Gentoo BIND Guide
1.
Introduction
This tutorial shows how to install and configure BIND, the most widely used DNS
server on the Internet. We will serve your domain with two different
configurations, one for your local network and one for the rest of the world,
using views: one view for the internal zone (your local network) and another
view for the external zone (the rest of the world). Clients on the LAN get the
private addresses and a recursive resolver; everyone else gets only the public
addresses and no recursion.
2.
Data used in the examples
| Keyword | Explanation | Example |
| YOUR_DOMAIN | Your domain name | gentoo.org |
| YOUR_PUBLIC_IP | The public IP address your ISP gives you | 204.74.99.100 |
| YOUR_LOCAL_IP | The local IP address of the DNS server | 192.168.1.5 |
| YOUR_LOCAL_NETWORK | The local network | 192.168.1.0/24 |
| SLAVE_DNS_SERVER | The IP address of the slave DNS server for your domain (used in allow-transfer) | 209.177.148.228 |
| SLAVE_DNS_HOSTNAME | The host name of the slave DNS server. An NS record must point to a name, never to an IP address, so the zone files use this rather than SLAVE_DNS_SERVER | the name published by whoever runs the slave |
| ADMIN | The DNS server administrator's name (the local part of the contact address in the SOA record) | root |
| MODIFICATION | The modification date of the zone file (YYYYMMDD) with a two-digit counter appended; it must increase on every change, otherwise slaves do not pick the change up | 2009062901 |
Figure 2.1: Network example
3.
Configuring BIND
Installation
First, install net-dns/bind.
Code Listing 3.1: Installing bind
# emerge net-dns/bind
Configuring /etc/bind/named.conf
The first file to configure is /etc/bind/named.conf. The options section sets
BIND's working directory (the zone file paths below are relative to it), the
addresses and port to listen on, the pid file, and disables listening on IPv6.
Listening only on the loopback and the LAN address means the daemon never
answers on an address you did not intend; if YOUR_PUBLIC_IP lives on a router
rather than on this host, the router has to forward port 53 (UDP and TCP) to
YOUR_LOCAL_IP for the external view to be reachable at all.
Code Listing 3.2: options section
options {
directory "/var/bind";
listen-on-v6 { none; };
listen-on port 53 { 127.0.0.1; YOUR_LOCAL_IP; };
pid-file "/var/run/named/named.pid";
};
The second part of named.conf is the internal view used for our local network.
Views are matched in the order they appear, so the internal view must come
before the external one, whose match-clients is any. Recursion is enabled here,
so LAN clients can resolve every domain through this server; BIND 9 uses its
compiled-in root hints when a view has no hint zone of its own. Zone transfers
are limited with allow-transfer: leaving it at any would let every host on the
LAN dump the whole internal zone with an AXFR request, so set it to none unless
you run a slave on the LAN, in which case list that slave's address.
Code Listing 3.3: Internal view
view "internal" {
match-clients { YOUR_LOCAL_NETWORK; localhost; };
recursion yes;
zone "YOUR_DOMAIN" {
type master;
file "pri/YOUR_DOMAIN.internal";
allow-transfer { none; }; // no slave on the LAN: nobody may AXFR the internal zone
};
};
The third part of named.conf is the external view. It answers queries for our
own domain from anywhere, and nothing else: recursion is switched off, so the
server is not an open resolver for the rest of the world (open resolvers get
abused for DNS amplification attacks and cache-poisoning attempts). Requests
from outside YOUR_LOCAL_NETWORK for other domains are not resolved. A transfer
of the external zone is allowed only to our slave.
Code Listing 3.4: External view
view "external" {
match-clients { any; };
recursion no;
zone "." IN {
type hint;
file "named.ca";
};
zone "127.in-addr.arpa" IN {
type master;
file "pri/127.zone";
allow-update { none; };
notify no;
};
zone "YOUR_DOMAIN" {
type master;
file "pri/YOUR_DOMAIN.external";
allow-query { any; };
allow-transfer { SLAVE_DNS_SERVER; };
};
};
The final part of named.conf is the logging policy. Despite its name, the
default_syslog channel writes to a file, keeping three rotated copies of 5 MB
each. severity debug is useful while setting the server up; once it works,
lower it to info, because debug output is very verbose and fills the disk
quickly on a busy server.
Code Listing 3.5: Logging
logging {
channel default_syslog {
file "/var/log/named/named.log" versions 3 size 5m;
severity debug;
print-time yes;
print-severity yes;
print-category yes;
};
category default { default_syslog; };
};
The /var/log/named/ directory must exist and belong to the named user and
group, otherwise named cannot open the log file:
Code Listing 3.6: Creating the log file
# mkdir -p /var/log/named/
# chmod 770 /var/log/named/
# touch /var/log/named/named.log
# chmod 660 /var/log/named/named.log
# chown -R named:named /var/log/named/
Creating the internal zone file
We use the host names and IP addresses of the network example in the figure.
Note that a name ending in "." (dot) is fully qualified; a name without the
trailing dot is relative, and BIND appends the zone's origin (YOUR_DOMAIN) to
it. Forgetting the dot in SOA, NS or MX data is the classic mistake:
mail.YOUR_DOMAIN without the dot becomes mail.YOUR_DOMAIN.YOUR_DOMAIN. NS
records must name the name servers; an IP address is not valid NS data, so the
slave is listed by host name (SLAVE_DNS_HOSTNAME), while its address
(SLAVE_DNS_SERVER) is only used in allow-transfer. The ptr mechanism of SPF is
deprecated by RFC 7208 and is left out here; ip4 and mx already cover the mail
host.
Code Listing 3.7: /var/bind/pri/YOUR_DOMAIN.internal
$TTL 2d
@ IN SOA ns.YOUR_DOMAIN. ADMIN.YOUR_DOMAIN. (
MODIFICATION ; serial
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
YOUR_DOMAIN. IN MX 0 mail.YOUR_DOMAIN.
YOUR_DOMAIN. IN TXT "v=spf1 ip4:YOUR_PUBLIC_IP/32 mx mx:mail.YOUR_DOMAIN ~all"
YOUR_DOMAIN. IN NS ns.YOUR_DOMAIN.
YOUR_DOMAIN. IN NS SLAVE_DNS_HOSTNAME. ; the slave's host name, not its IP address
www.YOUR_DOMAIN. IN A 192.168.1.3
ns.YOUR_DOMAIN. IN A 192.168.1.5
mail.YOUR_DOMAIN. IN A 192.168.1.3
router.YOUR_DOMAIN. IN A 192.168.1.1
hell.YOUR_DOMAIN. IN A 192.168.1.3
heaven.YOUR_DOMAIN. IN A 192.168.1.5
desktop.YOUR_DOMAIN. IN A 192.168.1.4
Creating the external zone file
Here we publish only the names external clients need (www, mail and ns), all
pointing at YOUR_PUBLIC_IP; the private addresses of the internal zone never
leave the LAN. As in the internal zone, the slave appears in the NS record by
host name, not by IP address.
Code Listing 3.8: /var/bind/pri/YOUR_DOMAIN.external
$TTL 2d
@ IN SOA ns.YOUR_DOMAIN. ADMIN.YOUR_DOMAIN. (
MODIFICATION ; serial
3h ; refresh
1h ; retry
1w ; expiry
1d ) ; minimum
YOUR_DOMAIN. IN MX 0 mail.YOUR_DOMAIN.
YOUR_DOMAIN. IN TXT "v=spf1 ip4:YOUR_PUBLIC_IP/32 mx mx:mail.YOUR_DOMAIN ~all"
YOUR_DOMAIN. IN NS ns.YOUR_DOMAIN.
YOUR_DOMAIN. IN NS SLAVE_DNS_HOSTNAME. ; the slave's host name, not its IP address
www.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
ns.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
mail.YOUR_DOMAIN. IN A YOUR_PUBLIC_IP
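Before loading either zone, check it. BIND ships named-checkconf for named.conf and named-checkzone for zone files (named-checkzone YOUR_DOMAIN /var/bind/pri/YOUR_DOMAIN.external). The Python script below is an added example written for this guide, not part of the Gentoo documentation or of BIND; it shows in code the rules both zone files above rely on: a relative name gets the origin appended, an NS or MX target must be a host name with an A record in the zone, and the serial must be in MODIFICATION's YYYYMMDDnn form. The zone text it checks is constructed inline with example.org standing in for YOUR_DOMAIN, and deliberately lists the slave by IP address so that the check fires.

```python
"""Sanity checks for a BIND zone file (added example for this guide; not part of
the Gentoo documentation or of BIND, named-checkzone stays the real tool)."""
import ipaddress
import re

# Constructed sample: the external zone above with example.org for YOUR_DOMAIN.
# The second NS record deliberately uses an IP address, which is invalid NS data.
SAMPLE_ZONE = """\
$TTL 2d
@ IN SOA ns.example.org. root.example.org. (
    2009062901 ; serial
    3h ; refresh
    1h ; retry
    1w ; expiry
    1d ) ; minimum
example.org. IN MX 0 mail.example.org.
example.org. IN TXT "v=spf1 ip4:204.74.99.100/32 mx ~all"
example.org. IN NS ns.example.org.
example.org. IN NS 209.177.148.228
www IN A 204.74.99.100
ns.example.org. IN A 204.74.99.100
mail.example.org. IN A 204.74.99.100
"""

TTL_OR_CLASS = re.compile(r"\d+[smhdw]?|IN|CH|HS", re.IGNORECASE)
SERIAL = re.compile(r"(\d{4})(\d{2})(\d{2})\d{2}")


def strip_comment(line):
    """Remove a ';' comment, but not a ';' inside a quoted TXT string."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == ";" and not quoted:
            break
        out.append(ch)
    return "".join(out)


def logical_lines(text):
    """Yield records with '( ... )' continuations (the SOA) joined into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = strip_comment(raw)
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            joined = " ".join(buf).replace("(", " ").replace(")", " ")
            buf, depth = [], 0
            if joined.strip():
                yield joined


def qualify(name, origin):
    """'@' is the origin, a trailing dot means absolute, anything else is relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (origin, [(owner, type, rdata_tokens), ...]) for a master-file text."""
    origin = origin.rstrip(".") + "."
    records, last_owner = [], origin
    for line in logical_lines(text):
        tokens = line.split()
        if tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        # A line starting with whitespace has a blank owner field: reuse the previous owner.
        owner = last_owner if line[0].isspace() else qualify(tokens.pop(0), origin)
        while tokens and TTL_OR_CLASS.fullmatch(tokens[0]):  # optional TTL and class
            tokens.pop(0)
        records.append((owner, tokens[0].upper(), tokens[1:]))
        last_owner = owner
    return origin, records


def lint_zone(text, origin):
    """Return a list of problems; an empty list means every check passed."""
    origin, records = parse_zone(text, origin)
    problems = []
    soas = [r for r in records if r[1] == "SOA"]
    if len(soas) != 1 or soas[0][0] != origin:
        problems.append("exactly one SOA record at the origin is required")
    else:
        serial = soas[0][2][2]  # SOA rdata: mname rname serial refresh retry expiry minimum
        m = SERIAL.fullmatch(serial)
        if not m or not (1 <= int(m.group(2)) <= 12 and 1 <= int(m.group(3)) <= 31):
            problems.append(f"serial {serial} is not in YYYYMMDDnn form")
    if sum(1 for o, t, _ in records if t == "NS" and o == origin) < 2:
        problems.append("a zone should have at least two NS records")
    has_address = {o for o, t, _ in records if t in ("A", "AAAA")}
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "MX"):
            continue
        target = rdata[-1]  # MX rdata is "priority host", NS rdata is "host"
        try:
            ipaddress.ip_address(target.rstrip("."))
        except ValueError:
            pass  # good: the target is a name, not an IP literal
        else:
            problems.append(f"{rtype} for {owner} points at {target}: NS/MX data must be a host name")
            continue
        target = qualify(target, origin)
        in_zone = target == origin or target.endswith("." + origin)
        if in_zone and target not in has_address:
            problems.append(f"{rtype} target {target} has no A/AAAA record in the zone")
    return problems


if __name__ == "__main__":
    for problem in lint_zone(SAMPLE_ZONE, "example.org"):
        print("PROBLEM:", problem)
```

Run against the sample it reports the IP-address NS record and nothing else; replace that line with a host name that has no A record and it reports the missing glue instead, which is the other way the slave entry typically goes wrong.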
Finishing configuration
You'll need to add named to the default runlevel:
Code Listing 3.9: Add to default runlevel
# rc-update add named default
4.
Configuring clients
Now you can use your own DNS server on all machines of your local network to
resolve domain names. Edit /etc/resolv.conf on each machine of the local
network so that it uses YOUR_LOCAL_IP (192.168.1.5 in the picture) as its name
server:
Code Listing 4.1: Editing /etc/resolv.conf
search YOUR_DOMAIN
nameserver YOUR_LOCAL_IP
The search line lets you use short names such as hell or router: the resolver
appends YOUR_DOMAIN before sending the query.
5.
Testing
Now we can test the new DNS server. First, start the service.
Code Listing 5.1: Starting the service manually
# /etc/init.d/named start
Then run some host queries from any computer on the local network. host comes
with net-dns/host (emerge host); dig from net-dns/bind-tools works just as
well, and if neither is installed, ping shows whether the names resolve. The
short names work because of the search line in /etc/resolv.conf. The answers
for hell and router come from the internal view and show private addresses,
which a client outside the LAN must never see.
Code Listing 5.2: Performing the test
$ host www.gentoo.org
www.gentoo.org has address 209.177.148.228
www.gentoo.org has address 209.177.148.229
$ host hell
hell.YOUR_DOMAIN has address 192.168.1.3
$ host router
router.YOUR_DOMAIN has address 192.168.1.1
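Whether the two views behave as described (recursion for the LAN, none for the outside world) is best verified with a query from outside YOUR_LOCAL_NETWORK, for example dig @YOUR_PUBLIC_IP www.gentoo.org. The script below is an added example for this guide, not part of the Gentoo documentation or of BIND: it builds the same query by hand and decodes the reply's RA (recursion available) flag, RCODE and A records, so the expectation is explicit in code. From a LAN client the server should set RA and return the www.gentoo.org addresses; from the Internet it must clear RA and give no answer for a name it is not authoritative for. The replies it is exercised with are constructed by build_response rather than received from a real server; when run from the command line it queries the server given as the first argument (127.0.0.1 by default, an assumption for a local test).

```python
"""Check a BIND server's recursion policy with a hand-built DNS query.
Added example for this guide (not part of the Gentoo documentation or of BIND).
Standard library only; wire format per RFC 1035."""
import socket
import struct
import sys

RCODES = {0: "NOERROR", 3: "NXDOMAIN", 5: "REFUSED"}
TXID = 0x1234  # fixed transaction id for the example; a real client randomises it


def build_query(name, txid=TXID, rd=True):
    """A-record query for `name`; rd=True asks the server to recurse, as host does."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN


def build_response(query, ra, rcode, addresses=()):
    """Constructed reply standing in for a real server: echoes the question, sets
    QR, RA and RCODE, and appends one A record per address whose owner name is a
    compression pointer (0xC00C) back to the question name."""
    txid, qflags, qdcount = struct.unpack("!HHH", query[:6])
    flags = 0x8000 | (qflags & 0x0100) | (0x0080 if ra else 0) | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, qdcount, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(a)
                   for a in addresses)
    return header + query[12:] + rrs


def _skip_name(data, off):
    """Advance past a (possibly compressed) domain name and return the new offset."""
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1
        if length == 0:
            return off
        off += length


def parse_response(data):
    """Decode the header flags and collect the A records of the answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4  # skip QTYPE and QCLASS
    addresses = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addresses.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"id": txid, "aa": bool(flags & 0x0400), "ra": bool(flags & 0x0080),
            "rcode": flags & 0xF, "addresses": addresses}


def recursion_offered(resp):
    """True when the server advertises recursion (RA) and answered the out-of-zone
    name: what an open resolver looks like from the Internet."""
    return resp["ra"] and resp["rcode"] == 0 and bool(resp["addresses"])


def query_server(server, name, timeout=3.0):
    """Send the query over UDP and parse the reply (needs network access)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != TXID:
        raise ValueError("transaction id mismatch: reply is not for our query")
    return resp


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"  # assumption: local test
    r = query_server(server, "www.gentoo.org")
    print(f"{server}: RA={r['ra']} rcode={RCODES.get(r['rcode'], r['rcode'])} "
          f"answers={r['addresses']}")
    print("recursion offered to this client:", recursion_offered(r))
```

Run it once from the LAN and once from outside against YOUR_PUBLIC_IP: the first run should report RA=True with the two www.gentoo.org addresses, the second RA=False with no addresses. If the outside run ever shows recursion offered, the external view is not the one answering, usually because the view order or match-clients is wrong.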
6.
Protecting the server with iptables
If you use iptables to protect your server, add these rules for the DNS
service. The server needs inbound queries on port 53 over both UDP and TCP (TCP
carries zone transfers to the slave and answers too large for UDP), plus the
replies to the queries it sends out itself while recursing. Match those replies
with connection tracking: a rule that accepts everything with source port 53
unconditionally (a common mistake) lets any remote host walk through the
firewall simply by sending from port 53.
Code Listing 6.1: Iptables rules
iptables -A INPUT -p udp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --sport 53 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p udp --dport 53 -j ACCEPT
iptables -A INPUT -p tcp --dport 53 -j ACCEPT