Kenneth: Created page with "==Summary== Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server. Description: BIND (Berkeley Internet Name Domain) is an implementation of the..."

2016-09-16T18:17:44Z

Created page with "==Summary== Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server. Description: BIND (Berkeley Internet Name Domain) is an implementation of the..."

New page

==Summary==
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.

Description:

BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

== Quick Installation ==

Install bind, bind tools, and config files:
yum install bind bind-utils caching-nameserver

Start with sample configuration files:
cp /usr/share/doc/bind-9*/sample/etc/* /etc/
cp /usr/share/doc/bind-9*/sample/var/named/* /var/named/

Add the following line under the "options" section of /etc/named.conf:
listen-on { 127.0.0.1; 10.1.100.1; };

Comment out example zones in "view "internal"" section
# zone "my.internal.zone" {
# type master;
# ...

Comment out the "key ddns_key" and "view "external"" sections:
#key ddns_key
#{
# algorithm hmac-md5;
# secret "use /usr/sbin/dns-keygen to generate TSIG keys";
#};
#view "external"
# ...

Configure /etc/resolv.conf:
search test.lab
nameserver 127.0.0.1

Have bind auto start on boot:
chkconfig named on

Start bind:
service named restart

Test bind:
dig www.google.com

==Installation==

[http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html BIND 9 Configuration Reference]

<blockquote>"The Linux DNS Server is called bind or named; we need version 9. It should already be installed on your system, which can be verified using rpm -q bind." [http://sipx-wiki.calivia.com/index.php/HowTo_Configure_DHCP_and_DNS_Servers]</blockquote>

$ yum info bind
Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server.
Description:
BIND (Berkeley Internet Name Domain) is an implementation of the DNS
(Domain Name System) protocols. BIND includes a DNS server (named),
which resolves host names to IP addresses; a resolver library
(routines for applications to use when interfacing with DNS); and
tools for verifying that the DNS server is operating properly.

$ yum info caching-nameserver
Summary: Default BIND configuration files for a caching nameserver
Description:
The caching-nameserver package includes the configuration files which will make
the ISC BIND named DNS name server act as a simple caching nameserver.
A caching nameserver is a DNS Resolver, as defined in RFC 1035, section 7.
ISC BIND named(8) provides a very efficient, flexible and robust resolver as
well as a server of authoritative DNS data - many users use this package
along with BIND to implement their primary system DNS resolver service.
If you would like to set up a caching name server, you'll need to install
bind, bind-libs, and bind-utils along with this package.

Installation:
yum install bind caching-nameserver
chkconfig named on

The package caching-nameserver is needed for several files found in /var/named.

Optional xserver bind configuration tool:
yum install system-config-bind

The following files need to be configured:
* /etc/named.conf
* /etc/resolv.conf
* /etc/sysconfig/named (optional)
* /var/named/example.com.zone
* /var/named/192.168.5.zone

A sample named.conf file can be found here:
/usr/share/doc/bind-9.3.4/sample/etc/named.conf

<s>
cp /usr/share/doc/bind-9.3.3/sample/etc/named.conf /etc/named.conf
cp /usr/share/doc/bind-9.3.3/sample/etc/named.root.hints /etc/named.root.hints
# overwrite...
cp /usr/share/doc/bind-9.3.3/sample/etc/named.rfc1912.zones /etc/named.rfc1912.zones
# optional..
cp /usr/share/doc/bind-9.3.3/sample/etc/rndc.conf /etc/rndc.key
chown root:named /etc/named*
# var stuff
cat /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/named.root
chown root:named /var/named/named.root
</s>

See [[#Default named.conf|Default named.conf]]

The file /etc/named.caching-nameserver.conf has only local resolver lines. There are a few differences in the "options" section that the sample named.conf does not include, which appear to be restrictive in nature. The can be incorporated into the named.conf if needs be.

The file /usr/share/doc/bind-9.3.3/sample/etc/named.rfc1912.zones is missing the following that /etc/named.rfc1912.zones has (but named.root.hints has it):
zone "." IN {
type hint;
file "named.ca";
};

/etc/resolv.conf:
search t0e.org
nameserver 127.0.0.1

To regenerate the rndc key:
[root@hal ~]# cat /etc/rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "wp8YV4CpRykpGe7G8g465Bk0QvVIH8ksd26nst79EZfl8ZaarKD5B0Y4C4zO";
};
[root@hal ~]# rndc-confgen -a
wrote key file "/etc/rndc.key"
[root@hal ~]# cat /etc/rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "jyUnvqHOZWGfZnm46KvfoA==";
};

