In this quick write up I
am going to go over how to install Bind 9 on Ubuntu 16.04 and do a simple set
up.
Installation
Here is the simple
apt-get command to install bind9
> sudo apt-get install bind9 bind9-doc
|
Set up
This bind9 server is going to act as an internal DNS server
for me. It’s also going to forward queries that it is not authoritative for to
Google’s DNS servers 8.8.8.8 and 8.8.4.4.
As an example, I am going to set it up to act as the authoritative DNS server for whiteboardcoder.com and 10x13.com (but only locally, within my network).
Logging
First let me set up logging.
Out of the box on Ubuntu bind9 logs, via the syslog tool, to
/var/log/syslog. That’s fine and all,
but I prefer to log to a standalone bind9 log file so I am going to set that
up.
First edit /etc/bind/named.conf
> sudo vi /etc/bind/named.conf
|
Add the following line
include "/etc/bind/named.conf.log";
|
Then create the /etc/bind/named.conf.log file
> sudo vi /etc/bind/named.conf.log
|
And put the following in it.
(as copied from https://oitibs.com/bind9-logs-on-debian-ubuntu/
[1])
logging {
    channel bind_log {
        file "/var/log/bind/bind.log" versions 3 size 5m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category default { bind_log; };
    category update { bind_log; };
    category update-security { bind_log; };
    category security { bind_log; };      // ACL refusals ("... denied") land here
    category queries { bind_log; };       // one line per query; useful, but noisy on a busy server
    category lame-servers { null; };
};
|
Run the following commands to create folders and set
ownership.
> sudo mkdir /var/log/bind
> sudo chown bind:root /var/log/bind
> sudo chmod 775 /var/log/bind
|
Now tweak an apparmor setting.
> sudo vi /etc/apparmor.d/usr.sbin.named
|
Update this section (comment out /var/log/named and add
/var/log/bind)
# some people like to put logs in /var/log/named/ instead of having
# syslog do the heavy lifting.
#/var/log/named/** rw,
#/var/log/named/ rw,
/var/log/bind/** rw,
/var/log/bind/ rw,
|
Restart apparmor
> sudo systemctl restart apparmor
|
Now restart the bind9 service
> sudo systemctl restart bind9
|
Next let me set up a logrotate for this log file.
> sudo vi /etc/logrotate.d/bind
|
And place the following in it. This rotates the file every day, adds a date extension to the rotated file and compresses it (except for the newest backup, because of delaycompress). It keeps 90 days' worth, which I figure is a good number for my needs. One thing to watch: the versions 3 size 5m on the channel in named.conf.log makes named rotate the file itself once it reaches 5 MB (bind.log.0, .1, .2), independently of logrotate. If logrotate is meant to be the only thing rotating the log, drop versions and size from the channel so the two mechanisms do not fight over the file.
/var/log/bind/bind.log {
    rotate 90
    daily
    dateext
    dateformat _%Y-%m-%d
    missingok
    create 644 bind bind
    delaycompress
    compress
    notifempty
    postrotate
        /bin/systemctl reload bind9
    endscript
}
|
Now test the logrotate
> sudo logrotate -vf /etc/logrotate.d/bind
|
Looks like that worked
Bind options
Now let’s edit the /etc/bind/named.conf.options file.
> sudo vi /etc/bind/named.conf.options
|
acl goodclients {
    192.168.0.0/24;   // the LAN this server (192.168.0.153) sits on
    localhost;
    localnets;
};

options {
    directory "/var/cache/bind";

    recursion yes;
    allow-query { goodclients; };   // only the LAN may ask; everyone else gets REFUSED

    forwarders {
        8.8.8.8;
        8.8.4.4;
    };
    forward only;

    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
};
|
Since I am only going to use this in my network I limited the clients to just my internal IP address range: the goodclients acl is 192.168.0.0/24 (the network the server at 192.168.0.153 sits on) plus localhost and localnets. With recursion yes, allow-query is also what stops this from being an open resolver; queries from anywhere else are refused, and each refusal is logged under the security category in bind.log. If allow-query is ever widened, add an explicit allow-recursion { goodclients; }; so recursion stays restricted to the LAN.
I also added forwarders so that any name this server is not authoritative for is sent to Google's DNS servers; with forward only it never queries other name servers directly.
Then restart the service
> sudo systemctl restart bind9
|
Now let’s test it.
My dns server has ip address 192.168.0.153 so I am going to
use that with the dig command to get some results.
First I am going to tail the log file
> tail -f /var/log/bind/bind.log
|
Then run this command to test it (the @<ip> tells dig
where to query)
> dig @192.168.0.153 www.pinterest.com +short
|
Wahoo it worked!
Nothing fancy yet; I just wanted to make sure it was passing along its queries to the Google DNS servers.
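With category queries pointed at bind.log, the log is also a data source for spotting abuse. The shell functions below are an added example, not part of the original post: they summarise query-log lines the way a quick triage would, listing the busiest clients, the clients whose queries the allow-query ACL refused, and the count of a given query type (ANY is the classic amplification indicator). The sample lines are constructed to match the layout the channel above produces on the BIND 9.10 shipped with Ubuntu 16.04 (time, category, severity, then the client line); the addresses and names in them are made up, and the function names are my own.

```shell
#!/bin/sh
# Added example: triage helpers for /var/log/bind/bind.log.
# Expected line shape with print-time, print-category and print-severity on:
#   19-Oct-2017 10:03:11.431 queries: info: client 192.168.0.80#41022 (www.pinterest.com): query: www.pinterest.com IN A +E (192.168.0.153)
# BIND 9.11+ inserts a "@0x..." token after "client"; the helpers find the
# address by its addr#port shape rather than by position, so both layouts work.

sample_log() {
  # Constructed sample lines, not taken from a real server.
  cat <<'EOF'
19-Oct-2017 10:03:11.431 queries: info: client 192.168.0.80#41022 (www.pinterest.com): query: www.pinterest.com IN A +E (192.168.0.153)
19-Oct-2017 10:03:11.902 queries: info: client 192.168.0.80#41023 (test1.10x13.com): query: test1.10x13.com IN A + (192.168.0.153)
19-Oct-2017 10:03:12.110 queries: info: client 192.168.0.99#55100 (test2.10x13.com): query: test2.10x13.com IN AAAA + (192.168.0.153)
19-Oct-2017 10:03:13.007 queries: info: client 10.9.8.7#53 (example.org): query: example.org IN ANY + (192.168.0.153)
19-Oct-2017 10:03:13.500 security: info: client 10.9.8.7#53 (example.org): query (cache) 'example.org/ANY/IN' denied
19-Oct-2017 10:03:14.212 queries: info: client 192.168.0.80#41030 (www.pinterest.com): query: www.pinterest.com IN A +E (192.168.0.153)
EOF
}

client_addrs() {
  # stdin: log lines; stdout: the client address of each line (addr#port -> addr)
  awk '{ for (i = 1; i <= NF; i++) if ($i ~ /#[0-9]+$/) { split($i, a, "#"); print a[1]; break } }'
}

top_clients() {
  # stdin: log lines; stdout: "<count> <addr>" for the queries category, busiest first
  grep ' queries: ' | client_addrs | sort | uniq -c | sort -rn | awk '{ print $1, $2 }'
}

denied_clients() {
  # stdin: log lines; stdout: unique addresses whose queries the ACL refused
  # (these are hosts outside goodclients probing the server)
  grep ' denied' | client_addrs | sort -u
}

count_qtype() {
  # $1: query type such as ANY; stdin: log lines; stdout: number of queries of that type
  grep ' queries: ' | awk -v t="$1" '
    { for (i = 1; i <= NF; i++) if ($i == "query:") { if ($(i + 3) == t) n++; break } }
    END { print n + 0 }'
}

# Against the live log: sudo sh -c '. ./triage.sh; top_clients < /var/log/bind/bind.log'
# Demo on the constructed sample:
sample_log | top_clients
sample_log | denied_clients
echo "ANY queries: $(sample_log | count_qtype ANY)"
```

The grep on " queries: " relies on print-category being on, which is why it was enabled in the channel; without it the category word is missing and every line would have to be classified by its message text instead.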
Set up zones
Edit /etc/bind/named.conf.local to define the zones this server will serve.
> sudo vi /etc/bind/named.conf.local
|
And place the following in it.
zone "10x13.com" {
    type master;
    file "/etc/bind/zones/db.10x13.com";
};

zone "whiteboardcoder.com" {
    type master;
    file "/etc/bind/zones/db.whiteboardcoder.com";
};

zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.168.192";   # reverse zone for 192.168.0.0/16
};
|
This defines two zones, 10x13.com and whiteboardcoder.com, for which this server is the master. The file for each zone defines what to return for lookups within that zone. It also defines the reverse zone 168.192.in-addr.arpa, which covers every address in 192.168.0.0/16 (the octets appear in reverse order) and maps IP addresses back to hostnames.
Create the zones folder
> sudo mkdir /etc/bind/zones
|
Next create the /etc/bind/zones/db.10x13.com file
> sudo vi /etc/bind/zones/db.10x13.com
|
And in my case I will place the following in it.
$TTL 900
@ IN SOA ns1.10x13.com. admin.10x13.com. (
        1       ;<serial-number>
        900     ;<time-to-refresh>
        900     ;<time-to-retry>
        604800  ;<time-to-expire>
        900 )   ;<minimum-TTL>

;List Nameservers
        IN NS ns1.10x13.com.
        IN NS ns3.10x13.com.

;address to name mapping
test1.10x13.com.  IN A 192.168.0.80
test2.10x13.com.  IN A 192.168.0.99
ns1.10x13.com.    IN A 192.168.0.153
ns3.10x13.com.    IN A 192.168.0.153
|
Here is an explanation line by line of what is going
on. (see this site https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-bind-zone.html
[2] for more detailed info)
$TTL 900
Sets the default Time To Live: the length of time, in seconds, that a resource record from this zone may be cached by whoever looks it up. It can be overridden per record.
@ IN SOA ns1.10x13.com. admin.10x13.com. (
SOA (Start of Authority) names the primary name server for this zone, ns1.10x13.com, followed by a contact address written with the @ replaced by a dot, so admin.10x13.com. is read as admin@10x13.com. The @ at the start of the line stands for the zone origin (10x13.com.). Names that end in a dot are absolute; a name without the trailing dot gets the origin appended.
1 ;<serial-number>
This is the serial number. Slave servers compare it with the copy they hold and only transfer the zone when it has gone up, so increment it every time you change this file. (On the master itself the file is still only re-read when named is reloaded.)
(This is something I have not used in the past; I typically just restarted bind9, but I think it’s a better idea to use this.)
900 ;<time-to-refresh>
Time, in seconds, before a slave DNS server re-queries this server to check whether the zone has changed.
900 ;<time-to-retry>
Time, in seconds, a slave waits before retrying a refresh that failed.
604800 ;<time-to-expire>
If a slave has been unable to refresh from the master for this long, in seconds, it stops answering for the zone altogether.
900) ;<minimum-TTL>
Time, in seconds, that other name servers may cache negative answers (NXDOMAIN) for this zone. Since RFC 2308 this field no longer sets the default record TTL; $TTL at the top does that.
;List Nameservers
IN NS ns1.10x13.com.
IN NS ns3.10x13.com.
List all name servers for this zone. You should have at least two, though they can point to the same IP address. The owner name is left blank on these lines, so they belong to the previous owner, @, i.e. the zone itself.
;address to name mapping
test1.10x13.com. IN A 192.168.0.80
test2.10x13.com. IN A 192.168.0.99
ns1.10x13.com. IN A 192.168.0.153
ns3.10x13.com. IN A 192.168.0.153
The actual domain name to IP address mapping. In this simple case I am just creating A records: the given name resolves to the given IPv4 address. The name servers listed in the NS records need A records too, which is why ns1 and ns3 are defined here.
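Forgetting to bump the serial is the usual way a zone change fails to reach slaves, so here is a small helper, added as an example and not part of the original post, that reads or increments the serial in a zone file laid out like the ones in this post (SOA data opened with a parenthesis, serial as the first number after it), then validates the file with named-checkzone and reloads the zone with rndc when those tools are installed. The zone text in sample_zone is the db.10x13.com file from above; the function and variable names are my own.

```shell
#!/bin/sh
# Added example: read or increment the SOA serial of a zone file, then check and reload.
# Assumes the SOA data is opened with "(" and the serial is the first all-digit
# token after it, as in the zone files in this post.

sample_zone() {
  # db.10x13.com as shown above
  cat <<'EOF'
$TTL 900
@ IN SOA ns1.10x13.com. admin.10x13.com. (
        1       ;<serial-number>
        900     ;<time-to-refresh>
        900     ;<time-to-retry>
        604800  ;<time-to-expire>
        900 )   ;<minimum-TTL>
;List Nameservers
        IN NS ns1.10x13.com.
        IN NS ns3.10x13.com.
;address to name mapping
test1.10x13.com.  IN A 192.168.0.80
ns1.10x13.com.    IN A 192.168.0.153
EOF
}

_serial_awk() {
  # $1 = 0: print the serial only; $1 = 1: print the whole file with serial+1
  awk -v bump="$1" '
    function out(line) { if (bump) print line }
    done { out($0); next }
    /[[:space:]]SOA[[:space:]]/ { insoa = 1 }
    insoa {
      match($0, /^[[:space:]]*/); lead = substr($0, 1, RLENGTH)   # keep indentation
      for (i = 1; i <= NF; i++) {
        if (paren && $i ~ /^[0-9]+$/) {
          done = 1
          if (bump) { $i = $i + 1; out(lead $0) } else print $i
          next
        }
        if ($i ~ /\($/) paren = 1   # serial is the first number after the "("
      }
    }
    { out($0) }'
}

current_serial() { _serial_awk 0 < "$1"; }

bump_serial() {
  # Rewrite $1 with serial+1 via a temp file, then print the new serial.
  tmp="$1.tmp.$$"
  _serial_awk 1 < "$1" > "$tmp" && mv "$tmp" "$1" || return 1
  current_serial "$1"
}

check_and_reload() {
  # $1 = zone name, $2 = zone file. Only runs the BIND tools when installed.
  if command -v named-checkzone >/dev/null 2>&1; then
    named-checkzone "$1" "$2" || return 1
  fi
  if command -v rndc >/dev/null 2>&1; then
    rndc reload "$1"
  fi
}

# Typical use on the server:
#   bump_serial /etc/bind/zones/db.10x13.com && check_and_reload 10x13.com /etc/bind/zones/db.10x13.com
```

The same increment applies to db.whiteboardcoder.com and db.168.192; named-checkzone takes the zone name as its first argument, so the reverse zone is checked as named-checkzone 168.192.in-addr.arpa /etc/bind/zones/db.168.192.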
Now let me create the other two zone files
> sudo vi /etc/bind/zones/db.whiteboardcoder.com
|
And in my case I will place the following in it.
$TTL 900
@ IN SOA ns1.10x13.com. admin.10x13.com. (
        1       ;<serial-number>
        900     ;<time-to-refresh>
        900     ;<time-to-retry>
        604800  ;<time-to-expire>
        900 )   ;<minimum-TTL>

;List Nameservers
        IN NS ns1.10x13.com.
        IN NS ns3.10x13.com.

;address to name mapping
test1.whiteboardcoder.com.  IN A 192.168.0.80
test2.whiteboardcoder.com.  IN A 192.168.0.99

;Now for aliases
www       IN CNAME ghs.google.com.
offtopic  IN CNAME ghs.google.com.
*         IN CNAME whiteboardcoder.com.
|
This file has aliases, CNAME (Canonical Name) records, in addition to the A records. A CNAME makes one name an alias for another: www and offtopic have no trailing dot, so they are read as www.whiteboardcoder.com. and offtopic.whiteboardcoder.com., and both resolve to whatever ghs.google.com. resolves to. The * entry is a wildcard: any name under whiteboardcoder.com that has no record of its own becomes an alias for whiteboardcoder.com. itself (which has no A record in this file, so such a lookup returns the CNAME but no address). A name that carries a CNAME may not have any other record type, which is why the aliases are kept apart from the names with A records.
> sudo vi /etc/bind/zones/db.168.192
|
And in my case I will place the following in it.
$TTL 900
@ IN SOA ns1.10x13.com. admin.10x13.com. (
        2       ;<serial-number>
        900     ;<time-to-refresh>
        900     ;<time-to-retry>
        604800  ;<time-to-expire>
        900 )   ;<minimum-TTL>

; name servers (same set as in db.10x13.com; ns2.10x13.com has no A record, so it is not used)
        IN NS ns1.10x13.com.
        IN NS ns3.10x13.com.

; PTR Records: owner is <4th octet>.<3rd octet>, relative to 168.192.in-addr.arpa
153.0   IN PTR ns1.10x13.com.             ; 192.168.0.153
153.0   IN PTR ns3.10x13.com.             ; 192.168.0.153
80.0    IN PTR test1.10x13.com.           ; 192.168.0.80
99.0    IN PTR test2.10x13.com.           ; 192.168.0.99
99.0    IN PTR test2.whiteboardcoder.com. ; 192.168.0.99
|
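Reverse zones are easy to get wrong because the owner names are the address octets in reverse order, relative to the zone origin. The shell functions below are an added example rather than code from the post: they derive the PTR lines for 168.192.in-addr.arpa from the A records of a forward zone, so db.168.192 can be regenerated from the forward files instead of typed by hand. The sample zone text is constructed from the db.10x13.com records above plus one relative owner name (to show how it is qualified) and one address outside 192.168/16 (to show filtering); the function names are mine.

```shell
#!/bin/sh
# Added example: generate in-addr.arpa PTR records from a forward zone's A records.

sample_forward_zone() {
  # Constructed from the db.10x13.com records above, plus a relative-name
  # record (no trailing dot) and a record outside 192.168/16.
  cat <<'EOF'
$TTL 900
@ IN SOA ns1.10x13.com. admin.10x13.com. ( 1 900 900 604800 900 )
        IN NS ns1.10x13.com.
        IN NS ns3.10x13.com.
;address to name mapping
test1.10x13.com.    IN A 192.168.0.80
test2.10x13.com.    IN A 192.168.0.99
ns1.10x13.com.      IN A 192.168.0.153
ns3.10x13.com.      IN A 192.168.0.153
www                 IN A 192.168.0.5
external.10x13.com. IN A 203.0.113.10
EOF
}

ptr_records() {
  # $1: first two octets of the /16, e.g. 192.168 (zone 168.192.in-addr.arpa)
  # $2: origin of the forward zone, used to qualify owner names without a trailing dot
  # stdin: forward zone text; stdout: "<o4>.<o3> IN PTR <fqdn>." lines
  awk -v prefix="$1." -v origin="$2" '
    NF == 0 || substr($1, 1, 1) == ";" || substr($0, 1, 1) == "$" { next }
    {
      # a line that starts with whitespace reuses the previous owner name
      if ($0 ~ /^[[:space:]]/) name = last; else { name = $1; last = $1 }
      for (i = 2; i <= NF; i++) if ($i == "A") break
      if (i >= NF) next                      # no A type, or nothing after it
      addr = $(i + 1)
      if (index(addr, prefix) != 1) next     # outside the /16 this reverse zone covers
      if (name == "@") name = origin "."
      else if (name !~ /\.$/) name = name "." origin "."
      split(addr, o, ".")
      printf "%s.%s IN PTR %s\n", o[4], o[3], name
    }'
}

reverse_zone() {
  # $1: serial; remaining args: origin=file pairs. Emits a complete 168.192.in-addr.arpa zone
  # using the same SOA/NS header as the zone files in this post.
  serial=$1; shift
  printf '$TTL 900\n@ IN SOA ns1.10x13.com. admin.10x13.com. ( %s 900 900 604800 900 )\n' "$serial"
  printf '        IN NS ns1.10x13.com.\n        IN NS ns3.10x13.com.\n'
  for pair in "$@"; do
    origin=${pair%%=*}; file=${pair#*=}
    ptr_records 192.168 "$origin" < "$file"
  done
}

# On the server:
#   reverse_zone 3 10x13.com=/etc/bind/zones/db.10x13.com \
#       whiteboardcoder.com=/etc/bind/zones/db.whiteboardcoder.com > /etc/bind/zones/db.168.192
# Demo on the constructed sample:
sample_forward_zone | ptr_records 192.168 10x13.com
```

Because both forward zones put test2 on 192.168.0.99, the generated file carries two PTR records for 99.0, exactly as the hand-written one above does; that is legal, and dig -x returns both.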
Restart and test
Now restart the bind9 service. Before doing so it is worth running named-checkconf (for named.conf and the files it includes) and named-checkzone on each zone file: a broken zone file does not stop named from starting, it just leaves that zone unserved, with the reason only in bind.log.
> sudo systemctl restart bind9
|
Then run this command to test it (the @<ip> tells dig
where to query)
> dig +short @192.168.0.153 test1.10x13.com
> dig +short @192.168.0.153 test2.10x13.com
|
> dig +short @192.168.0.153 test1.whiteboardcoder.com
> dig +short @192.168.0.153 test2.whiteboardcoder.com
|
Now to look up an IP address and get a domain name. The -x flag builds the in-addr.arpa name for you (192.168.0.80 becomes 80.0.168.192.in-addr.arpa); keep the @ so the query goes to this server rather than to whatever resolver /etc/resolv.conf points at.
> dig +short @192.168.0.153 -x 192.168.0.80
> dig +short @192.168.0.153 -x 192.168.0.99
|
References
[1] Bind9 logs on Debian/Ubuntu, https://oitibs.com/bind9-logs-on-debian-ubuntu/ (accessed 10/2017)
[2] Bind9 reference guide (zone files), https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-bind-zone.html (accessed 10/2017)
Hello, I'm using Freenom as a registrar; how much time should I wait?