Submitter: Doug Hunley


This document describes the process of installing Bind 9.x on your Linux box as a Caching DNS server.

The steps to install it are as follows:

  1. Install OpenSSL
  2. Download the latest stable release from ISC.org *
  3. Extract the tarball like so:
    • tar zxvf bind-9.x.tar.gz
    • cd bind-9.x
  4. Configure the software:
    • ./configure --prefix=/usr \
          --sysconfdir=/etc \
          --enable-threads \
          --localstatedir=/var/state \
          --with-libtool \
          --with-openssl=/usr/ssl
  5. Compile it:
    • make
  6. Remove all existing Bind software:
    • rpm -q -a | grep '^bind' | while read line
        do
            rpm -e --nodeps $line
        done
  7. Install your new Bind:
    • make install
    • On releases before 9.2.0, also install the manual pages by hand (not needed on 9.2.0 and above):
        cd doc/man/bin
        for i in 1 5 8
        do
            install *.$i /usr/man/man$i
        done
        cd ../dnssec
        install *.8 /usr/man/man8
  8. Update your library resolutions:
    • ldconfig -v
  9. Create the Bind user and group
    • groupadd named
    • useradd -d /var/named -g named -s /bin/false named
  10. Adjust the group/perms on /var/run
    • vigr (add named to the 'daemon' group)
    • chown root:daemon /var/run
    • chmod 775 /var/run
  11. Create the Bind rundir
    • mkdir -p /var/named/pz
    • chown -R named:named /var/named
    • chmod -R 755 /var/named
  12. Create a script to maintain the root.hints file
    • cat << "EOF" > update_named
        #!/bin/sh
        cd /var/named
        wget http://dns.vrx.net/tech/rootzone/db.root
        if [ -s /var/named/db.root ] ; then
            chown named:named /var/named/db.root
            /etc/rc.d/named stop
            mv /var/named/root.hints /var/named/root.hints.old
            mv /var/named/db.root /var/named/root.hints
            /etc/rc.d/named start
        fi
        EOF
  13. Make the script executable, and execute it (Bind will probably fail, but your root.hints file will get updated like we wanted)
    • chmod 700 update_named
    • ./update_named
  14. Move the script to your monthly cron directory
    • mv update_named /etc/cron.monthly
  15. Create /var/named/pz/127.0.0 as below:

    $TTL 1D

    @           1D IN SOA   localhost. root.localhost. (
                        42      ; serial (d. adams)
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum

                1D IN NS    localhost.
    1           1D IN PTR   localhost.

  16. Create /var/named/pz/192.168.1
    • ln -s 127.0.0 192.168.1 (run this from within /var/named/pz)
  17. Create /etc/resolv.conf
    • echo "nameserver 127.0.0.1" > /etc/resolv.conf
  18. Create your rndc password (we'll use "hush" for ours)
    • mmencode (this command is part of the metamail package)
    • hush
    • aHVz (mmencode returns this)
    • ^C
  19. Create /etc/rndc.conf as below:

    // this file is used by the rndc utility
    options {
        // what host should rndc attempt to control by default
        default-server localhost;
        // and what key should it use to communicate with named
        default-key "rndc-key";
    };

    server localhost {
        // always use this key with this host
        key "rndc-key";
    };

    key "rndc-key" {
        // how was the key encoded
        algorithm hmac-md5;
        // what's the password
        secret "aHVz";
    };

    // secret was generated by running mmencode on command line
    // and then entering a secret phrase

  20. Create /etc/rndc.key as below:

    // this file is used when named starts up and sees that
    // there is a key assigned to the control channel
    key "rndc-key" {
        // how was the key encoded
        algorithm hmac-md5;
        // what's the password
        secret "aHVz";
    };

  21. And finally, create /etc/named.conf as below:

    // This is a configuration file for named (from BIND 9.0 or later).
    // It would normally be installed as /etc/named.conf.
    //
    // Changed to match secure example from LASG 5/17/00
    // Changed to match Linux Journal example 9/17/00
    // Added new "view" sections to stop fingerprinting of Bind 9.x per
    // Bugtraq 1/31/00
    // Added rndc key stuff per DNS & Bind (Rev. 4) Chapter 11
    // added use-id-pool and more comments based on above chapter

    options {
        // Directory where bind should create files if
        // not explicitly stated
        directory "/var/named";

        // whom do we allow to do zone transfers
        allow-transfer { 192.168.1.0/24; };

        // new in Bind 9.x to allow RFC1886 -> RFC2874 conversion
        // to support IPv6
        // allow-v6-synthesis { 192.168.1.10; };
        // OBSOLETED in 9.3.0 + !!

        // tell Bind to check the names in zone files
        // since it no longer does this by default
        // (unimplemented 9.3.0+)
        check-names master warn;

        // sets the size of something or other to 20Mb ;)
        datasize 20M;

        // sets the size of the journal to 5Mb
        max-journal-size 5M;

        // Bind 9.x doesn't recognize this yet :(
        // deallocate-on-exit no;

        // where should Bind put a dump of its cache
        // if told to dump it
        dump-file "named_dump.db";

        // how often should bind check for new
        // interfaces to listen on. we turn
        // this off by setting it to 0
        interface-interval 0;

        // specify what interfaces/ips to listen on
        // as the default is all of them
        listen-on { 192.168.1.10; 127.0.0.1; };

        // define a maximum size of cached records
        // new in Bind 9.x
        max-cache-size 20M;

        // where to write stats of memory usage
        // Bind 9.x doesn't recognize this yet :(
        memstatistics-file "named.memstats";

        // where to put our pid file
        // absolute path since we don't want
        // it in /var/named
        pid-file "/var/run/named.pid";

        // force Bind to use port 53 for its
        // network operation to other DNS
        // servers (Bind 9 uses high ports
        // by default). Makes firewalling easier
        query-source address * port 53;
        transfer-source * port 53;
        notify-source * port 53;

        // where to dump Bind server stats
        statistics-file "named.stats";

        // force Bind to be "more" random in assigning
        // message ids
        use-id-pool yes;

        // If the chaos view below doesn't work
        // for some reason, still give out a bogus
        // answer for Bind version requests
        version "This is not the port you're looking for.";

        // keep stats on a zone basis
        zone-statistics yes;
    };

    controls {
        // this allows rndc to be used from the localhost
        // to talk to bind on the loopback interface
        // using the key defined as 'rndc-key'
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
    };

    // the rest of the key configuration is in
    // /etc/rndc.conf and the key itself is in
    // /etc/rndc.key
    key "rndc-key" {
        // how was key encoded
        algorithm hmac-md5;
        // what is the pass-phrase for the key
        secret "aHVz";
    };

    logging {
        channel named_info {
            // log to syslog instead of a file
            syslog;
            // include the category of the event in the log
            print-category yes;
            // include the severity of the event in the log
            print-severity yes;
            // include the time of the event in the log
            print-time yes;
        };

        // Processing of client requests
        category client { named_info; };

        // named.conf parsing and processing
        category config { named_info; };

        // Messages relating to internal memory structures
        category database { named_info; };

        // This is the default for any category not specifically defined
        category default { named_info; };

        // The catch-all. Anything without a category of its own
        category general { named_info; };

        // Uncomment if you don't want to know about lame servers.
        // Leave commented and it defaults to the
        // value of default above
        // category lame-servers { null; };

        // The NOTIFY protocol
        category notify { named_info; };

        // Network operations
        category network { named_info; };

        // DNS resolution like recursive lookups, etc..
        category resolver { named_info; };

        // Approval and denial of requests
        category security { named_info; };

        // Dynamic updates
        category update { named_info; };

        // Queries. Duh.
        category queries { named_info; };

        // Zone transfers received
        category xfer-in { named_info; };

        // Zone transfers sent
        category xfer-out { named_info; };
    };

    // this is where we define different versions
    // of our zones based on where the client is
    // coming from.
    // the first view that matches a client is
    // the one that gets used, so order can be
    // important
    view "external-chaos" chaos {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        recursion no;
        zone "." {
            type hint;
            // this causes a null response to queries
            // about the Bind version
            file "/dev/null";
        };
    };

    view "external" {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        zone "." {
            type hint;
            file "root.hints";
        };
    };

    view "external-127" {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        zone "0.0.127.in-addr.arpa" {
            type master;
            file "pz/127.0.0";
            allow-update {
                none;
            };
        };
    };

    view "external-192" {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        zone "1.168.192.in-addr.arpa" {
            type master;
            file "pz/192.168.1";
            allow-update {
                none;
            };
        };
    };

  22. The only thing left to do is start Bind:
    • /usr/sbin/named -u named
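A stricter version of the update_named cron script from step 12, added here as an example; it is not part of the original howto. The original swaps in whatever wget downloaded as long as the file is non-empty, so an HTTP error page or a truncated transfer would replace a working root.hints. This version downloads to a temporary name first, checks that the download actually looks like a root hints file (root NS records plus at least one root-server address, and no HTML) before moving it into place, and reloads named through rndc instead of stopping and starting it. The directory, the download URL and the use of rndc are assumptions taken from the rest of this page; the sample files used to exercise it are constructed.

```sh
#!/bin/sh
# Added example, not from the original howto: a stricter replacement for the
# update_named script. Assumptions (taken from the page, not verified here):
# named keeps its files in /var/named, rndc is configured as in the howto,
# and the download URL is the one the howto uses.
set -u

NAMED_DIR=${NAMED_DIR:-/var/named}
HINTS_URL=${HINTS_URL:-http://dns.vrx.net/tech/rootzone/db.root}

# looks_like_hints FILE
# Return 0 only if FILE contains at least one NS record for the root (".")
# and at least one A record for a root server name, and is not an HTML page.
looks_like_hints() {
    f=$1
    [ -s "$f" ] || return 1
    # a failed download often leaves an HTML error page behind
    if grep -qi '<html' "$f"; then
        return 1
    fi
    # grep -c exits 1 when the count is 0, so keep the count and ignore the status
    ns=$(grep -Eic '^\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?NS[[:space:]]' "$f" || true)
    a=$(grep -Eic '^[A-Z]\.ROOT-SERVERS\.NET\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?A[[:space:]]' "$f" || true)
    [ "$ns" -ge 1 ] && [ "$a" -ge 1 ]
}

# install_hints SRC DIR
# Move SRC into place as DIR/root.hints, keeping the previous file as
# root.hints.old. Leaves everything untouched and returns 1 if SRC fails
# the sanity check.
install_hints() {
    src=$1
    dir=$2
    if ! looks_like_hints "$src"; then
        echo "refusing to install $src: does not look like a root hints file" >&2
        return 1
    fi
    if [ -f "$dir/root.hints" ]; then
        cp -p "$dir/root.hints" "$dir/root.hints.old"
    fi
    mv "$src" "$dir/root.hints"
}

# fetch_and_install
# Download to a temporary name so a failed transfer never touches the live
# file, then ask the running named to reload over the rndc control channel.
fetch_and_install() {
    tmp=$NAMED_DIR/db.root.tmp
    if ! wget -q -O "$tmp" "$HINTS_URL"; then
        rm -f "$tmp"
        return 1
    fi
    chown named:named "$tmp"
    if ! install_hints "$tmp" "$NAMED_DIR"; then
        rm -f "$tmp"
        return 1
    fi
    rndc reload
}

# Only run the network part when invoked as the cron script itself, so the
# functions can also be sourced and exercised against local files.
case $(basename "$0") in
    update_named) fetch_and_install ;;
esac
```

Install it as /etc/cron.monthly/update_named just as the page does with the original; the download runs only when the script is invoked under that name.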
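The rndc secret on this page is produced by running mmencode, which is a base64 encoder, over a short word: base64 is an encoding, not a random source, so the resulting secret has only as much unpredictability as the word typed in. The following added example (not from the original page) generates the secret from /dev/urandom instead, prints the key stanza that must be identical in rndc.conf, rndc.key and named.conf, and checks two such files for agreement, since a mismatch between them is the usual reason rndc cannot talk to named. The file paths and the key name rndc-key are taken from this page; the algorithm stays hmac-md5 to match the page, although newer BIND releases also accept hmac-sha256 in that field. Releases of BIND that ship rndc-confgen can generate an equivalent key for you.

```sh
#!/bin/sh
# Added example, not from the original howto: random rndc secret generation
# and a consistency check between rndc.key and named.conf.
# Assumptions: the key is named "rndc-key" and the files live where the
# howto puts them (/etc/rndc.key, /etc/named.conf).
set -u

# gen_secret [BYTES]
# Print a random secret, base64 encoded on one line. 32 bytes gives 44 chars.
gen_secret() {
    bytes=${1:-32}
    head -c "$bytes" /dev/urandom | base64 | tr -d '\n'
}

# key_stanza NAME SECRET
# Print the key { } block that goes, identically, into rndc.conf, rndc.key
# and named.conf.
key_stanza() {
    printf 'key "%s" {\n    algorithm hmac-md5;\n    secret "%s";\n};\n' "$1" "$2"
}

# secret_of NAME FILE
# Extract the secret of key NAME from a BIND-style config file. Prints
# nothing if the key is not present.
secret_of() {
    name=$1
    file=$2
    # collect the lines from 'key "NAME" {' to the closing '};', then pull
    # out the quoted value on the secret line
    sed -n "/key[[:space:]]*\"$name\"[[:space:]]*{/,/};/p" "$file" \
        | sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' \
        | head -n 1
}

# keys_match NAME FILE1 FILE2
# Return 0 if both files define key NAME with the same, non-empty secret.
keys_match() {
    s1=$(secret_of "$1" "$2")
    s2=$(secret_of "$1" "$3")
    [ -n "$s1" ] && [ "$s1" = "$s2" ]
}

# Typical use on the box (paths as in the howto):
#   secret=$(gen_secret)
#   key_stanza rndc-key "$secret" > /etc/rndc.key
#   ... paste the same stanza into /etc/rndc.conf and /etc/named.conf ...
#   keys_match rndc-key /etc/rndc.key /etc/named.conf || echo "key mismatch"
```

Keep /etc/rndc.key readable only by root and the named user; the secret is all that stands between anyone who can reach 127.0.0.1:953 and full control of the server.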
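A review pass over a named.conf, added here as an example and not part of the original page. The configuration above pins query-source to port 53 to make firewalling easier; on a recursive server that also gives up source-port randomisation, which is one of the main defences against having the cache poisoned with forged answers (the 2008 Kaminsky attack relied on predictable source ports), and newer BIND releases therefore pick a random port unless told otherwise. The script flags that setting, a zone transfer list open to anyone, recursion with no restricted client list, and hmac-md5 keys. It is a plain-grep sanity check, not a substitute for BIND's named-checkconf; the sample configs it is run on are constructed for the test.

```sh
#!/bin/sh
# Added example, not from the original howto: a small lint for named.conf
# settings that are risky on a recursive (caching) server. Heuristic greps
# only; run named-checkconf as well for syntax.
set -u

# strip_comments FILE
# Drop // and # line comments so commented-out directives (as in the
# howto's config) are not reported as live settings.
strip_comments() {
    sed -e 's|//.*$||' -e 's|#.*$||' "$1"
}

# lint_named_conf FILE
# Print one line per finding and return the number of findings (0 = clean).
lint_named_conf() {
    conf=$(strip_comments "$1")
    n=0

    # a fixed outgoing port makes forged answers far easier to match
    if printf '%s\n' "$conf" | grep -Eq 'query-source[^;]*port[[:space:]]+[0-9]+'; then
        echo "WARN fixed query-source port disables source-port randomisation"
        n=$((n + 1))
    fi

    # anyone may pull full zone contents
    if printf '%s\n' "$conf" | grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "WARN allow-transfer { any; } exposes zone contents to everyone"
        n=$((n + 1))
    fi

    # recursion is on by default; require some client list that names a
    # network (allow-recursion, allow-query or a view's match-clients),
    # otherwise this is an open resolver usable for reflection
    if ! printf '%s\n' "$conf" | grep -Eq 'recursion[[:space:]]+no[[:space:]]*;'; then
        if ! printf '%s\n' "$conf" | grep -Eq '(allow-recursion|allow-query|match-clients)[[:space:]]*\{[^}]*[0-9]'; then
            echo "WARN recursion enabled without a restricted allow-recursion/allow-query/match-clients list"
            n=$((n + 1))
        fi
    fi

    # hmac-md5 still works but newer releases accept stronger algorithms
    if printf '%s\n' "$conf" | grep -Eq 'algorithm[[:space:]]+hmac-md5'; then
        echo "INFO hmac-md5 key: prefer hmac-sha256 on BIND releases that support it"
        n=$((n + 1))
    fi

    return "$n"
}

# Typical use: lint_named_conf /etc/named.conf; echo "findings: $?"
```

On the configuration from this page the script reports the fixed query-source port and the hmac-md5 key; the views' match-clients lists keep it from being an open resolver, and allow-transfer is already limited to the local network.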

Congrats! You now have a fairly secure, caching name server that can be controlled using rndc!

Enjoy your new Bind server!
