Bind+DLZ+MySQL Hardy

**cycloptivity** · March 2nd, 2009

Since our SVN server isn't really know for its stability; Sorry for the bad formatting

Compile and run Bind9 (9.4.2) on Hardy Heron Server 8.04.1

For some time I have been looking for howto's on this topic however have come up empty; A Post (I also borrowed some of drmoocows examples in this text) on the ubuntu forums lead me to getting started on my attempts again. So after a few hours here is the howto for a working DNS server.

Get the sources

apt-get install dpkg-dev
mkdir -p /usr/local/src/bind9
cd /usr/local/src/bind9
apt-get source bind9
mkdir -p /usr/local/src/mysql
cd /usr/local/src/mysql
apt-get source mysql-server

Get the build essentials

apt-get update
apt-get install mysql-common libncurses5-dev libwrap0-dev libreadline5-dev chrpath automake1.9 doxygen texlive-latex-base gs dpatch gawk fakeroot bison libtool libssl-dev build-essential debhelper gcc

You may also want to install something to administer the MySQL server which is my preferred method which you can do by adding phpmyadmin to the apt-get install list.
Build MySQL & Install

dpkg-buildpackage -rfakeroot -b
cd ..
dpkg -i *.deb

Build Bind9 & Install

cd /usr/local/src/bind9/bind9-9.4.2/
vim debian/rules

Look for the section starting with "configure-stamp:". You'll be adding a flag to the commandline - I added a backslash to the last option, and added --with-dlz-mysql on the next line, also consider --disable-threads \ as they dont work any on a Linux system according to the doco at http://bind-dlz.sourceforge.net/mysql_driver.html

dpkg-buildpackage -rfakeroot -b
cd ..
dpkg -i *.deb

Now you should have both MySQL and Bind compiled and installed and even running with any luck its time to configure Bind

Configuration /etc/bind/named.conf.local

dlz "Mysql zone" {
database "mysql
{host=127.0.0.1 dbname=changeme port=3306 user=changeme pass=changeme}
{select zone from dns_records where zone = '%zone%'}
{select ttl, type, mx_priority, case when lower(type)='txt' then concat('\"', data, '\"')
else data end from dns_records where zone = '%zone%' and host = '%record%'
and not (type = 'SOA' or type = 'NS')}
{select ttl, type, mx_priority, data, resp_person, serial, refresh, retry, expire, minimum
from dns_records where zone = '%zone%' and (type = 'SOA' or type='NS')}
{select ttl, type, host, mx_priority, data, resp_person, serial, refresh, retry, expire,
minimum from dns_records where zone = '%zone%' and not (type = 'SOA' or type = 'NS')}
{select zone from xfr_table where zone = '%zone%' and client = '%client%'}
{update data_count set count = count + 1 where zone ='%zone%'}";
};

You may also want to add forwarders in BIND if you plan to use the server for Internet address lookups.

SQL Here is some test DNS data for you to use

-- phpMyAdmin SQL Dump
-- version 2.11.3deb1ubuntu1.1
-- http://www.phpmyadmin.net
--
-- Host: localhost
-- Generation Time: Sep 24, 2008 at 07:19 PM
-- Server version: 5.0.51
-- PHP Version: 5.2.4-2ubuntu5.3

SET SQL_MODE="NO_AUTO_VALUE_ON_ZERO";

--
-- Database: `bind`
--
CREATE DATABASE `bind` DEFAULT CHARACTER SET latin1 COLLATE latin1_swedish_ci;
USE `bind`;

