|
Size: 3563
Comment:
|
← Revision 25 as of 2023-06-22 20:13:51 ⇥
Size: 4114
Comment:
|
| Deletions are marked like this. | Additions are marked like this. |
| Line 1: | Line 1: |
| = BIND = | = Bind = |
| Line 3: | Line 3: |
| '''Berkeley Internet Name Domain''' ('''BIND''') is an authoritative, recursive [[Protocols/DNS|DNS]] nameserver. Sometimes referred to as '''BIND9''', specifying the current version. The binary is '''`named(8)`'''. | '''Berkeley Internet Name Domain''' ('''BIND''') is an authoritative, recursive [[Protocols/DNS|DNS]] nameserver. It was developed as the reference implementation of the modern DNS system. |
| Line 5: | Line 5: |
| This was the ''first'' DNS. | Sometimes referred to as '''BIND9''', the binary is '''`named(8)`'''. |
| Line 15: | Line 15: |
| Install the `bind` package through your preferred package manager. Supporting programs like `dig(1)` are sometimes split into a separate package named like `dnsutils`. |
Most [[Linux]] and [[BSD]] distributions offer a `bind` package. Supporting programs like [[Bind/Dig|dig(1)]] are sometimes split into a separate package named like `dnsutils`. |
| Line 33: | Line 31: |
=== Containers === |
|
| Line 35: | Line 37: |
| Note that this image works automatically as a recursive resolver. To use as an authoritative resolver, additional configuration is necessary. Compare the below: | Note that this image works automatically as a recursive resolver. To use as an authoritative resolver, additional configuration and [[Docker/BindMounts|bind mounts]] are necessary. Compare the below: |
| Line 76: | Line 78: |
| listen-on-v6 { ::1; }; | |
| Line 104: | Line 107: |
| type master; file "/var/named/master/example.com"; |
type primary; file "/var/named/primary/example.com"; |
| Line 110: | Line 113: |
| type master; | type primary; |
| Line 116: | Line 119: |
| For details on zone files, see [[BIND/ZoneFiles|here]]. | Note that `primary` zones have historically been called `master` zones. This terminology will still be found in many documents, and the two are equivalent in practice, but upstream prefers the former. For details on zone files, see [[Bind/ZoneFiles|here]]. |
| Line 122: | Line 127: |
| `named(8)` can be configured to sign DNS. The keys should be saved in `/var/named/master`. | `named(8)` can be configured to sign DNS. The keys should be saved in `/var/named/primary`. |
| Line 128: | Line 133: |
| type master; file "/var/named/master/example.com"; |
type primary; file "/var/named/primary/example.com"; |
| Line 134: | Line 139: |
| key-directory "master/"; | key-directory "primary/"; |
| Line 145: | Line 150: |
| ---- == See also == [[https://bind9.readthedocs.io/en/latest/|Bind9 documentation]] [[Bind/ZoneFiles|Bind zone files]] [[https://man.archlinux.org/man/extra/bind/named.8.en|named(8)]] [[Bind/Dig|dig(1)]] |
Bind
Berkeley Internet Name Domain (BIND) is an authoritative, recursive DNS nameserver. It was developed as the reference implementation of the modern DNS system.
Sometimes referred to as BIND9, the binary is named(8).
Installation
Most Linux and BSD distributions offer a bind package. Supporting programs like dig(1) are sometimes split into a separate package named like dnsutils.
For systemd-capable systems, start and enable named.service.
For BSD distributions, try:
/etc/rc.d/named start
To launch the server on startup, update /etc/rc.conf:
named_enable="YES"
Containers
A Docker container image is available for the current and stable releases. These are available from DockerHub as docker.io/internetsystemsconsortium/bind9 (or simply internetsystemsconsortium/bind9 when using docker(1) specifically).
Note that this image works automatically as a recursive resolver. To use as an authoritative resolver, additional configuration and bind mounts are necessary. Compare the below:
docker run \ --name=bind-recursive \ --restart=always \ --publish 53:53/udp \ --publish 53:53/tcp \ --publish 127.0.0.1:953:953/tcp \ internetsystemsconsortium/bind9:9.18 docker run \ --name=bind-authoritative \ --restart=always \ --publish 53:53/udp \ --publish 53:53/tcp \ --publish 127.0.0.1:953:953/tcp \ --volume /etc/bind \ --volume /var/cache/bind \ --volume /var/lib/bind \ --volume /var/log \ internetsystemsconsortium/bind9:9.18
Configuration
named(8) is configured in /etc/named.conf. A basic configuration file is:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
dnssec-validation auto;
listen-on { 127.0.0.1; 192.168.1.1; };
listen-on-v6 { ::1; };
allow-query { 127.0.0.1; 192.168.1.0/24; };
recursion yes;
allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};To check the configuration of named(8), run...
named-checkconf /etc/named.conf
Resursive DNS
To enable recursive DNS, simply include recursion yes;.
If allow-recursion is not set (see above), then named(8) falls back on allow-query-cache, then on allow-query, and finally a default of localnets and localhost.
Local Domains
For local domains, named(8) takes both a forward and reverse zone file.
zone "example.com" IN {
type primary;
file "/var/named/primary/example.com";
allow-update { none; };
};
zone "1.168.192.in-addr.arpa" IN {
type primary;
file "/var/named/reverse/192.168.1";
allow-update { none; };
};Note that primary zones have historically been called master zones. This terminology will still be found in many documents, and the two are equivalent in practice, but upstream prefers the former.
For details on zone files, see here.
DNSSEC
named(8) can be configured to sign DNS. The keys should be saved in /var/named/primary.
First, update the FORWARD zone configuration, in /etc/named.conf.
zone "example.com" IN {
type primary;
file "/var/named/primary/example.com";
allow-update { none; };
auto-dnssec maintain;
inline-signing yes;
key-directory "primary/";
};Then generate the DNSSEC keys themselves. Run...
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com