Configuration Information

BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a compromise of the DNS server can only affect the few files in the named user's HOME directory, which is the jail itself.

Create the unprivileged user and group named:

          
groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /srv/named

Set up some files, directories and devices needed by BIND:

cd /srv/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /srv/named/dev/null c 1 3 &&
mknod /srv/named/dev/random c 1 8 &&
chmod 666 /srv/named/dev/{null,random} &&
mkdir /srv/named/etc/namedb/pz &&
cp /etc/localtime /srv/named/etc

Then, generate a key for use in the named.conf and rndc.conf files using the rndc-confgen command:

rndc-confgen -r /dev/urandom -b 512 | \
    grep -m 1 "secret" | cut -d '"' -f 2

Create the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:

cat > /srv/named/etc/named.conf << "EOF"
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "<Insert secret from rndc-confgen's output here>";
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};
// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.
logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };
    channel default_syslog {
        syslog daemon;                      // send to syslog's daemon
                                            // facility
        severity info;                      // only send priority info
                                            // and higher
    };
    channel default_debug {
        file "named.run";                   // write to named.run in
                                            // the working directory
                                            // Note: stderr is used instead
                                            // of "named.run"
                                            // if the server is started
                                            // with the '-f' option.
        severity dynamic;                   // log at the server's
                                            // current debug level
    };
    channel default_stderr {
        stderr;                             // writes to stderr
        severity info;                      // only send priority info
                                            // and higher
    };
    channel null {
        null;                               // toss anything sent to
                                            // this channel
    };
};
EOF

Create the rndc.conf file with the following commands:

cat > /etc/rndc.conf << "EOF"
key rndc_key {
    algorithm "hmac-md5";
    secret "<Insert secret from rndc-confgen's output here>";
};
options {
    default-server localhost;
    default-key    rndc_key;
};
EOF

The rndc.conf file contains the information needed to control named operations with the rndc utility.

Create a zone file with the following contents:

cat > /srv/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF

Create the root.hints file with the following commands:

Note: Caution must be used to ensure there are no leading spaces in this file.

cat > /srv/named/etc/namedb/root.hints << "EOF"
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       199.7.83.42
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
EOF

The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from ftp://rs.internic.net/domain/named.root. Consult the BIND 9 Administrator Reference Manual for details.

Create or modify resolv.conf to use the new name server with the following commands:

Note: Replace <yourdomain.com> with your own valid domain name.

cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search <yourdomain.com>
nameserver 127.0.0.1
EOF

Set permissions on the chroot jail with the following command:

chown -R named:named /srv/named
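
As an added check that is not part of the BLFS page, the following POSIX shell functions (hypothetical names, not a BIND tool) verify the jail layout built above, enforce the root.hints rule about leading spaces, and confirm that the rndc-confgen secret was actually pasted into both named.conf and rndc.conf and matches; paths default to the /srv/named jail and /etc/rndc.conf used on this page:

```shell
# Added example, not from the BLFS page. Every function takes a path argument
# so the checks can be run against /srv/named or against a scratch copy.

# Directories created by the mkdir steps above.
jail_dirs_ok() {
    for d in dev etc/namedb/pz etc/namedb/slave var/run; do
        [ -d "$1/$d" ] || return 1
    done
}

# The two device nodes made with mknod must be character devices.
jail_devs_ok() {
    [ -c "$1/dev/null" ] && [ -c "$1/dev/random" ]
}

# root.hints rule from the page: no line may start with whitespace. In
# addition, every NS target must have a matching A record in the same file.
hints_ok() {
    ! grep -q '^[[:space:]]' "$1" || return 1
    ns=
    for ns in $(awk '$4 == "NS" { print $5 }' "$1"); do
        awk -v n="$ns" '$1 == n && $4 == "A" { ok = 1 } END { exit !ok }' "$1" || return 1
    done
    [ -n "$ns" ]
}

# Print the quoted value after the first "secret" keyword. The value is on the
# same line in named.conf and may sit on the following line in rndc.conf.
key_secret() {
    awk '/secret/ { want = 1 }
         want && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2); exit }' "$1"
}

# named.conf and rndc.conf must carry the same key, and the rndc-confgen
# placeholder text must have been replaced by a real secret.
secrets_ok() {
    a=$(key_secret "$1"); b=$(key_secret "$2")
    case "$a" in "" | *"Insert secret"*) return 1 ;; esac
    [ "$a" = "$b" ]
}

# Run all checks against a jail root (default /srv/named).
check_jail() {
    j=${1:-/srv/named}
    jail_dirs_ok "$j" && jail_devs_ok "$j" && hints_ok "$j/etc/namedb/root.hints" &&
        secrets_ok "$j/etc/named.conf" /etc/rndc.conf && echo "jail $j looks consistent"
}
```

check_jail only reports success; when it stays silent, call the individual functions to see which check failed.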

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig:

dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:

dig www.linuxfromscratch.org &&
dig www.linuxfromscratch.org

The second lookup returns almost instantaneously because named answers it from its cache. Consult the BIND Administrator Reference Manual, located at doc/arm/Bv9ARM.html in the package source tree, for further configuration options.