Configure BIND on Linux
WINDOWS GUIDE AT BOTTOM OF PAGE.
Remember, if you are using two BIND DNS servers in a master/slave configuration, you must update the serial number of the zone file when you update the file on the master if you want the slave to pick it up.
Remember, if you make a change to a zone, you can make that change live without restarting the DNS service with the following command
rndc reload example.local
On Ubuntu 16.04, you need to
sudo apt-get install bind9 bind9utils bind9-doc
Then
vi /etc/bind/named.conf.options
And add…
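options {
	directory "/var/cache/bind";

	// Listen only on loopback and the LAN-facing address of this host
	// (adjust 192.168.1.5 to your own address).
	listen-on port 53 { 127.0.0.1; 192.168.1.5; };
	// IPv6 listens on every interface, so the ACLs below are what decide
	// who may use this server as a resolver over IPv6.
	listen-on-v6 { any; };

	// Recursion (and reads from the cache) are limited to this host and the
	// networks it is directly attached to. With "any" here the server is an
	// open resolver: anyone who can reach port 53 can use it for reflection
	// traffic or try to poison its cache. If your clients sit on other
	// subnets, declare an acl { } with those ranges and use it here instead.
	allow-recursion { localhost; localnets; };
	allow-query-cache { localhost; localnets; };
	// Authoritative answers for the zones in named.conf.local stay open to
	// everyone; that is what a name server is for.
	allow-query { any; };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys. See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;
	auth-nxdomain no; # conform to RFC1035
};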
service bind9 restart
If you are running the local ufw firewall, you may need to open UDP/TCP 53.
Create Zones
vi /etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
// Forward zone for example.local; this host is the master (primary).
// "slave.ip.address" is a placeholder for the secondary's IP address.
// Keep allow-transfer restricted: without it, older BIND releases hand the
// whole zone (AXFR) to any client that asks.
zone "example.local" {
type master;
file "/etc/bind/zones/example.local.db";
allow-transfer { slave.ip.address; };
};
// Reverse zone for 192.168.1.0/24. The file name says "99.168.192" while the
// zone is 1.168.192 — BIND does not care about the file name, but it must
// match the file you actually edit (see "Configure Reverse Zone" below).
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.99.168.192.in-addr.arpa";
allow-transfer { slave.ip.address; };
};
Configure Zone
vi /etc/bind/zones/example.local.db
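$TTL 604800
; Start of authority. MNAME must be an absolute name (trailing dot), or BIND
; appends the origin and the primary becomes "ns1.example.local.example.local".
; Bump the serial on every edit so the secondary picks the change up.
@ IN SOA ns1.example.local. admin.example.local. (
        2         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
;
; The "@ IN NS localhost." / "@ IN A 127.0.0.1" / "@ IN AAAA ::1" lines that
; ship in the db.local template have been dropped: they delegated the zone to
; localhost. and gave the apex a second, loopback A record.
;
; Name servers
example.local. IN NS ns1.example.local.
example.local. IN NS ns2.example.local.
; Addresses for the name servers named above
ns1 IN A 192.168.1.4
ns2 IN A 192.168.1.5
; Other A records
@ IN A 192.168.1.7
www IN A 192.168.1.8
myserver IN A 192.168.1.9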
Configure Reverse Zone
vi /etc/bind/zones/rev.99.168.192.in-addr.arpa
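$TTL 604800
; MNAME names the primary server, as in the forward zone (absolute, with
; trailing dot). Bump the serial on every edit.
@ IN SOA ns1.example.local. admin.example.local. (
        1         ; Serial
        604800    ; Refresh
        86400     ; Retry
        2419200   ; Expire
        604800 )  ; Negative Cache TTL
; Name servers — owner "@" written out, and the names are the example.local
; servers (the previous example.com names would have delegated the reverse
; zone to hosts outside this setup).
@ IN NS ns1.example.local.
@ IN NS ns2.example.local.
; PTR records — one per A record in example.local.db. Only the last octet is
; given because the origin is 1.168.192.in-addr.arpa.
4 IN PTR ns1.example.local.
5 IN PTR ns2.example.local.
7 IN PTR example.local.
8 IN PTR www.example.local.
9 IN PTR myserver.example.local.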
Logging
In Ubuntu 16.04
rndc querylog
tail -f /var/log/syslog
Also
user@hostname:/etc/bind# cat named.conf.options
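options {
	directory "/var/cache/bind";
	// Bind only the loopback addresses and this host's LAN address.
	listen-on port 53 { 127.0.0.1; 127.0.1.1; 192.168.0.1; };
	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys. See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;
	auth-nxdomain no; # conform to RFC1035
	// IPv6 listens on every interface; the ACLs below are what decide who may
	// use this server as a resolver over IPv6.
	listen-on-v6 { any; };
	// Recursion and cache reads are limited to this host and its directly
	// attached networks. "any" here turns the server into an open resolver
	// usable by anyone who can reach port 53. Declare an acl { } with your
	// client ranges and use it here if they are on other subnets.
	allow-recursion { localhost; localnets; };
	allow-query-cache { localhost; localnets; };
	// Authoritative answers for the configured zones remain open to everyone.
	allow-query { any; };
};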
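logging {
	// One file per log category under /var/log/bind. The directory must exist
	// and be writable by the user named runs as (the "bind" user on Ubuntu).
	// NOTE(review): Ubuntu's AppArmor profile for named may only allow writes
	// under /var/log/named — confirm before settling on a path.
	// "versions 3 size 5m" rotates each file at 5 MB and keeps three old copies.
	// Once "category default" is sent to a file below, these messages no
	// longer appear in syslog, so "tail -f /var/log/syslog" will not show them.
	channel bind_default_log {
		file "/var/log/bind/default.log" versions 3 size 5m;
		//severity debug 9;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel bind_update_log {
		file "/var/log/bind/update.log" versions 3 size 5m;
		//severity debug 9;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel bind_update-security_log {
		file "/var/log/bind/update-security.log" versions 3 size 5m;
		//severity debug 9;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel bind_security_log {
		file "/var/log/bind/security.log" versions 3 size 5m;
		//severity debug 9;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel bind_query_log {
		file "/var/log/bind/query.log" versions 3 size 5m;
		//severity debug 10;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel bind_lame-servers_log {
		file "/var/log/bind/lame-servers.log" versions 3 size 5m;
		//severity debug 9;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	// Each category goes to the channel defined for it above. (Previously every
	// category was routed to bind_query_log, which left the other five channels
	// unused and mixed security and update events into the query file.)
	category default { bind_default_log; };
	category update { bind_update_log; };
	category update-security { bind_update-security_log; };
	// "security" records approved/denied requests (recursion, transfers, ...)
	// — the file to watch for unexpected clients.
	category security { bind_security_log; };
	// "queries" is only written while query logging is switched on
	// (toggle it with "rndc querylog").
	category queries { bind_query_log; };
	category lame-servers { bind_lame-servers_log; };
};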
Test Transfer
Log on to the slave machine and run
dig @master.ip.address mydomain.local. AXFR
Enable NS Servers to use DNS
I found I had to edit /etc/resolvconf/resolv.conf.d/head (e.g. with vi)
and add nameserver 127.0.0.1 to the end of the file, save, exit and then run the following to get the NS servers to correctly access DNS on themselves.
resolvconf --enable-updates
Configure BIND on Windows
- Download Win x64 BIND 9.16.24 from ISC's BIND website. 9.16 is the last version of BIND to be natively supported on Microsoft Windows.
- Extract the zip file.
- As Administrator, run BINDInstall.exe.
- The install window will ask for a target directory. For this guide, we will use the default “C:\Program Files\ISC BIND 9”.
- Set a service account name (this will create a local user). Password must meet the password requirements of the system.
- For the options tick “Automatic Startup” and “Keep Config Files After Uninstall”. Don't bother ticking “Tools Only” (this is if you want to install DIG on a Windows system and not BIND) and DO NOT tick “Start BIND Service After Install”.
- Click Install.
- It should prompt you to install Microsoft Visual C++ 2017 Redistributable (x64) 14.16.27033. Even if Visual C++ throws an error, BIND may still be working.
- The service is listed under Windows Services as “ISC BIND”.
- Create the folders dns\logs under the installation directory (e.g “C:\Program Files\ISC BIND 9\dns\logs”)
- Edit the security properties for the installation directory (e.g. “C:\Program Files\ISC BIND 9\”) to make sure that the service account you created has read/write permissions to the folder. You may need to click “Advanced” in the “Select Users..” popup and scroll down the list until you find the service account, as it is local (not domain).
- Copy the configuration files into the etc subfolder of the installation folder (e.g. C:\Program Files\ISC BIND 9\etc).
Edit both named_forwarder_port5353.conf
Edit "forwarders { 192.168.1.1; 192.168.1.2; };" and set the IP addresses to the DNS servers you want to forward to.
Replace "c:\windows\system32\" with the installation path (e.g. C:\Program Files\ISC BIND 9\).
You may need to add the following to the options { } section if DNSSEC is an issue
// Turning validation off makes the server accept whatever the forwarders
// return, signed or forged, so prefer fixing the trust anchor (see the
// root-key comment in the Linux options above) and treat this as a temporary
// workaround only.
// NOTE(review): "dnssec-enable" is obsolete in the 9.16 series (accepted but
// without effect — confirm against the 9.16 ARM); "dnssec-validation no;" is
// the line that actually disables validation.
dnssec-enable no;
dnssec-validation no;
Copy named_forwarder_port5353.conf to named_forwarder_port53.conf, edit named_forwarder_port53.conf and change the port from 5353 to 53.
listen-on port 5353 { any; };
Copy named_forwarder_port5353.conf to named.conf
Windows BIND Config
This file just tells BIND to listen on port 5353 and forward to two IP addresses.
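<config>options {
	// Working directory; the service account needs write access here and under
	// dns\logs (see the permissions step above).
	directory "C:\Program Files\ISC BIND 9\dns";
	auth-nxdomain no;
	// This host is a pure forwarder listening on 5353 on every interface, so
	// the recursion ACL is the only thing that decides who may resolve through
	// it. With "any" it is an open resolver for anyone who can reach the port;
	// localhost plus the directly attached networks covers the LAN case —
	// declare an acl { } with your client ranges if they sit on other subnets.
	allow-recursion { localhost; localnets; };
	allow-query { any; };
	// Do not reveal the BIND version to version.bind CHAOS queries.
	version none;
	listen-on port 5353 { any; };
	minimal-responses yes;
	// Upstream resolvers. "forward only" means never fall back to iterating
	// from the roots when the forwarders do not answer.
	forwarders { 192.168.1.1; 192.168.1.2; };
	forward only;
	// Cap how long positive and negative answers are cached.
	max-cache-ttl 300;
	max-ncache-ttl 300;
};
logging {
	// One file per category under dns\logs; "versions 3 size 5m" rotates at
	// 5 MB and keeps three old copies. "severity dynamic" makes each channel
	// follow the server's current debug level (rndc trace) instead of a fixed
	// level.
	channel default_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\default.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel general_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\general.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel database_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\database.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel security_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\security.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel config_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\config.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel resolver_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\resolver.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel xfer-in_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\xfer-in.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel xfer-out_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\xfer-out.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel notify_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\notify.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel client_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\client.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel unmatched_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\unmatched.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel queries_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\queries.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel network_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\network.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel update_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\update.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel dispatch_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\dispatch.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel dnssec_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\dnssec.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	channel lame-servers_file {
		file "C:\Program Files\ISC BIND 9\dns\logs\lame-servers.log" versions 3 size 5m;
		severity dynamic;
		print-time yes;
	};
	// Each category maps to its own channel. "security" is the file to watch
	// for denied recursion or transfer attempts from unexpected clients;
	// "queries" is only written while query logging is on (rndc querylog).
	category default { default_file; };
	category general { general_file; };
	category database { database_file; };
	category security { security_file; };
	category config { config_file; };
	category resolver { resolver_file; };
	category xfer-in { xfer-in_file; };
	category xfer-out { xfer-out_file; };
	category notify { notify_file; };
	category client { client_file; };
	category unmatched { unmatched_file; };
	category queries { queries_file; };
	category network { network_file; };
	category update { update_file; };
	category dispatch { dispatch_file; };
	category dnssec { dnssec_file; };
	category lame-servers { lame-servers_file; };
}; </config>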
Remember, you may need to add the following to the options section. <config> dnssec-enable no;
dnssec-validation no;</config>