-- --------------------------------------------------------

--
-- Table structure for table `dns_records`
--

CREATE TABLE IF NOT EXISTS `dns_records` (
`id` int(11) NOT NULL auto_increment,
`zone` varchar(64) default NULL,
`host` varchar(64) default NULL,
`type` varchar(8) default NULL,
`data` varchar(64) default NULL,
`ttl` int(11) NOT NULL default '3600',
`mx_priority` int(11) default NULL,
`refresh` int(11) NOT NULL default '3600',
`retry` int(11) NOT NULL default '3600',
`expire` int(11) NOT NULL default '86400',
`minimum` int(11) NOT NULL default '3600',
`serial` bigint(20) NOT NULL default '2008082700',
`resp_person` varchar(64) NOT NULL default 'resp.person.email',
`primary_ns` varchar(64) NOT NULL default 'ns1.yourdns.here',
`data_count` int(11) NOT NULL default '0',
PRIMARY KEY (`id`),
KEY `host` (`host`),
KEY `zone` (`zone`),
KEY `type` (`type`)
) ENGINE=MyISAM DEFAULT CHARSET=latin1 AUTO_INCREMENT=9 ;

--
-- Dumping data for table `dns_records`
--

INSERT INTO `dns_records` (`id`, `zone`, `host`, `type`, `data`, `ttl`, `mx_priority`, `refresh`, `retry`, `expire`, `minimum`, `serial`, `resp_person`, `primary_ns`, `data_count`) VALUES
(7, 'domain.com', 'www2', 'CNAME', 'www.domain.com.', 3600, NULL, 3600, 3600, 86400, 3600, 2008082700, 'resp.person.email', 'ns1.yourdns.here', 0),
(6, 'domain.com', '@', 'A', '1.2.3.4', 3600, NULL, 3600, 3600, 86400, 3600, 2008082700, 'resp.person.email', 'ns1.yourdns.here', 0),
(5, 'domain.com', 'www', 'A', '1.2.3.4', 3600, NULL, 3600, 3600, 86400, 3600, 2008082700, 'resp.person.email', 'ns1.yourdns.here', 0),
(8, 'domain.com', '@', 'MX', 'domain.com.', 3600, 0, 3600, 3600, 86400, 3600, 2008082700, 'resp.person.email', 'ns1.yourdns.here', 0);

Testing You should now be able to use your DNS server if you dont get something like below go back over the steps and feel free to contact Kahn in IRC at irc://dm1.irc.the-mesh.org:6667 #themesh

root@ns1:/usr/local/src/bind9# dig www.domain.com @127.0.0.1

; <<>> DiG 9.4.2-P1 <<>> www.domain.com @127.0.0.1
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3212
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.domain.com. IN A

;; ANSWER SECTION:
www.domain.com. 3600 IN A 1.2.3.4

;; Query time: 13 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Sep 24 19:52:11 2008
;; MSG SIZE rcvd: 48

root@ns1:/usr/local/src/bind9#

**stevenjgarner** · May 22nd, 2009

Many thanks for this. Just successfully deployed BIND+DLZ+MySQL using this on a Xen virtual machine running on LTS Hardy Heron. At first my installation was failing all DNS tests (dig, etc). Turning on the debug severity of logging for BIND (http://www.ludd.luth.se/~kavli/BIND8/logging.html), the surprise was that the installation was working fine, but the zone data with which the SQL table was being populated was all wrong. Fortunately the "Bind with DLZ, MySQL and replication" tutorial at http://en.gentoo-wiki.com/wiki/Setup...ication#Sample, includes data for a sample zone file. After tweaking their suggestions a bit (e.g. you do not want NULL for data in the SOA record), we now have a database-driven BIND as our name server.

Here is the required format of the data for a typical zone:

INSERT INTO `dns_records` (`id`, `zone`, `host`, `type`, `data`, `ttl`, `mx_priority`, `refresh`, `retry`, `expire`, `minimum`, `serial`, `resp_person`, `primary_ns`, `data_count`) VALUES
('', 'domain.com', '@', 'SOA', 'ns1.yourdns.here.', 3600, NULL, 3600, 3600, 86400, 3600, 2008082700, 'resp.person.email.', 'ns1.yourdns.here.', 0),
('', 'domain.com', '@', 'NS', 'ns1.yourdns.here.', 3600, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0),
('', 'domain.com', '@', 'NS', 'ns2.yourdns.here.', 3600, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0),
('', 'domain.com', '@', 'A', '1.2.3.4', 3600, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0),
('', 'domain.com', 'www', 'CNAME', 'domain.com.', 3600, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0),
('', 'domain.com', '@', 'MX', 'mail.domain.com.', 3600, 10, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0),
('', 'domain.com', 'mail', 'A', '1.2.3.5', 3600, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, 0);

