BIND

BIND (or named) is the most widely used Domain Name System (DNS) server.

Note: The organization developing BIND is serving security notices to paying customers up to four days before Linux distributions or the general public.

Related articles

Installation

Install the bind package.

Start/enable the named.service systemd unit.

To use the DNS server locally, use the 127.0.0.1 nameserver (meaning clients like Firefox resolve via 127.0.0.1), see Domain name resolution. This will however require you to #Allow recursion while a firewall might block outside queries to your local named.

Configuration

BIND is configured in /etc/named.conf. The available options are documented in .

Reload the named.service unit to apply configuration changes.

Restrict access to localhost

BIND by default listens on port 53 of all interfaces and IP addresses. To only allow connections from localhost add the following line to the section in /etc/named.conf:

listen-on { 127.0.0.1; };
listen-on-v6 { ::1; };

Set up DNS forwarding

To make BIND forward DNS queries to another DNS server add the clause to the section.

Example to make BIND forward to the Google Public DNS servers:

forwarders {
    8.8.8.8; 2001:4860:4860::8888;
    8.8.4.4; 2001:4860:4860::8844;
};

(As of 9.18, only plaintext DNS servers are supported as forwarders.)

Serve DNS over TLS or HTTPS

To enable serving DNS over TLS or HTTPS in BIND 9.18, define a tls block specifying your certificate, then add listen-on clauses enabling DNS over TLS and HTTPS listeners (as well as a standard DNS listener).

Note that is defined at the top level, not inside the block.

A configuration template for running a domain

Following is a simple home nameserver being set up, using domain.tld as the domain being served world-wide like this wiki's archlinux.org domain is.

A more elaborate example is DNS server with BIND9, while this shows how to set up internal network name resolution.

Creating a zonefile

Create /var/named/domain.tld.zone.

$ORIGIN domain.tld.
$TTL 2h

@               SOA     ns1 hostmaster (
                                2018111111 ; Serial
                                8h         ; Refresh
                                30m        ; Retry
                                1w         ; Expire
                                1h )       ; Negative Cache TTL
                NS      ns1
                NS      ns2
                
@               A       203.0.113.1
                AAAA    2001:db8:113::1
                MX      10 mail
                TXT     "v=spf1 mx"

www             A       203.0.113.1
                AAAA    2001:db8:113::1

ns1             A       203.0.113.4
                AAAA    2001:db8:113::4

ns2             A       198.51.100.5
                AAAA    2001:db8:5100::5

mail            A       198.51.100.6
                AAAA    2001:db8:5100::6
imap            CNAME   mail
smtp            CNAME   mail

$ORIGIN defines the default suffix for all names which do not already end with a (dot), e.g. will be expanded to ⇒ everywhere.

defines the default time-to-live (i.e. cache expiry time) for all records which do not have their own TTL specified. Here it is 2 hours.

Serial must be incremented manually before reloading named every time you change a resource record for the zone. Otherwise secondary servers (replicas or slaves) will not re-transfer the zone: they only do it if the serial is greater than that of the last time they transferred the zone. This example uses the somewhat common format, but this is not required; the serial number can also just start at 1.

Configuring master server

Add your zone to /etc/named.conf:

zone "domain.tld" IN {
        type master;
        file "domain.tld.zone";
        allow-update { none; };
};

Reload the named.service unit to apply the configuration change.

Allow recursion

If you are running your own DNS server, you might as well use it for all DNS lookups, or even locally serve the root-zone yourself following RFC:7706. The former will require the ability to do recursive lookups. In order to prevent DNS Amplification Attacks, recursion is turned off by default for most resolvers. The default Arch /etc/named.conf file allows for recursion only on the loopback interface:

allow-recursion { 127.0.0.1; ::1; };

If you want to provide name service for your local network; e.g. 192.168.0.0/24, you must add the appropriate range of IP addresses to /etc/named.conf:

allow-recursion {
    192.168.0.0/24;
    fd01:2345:6789::/64;
    127.0.0.1;
    ::1;
};

Configuring BIND to serve DNSSEC signed zones

DNSSEC validation is enabled by default. Do not forget to check that "edns" is not disabled.

On master DNS server:

  • generate KSK and ZSK keys:
 $ dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE example.com
 $ dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE example.com
  • change zone configuration:
 zone "example.com" {
       type master;
       allow-transfer { ... };
       auto-dnssec maintain;
       inline-signing yes;
       key-directory "master/";
       file "master/example.com.zone";
 };

Now bind will sign zone automatically. (This example assumes that all required files are in /var/named/master/)

Then you should pass DS records (from dsset-example.com. file) to parent zone owner probably using your registrar website. It glues parent zone with your KSK.

KSK (and corresponding DS records) should be changed rarely because it needs manual intervention, ZSK can be changed more often because this key is usually shorter to be faster in signature checking.

You can schedule old ZSK key expiration and generate new one using:

 $ dnssec-settime -I +172800 -D +345600 Kexample.com.+000+111111.key
 $ dnssec-keygen -S Kexample.com.+000+111111.key -i 152800

Bind should automatically use new ZSK key at appropriate time.

There are external mechanisms such as OpenDNSSEC with fully-automatic key rollover available.

Automatically listen on new interfaces

By default bind scan for new interfaces and stop listening on interfaces which no longer exist every hour. You can tune this value by adding :

interface-interval <rescan-timeout-in-minutes>;

parameter into options section. Max value is 28 days. (40320 min)
You can disable this feature by setting its value to 0.

Then restart the service.

Running BIND in a chrooted environment

Running in a chroot environment is not required but improves security.

Creating the jail house

In order to do this, we first need to create a place to keep the jail, we shall use /srv/named, and then put the required files into the jail.

# mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}

Copy over required system files:

# cp -av /etc/{localtime,named.conf} /srv/named/etc/
# cp -av /usr/lib/engines-1.1/* /srv/named/usr/lib/engines/
# cp -av /var/named/* /srv/named/var/named/.

Set up required nodes in :

# mknod /srv/named/dev/null c 1 3
# mknod /srv/named/dev/random c 1 8

Set ownership of the files:

# chown -R named:named /srv/named

This should create the required file system for the jail.

Service unit

Next we need a replacement unit file so that the service calls bind which will allow force bind into the chroot:

Now, reload systemd with daemon-reload, and start the .

gollark: It treats emojis specially unless you explicitly escape them.
gollark: Not exactly, in Discord.
gollark: The ™️ is highly antimemetic because dark theme and their emojis are the Twitter ones.
gollark: ™ is the actual Unicode character, ™️ is when it's treated as an emoji.
gollark: ™️ ™

See also
This article is issued from Archlinux. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.