The BIND package provides a DNS server and client utilities.
Download (HTTP): http://gd.tuwien.ac.at/infosys/servers/isc/bind9/9.2.2/bind-9.2.2.tar.gz
Download (FTP): ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.2.tar.gz
Download size: 4.8 MB
Estimated Disk space required: 90 MB
Estimated build time: 0.89 SBU
Install BIND by running the following commands:
./configure --prefix=/usr --sysconfdir=/etc && make && make install |
named.conf, root.hints, 127.0.0, rndc.conf
We will configure BIND to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.
First we create the unprivileged user and group named:
groupadd -g 200 named && useradd -m -g named -u 200 -s /bin/false named |
Then we set up some files, directories and devices needed by BIND:
cd /home/named && mkdir -p dev etc/namedb/slave var/run && mknod /home/named/dev/null c 1 3 && mknod /home/named/dev/random c 1 8 && chmod 666 /home/named/dev/{null,random} && mkdir /home/named/etc/namedb/pz && cp /etc/localtime /home/named/etc |
Create the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:
cat > /home/named/etc/named.conf << "EOF" options { directory "/etc/namedb"; pid-file "/var/run/named.pid"; statistics-file "/var/run/named.stats"; }; controls { inet 127.0.0.1 allow { localhost; } keys { rndc_key; }; }; key "rndc_key" { algorithm hmac-md5; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; zone "." { type hint; file "root.hints"; }; zone "0.0.127.in-addr.arpa" { type master; file "pz/127.0.0"; }; EOF |
Create a zone file with the following contents:
cat > /home/named/etc/namedb/pz/127.0.0 << "EOF" $TTL 3D @ IN SOA ns.local.domain. hostmaster.local.domain. ( 1 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS ns.local.domain. 1 PTR localhost. EOF |
Create the root.hints file with the following commands:
Note: Caution must be used to insure no leading spaces in this file.
cat > /home/named/etc/namedb/root.hints << "EOF" . 6D IN NS A.ROOT-SERVERS.NET. . 6D IN NS B.ROOT-SERVERS.NET. . 6D IN NS C.ROOT-SERVERS.NET. . 6D IN NS D.ROOT-SERVERS.NET. . 6D IN NS E.ROOT-SERVERS.NET. . 6D IN NS F.ROOT-SERVERS.NET. . 6D IN NS G.ROOT-SERVERS.NET. . 6D IN NS H.ROOT-SERVERS.NET. . 6D IN NS I.ROOT-SERVERS.NET. . 6D IN NS J.ROOT-SERVERS.NET. . 6D IN NS K.ROOT-SERVERS.NET. . 6D IN NS L.ROOT-SERVERS.NET. . 6D IN NS M.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4 B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107 C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12 D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90 E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10 F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241 G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4 H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53 I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17 J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30 K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129 L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12 M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33 EOF |
The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. Consult the BIND 9 Administrator Reference Manual for details.
Create the rndc.conf with the following commands:
cat > /etc/rndc.conf << "EOF" key rndc_key { algorithm "hmac-md5"; secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"; }; options { default-server localhost; default-key rndc_key; }; EOF |
The rndc.conf file contains information for controlling named operations with the rndc utility.
Create or modify resolv.conf to use the new name server with the following commands:
Note: Replace yourdomain.com with your own valid domain name.
cp /etc/resolv.conf /etc/resolv.conf.bak && cat > /etc/resolv.conf << "EOF" search yourdomain.com nameserver 127.0.0.1 EOF |
Set permissions on the chroot jail with the following command:
chown -R named.named /home/named |
Create the BIND boot script:
cat > /etc/rc.d/init.d/bind << "EOF" #!/bin/bash # Begin $rc_base/init.d/bind # Based on sysklogd script from LFS-3.1 and earlier. # Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org source /etc/sysconfig/rc source $rc_functions case "$1" in start) echo "Starting named..." loadproc /usr/sbin/named -u named -t /home/named -c \ /etc/named.conf ;; stop) echo "Stopping named..." killproc /usr/sbin/named ;; restart) $0 stop sleep 1 $0 start ;; reload) echo "Reloading named..." /usr/sbin/rndc -c /etc/rndc.conf reload ;; status) statusproc /usr/sbin/named ;; *) echo "Usage: $0 {start|stop|restart|status}" exit 1 ;; esac # End $rc_base/init.d/bind EOF |
Add the run level symlinks:
chmod 754 /etc/rc.d/init.d/bind && ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind && ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind && ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K49bind && ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind && ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind && ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind && ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind |
Now start BIND with the new boot script:
/etc/rc.d/init.d/bind start |
Test out the new BIND 9 installation. First query the local host address with dig:
dig -x 127.0.0.1 |
Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:
dig beyond.linuxfromscratch.org && dig beyond.linuxfromscratch.org |
The BIND package contains dig, host, rndc, rndc-confgen, named-checkconf, named-checkzone, lwresd, named, dnssec-signzone, dnssec-signkey, dnssec-keygen, dnssec-makekeyset and nsupdate.
dig interrogates DNS servers.
host is a utility for DNS lookups.
rndc controls the operation of BIND.
rndc-confgen generates rndc.conf files.
named-checkconf checks the syntax of named.conf files.
named-checkzone checks zone file validity.
lwresd is a caching-only name server for local process use.
named is the name server daemon.
dnssec-signzone generates signed versions of zone files.
dnssec-signkey signs zone file key sets.
dnssec-keygen is a key generator for secure DNS.
dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen.
nsupdate is used to submit DNS update requests.