Friday, November 3, 2017

Install and setup bind9 server on Ubuntu 16.04



In this quick write up I am going to go over how to install Bind 9 on Ubuntu 16.04 and do a simple set up.







Installation


Here is the simple apt-get command to install bind9


  > sudo apt-get install bind9 bind9-doc









Set up


This bind9 server is going to act as an internal DNS server for me. It’s also going to forward queries that it is not authoritative for to Google’s DNS servers 8.8.8.8 and 8.8.4.4.

As an example, I am going to set it up to act as the authoritative DNS server for whiteboardcoder.cm and 10x13.com (but only locally within my network)



Logging


First let me set up logging.  Out of the box on Ubuntu bind9 logs, via the syslog tool, to /var/log/syslog.    That’s fine and all, but I prefer to log to a standalone bind9 log file so I am going to set that up.

First edit /etc/bind/named.conf


  > sudo vi /etc/bind/named.conf


Add the following line


include "/etc/bind/named.conf.log";







Then create the /etc/bind/named.conf.log file


  > sudo vi /etc/bind/named.conf.log


And put the following in it.  (as copied from https://oitibs.com/bind9-logs-on-debian-ubuntu/ [1])


logging {
  channel bind_log {
    file "/var/log/bind/bind.log" versions 3 size 5m;
    severity info;
    print-category yes;
    print-severity yes;
    print-time yes;
  };
  category default { bind_log; };
  category update { bind_log; };
  category update-security { bind_log; };
  category security { bind_log; };
  category queries { bind_log; };
  category lame-servers { null; };
};




Run the following commands to create folders and set ownership.


  > sudo mkdir /var/log/bind
  > sudo chown bind:root /var/log/bind
  > sudo chmod 775 /var/log/bind




Now tweak an apparmor setting.


  > sudo vi /etc/apparmor.d/usr.sbin.named


Update this section (comment out /var/log/named and add /var/log/bind)


  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  #/var/log/named/** rw,
  #/var/log/named/ rw,
  /var/log/bind/** rw,
  /var/log/bind/ rw,





Restart apparmor


  > sudo systemctl restart apparmor



Now restart the bind9 service


  > sudo systemctl restart bind9





Next let me set up a logrotate for this log file.



  > sudo vi /etc/logrotate.d/bind


And place the following in it.  (this logrotate should rotate the file every day, add a data extension to the file and compress it… well it won’t compress the first day backup because of delaycompress… Also it keeps 90 days worth I figure that is good number for my needs )


/var/log/bind/bind.log
{
  rotate 90
  daily
  dateext
  dateformat _%Y-%m-%d
  missingok
  create 644 bind bind
  delaycompress
  compress
  notifempty
  postrotate
    /bin/systemctl reload bind9
  endscript
}





Now test the logrotate


  > sudo logrotate -vf /etc/logrotate.d/bind






Looks like that worked








Bind options


Now let’s edit the /etc/bind/named.conf.options file.


  > sudo vi /etc/bind/named.conf.options




acl goodclients {
        192.0.0.0/24;
        localhost;
        localnets;
};
options {
        directory "/var/cache/bind";

        recursion yes;
        allow-query { goodclients; };

        forwarders {
                8.8.8.8;
                8.8.4.4;
        };
        forward only;

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};


Since I am only going to use this in my network I limited the clients to just my internal IP address range.

I also added forwarders to use Googles DNS servers when not looking up local domains for which this DNS server will be authoritative it will use the Google ones.

Then restart the service


  > sudo systemctl restart bind9




Now let’s test it.
My dns server has ip address 192.168.0.153 so I am going to use that with the dig command to get some results.

First I am going to tail the log file


  > tail -f /var/log/bind/bind.log


Then run this command to test it (the @<ip> tells dig where to query)


  > dig @192.168.0.153 www.pinterest.com +short




Wahoo it worked!

Nothing fancy yet I just wanted to make sure it was passing along its queries to the Google DNS servers.







Set up zones


Edit /etc/bind/named.conf.local to set up zones for DNS this server will be serve.  


  > sudo vi /etc/bind/named.conf.local


And place the following in it.


zone "10x13.com" {
        type master;
        file "/etc/bind/zones/db.10x13.com";
};

zone "whiteboardcoder.com" {
        type master;
        file "/etc/bind/zones/db.whiteboardcoder.com";
};

zone "168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.168.192";  # 192.168.0.0/16 subnet
};


This defines two zones 10x13.com and whiteboardcoder.com.  The file for each zone will define what to return when there is a DNS lookup for its zone.

Also this contains a reverse lookup 168.192.in-addr-arpa that will handle lookups of IP addresses and return hostnames.




Create the zones folder


  > sudo mkdir /etc/bind/zones


Next create the /etc/bind/db.10x13.com file


  > sudo vi /etc/bind/zones/db.10x13.com


And in my case I will place the following in it.


