====== Debian Lenny BIND Howto ======

http://www.thinkdebian.org/archives/652

This guide will show you how to get DNS working on your Debian server using BIND 9. I will show you how to set up the network interface, and how to maximize security by running BIND 9 inside a chroot environment. You will need to register a domain name so there will be no conflicts between internet domains and the domain(s) used on your LAN. You can register a domain name at ServQc.


===== Setting up BIND 9 =====

This will install BIND 9 and dnsutils, which contains the dig, nslookup and nsupdate DNS tools.

''# aptitude install bind9 dnsutils''


You will need to modify these settings to suit your network.

''# vim /etc/bind/named.conf.options''

  options {
  directory "/var/cache/bind";
  
  auth-nxdomain no;    # conform to RFC1035
  
  allow-query { 192.168.1.0/24; } ; # network(s) which are allowed DNS queries
  allow-transfer { none; } ;
  allow-recursion { 192.168.1.0/24; } ; # restrict which clients resolve DNS queries
  listen-on { 192.168.1.20; } ; # interface BIND 9 listens on
  forward only;
  forwarders {
    208.67.222.222; # specify your ISP name servers
    208.67.220.220;
    };
  };
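The ''allow-query'', ''allow-recursion'' and ''allow-transfer'' lines above are what keep this server from being an open resolver or handing its zones to anyone who asks. The following Python script is an added check, not part of the original howto: it parses the ACL statements of a named.conf.options file and reports the ones that are missing or match any client. Both option blocks are constructed samples (the first is the restricted configuration above, the second a permissive variant); the defaults it names are BIND 9's own (allow-query and allow-transfer default to any, allow-recursion to localnets and localhost since 9.4).

```python
import re

# Constructed sample: the restricted options block from this howto.
RESTRICTED_OPTIONS = """
options {
  directory "/var/cache/bind";
  auth-nxdomain no;    # conform to RFC1035
  allow-query { 192.168.1.0/24; } ; # network(s) which are allowed DNS queries
  allow-transfer { none; } ;
  allow-recursion { 192.168.1.0/24; } ; # restrict which clients resolve DNS queries
  listen-on { 192.168.1.20; } ; # interface BIND 9 listens on
  forward only;
  forwarders { 208.67.222.222; 208.67.220.220; };
};
"""

# Constructed sample: the same server left open to the world.
OPEN_OPTIONS = """
options {
  directory "/var/cache/bind";
  allow-query { any; };
  allow-recursion { any; };   // anyone may use this host as a resolver
  /* allow-transfer and listen-on left at their defaults */
  forwarders { 208.67.222.222; };
};
"""

# Statement -> (what it controls, BIND 9's default when the statement is absent).
ACL_STATEMENTS = {
    "allow-query": ("which clients may query the server", "any"),
    "allow-recursion": ("which clients the server recurses for", "localnets; localhost"),
    "allow-transfer": ("which clients may transfer whole zones (AXFR/IXFR)", "any"),
}

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: #, // and /* */."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(#|//).*", "", text)

def parse_acls(conf):
    """Return {statement: [address-match entries]} for allow-* and listen-on statements."""
    acls = {}
    pattern = r"(allow-[\w-]+|listen-on(?:-v6)?)\s*\{([^}]*)\}"
    for name, body in re.findall(pattern, strip_comments(conf)):
        acls[name] = [entry.strip() for entry in body.split(";") if entry.strip()]
    return acls

def audit_options(conf):
    """Return findings for ACLs that are missing or that match any client."""
    acls = parse_acls(conf)
    findings = []
    for stmt, (meaning, default) in ACL_STATEMENTS.items():
        entries = acls.get(stmt)
        if entries is None:
            findings.append(f"{stmt} not set: {meaning} falls back to the default '{default}'")
        elif "any" in entries:
            findings.append(f"{stmt} is 'any': {meaning} is unrestricted")
    if "listen-on" not in acls:
        findings.append("listen-on not set: named binds to every IPv4 interface")
    return findings

if __name__ == "__main__":
    for label, conf in (("restricted", RESTRICTED_OPTIONS), ("open", OPEN_OPTIONS)):
        print(f"{label}: {audit_options(conf) or 'no findings'}")
```

Run it against a real file with ''audit_options(open("/etc/bind/named.conf.options").read())''; an empty list means every ACL is set and none of them is ''any''.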


===== Configuring Authoritative DNS =====

Make sure you replace ‘example.com’ with your own registered domain name. The reverse zone name ‘1.168.192.in-addr.arpa’ is built from the first three octets of your static IP address in reverse order, i.e. 192.168.0.20 gives ‘0.168.192.in-addr.arpa’ and 192.168.1.20 gives ‘1.168.192.in-addr.arpa’.

''# vim /etc/bind/named.conf.local''

  zone "example.com" {
  type master;
  file "/etc/bind/zones/example.com.db";
  };
  
  zone "1.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/zones/1.168.192.in-addr.arpa";
  };


==== Adding a New Zone ====

You will need to edit this example with your network details and domain name. I have added some extra A records at the end so you can access your desktop via desktop.example.com, etc.

''# mkdir /etc/bind/zones''

''# vim /etc/bind/zones/example.com.db''

  ;
  ; SOA
  ;
  $TTL    1h
  @               IN      SOA     ns1.example.com. hostmaster.example.com. (
                          0000000001      ; Serial number
                          1h              ; Slave refresh
                          15m             ; Slave retry
                          2w              ; Slave expire
                          1h              ; Negative Cache TTL
                          )
  ;
  ; NS RECORDS
  ;
  @               IN      NS              ns1.example.com.
  @               IN      NS              ns2.example.com.
  ;
  ; MX RECORD
  ;
  @               IN      MX      10      mx.example.com.
  
  ;
  ; A RECORDS
  ;
  @               IN      A               192.168.1.20
  www             IN      A               192.168.1.20
  ns1             IN      A               192.168.1.20
  ns2             IN      A               192.168.1.20
  mx              IN      A               192.168.1.20
  desktop         IN      A               192.168.1.21
  laptop          IN      A               192.168.1.22
  router          IN      A               192.168.1.254
  

==== Reverse DNS ====

Make sure you change the ‘20’ at the bottom left of the file to the last octet of your server's IP address.

''# vim /etc/bind/zones/1.168.192.in-addr.arpa''

  $TTL    1h
  @ IN SOA ns1.example.com. hostmaster.example.com. (
                          0000000001;
                          1h;
                          15m;
                          2w;
                          1h
                          )
  
                       IN    NS     ns1.example.com.
  20                   IN    PTR    example.com.
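The two rules above (reverse the first three octets for the zone name, use the last octet as the PTR owner) are easy to get wrong by hand. The following Python script is an added example, not part of the original howto: it parses the A records out of a forward zone file and generates the matching in-addr.arpa zone for a /24, so the reverse zone cannot drift from the forward one. The embedded zone text is a constructed copy of the example.com zone from this page; the SOA timers are written out on one line, which BIND accepts just as it accepts the multi-line form.

```python
import ipaddress

# Constructed sample: the forward zone from this howto, trimmed to the records that matter.
FORWARD_ZONE = """\
$TTL    1h
@               IN      SOA     ns1.example.com. hostmaster.example.com. (
                        0000000001      ; Serial number
                        1h              ; Slave refresh
                        15m             ; Slave retry
                        2w              ; Slave expire
                        1h              ; Negative Cache TTL
                        )
@               IN      NS              ns1.example.com.
@               IN      NS              ns2.example.com.
@               IN      MX      10      mx.example.com.
@               IN      A               192.168.1.20
www             IN      A               192.168.1.20
ns1             IN      A               192.168.1.20
desktop         IN      A               192.168.1.21
router          IN      A               192.168.1.254
"""

def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa' (first three octets, reversed)."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("only IPv4 /24 reverse zones are handled here")
    octets = str(net.network_address).split(".")[:3]
    return ".".join(reversed(octets)) + ".in-addr.arpa"

def parse_a_records(zone_text, origin):
    """Return [(fqdn without trailing dot, ip)] for every A record in a zone file."""
    records = []
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()          # drop ';' comments, then tokenize
        if len(fields) < 4 or fields[-2] != "A":        # skip $TTL, SOA, NS, MX, ...
            continue
        owner, ip = fields[0], fields[-1]
        ipaddress.ip_address(ip)                        # raises on a malformed address
        if owner == "@":
            fqdn = origin
        elif owner.endswith("."):
            fqdn = owner[:-1]
        else:
            fqdn = f"{owner}.{origin}"
        records.append((fqdn, ip))
    return records

def build_reverse_zone(records, network, ns, hostmaster, serial, ttl="1h"):
    """Emit the in-addr.arpa zone for one /24; the first name seen for an address wins."""
    net = ipaddress.ip_network(network, strict=False)
    ptrs = {}
    for fqdn, ip in records:
        addr = ipaddress.ip_address(ip)
        last_octet = int(addr) & 0xFF                    # becomes the PTR owner name
        if addr in net and last_octet not in ptrs:
            ptrs[last_octet] = fqdn
    lines = [
        f"$TTL    {ttl}",
        f"@ IN SOA {ns} {hostmaster} ( {serial} 1h 15m 2w 1h )",
        f"  IN NS {ns}",
    ]
    for last_octet in sorted(ptrs):
        lines.append(f"{last_octet:<4} IN PTR {ptrs[last_octet]}.")
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    records = parse_a_records(FORWARD_ZONE, "example.com")
    print(f"; zone {reverse_zone_name('192.168.1.0/24')}")
    print(build_reverse_zone(records, "192.168.1.0/24", "ns1.example.com.",
                             "hostmaster.example.com.", 1), end="")
```

Because several names share 192.168.1.20, the script keeps the first one it meets (the apex, ''example.com.''), which is exactly the PTR the howto writes by hand; reorder the A records if you want a different name to answer reverse lookups.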
  

===== Setting up Chroot Environment =====

Set BIND 9 to run as an unprivileged user and chroot to /var/lib/named

''# vim /etc/default/bind9''

  # run resolvconf?
  RESOLVCONF=yes
  # startup options for the server
  OPTIONS="-u bind -t /var/lib/named"

We need to create the directories BIND 9 will chroot to.

''# mkdir -p /var/lib/named/etc''

''# mkdir -p /var/lib/named/dev''

''# mkdir -p /var/lib/named/var/cache/bind''

''# mkdir -p /var/lib/named/var/run/bind/run''

Move the BIND 9 configuration directory to /var/lib/named/etc.

''# mv /etc/bind /var/lib/named/etc''

Create a symlink from the new location to the old location.

''# ln -s /var/lib/named/etc/bind /etc/bind''

Create null and random devices.

''# mknod /var/lib/named/dev/null c 1 3''

''# mknod /var/lib/named/dev/random c 1 8''

Set the permissions of the directories.

''# chmod 666 /var/lib/named/dev/null''

''# chmod 666 /var/lib/named/dev/random''

''# chown -R bind:bind /var/lib/named/var/*''

''# chown -R bind:bind /var/lib/named/etc/bind''

We need to add this line to the sysklogd defaults so we get important messages logged: inside the chroot, named cannot reach the host's /dev/log, so syslogd has to open a second log socket under /var/lib/named.

''# vim /etc/default/syslogd''

  SYSLOGD="-a /var/lib/named/dev/log"

Restart sysklogd and start BIND 9

''# /etc/init.d/sysklogd restart''

''# /etc/init.d/bind9 start''
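If any of the steps above is skipped, named either refuses to start or, worse, reads a configuration inside the jail that differs from the one you edit on the host. The following Python script is an added check, not part of the original howto: it audits a chroot tree against the layout built above (the directories, the two device nodes with their major/minor numbers and 0666 mode, ownership by the bind user, and /etc/bind resolving into the jail) and returns a list of findings. The default paths are the ones used on this page; ''root'', ''owner'' and ''host_config'' are parameters so the same function can be pointed at another tree.

```python
import os
import pwd
import stat

# Layout this howto creates under /var/lib/named (directories relative to the chroot)
# and the two device nodes it makes with mknod, as (major, minor).
REQUIRED_DIRS = ["etc/bind", "dev", "var/cache/bind", "var/run/bind/run"]
REQUIRED_DEVICES = {"dev/null": (1, 3), "dev/random": (1, 8)}
# Paths named writes to at runtime, so they must belong to the unprivileged user.
OWNED_BY_BIND = ["etc/bind", "var/cache/bind", "var/run/bind/run"]

def audit_chroot(root="/var/lib/named", owner="bind", host_config="/etc/bind"):
    """Return a list of findings; an empty list means the jail matches the layout above."""
    findings = []
    for rel in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(root, rel)):
            findings.append(f"missing directory {rel}")
    for rel, (major, minor) in REQUIRED_DEVICES.items():
        path = os.path.join(root, rel)
        try:
            st = os.stat(path)
        except FileNotFoundError:
            findings.append(f"missing device node {rel}")
            continue
        if not stat.S_ISCHR(st.st_mode):
            findings.append(f"{rel} is not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            findings.append(f"{rel} is device {os.major(st.st_rdev)}:{os.minor(st.st_rdev)}, "
                            f"expected {major}:{minor}")
        if stat.S_IMODE(st.st_mode) != 0o666:
            findings.append(f"{rel} mode is {oct(stat.S_IMODE(st.st_mode))}, expected 0o666")
    try:
        uid = pwd.getpwnam(owner).pw_uid
    except KeyError:
        findings.append(f"user {owner} does not exist; OPTIONS=\"-u {owner}\" would fail")
        uid = None
    for rel in OWNED_BY_BIND:
        path = os.path.join(root, rel)
        if uid is not None and os.path.isdir(path) and os.stat(path).st_uid != uid:
            findings.append(f"{rel} is not owned by {owner}")
    # The host-side path must resolve into the jail, otherwise the config you
    # edit on the host and the one named reads inside the chroot diverge.
    jail_config = os.path.realpath(os.path.join(root, "etc/bind"))
    if os.path.realpath(host_config) != jail_config:
        findings.append(f"{host_config} does not resolve to {jail_config}")
    return findings

if __name__ == "__main__":
    for finding in audit_chroot() or ["chroot layout looks consistent"]:
        print(finding)
```

Run it as root after the last step above; it reads only, so it is safe to rerun after every change until the list is empty.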


===== Configure Network Settings =====

The server needs a static IP address. If DHCP is used and the server's IP keeps changing, DNS will stop working, because the zone files point BIND 9 at an address that no longer exists. Here are my network interface settings; you will probably need to modify them to suit your network.

''# aptitude remove dhcp3-common''

''# vim /etc/network/interfaces''

  # This file describes the network interfaces available on your system
  # and how to activate them. For more information, see interfaces(5).
  
  # The loopback network interface
  auto lo
  iface lo inet loopback
  
  # The primary network interface
  auto eth0
  allow-hotplug eth0
  iface eth0 inet static
  
  address 192.168.1.20
  netmask 255.255.255.0
  network 192.168.1.0
  broadcast 192.168.1.255
  gateway 192.168.1.254
  # dns-* options are implemented by the resolvconf package, if installed
  dns-nameservers 192.168.1.20

Edit resolv.conf so DNS queries will point to BIND 9, change the IP accordingly.

''# vim /etc/resolv.conf''

  nameserver 192.168.1.20

Restart the network.

''# /etc/init.d/networking restart''

===== Check DNS is Working =====

Make sure you change the IP accordingly. You can also check subdomains (''dig @192.168.1.20 desktop.example.com'') and MX mail records (''dig MX @192.168.1.20 example.com'').

''# dig @192.168.1.20 example.com''

  ; <<>> DiG 9.5.0-P2 <<>> @192.168.1.20 example.com
  ; (1 server found)
  ;; global options:  printcmd
  ;; Got answer:
  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42726
  ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2
  
  ;; QUESTION SECTION:
  ;example.com.			IN	A
  
  ;; ANSWER SECTION:
  example.com.		3600	IN	A	192.168.1.20
  
  ;; AUTHORITY SECTION:
  example.com.		3600	IN	NS	ns1.example.com.
  example.com.		3600	IN	NS	ns2.example.com.
  
  ;; ADDITIONAL SECTION:
  ns1.example.com.	3600	IN	A	192.168.1.20
  ns2.example.com.	3600	IN	A	192.168.1.20
  
  ;; Query time: 0 msec
  ;; SERVER: 192.168.1.20#53(192.168.1.20)
  ;; WHEN: Sun Jan 11 07:53:47 2009
  ;; MSG SIZE  rcvd: 116
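The line to look at in that output is ''flags: qr aa rd ra'': the ''aa'' flag means the answer came from this server's own zone rather than from a forwarder or cache, which is what you are trying to confirm. The following Python script is an added example, not part of the original howto: it parses dig's text output into status, flags and per-section records, then checks that the answer was authoritative, NOERROR, and carries the expected A record. The embedded output is a constructed copy of the dig answer above with the trailing statistics trimmed.

```python
import re

# Constructed sample: the dig answer shown in this howto (trailing statistics trimmed).
DIG_OUTPUT = """\
; <<>> DiG 9.5.0-P2 <<>> @192.168.1.20 example.com
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42726
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com.\t\t\tIN\tA

;; ANSWER SECTION:
example.com.\t\t3600\tIN\tA\t192.168.1.20

;; AUTHORITY SECTION:
example.com.\t\t3600\tIN\tNS\tns1.example.com.
example.com.\t\t3600\tIN\tNS\tns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com.\t3600\tIN\tA\t192.168.1.20
ns2.example.com.\t3600\tIN\tA\t192.168.1.20
"""

def parse_dig(output):
    """Return the status, the header flags and the records of every section."""
    result = {"status": None, "flags": set(), "sections": {}}
    section = None
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status: (\w+)", line)
            result["status"] = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            flag_text = line[len(";; flags:"):].split(";", 1)[0]
            result["flags"] = set(flag_text.split())
        elif line.endswith("SECTION:"):
            section = line.strip(";: ").split()[0]      # QUESTION, ANSWER, AUTHORITY, ...
            result["sections"][section] = []
        elif section and line.strip() and not line.startswith(";"):
            owner, ttl, _cls, rtype, *rdata = line.split()
            result["sections"][section].append((owner, int(ttl), rtype, " ".join(rdata)))
    return result

def check_authoritative_answer(output, name, expected_ip):
    """Return problems found; an empty list means an authoritative NOERROR answer with the expected A record."""
    parsed = parse_dig(output)
    fqdn = name.rstrip(".") + "."
    problems = []
    if parsed["status"] != "NOERROR":
        problems.append(f"status is {parsed['status']}, expected NOERROR")
    if "aa" not in parsed["flags"]:
        problems.append("no 'aa' flag: the answer did not come from this server's own zone")
    answers = sorted(rdata for owner, _ttl, rtype, rdata in parsed["sections"].get("ANSWER", [])
                     if owner == fqdn and rtype == "A")
    if expected_ip not in answers:
        problems.append(f"A record for {fqdn} is {answers or 'missing'}, expected {expected_ip}")
    return problems

if __name__ == "__main__":
    print(check_authoritative_answer(DIG_OUTPUT, "example.com", "192.168.1.20")
          or "OK: authoritative answer with the expected address")
```

To use it on a live server, feed it the output of the dig command above, e.g. ''check_authoritative_answer(subprocess.check_output(["dig", "@192.168.1.20", "example.com"], text=True), "example.com", "192.168.1.20")''; a missing ''aa'' flag usually means the query reached a forwarder or a cached copy instead of the zone you just wrote.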
 

Check that reverse DNS is working.

''# host 192.168.1.20''

  20.1.168.192.in-addr.arpa domain name pointer example.com.