Bind


Introduction

  • Tested on Debian 8 (Jessie).
  • Bind version: 9.9.5

The goal of this page is to provide a simple guide to create and manage DNS with Bind.

Option configuration

Installation

# Install the bind9 package without interactive confirmation
aptitude install bind9 -y
  • Do not forget to
    • Modify /etc/resolv.conf : set nameserver 127.0.0.1
    • Open TCP and UDP port 53 on the firewall

Reload configuration

# Reload named's configuration and zone files without restarting the daemon
rndc reload

Internal server

Basic configuration

  • Edit /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";   # working directory; relative file paths resolve here

        dnssec-validation auto;        # validate answers using the built-in root trust anchor

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };        # IPv4 only
        listen-on port 53 { any; };
        allow-query { any; };          # NOTE: recursion is enabled by default, so this is an open
                                       # resolver if reachable from the Internet - see "Public server"

        #Replace the addresses by what you want
        forwarders {
        8.8.8.8; # google 1
        8.8.4.4; # google 2
        # ...
        };
        #forward only;   # uncomment to send every non-local query to the forwarders
                         # (two words: "forward only;" - "forward-only;" is a syntax error)

};

Forward only configuration

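options {
        directory "/var/cache/bind";   # working directory; relative file paths resolve here

        dnssec-validation auto;        # validate answers using the built-in root trust anchor

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };        # IPv4 only
        listen-on port 53 { 127.0.0.1; <server-ip>; };   # replace <server-ip> with the LAN address
        allow-query { any; };

        #Replace the addresses by what you want
        forwarders {
        8.8.8.8; # google 1
        8.8.4.4; # google 2
        # ...
        };
        # Never resolve recursively ourselves: every non-local query goes to the forwarders.
        # The directive is two words ("forward only;"); "forward-only;" is a syntax error and
        # named refuses to start (verify with: named-checkconf).
        forward only;

};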

This configuration is enough for internal use only.

Public server

Secure the access

  • To prevent the server from being abused in DNS amplification attacks, allow recursive queries only from your own subnets (authoritative answers for your zones can stay open to anyone)
  • Edit /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";   # working directory; relative file paths resolve here

        version "Stay away"; # Display this when requesting the version from dig

        dnssec-validation auto;        # validate answers using the built-in root trust anchor

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };        # IPv4 only
        listen-on port 53 { localhost; <server-ip(s)>; };
        allow-query { any; };      # Anyone may ask for the zones we are authoritative for
                                   # (required for a public server); what we restrict is recursion
        allow-query-cache { localhost; 10.0.0.0/24;};    # cached answers only for the LAN
        allow-recursion { localhost; 10.0.0.0/24;};      # recursion only for the LAN: the server
                                                         # cannot be used as an open resolver in
                                                         # amplification attacks
        # allow-transfer is not set: named's default lets any host transfer the whole zone.
        # Restrict it to your slaves (see "Zone replication") or set { none; } if there are none.

        #Replace the addresses by what you want
        forwarders {
        8.8.8.8; # google 1
        8.8.4.4; # google 2
        # ...
        };

};

Chroot bind

  • Create chroot environment
# Directory skeleton for the chroot (dev, etc, var/run/named for the pid file, var/cache/bind for zones)
mkdir -p /var/lib/bind/{dev,etc,var,var/run/named,var/cache/bind}
# Device nodes named needs inside the chroot (major/minor 1,3 = null; 1,8 = random)
mknod /var/lib/bind/dev/null c 1 3
mknod /var/lib/bind/dev/random c 1 8
chmod 666 /var/lib/bind/dev/{null,random}
cp /etc/localtime /var/lib/bind/etc/
# Copy the configuration and the zone/cache directory. Once named runs with -t /var/lib/bind it
# reads /var/lib/bind/etc/bind/... - later edits to /etc/bind must be copied again to take effect
cp -a /etc/bind /var/lib/bind/etc/
cp -a /var/cache/bind/* /var/lib/bind/var/cache/bind/
# Only root and the bind group may enter the chroot root. -a kept the original ownership;
# check that var/run/named and var/cache/bind remain writable by the bind user
chgrp bind /var/lib/bind
chmod 750 /var/lib/bind
  • Edit /etc/default/bind
# Previous value: run named as the unprivileged "bind" user
#OPTIONS="-u bind"
# -t chroots named into /var/lib/bind (prepared above); every path in named.conf is then
# relative to that directory. (The Debian package ships this file as /etc/default/bind9.)
OPTIONS="-u bind -t /var/lib/bind"

Zone configuration

Declaration file

Include file

  • Edit /etc/bind/named.conf
# Zone declarations are kept in their own file and pulled in here
include "/etc/bind/named.conf.zones";

Declare zone

  • Edit /etc/bind/named.conf.zones (the file included above)
# Authoritative (master) zones, loaded from the files below.
# If views are added (next section) these declarations must be moved inside a view:
# once any view exists, named rejects zones declared at top level.
zone "int.example.com" {
        type master;
        file "/var/cache/bind/db.int.example.com";
};

# Reverse zone for 10.0.0.0/24
zone "0.0.10.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.0.0.10";
};

Restrict access with views

  • Edit /etc/bind/named.conf.zones
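# Views are tried in declaration order and the first matching match-clients wins, so the
# restrictive view must come first: with "external" (match-clients any) declared first,
# LAN clients would never reach "internal" and would only see the public zone.
# Once views are used, every zone must be declared inside a view.
view "internal" {

 match-clients { 127.0.0.1; 10.0.0.0/24; };   # the server itself and the LAN

 zone "int.example.com" {
        type master;
        file "/var/cache/bind/db.int.example.com";
 };

 zone "0.0.10.in-addr.arpa" {
        type master;
        file "/var/cache/bind/db.0.0.10";
 };
};

view "external" {

 match-clients {any;};      # everyone not matched above (the Internet)
 recursion no;              # authoritative answers only: external clients get no recursion

 zone "example.com" {
        type master;
        file "/var/cache/bind/db.example.com";
 };

};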

Zone file

  • example.com
  • 10.0.0.0/24

Direct lookup

  • Create /var/cache/bind/db.example.com (the path given in the zone declaration)
$ORIGIN example.com.
$TTL 86400 ; 24h - default TTL for records without an explicit one
; SOA: primary nameserver and contact mailbox (root.example.com. = root@example.com)
@       IN      SOA     nameserver1.example.com. root.example.com. (
                                      2015092300 ; Serial (YYYYMMDDnn) - must increase on every edit, slaves transfer only when it grows
                                      28800      ; Refresh
                                      9000       ; Retry
                                      2764800    ; Expire
                                      10800 )    ; Minimum - negative caching TTL

; apex address and the two authoritative nameservers (their A records are the glue)
@               IN      A       10.0.0.4
@               IN      NS      nameserver1
@               IN      NS      nameserver2
nameserver1     IN      A       10.0.0.5
nameserver2     IN      A       10.0.0.6
mx1             IN      A       10.0.0.7
mx2             IN      A       10.0.0.8

; www is an alias of the apex (10.0.0.4)
www             IN      CNAME   @


; mail: mx1 is preferred (lower value), mx2 is the backup
@               IN      MX      1 mx1
@               IN      MX      2 mx2

; dynamic address: guest-100 .. guest-200 -> 10.0.0.100 .. 10.0.0.200
$GENERATE 100-200 guest-$       IN A        10.0.0.$

Reverse lookup

  • Create /var/cache/bind/db.0.0.10 (the path given in the zone declaration)
$TTL 86400 ; 24h - default TTL for records without an explicit one
; No $ORIGIN here: the origin is the zone name from named.conf.zones (0.0.10.in-addr.arpa.)
@       IN      SOA     nameserver1.example.com. root.example.com.  (
                                      2015092300 ; Serial (YYYYMMDDnn) - must increase on every edit
                                      28800      ; Refresh
                                      9000       ; Retry
                                      2764800    ; Expire
                                      10800 )    ; Minimum - negative caching TTL

; the same two nameservers as the forward zone
0.0.10.in-addr.arpa. IN  NS     nameserver1.example.com.
0.0.10.in-addr.arpa. IN  NS     nameserver2.example.com.

; network and broadcast addresses of 10.0.0.0/24
0               IN      PTR     network.example.com.
255             IN      PTR     broadcast.example.com.

; PTR records mirror the A records of the forward zone (10.0.0.4 .. 10.0.0.8)
4               IN      PTR     example.com.
5               IN      PTR     nameserver1.example.com.
6               IN      PTR     nameserver2.example.com.
7               IN      PTR     mx1.example.com.
8               IN      PTR     mx2.example.com.

;dynamic address name: 10.0.0.100 .. 10.0.0.200 -> guest-100 .. guest-200
$GENERATE 100-200 $     IN PTR  guest-$.example.com.

Zone replication

  • master server : 10.0.0.1
  • slave server  : 10.0.0.2

On master

  • Modify /etc/bind/named.conf.options
        notify yes;                     # tell the slaves whenever a zone changes
        also-notify { 10.0.0.2;};       # notify this slave too, even if it has no NS record
        # Without allow-transfer, named's default lets any host pull whole zones
        # (zone enumeration); only the slave needs them
        allow-transfer { 10.0.0.2;};
        allow-update {none;};           # no dynamic updates (DDNS) on the master

On slave

  • Modify /etc/bind/named.conf.zones
# Slave copies of the zones, pulled from the master (10.0.0.1) by zone transfer.
# named writes the transferred zone to "file", so /var/cache/bind must be writable by bind
zone "zone1.lab" {
        type slave;
        file "/var/cache/bind/db.zone1.lab";
        masters {10.0.0.1;};
};

zone "zone2.lab" {
        type slave;
        file "/var/cache/bind/db.zone2.lab";
        masters {10.0.0.1;};
};

Elliot
techUnit's cofounder