... note the many instances of NULL; note the FQDN's (fully-qualified-domain-name's, with a period at the end). I was interested to read in http://bind-dlz.sourceforge.net/mysql_driver.html that the MySQL DLZ driver is single threaded, which could be a performance issue with some name servers. You might want to look at the Postgres driver which is threaded.

About secondary name servers. The standard recommendation is to use MySQL replication so the same database information is driving BIND DLZ on both the primary and secondary name server. We want to have all our database information clustered using DRBD on more than one server, so we're looking into an SSH tunnel from BIND DLZ through to the MySQL DRBD cluster.

My next step to optimize this a bit (before I load up on squillions of zone records) is to normalize the SQL table into 3 tables - one for the domain, one for the SOA information, and one for the zone records. Should make things a lot cleaner when I attempt to create a web-interface. Should be okay, as we can edit the DLZ configuration in named.conf.local with the necessary SQL joins.

Many thanks also to Raphael Burnes, who pointed much of this out to me. You won't stay anonymous forever!

**Disty** · April 22nd, 2010

Sorry to drag this thread back up- and this time it's on Karmic too, but I'm getting very poor stability of BIND with mysql/dlz.

Here are some error messages from /var/log/syslog:

Code:

Apr 22 21:12:17 dnsdebug named[6613]: mysql driver unable to return result set for lookup query
Apr 22 21:12:17 dnsdebug kernel: [285552.573949] type=1503 audit(1271963537.759:53): operation="open" pid=6618 parent=1 profile="/usr/sbin/named" requested_mask="::rw" denied_mask="::rw" fsuid=107 ouid=0 name="/dev/tty"
Apr 22 21:12:17 dnsdebug named[6613]: mysql driver unable to return result set for lookup query
Apr 22 21:13:17 dnsdebug named[6613]: last message repeated 7 times

Any ideas what could be causing this or how I could fix it? I constantly have to restart BIND!

**chaseleightone** · August 11th, 2011

I got stuck installing on Ubuntu 10.04.3 LTS (Lucid Lynx) at the step:

Build MySQL & Install step, here's what I did:

cd mysql-dfsg-5.1-5.1.41
./configure --prefix=/usr/local/mysql

... and towards the end of the config I ran into a snag with:

config.status: error: cannot find input file: Docs/Makefile.in

not really adept at fixing compiling errors, I am reaching out for any advice on how to proceed with this. I'm also writing this up as a blog post on:

http://fanaticaltenacity.blogspot.co...-dns-name.html

**capsula4** · September 17th, 2011

Very nice tutorial, this really helped me a lot!!

The only thing I cannot get to work are the dns records with "@" as host

In the examples given on this post, "www MX" and "www2 CNAME" worked great for me, but none of the "host=@" records worked.

Any idea?

Thanks!

**wazza75** · November 25th, 2012

Thanks for the article. I just have one query, since you are not specially configuring mysql in any way, is it really necessary to build mysql from source? Can you just install mysql from the repositories and install bind9 from source?

Warwick

**Andruk Tatum** · January 7th, 2013

I had to add this to debian/rules to get it to successfully compile with any DLZ option:

the line was:

Code:

export CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE $(DEBUG) $(OPT)

is now:

Code:

export CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE $(DEBUG) $(OPT) -DDLZ

This fixes linking issues with the contrib/dlz/drivers/sdlz_helper.c file.

