Saucepan

User Tools

Site Tools

Trace: grid_join wireshark ping ssh colour install_ubuntu20.04 sslmgr dhcp install_gitolite install_tigervnc
dns:bind_configure_guide

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
dns:bind_configure_guide [2022/01/19 10:50] bstafforddns:bind_configure_guide [2025/12/15 12:43] (current) – [Logging] bstafford
Line 9: Line 9:
  
 On Ubuntu 16.04, you need to  On Ubuntu 16.04, you need to 
-<code>sudo apt-get install bind9 bind9utils bind9-doc</code>+<code>sudo apt-get install bind9 bind9utils bind9-doc dnsutils</code> 
 + 
 +=====Troubleshooting ===== 
 +<code>named-checkconf</code> 
 +<code>named-checkzone yourdomain.tld /etc/bind/zones/name-of-file.db</code> 
 +===== Other =====
  
 Then <code>vi /etc/bind/named.conf.options</code> Then <code>vi /etc/bind/named.conf.options</code>
Line 110: Line 115:
 <code>tail -f /var/log/syslog</code> <code>tail -f /var/log/syslog</code>
 Also Also
 +
 +<code>sudo mkdir /var/log/named
 +sudo chown bind:bind /var/log/named
 +sudo chmod ug+w /var/log/named</code>
 +
 +
 +''NOTE'' Use ''/var/log/named/'' for logging folder otherwise you will encounter issues with AppArmor
 <code>user@hostname:/etc/bind# cat named.conf.options <code>user@hostname:/etc/bind# cat named.conf.options
 options { options {
Line 130: Line 142:
 logging { logging {
         channel bind_default_log {         channel bind_default_log {
-                file "/var/log/bind/default.log" versions 3 size 5m;+                file "/var/log/named/default.log" versions 3 size 5m;
                 //severity debug 9;                 //severity debug 9;
                 severity info;                 severity info;
Line 139: Line 151:
  
         channel bind_update_log {         channel bind_update_log {
-                file "/var/log/bind/update.log" versions 3 size 5m;+                file "/var/log/named/update.log" versions 3 size 5m;
                 //severity debug 9;                 //severity debug 9;
                 severity info;                 severity info;
Line 148: Line 160:
  
         channel bind_update-security_log {         channel bind_update-security_log {
-                file "/var/log/bind/update-security.log" versions 3 size 5m;+                file "/var/log/named/update-security.log" versions 3 size 5m;
                 //severity debug 9;                 //severity debug 9;
                 severity info;                 severity info;
Line 157: Line 169:
  
         channel bind_security_log {         channel bind_security_log {
-                file "/var/log/bind/security.log" versions 3 size 5m;+                file "/var/log/named/security.log" versions 3 size 5m;
                 //severity debug 9;                 //severity debug 9;
                 severity info;                 severity info;
Line 166: Line 178:
  
         channel bind_query_log {         channel bind_query_log {
-                file "/var/log/bind/query.log" versions 3 size 5m;+                file "/var/log/named/query.log" versions 3 size 5m;
                 //severity debug 10;                 //severity debug 10;
                 severity info;                 severity info;
Line 175: Line 187:
  
         channel bind_lame-servers_log {         channel bind_lame-servers_log {
-                file "/var/log/bind/lame-servers.log" versions 3 size 5m;+                file "/var/log/named/lame-servers.log" versions 3 size 5m;
                 //severity debug 9;                 //severity debug 9;
                 severity info;                 severity info;
Line 183: Line 195:
         };         };
  
-        category default { bind_query_log; }; +        category default { bind_default_log; }; 
-        category update { bind_query_log; }; +        category update { bind_update_log; }; 
-        category update-security { bind_query_log; }; +        category update-security { bind_update-security_log; }; 
-        category security { bind_query_log; };+        category security { bind_security_log; };
         category queries { bind_query_log; };         category queries { bind_query_log; };
-        category lame-servers { bind_query_log; };+        category lame-servers { bind_lame-servers_log; };
 }; };
 </code> </code>
Line 212: Line 224:
   * The service is listed under Windows Services as "ISC BIND".   * The service is listed under Windows Services as "ISC BIND".
   * Create the folders dns\logs under the installation directory (e.g "C:\Program Files\ISC BIND 9\dns\logs")   * Create the folders dns\logs under the installation directory (e.g "C:\Program Files\ISC BIND 9\dns\logs")
 +  * Create the folders dns\keys under the installation directory (e.g "C:\Program Files\ISC BIND 9\dns\keys")
   * Edit the security properties for the installation directory (e.g. "C:\Program Files\ISC BIND 9\") to make sure that the service account you created has read/write permissions to the folder. You may need to click "Advanced" in the "Select Users.." popup and scroll down the list until you find the sevice account as it is local (not domain).   * Edit the security properties for the installation directory (e.g. "C:\Program Files\ISC BIND 9\") to make sure that the service account you created has read/write permissions to the folder. You may need to click "Advanced" in the "Select Users.." popup and scroll down the list until you find the sevice account as it is local (not domain).
-  * Copy the configuraiton files into the etc sub folder off the installation folder (e.g. C:\Program Files\ISC BIND 9\etc). +  * Copy the configuraiton files into the "etcsub-folder off the installation folder (e.g. C:\Program Files\ISC BIND 9\etc). The configuration is below. YOu need three files 
-Edit both named_forwarder_port5353.conf +      * named.conf (this is what BIND uses) 
- Edit "forwarders { 192.168.1.1; 192.168.1.2; };" and set the IP addresses to the DNS servers you want to forward to. +      * named_forward53.conf 
- Replace "c:\windows\system32\" with the installation path (e.g. C:\Program Files\ISC BIND 9\ +      * named_forward5353.conf 
- You may need to add te following to the options { section if DNSSEC is an issue +  * All three files should be identicle except for the port they listen onnamed_forward53.conf should listen on 53, named_forward5353.conf should listen on 5353 and named.conf should listen on the one you actively want to listen onWe have three files so that it is easy to create a script to copy named_forward53.conf or named_forward5353.conf to named.conf. This allows the automation of moving BIND from port 5353 to 53 and vice-versa. Useful during migrations to Infoblox
- dnssec-enable no; +  Copy ''bind.keys'' file to "C:\Program Files\ISC BIND 9\dns\bind.keys" 
- dnssec-validation no; +  * Query logs are in the file "C:\Program Files\ISC BIND 9\dns\logs\queries"
-Copy named_forwarder_port5353.conf to named_forwarder_port53.conf, edit named_forwarder_port53.conf and change the port from 5353 to 53. +
-         listen-on port 5353 { any; }; +
-Copy named_forwarder_port5353.conf to named.conf+
  
