BIND-9.3.1

Config files

named.conf, root.hints, 127.0.0, rndc.conf and resolv.conf

Configuration Information

BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.

Create the unprivileged user and group named:

groupadd -g 20 named &&
useradd -m -c "BIND Owner" -g named -s /bin/false -u 20 named

Set up some files, directories and devices needed by BIND:

cd /home/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /home/named/dev/null c 1 3 &&
mknod /home/named/dev/random c 1 8 &&
chmod 666 /home/named/dev/{null,random} &&
mkdir /home/named/etc/namedb/pz &&
cp /etc/localtime /home/named/etc

Then, generate a key for use in the named.conf and rdnc.conf files using the rndc-confgen command:

rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2

Create the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:

cat > /home/named/etc/named.conf << "EOF"
 options {
     directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

 };
 controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 key "rndc_key" {
     algorithm hmac-md5;
     secret "[Insert secret from rndc-confgen's output here]";
 };
 zone "." {
     type hint;
     file "root.hints";
 };
 zone "0.0.127.in-addr.arpa" {
     type master;
     file "pz/127.0.0";
 };

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
     category default { default_syslog; default_debug; };
     category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
     null;                                // toss anything sent to
                                          // this channel
  };
};

EOF

Create the rndc.conf file with the following commands:

cat > /etc/rndc.conf << "EOF"
key rndc_key {
algorithm "hmac-md5";
    secret
    "[Insert secret from rndc-confgen's output here]";
    };
options {
    default-server localhost;
    default-key    rndc_key;
};
EOF

The rndc.conf file contains information for controlling named operations with the rndc utility.

Create a zone file with the following contents:

cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF

Create the root.hints file with the following commands:

Note

Caution must be used to ensure there are no leading spaces in this file.

cat > /home/named/etc/namedb/root.hints << "EOF"
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
EOF

The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from ftp://rs.internic.net/domain/named.root. Consult the BIND 9 Administrator Reference Manual for details.

Create or modify resolv.conf to use the new name server with the following commands:

Note

Replace [yourdomain.com] with your own valid domain name.

cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search [yourdomain.com]
nameserver 127.0.0.1
EOF

Set permissions on the chroot jail with the following command:

chown -R named.named /home/named

Boot Script

To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the blfs-bootscripts-6.1 package.

make install-bind

Now start BIND with the new boot script:

/etc/rc.d/init.d/bind start

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig:

dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:

dig www.linuxfromscratch.org &&
dig www.linuxfromscratch.org

You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual located at doc/arm/Bv9ARM.html in the package source tree, for further configuration options.

dig	interrogates DNS servers.
dnssec-keygen	is a key generator for secure DNS.
dnssec-signzone	generates signed versions of zone files.
host	is a utility for DNS lookups.
lwresd	is a caching-only name server for local process use.
named	is the name server daemon.
named-checkconf	checks the syntax of `named.conf` files.
named-checkzone	checks zone file validity.
nslookup	is a program used to query Internet domain nameservers.
nsupdate	is used to submit DNS update requests.
rndc	controls the operation of BIND.
rndc-confgen	generates `rndc.conf` files.

Beyond Linux From Scratch - Version 6.1

Chapter 21. Major Servers

BIND-9.3.1

Introduction to BIND

Package Information

BIND Dependencies

Optional

Optional (to Run the Test Suite)

Optional (to [Re]Build Documentation)

Installation of BIND

Command Explanations

Configuring BIND

Config files

Configuration Information

Note

Note

Boot Script

Testing BIND

Contents

Short Descriptions