$TTL 900
@       IN      SOA     ns1.10x13.com. admin.10x13.com. (
                                1       ;<serial-number>
                              900       ;<time-to-refresh>
                              900       ;<time-to-retry>
                           604800       ;<time-to-expire>
                              900)      ;<minimum-TTL>
;List Nameservers
        IN      NS      ns1.10x13.com.
        IN      NS      ns3.10x13.com.
;address to name mapping
test1.10x13.com.        IN      A       192.168.0.80
test2.10x13.com.        IN      A       192.168.0.99
ns1.10x13.com.          IN      A       192.168.0.153
ns3.10x13.com.          IN      A       192.168.0.153







Here is an explanation line by line of what is going on.  (see this site https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/3/html/Reference_Guide/s1-bind-zone.html [2]  for more detailed info)

$TTL 900

Sets the default Time to live.  This is the length of time, in seconds, that a zone resource record is valid. (It can be overridden per resource)

@       IN      SOA     ns1.10x13.com. admin.10x13.com. (

SOA (Start of Authority), this sets what name server is authoritative for this namespace.  In this case the namserver is ns1.10x13.com after that an email address is given as a contact point admin.10x13.com will be interpreted as admin@10x13.com

1 ;<serial-number>

This is the serial number.  Every time you updated this record increment this number and the changes will be loaded.   (This is something I have not used in the past I typically just restarted bind9, but I think it’s a better idea to use this)


900       ;<time-to-refresh>

Time, in seconds, before a slave DNS must re-query this server for info on this domain.


900       ;<time-to-retry>

Time, in seconds, for a slave DNS server to wait before issuing a refresh request to the master DNS.


604800       ;<time-to-expire>

If the master has not replied to a request to a slave DNS in the time to expire, in seconds, the slave DNS will no longer respond to request for this domain.


 900)      ;<minimum-TTL>

Time, in seconds, how long other nameservers cache the zone’s info.


;List Nameservers
        IN      NS      ns1.10x13.com.
        IN      NS      ns3.10x13.com.

List all namerservers for this zone.  You should have at least two, though they can point to the same IP address J


;address to name mapping
test1.10x13.com.        IN      A       192.168.0.80
test2.10x13.com.        IN      A       192.168.0.99
ns1.10x13.com.          IN      A       192.168.0.153
ns3.10x13.com.          IN      A       192.168.0.153

The actual domain name to IP address mapping.  In this simple case I am just creating A records.  The given subdomain results in the given IP address.




Now let me create the other two zone files


  > sudo vi /etc/bind/zones/db.whiteboardcoder.com


And in my case I will place the following in it.


$TTL 900
@       IN      SOA     ns1.10x13.com. admin.10x13.com. (
                                1       ;<serial-number>
                              900       ;<time-to-refresh>
                              900       ;<time-to-retry>
                           604800       ;<time-to-expire>
                              900)      ;<minimum-TTL>
;List Nameservers
       IN       NS          ns1.10x13.com.
       IN       NS          ns3.10x13.com.
;address to name mapping
test1.whiteboardcoder.com.   IN      A       192.168.0.80
test2.whiteboardcoder.com.   IN      A       192.168.0.99
;Now for aliases
www                          IN      CNAME ghs.google.com.
offtopic                     IN      CNAME ghs.google.com.
*                            IN      CNAME whiteboardcoder.com.


This file has aliases, CNAMEs, in addition to the A records.  CNAME (Canonical Name) is an alias





  > sudo vi /etc/bind/zones/db.168.192


And in my case I will place the following in it.


$TTL    900
@       IN      SOA     ns1.10x13.com. admin.10x13.com. (
                                2       ;<serial-number>
                              900       ;<time-to-refresh>
                              900       ;<time-to-retry>
                           604800       ;<time-to-expire>
                              900)      ;<minimum-TTL>
; name servers
      IN      NS      ns1.10x13.com.
      IN      NS      ns2.10x13.com.

; PTR Records
153.0   IN      PTR     ns1.10x13.com.      ; 192.168.0.153
153.0   IN      PTR     ns2.10x13.com.      ; 192.168.0.153
80.0    IN      PTR     test1.10x13.com.           ; 192.168.0.80
99.0    IN      PTR     test2.10x13.com.           ; 192.168.0.99
99.0    IN      PTR     test2.whiteboardcoder.com. ; 192.168.0.99







Restart and test


Now restart the bind9 service


  > sudo systemctl restart bind9



Then run this command to test it (the @<ip> tells dig where to query)


  > dig +short @192.168.0.153 test1.10x13.com
  > dig +short @192.168.0.153 test2.10x13.com








  > dig +short @192.168.0.153 test1.whiteboardcoder.com
  > dig +short @192.168.0.153 test2.whiteboardcoder.com







Now to look up an IP address and get a domain name.


  > dig +short -x 192.168.0.80
  > dig +short -x 192.168.0.99





References


[1]        Bind9 logs on debian
                Accessed 10/2017
[2]        Bind9 reference guide
                Accessed 10/2017



1 comment:

  1. hlo im using free nom as a register ,how much time should i wait

    ReplyDelete