Bind
install bind9
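apt-get update
apt-get install bind9 dnsutils
service bind9 stop
# The package ships a default configuration in /etc/bind (named.conf.*,
# db.*, bind.keys); keep a copy before the directory is wiped below.
cp -a /etc/bind /etc/bind.orig
# Abort if the cd fails: an unconditional `rm -rf *` after a failed cd
# would empty whatever the current directory happens to be instead.
cd /etc/bind/ || exit 1
rm -rf -- ./*
mkdir /etc/bind/cache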
configure
- create the file named.conf
cat > named.conf << \EOF
// Loopback-only caching/forwarding resolver: every access list below is
// restricted to the "trusted" ACL, so this is not an open resolver.
// define trusted networks
acl "trusted" {
127.0.0.1;
};
// TSIG key used for the dynamic update
// (the same key also authenticates rndc on the control channel below;
// the file itself is created in the next step)
include "/etc/bind/rndc.key";
// configure the communication channel for Administrative BIND9 with rndc
controls {
// control commands are accepted only from loopback and only when signed
// with rndc-key
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};
options {
// the working directory of the server
directory "/etc/bind";
// the interfaces and ports that the server will answer queries from
listen-on-v6 { none; };
listen-on { 127.0.0.1; };
recursion yes;
allow-recursion { trusted; };
// to allow only specific hosts to use the DNS server:
allow-query { trusted; };
allow-query-cache { trusted; };
dnssec-enable yes;
// NOTE(review): dnssec-enable is obsolete in current BIND 9 releases and
// named-checkconf warns about or rejects it — confirm against the installed version.
dnssec-validation yes;
// NOTE(review): with "yes" BIND validates only against explicitly configured
// trust anchors (trust-anchors / managed-keys), and none are configured in this
// file; "auto" uses the built-in root key — confirm which setting is intended.
// querylog true;
auth-nxdomain no; // conform to RFC1035
// forward queries to the following nameservers first; "forward only" would
// never fall back to iterative resolution when they do not answer
forward first; // or forward only;
forwarders {
// Google
8.8.4.4;
8.8.8.8;
// // OpenDNS
// 208.67.220.220;
// 208.67.222.222;
};
};
// prime the server with knowledge of the root servers
// cache/db.root is written by update-db.root.sh (created below); run that
// script before the first start
zone "." {
type hint;
file "cache/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "cache/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "cache/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "cache/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "cache/db.255";
};
EOF
- create the file rndc.key
cat > rndc.key << \EOF
// Shared secret for the rndc control channel (included from named.conf).
// Anyone who can read this file can control the server through rndc, so it
// is made root:bind mode 640 later in this guide.
key "rndc-key" {
// NOTE(review): hmac-md5 is the weakest TSIG algorithm; recent rndc-confgen /
// tsig-keygen emit hmac-sha256 by default — consider that unless an old
// client requires md5.
algorithm hmac-md5;
// YOURSECRET is a placeholder: replace it with a base64 string (see the
// note on generating a secret below)
secret "YOURSECRET";
};
EOF
- NOTE: you can generate a secret in this way
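# A TSIG secret must be unpredictable. Hashing the current epoch second
# yields only one candidate value per second, so the key space is tiny and
# the secret offers no real protection. Draw 32 random bytes from the kernel
# CSPRNG instead (or let BIND generate the whole key block:
# `tsig-keygen rndc-key` or `rndc-confgen -a`).
head -c 32 /dev/urandom | base64 -w0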
create database files
- create the file cache/db.local
# Forward zone for "localhost" (A 127.0.0.1 / AAAA ::1), served locally.
cat <<'EOF' > cache/db.local
;
; BIND data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
2 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
@ IN A 127.0.0.1
@ IN AAAA ::1
EOF
- create the file cache/db.127
# Reverse zone for 127.in-addr.arpa (127.0.0.1 -> localhost).
cat <<'EOF' > cache/db.127
;
; BIND reverse data file for local loopback interface
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
1.0.0 IN PTR localhost.
EOF
- create the file cache/db.0
# Empty reverse zone for 0.in-addr.arpa (SOA and NS only).
cat <<'EOF' > cache/db.0
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
EOF
- create the file cache/db.255
# Empty reverse zone for 255.in-addr.arpa (SOA and NS only).
cat <<'EOF' > cache/db.255
;
; BIND reverse data file for broadcast zone
;
$TTL 604800
@ IN SOA localhost. root.localhost. (
1 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS localhost.
EOF
- create the file cache/db.root
This file needs to be updated periodically, so we prepare a script for that
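cat > update-db.root.sh << \EOF
#!/bin/bash
#
# Refresh the root hints file (cache/db.root) by asking a root server for
# the NS set of ".". Paths are relative to the script's own directory
# (/etc/bind); the chown step requires root.
#
set -u
cd "$(dirname -- "$0")" || exit
NAME=cache/db.root
SOURCE=a.root-servers.net
#SOURCE=8.8.4.4
# Non-recursive query for the root NS set; a failed dig leaves the
# existing hints untouched.
dig +bufsize=1200 +norec NS . @"${SOURCE}" > "${NAME}_new" || exit
# dig can exit 0 without returning usable records (empty or error
# response); never overwrite working hints with such a file.
if ! grep -qE '[[:space:]]IN[[:space:]]+NS[[:space:]]' "${NAME}_new"; then
  printf '%s\n' "no NS records received from ${SOURCE}; keeping existing ${NAME}" >&2
  rm -f -- "${NAME}_new"
  exit 1
fi
# Keep one previous copy for rollback.
if test -f "${NAME}"; then
  mv -f -- "${NAME}" "${NAME}_old"
fi
mv -- "${NAME}_new" "${NAME}"
chown root:bind "${NAME}"
chmod 644 "${NAME}"
cat "${NAME}"
# NOTE(review): a running named picks up the new hint file only on a
# reload/restart (e.g. `rndc reload`) — confirm for the installed version.
# End
EOF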
- change ownership of the created files and restrict access to the key file
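# One command per line: run as a single line, "chmod", "640", ... would be
# passed to chown as file names.
# Config and zone files: owned by root, readable by the bind group named runs as.
chown root:bind named.conf rndc.key cache/*
# The key file must not be world-readable: anyone who can read rndc-key can
# drive the server through rndc. 640 keeps it to root and group bind.
chmod 640 rndc.key
# The update script runs as root; keep it unreadable and unwritable by others.
chmod 750 update-db.root.sh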
start and test
- now, update the db.root, start bind9 and test!
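# Fetch the root hints first: the hint zone in named.conf points at
# cache/db.root, which does not exist until this script has run.
./update-db.root.sh
# Catch configuration errors before the service is started.
named-checkconf /etc/bind/named.conf
service bind9 start
# Query the new resolver directly (127.0.0.1) rather than whatever
# /etc/resolv.conf currently points at.
nslookup google.com 127.0.0.1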