BIND 9.2.2

Introduction to BIND 9.2.2

Download location (HTTP):       
Download location (FTP):        ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz
Version used:                   9.2.2
Package size:                   4.8 MB
Estimated Disk space required:  38 MB

The Bind package provides a DNS server and client utilities.

Installation of BIND

Install BIND by running the following commands:

./configure --prefix=/usr &&
make &&
make install

Configuring BIND

We will configure BIND to run in a chroot jail as an unprivileged user(named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's $HOME directory

First we set up some files and directories needed by BIND:

groupadd -g 200 named &&
useradd -m -g named -u 200 -s /bin/false named &&
cd /home/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /home/named/dev/null c 1 3 &&
mknod /home/named/dev/random c 1 8 &&
chmod 666 /home/named/dev/{null,random} &&
mkdir /home/named/etc/namedb/pz &&
cp /etc/localtime /home/named/etc

Config files

named.conf, root.hints, 127.0.0 and rndc.conf

Create the named.conf file with the following commands:

cat > /home/named/etc/named.conf << "EOF"
 options {
     directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
       
 };
 controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 key "rndc_key" {
     algorithm hmac-md5;
     secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
 };
 zone "." {
     type hint;
     file "root.hints";
 };
 zone "0.0.127.in-addr.arpa" {
     type master;
     file "pz/127.0.0";
 };
EOF

Create a zone file with the following contents:

cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF

Create the root.hints file with the following commands:

Note: Caution must be used to insure no leading spaces in this file.

cat > /home/named/etc/namedb/root.hints << "EOF"
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       128.9.0.107
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
EOF

Create the rndc.conf with the following commands:

cat > /etc/rndc.conf << "EOF"
key rndc_key {
algorithm "hmac-md5";
    secret
    "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
    };
options {
    default-server localhost;
    default-key    rndc_key;
};
EOF

Create or modify resolv.conf to use the new name server with the following commands:

Note: Replace yourdomain.com with your own valid domain name.

cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search yourdomain.com
nameserver 127.0.0.1
EOF

Set permissions on the chroot jail with the following command:

chown -R named.named /home/named

Create the BIND boot script:

cat > /etc/rc.d/init.d/bind << "EOF"
#!/bin/bash
# Begin $rc_base/init.d/bind
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans  - gerard@linuxfromscratch.org
source /etc/sysconfig/rc
source $rc_functions
case "$1" in
	start)
		echo "Starting named..."
		loadproc /usr/sbin/named -u named -t /home/named -c \
		        /etc/named.conf
		;;
	stop)
		echo "Stopping named..."
		killproc /usr/sbin/named
		;;
	restart)
		$0 stop
		sleep 1
		$0 start
		;;
   reload)
                echo "Reloading named..."
                /usr/sbin/rndc -c /etc/rndc.conf reload
                ;;
			       		
	status)
		statusproc /usr/sbin/named
		;;
	*)
		echo "Usage: $0 {start|stop|restart|status}"
		exit 1
		;;
esac
# End $rc_base/init.d/bind
EOF

Add the run level symlinks:

chmod 754 /etc/rc.d/init.d/bind &&
ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind &&
ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind &&
ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K49bind &&
ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind &&
ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind &&
ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind &&
ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind

Now start BIND with the new boot script:

/etc/rc.d/init.d/bind start

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig:

dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:

dig beyond.linuxfromscratch.org &&
dig beyond.linuxfromscratch.org
You can see almost instantaneous results with the named caching lookups. Consult bind-9.2.2/doc/arm/Bv9ARM.html, the BIND Administrator Reference Manual for further configuration options.

Configuration command explanations

groupadd -g 200 named
useradd -m -g named -u 200 -s /bin/false named
cd /home/named
mkdir -p dev etc/namedb/slave var/run
mknod /home/named/dev/null c 1 3
mknod /home/named/dev/random c 1 8
chmod 666 /home/named/dev/{null,random}
mkdir /home/named/etc/namedb/pz
cp /etc/localtime /home/named/etc
Create the unprivileged user and group named, along with device files that named will need access to inside the chroot jail.

cat > /home/named/etc/named.conf << "EOF" : Create the BIND configuration file, from which named will read the location of zone files, root name servers and secure DNS keys.

cat > /home/named/etc/namedb/pz/127.0.0 << "EOF" : Create a single zone file.

cat > /home/named/etc/namedb/root.hints << "EOF" : The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. Consult the BIND 9 Administrator Reference Manual for details.

cat > /etc/rndc.conf << "EOF" : The rndc.conf file contains information for controlling named operations with the rndc utility.

cat > /etc/resolv.conf << "EOF" : The resolv.conf file will specify the local host(127.0.0.1) as the name server.

cat > /etc/rc.d/init.d/bind << "EOF" : Create the boot script for BIND 9, used to start and stop the name server daemon, named.

Contents

The BIND package contains dig, host, rndc, rndc-confgen, named-checkconf, named-checkzone, lwresd, named, dnssec-signzone, dnssec-signkey, dnssec-keygen, dnssec-makekeyset and nsupdate.

Description

dig

dig interrogates DNS servers.

host

host is a utility for DNS lookups.

rndc

rndc controls the operation of BIND.

rndc-confgen

rndc-confgen generates rndc.conf files.

named-checkconf

named-checkconf checks the syntax of named.conf files.

named-checkzone

named-checkzone checks zone file validity.

lwresd

lwresd is a caching-only name server for local process use.

named

named is the name server daemon.

dnssec-signzone

dnssec-signzone generates signed versions of zone files.

dnssec-signkey

dnssec-signkey signs zone file key sets.

dnssec-keygen

dnssec-keygen is a key generator for secure DNS.

dnssec-makekeyset

dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen.

nsupdate

nsupdate is used to submit DNS update requests.