====== Debian Lenny BIND Howto ======

http://www.thinkdebian.org/archives/652

This guide will show you how to get DNS working on your Debian server using BIND 9. I will show you how to set up the network interface, and how to harden the server by running BIND 9 inside a chroot environment.

You will need to register a domain name so there will be no conflicts between internet domains and the domain(s) used on your LAN. You can register a domain name at ServQc.

===== Setting up BIND 9 =====

This will install BIND 9 and dnsutils, which contains the dig, nslookup and nsupdate DNS tools.

''# aptitude install bind9 dnsutils''

You will need to modify these settings to suit your network.

''# vim /etc/bind/named.conf.options''

<code>
options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        allow-query { 192.168.1.0/24; } ;       # network(s) which are allowed DNS queries
        allow-transfer { none; } ;
        allow-recursion { 192.168.1.0/24; } ;   # restrict which clients resolve DNS queries
        listen-on { 192.168.1.20; } ;           # interface BIND 9 listens on
        forward only;
        forwarders {
                208.67.222.222;   # specify your ISP name servers
                208.67.220.220;
        };
};
</code>

===== Configuring Authoritative DNS =====

Make sure you replace 'example.com' with your own registered domain name. Make sure '1.168.192.in-addr.arpa' contains the first three octets of your static IP in reverse order, i.e. 192.168.0.20 will be '0.168.192.in-addr.arpa' and 192.168.1.20 will be '1.168.192.in-addr.arpa'.

''# vim /etc/bind/named.conf.local''

<code>
zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/1.168.192.in-addr.arpa";
};
</code>

==== Adding a New Zone ====

You will need to edit this example with your network details and domain name. I have added some extra A records at the end so you can access your desktop via desktop.example.com, etc.

''# mkdir /etc/bind/zones''

''# vim /etc/bind/zones/example.com.db''

<code>
;
; SOA
;
$TTL 1h
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                        0000000001      ; Serial number
                        1h              ; Slave refresh
                        15m             ; Slave retry
                        2w              ; Slave expire
                        1h              ; Negative Cache TTL
                        )
;
; NS RECORDS
;
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.
;
; MX RECORD
;
@       IN      MX      10 mx.example.com.
;
; A RECORDS
;
@       IN      A       192.168.1.20
www     IN      A       192.168.1.20
ns1     IN      A       192.168.1.20
ns2     IN      A       192.168.1.20
mx      IN      A       192.168.1.20
desktop IN      A       192.168.1.21
laptop  IN      A       192.168.1.22
router  IN      A       192.168.1.254
</code>

==== Reverse DNS ====

Make sure you change the '20' at the bottom left of the configuration (the owner name of the PTR record) into the last octet of your IP address.

''# vim /etc/bind/zones/1.168.192.in-addr.arpa''

<code>
$TTL 1h
@       IN      SOA     ns1.example.com. hostmaster.example.com. (
                        0000000001;
                        1h;
                        15m;
                        2w;
                        1h )
        IN      NS      ns1.example.com.
20      IN      PTR     example.com.
</code>

===== Setting up Chroot Environment =====

Set BIND 9 to run as an unprivileged user and chroot to /var/lib/named.

''# vim /etc/default/bind9''

<code>
# run resolvconf?
RESOLVCONF=yes

# startup options for the server
OPTIONS="-u bind -t /var/lib/named"
</code>

We need to create the directories BIND 9 will chroot to.

''# mkdir -p /var/lib/named/etc''

''# mkdir -p /var/lib/named/dev''

''# mkdir -p /var/lib/named/var/cache/bind''

''# mkdir -p /var/lib/named/var/run/bind/run''

Move the BIND 9 configuration directory to /var/lib/named/etc.

''# mv /etc/bind /var/lib/named/etc''

Create a symlink from the new location to the old location.

''# ln -s /var/lib/named/etc/bind /etc/bind''

Create null and random devices.

''# mknod /var/lib/named/dev/null c 1 3''

''# mknod /var/lib/named/dev/random c 1 8''

Set the permissions of the directories.

''# chmod 666 /var/lib/named/dev/null''

''# chmod 666 /var/lib/named/dev/random''

''# chown -R bind:bind /var/lib/named/var/*''

''# chown -R bind:bind /var/lib/named/etc/bind''

We need to add this line to sysklogd so we get important messages logged.

''# vim /etc/default/syslogd''

<code>
SYSLOGD="-a /var/lib/named/dev/log"
</code>

Restart sysklogd and start BIND 9.

''# /etc/init.d/sysklogd restart''

''# /etc/init.d/bind9 start''

===== Configure Network Settings =====

The server needs a static IP address: if DHCP is used and the server IP keeps changing, DNS would stop working because BIND 9 would be resolving names to an IP that doesn't exist. Here are my network interface settings; you will probably need to modify them to suit your network.

''# aptitude remove dhcp3-common''

''# vim /etc/network/interfaces''

<code>
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
        address 192.168.1.20
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.1.20
</code>

Edit resolv.conf so DNS queries will point to BIND 9; change the IP accordingly.

''# vim /etc/resolv.conf''

<code>
nameserver 192.168.1.20
</code>

Restart the network.

''# /etc/init.d/networking restart''

===== Check DNS is Working =====

Make sure you change the IP accordingly.

''# dig @192.168.1.20 example.com''

<code>
; <<>> DiG 9.5.0-P2 <<>> @192.168.1.20 example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42726
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com.                   IN      A

;; ANSWER SECTION:
example.com.            3600    IN      A       192.168.1.20

;; AUTHORITY SECTION:
example.com.            3600    IN      NS      ns1.example.com.
example.com.            3600    IN      NS      ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.        3600    IN      A       192.168.1.20
ns2.example.com.        3600    IN      A       192.168.1.20

;; Query time: 0 msec
;; SERVER: 192.168.1.20#53(192.168.1.20)
;; WHEN: Sun Jan 11 07:53:47 2009
;; MSG SIZE  rcvd: 116
</code>

You can also check subdomains:

''dig @192.168.1.20 desktop.example.com''

and MX mail records:

''dig MX @192.168.1.20 example.com''

Check reverse DNS is working:

''# host 192.168.1.20''

<code>
20.1.168.192.in-addr.arpa domain name pointer example.com.
</code>
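The "reverse the first three octets" rule from the Configuring Authoritative DNS and Reverse DNS sections, as an added shell example that is not part of the original guide: the functions derive the in-addr.arpa zone name and the PTR owner label from any IPv4 address on a /24 and emit a reverse zone file in the same layout the guide uses. The function names and the multi-line SOA layout are mine; the sample values are the guide's. Like the guide, it assumes a /24 reverse zone (a /16 or /8 zone would reverse fewer octets).

```shell
#!/bin/sh
# Added example, not from the original guide: derive the in-addr.arpa zone
# name and the PTR owner label from a dotted-quad IPv4 address on a /24, and
# emit a reverse zone file in the layout the guide uses. The function names
# are assumptions of this example; the sample values are the guide's.

# reverse_zone A.B.C.D -> C.B.A.in-addr.arpa  (the guide's "reverse the first
# three octets" rule); fails on anything that is not four octets of 0-255.
reverse_zone() {
    set -- $(printf '%s' "$1" | tr '.' ' ')
    [ $# -eq 4 ] || { echo "reverse_zone: expected A.B.C.D" >&2; return 1; }
    for o in "$1" "$2" "$3" "$4"; do
        case "$o" in ''|*[!0-9]*) echo "reverse_zone: bad octet '$o'" >&2; return 1 ;; esac
        [ "$o" -le 255 ] || { echo "reverse_zone: octet $o > 255" >&2; return 1; }
    done
    printf '%s.%s.%s.in-addr.arpa' "$3" "$2" "$1"
}

# ptr_label A.B.C.D -> D  (the owner name of the PTR record inside that zone,
# the '20' the guide tells you to change)
ptr_label() {
    reverse_zone "$1" >/dev/null || return 1
    printf '%s' "${1##*.}"
}

# reverse_zone_file IP FQDN NS [SERIAL]: the reverse zone in the guide's
# format, i.e. SOA, NS and a single PTR pointing the host back at FQDN.
reverse_zone_file() {
    zone=$(reverse_zone "$1") || return 1
    label=$(ptr_label "$1") || return 1
    fqdn=$2; ns=$3; serial=${4:-0000000001}
    printf '; reverse zone %s\n' "$zone"
    printf '$TTL 1h\n'
    printf '@ IN SOA %s. hostmaster.%s. (\n' "$ns" "$fqdn"
    printf '        %s ; Serial number\n' "$serial"
    printf '        1h         ; Slave refresh\n'
    printf '        15m        ; Slave retry\n'
    printf '        2w         ; Slave expire\n'
    printf '        1h )       ; Negative Cache TTL\n'
    printf '        IN NS %s.\n' "$ns"
    printf '%s IN PTR %s.\n' "$label" "$fqdn"
}

# Stand-alone usage: sh reverse-zone.sh 192.168.1.20 example.com ns1.example.com
if [ $# -eq 3 ]; then
    reverse_zone_file "$@"
fi
```

Redirect the output into /etc/bind/zones/<zone name> and add the matching zone stanza to named.conf.local exactly as the guide shows; the validation in reverse_zone is there so a typo in the address fails loudly instead of producing a zone named after garbage.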
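A post-install audit of the two things this guide hardens, the ACLs in named.conf.options and the chroot layout, as an added shell example that is not part of the original guide. It uses only sed, grep and test, so it runs without BIND installed; the audit_* and *_count function names are mine, and the weak and hardened option snippets and the fake chroot tree it builds under mktemp are constructed for the demonstration. One caveat it encodes: an unset allow-query, allow-transfer or listen-on really does mean "any host" or "every interface" in BIND 9, while an unset allow-recursion defaults to localhost and localnets, so the report says "not explicitly restricted" rather than "open".

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the ACLs in
# named.conf.options and the chroot layout the guide builds, using only
# sed/grep/test so it runs without BIND installed. The function names are
# assumptions of this example; the sample configs and the fake chroot tree
# at the bottom are constructed for the demonstration.

# acl_value FILE NAME: text between the braces of "NAME { ... };" with
# whitespace stripped, or an empty string if the statement is absent.
acl_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*{\([^}]*\)}.*/\1/p" "$1" | tr -d ' \t' | head -n 1
}

# audit_options FILE: prints one FINDING line per ACL that is missing or open
# to everyone; the return value is the number of findings.
audit_options() {
    n=0
    for acl in allow-query allow-recursion allow-transfer listen-on; do
        v=$(acl_value "$1" "$acl")
        case "$v" in
            ''|'any;'|'0.0.0.0/0;')
                echo "FINDING: $acl is '${v:-unset}', not explicitly restricted as the guide does"
                n=$((n + 1)) ;;
        esac
    done
    return $n
}

# audit_chroot ROOT LINK DEFAULTS: checks the directory tree, the device nodes,
# the /etc/bind symlink and the -u/-t flags in /etc/default/bind9.
audit_chroot() {
    root=$1; link=$2; defaults=$3; n=0
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "FINDING: missing directory $root/$d"; n=$((n + 1)); }
    done
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || { echo "FINDING: $root/dev/$dev is not a character device"; n=$((n + 1)); }
    done
    if [ ! -L "$link" ] || [ "$(readlink "$link")" != "$root/etc/bind" ]; then
        echo "FINDING: $link is not a symlink to $root/etc/bind"; n=$((n + 1))
    fi
    grep -q '^OPTIONS=.*-u bind' "$defaults" 2>/dev/null \
        || { echo "FINDING: $defaults does not run named as the bind user (-u bind)"; n=$((n + 1)); }
    grep -q "^OPTIONS=.*-t $root" "$defaults" 2>/dev/null \
        || { echo "FINDING: $defaults does not chroot named to $root (-t $root)"; n=$((n + 1)); }
    return $n
}

# Counting wrappers: the number of FINDING lines as a plain number.
finding_count()        { audit_options "$1" | wc -l | tr -d ' '; }
chroot_finding_count() { audit_chroot "$1" "$2" "$3" | wc -l | tr -d ' '; }

# --- Constructed demonstration inputs (not real system files) ---
demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

cat > "$demo_dir/weak.options" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-query { any; };
    allow-recursion { any; };
};
EOF

cat > "$demo_dir/hardened.options" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-query { 192.168.1.0/24; } ;
    allow-transfer { none; } ;
    allow-recursion { 192.168.1.0/24; } ;
    listen-on { 192.168.1.20; } ;
};
EOF

# A fake chroot with the directories in place but without real device nodes
# (mknod needs root), so the audit should report exactly those two items.
mkdir -p "$demo_dir/chroot/etc/bind" "$demo_dir/chroot/dev" \
         "$demo_dir/chroot/var/cache/bind" "$demo_dir/chroot/var/run/bind/run"
: > "$demo_dir/chroot/dev/null"
ln -s "$demo_dir/chroot/etc/bind" "$demo_dir/etc-bind"
printf 'RESOLVCONF=yes\nOPTIONS="-u bind -t %s"\n' "$demo_dir/chroot" > "$demo_dir/bind9.default"

echo "== weak named.conf.options =="
audit_options "$demo_dir/weak.options" || echo "$? finding(s)"
echo "== hardened named.conf.options =="
audit_options "$demo_dir/hardened.options" && echo "no findings"
echo "== chroot layout =="
audit_chroot "$demo_dir/chroot" "$demo_dir/etc-bind" "$demo_dir/bind9.default" || echo "$? finding(s)"
```

On a real server, run ''audit_options /etc/bind/named.conf.options'' and ''audit_chroot /var/lib/named /etc/bind /etc/default/bind9'' after following the guide; a clean run means recursion and zone transfers are limited to what you wrote, named listens only where you told it to, and the -u/-t flags that make the chroot take effect are actually present.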