BIND THE DNS SERVER TO USE !
DNS - Domain Name Services
Name to IP resolving
/etc/hosts
/etc/resolv.conf
Why Bind? Berkeley Internet Name Daemon
Because it's in the book...
It's the best...
It's incorporated by superior appliance vendors
Robust
TLD & ROOT Servers
.be .com .org .nu .nl .net ...
Types of DNS records
A AAAA MX CNAME PTR ...
Begin installation...
Take a fresh copy of your debian server
Remove unnecessary services
# apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig
Snip INETD services
# update-inetd --remove daytime
# update-inetd --remove telnet
# update-inetd --remove time
# update-inetd --remove finger
# update-inetd --remove talk
# update-inetd --remove ntalk
# update-inetd --remove ftp
# update-inetd --remove discard
# /etc/init.d/inetd reload
Install Bind9
# apt-get update && apt-get upgrade
# apt-get install bind9
Setting up bind9 ( )
Adding group `bind' (104) Done.
Adding system user `bind'
Adding new user `bind' (104) with group `bind'.
Not creating home directory.
Starting domain name service: named.
A local DNS server's purpose !
Caching
Forwarding
Resolving local domain(s) - records
CHROOT environment
Security !!!
Separate directory
System in a system
Setup CHROOT for BIND
# /etc/init.d/bind9 stop
Next, edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Change the line
OPTIONS="-u bind"
so that it reads:
OPTIONS="-u bind -t /var/lib/named"
Complete Chroot environment (1)
To provide a complete environment for running BIND, create the necessary directories under /var/lib:
# mkdir -p /var/lib/named/etc
# mkdir /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
# mv /etc/bind /var/lib/named/etc
Now create a symbolic link to the new config directory from the old location, to avoid problems when BIND is upgraded in the future:
# ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices for use by BIND, and fix the directory permissions:
# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8
Complete Chroot environment (2)
Then change the permissions and ownership of the files:
# chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
# chown -R bind:bind /var/lib/named/var/*
# chown -R bind:bind /var/lib/named/etc/bind
You'll also need to change the startup script /etc/init.d/sysklogd so that you can still see messages in the system logs (a chrooted named cannot reach /dev/log outside the jail, so syslogd must open an extra socket inside it). Change the line:
SYSLOGD=""
so that it reads:
SYSLOGD="-a /var/lib/named/dev/log"
Now restart the logging process with the command:
# /etc/init.d/sysklogd restart
# /etc/init.d/bind9 start
Check /var/log/syslog for any errors. You can page through the file using:
# less /var/log/syslog
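The two chroot slides above are a long sequence of manual steps, and the failure modes (a forgotten mknod, /etc/bind left as a real directory after an upgrade, named restarted without -t) are silent until resolution breaks. The script below is an added example, not part of the slides or of the Debian bind9 package: it checks a chroot laid out exactly as described above. Every check takes the chroot directory as an argument so it can be run against a scratch tree as well as the real /var/lib/named; the defaults (/var/lib/named, /etc/bind, the bind user, GNU stat and pgrep) are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): sanity-check a BIND chroot built as on the
# "Complete Chroot environment" slides. Assumed defaults: chroot at /var/lib/named,
# config symlink at /etc/bind, daemon user "bind", GNU stat/find/pgrep.

# Directories the slides create, relative to the chroot
CHROOT_DIRS="etc/bind dev var/cache/bind var/run/bind/run"

# 0 when every required directory exists under $1, 1 otherwise (prints what is missing)
chroot_dirs_ok() {
    root=$1; rc=0
    for d in $CHROOT_DIRS; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; rc=1; }
    done
    return $rc
}

# 0 when dev/null and dev/random are character devices with mode 666, 1 otherwise
chroot_devices_ok() {
    root=$1; rc=0
    for n in null random; do
        node="$root/dev/$n"
        if [ ! -c "$node" ]; then
            echo "not a character device (mknod missing?): $node"; rc=1
        elif [ "$(stat -c %a "$node")" != "666" ]; then
            echo "wrong mode on $node: $(stat -c %a "$node"), expected 666"; rc=1
        fi
    done
    return $rc
}

# 0 when $1 (normally /etc/bind) is a symlink pointing at $2/etc/bind
chroot_link_ok() {
    link=$1; root=$2
    [ -L "$link" ] && [ "$(readlink "$link")" = "$root/etc/bind" ]
}

# 0 when everything under $1/etc/bind and $1/var belongs to the bind user
chroot_owner_ok() {
    root=$1
    bad=$(find "$root/etc/bind" "$root/var" ! -user bind 2>/dev/null | head -n 5)
    [ -z "$bad" ] || { echo "not owned by bind:"; echo "$bad"; return 1; }
}

# 0 when a running named was started with -t <chroot>, i.e. it really is jailed
named_chrooted() {
    pgrep -f "named .*-t $1" >/dev/null 2>&1
}

# Live run: sh check_named_chroot.sh check [/var/lib/named]
case "${1:-}" in
    check)
        root=${2:-/var/lib/named}; status=0
        chroot_dirs_ok "$root"    || status=1
        chroot_devices_ok "$root" || status=1
        chroot_link_ok /etc/bind "$root" || { echo "/etc/bind is not a symlink to $root/etc/bind"; status=1; }
        chroot_owner_ok "$root"   || status=1
        named_chrooted "$root"    || { echo "named is not running with -t $root"; status=1; }
        [ $status -eq 0 ] && echo "chroot looks sane"
        exit $status
        ;;
esac
```

Run it as root after the "bind9 start" step; it exits non-zero and names the first thing that is off. The device check is the one most often failed after a package upgrade or a restore from backup, since the mknod step leaves nothing in the package database.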
/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

acl internals {
        /8;
        /24;
        /24;
};

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

zone " in-addr.arpa" {
        type master;
        file "/etc/bind/pri in-addr.arpa";
};

zone " in-addr.arpa" {
        type master;
        file "/etc/bind/pri in-addr.arpa";
};

zone "middle-earth" {
        type master;
        file "/etc/bind/pri.middle-earth";
};

zone "michiels.nu" {
        type master;
        file "/etc/bind/pri.michiels.nu";
};

include "/etc/bind/named.conf.local";
/etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        forwarders {
                ;
                ;
        };

        auth-nxdomain no;    # conform to RFC1035
        //listen-on-v6 { any; };

        allow-recursion { internals; };
        allow-query { internals; };
        allow-query-cache { internals; };
};
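The three allow-* lines at the end of the options file are what keep this server from being an open resolver: recursion and cache reads are limited to the internals ACL instead of the whole Internet. The script below is an added example (not from the slides) that reports who may recurse through a server by reading its named.conf.options, so the check can run on every box or in a config review before the daemon is restarted. It assumes plain-text config files with // and # comments as on the slides, a single options block without views, and it treats an absent allow-recursion statement as something to review by hand because the default differs between BIND versions. The sample configs and their addresses are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): classify the recursion policy of a
# named.conf.options file. Assumes one options block, no views, and // or #
# comments. Addresses in the samples are constructed.

# Strip // and # comments and fold the file onto one line so a statement can
# be matched however it was wrapped in the file
flatten_conf() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1" | tr '\n\t' '  ' | tr -s ' '
}

# Print the address-match list of statement $1 (e.g. allow-recursion) in file $2,
# such as "internals;" or "any;"; prints nothing when the statement is absent.
# The leading [ {] keeps allow-query from matching allow-query-cache.
acl_of() {
    flatten_conf "$2" | sed -n "s/.*[ {]$1 *{ *\([^}]*\)}.*/\1/p" | sed -e 's/^ *//' -e 's/ *$//'
}

# One-word verdict for the file: DISABLED, DEFAULT, OPEN (...) or RESTRICTED (...)
recursion_verdict() {
    conf=$1
    acl=$(acl_of allow-recursion "$conf")
    if flatten_conf "$conf" | grep -q 'recursion *no *;'; then
        echo "DISABLED"                 # authoritative-only: nobody may recurse
    elif [ -z "$acl" ]; then
        echo "DEFAULT"                  # no allow-recursion: version-dependent, review by hand
    else
        case " $acl " in
            *" any;"*) echo "OPEN ($acl)" ;;        # the whole Internet may recurse here
            *)         echo "RESTRICTED ($acl)" ;;
        esac
    fi
}

# Constructed sample modelled on the slide above (addresses made up for the example)
sample_restricted_conf() {
    cat <<'EOF'
acl internals { 127.0.0.0/8; 192.168.1.0/24; };
options {
    directory "/var/cache/bind";
    forwarders { 192.0.2.53; };
    auth-nxdomain no;    # conform to RFC1035
    allow-recursion { internals; };
    allow-query { internals; };
    allow-query-cache { internals; };
};
EOF
}

# The same file after the one-word change that turns it into an open resolver
sample_open_conf() {
    sample_restricted_conf | sed 's/allow-recursion { internals; }/allow-recursion { any; }/'
}

# Usage: sh recursion_check.sh demo      or      sh recursion_check.sh /etc/bind/named.conf.options
case "${1:-}" in
    demo)
        tmp=$(mktemp -d)
        sample_restricted_conf > "$tmp/restricted.options"
        sample_open_conf > "$tmp/open.options"
        for f in "$tmp"/*.options; do
            printf '%s: %s\n' "$(basename "$f")" "$(recursion_verdict "$f")"
        done
        rm -rf "$tmp"
        ;;
    *.options|*.conf) recursion_verdict "$1" ;;
esac
```

A RESTRICTED verdict only says the policy is written down; pair it with a query from outside the internals ranges (dig with a recursive flag against the server's public address, expecting REFUSED) to confirm the daemon actually loaded that file.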
/etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
Files
~ # cd /etc/bind
bind # ls -l
total 60
-rw-r--r-- 1 root root :21 db.0
-rw-r--r-- 1 root root :21 db.127
-rw-r--r-- 1 root root :21 db.255
-rw-r--r-- 1 root root :21 db.empty
-rw-r--r-- 1 root root :21 db.local
-rw-r--r-- 1 root root :21 db.root
-rw-r--r-- 1 root bind :03 named.conf
-rw-r--r-- 1 root bind :03 named.conf.local
-rw-r--r-- 1 root bind :03 named.conf.options
-rw-r--r-- 1 root bind :05 pri in-addr.arpa
-rw-r--r-- 1 root bind :05 pri in-addr.arpa
-rw-r--r-- 1 root bind :33 pri.michiels.nu
-rw-r--r-- 1 root bind :33 pri.middle-earth
-rw-r bind bind :02 rndc.key
-rw-r--r-- 1 root root :21 zones.rfc1918
/etc/bind/pri.michiels.nu
$TTL
        IN SOA ns1.afraid.org. root.michiels.nu. (
                        ; serial, today's date + today's serial #
                        ; refresh, seconds
                7200    ; retry, seconds
                        ; expire, seconds
                )       ; minimum, seconds
;
        NS ns1.afraid.org.
;
        NS ns2.afraid.org.
;
;
michiels.nu.    A
www             A
minas-morgul    A
mines-of-moria  CNAME moria.middle-earth.
;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;
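The serial comment in the zone above ("today's date + today's serial #") describes the YYYYMMDDnn convention, and the reason it matters is operational: secondaries (ns1/ns2.afraid.org here) only transfer the zone when the serial has grown, so a record added by hand below the marker line without a serial bump never leaves this server. The script below is an added example, not from the slides: it computes the next serial in that convention and rewrites the "; serial" line of a zone file. Today's date is passed in rather than read from the clock so the result is reproducible; the sample zone, its addresses and timer values are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the slides): keep an SOA serial in YYYYMMDDnn form.
# The date is an argument (YYYYMMDD) so results are deterministic.

# Print the serial to use after $1 when today is $2 (YYYYMMDD)
next_serial() {
    cur=$1; today=$2
    first=$((today * 100 + 1))      # first slot of today: YYYYMMDD01
    if [ "$cur" -lt "$first" ]; then
        echo "$first"                # last edit was on an earlier day
    else
        echo $((cur + 1))            # same day, or a serial already ahead of the clock: only ever increase
    fi
}

# Rewrite the serial in zone file $1 in place for date $2; prints the new serial
bump_zone_serial() {
    zone=$1; today=$2
    cur=$(awk '/; *serial/ { print $1; exit }' "$zone")
    [ -n "$cur" ] || { echo "no '; serial' line in $zone" >&2; return 1; }
    new=$(next_serial "$cur" "$today")
    # replace the first digit run on the first "; serial" line only
    awk -v new="$new" '/; *serial/ && !done { sub(/[0-9]+/, new); done=1 } { print }' "$zone" > "$zone.tmp" \
        && mv "$zone.tmp" "$zone"
    echo "$new"
}

# Constructed zone modelled on pri.michiels.nu above (addresses and timers made up)
sample_zone() {
    cat <<'EOF'
$TTL 86400
@       IN SOA ns1.afraid.org. root.michiels.nu. (
                2024031502 ; serial, today's date + today's serial #
                28800      ; refresh, seconds
                7200       ; retry, seconds
                604800     ; expire, seconds
                86400 )    ; minimum, seconds
;
        NS ns1.afraid.org.
        NS ns2.afraid.org.
;
michiels.nu.    A     192.0.2.10
www             A     192.0.2.10
minas-morgul    A     192.0.2.11
mines-of-moria  CNAME moria.middle-earth.
EOF
}

# Usage: sh serial.sh bump /etc/bind/pri.michiels.nu   (then reload named)
case "${1:-}" in
    bump) bump_zone_serial "$2" "$(date +%Y%m%d)" ;;
esac
```

After bumping, run named-checkzone on the file before the restart so a syntax slip in the manual entries does not take the zone down together with the serial change.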
Restart DNS Server
# /etc/init.d/bind9 restart
Troubleshooting
# less /var/log/syslog
# nslookup
# dig
# netstat -edapu | grep LISTEN