HOWTO Setup a DNS Server with BIND

Get full information from here: http://web.archive.org/web/20080119200951/gentoo-wiki.com/HOWTO_Setup_a_DNS_Server_with_BIND

Introduction
BIND (Berkeley Internet Name Domain) is an open reference implementation of the Domain Name System (DNS) protocol and provides a redistributable implementation of the major components of the Domain Name System, including:

 * a name server (named)
 * a resolver library
 * troubleshooting tools like nslookup and dig

The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.

My Bind Installation
My personal Bind installation has over 15000 zones and peaks at roughly 500 queries/sec across two servers. This How-To includes many organizational tips for running a large system without its administration becoming unwieldy. I'll point those out along the way so home users with three or four domains can skip the extra steps. However, most of the large-system configs are geared towards easier troubleshooting and administration, and I encourage all users to use the ISP tweaks I've included. After all, most large systems started out as small systems.

Firewall Config
Bind listens on port 53 UDP and TCP. TCP is normally only used during zone transfers, so it would appear that you could filter it if you have no slaves. However, if the response to a query is greater than 1024 bytes, the server sends a partial (truncated) response, and client and server will try to redo the transaction with TCP.

Responses that big do not happen often, but they happen. And people do quite often block 53/tcp without their world coming to an end. But this is where one usually inserts the story about the Great DNS Meltdown when more root servers were added. This made queries for the root list greater than 1024 and the whole DNS system started to break down from people violating the DNS spec (RFC1035) and blocking TCP.

Installing Bind
This document is based on a fresh install of 2005.0 built on July 13 on a Dell 4700: 3.0 GHz P4 w/HT, gentoo-sources 2.6.12-r4 SMP kernel, glibc built with the NPTL flag, and Bind 9.2.5-r4. Older or newer installs should not differ too greatly from this install.

Bind is in Portage and has a number of USE variables to add functionality. We're going to eliminate most of them for the purpose of this doc to keep things simple. Once I'm happy that this doc can actually lead someone through a simple setup, I may go back and add in other functionality.

Choosing your USE flags
For most users I'd recommend removing IPv6 support and any database support. This doc probably won't delve into using a database backend. Linux 2.6 users with NPTL that anticipate a high number of queries will definitely want to enable threads, as Bind is highly threaded. The flags go in:

/etc/portage/package.use

Dependencies
On my fresh install there were no extra dependencies required over the default install using the above USE variables.

Bind as configured above builds in under five minutes on my test system. Your mileage may vary.

Configuring kernel
It's possible that you may need to change your kernel configuration. "Different security models" is optional, but if you have enabled it, you must also enable the default Linux capabilities:

Configuring Bind
Gentoo alternates between naming files and directories "named" or "bind" which makes everything confusing. Also, most other OSs use "named" for everything rather than "bind". I've forgotten exactly what I did to straighten things out, but the commands below should allow you to assume everything is in a named/something or called named.whatever. I'll need to do a fresh install to verify sometime soon.

I prefer to break customer domains into include files by company. We have a small number of customers with 500+ domains per customer. It's a bit easier to find domains in the config this way and to track changes. I also include the logging config and any acls this way as well. You can put them all into one file if you like.

Creating Dirs and Symlinks
We're going to create some structure for the rest of the config files. We're also going to symlink bind dirs to named dirs so that admins unfamiliar with Gentoo can still find everything. It's like that whole /etc/apache vs /etc/httpd problem people new to Gentoo have. This will also keep /var/bind/ from getting littered with files and make an etc-update mishap less likely to lose all your configs.

Fixing the Pid Files and RC Scripts
Ebuilds prior to net-dns/bind-9.2.5-r4 had an issue with the named.pid file. The following steps are recommended to fix it.

Then edit /etc/init.d/named and change all instances of /var/run/named.pid to /var/run/named/named.pid. I find this layout a bit cleaner than dropping named in /var/run/ and my named.conf below assumes you've done this.

named.conf
I really suggest using this config. Yes, you can set Bind up without all the logging and without splitting domains into their own files, but troubleshooting is vastly easier when you have done all the groundwork. You will need to change the IPs that are allowed to do recursion to your own IPs; the same goes for the allow-transfer and allow-notify lists.

Logging conf
Bind can be chatty in the log files and the sheer amount of data can sometimes make it hard to find interesting logs. Fortunately Bind allows you to separate your logs and rotate them automatically in its config. The following config splits each logging category into separate files, rotates them every 5MB, and keeps three rotations of each log. You can change the length of the log file rotations by changing the versions and size options in each channel. While this config seems quite large and ugly it'll never need to be touched and having log files separated like this can make many common troubleshooting procedures easier.

ACL conf
The ACL section defines Access Control Lists that Bind uses to group a set of networks by name. In this example, the networks 10.*.*.*, 192.168.1.*, and 127.0.0.1 have been grouped together under the name 'our-networks'. This name can then be used to refer to the entire group when assigning permissions. (See: HOWTO_Setup_a_DNS_Server_with_BIND)

Zone File conf
There are many examples of how to add a zone file to the config. Zone statements can be placed directly in named.conf, or they can be included from an external file using the include statement. In this example we will include one of the two zone statements listed below. Zone configurations can be made in two different formats. Let's call them single-line and multi-line.

This is how a configuration in multi-line format appears:

And this is the same config with a single zone on each line:

You may prefer the single-line format for administrative tasks. It's easier to run sort, grep, sed, and other tools against the config file to make mass changes, and any script you write to generate a new slave or master config will be simpler. However, the multi-line config is easier to read in documentation, so we're going to use it throughout this How-To for clarity.

Each zone statement refers to a zone file using the file line; the zone file holds the map of domain names to their matching IP addresses. Zone files are covered in more detail below.

Adding a Slave Zone

Adding an ACL to a Zone
We can use the Access Control Lists to specify permissions for each zone:

allow-query { our-networks; };

Adding this line to the zone defined below tells Bind that any of the networks specified in the 'our-networks' group have permission to request the name of any IP address in the 10.113.1.* network.
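An added example, not the wiki's own named.conf, showing how the logging channel, the 'our-networks' ACL and the zone-level allow-query described above fit together in one file, plus the slave zone stanza the "Adding a Slave Zone" section omits; the pri/ and sec/ file paths and the 192.0.2.x addresses (master and slave) are placeholders.

```bind
logging {
    // one file per category, rotated at 5 MB with three rotations kept
    channel security_log {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category security { security_log; };
};

// The ACL section above: one name for all of our own networks.
acl "our-networks" {
    10.0.0.0/8;
    192.168.1.0/24;
    127.0.0.1;
};

options {
    directory "/var/bind";
    pid-file "/var/run/named/named.pid";   // layout from the RC-script fix above
    // Recursion only for our own networks: an open recursive resolver is a
    // reflection/amplification and cache-poisoning liability.
    allow-recursion { our-networks; };
    // Zone transfers only to our own slave (placeholder address).
    allow-transfer { 192.0.2.53; };
};

// Reverse zone for 10.113.1.0/24 that only our-networks may query.
zone "1.113.10.in-addr.arpa" {
    type master;
    file "pri/1.113.10.in-addr.arpa";
    allow-query { our-networks; };
};

// A slave zone: only its master (placeholder address) may NOTIFY us of changes.
zone "example.com" {
    type slave;
    masters { 192.0.2.10; };
    file "sec/example.com";
    allow-notify { 192.0.2.10; };
};
```

Run named-checkconf against the file after editing; a typo in an acl or allow-* list otherwise leaves the server refusing to start or, worse, answering recursive queries for everyone.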

Picking Your Zone File
There are a number of examples of zone files on the Internet, each with their own little quirks. I would recommend using a layout that appeals to you. However, it is in your best interest to use the same format for all your domains. This will make changes easier, and you can script out wholesale changes using sed or other tools if your IPs need to change quickly or for other reasons. There is nothing worse than trying to edit 1000 domains by hand, each with a different format.

About serial numbers
Don't forget to update the serial number each time you change a zone file. The new serial number can be any value larger than the previous one. Most systems simply use the date of the change plus two digits as a serial number. For example, a zone file that has been changed for the second time on the third of January 2004 would have 2004010302 as a serial number. But the serial number can be any number with the maximum value of 9999999999, as long as the new serial number is larger than the previous serial number. If you don't increment your serial number, your DNS slave servers will not accept the changes and will keep the old version of the zone file.

Sometimes you'll need to reset your serial number. This is easy to do if you control all your name servers. Change the master server, stop the slave servers, delete the old zone, start the slave servers. However if you do not have access to your slave servers you can set the serial number to 0 on the master server. Once the slave picks up the change you'll be able to use any number as the next serial number. This is usually done when an admin sets the serial to 3005103001 and wants to reset the serial back to 2005103001 or something similar.
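As an added helper script (not from the original wiki), the following POSIX shell functions read the serial from a zone file's SOA record and bump it to the next YYYYMMDDnn value, including the case of a serial that has already run ahead of today's date; the sample zone is constructed here, and the SOA layout (serial as the first all-digit field on or after the SOA line, no TTL on the SOA line) is an assumption. The 4294967295 ceiling is the 32-bit limit of the SOA serial field from RFC 1035.

```shell
#!/bin/sh
# Constructed sample zone (not from the wiki), multi-line SOA layout.
write_sample_zone() {   # $1 = path to write
  cat > "$1" <<'EOF'
$TTL 86400
@   IN  SOA ns1.example.com. hostmaster.example.com. (
        2004010302  ; serial: 2nd change on 3 Jan 2004
        3600        ; refresh
        900         ; retry
        604800      ; expire
        86400 )     ; minimum
    IN  NS  ns1.example.com.
EOF
}

# Print the serial: the first all-digit field at or after the SOA line,
# with ';' comments ignored. Assumes no TTL field on the SOA line itself.
read_serial() {   # $1 = zone file
  awk '{ sub(/;.*/, "") }
       /(^|[ \t])SOA([ \t]|$)/ { insoa = 1 }
       insoa { for (i = 1; i <= NF; i++) if ($i ~ /^[0-9]+$/) { print $i; exit } }' "$1"
}

# Next YYYYMMDDnn serial, always larger than the current one; a serial that
# is already "ahead" of today (e.g. 3005103001) is simply incremented.
next_serial() {   # $1 = current serial, $2 = today as YYYYMMDD (default: now)
  datepart=$(( ${2:-$(date +%Y%m%d)} * 100 ))
  if [ "$1" -lt "$datepart" ]; then new=$(( datepart + 1 )); else new=$(( $1 + 1 )); fi
  [ "$new" -le 4294967295 ] || { echo "serial $new exceeds 32-bit range" >&2; return 1; }
  echo "$new"
}

# Replace only the digits of the old serial so the file layout is preserved.
bump_serial() {   # $1 = zone file, $2 = today as YYYYMMDD (optional)
  old=$(read_serial "$1")
  [ -n "$old" ] || { echo "no SOA serial found in $1" >&2; return 1; }
  new=$(next_serial "$old" "$2") || return 1
  awk -v old="$old" -v new="$new" '
    /(^|[ \t])SOA([ \t]|$)/ { insoa = 1 }
    insoa && !done { for (i = 1; i <= NF; i++) {
        if ($i ~ /^;/) break
        if ($i == old) { sub(old, new); done = 1; break } } }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}
```

Because bump_serial only ever increases the serial, it is safe to run from a script that touches many zone files at once, which is exactly the mass-change case the serial rule above is meant to protect against.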

About IP Addresses
When specifying a given IP range using the format 8.113.10.in-addr.arpa., the bytes are given in reverse order. In effect the IP range is 10.113.8.0/24. For a 16-bit netmask, it would be 113.10.in-addr.arpa., equivalent to 10.113.0.0/16.

Default zone
If you are a hosting provider and want to have a default zone for newly-added domains (for the case where some domain lists your NS server as primary but you haven't added a zone for that domain yet) AND your server is not designed to execute recursive queries, you can use this section:

After this, any domain that cannot be found in your configuration will be handled by the records in "path_to_default_zone_file".

Further Information

 * Alternative configuration files
 * BIND 9 DNS Administration Reference Book
 * DNS for Rocket Scientists
 * BIND (the alternate gentoo wiki page)