network name resolution; it is short, on point and very informative.
1. Creating a zonefile
# nano /var/named/domain.tld.zone
$TTL 7200
; domain.tld
@               IN      SOA     ns01.domain.tld. postmaster.domain.tld. (
                                2007011601      ; Serial
                                28800           ; Refresh
                                1800            ; Retry
                                604800          ; Expire - 1 week
                                86400 )         ; Minimum
                IN      NS      ns01
                IN      NS      ns02
ns01            IN      A       0.0.0.0
ns02            IN      A       0.0.0.0
localhost       IN      A       127.0.0.1
@               IN      MX      10 mail
imap            IN      CNAME   mail
smtp            IN      CNAME   mail
@               IN      A       0.0.0.0
www             IN      A       0.0.0.0
mail            IN      A       0.0.0.0
@               IN      TXT     "v=spf1 mx"
$TTL defines the default time-to-live in seconds for all records in the zone; here it is 2 hours. The 0.0.0.0 addresses are placeholders and must be replaced with the real addresses of your hosts. Note that the SPF record has no terminating all mechanism, so mail from hosts other than the MX gets a neutral result rather than a fail; append -all (or ~all while testing) once every legitimate sending host is listed.
The serial must be incremented every time you change a resource record in the zone, before reloading named. If you forget, the secondary (slave) servers will not re-transfer the zone: they only do so when the serial is greater than the one from their last transfer.
2. Configuring master server
Add your zone to /etc/named.conf:
zone "domain.tld" IN {
    type master;
    file "domain.tld.zone";
    allow-update { none; };
    notify no;
};
allow-update { none; }; rejects dynamic updates, which is what you want for a hand-edited zone. notify no; means ns02 is not told about changes and only picks them up at the Refresh interval; set notify yes; if ns02 is a real secondary that should follow changes promptly.
Reload the named.service unit to apply the configuration change.
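As an added example (not part of this wiki page), the following shell helper automates the step that is easiest to forget: it bumps the SOA serial of a zone file before the reload and, when the BIND tools are installed, validates the zone with named-checkzone. The function names get_serial, next_serial, bump_serial and check_zone are this example's own, and it assumes the serial sits on a line ending in "; Serial" as in the zone file above. The new serial is the larger of old+1 and today's YYYYMMDD01, so both date-style and plain counter serials keep increasing.

```shell
#!/bin/sh
# Added example, not from the Arch wiki page or the BIND project.
# Bump the SOA serial of a zone file, then validate the zone if
# named-checkzone is available. Function names are this example's own.

# Print the current serial: the first field of the line marked "; Serial".
get_serial() {
    awk '/; *Serial/ { print $1; exit }' "$1"
}

# Next serial: max(old + 1, today's date followed by "01").
next_serial() {
    old=$1
    today=$(date +%Y%m%d)01
    if [ "$old" -ge "$today" ]; then
        echo $((old + 1))
    else
        echo "$today"
    fi
}

# Rewrite the serial in place and print the new value; fail if the
# file has no numeric serial line.
bump_serial() {
    zone=$1
    old=$(get_serial "$zone")
    case $old in
        ''|*[!0-9]*) echo "no numeric serial found in $zone" >&2; return 1 ;;
    esac
    new=$(next_serial "$old")
    # Replace only the first "; Serial" line so other numbers are untouched.
    awk -v old="$old" -v new="$new" '
        !done && /; *Serial/ { sub(old, new); done = 1 }
        { print }' "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Syntax-check the zone the way named will load it; skip (but say so)
# when the BIND tools are not installed on this host.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed, skipping syntax check" >&2
        return 0
    fi
}

# Usage: bump-zone.sh domain.tld /var/named/domain.tld.zone
# followed by: systemctl reload named.service
if [ "$#" -eq 2 ]; then
    bump_serial "$2" && check_zone "$1" "$2"
fi
```

Run it as root against the real zone path and reload named afterwards; the check_zone step fails loudly on a syntax error (an unbalanced SOA parenthesis, a missing trailing dot) so a broken zone never reaches the reload.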
3. Setting this to be your default DNS server
If you are running your own DNS server, you might as well use it for all DNS lookups. That requires recursion, and an open recursive resolver can be abused as a reflector in DNS amplification attacks, so recursion must only be allowed for clients you control. The default Arch /etc/named.conf allows recursion only for queries coming from the loopback address:
allow-recursion { 127.0.0.1; };
So, to let your host use the server for general DNS lookups, its resolv.conf must list 127.0.0.1 as a name server. See Resolv.conf#Preserve DNS settings on how to keep this from being overwritten.
If you also want to provide name service for your local network, e.g. 192.168.0.0/24, add that range to the allow-recursion list in /etc/named.conf:
allow-recursion { 192.168.0.0/24; 127.0.0.1; };
Note that allow-recursion filters by client address, not by interface: named must also accept connections on the LAN interface, so if listen-on was restricted to 127.0.0.1 as in #Restrict access to localhost, clients on the LAN cannot reach the server at all.
Configuring BIND to serve DNSSEC signed zones
- http://www.dnssec.net/practical-documents
- http://blog.techscrawl.com/2009/01/13/enabling-dnssec-on-bind/
- Or use an external mechanism such as OpenDNSSEC (fully automatic key rollover). BIND 9.16 and later can also sign a zone and roll its keys by themselves through the dnssec-policy zone option.
Automatically listen on new interfaces
By default BIND rescans the system's network interfaces every 60 minutes, starts listening on any new ones and stops listening on interfaces that no longer exist. You can tune this interval by adding
interface-interval <rescan-interval-in-minutes>;
to the options section of named.conf. The maximum value is 28 days (40320 minutes).
Setting it to 0 disables the rescan altogether, so interfaces added later are ignored until named is restarted.
Then restart the service.
Running BIND in a chrooted environment
Running in a chroot environment is not required, but it limits what a compromised named process can read or write on the host filesystem, so it improves security. It complements, rather than replaces, running named as the unprivileged named user.
Creating the Jail House
In order to do this, we first need to create a place to keep the jail, we shall use /srv/named, and then put the required files into the jail.
mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
# Copy over required system files
cp -av /etc/{localtime,named.conf} /srv/named/etc/
cp -av /usr/lib/engines/* /srv/named/usr/lib/engines/
cp -av /var/named/* /srv/named/var/named/.
# Set up required dev nodes
mknod /srv/named/dev/null c 1 3
mknod /srv/named/dev/random c 1 8
# Set ownership of the files
chown -R named:named /srv/named
This should create the required file system for the jail.
Service File
Next, create a new service file that forces BIND into the chroot:
cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service
Then edit how the service starts named. The -t option makes named chroot to the jail before it reads /etc/named.conf, so the configuration it loads is the copy at /srv/named/etc/named.conf on the host:
/etc/systemd/system/named-chroot.service
ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"
Run systemctl daemon-reload so systemd picks up the new unit. Stop and disable named.service (both units would otherwise try to bind port 53), then start named-chroot.service.
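Before switching the unit over, it is worth checking that the jail actually contains everything the mkdir/cp/mknod steps above were meant to put there, and parsing the configuration the way the chrooted daemon will see it. The following is an added example, not from this page or the BIND project: the function names jail_missing and check_jail and the list of checked paths are this example's own choices, mirroring the steps in the section; named-checkconf -t is BIND's real option to treat a directory as the root before reading /etc/named.conf.

```shell
#!/bin/sh
# Added example, not from the Arch wiki page or the BIND project.
# Pre-flight check for the /srv/named chroot jail built above.
# Function names and the checked path list are this example's own.

# Print one line per missing item under the jail root $1 and return 1;
# print nothing and return 0 when the jail is complete.
jail_missing() {
    root=$1
    status=0
    for dir in etc var/named var/run var/log usr/lib/engines; do
        [ -d "$root/$dir" ] || { echo "missing directory $dir"; status=1; }
    done
    for file in etc/named.conf etc/localtime; do
        [ -f "$root/$file" ] || { echo "missing file $file"; status=1; }
    done
    # named needs /dev/null and /dev/random inside the jail, as character
    # devices (a plain file created by mistake with touch does not count).
    for dev in dev/null dev/random; do
        [ -c "$root/$dev" ] || { echo "missing device node $dev"; status=1; }
    done
    return $status
}

# Structural check first, then parse the config exactly as the chrooted
# daemon will: -t makes named-checkconf chroot to $1, so /etc/named.conf
# resolves to $1/etc/named.conf and the zone file paths in it are
# checked relative to the jail rather than to the host.
check_jail() {
    jail_missing "$1" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$1" /etc/named.conf
    else
        echo "named-checkconf not installed, skipped config parse" >&2
    fi
}

# Usage (as root, after building the jail): check_jail /srv/named
if [ "$#" -eq 1 ]; then
    check_jail "$1"
fi
```

A non-zero exit from check_jail means either a listed path is absent or named-checkconf rejected the configuration inside the jail; fix that before starting named-chroot.service, because named started with -t fails at exactly that point.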