The changes to make to the sample conf file are as follows:
options
{
...
listen-on { 127.0.0.1; 10.10.10.1; };
};

view "internal"
{
...

zone "t0e.org" IN {
type master;
file "t0e.org.zone";
allow-update { key "rndckey"; };
notify yes;
};
zone "10.10.10.in-addr.arpa" {
type master;
file "t0e.org.rev";
allow-update { key "rndckey"; };
notify yes;
};

/* comment out all default zones
zone "my.internal.zone" {
...
zone "my.slave.internal.zone" {
...
// DISABLE COMMENTS
masters { / * put master nameserver IPs here * / 127.0.0.1; } ;
...
zone "my.ddns.internal.zone" {
}
*/
};

/* comment out "ddns_key" section, and do include
key ddns_key
{
...
};
*/
include "/etc/rndc.key";

/* comment out "external" section
view "external"
{
// DISABLE COMMENTS
...
};
*/

The OLD /etc/named.conf I use:
options {
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
listen-on { 127.0.0.1; 10.10.10.3; 10.10.20.3; };
};

controls {
inet 127.0.0.1 allow { localhost; } keys { rndckey; };
};

include "/etc/rndc.key";

zone "t0e.org" IN {
type master;
file "t0e.org.zone";
allow-update { key "rndckey"; };
notify yes;
};

zone "10.10.10.in-addr.arpa" {
type master;
file "t0e.org.rev";
allow-update { key "rndckey"; };
notify yes;
};

The /var/named/t0e.org.zone I use:
$TTL 300 ; 5 minutes
t0e.org. IN SOA hal.t0e.org. hel.t0e.org. (
20070714 ; serial number
300 ; refresh (5 minutes)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum TTL (1 hour)
)

NS hal.t0e.org.

fw A 10.10.10.1
hal A 10.10.10.3

The /var/named/t0e.org.rev I use:
$TTL 300 ; 5 minutes
10.10.10.in-addr.arpa. IN SOA hal.t0e.org. hal.t0e.org. (
20070714 ; serial number
300 ; refresh (5 minutes)
3600 ; retry (1 hour)
604800 ; expire (1 week)
3600 ; minimum TTL (1 hour)
)

NS hal.t0e.org.

1 PTR fw.t0e.org.
3 PTR hal.t0e.org.

== Records ==

Zone:
<pre>
zone "lab" {
type master;
file "/etc/bind/db.lab";
allow-query { lindonlab; };
};
</pre>

<pre>
;; Domain 'lab'
@ IN SOA ns.keylabs.com. admin.keylabs.com. (
2011052800 ; serial DONT FORGET CHANGE
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day

;; KeyLabs Name servers
IN NS ns.keylabs.com.
IN NS ns2.keylabs.com.

;; MX Record
IN MX 10 ASPMX.L.GOOGLE.COM.

;; TXT Record
IN TXT v=spf1 include:_spf.google.com ~all

;; Address Record
iso IN A 216.119.202.4

;; Quick Subdomain
admin.tr IN A 216.119.202.4

;; CNAME
files IN CNAME iso ;; cname to local domain
portal IN CNAME oeey.com. ;; notice end '.'

;; PTR
1 IN PTR ws1.oeey.com.
</pre>

=== Reverse ===

<pre>
zone "202.119.216.in-addr.arpa" {
type master;
file "/etc/bind/rev.202.119.216";
};
</pre>

<pre>
;; Domain 'lab'
@ IN SOA ns.keylabs.com. admin.keylabs.com. (
2011052800 ; serial DONT FORGET CHANGE
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day

;; KeyLabs Name servers
IN NS ns.keylabs.com.
IN NS ns2.keylabs.com.

;; reverse mapping
;; KeyLabs ( 216.119.192.0 - 216.119.192.253 )
1 IN PTR ws-192-1.keylabs.com.
2 IN PTR ws-192-2.keylabs.com.
</pre>

== Google Applications ==

<pre>
MX Server Settings:
<pre>
; name ttl class rr pref name
; example.com. IN MX 10 mail.example.com.

