We’ll start out simple in this section with just three hosts, a CNAME for www, and an MX record. As we integrate DNS with other services we will add more sections. We are using Red Hat 7.1, but there is little here that is distribution-specific. The only thing that might change is the way you handle the startup script.
First, get a copy of the source from the ISC link above and put it in /usr/local/src. Extract it:
    [root@srv-3 src]# tar -xzf bind*.gz
Change to the source tree and run configure:
    [root@srv-3 src]# cd bind*
    [root@srv-3 bind-9.1.2]# ./configure
    creating cache ./config.cache
    checking host system type... i586-pc-linux-gnu
    checking whether make sets ${MAKE}... yes
    checking for ranlib... ranlib
    checking for a BSD compatible install... /usr/bin/install -c
    checking for ar... /usr/bin/ar
    . . .
    creating doc/Makefile
    creating doc/arm/catalog
    creating doc/arm/nominum-docbook-html.dsl
    creating doc/arm/validate.sh
    creating doc/arm/genhtml.sh
    creating isc-config.sh
    creating config.h
Run make and make install. While it is compiling, have a look at the BIND 9 Administrator Reference Manual at /usr/local/src/bind-9.1.2/doc/arm/Bv9ARM.html:
    [root@srv-3 bind-9.1.2]# make
    making all in /usr/local/src/bind-9.1.2/make
    make[1]: Entering directory `/usr/local/src/bind-9.1.2/make'
    . . .
    gcc -g -O2 -o named-checkzone named-checkzone.o check-tool.o ../../lib/dns/libdns.a ../../lib/isc/libisc.a -lnsl -lpthread
    make[2]: Leaving directory `/usr/local/src/bind-9.1.2/bin/check'
    make[1]: Leaving directory `/usr/local/src/bind-9.1.2/bin'
    making all in /usr/local/src/bind-9.1.2/doc
    make[1]: Entering directory `/usr/local/src/bind-9.1.2/doc'
    make[1]: Leaving directory `/usr/local/src/bind-9.1.2/doc'
    [root@srv-3 bind-9.1.2]#
    [root@srv-3 bind-9.1.2]# make install
    making install in /usr/local/src/bind-9.1.2/make
    make[1]: Entering directory `/usr/local/src/bind-9.1.2/make'
    make[1]: Leaving directory `/usr/local/src/bind-9.1.2/make'
    . . .
    /bin/sh ./mkinstalldirs /usr/local/bin
    /usr/bin/install -c isc-config.sh /usr/local/bin
    [root@srv-3 bind-9.1.2]#
Let’s see if all is good and the version checks out:
    [root@srv-3 bind-9.1.2]# named -v
    BIND 9.1.2
Here is our /etc/named.conf file:
    [root@srv-3 /etc]# cat /etc/named.conf
    options {
            directory "/var/named";
            pid-file "/var/named/named.pid";
    };

    zone "." {
            type hint;
            file "named.ca";
    };

    zone "100.50.10.in-addr.arpa" {
            type master;
            file "db.100.50.10.in-addr.arpa";
    };

    zone "signalq.com" {
            type master;
            file "db.signalq.com";
    };
The directory option tells named where to find its files (the zone files and, here, the pid file). The pid-file option is useful because we are going to run named as a nonprivileged user that will need to write the named.pid file, and we don’t want to do that in /var. The zone “.” section tells where the hint (cache) file is; the cache file tells BIND where to find the root servers. The zone “100.50.10.in-addr.arpa” section loads the reverse zone (lookup by IP address) and the zone “signalq.com” section loads the forward zone.
Make a /var/named directory:
    [root@srv-3 /etc]# cd /var
    [root@srv-3 /var]# ls
    arpwatch  db   lib    lock  lost+found  nis  preserve  spool  tmp  www
    cache     ftp  local  log   mail        opt  run       state  tux  yp
    [root@srv-3 /var]# mkdir named
    [root@srv-3 /var]#
Here are our forward and reverse zone files:
    [root@srv-3 /var]# cd named
    [root@srv-3 named]# cat db.signalq.com
    $TTL 86400
    @           IN SOA   srv-3.signalq.com. dnsadmin.signalq.com. (
                            2001050801      ; Serial
                            21600           ; Refresh, 6 hours
                            1800            ; Retry, 30 minutes
                            1209600         ; Expire, 2 weeks
                            432000 )        ; Minimum, 5 days
                IN NS    srv-3.signalq.com.
                IN MX    10 srv-3.signalq.com.
    localhost   IN A     127.0.0.1
    srv-33      IN A     10.50.100.51
    srv-3       IN A     10.50.100.52
    srv-34      IN A     10.50.100.53
    www         IN CNAME srv-34
    [root@srv-3 named]#
    [root@srv-3 named]# cat db.100.50.10.in-addr.arpa
    $TTL 86400
    ; The SOA RNAME is a domain name, so the mailbox is written dnsadmin.signalq.com.
    ; (with a trailing dot), not dnsadmin@signalq.com: an "@" form is treated as a
    ; relative name and gets the zone origin appended.
    @           IN SOA   srv-3.signalq.com. dnsadmin.signalq.com. (
                            2001050801      ; Serial
                            21600           ; Refresh, 6 hours
                            1800            ; Retry, 30 minutes
                            1209600         ; Expire, 2 weeks
                            432000 )        ; Minimum, 5 days
                IN NS    srv-3.signalq.com.
    51          IN PTR   srv-33.signalq.com.
    52          IN PTR   srv-3.signalq.com.
    53          IN PTR   srv-34.signalq.com.
    [root@srv-3 named]#
We can make our own named.ca file:
    $ dig @a.root-servers.net . ns > named.ca
Here is what it looks like:
    $ cat named.ca
    ; <<>> DiG 9.1.0 <<>> @a.root-servers.net . ns
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37920
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13

    ;; QUESTION SECTION:
    ;.                              IN      NS

    ;; ANSWER SECTION:
    .                       518400  IN      NS      A.ROOT-SERVERS.NET.
    .                       518400  IN      NS      H.ROOT-SERVERS.NET.
    .                       518400  IN      NS      C.ROOT-SERVERS.NET.
    .                       518400  IN      NS      G.ROOT-SERVERS.NET.
    .                       518400  IN      NS      F.ROOT-SERVERS.NET.
    .                       518400  IN      NS      B.ROOT-SERVERS.NET.
    .                       518400  IN      NS      J.ROOT-SERVERS.NET.
    .                       518400  IN      NS      K.ROOT-SERVERS.NET.
    .                       518400  IN      NS      L.ROOT-SERVERS.NET.
    .                       518400  IN      NS      M.ROOT-SERVERS.NET.
    .                       518400  IN      NS      I.ROOT-SERVERS.NET.
    .                       518400  IN      NS      E.ROOT-SERVERS.NET.
    .                       518400  IN      NS      D.ROOT-SERVERS.NET.

    ;; ADDITIONAL SECTION:
    A.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.4
    H.ROOT-SERVERS.NET.     3600000 IN      A       128.63.2.53
    C.ROOT-SERVERS.NET.     3600000 IN      A       192.33.4.12
    G.ROOT-SERVERS.NET.     3600000 IN      A       192.112.36.4
    F.ROOT-SERVERS.NET.     3600000 IN      A       192.5.5.241
    B.ROOT-SERVERS.NET.     3600000 IN      A       128.9.0.107
    J.ROOT-SERVERS.NET.     3600000 IN      A       198.41.0.10
    K.ROOT-SERVERS.NET.     3600000 IN      A       193.0.14.129
    L.ROOT-SERVERS.NET.     3600000 IN      A       198.32.64.12
    M.ROOT-SERVERS.NET.     3600000 IN      A       202.12.27.33
    I.ROOT-SERVERS.NET.     3600000 IN      A       192.36.148.17
    E.ROOT-SERVERS.NET.     3600000 IN      A       192.203.230.10
    D.ROOT-SERVERS.NET.     3600000 IN      A       128.8.10.90

    ;; Query time: 86 msec
    ;; SERVER: 198.41.0.4#53(a.root-servers.net)
    ;; WHEN: Tue May 8 14:52:03 2001
    ;; MSG SIZE  rcvd: 436
Let’s check our forward and reverse zones with named-checkzone, which takes the zone name followed by the file name:
    [root@srv-3 named]# named-checkzone signalq.com db.signalq.com
    OK
    [root@srv-3 named]# named-checkzone 100.50.10.in-addr.arpa db.100.50.10.in-addr.arpa
    OK
    [root@srv-3 named]#
All OK!!
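named-checkzone validates each file on its own but does not check the two zones against each other. The script below is an added example, not part of the original page: it parses the two zone files above (multi-line SOA, comments, relative names) and checks that every A record has a matching PTR and vice versa, and that the SOA RNAME is written as a domain name rather than a mailbox with an "@". The zone text is embedded as constructed sample input so it runs offline.

```python
import re
# Constructed sample input: the forward and reverse zone files from this page.
FORWARD = """$TTL 86400
@ IN SOA srv-3.signalq.com. dnsadmin.signalq.com. (
        2001050801       ; Serial
        21600 1800       ; Refresh, Retry
        1209600 432000 ) ; Expire, Minimum
        IN NS srv-3.signalq.com.
        IN MX 10 srv-3.signalq.com.
localhost IN A 127.0.0.1
srv-33    IN A 10.50.100.51
srv-3     IN A 10.50.100.52
srv-34    IN A 10.50.100.53
www       IN CNAME srv-34
"""
REVERSE = """$TTL 86400
@ IN SOA srv-3.signalq.com. dnsadmin.signalq.com. ( 2001050801 21600 1800 1209600 432000 )
        IN NS srv-3.signalq.com.
51 IN PTR srv-33.signalq.com.
52 IN PTR srv-3.signalq.com.
53 IN PTR srv-34.signalq.com.
"""

def parse_zone(text, origin):
    # Returns (owner, type, rdata) triples; owner names absolute, no trailing dot.
    body = re.sub(r";[^\n]*", "", text)                                        # strip comments
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)  # join ( ... )
    records, owner = [], origin
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"): continue                  # blank or $TTL
        fields = line.split()
        if not line[0].isspace():                                              # explicit owner
            first = fields.pop(0)
            owner = origin if first == "@" else first.rstrip(".") if first.endswith(".") else f"{first}.{origin}"
        if fields[0] == "IN":                                                  # class is optional
            fields.pop(0)
        records.append((owner, fields[0], fields[1:]))
    return records

def check_zones(forward, reverse, fwd_origin="signalq.com", rev_origin="100.50.10.in-addr.arpa"):
    """Lint the SOA RNAME for '@' and cross-check every A record against the PTR records."""
    fwd, rev = parse_zone(forward, fwd_origin), parse_zone(reverse, rev_origin)
    problems = [f"SOA RNAME {r[1]} contains '@' (write the mailbox with a dot)"
                for _, t, r in fwd + rev if t == "SOA" and "@" in r[1]]
    a_by_ip = {r[0]: o for o, t, r in fwd if t == "A" and not r[0].startswith("127.")}
    ptr_by_ip = {".".join(reversed(o[:-len(".in-addr.arpa")].split("."))): r[0].rstrip(".")
                 for o, t, r in rev if t == "PTR"}                 # 53.100.50.10.in-addr.arpa -> 10.50.100.53
    problems += [f"{h} ({ip}) has no matching PTR" for ip, h in a_by_ip.items() if ptr_by_ip.get(ip) != h]
    problems += [f"PTR {ip} -> {h} has no matching A record" for ip, h in ptr_by_ip.items() if a_by_ip.get(ip) != h]
    return problems
```

An empty list from check_zones means the two files agree; each string in the list names one record to fix.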
Let’s test with a live named and do some dig queries:
    [root@srv-3 named]# named
    [root@srv-3 named]# dig @srv-3 signalq.com any

    ; <<>> DiG 9.1.2 <<>> @srv-3 signalq.com any
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 15967
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;signalq.com.                   IN      ANY

    ;; ANSWER SECTION:
    signalq.com.            86400   IN      SOA     srv-3.signalq.com. dnsadmin.signalq.com. 2001050801 21600 1800 1209600 432000
    signalq.com.            86400   IN      NS      srv-3.signalq.com.
    signalq.com.            86400   IN      MX      10 srv-3.signalq.com.

    ;; AUTHORITY SECTION:
    signalq.com.            86400   IN      NS      srv-3.signalq.com.

    ;; ADDITIONAL SECTION:
    srv-3.signalq.com.      86400   IN      A       10.50.100.52

    ;; Query time: 14 msec
    ;; SERVER: 10.50.100.52#53(srv-3)
    ;; WHEN: Tue May 8 16:02:43 2001
    ;; MSG SIZE  rcvd: 140

    [root@srv-3 named]# dig @srv-3 100.50.10.in-addr.arpa any

    ; <<>> DiG 9.1.2 <<>> @srv-3 100.50.10.in-addr.arpa any
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21245
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;100.50.10.in-addr.arpa.        IN      ANY

    ;; ANSWER SECTION:
    100.50.10.in-addr.arpa. 86400   IN      SOA     srv-3.signalq.com. dnsadmin@signalq.com.100.50.10.in-addr.arpa. 2001050801 21600 1800 1209600 432000
    100.50.10.in-addr.arpa. 86400   IN      NS      srv-3.signalq.com.

    ;; AUTHORITY SECTION:
    100.50.10.in-addr.arpa. 86400   IN      NS      srv-3.signalq.com.

    ;; ADDITIONAL SECTION:
    srv-3.signalq.com.      86400   IN      A       10.50.100.52

    ;; Query time: 13 msec
    ;; SERVER: 10.50.100.52#53(srv-3)
    ;; WHEN: Tue May 8 16:06:22 2001
    ;; MSG SIZE  rcvd: 158
Now a reverse query:
    [root@srv-3 named]# dig -x 10.50.100.53
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25145
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 1

    ;; QUESTION SECTION:
    ;53.100.50.10.in-addr.arpa.     IN      PTR

    ;; ANSWER SECTION:
    53.100.50.10.in-addr.arpa. 86400 IN     PTR     srv-34.signalq.com.

    ;; AUTHORITY SECTION:
    100.50.10.in-addr.arpa. 86400   IN      NS      srv-3.signalq.com.

    ;; ADDITIONAL SECTION:
    srv-3.signalq.com.      86400   IN      A       10.50.100.52

    ;; Query time: 10 msec
    ;; SERVER: 10.50.100.52#53(10.50.100.52)
    ;; WHEN: Tue May 8 16:13:28 2001
    ;; MSG SIZE  rcvd: 113
Now, it would be nice to run named as a nonprivileged user, so we will create a user called bindrun with UID 53 and start named with the -u flag:
    [root@srv-3 /etc]# adduser -u 53 bindrun
named will have to create named.pid, so we will change the ownership of /var/named:
    [root@srv-3 /etc]# cd /var
    [root@srv-3 /var]# chown bindrun named
Lastly, we put:
    /usr/local/sbin/named -u 53
at the bottom of /etc/rc.local so that named will start when the server starts.
Note that there is also an option (-t) to start BIND in a chrooted environment, which you can use to make BIND more secure. What this means is that even if a security hole in named is exploited to get access to your machine, the only part of the filesystem the intruder will see is your chrooted “jail”.
Let’s reboot to make sure all starts up, and then look at /var/log/messages:
    [root@srv-3 /root]# tail /var/log/messages
    ... /usr/local/sbin/named[618]: starting BIND 9.1.2 -u 53
    ... /usr/local/sbin/named[618]: using 1 CPU
    ... /usr/local/sbin/named[624]: loading configuration from '/etc/named.conf'
    ... /usr/local/sbin/named[624]: the default for the 'auth-nxdomain' option is now 'no'
    ... /usr/local/sbin/named[624]: no IPv6 interfaces found
    ... /usr/local/sbin/named[624]: listening on IPv4 interface lo, 127.0.0.1#53
    ... /usr/local/sbin/named[624]: listening on IPv4 interface eth0, 10.50.100.52#53
    ... /usr/local/sbin/named[624]: running
We are running!!!