 +Remember, you cannot set the port of a nslookup query on Windows. The documentation says it is supported but it silently doesn't work.
 +
 +Remember, you may need to add the following to the options section.
 +<code> dnssec-enable no;
 + dnssec-validation no;</code>
 +
 +This was needed when forwarding to Infoblox (which had DNSSEC disabled). The BIND logs showed something similar to the following
 +<code>12-Dec-2018 10:05:24.294 managed-keys-zone: Initializing automatic trust anchor management for zone '.'; DNSKEY ID 20326 is now trusted, waiving the normal 30-day waiting period.
 +12-Dec-2018 11:36:07.683 managed-keys-zone: Key 20326 for zone . is now trusted (acceptance timer complete)
 +12-Dec-2018 11:43:40.942   validating C:\Program Files\ISC BIND 9\/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 11:43:40.958   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 11:44:18.302   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 11:44:18.302   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 11:49:17.050   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 11:49:17.066   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 11:59:07.186   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 11:59:07.186   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 12:00:21.172   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 12:00:21.172   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 12:02:04.971   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 12:02:04.971   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 14:19:30.328   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 14:19:32.734   validating internal.test/SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 14:19:38.968 validating test.internal.test/A: bad cache hit (cds.internal.test/DS)
 +12-Dec-2018 14:19:51.078 validating test.internal.test/A: bad cache hit (cds.internal.test/DS)
 +12-Dec-2018 14:31:11.044   validating ./SOA: got insecure response; parent indicates it should be secure
 +12-Dec-2018 14:31:11.701   validating ./SOA: got insecure response; parent indicates it should be secure</code>
 ==== Windows BIND Config ==== ==== Windows BIND Config ====
 This file just tells BIND to listen on port 5353 and forward to two IP addresses. This file just tells BIND to listen on port 5353 and forward to two IP addresses.
  
-<config>options {+<code>options {
  directory "C:\Program Files\ISC BIND 9\dns";  directory "C:\Program Files\ISC BIND 9\dns";
  auth-nxdomain no;  auth-nxdomain no;
Line 233: Line 270:
  allow-query { any; };  allow-query { any; };
  version none;  version none;
 +        bindkeys-file "C:\Program Files\ISC BIND 9\dns\bind.keys";
 +        managed-keys-directory "C:\Program Files\ISC BIND 9\dns\keys";
 +        dnssec-validation auto;        
         listen-on port 5353 { any; };         listen-on port 5353 { any; };
  minimal-responses yes;  minimal-responses yes;
Line 346: Line 386:
  category lame-servers { lame-servers_file; };  category lame-servers { lame-servers_file; };
 }; };
-</config>+</code>
  
-Remember, you may need to add the following to the options section. +This is the ''bind.keys'' file. 
-<config> dnssec-enable no; +<code># The bind.keys file is used to override the built-in DNSSEC trust anchors 
- dnssec-validation no;</config>+# which are included as part of BIND 9.  As of the current release, the only 
 +# trust anchors it contains are those for the DNS root zone ("."), and for 
 +# the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org").  Trust anchors 
 +# for any other zones MUST be configured elsewhere; if they are configured 
 +# here, they will not be recognized or used by named. 
 +
 +# The built-in trust anchors are provided for convenience of configuration. 
 +# They are not activated within named.conf unless specifically switched on. 
 +# To use the built-in root key, set "dnssec-validation auto;" in 
 +# named.conf options.  To use the built-in DLV key, set 
 +# "dnssec-lookaside auto;" Without these options being set, 
 +# the keys in this file are ignored. 
 +
 +# This file is NOT expected to be user-configured. 
 +
 +# These keys are current as of Feburary 2017.  If any key fails to 
 +# initialize correctly, it may have expired.  In that event you should 
 +# replace this file with a current version.  The latest version of 
 +# bind.keys can always be obtained from ISC at https://www.isc.org/bind-keys. 
 + 
 +managed-keys { 
 +   
 +        # This key (20326) is to be published in the root zone in 2017. 
 +        # Servers which were already using the old key (19036) should 
 +        # roll seamlessly to this new one via RFC 5011 rollover. Servers 
 +        # being set up for the first time can use the contents of this 
 +        # file as initializing keys; thereafter, the keys in the 
 +        # managed key database will be trusted and maintained 
 +        # automatically. 
 +        . initial-key 257 3 8 "AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3 
 +                +/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kv 
 +                ArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF 
 +                0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+e 
 +                oZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfd 
 +                RUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwN 
 +                R1AkUTV74bU="; 
 +};</code> 
 +Remember, you may need to add the following to the options section if you don't get the keys right
 +<code> dnssec-enable no; 
 + dnssec-validation no;</code>
  
dns/bind_configure_guide.1642589400.txt.gz · Last modified: (external edit)