Difference between revisions of "Tutorial BIND9"
| (14 intermediate revisions by the same user not shown) | |||
| Line 22: | Line 22: | ||
<pre>sudo apt install bind9-doc</pre> | <pre>sudo apt install bind9-doc</pre> | ||
| − | === | + | ==== Testing ==== |
| − | + | Use these tools to check BIND configurations: | |
| − | * | + | * named-checkconf |
| − | + | * named-checkzone | |
| − | + | After ensuring the configs are correct, make several queries: | |
| − | + | Eg.:<code>dig @127.0.0.1 yahoo.com</code> | |
| − | |||
| − | |||
| − | < | ||
| − | + | Carefully review the output: | |
| − | |||
| − | |||
| − | |||
<pre> | <pre> | ||
labuser@labmachine:~$ dig @localhost yahoo.com | labuser@labmachine:~$ dig @localhost yahoo.com | ||
| Line 66: | Line 60: | ||
</pre> | </pre> | ||
| − | === Additional Config === | + | ==== Additional Config ==== |
| − | By default, it only allows query from localhost. To enable query from your networks, setup appropiately in | + | By default, it only allows query from localhost. To enable query from your networks, setup appropiately in BIND config. |
| − | <pre> | + | |
| − | + | <pre> | |
| − | # | + | options { |
| − | + | directory "/var/cache/bind"; | |
| − | # | + | recursion yes; # enables recursive queries |
| + | allow-recursion { 10.0.0.0/8 ; }; # allows recursive queries from LAN clients | ||
| + | listen-on { 10.9.0.19; }; # listen on specified IP only | ||
| + | allow-transfer { none; }; # disable zone transfers by default | ||
| − | + | forwarders { | |
| − | + | 1.1.1.1; | |
| − | + | 8.8.8.8; | |
| − | + | }; | |
| + | . . . | ||
| + | }; | ||
</pre> | </pre> | ||
| + | ==== More Testing ==== | ||
| + | Test from other computers on the network. Observe the responses. | ||
| − | == | + | Lab: Check and fix issues that arise during testing. |
| − | + | ||
| + | == Authoritative Configuration == | ||
| + | Earlier, we configured BIND for recursive usage. Now we will be configuring BIND for authoritative usage. | ||
=== Adding a new Zone === | === Adding a new Zone === | ||
| Line 90: | Line 93: | ||
<pre> | <pre> | ||
| − | $ORIGIN | + | $ORIGIN a.example.com.np. |
$TTL 86400 | $TTL 86400 | ||
| − | @ IN SOA dns1. | + | @ IN SOA dns1.a.example.com.np. hostmaster.a.example.com.np. ( |
| − | + | 2024071501 ; serial | |
| − | 21600 ; refresh after 6 hours | + | 21600 ; refresh after 6 hours |
| − | 3600 ; retry after 1 hour | + | 3600 ; retry after 1 hour |
| − | 604800 ; expire after 1 week | + | 604800 ; expire after 1 week |
| − | 86400 ) ; minimum TTL of 1 day | + | 86400 ) ; minimum TTL of 1 day |
| − | + | ||
| − | IN NS dns1. | + | IN NS dns1.a.example.com.np. |
| − | IN NS dns2. | + | IN NS dns2.a.example.com.np. |
| − | IN MX 10 mail. | + | IN MX 10 mail.a.example.com.np. |
| − | IN MX 20 mail2. | + | IN MX 20 mail2.a.example.com.np. |
dns1 IN A 10.0.1.1 | dns1 IN A 10.0.1.1 | ||
| − | dns2 IN A 10.0.1.2 | + | dns2 IN A 10.0.1.2 |
| − | server1 IN A 10.0.1.5 | + | server1 IN A 10.0.1.5 |
server2 IN A 10.0.1.6 | server2 IN A 10.0.1.6 | ||
| − | + | ||
ftp IN A 10.0.1.3 | ftp IN A 10.0.1.3 | ||
IN A 10.0.1.4 | IN A 10.0.1.4 | ||
| Line 120: | Line 123: | ||
</pre> | </pre> | ||
| + | Now, you need to include the recently configured zone into BIND config by | ||
| + | <pre>sudo nano /etc/bind/named.conf.local</pre> | ||
| + | |||
| + | Add the following entry | ||
| + | <pre> | ||
| + | zone "a.example.com.np" { type master; file "/etc/bind/a.example.com.np.zone"; };</pre> | ||
| + | |||
| + | Then, reload BIND: | ||
| + | <pre>rndc reconfig</pre> | ||
| + | or (there is some difference between these commands) | ||
