Beyond Linux® From Scratch (System V Edition) - Version 11.2

Chapter 20. Major Servers

BIND-9.18.6

Introduction to BIND

The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the BIND Utilities-9.18.6.

This package is known to build and work properly using an LFS-11.2 platform.

Package Information

BIND Dependencies

Required

libuv-1.44.2

Recommended

JSON-C-0.16 and libcap-2.65 with PAM

Optional

cURL-7.84.0, libidn2-2.3.3, libxml2-2.10.0, lmdb-0.9.29, MIT Kerberos V5-1.20, cmocka, geoip, pytest, Sphinx (required to build documentation), and w3m

Optional database backends

Berkeley DB-5.3.28, MariaDB-10.6.9 or MySQL, OpenLDAP-2.6.3, PostgreSQL-14.5, and unixODBC-2.3.11

Optional (to run the test suite)

Net-DNS-1.34

User Notes: https://wiki.linuxfromscratch.org/blfs/wiki/bind

Installation of BIND

Install BIND by running the following commands: 

./configure --prefix=/usr           \
            --sysconfdir=/etc       \
            --localstatedir=/var    \
            --mandir=/usr/share/man \
            --disable-static        &&
make

Issue the following commands to run the complete suite of tests. First, as the root user, set up some test interfaces:

[Note]

Note

If IPv6 is not enabled in the kernel, there will be several error messages: "RTNETLINK answers: Operation not permitted". These messages do not affect the tests. 

bin/tests/system/ifconfig.sh up

The test suite may indicate some skipped tests depending on what configuration options are used. Some tests are marked UNTESTED or does even fail if Net-DNS-1.34 is not installed. To run the tests, as an unprivileged user, execute: 

make -k check

Again as root, clean up the test interfaces: 

bin/tests/system/ifconfig.sh down

Finally, install the package as the root user: 

make install

Command Explanations

--sysconfdir=/etc: This parameter forces BIND to look for configuration files in /etc instead of /usr/etc.

--with-libidn2: This parameter enables the IDNA2008 (Internationalized Domain Names in Applications) support.

--enable-fetchlimit: Use this option if you want to be able to limit the rate of recursive client queries. This may be useful on servers which receive a large number of queries.

--disable-linux-caps: BIND can also be built without capability support by using this option, at the cost of some loss of security.

--with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub}: Use one (or more) of those options to add Dynamically Loadable Zones support. For more information refer to bind-dlz.sourceforge.net.

--disable-static: This switch prevents installation of static versions of the libraries.

Configuring BIND

Config files

named.conf, root.hints, 127.0.0, rndc.conf, and resolv.conf

Configuration Information

BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.

Create the unprivileged user and group named: 

groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /srv/named

Set up some files, directories and devices needed by BIND: 

mkdir -p /srv/named &&
cd       /srv/named &&
mkdir -p dev etc/named/{slave,pz} usr/lib/engines var/run/named &&
mknod /srv/named/dev/null c 1 3 &&
mknod /srv/named/dev/urandom c 1 9 &&
chmod 666 /srv/named/dev/{null,urandom} &&
cp /etc/localtime etc

The rndc.conf file contains information for controlling named operations with the rndc utility. Generate a key for use in the named.conf and rndc.conf with the rndc-confgen command: 

rndc-confgen -a -b 512 -t /srv/named

Complete the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys: 

cat >> /srv/named/etc/named.conf << "EOF"
options {
    directory "/etc/named";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
      null;                               // toss anything sent to
                                          // this channel
  };
};
EOF

Create a zone file with the following contents: 

cat > /srv/named/etc/named/pz/127.0.0 << "EOF"
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF

Create the root.hints file with the following commands:

[Note]

Note

Caution must be used to ensure there are no leading spaces in this file. 

cat > /srv/named/etc/named/root.hints << "EOF"
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
B.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:200::b
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
C.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2::c
D.ROOT-SERVERS.NET.     6D  IN      A       199.7.91.13
D.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2d::d
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
E.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:a8::e
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
G.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:12::d0d
H.ROOT-SERVERS.NET.     6D  IN      A       198.97.190.53
H.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:1::53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
I.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fe::53
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     6D  IN      A       199.7.83.42
L.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:9f::42
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:dc3::35
EOF

The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from https://www.internic.net/domain/named.root. For details, consult the "BIND 9 Administrator Reference Manual".

