BIND
Berkeley Internet Name Domain (BIND) is an authoritative and recursive DNS nameserver, commonly referred to as BIND9 after its current major version. The server binary is named(8).
BIND, first written at the University of California, Berkeley, was the first widely deployed DNS server implementation.
Installation
Install the bind package through your preferred package manager.
Supporting programs like dig(1) are sometimes split into a separate package named like dnsutils.
For systemd-capable systems, start and enable named.service.
For BSD distributions, try:
/etc/rc.d/named start
To launch the server on startup, update /etc/rc.conf:
named_enable="YES"
A Docker container image is available for the current and stable releases. It is published on DockerHub as docker.io/internetsystemsconsortium/bind9 (or simply internetsystemsconsortium/bind9 when using docker(1) specifically).
Note that this image runs as a recursive resolver out of the box. To use it as an authoritative server, additional configuration is necessary, and the configuration, zone, cache and log directories should be kept in volumes so they survive replacement of the container. Compare the below:
docker run \
    --name=bind-recursive \
    --restart=always \
    --publish 53:53/udp \
    --publish 53:53/tcp \
    --publish 127.0.0.1:953:953/tcp \
    internetsystemsconsortium/bind9:9.18
docker run \
    --name=bind-authoritative \
    --restart=always \
    --publish 53:53/udp \
    --publish 53:53/tcp \
    --publish 127.0.0.1:953:953/tcp \
    --volume /etc/bind \
    --volume /var/cache/bind \
    --volume /var/lib/bind \
    --volume /var/log \
    internetsystemsconsortium/bind9:9.18
Both commands publish port 53 on every host interface. For the recursive variant this exposes an open resolver to every network the host is reachable from, unless the image's named.conf restricts allow-recursion; bind the port to the address clients should use instead, for example --publish 192.168.1.1:53:53/udp. Port 953 is the rndc(8) control channel and is correctly restricted to 127.0.0.1.
Configuration
named(8) is configured in /etc/named.conf. A basic configuration file is:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    dnssec-validation auto;
    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
To check the configuration of named(8), run...
named-checkconf /etc/named.conf
Recursive DNS
Recursion is enabled by default in named(8); recursion yes; makes this explicit, and recursion no; turns it off for a purely authoritative server.
If allow-recursion is not set (see above), then named(8) falls back on allow-query-cache, then on allow-query, and finally on a built-in default of localnets and localhost. Because of this chain, an authoritative-only server that sets allow-query { any; }; but leaves recursion at its default becomes an open resolver; always set allow-recursion explicitly or disable recursion.
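The fallback chain above is easy to get wrong on a server meant to be authoritative only: allow-query is opened up, allow-recursion is never set, and recursion stays at its default of yes. The following Python is an added example, not part of the original page or of BIND itself. It applies the chain to the options block of a named.conf text and reports whether the result is an open resolver. The parser is deliberately minimal (no include files, no nested address-match lists), and the three sample configurations are constructed for the demonstration.

```python
import re

# BIND's fallback chain for the recursion ACL: allow-recursion, then
# allow-query-cache, then allow-query, then a built-in default.
RECURSION_ACL_FALLBACK = ("allow-recursion", "allow-query-cache", "allow-query")
DEFAULT_RECURSION_ACL = ("localnets", "localhost")
# ACL elements that admit every client (negated entries such as "!any" never match).
WORLD_ELEMENTS = {"any", "0.0.0.0/0", "0/0", "::/0"}


def _strip_comments(conf: str) -> str:
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def _block_body(conf: str, name: str) -> str:
    """Return the text between the braces of `name { ... };`, honouring nesting."""
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{", conf)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(conf) and depth:
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        i += 1
    return conf[m.end():i - 1]


def _acl(body: str, name: str):
    """Return the elements of `name { a; b; };` as a list, or None if the option is absent.

    Nested address-match lists inside the braces are not handled (assumption of this example).
    """
    m = re.search(r"(?<![\w-])" + re.escape(name) + r"\s*\{([^}]*)\}\s*;", body)
    if not m:
        return None
    return [e for e in re.split(r"[\s;]+", m.group(1)) if e]


def effective_recursion_acl(conf: str):
    """Return (recursion_enabled, acl_elements, source_option) for a named.conf text."""
    body = _block_body(_strip_comments(conf), "options")
    m = re.search(r"(?<![\w-])recursion\s+(yes|no|true|false|1|0)\s*;", body)
    recursion = m is None or m.group(1) in ("yes", "true", "1")  # BIND default is yes
    for option in RECURSION_ACL_FALLBACK:
        acl = _acl(body, option)
        if acl is not None:
            return recursion, acl, option
    return recursion, list(DEFAULT_RECURSION_ACL), "default"


def is_open_resolver(conf: str) -> bool:
    """True when recursion is on and the effective ACL admits any client."""
    recursion, acl, _ = effective_recursion_acl(conf)
    return recursion and any(e.lower() in WORLD_ELEMENTS for e in acl)


# Constructed sample configurations (not taken from a real deployment).
RESTRICTED_CONF = """
options {
    directory "/var/named";
    dnssec-validation auto;
    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
"""

# Common mistake on an "authoritative" server: allow-query opened to the world,
# allow-recursion left unset, recursion left at its default of yes.
LEAKY_CONF = """
options {
    directory "/var/named";
    allow-query { any; };   // needed for an authoritative server
};
zone "example.com" IN { type master; file "/var/named/master/example.com"; };
"""

# The fix: the same server with recursion switched off.
FIXED_CONF = LEAKY_CONF.replace("allow-query { any; };", "allow-query { any; };\n    recursion no;")

if __name__ == "__main__":
    for label, conf in (("restricted", RESTRICTED_CONF), ("leaky", LEAKY_CONF), ("fixed", FIXED_CONF)):
        verdict = "OPEN RESOLVER" if is_open_resolver(conf) else "ok"
        print(label, effective_recursion_acl(conf), verdict)
```

Run it against the real file with `is_open_resolver(open("/etc/named.conf").read())`; a True result on an internet-facing host is worth fixing before anything else in this page.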
Local Domains
For local domains, named(8) takes both a forward and a reverse zone file. The reverse zone for 192.168.1.0/24 is named by writing the network octets in reverse order under in-addr.arpa.
zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/reverse/192.168.1";
    allow-update { none; };
};
type master is the traditional spelling; BIND 9.16 and later also accept type primary. allow-update { none; }; refuses dynamic updates, which is the default and the right setting for a zone maintained from a file.
For details on zone files, see the BIND/ZoneFiles page.
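Deriving the reverse zone name and its PTR records from the forward data is the step most often done by hand, and most often done wrong. The Python below is an added example, not from the page or from BIND: it computes the reverse zone name for a network prefix (the 1.168.192.in-addr.arpa case above, generalized to /8 and /16 and to ip6.arpa) and builds the PTR records for the A records that fall inside that network. The forward records are constructed sample data.

```python
import ipaddress


def reverse_zone_name(cidr: str) -> str:
    """Name of the reverse zone that holds the PTR records for `cidr`.

    IPv4 prefixes must fall on an octet boundary (/8, /16, /24); classless
    delegations (RFC 2317) use a different scheme and are rejected here.
    IPv6 prefixes must fall on a nibble boundary.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    if net.version == 4:
        if net.prefixlen % 8:
            raise ValueError(f"{cidr}: in-addr.arpa zones need a /8, /16 or /24 prefix")
        labels = str(net.network_address).split(".")[: net.prefixlen // 8]
        return ".".join(reversed(labels)) + ".in-addr.arpa"
    if net.prefixlen % 4:
        raise ValueError(f"{cidr}: ip6.arpa zones need a prefix length that is a multiple of 4")
    nibbles = net.network_address.exploded.replace(":", "")[: net.prefixlen // 4]
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ptr_records(address_records, cidr: str, ttl: int = 3600):
    """Build PTR records for the A/AAAA records that fall inside `cidr`.

    `address_records` is an iterable of (fqdn, address). Addresses outside the
    network are skipped, since they belong in a different reverse zone.
    """
    net = ipaddress.ip_network(cidr, strict=True)
    records = []
    for name, address in address_records:
        ip = ipaddress.ip_address(address)
        if ip not in net:
            continue
        owner = ip.reverse_pointer + "."  # absolute owner name, e.g. 1.1.168.192.in-addr.arpa.
        target = name if name.endswith(".") else name + "."
        records.append(f"{owner} {ttl} IN PTR {target}")
    return records


# Constructed forward records for the example.com zone used on this page.
FORWARD_A = [
    ("ns1.example.com.", "192.168.1.1"),
    ("www.example.com", "192.168.1.10"),
    ("vpn.example.com.", "10.0.0.5"),  # not in 192.168.1.0/24: skipped
]

if __name__ == "__main__":
    print(reverse_zone_name("192.168.1.0/24"))
    for rr in ptr_records(FORWARD_A, "192.168.1.0/24"):
        print(rr)
```

The output is the record body of the reverse zone; the SOA and NS records at its apex are covered on the BIND/ZoneFiles page.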
DNSSEC
named(8) can be configured to sign zones. The keys should be saved in /var/named/master, which is where key-directory "master/" (relative to the directory option) points.
First, update the FORWARD zone configuration in /etc/named.conf:
zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };
    auto-dnssec maintain;
    inline-signing yes;
    key-directory "master/";
};
With inline-signing yes, named(8) leaves the zone file untouched and serves a signed copy that it maintains itself. auto-dnssec is deprecated since BIND 9.16 and removed in 9.20; on those versions replace auto-dnssec maintain; with dnssec-policy default; (keeping inline-signing yes; for a zone loaded from a file), which also generates and rolls the keys, so the manual dnssec-keygen step below is not needed.
Then generate the DNSSEC keys themselves, either from within /var/named/master or with -K /var/named/master added to each command. Run...
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
The first command produces the zone-signing key (ZSK), the second the key-signing key (KSK). NSEC3RSASHA1 (algorithm 7) is built on SHA-1 and is NOT RECOMMENDED for signing by RFC 8624; some validators already refuse it. Prefer ECDSAP256SHA256 (algorithm 13), which needs no -b:
dnssec-keygen -a ECDSAP256SHA256 -n ZONE example.com
dnssec-keygen -f KSK -a ECDSAP256SHA256 -n ZONE example.com
The resulting K*.key and K*.private files must be readable by the user named(8) runs as, and the .private files by nobody else. Load them with rndc loadkeys example.com, then publish the KSK's DS record in the parent zone; dnssec-dsfromkey prints it from the KSK's .key file.
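Before pointing key-directory at a directory of generated keys, it is worth checking what is actually in it. The Python below is an added example, not part of BIND or of the original page: it parses dnssec-keygen style .key files, recomputes each key tag (RFC 4034, Appendix B) to confirm that the K<owner>+<alg>+<tag>.key file name matches its contents, tells KSKs from ZSKs by the SEP flag, and flags algorithms that RFC 8624 deprecates for signing, including the NSEC3RSASHA1 used above. The sample key files are constructed with 4-byte placeholder key material (a real ECDSAP256SHA256 public key is 64 bytes) so the tags can be checked by hand.

```python
import base64
import re

# Algorithm numbers RFC 8624 lists as MUST NOT or NOT RECOMMENDED for signing.
WEAK_SIGNING_ALGORITHMS = {
    1: "RSAMD5", 3: "DSA", 5: "RSASHA1", 6: "DSA-NSEC3-SHA1",
    7: "NSEC3RSASHA1", 12: "ECC-GOST",
}

# "<owner> [<ttl>] IN DNSKEY <flags> <protocol> <algorithm> <base64 key>"
DNSKEY_RE = re.compile(
    r"^(\S+)\s+(?:\d+\s+)?IN\s+DNSKEY\s+(\d+)\s+(\d+)\s+(\d+)\s+(.+)$", re.I
)


def key_tag(flags: int, protocol: int, algorithm: int, pubkey: bytes) -> int:
    """Key tag over the DNSKEY RDATA (RFC 4034, Appendix B).

    Algorithm 1 (RSAMD5) uses a different rule and is not handled here;
    it must not be used for signing anyway.
    """
    rdata = flags.to_bytes(2, "big") + bytes([protocol, algorithm]) + pubkey
    ac = 0
    for i, byte in enumerate(rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def parse_key_file(text: str) -> dict:
    """Parse the DNSKEY record out of a .key file; lines starting with ';' are comments."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";"):
            continue
        m = DNSKEY_RE.match(line)
        if not m:
            continue
        owner, flags, protocol, algorithm, b64 = m.groups()
        flags, protocol, algorithm = int(flags), int(protocol), int(algorithm)
        pubkey = base64.b64decode("".join(b64.split()))
        return {
            "owner": owner,
            "flags": flags,
            "algorithm": algorithm,
            "tag": key_tag(flags, protocol, algorithm, pubkey),
            # Bit 15 of the flags is SEP: set on a KSK (257), clear on a ZSK (256).
            "role": "KSK" if flags & 1 else "ZSK",
        }
    raise ValueError("no DNSKEY record found")


def audit_key_directory(files: dict) -> list:
    """Check a key directory given as {filename: contents}; return a list of findings.

    An empty list means: at least one KSK and one ZSK, file names consistent
    with the key tags, and no algorithm RFC 8624 deprecates for signing.
    """
    findings = []
    roles = {"KSK": 0, "ZSK": 0}
    for fname, text in sorted(files.items()):
        key = parse_key_file(text)
        roles[key["role"]] += 1
        # dnssec-keygen names files K<owner>+<algorithm, 3 digits>+<tag, 5 digits>.key
        expected = f"K{key['owner']}+{key['algorithm']:03d}+{key['tag']:05d}.key"
        if fname != expected:
            findings.append(f"{fname}: name does not match DNSKEY contents (expected {expected})")
        if key["algorithm"] in WEAK_SIGNING_ALGORITHMS:
            findings.append(
                f"{fname}: algorithm {key['algorithm']} ({WEAK_SIGNING_ALGORITHMS[key['algorithm']]}) "
                "is deprecated for signing; regenerate with -a ECDSAP256SHA256"
            )
    if roles["KSK"] == 0:
        findings.append("no KSK present")
    if roles["ZSK"] == 0:
        findings.append("no ZSK present (acceptable only when the KSK is used as a combined signing key)")
    return findings


# Constructed sample key files; "AAECAw==" decodes to the 4 placeholder bytes 00 01 02 03.
PLACEHOLDER_KEY = "AAECAw=="
GOOD_KEYDIR = {
    "Kexample.com.+013+01554.key":
        "; This is a key-signing key, keyid 1554, for example.com.\n"
        f"example.com. IN DNSKEY 257 3 13 {PLACEHOLDER_KEY}\n",
    "Kexample.com.+013+01553.key":
        "; This is a zone-signing key, keyid 1553, for example.com.\n"
        f"example.com. IN DNSKEY 256 3 13 {PLACEHOLDER_KEY}\n",
}
# The same pair as produced by the NSEC3RSASHA1 (algorithm 7) commands above.
LEGACY_KEYDIR = {
    "Kexample.com.+007+01548.key": f"example.com. IN DNSKEY 257 3 7 {PLACEHOLDER_KEY}\n",
    "Kexample.com.+007+01547.key": f"example.com. IN DNSKEY 256 3 7 {PLACEHOLDER_KEY}\n",
}

if __name__ == "__main__":
    for label, keydir in (("modern", GOOD_KEYDIR), ("legacy", LEGACY_KEYDIR)):
        print(label, audit_key_directory(keydir) or ["ok"])
```

Against a real directory, build the dict with `{p.name: p.read_text() for p in Path("/var/named/master").glob("K*.key")}` and run the audit before `rndc loadkeys`.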