;;
;; GOOGLE APPS
;;
IN MX 10 ASPMX.L.GOOGLE.COM.
IN MX 20 ALT1.ASPMX.L.GOOGLE.COM.
IN MX 20 ALT2.ASPMX.L.GOOGLE.COM.
IN MX 30 ASPMX2.GOOGLEMAIL.COM.
IN MX 30 ASPMX3.GOOGLEMAIL.COM.
IN MX 30 ASPMX4.GOOGLEMAIL.COM.
IN MX 30 ASPMX5.GOOGLEMAIL.COM.
IN TXT v=spf1 include:_spf.google.com ~all
calendar CNAME ghs.google.com.
docs CNAME ghs.google.com.
mail CNAME ghs.google.com.
</pre>

== Root Hints ==

<pre>
//
// The 'named.root' root cache hints zone for the bind DNS 'named' nameserver.
//
// named's cache must be primed with the addresses of the root zone '.' nameservers.
// The root zone file can be obtained by querying the root 'A' nameserver:
// $ dig . ns @198.41.0.4 > named.root
// Or by download via FTP / HTTP:
// $ wget ftp://ftp.rs.internic.net/domain/named.root
//
// Every view that is to provide recursive service must include this zone.
//
zone "." IN {
type hint;
file "named.root";
}
</pre>

== Secondary Name Server ==

Install bind, bind tools, and config files:
yum install bind bind-utils

Get root hints:
dig . ns @198.41.0.4 > /etc/named.root.hints

/etc/named.conf:
<pre>
// general options
options
{
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

allow-transfer { 216.119.206.253; };
allow-recursion { 216.119.192.0/20; };
version "Not disclosed";
};

// reduce log verbosity on issues outside our control
logging {
category lame-servers { null; };
};

// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/named.root.hints";
};

//
// Reverse DNS
//

zone "206.119.216.in-addr.arpa" {
type slave;
file "slaves/rev.206.119.216.cache";
masters { 216.119.206.253; };
};

//
// Oeey domains below here
//

zone "oeey.com" {
type slave;
file "slaves/db.oeey.cache";
masters { 216.119.206.253; };
};
</pre>

== DNS Security ==

[http://www.ops.ietf.org/dns/dynupd/secure-ddns-howto.html Secure dynamic DNS howto]

[http://www.cymru.com/Documents/secure-bind-template.html Secure BIND Template v7.1 14 May 2009 TEAM CYMRU noc@cymru.com]

=== Hide Version ===

Check Version:
dig @[NS_SERVER] -c CH -t txt version.bind
nslookup -q=txt -class=CHAOS version.bind. 0
dig @nameserver version.bind txt chaos
nslookup -type=txt -class=chaos version.bind nameserver

options
{
...
version "not disclosed";
};

version "surely you must be joking";

References:
* How To Hide BIND DNS Sever Version - http://www.cyberciti.biz/faq/hide-bind9-dns-sever-version/
* Determining/hiding BIND version number - http://www.brandonhutchinson.com/Determining_hiding_BIND_version_number.html
* The FreeBSD Diary -- What version of bind are you running? - http://www.freebsddiary.org/bind-version.php

== Log Queries ==

<pre>
logging
{
/* ..... */
channel query_log {
//file "data/query.log";
syslog kern;
severity debug;
};
category queries { query_log; };
};
</pre>

References:
* DNS BIND logging Clause - http://www.zytrax.com/books/dns/ch7/logging.html
* Troubleshooting - https://help.ubuntu.com/8.04/serverguide/C/dns-troubleshooting.html
* Bind 9 query logging - https://lists.isc.org/pipermail/bind-users/2009-January/074967.html

== Firewall ==

DNS uses UDP port 53 [http://lists.terrasoftsolutions.com/pipermail/yellowdog-general/2003-September/010027.html]
iptables -A INPUT -p udp -i eth0 --destination-port 53 -j ACCEPT

BUT:

"Remember that queries can be TCP-based as well as UDP-based, so you must allow traffic from queriers to TCP port 53 as well as UDP port 53, and from your name server to TCP port 53." [http://www.oreillynet.com/pub/a/network/excerpt/dnsbindcook_ch07/]

"By default host uses UDP when making queries. The -T option makes it use a TCP connection when querying the name server. TCP will be automatically selected for queries that require it, such as zone transfer (AXFR) requests." [http://www.bind9.net/Bv9.6ARM.pdf]

"Please note that here I'm not allowing TCP protocol as I don't have secondary DNS server to do zone transfer. Please note if you have secondary server, add following rules to above rules so that secondary server can do zone transfer from primary DNS server..." http://www.cyberciti.biz/tips/linux-iptables-12-how-to-block-or-open-dnsbind-service-port-53.html]

== IPv4 Only ==

Add "-4" to the bind9 config

/etc/default/bind9:
<pre>
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-4 -u bind"
</pre>

