Tutorial BIND9
Latest revision as of 17:07, 28 July 2024
BIND is a suite of DNS software. Its most prominent component, named (pronounced name-dee, short for name daemon), performs both of the main DNS server roles, acting as an authoritative name server for DNS zones and as a recursive resolver in the network. Also contained in the suite are various administration tools such as nsupdate and dig, and a DNS resolver interface library.
Features
Important features of BIND 9 include:
- TSIG
- nsupdate
- IPv6
- RNDC (remote name daemon control)
- views
- multiprocessor support
- Response Rate Limiting (RRL)
- DNSSEC, and
- Broad portability
RNDC (rndc) lets an administrator control a running named locally or remotely (reload, reconfig, flush, status, ...). Each command is authenticated with a shared HMAC key (on Debian generated into /etc/bind/rndc.key); the control channel is authenticated, not encrypted, and by default named only listens for it on the loopback address, port 953. Leave it that way unless you really need remote control over a trusted network.
Installation
The package bind9 will be used for installation.
sudo apt install bind9
and then if you want to also install the documentation (very useful):
sudo apt install bind9-doc
Testing
Use these tools to check BIND configurations before reloading; a syntax error in either file keeps named from loading the change:
- named-checkconf (add -z to also load and check every zone the configuration references)
- named-checkzone <zone name> <zone file>
After ensuring the configs are correct, make several queries:
E.g.:
dig @127.0.0.1 yahoo.com
Carefully review the output:
labuser@labmachine:~$ dig @localhost yahoo.com

; <<>> DiG 9.18.24-1-Debian <<>> @localhost yahoo.com
; (2 servers found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26347
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1232
;; QUESTION SECTION:
;yahoo.com.                     IN      A

;; ANSWER SECTION:
yahoo.com.              1428    IN      A       74.6.143.25
yahoo.com.              1428    IN      A       74.6.231.21
yahoo.com.              1428    IN      A       98.137.11.164
yahoo.com.              1428    IN      A       98.137.11.163
yahoo.com.              1428    IN      A       74.6.143.26
yahoo.com.              1428    IN      A       74.6.231.20

;; Query time: 0 msec
;; SERVER: ::1#53(localhost) (UDP)
;; WHEN: Thu Jul 25 11:01:56 UTC 2024
;; MSG SIZE  rcvd: 134
Things to confirm: status is NOERROR, the flags include ra (the server is willing to recurse for this client) and the answer was produced by the server you meant to test (here dig resolved localhost to ::1, so the IPv6 loopback listener answered, not 127.0.0.1).
Additional Config
By default, recursion is only allowed for localhost and directly attached networks (BIND's allow-recursion default is { localnets; localhost; }); recursive queries from anywhere else are refused. To serve your own networks, set the ACLs explicitly in /etc/bind/named.conf.options:
options {
    directory "/var/cache/bind";
    recursion yes;                      # enables recursive queries
    allow-recursion { 10.0.0.0/8; };    # allows recursive queries from LAN clients only
    listen-on { 10.9.0.19; };           # listen on specified IP only
    allow-transfer { none; };           # disable zone transfers by default
    forwarders { 1.1.1.1; 8.8.8.8; };
    . . .
};
allow-recursion is what keeps the server from becoming an open resolver; putting any or 0.0.0.0/0 there on a host reachable from the Internet makes it usable for DNS amplification. Note that listen-on covers IPv4 only: the Debian default named.conf.options also sets listen-on-v6 { any; }, so restrict that too if the host has a public IPv6 address.
More Testing
Test from other computers on the network. Observe the responses.
Lab: Check and fix issues that arise during testing.
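A check for the two testing steps above, written as an added example rather than code from the tutorial: the script classifies a dig response so you can tell from the outside whether the server recurses for you, answers only its own zones, or refuses. The three sample responses are constructed for the script and the server address 10.9.0.19 is taken from the options block above.

```shell
#!/bin/sh
# Added example; this script is not part of the tutorial.
# Reads a dig response and says whether the server recursed for the client,
# answered only from its own zone, or refused. With the allow-recursion and
# listen-on settings above, a client in 10.0.0.0/8 should get "recursive"
# and any other client "refused" (or "authoritative" for names the server
# hosts). The three sample responses below are constructed for this script,
# not captured from a real server.

# classify_response: dig output on stdin, one word on stdout:
#   recursive     -> NOERROR and the "ra" (recursion available) flag set
#   authoritative -> NOERROR, "aa" set, "ra" clear (own zone data only)
#   refused       -> status REFUSED (client outside allow-recursion)
#   other         -> anything else (SERVFAIL, NXDOMAIN, timeout text, ...)
classify_response() {
    resp=$(cat)
    status=$(printf '%s\n' "$resp" |
        sed -n 's/^;; ->>HEADER<<- opcode: [A-Z]*, status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$resp" |
        sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    has_flag() { printf ' %s ' "$flags" | grep -q " $1 "; }
    case "$status" in
        NOERROR)
            if has_flag ra; then echo recursive
            elif has_flag aa; then echo authoritative
            else echo other
            fi ;;
        REFUSED) echo refused ;;
        *) echo other ;;
    esac
}

# Constructed: query from a LAN client, recursion granted.
sample_inside() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26347
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;yahoo.com.              IN      A
;; ANSWER SECTION:
yahoo.com.       1428    IN      A       74.6.143.25
EOF
}

# Constructed: same query from outside 10.0.0.0/8, recursion denied.
sample_outside() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41902
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;yahoo.com.              IN      A
EOF
}

# Constructed: a name in a hosted zone, asked from outside; answered
# authoritatively without recursion.
sample_auth() {
    cat <<'EOF'
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5112
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.a.example.com.np.   86400   IN      CNAME   server1.a.example.com.np.
EOF
}

# Stand-alone run prints the verdict for each sample. Against a live server
# (from a host outside the LAN, to confirm it is not an open resolver):
#   dig @10.9.0.19 yahoo.com A | classify_response
for s in sample_inside sample_outside sample_auth; do
    printf '%s: %s\n' "$s" "$($s | classify_response)"
done
```

Run the live form once from inside the LAN (expect recursive) and once from a host outside 10.0.0.0/8 (expect refused); a recursive verdict from the outside means the ACL is not doing its job.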
Authoritative Configuration
Earlier, we configured BIND for recursive usage. Now we will be configuring BIND for authoritative usage.
Adding a new Zone
Use the following example to add a new zone. In this example the zone is a.example.com.np and its data goes into a new file, /etc/bind/a.example.com.np.zone,
with the following content.
Replace a.example.com.np with your own domain (for example lab1.com.np) everywhere it appears: the file name, the $ORIGIN line, the SOA, and the NS and MX targets.
$ORIGIN a.example.com.np.
$TTL 86400
@       IN SOA dns1.a.example.com.np. hostmaster.a.example.com.np. (
                2024071501 ; serial
                21600      ; refresh after 6 hours
                3600       ; retry after 1 hour
                604800     ; expire after 1 week
                86400 )    ; negative-caching TTL of 1 day (historically called "minimum")
        IN NS  dns1.a.example.com.np.
        IN NS  dns2.a.example.com.np.
        IN MX  10 mail.a.example.com.np.
        IN MX  20 mail2.a.example.com.np.
dns1    IN A   10.0.1.1
dns2    IN A   10.0.1.2
server1 IN A   10.0.1.5
server2 IN A   10.0.1.6
ftp     IN A   10.0.1.3
        IN A   10.0.1.4
mail    IN CNAME server1
mail2   IN CNAME server2
www     IN CNAME server1
Expect named-checkzone to warn that the MX targets mail and mail2 are CNAMEs: RFC 2181 forbids an MX (or NS) pointing at an alias, and some mail servers reject such records. For a lab the warning is harmless; for real mail, give mail and mail2 A records of their own.
Now, you need to include the recently configured zone into BIND config by
sudo nano /etc/bind/named.conf.local
Add the following entry
zone "a.example.com.np" {
    type master;                 # "type primary" in BIND 9.16 and later
    file "/etc/bind/a.example.com.np.zone";
};
Run named-checkconf and named-checkzone a.example.com.np /etc/bind/a.example.com.np.zone first; then, reload BIND:
rndc reconfig
or
rndc reload
The difference: rndc reconfig re-reads named.conf and loads only zones that are new, leaving existing zones untouched; rndc reload re-reads the configuration and reloads every zone (rndc reload <zone> reloads just one). For a newly added zone either works.
Now run tests from your computer and others on the network.
Making Changes
Edit the zone file, add new entries, make a few changes, remove some and check whether they are propagated correctly.
Editing:
- Use your favorite editor to make all changes to the file
- Increment the Zone serial number
- Save the file
- Reload the zone
rndc reload lab1.com.np
- Checking
- Troubleshooting
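The editing steps above in one script, as an added example that is not part of the tutorial: a serial bumper for the YYYYMMDDnn convention used in the zone file, with the rollover cases handled and a guard against writing a serial that does not grow. The zone file it creates is constructed for the demonstration; the function names and the TODAY parameter are this script's own.

```shell
#!/bin/sh
# Added example; this script is not part of the tutorial.
# Increments the SOA serial of a zone file that uses the YYYYMMDDnn
# convention shown above (2024071501): same day -> nn+1, new day ->
# YYYYMMDD01. Secondaries only transfer when the serial grows (RFC 1982
# serial arithmetic), so a forgotten bump is the usual reason a change
# "does not propagate". The zone file created at the bottom is constructed
# for the demonstration; on a real server run it on the file named in
# named.conf.local, then named-checkzone and rndc reload <zone>.

serial_pattern='^[[:space:]]*\([0-9]\{1,10\}\)[[:space:]]*;[[:space:]]*serial.*'

# read_serial FILE: print the serial found on the "; serial" line.
read_serial() {
    sed -n "s/$serial_pattern/\\1/p" "$1" | head -n 1
}

# bump_serial FILE [TODAY]: rewrite the serial in place and print the new
# value. TODAY is YYYYMMDD and defaults to the current date; it is a
# parameter so the rollover cases can be exercised deterministically.
bump_serial() {
    zone=$1
    today=${2:-$(date +%Y%m%d)}
    old=$(read_serial "$zone")
    [ -n "$old" ] || { echo "no '; serial' line found in $zone" >&2; return 1; }
    if [ "${old%??}" = "$today" ]; then
        new=$((old + 1))          # same day: bump the two-digit counter
    else
        new="${today}01"          # new day: first revision of today
    fi
    # A serial that does not grow is silently ignored by secondaries,
    # so refuse to write one (clock moved backwards, or the file already
    # carries a serial from the future).
    if [ "$new" -le "$old" ]; then
        echo "refusing: new serial $new is not greater than $old" >&2
        return 1
    fi
    tmp=$(mktemp) || return 1
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*serial\)/\1$new\2/" "$zone" > "$tmp" &&
        cat "$tmp" > "$zone"      # cat, not mv, keeps the file's owner and mode
    rm -f "$tmp"
    echo "$new"
}

# Constructed zone file for the demonstration (serial line as in the
# tutorial's zone).
DEMO_ZONE=$(mktemp)
cat > "$DEMO_ZONE" <<'EOF'
$ORIGIN a.example.com.np.
$TTL 86400
@ IN SOA dns1.a.example.com.np. hostmaster.a.example.com.np. (
        2024071501 ; serial
        21600      ; refresh after 6 hours
        3600       ; retry after 1 hour
        604800     ; expire after 1 week
        86400 )    ; negative-caching TTL
  IN NS dns1.a.example.com.np.
dns1 IN A 10.0.1.1
EOF

first=$(bump_serial "$DEMO_ZONE" 20240715)    # same day  -> 2024071502
second=$(bump_serial "$DEMO_ZONE" 20240716)   # next day  -> 2024071601
echo "serial went 2024071501 -> $first -> $second"
```

After the bump, named-checkzone the file and rndc reload the zone; on the secondary, dig SOA against both servers and compare the serials to see the transfer happen.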
Secondary Zone
Now that we have a good understanding of zones, changes and updating them, let's add a secondary zone. Team up with another group and add their domain to yours as secondary:
- Group 1 add lab2
- Group 2 add lab3
- ...
- Group 6 add lab1
Work with the other group to allow permissions, ensure the zone is transferred and changes are propagated promptly.
On the secondary server, add the zone into named.conf.local:
zone "lab1.com.np" {
    type slave;                          # "type secondary" in BIND 9.16 and later
    file "/etc/bind/lab1.com.np.zone";
    masters { 10.9.0.31; };              # "primaries" in BIND 9.16 and later
};
Be sure to use the correct IP and zones, using above as an example. On Debian and Ubuntu the bind user cannot write into /etc/bind (and the shipped AppArmor profile only lets named write under /var/cache/bind and /var/lib/bind), so a secondary zone file placed there is served from memory but cannot be saved to disk and named logs a "dumping master file ... permission denied" error; use a path such as /var/cache/bind/lab1.com.np.zone for transferred zones.
On the origin server, you will have to allow zone transfer to the appropriate servers, inside that zone's statement (a zone-level allow-transfer overrides the global allow-transfer { none; } set in options):
allow-transfer {
    10.9.0.31;   # lab1
    10.9.0.32;   # lab2
};
This ACL trusts the source address only: any host that can reach the server from a listed address can pull the whole zone. Keep the list to the actual secondaries, and sign transfers with a TSIG key for anything beyond a lab.
When editing named.conf.local and the zone file, be careful about the syntax: run named-checkconf and named-checkzone before reloading, since a typo in named.conf stops named from reloading at all.
Once done, reload BIND using rndc command.
Make some changes
Change the zone on the origin server, bump the serial, reload that zone with rndc, and confirm the new data is served by the secondary (compare the SOA serial each server returns).
dig
Using dig to check zone transfers. AXFR is a query type, not a dig option, so it is written without a "+" prefix:
dig @10.9.0.31 lab1.com.np AXFR
From a host listed in allow-transfer this prints the whole zone; from any other host it ends with "; Transfer failed." and the origin server logs the refused transfer. Check both outcomes: the second is the proof that outsiders cannot enumerate the zone.
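Signing the transfer with a TSIG key, as an added example that is not part of the tutorial and applies to the Secondary Zone setup above: with an address-only ACL any host that can source traffic from a listed IP can pull the zone, whereas a TSIG-protected AXFR is refused unless the request carries a valid HMAC. The key name lab1-xfer-key and the secret placeholders are assumptions; generate a real key with tsig-keygen lab1-xfer-key and paste the same key block on both servers.

```conf
# --- origin (primary) server: /etc/bind/named.conf.local ---
key "lab1-xfer-key" {                # name and secret are placeholders
    algorithm hmac-sha256;
    secret "PASTE_OUTPUT_OF_tsig-keygen_HERE";
};

zone "lab1.com.np" {
    type master;                     # "primary" in BIND 9.16 and later
    file "/etc/bind/lab1.com.np.zone";
    allow-transfer { key "lab1-xfer-key"; };   # key match, not address match
};

# --- secondary server: /etc/bind/named.conf.local ---
key "lab1-xfer-key" {                # identical name, algorithm and secret
    algorithm hmac-sha256;
    secret "PASTE_OUTPUT_OF_tsig-keygen_HERE";
};

zone "lab1.com.np" {
    type slave;                      # "secondary" in BIND 9.16 and later
    file "/var/cache/bind/lab1.com.np.zone";     # writable by the bind user
    masters { 10.9.0.31 key "lab1-xfer-key"; };  # sign SOA/AXFR/IXFR requests
};
```

Verify from the secondary with a signed transfer, dig @10.9.0.31 lab1.com.np AXFR -y hmac-sha256:lab1-xfer-key:<secret>, and then without -y: the unsigned request must now end in "; Transfer failed." and the origin should log it as denied. Because named.conf.local is normally world-readable, keep the key block in its own file with mode 640 and group bind and pull it in with an include statement, and avoid typing the secret on the command line on shared hosts since it lands in the shell history.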
Logging
Example logging configuration, saved as /etc/bind/named.conf.logging:
logging {
    channel simplelog {
        file "/var/log/bind.log";
        severity info;
        print-time yes;      # file channels carry no timestamps unless asked for
    };
    category default { simplelog; };
};
Create the log file and set correct owner
sudo touch /var/log/bind.log
sudo chown bind /var/log/bind.log
On Debian and Ubuntu the AppArmor profile shipped with bind9 (/etc/apparmor.d/usr.sbin.named) only lets named write log files under /var/log/named/; if named still reports permission denied on the file after the chown, put the log there or extend the profile.
Then add this to named.conf
include "/etc/bind/named.conf.logging";
And then reload BIND using rndc command.
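What to look for once the log exists, as an added example that is not part of the tutorial: a small triage script that pulls the client addresses out of BIND's ACL-denial lines and counts them, separating refused recursion (open-resolver probes) from refused transfers (zone enumeration). The sample log lines are constructed to match BIND's "client ... denied" format and are not from a real server; the function name denied_clients is this script's own.

```shell
#!/bin/sh
# Added example; this script is not part of the tutorial.
# The lines worth watching first in the new log are the ACL denials:
# recursion refused to outside clients (open-resolver probes) and refused
# AXFR attempts (zone enumeration). This pulls the client address out of
# such lines and counts them per client. The log lines below are
# constructed to match BIND's "client <addr>#<port> (<name>): ... denied"
# format and are not from a real server; with print-time yes the
# timestamp comes first, as here.

# denied_clients LOGFILE: print "<count> <client> <kind>" per client,
# kind being "query" (recursion refused) or "xfer" (transfer refused),
# most frequent first.
denied_clients() {
    awk '
        /\): (query|zone transfer) .*denied/ {
            # address is the field after "client" (skipping the @0x... handle)
            for (i = 1; i < NF; i++) if ($i == "client") break
            addr = $(i + 1)
            if (addr ~ /^@/) addr = $(i + 2)
            sub(/#.*/, "", addr)               # drop the source port
            kind = ($0 ~ /zone transfer/) ? "xfer" : "query"
            count[addr " " kind]++
        }
        END { for (k in count) print count[k], k }
    ' "$1" | sort -rn
}

# Constructed sample log (not real traffic).
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
25-Jul-2024 11:01:56.101 client @0x7f3c8c0e4c60 203.0.113.5#43121 (yahoo.com): query (cache) 'yahoo.com/A/IN' denied
25-Jul-2024 11:01:57.220 client @0x7f3c8c0e4c60 203.0.113.5#43122 (google.com): query (cache) 'google.com/A/IN' denied
25-Jul-2024 11:02:10.456 client @0x7f3c8c0e5d70 198.51.100.7#52011 (lab1.com.np): zone transfer 'lab1.com.np/AXFR/IN' denied
25-Jul-2024 11:02:11.009 client @0x7f3c8c0e4c60 10.0.1.5#40001 (www.a.example.com.np): query: www.a.example.com.np IN A + (10.9.0.19)
25-Jul-2024 11:03:44.300 client @0x7f3c8c0e5d70 203.0.113.5#43130 (lab1.com.np): zone transfer 'lab1.com.np/AXFR/IN' denied
EOF

# Stand-alone run; on a real server: denied_clients /var/log/bind.log
denied_clients "$SAMPLE_LOG"
```

A client that shows up under both kinds, as 203.0.113.5 does here, is probing the server rather than misconfigured; a steady stream of refused recursion from many addresses is the usual sign that the server was an open resolver before the ACL went in and is still being used in amplification attempts.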