https://help.ubuntu.com/community/BIND9ServerHowto
BIND9ServerHowto
Content Cleanup Required
This article should be cleaned up to follow the content standards in the Wiki Guide.
Background
Note: There are some issues with this Howto, too numerous to fix quickly, and it requires bringing up to standard. I'm mentioning this to help anyone avoid the unnecessary time trying to resolve their DNS, owing to the inconsistencies in this document, particularly if you're new to DNS configuration. One example is here...
box IN A 192.168.1.10
... in all other places, the document uses the machine name example ns. Here it changes to box (I believe the author was simply trying to show that additional computers would be listed, but failed to use a different address for box. I modified the example file to give box an address of 192.168.1.21).
Introduction
Domain Name Service (DNS) is an Internet service that maps fully qualified domain names (FQDNs) and IP addresses to one another. In this way, DNS alleviates the need to remember IP addresses.
Computers that run DNS are called name servers. Ubuntu ships with BIND (Berkeley Internet Name Domain), the most widely deployed DNS server.
This guide is aimed at people looking to learn how to configure and maintain a DNS server, such as for a network (caching name server) or to serve DNS zones for a domain name.
Installation
BIND9 is packaged as bind9 in the Main repository, so no additional repository needs to be enabled. The dnsutils package (which provides dig and host) is used for the tests in this guide.
Table of Contents
1. Background
2. Introduction
3. Installation
4. BIND9 Configuration Scenarios
   1. Caching Server
   2. Primary Master Server
   3. Secondary Master Server
   4. Hybrids
   5. Stealth Servers
5. DNS Record Types
   1. Address Records
   2. Alias Records
   3. Mail Exchange Records
   4. Name Server Records
6. Configuring BIND9
   1. Caching Server configuration
      1. Testing
   2. Primary Master Server configuration
      1. Zone File
      2. Reverse Zone File
      3. Testing
   3. Secondary Master Server configuration
      1. Testing
7. Chrooting BIND9
   1. The Chroot Environment
   2. BIND9's Configuration
   3. Ubuntu's syslogd Daemon Configuration
   4. Restart the syslog server and BIND9
   5. Starting, Stopping, and Restarting BIND9
   6. Status
8. Logging
   1. Channel Option
   2. Category Option
9. Additional Possibilities
10. Further Information
   1. Online Resources
   2. Printed Resources
Caching Server
In this configuration BIND9 will find the answer to name queries (recursing on behalf of its clients) and remember the answer for the next query. This can be useful for a slow internet connection. By caching DNS queries, you will reduce bandwidth and (more importantly) latency. A caching server should answer recursive queries only for your own networks: one that recurses for anyone on the internet (an "open resolver") will be abused for DNS reflection and amplification attacks.
Hybrids
You can configure BIND9 to be a Caching and Primary Master DNS server simultaneously, a Caching and Secondary Master server, or even a Caching, Primary Master and Secondary Master server. All that is required is combining the different configuration examples. Keep in mind that the access controls differ: authoritative zones are normally served to anyone, while recursion should stay limited to your own clients.
Stealth Servers
There are also two other common DNS server setups (used when working with zones for registered domain names), Stealth Primary and Stealth Secondary. These are effectively the same as Primary and Secondary DNS servers, but with a slight organizational difference.
For example, you have three DNS servers: A, B and C. A is the Primary, B and C are secondaries.
If you configure your registered domain to use A and B as your domain's DNS servers, then C is a Stealth Secondary. It is still a secondary, but it is not going to be asked about the zone you are serving to the internet from A and B.
If you configure your registered domain to use B and C as your domain's DNS servers, then A is a Stealth Primary (also called a hidden primary). Any additional records or edits to the zone are done on A, but computers on the internet will only ever ask B and C about the zone. A still has to allow zone transfers to B and C, and since nothing else needs to reach it, it is a good candidate for being reachable only from them.
Address Records
The most commonly used type of record. This record maps a hostname to an IP address.
www     IN      A       1.2.3.4
Alias Records
Used to create an alias for an existing A record. You can create a CNAME record pointing to another CNAME record, but it doubles the number of lookups the resolver has to make, so it is an inefficient way to do it. A name that has a CNAME record cannot have any other records, so a CNAME cannot be used at the zone apex, and MX and NS records must not point at a CNAME.
mail    IN      CNAME   www
www     IN      A       1.2.3.4
Mail Exchange Records
Used to define where e-mail for the domain should be delivered. The number is the preference (lower is tried first); the target must be a hostname with an A record.
        IN      MX      10      mail.example.com.
[...]
mail    IN      A       1.2.3.4
Name Server Records
Used to define which servers are authoritative for, and serve copies of, a zone. As with MX, the target must be a hostname with an A record.
        IN      NS      ns.example.com.
[...]
ns      IN      A       1.2.3.4
Configuring BIND9
BIND9 Configuration files are stored in:
/etc/bind/
Caching Server configuration
The default installation already acts as a caching name server for the local host. To have it forward queries to your ISP's resolvers instead of recursing from the root servers, uncomment and edit the forwarders block in /etc/bind/named.conf.options and list their addresses (where 1.2.3.4 and 5.6.7.8 are the IP numbers of your ISP's DNS servers).
Now restart the bind daemon:
sudo /etc/init.d/bind9 restart
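The following is an added example, not code from the original page. It shows the forwarders configuration the text describes next to a hardened version that limits recursion to the local network, and a small static check for the classic open-resolver mistake (allow-query { any; } with nothing restricting recursion). The addresses 1.2.3.4 and 5.6.7.8 are the ISP resolvers from the text; 192.168.1.0/24 as the local network and 192.168.1.10 as the server's address are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original page: the forwarders configuration
# the page describes, shown beside a hardened version that limits recursion to
# the local network, plus a small static check for the open-resolver mistake.
# Assumed values: 1.2.3.4 and 5.6.7.8 are the ISP resolvers from the text,
# 192.168.1.0/24 is the local network and 192.168.1.10 the server's address.

# Forwarders as the page describes, with the allow-query { any; } that many
# guides add. Because allow-recursion defaults to allow-query-cache, which in
# turn defaults to allow-query, this answers recursive queries for the whole
# internet: an open resolver that will be used for reflection attacks.
OPEN_OPTIONS=$(cat <<'EOF'
options {
        directory "/var/cache/bind";
        forwarders { 1.2.3.4; 5.6.7.8; };
        allow-query { any; };
};
EOF
)

# Hardened form: the same forwarders, but recursion and cache access only for
# a named ACL. Widen allow-query (not allow-recursion) if this server also
# serves authoritative zones to the internet.
RESTRICTED_OPTIONS=$(cat <<'EOF'
acl "trusted" { 127.0.0.0/8; 192.168.1.0/24; };
options {
        directory "/var/cache/bind";
        forwarders { 1.2.3.4; 5.6.7.8; };
        recursion yes;
        allow-query { trusted; };
        allow-recursion { trusted; };
        allow-query-cache { trusted; };
        listen-on { 127.0.0.1; 192.168.1.10; };
        listen-on-v6 { none; };
};
EOF
)

# strip_comments: remove // and # comments so the checks only see directives.
strip_comments() {
  sed -e 's|//.*$||' -e 's|#.*$||'
}

# is_open_resolver: read an options fragment on stdin and return 0 (true) when
# it would recurse for anyone. Follows the BIND defaults: recursion is on unless
# "recursion no"; allow-recursion falls back to allow-query-cache, which falls
# back to allow-query; with none of them set, only localnets and localhost may.
is_open_resolver() {
  conf=$(strip_comments)
  any='[[:space:]]*\{[[:space:]]*any[[:space:]]*;'
  printf '%s\n' "$conf" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;' && return 1
  printf '%s\n' "$conf" | grep -Eq "allow-recursion$any" && return 0
  printf '%s\n' "$conf" | grep -Eq 'allow-recursion[[:space:]]*\{' && return 1
  printf '%s\n' "$conf" | grep -Eq "allow-query-cache$any" && return 0
  printf '%s\n' "$conf" | grep -Eq 'allow-query-cache[[:space:]]*\{' && return 1
  printf '%s\n' "$conf" | grep -Eq "allow-query$any" && return 0
  return 1
}

# Demonstration on the two fragments above.
printf '%s\n' "$OPEN_OPTIONS" | is_open_resolver && echo "open resolver: page-style options"
printf '%s\n' "$RESTRICTED_OPTIONS" | is_open_resolver || echo "restricted: hardened options"
```

The check is deliberately crude (a grep over a single options fragment, not a full named.conf parser), but it encodes the one fact that matters: with recursion on, allow-query alone decides who may use the cache unless allow-recursion or allow-query-cache says otherwise. Put the hardened fragment in /etc/bind/named.conf.options, run named-checkconf, and confirm from an outside host that dig @your-server google.com is refused.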
Testing
If you installed the dnsutils package you can test your setup using the dig command; a reverse lookup of the loopback address exercises the server itself:
dig -x 127.0.0.1
The dig command can also be used to query other domains, for example:
dig google.com
If you "dig" a domain name multiple times you should see a drastic improvement in the Query time: line between the first and second query. This is due to the server caching the answer. Add @127.0.0.1 to the dig command if the host's /etc/resolv.conf does not point at the server you are testing.
Primary Master Server configuration
Zone File
To add a DNS zone to BIND9, turning BIND9 into a Primary Master server, all you have to do is edit named.conf.local:
[...]
zone "example.com" {
type master;
file "/etc/bind/db.example.com";
};
[...]
Create the new zone file /etc/bind/db.example.com from the template /etc/bind/db.local (the reverse zone below is created from /etc/bind/db.127 in the same way), then edit it: change localhost. to the FQDN of your server, leaving the additional "." at the end; change 127.0.0.1 to the name server's IP address; and change root.localhost to a valid email address, but with a "." instead of the "@", also leaving the "." at the end.
Also, create an A record for ns.example.com, the name server in this example:
;
; BIND data file for example.com
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
ns      IN      A       192.168.1.10
; also list other computers
box     IN      A       192.168.1.21
You must increment the serial number every time you make changes to the zone file. If you make multiple changes before reloading BIND9, simply increment the serial once. Secondaries compare serials using serial-number arithmetic and only transfer the zone when the primary's serial is larger, so a serial that is edited downwards (or left unchanged) leaves them serving stale data.
Now, you can add DNS records to the bottom of the zone.
Tip: Many people like to use the last date edited as the serial of a zone, such as 2005010100 which is yyyymmddss (where ss is a two-digit sequence number for edits made on the same day).
Once you've made a change to the zone file BIND9 will need to reload it for the changes to take effect (sudo rndc reload does this without a full restart on current releases):
sudo /etc/init.d/bind9 restart
Reverse Zone File
Now that the zone resolves names to IP addresses, a reverse zone is also required so that the addresses resolve back to names. Declare it in /etc/bind/named.conf.local in the same way as the forward zone above, with the zone name 1.168.192.in-addr.arpa and the file /etc/bind/db.192.
Note: replace 1.168.192 with the first three octets, in reverse order, of whatever private network you are using. Also, name the zone file db.192 in the example appropriately.
Now create the db.192 file:
sudo cp /etc/bind/db.127 /etc/bind/db.192
Next edit /etc/bind/db.192, changing basically the same options as in /etc/bind/db.example.com:
;
; BIND reverse data file for 192.168.1.0/24
;
$TTL    604800
@       IN      SOA     ns.example.com. root.example.com. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.example.com.
10      IN      PTR     ns.example.com.
; also list other computers
21      IN      PTR     box.example.com.
The serial number in the reverse zone needs to be incremented on each change as well. For each A record you configure in /etc/bind/db.example.com you need to create a PTR record in /etc/bind/db.192.
After creating the reverse zone file restart bind9:
sudo /etc/init.d/bind9 restart
Testing
You should now be able to ping the name server by name and have it resolve to the host configured above (the zone as written has no A record for the bare name example.com, so ping that only if you add one):
ping ns.example.com
You can also use the named-checkzone utility that is part of the bind9 package:
named-checkzone example.com /etc/bind/db.example.com
and
named-checkzone 1.168.192.in-addr.arpa. /etc/bind/db.192
This is a great way to make sure you haven't made any mistakes before restarting bind9.
You can use the dig utility to test the reverse zone as well as the new domain name; a zone transfer request lists every record the server holds for the zone (add @127.0.0.1 if the host's resolver is not this server):
dig 1.168.192.in-addr.arpa. AXFR
Note that the same request sent from any host on the internet hands out your whole zone unless the zone's allow-transfer statement restricts it.
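The following script is an added example, not code from the original page. It automates the two steps the text leaves to the operator: bumping the SOA serial with the yyyymmddss scheme from the tip above (monotonically, so secondaries always see an increase), and running named-checkzone before the zone is reloaded. It assumes the zone file keeps Ubuntu's template layout, where the serial is the first field on the line carrying the "; Serial" comment, and that the serial fits in 32 bits (a 2016xxxxxx value does).

```shell
#!/bin/sh
# Added example (not from the original page): bump a zone's SOA serial using the
# yyyymmddss scheme from the tip above, then validate the file with
# named-checkzone before BIND is asked to reload it.
# Assumptions: the zone file keeps Ubuntu's template layout, where the serial is
# the first field on the line carrying the "; Serial" comment, and the serial
# fits in 32 bits (a 2016xxxxxx value does).

# bump_serial ZONEFILE [YYYYMMDD]
# New serial = the date followed by "00"; if that is not larger than the
# current serial (same day, or a future-dated serial), use current + 1 instead.
# The serial must strictly increase or secondaries will never transfer the zone.
bump_serial() {
  file=$1
  today=${2:-$(date -u +%Y%m%d)}
  old=$(awk '/;[ \t]*Serial/ { print $1; exit }' "$file")
  case $old in
    ''|*[!0-9]*) echo "bump_serial: no numeric serial found in $file" >&2; return 1 ;;
  esac
  new="${today}00"
  [ "$new" -gt "$old" ] || new=$((old + 1))
  # Replace only the serial token on the "; Serial" line, keeping the layout.
  awk -v old="$old" -v new="$new" '
    !done && /;[ \t]*Serial/ && $1 == old {
      n = index($0, old)
      $0 = substr($0, 1, n - 1) new substr($0, n + length(old))
      done = 1
    }
    { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
  echo "$new"
}

# check_zone ZONENAME ZONEFILE
# Runs named-checkzone when the bind9 package is installed; it catches missing
# trailing dots, bad SOA fields and unparseable records before a reload.
check_zone() {
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$2"
  else
    echo "named-checkzone not installed; skipping syntax check of $2" >&2
  fi
}

# Typical use on the primary after editing the zone (run as root):
#   bump_serial /etc/bind/db.example.com \
#     && check_zone example.com /etc/bind/db.example.com \
#     && rndc reload example.com
```

Because the new serial is computed as max(date00, old + 1), the script also recovers from a serial someone set in the future: it keeps counting up from there rather than jumping backwards, which a secondary would interpret as "nothing changed".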
Secondary Master Server configuration
First, on the Primary Master, the zone transfer needs to be allowed: add an allow-transfer statement naming the secondary's address to both the forward and the reverse zone declarations in /etc/bind/named.conf.local. Without it, BIND versions of this page's era allow transfers to any host.
Note: replace @ip_secondary with the actual IP address of your secondary server.
Next, on the Secondary Master, install the bind9 package the same way as the primary. Then edit /etc/bind/named.conf.local and add the following declarations for the Forward and Reverse zones:
[...]
zone "example.com" {
type slave;
file "/var/cache/bind/db.example.com";
masters { @ip_master; };
};
[...]
zone "1.168.192.in-addr.arpa" {
type slave;
file "/var/cache/bind/db.192";
masters { @ip_master; };
};
[...]
Note: replace @ip_master with the IP address of the Primary. The zone file must be in /var/cache/bind/ because, by default, AppArmor only allows write access inside it (this was done specifically for a slave configuration; see AppArmor's profile in /etc/apparmor.d/usr.sbin.named).
Restart the server, and in /var/log/syslog you should see something similar to:
syslog.5.gz:May 14 23:33:53 smith named[5064]: zone example.com/IN: transferred serial 2006051401
syslog.5.gz:May 14 23:33:53 smith named[5064]: transfer of 'example.com/IN' from 10.0.0.202#53: end of transfer
syslog.5.gz:May 14 23:33:35 smith named[5064]: slave zone "1.168.192.in-addr.arpa" (IN) loaded (serial 2006051401)
Note: A zone is only transferred if the serial number on the Primary is larger than the one on the Secondary.
Testing
Testing the Secondary Master can be done using the same methods as the Primary. Also, you could shut down BIND9 on the Primary and then try pinging ns.example.com from a host configured to use the Secondary as well as the Primary for name resolution. If all goes well the Secondary should resolve the name.
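The following script is an added example, not code from the original page. It generates a TSIG key and writes the named.conf.local fragments for both sides of the transfer described above, so that the Secondary has to sign its AXFR requests and the Primary refuses transfers from anyone else. Address-based allow-transfer alone can be defeated by spoofing or by a compromised host on the secondary's subnet; a shared key cannot. The key name example-transfer-key and the addresses 192.168.1.10 (@ip_master) and 192.168.1.11 (@ip_secondary) are assumptions; the zone names are the page's. On recent releases the tsig-keygen utility shipped with BIND produces the same key clause.

```shell
#!/bin/sh
# Added example (not from the original page): generate a TSIG key and the
# matching named.conf.local fragments so that zone transfers between the
# Primary and the Secondary are authenticated with the key, not just by address.
# Assumed values: @ip_master=192.168.1.10, @ip_secondary=192.168.1.11 and the
# key name "example-transfer-key"; the zone names are the page's.

# gen_tsig_secret: 32 random bytes, base64 encoded, which is what hmac-sha256
# expects (the same thing tsig-keygen produces on recent BIND releases).
gen_tsig_secret() {
  head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# write_transfer_config KEYNAME SECRET MASTER_IP SECONDARY_IP OUTDIR
# Writes OUTDIR/primary.conf and OUTDIR/secondary.conf; each is meant to be
# included from /etc/bind/named.conf.local on the respective server.
write_transfer_config() {
  keyname=$1 secret=$2 master=$3 secondary=$4 outdir=$5
  keyclause="key \"$keyname\" {
        algorithm hmac-sha256;
        secret \"$secret\";
};"
  cat > "$outdir/primary.conf" <<EOF
$keyclause

// Only requests signed with the key may pull the zones; the secondary is
// notified of changes so it does not have to wait for the refresh timer.
zone "example.com" {
        type master;
        file "/etc/bind/db.example.com";
        allow-transfer { key "$keyname"; };
        also-notify { $secondary; };
        notify yes;
};
zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/db.192";
        allow-transfer { key "$keyname"; };
        also-notify { $secondary; };
        notify yes;
};
EOF
  cat > "$outdir/secondary.conf" <<EOF
$keyclause

// Sign every request to the primary with the key, and do not re-export the
// zones to anyone else.
server $master { keys { "$keyname"; }; };
zone "example.com" {
        type slave;
        file "/var/cache/bind/db.example.com";
        masters { $master; };
        allow-transfer { none; };
};
zone "1.168.192.in-addr.arpa" {
        type slave;
        file "/var/cache/bind/db.192";
        masters { $master; };
        allow-transfer { none; };
};
EOF
  # The fragments carry the shared secret: keep them readable by root only.
  chmod 600 "$outdir/primary.conf" "$outdir/secondary.conf"
}

# Example run into a scratch directory (on a real system copy the fragments to
# /etc/bind on each server and include them from named.conf.local).
OUT=${OUT:-$(mktemp -d)}
write_transfer_config example-transfer-key "$(gen_tsig_secret)" 192.168.1.10 192.168.1.11 "$OUT"
echo "fragments written to $OUT"
```

After installing the fragments and reloading both servers, verify the policy from the outside: dig @192.168.1.10 example.com AXFR from any host that does not hold the key should print "Transfer failed.", while the secondary's syslog should show the transfer completing with the key name in the log line.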
Chrooting BIND9
Chrooting BIND9 is a recommended setup from a security perspective if you don't have AppArmor installed. In a chroot environment, BIND9 has access to all the files and hardware devices it needs, but is unable to access anything it should not need. AppArmor is installed by default on recent Ubuntu releases, and its usr.sbin.named profile already confines where named may read and write. Unless you've explicitly disabled AppArmor, you might want to read this before you decide to attempt a chrooted bind. If you still want to go forward with it, you'll need this information, which isn't covered in the instructions that follow here.
The Chroot Environment
To chroot BIND9, simply create a chroot environment for it and add the additional configuration below:
sudo chown root:root /chroot
sudo chmod 700 /chroot
sudo chown bind:bind /chroot/named
sudo chmod 700 /chroot/named
Copy the configuration into the chroot:
$ sudo cp /etc/bind/named.conf /chroot/named/etc
Create the directory /chroot/named/etc/namedb/slaves. This is where the files for all slave zones will be kept. This increases security by stopping an attacker who gains access as the bind user from editing any of your master zone files: the bind user can write only under slaves, while the master zone files stay owned by root. Accordingly, all slave file names in the /chroot/named/etc/named.conf file will need to have directory names that designate the slave directory. An example zone definition is listed below.
zone "my.zone.com." {
type slave;
file "slaves/my.zone.com.dns";
masters {
10.1.1.10;
};
};
Give the user bind access to the /chroot/named/var/run directory that will be used to store PID and statistical data.
BIND9's Configuration
Edit the bind startup options found in /etc/default/bind9 (on releases that ship bind9 as a systemd unit the file is /etc/default/named). Change the line that reads:
/etc/default/bind9:
OPTIONS="-u bind"
So that it reads:
/etc/default/bind9:
OPTIONS="-u bind -t /chroot/named -c /etc/named.conf"
The -t option changes the root directory from which bind operates to be /chroot/named. The -c option tells BIND that the configuration file is located at /etc/named.conf. Remember that this path is relative to the root set by -t.
The named.conf file must also receive extra options in order to run correctly; below is a minimal set of options (all paths are relative to the chroot):
/chroot/named/etc/named.conf:
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
};
Ubuntu's syslogd Daemon Configuration
Inside the chroot, named cannot reach /dev/log, so the syslog daemon must be told to listen on an additional socket inside the jail. With the classic sysklogd this is done in /etc/default/syslogd:
[...]
SYSLOGD="-u syslog -a /chroot/named/dev/log"
[...]
(Releases that use rsyslog instead need the equivalent imuxsock setting, $AddUnixListenSocket /chroot/named/dev/log, in the rsyslog configuration.)
Restart the syslog server and BIND9
At this point you should check /var/log/syslog (or /var/log/messages on older releases) for any errors that may have been thrown by bind.
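The following script is an added example, not code from the original page. It builds the chroot tree that the steps above assume, with the ownership split the text describes: the configuration tree under etc/ stays root-owned and read-only for bind, only etc/namedb/slaves and var/run are writable by the bind user, and dev/ gets the two device nodes named needs inside a jail. It assumes Linux device numbers (null = 1,3 and random = 1,8) and the "bind" system user created by Ubuntu's bind9 package; /chroot itself is taken to have been created and set to root:root 700 as the commands above show.

```shell
#!/bin/sh
# Added example, not code from the original page: create the chroot tree the
# steps above assume. Run as root on a real system (ROOT defaults to
# /chroot/named); as an unprivileged user it still builds the directory layout
# and permissions so they can be inspected, and skips device nodes and chown.
# Assumptions: Linux device numbers (null = 1,3 and random = 1,8) and a "bind"
# system user, as created by Ubuntu's bind9 package. /chroot itself is assumed
# to exist already as root:root 700, as set by the commands above.

build_chroot() {
  root=${1:-/chroot/named}

  mkdir -p "$root/etc/namedb/slaves" "$root/dev" "$root/var/run"

  if [ "$(id -u)" -eq 0 ]; then
    # named needs /dev/null and /dev/random inside the jail; device nodes
    # can only be created by root, so this part is skipped otherwise.
    [ -c "$root/dev/null" ]   || mknod -m 666 "$root/dev/null" c 1 3   || echo "warning: could not create dev/null" >&2
    [ -c "$root/dev/random" ] || mknod -m 666 "$root/dev/random" c 1 8 || echo "warning: could not create dev/random" >&2
    if id bind >/dev/null 2>&1; then
      # Config tree and master zones: root-owned, readable by bind.
      chown root:root "$root/etc" "$root/etc/namedb" "$root/dev" "$root/var"
      # Jail top, slave zones and PID/statistics: owned by bind, as the text says.
      chown bind:bind "$root" "$root/etc/namedb/slaves" "$root/var/run"
    else
      echo "warning: no bind user; ownership left unchanged" >&2
    fi
  else
    echo "not root: device nodes and ownership skipped" >&2
  fi

  # The page's layout: the jail closed to everyone else, the config tree
  # readable but not writable by bind, and the two directories bind must
  # write to (slave zones, PID/statistics) private to it.
  chmod 700 "$root" "$root/etc/namedb/slaves" "$root/var/run"
  chmod 755 "$root/etc" "$root/etc/namedb" "$root/dev" "$root/var"
}

# On the real system, after this, copy named.conf into $root/etc as the text
# above shows and keep master zone files under $root/etc/namedb owned by root.
```

A quick way to confirm the split afterwards is sudo -u bind touch /chroot/named/etc/namedb/test, which must fail, against sudo -u bind touch /chroot/named/etc/namedb/slaves/test, which must succeed.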
Status
To check the status of your BIND9 installation:
$ host localhost
or
$ dig @localhost
(where localhost is the system you are setting BIND9 up on; if not localhost, use the appropriate IP address. dig @localhost with no name asks the server for the root name servers, which only succeeds if it is up and willing to recurse for you.)
Logging
BIND9 has a wide variety of logging configuration options available. There are two main parts to BIND9 logging: the channel option configures where logs go, and the category option determines what to log.
If no logging statement is configured, the default is:
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
};
Next we will configure BIND9 to send debug messages related to DNS queries to a separate file.
Channel Option
First, we need to configure a channel to specify which file to send the messages to. The file must be somewhere named is allowed to write: Ubuntu's AppArmor profile permits /var/lib/bind/ and /var/log/named/, and will deny a file placed directly under /var/log/. Edit /etc/bind/named.conf.local and add the following:
logging {
channel query.log {
file "/var/lib/bind/query.log";
// Set the severity to dynamic to see all the debug messages.
severity dynamic;
};
};
Category Option
Next, configure a category to send all DNS queries to the query file:
logging {
channel query.log {
file "/var/lib/bind/query.log";
// Log at debug level 3.
severity debug 3;
};
category queries { query.log; };
};
Note: the debug level is an integer; higher levels are more verbose, and level 1 is the default when no level is given. Query logging can also be switched on and off at run time with rndc querylog, without editing the configuration.
Now restart BIND9 for the changes to take effect:
sudo /etc/init.d/bind9 restart
You should see the file /var/lib/bind/query.log fill with BIND9 log information. Query logs record every client address and the names it asked for, so treat the file as sensitive and rotate it (the channel's versions and size options do this) rather than letting it grow unbounded. This is a simple example of the BIND9 logging options available; see ISC's BIND9 Manual for more information.
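The following script is an added example, not code from the original page. It reads a query log written by the channel above and summarizes it per client and query type, flagging clients that send ANY queries, which against an authoritative or open server are the usual sign of an amplification probe. The log lines in the script are constructed for the example, in the format BIND 9.10 writes; the "@0x..." client handle that 9.11 and later insert is also handled.

```shell
#!/bin/sh
# Added example, not code from the original page: summarize a query log written
# by the channel above and flag clients sending ANY queries, which on an open
# or authoritative server are the usual sign of an amplification probe.
# The log lines below are constructed for the example in the format BIND 9.10
# writes (9.11 and later insert a "@0x..." client handle, which is handled).

SAMPLE_LOG=$(cat <<'EOF'
16-Aug-2016 17:49:01.001 client 192.168.1.21#40123 (www.example.com): query: www.example.com IN A + (192.168.1.10)
16-Aug-2016 17:49:01.120 client 192.168.1.21#40124 (example.com): query: example.com IN MX + (192.168.1.10)
16-Aug-2016 17:49:02.300 client 203.0.113.7#1337 (example.com): query: example.com IN ANY +E (192.168.1.10)
16-Aug-2016 17:49:02.310 client 203.0.113.7#1337 (example.com): query: example.com IN ANY +E (192.168.1.10)
16-Aug-2016 17:49:03.000 client @0x7f3a1c0 198.51.100.9#55555 (ns.example.com): query: ns.example.com IN A + (192.168.1.10)
16-Aug-2016 17:49:03.500 client 192.168.1.21#40125 (box.example.com): query: box.example.com IN AAAA + (192.168.1.10)
EOF
)

# query_report: read a query log on stdin and print "client qtype count",
# busiest first. Fields are located by keyword rather than position so the
# client handle added by newer BIND versions does not shift them.
query_report() {
  awk '
    /query:/ {
      ip = ""; type = ""
      for (i = 1; i <= NF; i++) {
        if ($i == "client") {
          j = i + 1
          if ($j ~ /^@/) j++          # skip the 9.11+ "@0x..." handle
          split($j, addr, "#"); ip = addr[1]
        }
        if ($i == "query:") { type = $(i + 3); break }
      }
      if (ip != "" && type != "") count[ip " " type]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k3,3nr -k1,1 -k2,2
}

# any_clients THRESHOLD: clients that sent at least THRESHOLD ANY queries.
any_clients() {
  query_report | awk -v t="$1" '$2 == "ANY" && $3 >= t { print $1 }'
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE_LOG" | query_report
printf '%s\n' "$SAMPLE_LOG" | any_clients 2
```

On a live server, feed the real file instead (cat /var/lib/bind/query.log | any_clients 20) and treat any address outside your own networks that appears there as a candidate for a firewall rule; a server that has to answer the world authoritatively can also rate-limit such traffic with BIND's response-rate-limiting options rather than block it outright.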
Additional Possibilities
You can monitor your BIND9 server usage by installing the bindgraph package from the Universe (To enable Universe see AddingRepositoriesHowto) and following configuration details as outlined in bindgraph's README documents
Further Information
Online Resources
"ISC's BIND9 Manual"
TLDP's "DNS HOWTO" (For General Overview)
"Chroot BIND Howto"
Debian BIND Wiki
BIND reference guide
Printed Resources
"DNS & BIND" - Paul Albitz & Cricket Liu - 5th Edition - "O'Reilly Press" (Amazon.com)
DNS & BIND Cookbook - Cricket Liu - 4th Edition - "O'Reilly Press" (Amazon.com)
BIND9ServerHowto (last edited 2016-07-08 14:55:48 by gweatherby @ 155.37.216.91)