Source: [http://ubuntu-tutorials.com/2009/03/21/configure-bind-9-for-ipv4-or-ipv6-only/ Configure BIND 9 For IPv4 (or IPv6) Only | Ubuntu Tutorials]

== Dynamic DNS ==

Dynamic DNS (DDNS)

See also [[dhcpd#Dynamic DNS]]

/var/named/chroot/etc/named.conf:
<pre>
zone "dnsknowledge.com" IN {
type master;
file "dnsknowledge.com.zone";
allow-update { key rndckey; };
};

# reverse zone
zone "1.168.192.in-addr.arpa" IN {
type master;
file "1.168.192.in-addr.arpa.zone";
allow-update { key rndckey; };
};
</pre>

References:
* CentOS Linux Setup Dynamic DNS (DDNS) - http://www.dnsknowledge.com/tutorials/centos-tutorials/bind-9/howto-setup-dynamic-dns-ddns/

==Issues==
===DNS Cache Poisoning Bug===

Use:
// query-source port 53;

how do I find out if my DNS server is open to such attack:
$ dig +short @{name-server-ip} porttest.dns-oarc.net txt
$ dig +short @ns1.example.com porttest.dns-oarc.net txt
$ dig +short @208.67.222.222 porttest.dns-oarc.net txt

Good:
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"208.67.222.222 is '''GOOD''': 26 queries in 0.1 seconds from 26 ports with std dev 17746.18"

Bad:
z.y.x.w.v.u.t.s.r.q.p.o.n.m.l.k.j.i.h.g.f.e.d.c.b.a.pt.dns-oarc.net.
"125.22.47.139 is '''POOR''': 42 queries in 8.4 seconds from 1 ports with std dev 0.00"

With nslookup:
nslookup -type=txt -timeout=30 porttest.dns-oarc.net
nslookup -type=txt -timeout=30 porttest.dns-oarc.net ns1.your-isp.com
nslookup -type=txt -timeout=30 porttest.dns-oarc.net NS-SERVER-IP

Tools:
*[http://www.doxpara.com/ DoxPara - DNS Checker]

Information and Alerts:
*[http://www.linuxjournal.com/content/dns-bug-why-you-should-care The DNS Bug: Why You Should Care | Linux Journal]
*[http://www.linuxjournal.com/content/understanding-kaminskys-dns-bug Understanding Kaminsky's DNS Bug | Linux Journal]
*[http://www.us-cert.gov/cas/techalerts/TA08-190B.html US-CERT Technical Cyber Security Alert TA08-190B -- Multiple DNS implementations vulnerable to cache poisoning]

References:
*[http://www.cyberciti.biz/faq/dns-cache-poisoning-test/ Find Out If My DNS Server Free From DNS Cache Poisoning Bug Or Not]
*[http://www.cyberciti.biz/tips/windows-verify-dns-cache-posinging-bug.html Verify DNS Cache Poisoning Bug Using Windows XP / Vista / 2003 / 2008 System Command Prompt]
*[http://www.cyberciti.biz/tips/freebsd-bind-dns-cache-poisoning.html Security Alert: FreeBSD-SA-08:06.bind DNS cache Poisoning]

===How do I share a dynamic zone between multiple views===
[http://www.isc.org/index.pl?/sw/bind/FAQ.php Frequently Asked Questions about BIND 9]:
Q: How do I share a dynamic zone between multiple views?
A: You choose one view to be master and the second a slave and transfer the zone between views.

===Journal file creation failed===
When trying to add a new client record...
Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': adding an RR at 'KENDAWG.t0e.org' A
Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': adding an RR at 'KENDAWG.t0e.org' TXT
Jun 16 10:23:09 hal named[29054]: journal file t0e.org.zone.jnl does not exist, creating it
Jun 16 10:23:09 hal named[29054]: t0e.org.zone.jnl: create: permission denied
Jun 16 10:23:09 hal named[29054]: client 127.0.0.1#32925: updating zone 't0e.org/IN': error: journal open failed: unexpected error
Jun 16 10:23:09 hal dhcpd: Unable to add forward map from KENDAWG.t0e.org to 10.10.10.229: timed out

#This did not work...
#cd /var/named
#touch t0e.org.zone.jnl
#chown root:named t0e.org.zone.jnl
#service named restart

#This did work...
cd /var/
chown -R named:named named
service named restart

===Unexpected RCODE (SERVFAIL)===
I get several RCODE error messages in the /var/log/messages log file. These are caused by bad external name servers, not our DNS server.

