Howto: Setup a DNS server with bind

[huggy77]

in reference to

Code:

# This is the zone definition. replace example.com with your domain name
zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
        };

# This is the zone definition for reverse DNS. replace 0.168.192 with your network address in reverse notation - e.g my network address is 192.168.0
zone "0.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};

the box ip i want visible is: 10.10.10.2, router is 10.10.10.1
would that make my rev. 0.10.10.10????

[randomnote1]

in reference to

Code:

# This is the zone definition. replace example.com with your domain name
zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
        };

# This is the zone definition for reverse DNS. replace 0.168.192 with your network address in reverse notation - e.g my network address is 192.168.0
zone "0.168.192.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};

the box ip i want visible is: 10.10.10.2, router is 10.10.10.1
would that make my rev. 0.10.10.10????

that's correct.....you just need the network address

[jo calamine]

what version of ubuntu has the pre configured bind files? loaded the latest and it does not. Is there a version that has bind already loaded or would I still have to load bind?

[Coogan]

I'm getting this error when trying to start Bind:

Code:

Nov 21 21:59:47 localhost named[10645]: starting BIND 9.3.2 -u bind
Nov 21 21:59:47 localhost named[10645]: found 1 CPU, using 1 worker thread
Nov 21 21:59:47 localhost named[10645]: loading configuration from '/etc/bind/named.conf'
Nov 21 21:59:47 localhost named[10645]: /etc/bind/named.conf:55: unknown option 'forwarders'
Nov 21 21:59:47 localhost named[10645]: loading configuration: failure
Nov 21 21:59:47 localhost named[10645]: exiting (due to fatal error)

Here's the forwarders part in named.conf:

Code:

forwarders {
  205.152.37.23;
  };

Any idea what I'm doing wrong? I'm trying to set up an DNS server that'll act as a local cache (Bellsouth's DNS kinda sucks) and so I set up a few internal websites and servers.

Coog

[mikemaggio]

I've just finished setting this up. When I restart the service I get this error:

rndc: connect failed: connection refused

Any ideas on what I might have done wrong?

[stijn_pol]

Just wanted to let you guys know: don't use '_' in your server names. For some reason I did this and it wasted hours to find out. Stupid... yes indeed

[phormion]

stijn_pol, underscores in host names are illegal according to RFCs (I can't remember if it was the DNS RFCs or another one, it was explained on the bind-users list). This was checked in older versions of BIND (for example 8.x); BIND 9.2 didn't perform host name checking, but the feature was reimplemented in BIND 9.3 and that's what I think bit you.

You can work around that using the 'check-names' option, if you're *really* convinced you need underscores in your hostnames.

For diagnosing problems in your BIND configuration, named-checkconf or named-checkzone are your friends. They are part of the BIND source package, although I don't know in which Ubuntu package they are installed.

[velorider]

To get the dns to updated for dhcp clients I had to add the "allow-update" directive to the zone:

zone "example.com" {
type master;
file "/etc/bind/zones/example.com.db";
allow-update {192.168.1.0/24;};
};

[phormion]

velorider, BIND doesn't accept zone updates by defaults, which makes sense if you think of the implications of allowing people to update your DNS and redirecting your traffic to who knows what host. Also, 'allow-update' is considered insecure in the BIND 9.3 administrator's manual (see here). The best way is to use something like TSIG. Oh, and did you say you allow DHCP clients to update the DNS? That's also not a good idea, how can you trust a client not being hacked, and wreaking havoc on your DNS namespace?

What I'd recommend is to have the DHCP server send the DNS updates, most servers should support that.

Also, If you're running a publicly accessible DNS server, I would suggest your configuration with http://www.dnsreport.com, especially the 'open dns server' item.

[CopaceticOpus]

One more step to get it to work:
You must rename the named.conf.local to named.conf

I want to point out that this isn't correct. The default setup is for named.conf to include named.conf.local. There should be a line at the end of your named.conf which looks like this:

Code:

include "/etc/bind/named.conf.local";

For my setup, I wanted to use BIND to divert all domains ending in ".dev" to a local IP, and to act as a cache for all other requests. This is a nice easy way to set up a local testing environment. Here's how my setup looks:

named.conf.local:

Code:

zone "dev" {
  type master;
  file "/etc/bind/db.dev";
};

zone "1.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/db.192.168.1";
};

db.dev:

Code:

;
; BIND data file for dev sites
;
$TTL    604800
@       IN      SOA     dev. root.dev. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      dev.
@       IN      A       192.168.1.10
*.dev.  14400   IN      A       192.168.1.10

db.192.168.1:

Code:

;
; BIND reverse data file for dev domains
;
$TTL    604800
@       IN      SOA     dev. root.dev. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      dev.
10      IN      PTR     dev.

In this example, 192.168.1.10 is the computer hosting the ".dev" sites. I'm not an expert in this, but my setup seems to be working well. I think it's unfortunate that the syntax of these files is so obscure, compared to Apache's easy-to-read config files.