= Bind =

'''Berkeley Internet Name Domain''' ('''BIND''') is an authoritative, recursive [[Protocols/DNS|DNS]] nameserver. It was developed as the reference implementation of the modern DNS system. Sometimes referred to as '''BIND9''', the binary is '''`named(8)`'''.

----

== Installation ==

Most [[Linux]] and [[BSD]] distributions offer a `bind` package. Supporting programs like [[Bind/Dig|dig(1)]] are sometimes split into a separate package named like `dnsutils`.

For `systemd`-capable systems, [[Linux/Systemd|start and enable]] `named.service`.

For BSD distributions, try:

{{{
/etc/rc.d/named start
}}}

To launch the server on startup, update `/etc/rc.conf`:

{{{
named_enable="YES"
}}}

=== Containers ===

A [[Docker]] container image is available for the current and stable releases. These are available from [[Docker/Hub|DockerHub]] as `docker.io/internetsystemsconsortium/bind9` (or simply `internetsystemsconsortium/bind9` when using `docker(1)` specifically).

Note that this image runs as a recursive resolver by default. To use it as an authoritative nameserver, additional configuration and [[Docker/BindMounts|bind mounts]] are necessary. Compare the two invocations below:

{{{
docker run \
  --name=bind-recursive \
  --restart=always \
  --publish 53:53/udp \
  --publish 53:53/tcp \
  --publish 127.0.0.1:953:953/tcp \
  internetsystemsconsortium/bind9:9.18

docker run \
  --name=bind-authoritative \
  --restart=always \
  --publish 53:53/udp \
  --publish 53:53/tcp \
  --publish 127.0.0.1:953:953/tcp \
  --volume /etc/bind \
  --volume /var/cache/bind \
  --volume /var/lib/bind \
  --volume /var/log \
  internetsystemsconsortium/bind9:9.18
}}}

----

== Configuration ==

`named(8)` is configured in `/etc/named.conf`.
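The access-list fallback that the Recursive DNS subsection below describes, as an added example that is not code from this page or from BIND: a small reader for the top-level `options` block that reports which statement actually governs recursion and flags an open resolver. Both sample blocks are constructed, one copied from the basic configuration that follows, the other deliberately permissive.

```python
import re
DEFAULT_ACL = ["localnets", "localhost"]     # BIND's built-in last resort
OPEN_TOKENS = {"any", "0.0.0.0/0", "::/0"}   # admit every source address
_ACL_RE = re.compile(
    r"\b(allow-recursion|allow-query-cache|allow-query)\s*\{([^}]*)\}\s*;")
_RECURSION_RE = re.compile(r"(?<![\w-])recursion\s+(yes|no)\s*;")

def strip_comments(conf: str) -> str:
    """Drop /* */, // and # comments so commented-out statements are ignored."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.DOTALL)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def block_body(conf: str, name: str) -> str:
    """Text inside the braces of the top-level `name { ... };` (depth-tracked)."""
    m = re.search(r"\b%s\s*\{" % name, conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    raise ValueError(f"unbalanced braces in {name} block")

def effective_recursion_acl(conf: str) -> tuple:
    """(recursion enabled?, statement supplying the ACL, ACL tokens)."""
    body = block_body(strip_comments(conf), "options")
    rec = _RECURSION_RE.search(body)
    enabled = rec.group(1) == "yes" if rec else True   # BIND defaults to yes
    acls = {k: [t.strip() for t in v.split(";") if t.strip()]
            for k, v in _ACL_RE.findall(body)}
    # Fallback order: allow-recursion, allow-query-cache, allow-query, default.
    for stmt in ("allow-recursion", "allow-query-cache", "allow-query"):
        if stmt in acls:
            return enabled, stmt, acls[stmt]
    return enabled, "default", list(DEFAULT_ACL)

def is_open_resolver(conf: str) -> bool:
    """True when recursion is on and the effective ACL admits any source."""
    enabled, _, acl = effective_recursion_acl(conf)
    return enabled and any(t in OPEN_TOKENS for t in acl)

# Constructed sample: this page's options block plus a zone block, to show
# that the brace scanner stops at the end of `options`.
PAGE_CONF = """options { directory "/var/named"; recursion yes;
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    allow-recursion { 127.0.0.1; 192.168.1.0/24; }; };
zone "example.com" IN { type primary; file "/var/named/primary/example.com"; };"""
# Constructed sample: no allow-recursion, so allow-query { any; } governs.
OPEN_CONF = "options { recursion yes; allow-query { any; }; };"
```

Run it against a real `/etc/named.conf` by reading the file into `effective_recursion_acl`; a result of `any` from `allow-query` with recursion enabled is the classic open-resolver misconfiguration.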
A basic configuration file is:

{{{
options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    dnssec-validation auto;
    listen-on { 127.0.0.1; 192.168.1.1; };
    listen-on-v6 { ::1; };
    allow-query { 127.0.0.1; 192.168.1.0/24; };
    recursion yes;
    allow-recursion { 127.0.0.1; 192.168.1.0/24; };
};
}}}

To check the configuration of `named(8)`, run:

{{{
named-checkconf /etc/named.conf
}}}

=== Recursive DNS ===

To enable recursive DNS, include `recursion yes;`. If `allow-recursion` is not set (see above), then `named(8)` falls back on `allow-query-cache`, then on `allow-query`, and finally on a default of `localnets` and `localhost`.

=== Local Domains ===

For local domains, `named(8)` takes both a '''forward''' and a '''reverse zone''' file.

{{{
zone "example.com" IN {
    type primary;
    file "/var/named/primary/example.com";
    allow-update { none; };
};

zone "1.168.192.in-addr.arpa" IN {
    type primary;
    file "/var/named/reverse/192.168.1";
    allow-update { none; };
};
}}}

Note that `primary` zones have historically been called `master` zones. This terminology is still found in many documents, and the two are equivalent in practice, but upstream prefers the former.

For details on zone files, see [[Bind/ZoneFiles|here]].

=== DNSSEC ===

`named(8)` can be configured to sign DNS zones. The keys should be saved in `/var/named/primary`.

First, update the '''forward''' zone configuration in `/etc/named.conf`:

{{{
zone "example.com" IN {
    type primary;
    file "/var/named/primary/example.com";
    allow-update { none; };
    auto-dnssec maintain;
    inline-signing yes;
    key-directory "primary/";
};
}}}

Then generate the DNSSEC keys themselves. Run:
{{{
dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
}}}

----

== See also ==

 * [[https://bind9.readthedocs.io/en/latest/|Bind9 documentation]]
 * [[Bind/ZoneFiles|Bind zone files]]
 * [[https://man.archlinux.org/man/extra/bind/named.8.en|named(8)]]
 * [[Bind/Dig|dig(1)]]

----

CategoryRicottone