Bind


install bind9

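apt-get update
apt-get install bind9 dnsutils
service bind9 stop
# Abort if the cd fails: an unguarded `rm -rf *` after a failed cd would
# empty whatever directory the shell happened to be in. The absolute path
# keeps the wipe pinned to /etc/bind even if the cd is skipped.
cd /etc/bind/ || exit 1
rm -rf -- /etc/bind/*
mkdir -p /etc/bind/cache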

configure

  • create the file named.conf
cat > named.conf << \EOF
// define trusted networks
acl "trusted" {
    127.0.0.1;
};

// TSIG key used for the dynamic update
include "/etc/bind/rndc.key";

// configure the communication channel for Administrative BIND9 with rndc
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};



options {
    // the working directory of the server
    directory           "/etc/bind";

    // the interfaces and ports that the server will answer queries from
    listen-on-v6        { none; };
    listen-on           { 127.0.0.1; };

    recursion yes;
    allow-recursion     { trusted; };

    // to allow only specific hosts to use the DNS server:
    allow-query         { trusted; };
    allow-query-cache   { trusted; };


    dnssec-enable       yes;
    dnssec-validation   yes;

//    querylog true;
    auth-nxdomain       no; // conform to RFC1035

    // search only querying to the follow nameservers
    forward             first; // or forward only;

    forwarders {
        // Google
        8.8.4.4;
        8.8.8.8;

//        // OpenDNS
//        208.67.220.220;
//        208.67.222.222;
    };

};

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "cache/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
    type master;
    file "cache/db.local";
};

zone "127.in-addr.arpa" {
    type master;
    file "cache/db.127";
};

zone "0.in-addr.arpa" {
    type master;
    file "cache/db.0";
};

zone "255.in-addr.arpa" {
    type master;
    file "cache/db.255";
};
EOF
  • create the file rndc.key
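# hmac-md5 is weak and deprecated for TSIG; hmac-sha256 is supported by
# rndc and named (and is what rndc-confgen generates by default).
# Replace YOURSECRET with a randomly generated, base64-encoded secret.
cat <<'EOF' > rndc.key
key "rndc-key" {
    algorithm hmac-sha256;
    secret "YOURSECRET";
};
EOF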
  • NOTE: you can generate a secret in this way
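# The secret must be unpredictable. Hashing the current time gives anyone
# who can guess the install time (to the second) a tiny search space, so
# draw the secret from the kernel CSPRNG instead: 32 random bytes,
# base64-encoded as TSIG secrets are written. (rndc-confgen -a does the
# same and writes the key file for you.)
head -c 32 /dev/urandom | base64 -w0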

create database files

  • create the file cache/db.local
# Forward zone for "localhost" (referenced from named.conf as cache/db.local).
cat <<'EOF' > cache/db.local
;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
EOF
  • create the file cache/db.127
# Reverse zone for 127.in-addr.arpa (referenced from named.conf as cache/db.127).
cat <<'EOF' > cache/db.127
;
; BIND reverse data file for local loopback interface
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.
EOF
  • create the file cache/db.0
# Reverse zone for 0.in-addr.arpa (referenced from named.conf as cache/db.0).
cat <<'EOF' > cache/db.0
;
; BIND reverse data file for broadcast zone
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
EOF
  • create the file cache/db.255
# Reverse zone for 255.in-addr.arpa (referenced from named.conf as cache/db.255).
cat <<'EOF' > cache/db.255
;
; BIND reverse data file for broadcast zone
;
$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
EOF
  • create the file cache/db.root

This file needs to be updated occasionally, so we prepare a script for that

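cat <<'EOF' > update-db.root.sh
#!/bin/bash
#
# Refresh the root hints file (cache/db.root) from a root server.
# Works relative to its own directory, so it can be run from anywhere.
set -eu

cd "$(dirname "$0")" || exit 1

NAME=cache/db.root
SOURCE=a.root-servers.net
#SOURCE=8.8.4.4

# dig exits non-zero only on transport/usage errors (no reply, bad
# arguments), not on SERVFAIL or an empty answer, so the content of the
# answer is checked separately below before it replaces the current file.
dig +bufsize=1200 +norec NS . @"${SOURCE}" > "${NAME}_new" || exit 1

# Refuse to install a hints file that carries no NS records for the root.
# Plain DNS is not authenticated: if the new file differs unexpectedly from
# the old one, compare it with the published root hints before trusting it.
if ! grep -q -E '^\.[[:space:]]+[0-9]+[[:space:]]+IN[[:space:]]+NS[[:space:]]' "${NAME}_new"; then
    printf 'update-db.root: no root NS records in the answer from %s, keeping the current file\n' "${SOURCE}" >&2
    rm -f -- "${NAME}_new"
    exit 1
fi

# Keep one previous copy so a bad update can be rolled back by hand.
if [ -f "${NAME}" ]; then
    mv -f -- "${NAME}" "${NAME}_old"
fi
mv -- "${NAME}_new" "${NAME}"

chown root:bind "${NAME}"
chmod 644 "${NAME}"

cat "${NAME}"

# End
EOF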
  • change ownership of created files and hide the content of the key file
# rndc.key carries the shared secret, so only root and the bind group may
# read it; the update script is executable by root (and the bind group) only.
chown -- root:bind named.conf rndc.key cache/*
chmod -- 640 rndc.key
chmod -- 750 update-db.root.sh

start and test

  • now, update the db.root, start bind9 and test!
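./update-db.root.sh
# Validate the configuration and load every zone file (including the freshly
# fetched root hints) before starting; a broken file otherwise only shows up
# as a failed service start.
named-checkconf -z named.conf || exit 1
service bind9 start
nslookup google.com 127.0.0.1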

Reference