*[http://www.servertalk.in/ftopic4932.html How to Stop the "unexpected RCODE (SERVFAIL)" Messages?]
*[http://www.menandmice.com/knowledgehub/bindlogmsgs Log messages for BIND 8 named, named-xfer, ndc and some for BIND 9]

===Updating Zone Info===
This [http://www.webservertalk.com/archive69-2005-10-1228049.html article] may indicate a way to generate the .jnl files:
nsupdate

'''Important note: Editing the Zone files while dynamic updates are active...''' [http://sipx-wiki.calivia.com/index.php/HowTo_Configure_DHCP_and_DNS_Servers]

When dynamic update is enabled for a zone, the zone can no longer be manually edited as normal.

The DNS server keeps a journal (.jnl) file of incoming updates. The file is not automatically syncronized with the zone file, but can be forced with the "rndc stop" command. Extreme care has to be exercised when manually updating a zone subject to dynamic updates.

When using BIND 9.3 the following can be used, which does not require that named be stopped:

1. rndc freeze example.com
2. edit the zone
3. rndc unfreeze example.com

Remember to increment the serial number in the zone file as you make changes.

===Freeze failed not found===
[root@fw ~]# rndc freeze
rndc: 'freeze' failed: unexpected end of input

[root@fw ~]# rndc freeze t0e.org
rndc: 'freeze' failed: not found

[root@fw ~]# rndc freeze t0e.org internal
rndc: 'freeze' failed: unknown class/type

This is caused by the "view" configuration.

[http://www.plug.org/pipermail/plug/2007-November/028407.html Unable to freeze zone - Bind DNS - problem with views?]

[http://www.plug.org/pipermail/plug/2007-November/028417.html Unable to freeze zone - Bind DNS - problem with views? Reply]:
rndc freeze t0e.org in internal

=== client query (cache) denied ===

Error:
ns named[13434]: client 65.46.140.82#36817: query (cache) 'txfrwll/AAAA/IN' denied

Cause:
*This means a recursive request came from the client and was denied. This is good if the client is not an internal system.

Solution:
* If the client is an internal system that should allow for recursion, add it to the allow-recursion.

For example:
allow-recursion { 10.0.0.0/8; };

=== client update denied ===

Error:
ns named[13434]: client 71.195.222.228#54866: update 'keylabs.com/IN' denied

Cause:
* Some client attempted to update your DNS records. Bastards.

"Someone is trying to update your DNS data using the RFC2136 Dynamic Update protocol." [http://www.bind9.net/BIND-FAQ]

"This is a "feature" of some (newer) windows versions, that try to register their name in the nameserver that they got configured (e.g. via dhcp). I think there is a registry key to disable this behaviour, this should help you to fix the problem." [http://archive.cert.uni-stuttgart.de/suse-security/2003/09/msg00044.html]

Solution:
* If the client is a DHCP server that you want to allow an update DNS transfer through, add it to the allow-transfer:

Example:
allow-transfer { 216.119.202.2; }

=== lame server resolving ===

Error:
Sep 16 04:16:37 ns named[13434]: lame server resolving 'networking.itags.org' (in 'itags.org'?): 74.86.171.244#53

Cause:
* "A lame server is one that's not responding to a name request it is expected to handle. " [http://workbench.cadenhead.org/news/2802/my-name-server-totally-lame]
* "lame-servers - Lame servers. These are misconfigurations in remote servers, discovered by BIND 9 when trying to query those servers during resolution." [http://www.bind9.net/manual/bind/9.3.2/Bv9ARM.ch06.html]

Solution:
* If you don't want to be notifed of these, you can turn off the logging of this event: [http://forums.deftechgroup.com/archive/index.php/t-600.html]

logging {
// Do not log zones that aren't registered in this server (lame servers)
category lame-servers { null; };
};

=== unexpected RCODE resolving ===

Error:
Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns3.fs.net/A/IN': 216.165.108.10#53
Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'ns1.fs.net/A/IN': 216.165.108.10#53
Sep 16 04:33:55 ns named[13691]: unexpected RCODE (SERVFAIL) resolving 'www.scs.stanford.edu/A/IN': 216.165.108.10#53

Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.205#53
Sep 16 06:57:43 ns named[13691]: unexpected RCODE (REFUSED) resolving 'gapingvoid.com/A/IN': 87.117.237.66#53

Cause:
* Problems with external Name Servers

Solution:
* Nothing you can do. You can hide "lame-servers" which should hide this error.