| + | <pre>rndc reload</pre> | ||
| + | |||
| + | Now run tests from your computer and others on the network. | ||
| + | |||
| + | ==== Making Changes ==== | ||
| + | Edit the zone file, add new entries, make a few changes, remove some and check whether they are propagated correctly. | ||
| + | |||
| + | Editing: | ||
| + | * Use your favorite editor to make all changes to the file | ||
| + | * Increment the Zone serial number | ||
| + | * Save the file | ||
| + | * Reload the zone <code>rndc reload lab1.com.np</code> | ||
| + | * Checking | ||
| + | * Troubleshooting | ||
=== Secondary Zone === | === Secondary Zone === | ||
| + | Now that we have a good understanding of zone, changes and upadating them, lets add a secondary zone. Team up with another group and add their domain to yours as secondary: | ||
| + | |||
| + | * Group 1 add lab2 | ||
| + | * Group 2 add lab3 | ||
| + | * ... | ||
| + | * Group 6 add lab1 | ||
| + | |||
| + | Work with the other group to allow permissions, ensure the zone is transferred and changes are propagated promptly. | ||
| + | |||
| + | On the **secondary server**, add the zone into named.conf.local: | ||
| + | <pre> | ||
| + | zone "lab1.com.np" { | ||
| + | type slave; | ||
| + | file "/etc/bind/lab1.com.np.zone"; | ||
| + | masters { 10.9.0.31; }; | ||
| + | };</pre> | ||
| + | Be sure to use the correct IP and zones, using above as an example. | ||
| + | |||
| + | On the **origin server**, you will have to allow zone transfer to the appropriate servers: | ||
| + | <pre> | ||
| + | allow-transfer { | ||
| + | 10.9.0.31; # lab1 | ||
| + | 10.9.0.32; # lab2 | ||
| + | }; | ||
| + | </pre> | ||
| + | |||
| + | When editing the zone file, be careful about the syntax. | ||
| + | |||
| + | Once done, reload BIND using rndc command. | ||
| + | ==== Make some changes ==== | ||
| + | Make some changes and test. | ||
| + | |||
| + | ==== dig ==== | ||
| + | Using dig to check domain transfers: | ||
| + | <pre>dig +AXFR lab1.com.np @10.9.0.31</pre> | ||
| + | |||
| + | == Logging == | ||
| + | Logging configuration example named.conf.logging | ||
| + | <pre>logging { | ||
| + | channel simplelog { | ||
| + | file "/var/log/bind.log"; | ||
| + | severity info; | ||
| + | }; | ||
| + | category default { simplelog; }; | ||
| + | };</pre> | ||
| + | |||
| + | Create the log file and set correct owner | ||
| + | <pre>sudo touch /var/log/bind.log | ||
| + | sudo chown bind /var/log/bind.log</pre> | ||
| + | |||
| + | Then add this to named.conf | ||
| + | <pre>include "/etc/bind/named.conf.logging";</pre> | ||
| + | And then reload BIND using rndc command. | ||
| − | + | == Sources and External Links == | |
* [https://en.wikipedia.org/wiki/BIND BIND entry in Wikipedia] | * [https://en.wikipedia.org/wiki/BIND BIND entry in Wikipedia] | ||
[[Category:Workshops]] | [[Category:Workshops]] | ||
Latest revision as of 17:07, 28 July 2024
BIND is a suite of DNS software. Its most prominent component, named (pronounced name-dee, short for name daemon), performs both of the main DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver in the network. Also contained in the suite are various administration tools such as nsupdate and dig, and a DNS resolver interface library.
Features
Important features of BIND 9 include:
- TSIG
- nsupdate
- IPv6
- RNDC (remote name daemon control)
- views
- multiprocessor support
- Response Rate Limiting (RRL)
- DNSSEC, and
- Broad portability
RNDC enables remote configuration updates, using a shared secret to provide encryption for local and remote terminals during each session.