Create or modify resolv.conf to use the new name server with the following commands:

[Note]

Note

Replace <yourdomain.com> with your own valid domain name. 

cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search <yourdomain.com>
nameserver 127.0.0.1
EOF

Set permissions on the chroot jail with the following command: 

chown -R named:named /srv/named

Boot Script

To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the blfs-bootscripts-20220722 package: 

make install-bind

Now start BIND with the following command: 

/etc/rc.d/init.d/bind start

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig: 

dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address: 

dig www.linuxfromscratch.org &&
dig www.linuxfromscratch.org

You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual (see below) for further configuration options.

Administrator Reference Manual (ARM)

The ARM documentation (do not confuse with the processor architecture) is included in the source package. The documentation is in .rst format which means, it can be converted in human readable formats if Sphinx is installed. As time of writing, sphinx is not included in the BLFS book and therefore, the instructions above do not install the docs.

When BIND is set up, especially when to operate in a real live scenario, it is highly recommended to consult the ARM documentation. ISC provides an updated set of excellent documentation along with every release so it can be easily be viewed and/or downloaded - so there is no excuse to not read the docs. The formats ISC provides are PDF, epub and html at https://downloads.isc.org/isc/bind9/9.18.6/doc/arm/.

Contents

Installed Programs: arpaname, ddns-confgen, delv, dig, dnssec-cds, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-keymgr, dnssec-revoke, dnssec-settime, dnssec-signzone, dnssec-verify, host, mdig, named, named-checkconf, named-checkzone, named-compilezone (symlink), named-journalprint, named-nzd2nzf, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen, and tsig-keygen (symlink)
Installed Libraries: libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so, libisccfg.so, and libns.so
Installed Directories: /usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,ns,pk11,pkcs11}, /usr/lib/named, /usr/lib/python3.10/site-packages/isc, and /srv/named

Short Descriptions

arpaname

translates IP addresses to the corresponding ARPA names

ddns-confgen

generates a key for use by nsupdate and named

delv

is a new debugging tool that is a successor to dig

dig

interrogates DNS servers

dnssec-cds

changes DS records for a child zone based on CDS/CDNSKEY

dnssec-checkds

is a DNSSEC delegation consistency checking tool

dnssec-coverage

verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage

dnssec-dsfromkey

outputs the Delegation Signer (DS) resource record (RR)

dnssec-importkey

reads a public DNSKEY record and generates a pair of .key/.private files

dnssec-keyfromlabel

gets keys with the given label from a cryptography hardware device and builds key files for DNSSEC

dnssec-keygen

is a key generator for secure DNS

dnssec-keymgr

ensures correct DNSKEY coverage based on a defined policy

dnssec-revoke

sets the REVOKED bit on a DNSSEC key

dnssec-settime

sets the key timing metadata for a DNSSEC key

dnssec-signzone

generates signed versions of zone files

dnssec-verify

verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete

host

is a utility for DNS lookups

mdig

is a version of dig that allows multiple queries at once

named

is the name server daemon

named-checkconf

checks the syntax of named.conf files

named-checkzone

checks zone file validity

named-compilezone

is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format

named-journalprint

prints the zone journal in human-readable form

named-rrchecker

reads an individual DNS resource record from standard input and checks if it is syntactically correct

named-nzd2nzf

converts an NZD database to NZF text format

nsec3hash

generates an NSEC3 hash based on a set of NSEC3 parameters

nslookup

is a program used to query Internet domain nameservers

nsupdate

is used to submit DNS update requests

rndc

controls the operation of BIND

rndc-confgen

generates rndc.conf files

tsig-keygen

is a symlink to ddns-confgen