Differences between revisions 9 and 11 (spanning 2 versions)
Revision 9 as of 2022-09-24 01:03:18
Size: 2498
Comment:
Revision 11 as of 2022-09-24 01:08:05
Size: 2603
Comment:
Deletions are marked like this. Additions are marked like this.
Line 14: Line 14:

Supporting programs like `dig(1)` are sometimes split into a separate package named like `dnsutils`.
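Review bot: the added sentence says dig(1) is "sometimes" packaged separately but not where; name the distributions concerned (dnsutils is the Debian package name) so the reader knows when it has to be installed alongside bind.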
Line 86: Line 88:
For details on zone files, see [[Bind/ZoneFiles|here]]. For details on zone files, see [[BIND/ZoneFiles|here]].
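Review bot: changing the link target from Bind/ZoneFiles to BIND/ZoneFiles only fixes the link if the subpage really lives under a page named BIND; this page itself is titled Bind (see the footer), so confirm which parent name the subpage was created under, otherwise the link stays broken.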

BIND

Berkeley Internet Name Domain (BIND) is an authoritative and recursive DNS nameserver. It is sometimes referred to as BIND9, after the current major version. The server binary is named(8).


Installation

Install the bind package through your preferred package manager.

Supporting programs like dig(1) are sometimes split into a separate package named like dnsutils.

For systemd-capable systems, start and enable named.service.

For BSD distributions, try:

/etc/rc.d/named start

To launch the server on startup, update /etc/rc.conf:

named_enable="YES"


Configuration

named(8) is configured in /etc/named.conf. A basic configuration file is:

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";

    dnssec-validation auto;

    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};

To check the configuration of named(8), run...

named-checkconf /etc/named.conf

Recursive DNS

To enable recursive DNS, include recursion yes; in the options block.

If allow-recursion is not set (see above), then named(8) falls back on allow-query-cache, then on allow-query, and finally a default of localnets and localhost.
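As an added example (not from this wiki page), the script below applies the fallback order just described to decide whether a given client would be granted recursion, which is a quick way to catch an accidentally open resolver before the server is exposed. It parses only a flat options block like the one on this page, and the helper names, the sample configuration and the treatment of localhost/localnets are assumptions of this example, not BIND's own code.

```python
import ipaddress
import re

# Constructed sample: the page's options block without allow-recursion, so the
# fallback chain (allow-query-cache, then allow-query) is what decides.
SAMPLE_CONF = """
options {
    directory "/var/named";
    listen-on { 127.0.0.1; 192.168.1.1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
};
"""

# Fallback order from the section above; the built-in default is localnets + localhost.
ACL_ORDER = ("allow-recursion", "allow-query-cache", "allow-query")

def effective_recursion_acl(conf):
    """Return (acl-name, entries) for the ACL named(8) would actually consult."""
    for name in ACL_ORDER:
        m = re.search(r"\b" + re.escape(name) + r"\s*\{([^}]*)\}", conf)
        if m:
            return name, [e.strip() for e in m.group(1).split(";") if e.strip()]
    return "default", ["localnets", "localhost"]

def recursion_allowed(conf, client_ip, localnets=()):
    """True if a recursive query from client_ip would be served.
    Hypothetical helper, not BIND code: "localhost" is treated as loopback
    only and "localnets" as the networks the caller passes in (BIND derives
    both from the host's interfaces); only a flat options block is parsed.
    """
    if not re.search(r"\brecursion\s+yes\s*;", conf):
        return False
    client = ipaddress.ip_address(client_ip)
    nets = [ipaddress.ip_network(n) for n in localnets]
    for entry in effective_recursion_acl(conf)[1]:
        negate = entry.startswith("!")   # "!x" denies clients matching x
        e = entry.lstrip("!").strip()
        if e in ("any", "none"):
            hit = e == "any"
        elif e == "localhost":
            hit = client.is_loopback
        elif e == "localnets":
            hit = any(client in n for n in nets)
        else:
            hit = client in ipaddress.ip_network(e, strict=False)
        if hit:
            return not negate            # first matching entry decides
    return False                         # nothing matched: denied
```

Run it against your own options block with an address from outside your networks (for example 203.0.113.7): a True result means the server is an open resolver for that client.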

Local Domains

For local domains, named(8) takes both a forward and reverse zone file.

zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "/var/named/reverse/192.168.1";
    allow-update { none; };
};

For details on zone files, see here.

DNSSEC

named(8) can be configured to sign its zones with DNSSEC. The keys should be saved in /var/named/master.

First, update the FORWARD zone configuration, in /etc/named.conf.

zone "example.com" IN {
    type master;
    file "/var/named/master/example.com";
    allow-update { none; };

    auto-dnssec maintain;
    inline-signing yes;
    key-directory "master/";
};

Then generate the DNSSEC keys themselves, in the key directory (/var/named/master). Run...

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com



Bind (last edited 2023-06-22 20:13:51 by DominicRicottone)