Installation
The package bind9 will be used for installation.
sudo apt install bind9
and then if you want to also install the documentation (very useful):
sudo apt install bind9-doc
Testing
Use these tools to check BIND configurations:
- named-checkconf
- named-checkzone
After ensuring the configs are correct, make several queries:
Eg.:dig @127.0.0.1 yahoo.com
Carefully review the output:
labuser@labmachine:~$ dig @localhost yahoo.com ; <<>> DiG 9.18.24-1-Debian <<>> @localhost yahoo.com ; (2 servers found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26347 ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;yahoo.com. IN A ;; ANSWER SECTION: yahoo.com. 1428 IN A 74.6.143.25 yahoo.com. 1428 IN A 74.6.231.21 yahoo.com. 1428 IN A 98.137.11.164 yahoo.com. 1428 IN A 98.137.11.163 yahoo.com. 1428 IN A 74.6.143.26 yahoo.com. 1428 IN A 74.6.231.20 ;; Query time: 0 msec ;; SERVER: ::1#53(localhost) (UDP) ;; WHEN: Thu Jul 25 11:01:56 UTC 2024 ;; MSG SIZE rcvd: 134
Additional Config
By default, it only allows query from localhost. To enable query from your networks, setup appropiately in BIND config.
options {
directory "/var/cache/bind";
recursion yes; # enables recursive queries
allow-recursion { 10.0.0.0/8 ; }; # allows recursive queries from LAN clients
listen-on { 10.9.0.19; }; # listen on specified IP only
allow-transfer { none; }; # disable zone transfers by default
forwarders {
1.1.1.1;
8.8.8.8;
};
. . .
};
More Testing
Test from other computers on the network. Observe the responses.
Lab: Check and fix issues that arise during testing.
Authoritative Configuration
Earlier, we configured BIND for recursive usage. Now we will be configuring BIND for authoritative usage.
Adding a new Zone
Use the following example to add a new zone. In this example we create a new file lab1.com.np.zone with the following content:
Do not forget to replace 'lab1.com.np` with your correct domain.
$ORIGIN a.example.com.np. $TTL 86400 @ IN SOA dns1.a.example.com.np. hostmaster.a.example.com.np. ( 2024071501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day IN NS dns1.a.example.com.np. IN NS dns2.a.example.com.np. IN MX 10 mail.a.example.com.np. IN MX 20 mail2.a.example.com.np. dns1 IN A 10.0.1.1 dns2 IN A 10.0.1.2 server1 IN A 10.0.1.5 server2 IN A 10.0.1.6 ftp IN A 10.0.1.3 IN A 10.0.1.4 mail IN CNAME server1 mail2 IN CNAME server2 www IN CNAME server1
Now, you need to include the recently configured zone into BIND config by
sudo nano /etc/bind/named.conf.local
Add the following entry
zone "a.example.com.np" { type master; file "/etc/bind/a.example.com.np.zone"; };
Then, reload BIND:
rndc reconfig
or (there is some difference between these commands)
rndc reload
Now run tests from your computer and others on the network.
Making Changes
Edit the zone file, add new entries, make a few changes, remove some and check whether they are propagated correctly.
Editing:
- Use your favorite editor to make all changes to the file
- Increment the Zone serial number
- Save the file
- Reload the zone
rndc reload lab1.com.np - Checking
- Troubleshooting
Secondary Zone
Now that we have a good understanding of zone, changes and upadating them, lets add a secondary zone. Team up with another group and add their domain to yours as secondary:
- Group 1 add lab2
- Group 2 add lab3
- ...
- Group 6 add lab1
Work with the other group to allow permissions, ensure the zone is transferred and changes are propagated promptly.
On the **secondary server**, add the zone into named.conf.local:
zone "lab1.com.np" {
type slave;
file "/etc/bind/lab1.com.np.zone";
masters { 10.9.0.31; };
};
Be sure to use the correct IP and zones, using above as an example.
On the **origin server**, you will have to allow zone transfer to the appropriate servers:
allow-transfer {
10.9.0.31; # lab1
10.9.0.32; # lab2
};
When editing the zone file, be careful about the syntax.
Once done, reload BIND using rndc command.
Make some changes
Make some changes and test.
dig
Using dig to check domain transfers:
dig +AXFR lab1.com.np @10.9.0.31
Logging
Logging configuration example named.conf.logging
logging {
channel simplelog {
file "/var/log/bind.log";
severity info;
};
category default { simplelog; };
};
Create the log file and set correct owner
sudo touch /var/log/bind.log sudo chown bind /var/log/bind.log
Then add this to named.conf
include "/etc/bind/named.conf.logging";
And then reload BIND using rndc command.
