BIND (the daemon itself is called named) is a DNS (Domain Name System) server. It can act as a caching resolver for the names your clients look up and as an authoritative server for zones you control. A local caching resolver speeds up resolution of commonly requested names, and an authoritative zone lets you assign host names to the IP addresses of the machines on your internal LAN.
A caching server helps most when the same name is requested many times by local clients; google.com, cnn.com and slashdot.com, for example, are asked for repeatedly by most users. Once the answer is cached (for as long as its TTL allows) the server responds immediately and without using any external bandwidth.
An authoritative DNS server is one that holds the master data for a zone: it answers for the names in that zone from its own files rather than by asking anyone else. This example sets up a local LAN with internal names under the zone "domain.lan".
Running one server as both the authoritative server for domain.lan and a caching resolver for everything else is the best of both worlds. It answers local domain.lan names from its zone files and caches the results of external lookups.
BIND (Berkeley Internet Name Domain) is the most commonly used DNS server on the Internet, especially on Unix-like systems, where it is a de facto standard. It is maintained by the Internet Systems Consortium (ISC). BIND was originally created by four graduate students with CSRG at the University of California, Berkeley and first released with 4.3BSD. Paul Vixie started maintaining it in 1988 while working for DEC.
BIND 9 was written from scratch, in part to address the architectural difficulties of auditing the earlier BIND code bases and in part to support DNSSEC (DNS Security Extensions). Other important features of BIND 9 include TSIG, DNS NOTIFY, nsupdate, IPv6, rndc flush, views, multiprocessor support and an improved portability architecture. It is commonly used on Linux and BSD systems. (Wikipedia, BIND)
IMPORTANT NOTE: Do not expose a recursive DNS server to the public Internet. An open resolver is a target for cache poisoning (an attacker who can make your server ask questions and race the answers can plant forged records that every LAN client will then trust) and it will be abused as a reflector in DNS amplification attacks against third parties. Keep the allow-query and allow-recursion lists limited to your LAN, as in the example below, and use this setup for internal LAN use only.
Getting Started
This exercise sets up a DNS server available to the local LAN, 10.10.10.0/24 in this example. It caches all queries for external host names made by internal clients and also serves authoritative answers about our local LAN machines. It is a fully working example, so you can cut and paste the files below as they are.
By default, OpenBSD installs BIND and its support files under /var/named and runs named chrooted there, which is why the file paths in named.conf below are relative to that directory. We will use the same directory structure for the example. You can use the following three files to replace what BIND installs by default: /var/named/etc/named.conf, the main config file; /var/named/master/db.domain.lan, the forward lookup file; and /var/named/master/db.10.10.10, the reverse lookup file.
As you look at the config files take some time and look at all of the options. There are a lot of things to learn about bind and we are only covering a small subset. Read the man pages and join the bind discussion groups. Block out a few minutes a day and find out what a few of the named.conf options do. You may find out the options here are perfect for your uses or you may want to tweak a few. Just take your time and have fun. Bind (named) is a really good dns server.
Before using the config file, take a look at it in the text window below. Under the window you will find a short explanation of the lines that need your attention; if you need more information, look up the options in the named.conf man page. This file is saved as /var/named/etc/named.conf in the standard OpenBSD install.
// $OpenBSD: Calomel.org named.conf
options {
allow-query { 127.0.0.1; 10.10.10/24; };
allow-recursion { 127.0.0.1; 10.10.10/24; };
allow-transfer { none; };
# dnssec-enable yes;
# dnssec-validation yes;
# dnssec-lookaside . trust-anchor dlv.isc.org.;
forward first;
forwarders { 8.8.4.4; 8.8.8.8; };
# outbound queries leave from this address, so it must be able to reach the
# forwarders; if loopback traffic is not NATed on the way out, use the host's
# outward-facing address or "*" instead. Keep "port *": a fixed source port
# defeats the port randomization that protects the cache against poisoning.
query-source address 127.0.0.1 port *;
listen-on { 127.0.0.1; };
listen-on-v6 { none; };
version "Calomel.org";
};
# trusted-keys {
# dlv.isc.org. 257 3 5 "BEAAAAPHMu/5onzrEE7z1egmhg/WPO0+juoZrW3euWEn4MxDCE1+lLy2 brhQv5rN32RKtMzX6Mj70jdzeND4XknW58dnJNPCxn8+jAGl2FZLK8t+ 1uq4W+nnA3qO2+DL+k6BD4mewMLbIYFwe0PG73Te9fZ2kJb56dhgMde5 ymX4BI/oQ+cAK50/xvJv00Frf8kw6ucMTwFlgPe+jnGxPPEmHAte/URk Y62ZfkLoBAADLHQ9IrS2tryAe7mbBZVcOwIeU/Rw/mRx/vwwMCTgNboM QKtUdvNXDrYJDSHZws3xiRXF1Rf+al9UmZfSav/4NWLKjHzpT59k/VSt TDN0YUuWrBNh";
# };
# Trusted dlv.isc.org key pulled from https://secure.isc.org/ops/dlv/dlv.isc.org.named.conf
## enable rndc commands
#controls {
# inet 127.0.0.1 allow { localhost; };
#};
## disable rndc commands
controls { };
logging {
category lame-servers { null; };
};
zone "." {
type hint;
file "standard/root.hint";
};
zone "localhost" {
type master;
file "standard/localhost";
allow-transfer { localhost; };
};
zone "127.in-addr.arpa" {
type master;
file "standard/loopback";
allow-transfer { localhost; };
};
zone "com" {
type delegation-only;
};
zone "net" {
type delegation-only;
};
zone "org" {
type delegation-only;
};
zone "domain.lan" {
type master;
file "master/db.domain.lan";
allow-update { none; };
};
zone "10.10.10.in-addr.arpa" {
type master;
file "master/db.10.10.10";
allow-update { none; };
};
Looking at the named.conf
In the options section we set up the methods and access control lists BIND will run with.
* "allow-query" and "allow-recursion" are access control lists (ACLs). The first limits who may ask this server anything at all; the second limits who may make it go out and resolve names it is not authoritative for. Both are restricted to localhost and the 10.10.10/24 LAN, so the server can never act as an open resolver.
* "allow-transfer" is set to none. We have only one DNS server, so there is no secondary that needs zone transfers, and a transfer would hand anyone who asked a complete list of our internal host names and addresses.
* The commented-out dnssec-* lines and the trusted-keys block below are for DNSSEC validation. ISC's DLV (dnssec-lookaside) registry has since been shut down, so leave that line and the dlv.isc.org key commented out; current BIND validates against the built-in root trust anchor ("dnssec-validation auto") instead.
* Our DNS server has to ask someone else about names it does not know. "forwarders" is the list of resolvers it asks; the example uses the Google Public DNS servers 8.8.8.8 and 8.8.4.4, and OpenDNS is a common alternative (check out the OpenDNS site for its other free services like adult site blocking, phishing site blocks and statistics). "forward first" tells BIND to try the forwarders before doing its own recursion: if we are not the authority for the name and have no cached answer, ask the forwarders, and only if they fail fall back to resolving from the root hints. "forward only" would never fall back.
* "listen-on" is the address the daemon accepts queries on. We listen on localhost only and use a pf redirect rule (rdr-to) on the LAN interface to send UDP and TCP port 53 traffic from 10.10.10.0/24 to 127.0.0.1; alternatively, add the LAN interface address to listen-on, since the ACLs above still decide who gets an answer.
* Finally, "version" is the string the server returns for the version.bind CHAOS TXT query. Nobody needs to know which BIND version we really run, so we replace it with the machine's name or any other string. This only hides the banner; it is no substitute for keeping BIND patched.
In the logging section we keep BIND's default logging (to syslog) and only discard the lame-servers category. A lame server is a nameserver that a zone's delegation points at but that does not actually answer authoritatively for the zone; those messages are noise for a caching resolver and can be ignored.
The zone sections tell our BIND server what data it holds and how to treat queries for each zone. The "com", "net" and "org" zones are declared "delegation-only": our server accepts only delegations (NS referrals) from those TLD servers and turns any other answer from them, such as a wildcard record that resolves every non-existent .com name to an advertising site, into NXDOMAIN. A query from a local machine for google.com is still resolved through the forwarders as described above. If a query comes in for one of our local machine names, like host2.domain.lan, our server answers from the file db.domain.lan, and a reverse query for a 10.10.10.x address is answered from db.10.10.10.
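The checks below are an added example for this page, not a calomel.org script. They parse the named.conf and zone files before named is started, then probe the running server for the properties the options section is meant to guarantee: authoritative answers for our zone, recursion for the LAN, the decoy version string, no zone transfers, and no service at all from outside. It assumes the OpenBSD layout in which named runs chrooted in /var/named (so named.conf paths are relative to that directory); www.example.com stands in for any external name.

```shell
#!/bin/sh
# Check the named.conf and zone files above, then probe the running server's
# access controls. Added example, not calomel.org's own script.
set -e

CHROOT=/var/named
SERVER=127.0.0.1                 # the listen-on address in named.conf

# Extract the status word (NOERROR, REFUSED, NXDOMAIN, ...) from dig output
# read on stdin, i.e. from the ";; ->>HEADER<<- ... status: X" line.
# Prints nothing when dig got no answer at all (timeout).
dig_status() {
    sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1
}

# Parse config and zones without starting the daemon. -t needs root because
# named-checkconf really does chroot(2), exactly as named would.
check_files() {
    named-checkconf -t "$CHROOT" etc/named.conf
    named-checkzone domain.lan "$CHROOT/master/db.domain.lan"
    named-checkzone 10.10.10.in-addr.arpa "$CHROOT/master/db.10.10.10"
}

# Run on the server itself (127.0.0.1 is inside allow-query/allow-recursion).
lan_checks() {
    # authoritative data, forward and reverse
    [ "$(dig @"$SERVER" +short host2.domain.lan A)" = 10.10.10.2 ]
    [ "$(dig @"$SERVER" +short -x 10.10.10.8)" = dhcp8.domain.lan. ]
    # recursion is allowed for us, so an external name resolves via the forwarders
    [ "$(dig @"$SERVER" www.example.com A | dig_status)" = NOERROR ]
    # version.bind returns the decoy string, not the real BIND version
    dig @"$SERVER" +short version.bind CH TXT | grep -q Calomel.org
    # allow-transfer { none; } refuses AXFR even from localhost
    dig @"$SERVER" domain.lan AXFR | grep -q 'Transfer failed'
}

# Run from a host outside 10.10.10.0/24 against the server's public address.
# With listen-on { 127.0.0.1; } there is no answer at all; if the LAN address
# is ever added to listen-on, the ACLs must still answer REFUSED. Anything
# else means the server is an open resolver or leaks internal names.
external_checks() {   # $1 = the server's address as seen from outside
    for q in www.example.com host2.domain.lan; do
        st=$(dig @"$1" +time=3 +tries=1 "$q" A | dig_status)
        [ -z "$st" ] || [ "$st" = REFUSED ]
    done
}

case "${1:-}" in
    files)    check_files && echo "config and zone files parse" ;;
    lan)      lan_checks && echo "LAN checks passed" ;;
    external) external_checks "$2" && echo "external checks passed" ;;
esac
```

Run `sh check_named.sh files` as root before starting named, `sh check_named.sh lan` on the server once it is up, and `sh check_named.sh external <public address>` from a machine outside the LAN; each step exits non-zero on the first failed assertion.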
Looking at the locally resolving db files
Once BIND is installed and named.conf is in place, set up the zone files for your LAN. Below are two files supporting forward and reverse lookups; you need both.
The first file, db.domain.lan, is the forward zone. If a client asks for the address of dhcp4.domain.lan, BIND looks in this file and answers 10.10.10.4. It holds the zone's SOA record, the NS record naming our server, and one A record per host. Every record carries a TTL of 86400 seconds (24 hours), which is how long clients and other caches may keep the answer. Bump the SOA serial (the first number in parentheses) every time you change the zone; it is what a secondary server uses to tell a new version from an old one, and it is good hygiene even with one server. The remaining numbers are the refresh, retry, expire and negative-cache TTL timers.
The scrollable text window below contains the /var/named/master/db.domain.lan
$TTL 86400
domain.lan. 86400 IN SOA dns.domain.lan. root.dns.domain.lan. ( 1 10800 3600 6044800 86400 )
domain.lan. 86400 IN NS dns.domain.lan.
dns.domain.lan. 86400 IN A 10.10.10.1
host2.domain.lan. 86400 IN A 10.10.10.2
host3.domain.lan. 86400 IN A 10.10.10.3
dhcp4.domain.lan. 86400 IN A 10.10.10.4
dhcp5.domain.lan. 86400 IN A 10.10.10.5
dhcp6.domain.lan. 86400 IN A 10.10.10.6
dhcp7.domain.lan. 86400 IN A 10.10.10.7
dhcp8.domain.lan. 86400 IN A 10.10.10.8
dhcp9.domain.lan. 86400 IN A 10.10.10.9
dhcp10.domain.lan. 86400 IN A 10.10.10.10
dhcp11.domain.lan. 86400 IN A 10.10.10.11
dhcp12.domain.lan. 86400 IN A 10.10.10.12
dhcp13.domain.lan. 86400 IN A 10.10.10.13
dhcp14.domain.lan. 86400 IN A 10.10.10.14
The second file, db.10.10.10, is the reverse zone for 10.10.10.0/24. If a client asks for the host name of 10.10.10.8, named replies dhcp8.domain.lan. It contains PTR (pointer) records mapping each address, written in reversed form under in-addr.arpa, back to its host name. Keep it in step with the forward file: an A record whose PTR points somewhere else is a common source of confusing failures in services that check reverse lookups.
The scrollable text window below contains the /var/named/master/db.10.10.10
$TTL 86400
10.10.10.in-addr.arpa. 86400 IN SOA dns.domain.lan. root.dns.domain.lan. ( 1 10800 3600 6044800 86400 )
10.10.10.in-addr.arpa. 86400 IN NS dns.domain.lan.
1.10.10.10.in-addr.arpa. 86400 IN PTR dns.domain.lan.
2.10.10.10.in-addr.arpa. 86400 IN PTR host2.domain.lan.
3.10.10.10.in-addr.arpa. 86400 IN PTR host3.domain.lan.
4.10.10.10.in-addr.arpa. 86400 IN PTR dhcp4.domain.lan.
5.10.10.10.in-addr.arpa. 86400 IN PTR dhcp5.domain.lan.
6.10.10.10.in-addr.arpa. 86400 IN PTR dhcp6.domain.lan.
7.10.10.10.in-addr.arpa. 86400 IN PTR dhcp7.domain.lan.
8.10.10.10.in-addr.arpa. 86400 IN PTR dhcp8.domain.lan.
9.10.10.10.in-addr.arpa. 86400 IN PTR dhcp9.domain.lan.
10.10.10.10.in-addr.arpa. 86400 IN PTR dhcp10.domain.lan.
11.10.10.10.in-addr.arpa. 86400 IN PTR dhcp11.domain.lan.
12.10.10.10.in-addr.arpa. 86400 IN PTR dhcp12.domain.lan.
13.10.10.10.in-addr.arpa. 86400 IN PTR dhcp13.domain.lan.
14.10.10.10.in-addr.arpa. 86400 IN PTR dhcp14.domain.lan.
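Hand-maintaining two files that must agree is where mismatches creep in. The script below is an added example for this page (not calomel.org's DNS Verify script): it generates both zone files from a single host table so the A and PTR records cannot drift apart, and its verify_pairs function checks an existing forward/reverse pair the way the files above would be checked. The host table is a constructed sample; ZONE, NET and NS match the files above, and the SOA timers use common defaults (one week expire) rather than the page's values.

```shell
#!/bin/sh
# Build matching forward and reverse zone files for a /24 from one host table,
# and check an existing pair for A/PTR drift. Added example, not the page's
# own script; the host table is a constructed sample.
set -e

ZONE=domain.lan
NET=10.10.10                 # the /24 prefix; reverse zone is $NET.in-addr.arpa
NS=dns.$ZONE                 # must itself appear in the host table
TTL=86400

# "name address" pairs, one per line (constructed sample)
HOSTS='dns 10.10.10.1
host2 10.10.10.2
host3 10.10.10.3
dhcp8 10.10.10.8'

# 10.10.10.8 -> 8.10.10.10.in-addr.arpa.
reverse_owner() {
    printf '%s\n' "$1" |
        awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# $TTL, SOA and NS lines shared by both zones. $1 = apex, $2 = serial.
# SOA timers: refresh 3h, retry 1h, expire 1 week, negative-cache TTL 1 day.
zone_header() {
    printf '$TTL %s\n' "$TTL"
    printf '%s. %s IN SOA %s. root.%s. ( %s 10800 3600 604800 86400 )\n' \
        "$1" "$TTL" "$NS" "$NS" "$2"
    printf '%s. %s IN NS %s.\n' "$1" "$TTL" "$NS"
}

# Forward zone: one A record per host. $1 = serial, host table on stdin.
gen_forward() {
    zone_header "$ZONE" "$1"
    while read -r name addr; do
        [ -n "$name" ] || continue
        printf '%s.%s. %s IN A %s\n' "$name" "$ZONE" "$TTL" "$addr"
    done
}

# Reverse zone: one PTR per host, owner derived from the address.
gen_reverse() {
    zone_header "$NET.in-addr.arpa" "$1"
    while read -r name addr; do
        [ -n "$name" ] || continue
        printf '%s %s IN PTR %s.%s.\n' "$(reverse_owner "$addr")" "$TTL" "$name" "$ZONE"
    done
}

# Check an existing pair: every A record in $1 must have a PTR in $2 whose
# owner is the reversed address and whose target is the A record's owner.
# Prints each mismatch; returns the mismatch count, so 0 means consistent.
verify_pairs() {
    bad=0
    while read -r owner _ttl _class type rdata; do
        [ "$type" = A ] || continue
        rev=$(reverse_owner "$rdata")
        if ! awk -v o="$rev" -v t="$owner" \
                '$1 == o && $4 == "PTR" && $5 == t { found = 1 } END { exit !found }' "$2"; then
            echo "MISMATCH: $owner A $rdata has no PTR $rev -> $owner"
            bad=$((bad + 1))
        fi
    done < "$1"
    return "$bad"
}

# Usage: sh mkzones.sh /var/named/master 2010052601   (serial as YYYYMMDDnn)
if [ $# -eq 2 ]; then
    printf '%s\n' "$HOSTS" | gen_forward "$2" > "$1/db.$ZONE"
    printf '%s\n' "$HOSTS" | gen_reverse "$2" > "$1/db.$NET"
    verify_pairs "$1/db.$ZONE" "$1/db.$NET" && echo "forward and reverse zones agree"
fi
```

Because the only argument that changes between runs is the serial, regenerating both files after editing the host table keeps the serial bump and the A/PTR pairing honest at the same time; verify_pairs can also be pointed at the two hand-written files above.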
Starting Bind
To start BIND by hand, run "named -4"; the -4 flag makes it use IPv4 only, matching the listen-on-v6 { none; } above. To start it at boot, put the following line in /etc/rc.conf.local (create the file if it does not exist; do not edit /etc/rc.conf itself, which is replaced on upgrades). Because the controls section is empty, rndc cannot be used on this server; after changing the zone files, reload by sending named a SIGHUP or by restarting it. Note that BIND was removed from the OpenBSD base system in 5.7 in favour of nsd and unbound, so on current releases install it from packages (isc-bind) first.
named_flags="-4"
HELPFUL HINT: Check out our DNS Verify (ip to hostname to ip) script. It will help you verify your hostnames match your ip addresses and spot any problems in name resolution.
Wednesday, May 26, 2010