References:
*[http://www.kholix.com/wiki/index.php/Unexpected_rcode_%28SERVFAIL%29 Unexpected rcode (SERVFAIL) - KhoLiX Wiki]

== underscore - bad owner name ==

Record:
<pre>
a_b A 10.1.1.1
</pre>

Error:
<pre>
fio.onpar.net.zone:37: a_b.fio.onpar.net: bad owner name (check-names)
zone fio.onpar.net/IN: loading master file fio.onpar.net.zone: bad owner name (check-names)
_default/fio.onpar.net/IN: bad owner name (check-names)
</pre>

Cause:
* Bind doesn't like underscores, but you can get around this by using the full domain name:
<pre>
a_b.fio.onpar.net A 10.1.1.1
</pre>

== Configuration Defaults ==

===Default named.conf===
<nowiki>
//
// Sample named.conf BIND DNS server 'named' configuration file
// for the Red Hat BIND distribution.
//
// See the BIND Administrator's Reference Manual (ARM) for details, in:
// file:///usr/share/doc/bind-*/arm/Bv9ARM.html
// Also see the BIND Configuration GUI : /usr/bin/system-config-bind and
// its manual.
//
options
{
/* make named use port 53 for the source of all queries, to allow
* firewalls to block all ports except 53:
*/
query-source port 53;
query-source-v6 port 53;

// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";

};
logging
{
/* If you want to enable debugging, eg. using the 'rndc trace' command,
* named will try to write the 'named.run' file in the $directory (/var/named).
* By default, SELinux policy does not allow named to modify the /var/named directory,
* so put the default debug log file in data/ :
*/
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
//
// All BIND 9 zones are in a "view", which allow different zones to be served
// to different types of client addresses, and for options to be set for groups
// of zones.
//
// By default, if named.conf contains no "view" clauses, all zones are in the
// "default" view, which matches all clients.
//
// If named.conf contains any "view" clause, then all zones MUST be in a view;
// so it is recommended to start off using views to avoid having to restructure
// your configuration files in the future.
//
view "localhost_resolver"
{
/* This view sets up named to be a localhost resolver ( caching only nameserver ).
* If all you want is a caching-only nameserver, then you need only define this view:
*/
match-clients { localhost; };
match-destinations { localhost; };
recursion yes;
# all views must contain the root hints zone:
include "/etc/named.root.hints";

/* these are zones that contain definitions for all the localhost
* names and addresses, as recommended in RFC1912 - these names should
* ONLY be served to localhost clients:
*/
include "/etc/named.rfc1912.zones";
};
view "internal"
{
/* This view will contain zones you want to serve only to "internal" clients
that connect via your directly attached LAN interfaces - "localnets" .
*/
match-clients { localnets; };
match-destinations { localnets; };
recursion yes;
// all views must contain the root hints zone:
include "/etc/named.root.hints";

// include "named.rfc1912.zones";
// you should not serve your rfc1912 names to non-localhost clients.

// These are your "authoritative" internal zones, and would probably
// also be included in the "localhost_resolver" view above :

zone "my.internal.zone" {
type master;
file "my.internal.zone.db";
};
zone "my.slave.internal.zone" {
type slave;
file "slaves/my.slave.internal.zone.db";
masters { /* put master nameserver IPs here */ 127.0.0.1; } ;
// put slave zones in the slaves/ directory so named can update them
};
zone "my.ddns.internal.zone" {
type master;
allow-update { key ddns_key; };
file "slaves/my.ddns.internal.zone.db";
// put dynamically updateable zones in the slaves/ directory so named can update them
};
};
key ddns_key
{
algorithm hmac-md5;
secret "use /usr/sbin/dns-keygen to generate TSIG keys";
};
view "external"
{
/* This view will contain zones you want to serve only to "external" clients
* that have addresses that are not on your directly attached LAN interface subnets:
*/
match-clients { !localnets; !localhost; };
match-destinations { !localnets; !localhost; };

recursion no;
// you'd probably want to deny recursion to external clients, so you don't
// end up providing free DNS service to all takers

// all views must contain the root hints zone:
include "/etc/named.root.hints";

// These are your "authoritative" external zones, and would probably
// contain entries for just your web and mail servers:

zone "my.external.zone" {
type master;
file "my.external.zone.db";
};
};
</nowiki>

== keywords ==

[[Category:Linux]]

Linux/BIND - Revision history

Kenneth: Created page with "==Summary== Summary: The Berkeley Internet Name Domain (BIND) DNS (Domain Name System) server. Description: BIND (Berkeley Internet Name Domain) is an implementation of the..."