BIND Domain Name Server

Last Updated on 2017-07-02 by Sture

Description

BIND is open source software that enables you to publish your Domain Name System (DNS) information on the Internet and to resolve DNS queries for your users. The name BIND stands for “Berkeley Internet Name Domain” because the software originated in the early 1980s at the University of California at Berkeley.

BIND is by far the most widely used DNS software on the Internet, providing a robust and stable platform on top of which organizations can build distributed computing systems with the knowledge that those systems are fully compliant with published DNS standards.

WWW: https://www.isc.org/software/bind.

Required package(s), installed and configured:

  1. OpenSSL – Open Secure Sockets Layer

Preparation for Installation

Start PuTTY on a Windows PC, Terminal on a Mac or similar terminal application on a Linux PC.

In this example Terminal on a Mac is used.

Open a remote SSH session to the server with:

Mac:~ user$ ssh user@192.168.1.4 [enter]
N.B.: Replace user@192.168.1.4 with the user ID and IP address of your server!
[user@server ~]$

Enable superuser privileges with:

[user@server ~]$ sudo -s [enter]
Password: <-- passwd [enter]
[root@server /usr/home/user]#

N.B.: Enter user password, not the root password!

Installation

Search for bind in the remote package repositories with:

[root@server /usr/home/user]# pkg search bind [enter]
bind-tools-9.10.4P6            Command line tools from BIND: delv, dig, host, nslookup...
bind9-devel-9.12.0.a.2017.02.09 BIND DNS suite with updated DNSSEC and DNS64
bind910-9.10.4P6               BIND DNS suite with updated DNSSEC and DNS64
bind911-9.10.4P6               BIND DNS suite with updated DNSSEC and DNS64
bind99-9.9.9P6                 BIND DNS suite with updated DNSSEC and DNS64
bindgraph-0.3_1                RRDtool frontend for BIND statistics
bindtest-1.56_1                Test bind() semantics of IPv6 sockets
.
.
[root@server /usr/home/user]#

In this example bind910 is installed, because at the time of writing bind911 produced TCP_FASTOPEN errors when run under FreeBSD 11.0-RELEASE-amd64.

Install bind910 with:

[root@server /usr/home/user]# pkg install bind910 [enter]
Updating FreeBSD repository catalogue...
FreeBSD repository is up-to-date.
All repositories are up-to-date.
The following 4 package(s) will be affected (of 0 checked):

New packages to be INSTALLED:
	bind910: 9.10.4P6
	lmdb: 0.9.18_1
	idnkit: 1.0_6
	json-c: 0.12.1

Number of packages to be installed: 4

The process will require 61 MiB more space.
8 MiB to be downloaded.

Proceed with this action? [y/N]: y [enter]
Fetching bind910-9.10.4P6.txz: 100%    8 MiB   2.7MB/s    00:03    
Fetching lmdb-0.9.18_1.txz: 100%   87 KiB  89.5kB/s    00:01    
Fetching idnkit-1.0_6.txz: 100%  194 KiB 198.4kB/s    00:01    
Fetching json-c-0.12.1.txz: 100%   38 KiB  39.2kB/s    00:01    
Checking integrity... done (0 conflicting)
[1/4] Installing lmdb-0.9.18_1...
[1/4] Extracting lmdb-0.9.18_1: 100%
[2/4] Installing idnkit-1.0_6...
[2/4] Extracting idnkit-1.0_6: 100%
[3/4] Installing json-c-0.12.1...
[3/4] Extracting json-c-0.12.1: 100%
[4/4] Installing bind910-9.10.4P6...
[4/4] Extracting bind910-9.10.4P6: 100%
Message from idnkit-1.0_6:
===>   NOTICE:

The idnkit port currently does not have a maintainer. As a result, it is
more likely to have unresolved issues, not be up-to-date, or even be removed in
the future. To volunteer to maintain this port, please create an issue at:

https://bugs.freebsd.org/bugzilla

More information about port maintainership is available at:

https://www.freebsd.org/doc/en/articles/contributing/ports-contributing.html#maintain-port
Message from bind910-9.10.4P6:
**********************************************************************
*            _  _____ _____ _____ _   _ _____ ___ ___  _   _         *
*           / \|_   _|_   _| ____| \ | |_   _|_ _/ _ \| \ | |        *
*          / _ \ | |   | | |  _| |  \| | | |  | | | | |  \| |        *
*         / ___ \| |   | | | |___| |\  | | |  | | |_| | |\  |        *
*        /_/   \_\_|   |_| |_____|_| \_| |_| |___\___/|_| \_|        *
*                                                                    *
*   BIND requires configuration of rndc, including a "secret" key.   *
*    The easiest, and most secure way to configure rndc is to run    *
*   'rndc-confgen -a' to generate the proper conf file, with a new   *
*            random key, and appropriate file permissions.           *
*                                                                    *
*     The /usr/local/etc/rc.d/named script will do that for you.     *
*                                                                    *
**********************************************************************
[root@server /usr/home/user]#

Configuration

List installed services named with:

[root@server /usr/home/user]# service -r | grep named
/usr/local/etc/rc.d/named
[root@server /usr/home/user]#

Find the rcvar for /etc/rc.conf:

[root@server /usr/home/user]# /usr/local/etc/rc.d/named rcvar
# named
#
named_enable="NO"
#   (default: "")

[root@server /usr/home/user]#

To start BIND at system boot, add the following to /etc/rc.conf with these commands (sysrc(8) can do the same with less risk of a typo):

[root@server /usr/home/user]# echo '' >> /etc/rc.conf; echo '# BIND' >> /etc/rc.conf; echo 'named_enable="YES"' >> /etc/rc.conf; echo 'named_auto_forward="YES"' >> /etc/rc.conf [enter]
[root@server /usr/home/user]#

N.B.: named_auto_forward="YES" tells the rc script to take the forwarders from the nameserver lines in /etc/resolv.conf. The named.conf below also lists the forwarders explicitly, and that explicit list is what this example relies on.

Optionally, have newsyslog rotate the /var/log/named/named.log log file with:

[root@server /usr/home/user]# echo '/var/log/named/named.log  bind:bind  600  9   100000 *     Z' >> /etc/newsyslog.conf [enter]
[root@server /usr/home/user]#

N.B.: Log rotation is configured in /etc/newsyslog.conf, not /etc/syslog.conf, and the path must match the file channel in named.conf. named keeps the file open, so after newsyslog has rotated it named continues writing into the rotated copy until it re-reads its configuration. The versions and size settings on the logging channel in named.conf below already rotate the file from inside named, which is the simpler choice.

Update resolv.conf

Update file /etc/resolv.conf and set the local host as the primary DNS:

[root@server /usr/home/user]# ee /etc/resolv.conf [enter]
search		example.net
nameserver	127.0.0.1
nameserver	208.67.222.222
nameserver	208.67.220.220

N.B.: In this example the OpenDNS name servers 208.67.222.222 and 208.67.220.220 are the forwarders used by the local BIND name server. Listed in resolv.conf they also serve as fallbacks for the host's own resolver: if named is not answering, the host's queries go straight to OpenDNS and bypass the allow-query and logging settings configured below.

Generate Cryptographic Key

Generate a rndc.key file, owned by the bind user so that named can read it, with the following command:

[root@server /usr/home/user]# rndc-confgen -a -u bind [enter]
wrote key file "/usr/local/etc/namedb/rndc.key"
[root@server /usr/home/user]#

N.B.: rndc-confgen in BIND 9.10 defaults to hmac-md5. If your rndc-confgen accepts the -A option, use -A hmac-sha256 instead.

Change file modes on file /usr/local/etc/namedb/rndc.key so that only its owner (and root) can read it:

[root@server /usr/home/user]# chmod 440 /usr/local/etc/namedb/rndc.key [enter]
[root@server /usr/home/user]#

N.B.: If the file was generated without -u bind it belongs to root, and named, which runs as user bind, will refuse to start because it cannot read the key that named.conf includes.

Display content of file /usr/local/etc/namedb/rndc.key with:

[root@server /usr/home/user]# cat /usr/local/etc/namedb/rndc.key [enter]
key "rndc-key" {
        algorithm hmac-md5;
        secret "XcwJ.............JSCMw==";
        };

N.B.: named.conf does not need a copy of this text; it pulls the key in with an include statement (include "/usr/local/etc/namedb/rndc.key";), so the secret lives in one file only.
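Added example, not from the original page: a small shell script that generates a second key for dynamic-update clients in the same key-clause syntax as rndc.key, using hmac-sha256 rather than the hmac-md5 that rndc-confgen picks by default in BIND 9.10, and writes it without ever leaving it world-readable. The key name ddns-key, the file path and the use of openssl for randomness are assumptions of this example; named.conf would reference such a key with allow-update { key "ddns-key"; } and include the file the same way it includes rndc.key.

```sh
#!/bin/sh
# Added example, not part of the original page or of BIND: build a TSIG key
# clause for dynamic-update clients, separate from the rndc control key.
# Assumed key name: "ddns-key". Assumed tools: openssl (listed as a
# requirement on this page), with /dev/urandom + base64 as a fallback.

# random_secret NBYTES: NBYTES of randomness, base64 encoded, on one line.
random_secret() {
    if command -v openssl >/dev/null 2>&1; then
        openssl rand -base64 "$1" | tr -d '\n'
    else
        head -c "$1" /dev/urandom | base64 | tr -d '\n'
    fi
}

# make_tsig_key NAME [ALGORITHM] [SECRET]: print one key clause in the syntax
# of rndc.key / named.conf. The key size follows the hash size; hmac-md5 and
# hmac-sha1 are accepted only so an existing key can be reproduced.
make_tsig_key() {
    name="$1"; algo="${2:-hmac-sha256}"
    case "$algo" in
        hmac-sha512) bytes=64 ;;
        hmac-sha384) bytes=48 ;;
        hmac-sha256) bytes=32 ;;
        hmac-sha1)   bytes=20 ;;
        hmac-md5)    bytes=16 ;;
        *) echo "make_tsig_key: unsupported algorithm: $algo" >&2; return 1 ;;
    esac
    secret="$3"
    [ -n "$secret" ] || secret=$(random_secret "$bytes")
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' "$name" "$algo" "$secret"
}

# write_key_file PATH NAME [ALGORITHM]: create PATH with mode 0600 so the
# secret is never world-readable, not even for an instant. If named itself
# must read it (allow-update), chown it to bind and chmod 440 afterwards, as
# the page does for rndc.key. An existing file would keep its old mode, so
# it is refused rather than overwritten.
write_key_file() {
    path="$1"; shift
    [ -e "$path" ] && { echo "write_key_file: $path exists, not overwriting" >&2; return 1; }
    old_umask=$(umask)
    umask 077
    make_tsig_key "$@" > "$path"
    rc=$?
    umask "$old_umask"
    return $rc
}

# others_can_read PATH: true when the "other" read bit is set (ls -l column 8).
others_can_read() {
    [ "$(ls -ld "$1" | cut -c8)" = r ]
}

# Demo: a throw-away key file in a temporary directory.
demo_dir=$(mktemp -d)
write_key_file "$demo_dir/ddns.key" ddns-key hmac-sha256
cat "$demo_dir/ddns.key"
others_can_read "$demo_dir/ddns.key" && echo "WARNING: key file is world-readable"
rm -rf "$demo_dir"
```

The clause it prints can be dropped into its own file beside rndc.key and included from named.conf; the same file, copied to the update client, is what nsupdate -k expects.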

Configuration file

Edit the BIND configuration file for /usr/local/etc/namedb/named.conf with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/named.conf [enter]

N.B.: This is an example file. Please use it only as a template!

//
// named.conf
//

acl nets { 192.168.1/24; 127.0.0.1; };

options {
	// Relative to the chroot directory, if any, and should be fully qualified.
	directory       "/usr/local/etc/namedb/working";
	pid-file        "/var/run/named/pid";
	dump-file       "/var/dump/named_dump.db";
	statistics-file "/var/stats/named.stats";
	listen-on { 192.168.1.4; 127.0.0.1; };
	forwarders { 208.67.222.222; 208.67.220.220; };
	allow-query { nets; };
	allow-recursion { nets; };
	};

logging {
	// debug 3 logs every query and every zone timer event (compare the tail
	// of named.log further down); lower it to info once the server works.
	channel log_file { file "/var/log/named/named.log" versions 3 size 5M;
	severity  debug 3 ; };
	category queries { log_file; };
	category xfer-in { log_file; };
	category xfer-out { log_file; };
	category default { log_file; };
	};

include "/usr/local/etc/namedb/rndc.key";

controls {
        // The second line exposes the control channel on the LAN interface;
        // keep it only if rndc is run from another host in "nets".
        inet 127.0.0.1 port 953 allow { nets; } keys { "rndc-key"; };
        inet 192.168.1.4 port 953 allow { nets; } keys { "rndc-key"; };
        };

//zone "." { type hint; file "named.root"; };
zone "localhost" { type master; file "/usr/local/etc/namedb/master/localhost-forward.db"; };
zone "127.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/localhost-reverse.db"; };
zone "255.in-addr.arpa" { type master; file "/usr/local/etc/namedb/master/empty.db"; };

zone "example.net" {
        notify yes;
        type master;
        file "/usr/local/etc/namedb/dynamic/hosts-forward.db";
        // Anyone holding rndc.key can both control named and rewrite this
        // zone; a separate TSIG key for updates keeps those powers apart.
        allow-update { key rndc-key; };
        };

zone "1.168.192.in-addr.arpa" {
        notify yes;
        type master;
        file "/usr/local/etc/namedb/dynamic/hosts-reverse.db";
        allow-update { key rndc-key; };
        };

“Seed” zone files

Prepare a “seed” zone file for the domain the server should update dynamically.

In this example, the dynamic domain is going to be example.net. Remember to replace example.net with your domain name; it must match the zone name used in file /usr/local/etc/namedb/named.conf.

The “seed” zone file is very minimal and should contain information that WON’T ever change. In this case, that will be the SOA record, the NS records, and the MX record.

Create the forward “seed” zone file with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/dynamic/hosts-forward.db [enter]

N.B.: This is an example file!

$ORIGIN .
$TTL 3600       ; 1 hour
example.net  IN SOA  server.example.net. admin.example.net. (
                                0          ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      server.example.net.
                        MX      10 server.example.net.
$ORIGIN example.net.
server                  A       192.168.1.4
ftp                     CNAME   server
mx                      CNAME   server
ns                      CNAME   server
www                     CNAME   server

Create the reverse “seed” zone file with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/dynamic/hosts-reverse.db [enter]

N.B.: This is an example file:

$ORIGIN .
$TTL 3600       ; 1 hour
1.168.192.in-addr.arpa  IN SOA  server.example.net. admin.example.net. (
                                0          ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      server.example.net.
                        MX      10 server.example.net.
$ORIGIN 1.168.192.in-addr.arpa.
4                       PTR     server.example.net.

Adapt the files to your needs: you can add more aliases, A or MX records. Change the domain name from example.net to your own domain, and the host name from server to the host name you are using. Remember the trailing "." after every fully qualified name; without it named appends the current $ORIGIN, so server.example.net would silently become server.example.net.example.net.

admin.example.net is the e-mail address of the person responsible for the zone. Here we use a “.” instead of an “@” sign in the e-mail address.
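Added example, not from the original page: a shell pre-flight check for a "seed" zone file in the layout above. named-checkzone (under Syntax Checks below) remains the authoritative test; this script catches the trailing-dot mistake the previous paragraphs warn about, which named-checkzone accepts as a syntactically valid zone (at best with a warning), because a target written as server.example.net is a legal name that merely becomes server.example.net.example.net. The two sample zone files are constructed here, and the checker's rules (exactly one SOA, at least one NS, every dotted target ends with a dot) are this example's own.

```sh
#!/bin/sh
# Added example, not part of the original page: a pre-flight check for a seed
# zone file written in the layout used above. Its rules are this example's own:
#   - exactly one SOA record, at least one NS record
#   - every NS/MX/CNAME/PTR target and both SOA names that contain a dot must
#     also end with a dot, otherwise named appends the current $ORIGIN to them
# Run named-checkzone as well; this only catches what that tool will not.

# check_seed_zone FILE: print one line per problem; return 1 if any were found.
check_seed_zone() {
    awk '
    function fq_check(name, what) {
        if (name ~ /\./ && name !~ /\.$/) {
            printf "%s:%d: %s \"%s\" has dots but no trailing dot; $ORIGIN will be appended\n",
                   FILENAME, FNR, what, name
            bad = 1
        }
    }
    { sub(/;.*/, "") }                       # strip comments
    /^[ \t]*$/ || /^[$]/ { next }            # skip blank lines and $ORIGIN/$TTL
    {
        # The record type is the first field that is a known type keyword;
        # owner name and class (IN) are optional in this layout.
        type = ""
        for (i = 1; i <= NF; i++)
            if ($i ~ /^(SOA|NS|MX|A|AAAA|CNAME|PTR)$/) { type = $i; ti = i; break }
    }
    type == "SOA"   { soa++; fq_check($(ti+1), "SOA primary"); fq_check($(ti+2), "SOA contact") }
    type == "NS"    { ns++;  fq_check($(ti+1), "NS target") }
    type == "MX"    {        fq_check($(ti+2), "MX target") }
    type == "CNAME" {        fq_check($(ti+1), "CNAME target") }
    type == "PTR"   {        fq_check($(ti+1), "PTR target") }
    END {
        if (soa != 1) { printf "%s: expected exactly one SOA record, found %d\n", FILENAME, soa; bad = 1 }
        if (ns < 1)   { printf "%s: no NS record\n", FILENAME; bad = 1 }
        exit (bad ? 1 : 0)
    }' "$1"
}

# Constructed sample files: the forward seed zone from this page done right,
# and the same file with the trailing dot dropped from the NS and MX targets.
make_samples() {
    dir=$(mktemp -d)
    cat > "$dir/good.db" <<'EOF'
$ORIGIN .
$TTL 3600       ; 1 hour
example.net  IN SOA  server.example.net. admin.example.net. (
                                0          ; serial
                                10800      ; refresh (3 hours)
                                3600       ; retry (1 hour)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      server.example.net.
                        MX      10 server.example.net.
$ORIGIN example.net.
server                  A       192.168.1.4
www                     CNAME   server
EOF
    sed 's/server\.example\.net\.$/server.example.net/' "$dir/good.db" > "$dir/bad.db"
    echo "$dir"
}

# Demo: the good file passes silently, the bad one reports two targets.
samples=$(make_samples)
check_seed_zone "$samples/good.db" && echo "good.db: ok"
check_seed_zone "$samples/bad.db"  || echo "bad.db: problems found"
rm -rf "$samples"
```

Run it as check_seed_zone /usr/local/etc/namedb/dynamic/hosts-forward.db before the named-checkconf -z step; a non-zero exit means at least one line was printed.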

named must be able to write the dynamic zone files itself, and it also creates a journal (.jnl) next to each of them, so both the files and the dynamic directory have to be writable by user bind. Give the files to bind with:

[root@server /usr/home/user]# chown bind:bind /usr/local/etc/namedb/dynamic/hosts-* [enter]
[root@server /usr/home/user]#

N.B.: The port normally installs /usr/local/etc/namedb/dynamic owned by bind; verify with ls -ld that this is still the case, otherwise the first dynamic update fails when named cannot create the journal.

Create a new directory called /var/log/named with:

[root@server /usr/home/user]# mkdir /var/log/named [enter]
[root@server /usr/home/user]#

Change file owner and group with:

[root@server /usr/home/user]# chown bind:bind /var/log/named [enter]
[root@server /usr/home/user]#

Change file modes so that bind can write the log and nobody else can (a world-writable directory would let any local user replace or truncate the log):

[root@server /usr/home/user]# chmod 750 /var/log/named [enter]
[root@server /usr/home/user]#

Create an empty log file called /var/log/named/named.log with:

[root@server /usr/home/user]# touch /var/log/named/named.log [enter]
[root@server /usr/home/user]#

The file /var/log/named/named.log must be writable by user bind:

[root@server /usr/home/user]# chown bind:bind /var/log/named/named.log [enter]
[root@server /usr/home/user]#

Syntax Checks

named-checkconf checks the syntax of named.conf. With -z it also loads every zone the file declares, performing the same checks named performs at startup, and -j makes it read the journal (.jnl) that may exist beside a dynamic zone file. named-checkzone does the same for a single zone file (named-checkzone example.net /usr/local/etc/namedb/dynamic/hosts-forward.db). Run the check before every start or reload:

[root@server /usr/home/user]# named-checkconf -zj [enter]
zone localhost/IN: loaded serial 42
zone 127.in-addr.arpa/IN: loaded serial 42
zone 255.in-addr.arpa/IN: loaded serial 42
zone example.net/IN: loaded serial 0
zone 1.168.192.in-addr.arpa/IN: loaded serial 0
[root@server /usr/home/user]#

Optional: rndc.conf

rndc.conf is the configuration file for rndc, the BIND 9 name server control utility. This file has a similar structure and syntax to named.conf. Statements are enclosed in braces and terminated with a semi-colon. Clauses in the statements are also semi-colon terminated.

Add /usr/local/etc/namedb/rndc.key to file /usr/local/etc/namedb/rndc.conf with:

[root@server /usr/home/user]# cat /usr/local/etc/namedb/rndc.key >> /usr/local/etc/namedb/rndc.conf [enter]
[root@server /usr/home/user]#

N.B.: rndc.conf now contains the secret too, and a file created this way gets the default umask, so give it the same restrictive mode as rndc.key.

Edit the configuration file for rndc with:

[root@server /usr/home/user]# ee /usr/local/etc/namedb/rndc.conf [enter]

N.B.: This is an example file!

/*
 * rndc configuration file.
 */

options {
        default-server  localhost;
        default-key     "rndc-key";
};

server localhost {
        key             "rndc-key";
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "XcwJ.............JSCMw==";
};

Start

Manually start BIND with:

[root@server /usr/home/user]# service named start [enter]
Starting named.
[root@server /usr/home/user]#

Test BIND status with:

[root@server /usr/home/user]# service named status [enter]
named is running as pid 64826.
[root@server /usr/home/user]#

Check the system log for named's startup messages with:

[root@server /usr/home/user]# grep named /var/log/messages [enter]
Mar  1 12:33:35 srv named[92074]: starting BIND 9.10.4-P6 <id:a6837d0> -u bind -c /usr/local/etc/namedb/named.conf
Mar  1 12:33:35 srv named[92074]: running on FreeBSD amd64 11.0-RELEASE-p2 FreeBSD 11.0-RELEASE-p2 #0: Mon Oct 24 06:55:27 UTC 2016     root@amd64-builder.daemonology.net:/usr/obj/usr/src/sys/GENERIC
Mar  1 12:33:35 srv named[92074]: built with '--localstatedir=/var' '--disable-linux-caps' '--disable-symtable' '--with-randomdev=/dev/random' '--with-libxml2=/usr/local' '--with-readline=-L/usr/local/lib -ledit' '--with-dlopen=yes' '--sysconfdir=/usr/local/etc/namedb' '--disable-fetchlimit' '--disable-filter-aaaa' '--disable-fixed-rrset' '--without-geoip' '--with-idn=/usr/local' '--enable-ipv6' '--with-libjson' '--disable-largefile' '--without-python' '--disable-querytrace' '--enable-rpz-nsdname' '--enable-rpz-nsip' 'STD_CDEFINES=-DDIG_SIGCHASE=1' '--without-gssapi' '--with-openssl=/usr' '--disable-native-pkcs11' '--with-dlz-filesystem=yes' '--without-gost' '--enable-threads' '--prefix=/usr/local' '--mandir=/usr/local/man' '--infodir=/usr/local/info/' '--build=amd64-portbld-freebsd11.0' 'build_alias=amd64-portbld-freebsd11.0' 'CC=cc' 'CFLAGS=-O2 -pipe -DLIBICONV_PLUG -fstack-protector -isystem /usr/local/include -fno-strict-aliasing' 'LDFLAGS= -fstack-protector' 'LIBS=-L/usr/local/lib' 'CPPFLAGS=-DLIBICONV_P
Mar  1 12:33:35 srv named[92074]: ----------------------------------------------------
Mar  1 12:33:35 srv named[92074]: BIND 9 is maintained by Internet Systems Consortium,
Mar  1 12:33:35 srv named[92074]: Inc. (ISC), a non-profit 501(c)(3) public-benefit 
Mar  1 12:33:35 srv named[92074]: corporation.  Support and training for BIND 9 are 
Mar  1 12:33:35 srv named[92074]: available at https://www.isc.org/support
Mar  1 12:33:35 srv named[92074]: ----------------------------------------------------
Mar  1 12:33:35 srv named[92074]: command channel listening on 127.0.0.1#953
Mar  1 12:33:35 srv named[92074]: command channel listening on 192.168.1.4#953
[root@server /usr/home/user]#
[root@server /usr/home/user]# tail /var/log/named/named.log [enter]
.
zone_settimer: zone 100.51.198.IN-ADDR.ARPA/IN: enter
zone_timer: zone id.server/CH: enter
zone_maintenance: zone id.server/CH: enter
zone_settimer: zone id.server/CH: enter
[root@server /usr/home/user]#

Reload Config

Reload configuration file and zones after manual updates with:

[root@server /usr/home/user]# rndc reload [enter]
server reload successful
[root@server /usr/home/user]#

…or with:

[root@server /usr/home/user]# service named reload [enter]
server reload successful
[root@server /usr/home/user]#

How to use

Check that the name server answers authoritatively for the zone. Querying a name that is not in the zone (ns1 in this captured run; the example zone above defines ns, not ns1) is a useful first test: the status is NXDOMAIN, but the aa flag and the zone's SOA in the authority section show that this server, not a forwarder, answered for example.net. A query for a name that does exist, such as server.example.net, should return its A record.

[root@server /usr/home/user]# dig @localhost ns1.example.net [enter]

; <<>> DiG 9.9.4 <<>> @localhost ns.example.net
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 15863
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;ns1.example.net.	IN	A

;; AUTHORITY SECTION:
example.net.	3600	IN	SOA	server.example.net. admin.server.example.net. 247 10800 3600 604800 86400

;; Query time: 0 msec
;; SERVER: 192.168.1.4#53(192.168.1.4)
;; WHEN: Mon Aug  8 23:52:15 2011
;; MSG SIZE  rcvd: 91

[root@server /usr/home/user]#

You can try to dig for google.com to make sure all is good with your DNS server:

[root@server /usr/home/user]# dig @localhost google.com [enter]
	
; <<>> DiG 9.9.4 <<>> @localhost google.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4584
;; flags: qr rd ra; QUERY: 1, ANSWER: 11, AUTHORITY: 13, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		300	IN	A	173.194.32.36
google.com.		300	IN	A	173.194.32.33
google.com.		300	IN	A	173.194.32.32
google.com.		300	IN	A	173.194.32.41
google.com.		300	IN	A	173.194.32.39
google.com.		300	IN	A	173.194.32.38
google.com.		300	IN	A	173.194.32.35
google.com.		300	IN	A	173.194.32.46
google.com.		300	IN	A	173.194.32.40
google.com.		300	IN	A	173.194.32.37
google.com.		300	IN	A	173.194.32.34

;; AUTHORITY SECTION:
.			510352	IN	NS	f.root-servers.net.
.			510352	IN	NS	e.root-servers.net.
.			510352	IN	NS	k.root-servers.net.
.			510352	IN	NS	b.root-servers.net.
.			510352	IN	NS	j.root-servers.net.
.			510352	IN	NS	l.root-servers.net.
.			510352	IN	NS	m.root-servers.net.
.			510352	IN	NS	a.root-servers.net.
.			510352	IN	NS	h.root-servers.net.
.			510352	IN	NS	i.root-servers.net.
.			510352	IN	NS	g.root-servers.net.
.			510352	IN	NS	d.root-servers.net.
.			510352	IN	NS	c.root-servers.net.

;; Query time: 48 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 15 23:10:43 CET 2013
;; MSG SIZE  rcvd: 426

[root@server /usr/home/user]#

Manual dynamic DNS update

A dynamic DNS update can be performed with the nsupdate tool. It needs a key file whose key name and secret match a key that allow-update in named.conf accepts; the configuration above uses /usr/local/etc/namedb/rndc.key for that, so nsupdate must run as root or as the file's owner. Whoever holds that file can also stop and reconfigure named with rndc, so hosts that only need to register themselves should be given a dedicated TSIG key instead.

In this example a new A record will be added for myhost.example.net with IP address 192.168.1.248:

[root@server /usr/home/user]# nsupdate -k /usr/local/etc/namedb/rndc.key [enter]
> update add myhost.example.net 3600 A 192.168.1.248 [enter]
> send [enter]
> [ctrl][D][root@server /usr/home/user]#

Verify the add of host myhost.example.net with:

[root@server /usr/home/user]# host myhost.example.net [enter]
myhost.example.net has address 192.168.1.248
[root@server /usr/home/user]#

Remove the A record for myhost.example.net so it doesn't cause problems later. Note that update delete with a bare name, as below, removes every record at that name; to remove only the address record, give the type as well (update delete myhost.example.net A):

[root@server /usr/home/user]# nsupdate -k /usr/local/etc/namedb/rndc.key [enter]
> update delete myhost.example.net [enter]
> send [enter]
> [ctrl][D][root@server /usr/home/user]#

Verify the delete of host myhost.example.net with:

[root@server /usr/home/user]# host myhost.example.net [enter]
Host myhost.example.net not found: 3(NXDOMAIN)
[root@server /usr/home/user]#
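Added example, not from the original page: a script that builds the nsupdate batch for one host as two transactions, the A record in example.net and the matching PTR in 1.168.192.in-addr.arpa, so the two dynamic zones above stay consistent, and that refuses names and addresses the server is not authoritative for. The server address 127.0.0.1, the zone names and the 192.168.1.0/24 prefix are taken from the named.conf above; the key file argument is whatever allow-update accepts (rndc.key on this page, preferably a dedicated key). Unlike the transcript it deletes by type (update delete NAME A), so other records at the same name survive.

```sh
#!/bin/sh
# Added example, not part of the original page: build (and optionally send)
# the nsupdate batch for one host, keeping the forward A record and the
# reverse PTR record in step. Assumptions, all taken from the named.conf on
# this page: named listens on 127.0.0.1, the zones are example.net and
# 1.168.192.in-addr.arpa, and the latter covers 192.168.1.0/24.

DDNS_SERVER=127.0.0.1
FWD_ZONE=example.net
REV_ZONE=1.168.192.in-addr.arpa
NET_PREFIX=192.168.1        # the /24 that REV_ZONE covers
DEFAULT_TTL=3600

# reverse_name IPV4: the in-addr.arpa owner name, 192.168.1.248 ->
# 248.1.168.192.in-addr.arpa. (prints nothing for anything but four octets)
reverse_name() {
    echo "$1" | awk -F. 'NF == 4 { printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# valid_host LABEL: a single lowercase hostname label. Anything else is
# refused before it can reach the update message.
valid_host() {
    case "$1" in
        ''|-*|*-|*[!a-z0-9-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# valid_ip IPV4: a host address inside NET_PREFIX.0/24. named would refuse
# an update for any other address in these zones anyway; fail early instead.
valid_ip() {
    case "$1" in "$NET_PREFIX".*) ;; *) return 1 ;; esac
    last=${1#"$NET_PREFIX".}
    case "$last" in ''|*[!0-9]*) return 1 ;; esac
    [ "$last" -ge 1 ] && [ "$last" -le 254 ]
}

# ddns_script add|delete HOST IPV4 [TTL]: print the nsupdate commands.
# "update delete NAME A" is used instead of a bare "update delete NAME",
# which would remove every record at that name, not just the address.
ddns_script() {
    action="$1"; host="$2"; ip="$3"; ttl="${4:-$DEFAULT_TTL}"
    case "$action" in add|delete) ;; *) echo "ddns_script: action must be add or delete" >&2; return 1 ;; esac
    valid_host "$host" || { echo "ddns_script: bad host label: $host" >&2; return 1; }
    valid_ip "$ip"     || { echo "ddns_script: $ip is outside $NET_PREFIX.0/24" >&2; return 1; }
    fqdn="$host.$FWD_ZONE."
    ptr=$(reverse_name "$ip")
    echo "server $DDNS_SERVER"
    echo "zone $FWD_ZONE"
    echo "update delete $fqdn A"
    if [ "$action" = add ]; then echo "update add $fqdn $ttl A $ip"; fi
    echo "send"
    echo "zone $REV_ZONE"
    echo "update delete $ptr PTR"
    if [ "$action" = add ]; then echo "update add $ptr $ttl PTR $fqdn"; fi
    echo "send"
}

# ddns_apply KEYFILE add|delete HOST IPV4 [TTL]: send the batch with nsupdate.
ddns_apply() {
    keyfile="$1"; shift
    batch=$(ddns_script "$@") || return 1
    printf '%s\n' "$batch" | nsupdate -k "$keyfile"
}

# Demo: print the batch that the transcript above would need for myhost.
ddns_script add myhost 192.168.1.248
```

ddns_apply /usr/local/etc/namedb/rndc.key add myhost 192.168.1.248 performs the same two updates the transcript does by hand, plus the PTR; each send is its own transaction, so a rejected reverse update leaves the forward record in place and is worth checking for in nsupdate's output.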
