Bind
Berkeley Internet Name Domain (bind) is an authoritative and recursive DNS server. It is sometimes referred to as bind9, after the current major version. The executable is named(8).
Installation
Install the bind package through your preferred package manager.
For systemd-capable systems, start and enable named.service.
For BSD distributions, try:
/etc/rc.d/named start
To launch the server on startup, update /etc/rc.conf:
named_enable="YES"
Configuration
named(8) is configured in /etc/named.conf. A basic configuration file is:
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    dnssec-validation auto;
    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
To check the syntax of the named(8) configuration, run:
named-checkconf /etc/named.conf
Recursive DNS
To enable recursive DNS, include recursion yes; in the options block and restrict who may recurse with allow-recursion.
If allow-recursion is not set (see above), then named(8) falls back on allow-query-cache, then on allow-query, and finally on a default of localnets and localhost.
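As an added example (not part of the original page), the following Python checker applies the allow-recursion fallback chain described above to the options block of a named.conf and flags the open-resolver case where recursion is enabled for any client. The two sample configurations are constructed for the example.

```python
import re

# Constructed sample: the ACL-restricted options block from this page (abridged).
PAGE_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
"""

# Constructed sample: no allow-recursion, so the ACL falls through to allow-query { any; }.
OPEN_CONF = """
options {
    recursion yes;
    allow-query { any; };
};
"""

# Default named(8) applies when none of the allow-* options sets the recursion ACL.
DEFAULT_ACL = ["localnets", "localhost"]


def parse_options(conf):
    """Return {option: [acl entries]} for block-valued options, plus the recursion flag."""
    m = re.search(r"options\s*\{(.*)\};", conf, re.S)
    body = m.group(1) if m else ""
    opts = {}
    for name, inner in re.findall(r"([\w-]+)\s*\{([^}]*)\}\s*;", body):
        opts[name] = [e.strip() for e in inner.split(";") if e.strip()]
    flag = re.findall(r"\brecursion\s+(yes|no)\s*;", body)
    opts["recursion"] = flag[-1] if flag else "yes"  # named(8) defaults to recursion yes
    return opts


def effective_recursion_acl(opts):
    """Resolve the ACL in the order the page gives: allow-recursion, allow-query-cache, allow-query, default."""
    for key in ("allow-recursion", "allow-query-cache", "allow-query"):
        if key in opts:
            return opts[key]
    return list(DEFAULT_ACL)


def is_open_resolver(conf):
    """True when recursion is on and the effective ACL admits every client."""
    opts = parse_options(conf)
    if opts["recursion"] != "yes":
        return False
    return any(e in ("any", "0.0.0.0/0", "::/0") for e in effective_recursion_acl(opts))
```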
Local Domains
For local domains, named(8) takes both a forward and reverse zone file.
zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/reverse/192.168.1";
    allow-update { none; };
};
For details on zone files, see here.
DNSSEC
named(8) can be configured to sign zones with DNSSEC. The keys should be saved in /var/named/master.
First, update the forward zone configuration in /etc/named.conf.
zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };
    auto-dnssec maintain;
    inline-signing yes;
    key-directory "master/";
};
Then generate the DNSSEC keys themselves: a zone-signing key, and a key-signing key with -f KSK. Run:
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com