The named daemon was also failing to start, so I checked syslog to see what was going on. I had to run the following commands to get the named daemon to successfully start (make sure there is a "bind" user in /etc/passwd):

Code:

sudo touch /var/log/query.log
sudo chown bind /var/log/query.log
sudo chgrp bind /var/log/query.log

**Andruk Tatum** · January 12th, 2013

You can create a read-only Postgres user (I called mine "bind9_dlz_readonly") by executing the following SQL:

Code:

--
-- Create the bind9_dlz_readonly user, 
-- without privileges to create databases, 
-- without privileges to create users, 
-- and with an encrypted password.
--
CREATE USER bind9_dlz_readonly NOCREATEDB NOCREATEUSER WITH ENCRYPTED PASSWORD '<password>';

--
-- Revoke all permissions on the bind9_dlz database (that's 
-- what I called mine) from the user we just created.
--
-- Note that you have to do this on every database you don't 
-- want the bind9_dlz_readonly user to be able to connect to.
--
REVOKE ALL ON DATABASE bind9_dlz FROM bind9_dlz_readonly;

--
-- Grant connection privileges to the bind9_dlz_readonly user.
--
GRANT CONNECT TO DATABASE bind9_dlz TO bind9_dlz_readonly;

--
-- Grant selection (read) privileges to the bind9_dlz_readonly 
-- user on the bind9_dlz and dns_xfr tables.
--
GRANT SELECT ON dns_record, dns_xfr TO bind9_dlz_readonly;

If you are using psql, you can check the privileges on all databases by using the
\list
command.

It returns a table that looks like

Code:

   Name    |  Owner   | Encoding |   Collate   |    Ctype    |       Access privileges       
-----------+----------+----------+-------------+-------------+-------------------------------
 bind9_dlz | postgres | UTF8     | en_US.UTF-8 | en_US.UTF-8 | =Tc/postgres                 +
           |          |          |             |             | postgres=CTc/postgres        +
           |          |          |             |             | bind9_dlz_readonly=c/postgres
           .          .          .             .             .                               
           .          .          .             .             .                               
           .          .          .             .             .

Where the access privileges is of the format
<(username>=<permissions/<user who granted permissions>

And access privileges are indicated by:

r -- SELECT
w -- UPDATE
a -- INSERT
d -- DELETE
D -- TRUNCATE
x -- REFERENCES
t -- TRIGGER
X -- EXECUTE
U -- USAGE
C -- CREATE
c -- CONNECT
T -- TEMPORARY
arwdDxt -- all table privileges (differs for other types of objects)

So the lines in the table above would be read as:

Any user (PUBLIC) has been granted TEMPORARY (T) and CONNECT (c) privileges by the postgres user.
The postgres user has been granted CREATE DATABASE (C), TEMPORARY (T), and CONNECT (c) privileges by the postgres user.
The bind9_dlz_readonly user has been granted CONNECT (c) privileges by the postgres user.

The postgres user granting privileges to itself makes sense because it is the owner of the database.

To list the table access privileges, you can use the
\dp
command.

It returns a table that looks like

Code:

                                        Access privileges
 Schema |       Name        |   Type   |       Access privileges       | Column access privileges 
--------+-------------------+----------+-------------------------------+--------------------------
 public | dns_record        | table    | postgres=arwdDxt/postgres    +| 
        |                   |          | bind9_dlz_readonly=r/postgres | 
 public | dns_record_id_seq | sequence |                               | 
 public | dns_xfr           | table    | postgres=arwdDxt/postgres    +| 
        |                   |          | bind9_dlz_readonly=r/postgres |

So the lines in the above table would be read as:

The postgres user has been granted all table privileges (INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCE, and TRIGGER) by the postgres user on the dns_record table.
The bind9_dlz_readonly user has been granted SELECT privileges by the postgres user on the dns_record table.
The postgres user has been granted all table privileges (INSERT, SELECT, UPDATE, DELETE, TRUNCATE, REFERENCE, and TRIGGER) by the postgres user on the dns_xfr table.
The bind9_dlz_readonly user has been granted SELECT privileges by the postgres user on the dns_xfr table.

References:
http://stackoverflow.com/questions/5...ct-permissions