%general-entities; ]> $LastChangedBy$ $Date$ <acronym>BIND</acronym>-&bind-version; Introduction to <application><acronym>BIND</acronym></application> The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the . Package information Download (HTTP): Download (FTP): Download size: &bind-size; Estimated Disk space required: &bind-buildsize; Estimated build time: &bind-time; <application><acronym>BIND</acronym></application> dependencies Optional , , and Installation of <application><acronym>BIND</acronym></application> Install BIND by running the following commands: ./configure --prefix=/usr --sysconfdir=/etc && make && make install Configuring <application><acronym>BIND</acronym></application> Config files named.conf, root.hints, 127.0.0, rndc.conf Configuration Information We will configure BIND to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory. First we create the unprivileged user and group named: groupadd named && useradd -m -g named -s /bin/false named Then we set up some files, directories and devices needed by BIND: cd /home/named && mkdir -p dev etc/namedb/slave var/run && mknod /home/named/dev/null c 1 3 && mknod /home/named/dev/random c 1 8 && chmod 666 /home/named/dev/{null,random} && mkdir /home/named/etc/namedb/pz && cp /etc/localtime /home/named/etc Create the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys: cat > /home/named/etc/named.conf << "EOF" options { directory "/etc/namedb"; pid-file "/var/run/named.pid"; statistics-file "/var/run/named.stats"; }; controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; }; key "rndc_key" { algorithm hmac-md5; secret "[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]"; }; zone "." { type hint; file "root.hints"; }; zone "0.0.127.in-addr.arpa" { type master; file "pz/127.0.0"; }; EOF Create a zone file with the following contents: cat > /home/named/etc/namedb/pz/127.0.0 << "EOF" $TTL 3D @ IN SOA ns.local.domain. hostmaster.local.domain. ( 1 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS ns.local.domain. 1 PTR localhost. EOF Create the root.hints file with the following commands: Caution must be used to ensure no leading spaces in this file. cat > /home/named/etc/namedb/root.hints << "EOF" . 6D IN NS A.ROOT-SERVERS.NET. . 6D IN NS B.ROOT-SERVERS.NET. . 6D IN NS C.ROOT-SERVERS.NET. . 6D IN NS D.ROOT-SERVERS.NET. . 6D IN NS E.ROOT-SERVERS.NET. . 6D IN NS F.ROOT-SERVERS.NET. . 6D IN NS G.ROOT-SERVERS.NET. . 6D IN NS H.ROOT-SERVERS.NET. . 6D IN NS I.ROOT-SERVERS.NET. . 6D IN NS J.ROOT-SERVERS.NET. . 6D IN NS K.ROOT-SERVERS.NET. . 6D IN NS L.ROOT-SERVERS.NET. . 6D IN NS M.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4 B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107 C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12 D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90 E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10 F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241 G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4 H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53 I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17 J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30 K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129 L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12 M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33 EOF The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. Consult the BIND 9 Administrator Reference Manual for details. Create the rndc.conf with the following commands: cat > /etc/rndc.conf << "EOF" key rndc_key { algorithm "hmac-md5"; secret "[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]"; }; options { default-server localhost; default-key rndc_key; }; EOF The rndc.conf file contains information for controlling named operations with the rndc utility. Create or modify resolv.conf to use the new name server with the following commands: Replace yourdomain.com with your own valid domain name. cp /etc/resolv.conf /etc/resolv.conf.bak && cat > /etc/resolv.conf << "EOF" search [yourdomain.com] nameserver 127.0.0.1 EOF Set permissions on the chroot jail with the following command: chown -R named.named /home/named To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the package. make install-bind Now start BIND with the new boot script: /etc/rc.d/init.d/bind start Testing <application><acronym>BIND</acronym></application> Test out the new BIND 9 installation. First query the local host address with dig: dig -x 127.0.0.1 Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address: dig www.linuxfromscratch.org && dig www.linuxfromscratch.org You can see almost instantaneous results with the named caching lookups. Consult bind-&bind-version;/doc/arm/Bv9ARM.html, the BIND Administrator Reference Manual for further configuration options. Contents The BIND package contains dig, host, isc-config.sh, nslookup, rndc, rndc-confgen, named-checkconf, named-checkzone, lwresd, named, dnssec-signzone, dnssec-signkey, dnssec-keygen, dnssec-makekeyset and nsupdate. Description dig dig interrogates DNS servers. host host is a utility for DNS lookups. nslookup nslookup is a program used to query Internet domain nameservers. rndc rndc controls the operation of BIND. rndc-confgen rndc-confgen generates rndc.conf files. named-checkconf named-checkconf checks the syntax of named.conf files. named-checkzone named-checkzone checks zone file validity. lwresd lwresd is a caching-only name server for local process use. named named is the name server daemon. dnssec-signzone dnssec-signzone generates signed versions of zone files. dnssec-signkey dnssec-signkey signs zone file key sets. dnssec-keygen dnssec-keygen is a key generator for secure DNS. dnssec-makekeyset dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen. nsupdate nsupdate is used to submit DNS update requests.