BIND-&bind-version;

Introduction to BIND

The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the separate page for the BIND utilities.

This package is known to build and work properly using an LFS 11.1 platform.

Package Information

  Download (HTTP):
  Download (FTP):
  Download MD5 sum: &bind-md5sum;
  Download size: &bind-size;
  Estimated disk space required: &bind-buildsize;
  Estimated build time: &bind-time;

BIND Dependencies

Required

Recommended and Optional
, , , , , cmocka, geoip, pytest, Sphinx, and w3m

Optional database backends
, or MySQL, , , and

Optional (to run the test suite)

Optional (to rebuild the documentation)
, , and (or )

User Notes:

Installation of BIND

Install BIND by running the following commands:

  ./configure --prefix=/usr           \
              --sysconfdir=/etc       \
              --localstatedir=/var    \
              --mandir=/usr/share/man \
              --disable-static        &&
  make

Issue the following commands to run the complete suite of tests. First, as the root user, set up some test interfaces:

  Note: If IPv6 is not enabled in the kernel, there will be several error messages: "RTNETLINK answers: Operation not permitted". These messages do not affect the tests.

  bin/tests/system/ifconfig.sh up

The test suite may indicate some skipped tests depending on what configuration options are used. Some tests are marked UNTESTED if is not installed. To run the tests, as an unprivileged user, execute:

  make -k check

Again as root, clean up the test interfaces:

  bin/tests/system/ifconfig.sh down

Finally, install the package as the root user:

  make install

Command Explanations

--sysconfdir=/etc: This parameter forces BIND to look for configuration files in /etc instead of /usr/etc.

: This parameter enables IDNA2008 (Internationalized Domain Names in Applications) support.

: Use this option if you want to be able to limit the rate of recursive client queries. This may be useful on servers which receive a large number of queries.
: BIND can also be built without capability support by using this option, at the cost of some loss of security.

: Use one (or more) of these options to add Dynamically Loadable Zones (DLZ) support. For more information refer to bind-dlz.sourceforge.net.

Configuring BIND

Config Files

named.conf, root.hints, 127.0.0, rndc.conf, and resolv.conf:
/etc/named.conf, /etc/rndc.conf, /etc/resolv.conf, /etc/namedb/root.hints, and /etc/namedb/pz/127.0.0.0

Configuration Information

BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.

Create the unprivileged user and group named:

  groupadd -g 20 named &&
  useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
  install -d -m770 -o named -g named /srv/named

Set up some files, directories and devices needed by BIND:

  mkdir -p /srv/named &&
  cd /srv/named &&
  mkdir -p dev etc/named/{slave,pz} usr/lib/engines var/run/named &&
  mknod /srv/named/dev/null c 1 3 &&
  mknod /srv/named/dev/urandom c 1 9 &&
  chmod 666 /srv/named/dev/{null,urandom} &&
  cp /etc/localtime etc

The rndc.conf file contains information for controlling named operations with the rndc utility. Generate a key for use in the named.conf and rndc.conf with the rndc-confgen command:

  rndc-confgen -a -b 512 -t /srv/named

Complete the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:

  cat >> /srv/named/etc/named.conf << "EOF"
  options {
      directory "/etc/named";
      pid-file "/var/run/named.pid";
      statistics-file "/var/run/named.stats";
  };
  zone "." {
      type hint;
      file "root.hints";
  };
  zone "0.0.127.in-addr.arpa" {
      type master;
      file "pz/127.0.0";
  };
  // Bind 9 now logs by default through syslog (except debug).
  // These are the default logging rules.
  logging {
      category default { default_syslog; default_debug; };
      category unmatched { null; };

      channel default_syslog {
          syslog daemon;                      // send to syslog's daemon
                                              // facility
          severity info;                      // only send priority info
                                              // and higher
      };

      channel default_debug {
          file "named.run";                   // write to named.run in
                                              // the working directory
                                              // Note: stderr is used instead
                                              // of "named.run"
                                              // if the server is started
                                              // with the '-f' option.
          severity dynamic;                   // log at the server's
                                              // current debug level
      };

      channel default_stderr {
          stderr;                             // writes to stderr
          severity info;                      // only send priority info
                                              // and higher
      };

      channel null {
          null;                               // toss anything sent to
                                              // this channel
      };
  };
  EOF

Create a zone file with the following contents:

  cat > /srv/named/etc/named/pz/127.0.0 << "EOF"
  $TTL 3D
  @      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                          1       ; Serial
                          8H      ; Refresh
                          2H      ; Retry
                          4W      ; Expire
                          1D)     ; Minimum TTL
                  NS      ns.local.domain.
  1               PTR     localhost.
  EOF

Create the root.hints file with the following commands:

  Caution must be used to ensure there are no leading spaces in this file.

  cat > /srv/named/etc/named/root.hints << "EOF"
  .                        6D  IN      NS      A.ROOT-SERVERS.NET.
  .                        6D  IN      NS      B.ROOT-SERVERS.NET.
  .                        6D  IN      NS      C.ROOT-SERVERS.NET.
  .                        6D  IN      NS      D.ROOT-SERVERS.NET.
  .                        6D  IN      NS      E.ROOT-SERVERS.NET.
  .                        6D  IN      NS      F.ROOT-SERVERS.NET.
  .                        6D  IN      NS      G.ROOT-SERVERS.NET.
  .                        6D  IN      NS      H.ROOT-SERVERS.NET.
  .                        6D  IN      NS      I.ROOT-SERVERS.NET.
  .                        6D  IN      NS      J.ROOT-SERVERS.NET.
  .                        6D  IN      NS      K.ROOT-SERVERS.NET.
  .                        6D  IN      NS      L.ROOT-SERVERS.NET.
  .                        6D  IN      NS      M.ROOT-SERVERS.NET.
  A.ROOT-SERVERS.NET.      6D  IN      A       198.41.0.4
  A.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:503:ba3e::2:30
  B.ROOT-SERVERS.NET.      6D  IN      A       192.228.79.201
  B.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:200::b
  C.ROOT-SERVERS.NET.      6D  IN      A       192.33.4.12
  C.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:2::c
  D.ROOT-SERVERS.NET.      6D  IN      A       199.7.91.13
  D.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:2d::d
  E.ROOT-SERVERS.NET.      6D  IN      A       192.203.230.10
  E.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:a8::e
  F.ROOT-SERVERS.NET.      6D  IN      A       192.5.5.241
  F.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:2f::f
  G.ROOT-SERVERS.NET.      6D  IN      A       192.112.36.4
  G.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:12::d0d
  H.ROOT-SERVERS.NET.      6D  IN      A       198.97.190.53
  H.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:1::53
  I.ROOT-SERVERS.NET.      6D  IN      A       192.36.148.17
  I.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:7fe::53
  J.ROOT-SERVERS.NET.      6D  IN      A       192.58.128.30
  J.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:503:c27::2:30
  K.ROOT-SERVERS.NET.      6D  IN      A       193.0.14.129
  K.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:7fd::1
  L.ROOT-SERVERS.NET.      6D  IN      A       199.7.83.42
  L.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:500:9f::42
  M.ROOT-SERVERS.NET.      6D  IN      A       202.12.27.33
  M.ROOT-SERVERS.NET.      6D  IN      AAAA    2001:dc3::35
  EOF

The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained online. For details, consult the "BIND 9 Administrator Reference Manual", included in every source archive of BIND 9 distributed by ISC, in HTML and PDF formats, and also available online as the BIND 9 Administrator Reference Manual.

Create or modify resolv.conf to use the new name server with the following commands:

  Replace <yourdomain.com> with your own valid domain name.

  cp /etc/resolv.conf /etc/resolv.conf.bak &&
  cat > /etc/resolv.conf << "EOF"
  search <yourdomain.com>
  nameserver 127.0.0.1
  EOF

Set permissions on the chroot jail with the following command:

  chown -R named:named /srv/named

Boot Script (SysV) / Systemd Unit (systemd)

To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script (SysV) or the named.service unit (systemd) included in the package:

  make install-bind      (SysV)
  make install-named     (systemd)

Now start BIND with the following command:

  /etc/rc.d/init.d/bind start     (SysV)
  systemctl start named           (systemd)

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig:

  dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching.
Run the dig command twice on the same address:

  dig www.&lfs-domainname; &&
  dig www.&lfs-domainname;

You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual for further configuration options.

Contents

Installed Programs: arpaname, ddns-confgen, delv, dig, dnssec-cds, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-keymgr, dnssec-revoke, dnssec-settime, dnssec-signzone, dnssec-verify, host, mdig, named, named-checkconf, named-checkzone, named-compilezone (symlink), named-journalprint, named-nzd2nzf, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen, and tsig-keygen (symlink)

Installed Libraries: libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so, libisccfg.so, and libns.so

Installed Directories: /usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,ns,pk11,pkcs11}, /usr/lib/named, /usr/lib/python&python3-majorver;/site-packages/isc, and /srv/named

Short Descriptions

arpaname: translates IP addresses to the corresponding ARPA names

ddns-confgen: generates a key for use by nsupdate and named

delv: is a new debugging tool that is a successor to dig

dig: interrogates DNS servers

dnssec-cds: changes DS records for a child zone based on CDS/CDNSKEY

dnssec-checkds: is a DNSSEC delegation consistency checking tool

dnssec-coverage: verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage

dnssec-dsfromkey: outputs the Delegation Signer (DS) resource record (RR)

dnssec-importkey: reads a public DNSKEY record and generates a pair of .key/.private files

dnssec-keyfromlabel: gets keys with the given label from a cryptography hardware device and builds key files for DNSSEC

dnssec-keygen: is a key generator for secure DNS

dnssec-keymgr: ensures correct DNSKEY coverage based on a defined policy

dnssec-revoke: sets the REVOKED bit on a DNSSEC key

dnssec-settime: sets the key timing metadata for a DNSSEC key

dnssec-signzone: generates signed versions of zone files

dnssec-verify: verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete

host: is a utility for DNS lookups

mdig: is a version of dig that allows multiple queries at once

named: is the name server daemon

named-checkconf: checks the syntax of named.conf files

named-checkzone: checks zone file validity

named-compilezone: is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format

named-journalprint: prints the zone journal in human-readable form

named-rrchecker: reads an individual DNS resource record from standard input and checks if it is syntactically correct

named-nzd2nzf: converts an NZD database to NZF text format

nsec3hash: generates an NSEC3 hash based on a set of NSEC3 parameters

nslookup: is a program used to query Internet domain nameservers

nsupdate: is used to submit DNS update requests

rndc: controls the operation of BIND

rndc-confgen: generates rndc.conf files

tsig-keygen: is a symlink to ddns-confgen
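The dig -x 127.0.0.1 test in "Testing BIND" asks named for the PTR record that the 127.0.0 zone file defines (1 PTR localhost.). The following Python script is an added example, not code from this page or from BIND: it builds that reverse-lookup query in DNS wire format (RFC 1035) and parses a reply constructed inline to resemble what the zone would return, including a name-compression pointer. The transaction id, the flag values and the sample reply bytes are constructed for the example; nothing is captured from a live server.

```python
"""Added example (not from the BLFS page or from BIND): build the PTR query
that `dig -x 127.0.0.1` sends and parse a reply constructed to match the
`1 PTR localhost.` record of the 127.0.0 zone.  Standard library only."""
import ipaddress
import struct

TYPE_PTR, CLASS_IN = 12, 1

def reverse_name(ip: str) -> str:
    """Map an IPv4 address to its in-addr.arpa owner name, as dig -x does."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + ".in-addr.arpa."

def name_to_wire(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_ptr_query(ip: str, txid: int = 0x1234) -> bytes:
    """Standard query with RD set and one PTR/IN question (txid is constructed)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + name_to_wire(reverse_name(ip)) + struct.pack("!HH", TYPE_PTR, CLASS_IN)

def read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (name, offset after it).
    Pointer hops are capped so a crafted reply cannot make the parser loop."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                   # 11xxxxxx: compression pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2                       # name ends after the first pointer
            off, jumped = ptr, True
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end

def parse_response(msg: bytes) -> dict:
    """Parse the header, the question and the answer section of a DNS response."""
    txid, flags, _qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & 0x8000:                          # QR bit must be set
        raise ValueError("not a response")
    off = 12
    qname, off = read_name(msg, off)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    off += 4
    answers = []
    for _ in range(ancount):
        owner, off = read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = read_name(msg, off)[0] if rtype == TYPE_PTR else msg[off:off + rdlen]
        off += rdlen
        answers.append((owner, rtype, ttl, rdata))
    return {"id": txid, "rcode": flags & 0xF, "qname": qname, "qtype": qtype, "answers": answers}

def sample_ptr_response(query: bytes) -> bytes:
    """Constructed reply (not captured from a server): echoes the question,
    sets QR/AA/RD/RA, and answers with a 0xC00C pointer back to the question
    name and rdata 'localhost.' with the zone's 3-day TTL."""
    header = query[:2] + struct.pack("!HHHHH", 0x8580, 1, 1, 0, 0)
    rdata = name_to_wire("localhost.")
    rr = b"\xc0\x0c" + struct.pack("!HHIH", TYPE_PTR, CLASS_IN, 3 * 24 * 3600, len(rdata)) + rdata
    return header + query[12:] + rr

if __name__ == "__main__":
    reply = parse_response(sample_ptr_response(build_ptr_query("127.0.0.1")))
    for owner, rtype, ttl, rdata in reply["answers"]:
        print(owner, ttl, "PTR" if rtype == TYPE_PTR else rtype, rdata)
```

The parser bounds the number of compression-pointer hops it will follow; a resolver or monitoring tool that decodes untrusted replies needs that guard, since a pointer that refers back to itself would otherwise never terminate.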
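nsec3hash, listed above, computes the hashed owner name used by NSEC3 records. The following Python function is an added example, not code from this page or from BIND: it implements the iterated SHA-1 construction of RFC 5155 section 5 over the canonical (lowercased) wire-format name and encodes the digest in base32hex, which is the form nsec3hash prints. The known-answer input (name example, salt aabbccdd, 12 iterations) is the one from RFC 5155 Appendix A; the base32hex encoder is written out here rather than taken from the standard library so the 5-bit grouping is visible.

```python
"""Added example (not from the BLFS page or from BIND): NSEC3 owner-name
hashing as specified in RFC 5155 section 5, the computation nsec3hash performs.
Standard library only."""
import hashlib

BASE32HEX = "0123456789ABCDEFGHIJKLMNOPQRSTUV"   # RFC 4648 "extended hex" alphabet

def name_to_wire(name: str) -> bytes:
    """Canonical wire form: lowercase labels, each length-prefixed, zero terminator."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            if len(raw) > 63:
                raise ValueError("label too long")
            out += bytes([len(raw)]) + raw
    return out + b"\x00"

def base32hex(data: bytes) -> str:
    """Base32hex without padding; a 20-byte SHA-1 digest maps to exactly 32 symbols."""
    nchars = (len(data) * 8 + 4) // 5
    bits = int.from_bytes(data, "big") << (nchars * 5 - len(data) * 8)  # right-pad to 5-bit boundary
    return "".join(BASE32HEX[(bits >> (5 * (nchars - 1 - i))) & 31] for i in range(nchars))

def nsec3_hash(name: str, salt_hex: str, iterations: int, algorithm: int = 1) -> str:
    """IH(salt, x, 0) = H(x || salt); IH(salt, x, k) = H(IH(salt, x, k-1) || salt).
    'iterations' counts the additional rounds, so the loop runs iterations + 1 times.
    Only hash algorithm 1 (SHA-1) is defined by RFC 5155."""
    if algorithm != 1:
        raise ValueError("unknown NSEC3 hash algorithm")
    if iterations < 0:
        raise ValueError("iterations must be non-negative")
    salt = b"" if salt_hex in ("", "-") else bytes.fromhex(salt_hex)   # '-' means no salt
    digest = name_to_wire(name)
    for _ in range(iterations + 1):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)

if __name__ == "__main__":
    # Known answer from RFC 5155 Appendix A: owner "example", salt aabbccdd, 12 iterations.
    print(nsec3_hash("example", "aabbccdd", 12))
```

Each additional iteration costs every validating resolver, and the signer, one more SHA-1 per name, which is why RFC 9276 recommends zero additional iterations and an empty salt; the function accepts an empty string or "-" for no salt, matching nsec3hash's command-line convention.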