Differences between revisions 1 and 2
Revision 1 as of 2020-11-10 18:36:31
Revision 2 as of 2020-11-19 18:14:15
bind

Berkeley Internet Name Domain (bind) is an authoritative, recursive DNS server. It is sometimes referred to as bind9, after its current major version. The executable is named(8).


Installation

Install the bind package through your preferred package manager.

For systemd-capable systems, start and enable named.service.


Configuration

named(8) is configured in /etc/named.conf. A basic configuration file is:

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";

    dnssec-validation auto;

    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

To check the configuration of named(8), run...

named-checkconf /etc/named.conf

Recursive DNS

To enable recursive DNS, simply include recursion yes;.

If allow-recursion is not set (see above), then named(8) falls back on allow-query-cache, then on allow-query, and finally a default of localnets and localhost.
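The fallback chain above can be checked mechanically. The following is an added example, not part of this page or of BIND: it pulls the ACL statements out of a constructed options block, reports which statement actually governs recursion, and flags the configuration if recursion is reachable from anywhere. It assumes the flat options layout shown on this page; nested acl and view statements are not handled.

```python
import re

# Constructed sample (not a real deployment): the basic configuration from this
# page with allow-recursion deliberately left out, so the fallback applies.
SAMPLE_CONF = """
options {
    directory "/var/named";
    dnssec-validation auto;
    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
};
"""

# Order in which named(8) falls back when allow-recursion is absent.
FALLBACK = ("allow-recursion", "allow-query-cache", "allow-query")
DEFAULT_ACL = ["localnets", "localhost"]


def parse_options(conf):
    """Return the statements of the options {} block as {name: raw value}."""
    m = re.search(r"options\s*\{(.*?)\n\};", conf, re.S)
    if not m:
        raise ValueError("no options block found")
    stmts = {}
    for line in m.group(1).splitlines():
        line = line.strip()
        if not line or line.startswith(("//", "#")):
            continue
        name, _, rest = line.partition(" ")
        stmts[name] = rest.rstrip(";").strip()
    return stmts


def parse_acl(value):
    """Turn '{ a; b; }' into ['a', 'b']."""
    body = value.strip().lstrip("{").rstrip("}")
    return [e.strip() for e in body.split(";") if e.strip()]


def effective_recursion_acl(stmts):
    """Apply the fallback chain; return (governing statement, ACL entries)."""
    if stmts.get("recursion", "yes") != "yes":      # recursion defaults to yes
        return ("recursion-off", [])
    for name in FALLBACK:
        if name in stmts:
            return (name, parse_acl(stmts[name]))
    return ("default", DEFAULT_ACL)


def is_open_resolver(stmts):
    """True when the effective recursion ACL admits every client."""
    _, acl = effective_recursion_acl(stmts)
    return any(e in ("any", "0.0.0.0/0", "::/0") for e in acl)
```

For the sample above the governing statement is allow-query, so recursion is limited to 127.0.0.1 and 192.168.1.0/24; swap that list for `any` and the same function reports an open resolver.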

Local Domains

For local domains, named(8) takes both a forward and reverse zone file.

zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/reverse/192.168.1";
    allow-update { none; };
};

For details on zone files, see the Bind/ZoneFiles page.

DNSSEC

named(8) can be configured to sign zones with DNSSEC. The keys should be saved in /var/named/master.

First, update the FORWARD zone configuration, in /etc/named.conf.

zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };

    auto-dnssec maintain;
    inline-signing yes;
    key-directory "master/";
};

Then generate the DNSSEC keys themselves. Run...

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com



Bind (last edited 2023-06-22 20:13:51 by DominicRicottone)