DNS server Setup using bind in Ubuntu

DNS stands for Domain Name Service. On the Internet, the Domain Name Service (DNS) stores and associates many types of information with domain names; most importantly, it translates domain names (computer hostnames) to IP addresses. It also lists the mail exchange servers accepting e-mail for each domain.

Introduction

BIND (Berkeley Internet Name Domain) is an open reference implementation of the Domain Name System (DNS) protocol and provides a redistributable implementation of the major components of the Domain Name System:

a name server (named)

a resolver library

troubleshooting tools like nslookup and dig

The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.

Firewall Config

Bind listens on port 53 UDP and TCP. TCP is normally only used during zone transfers, so it would appear that you could filter it if you have no slaves. However, if the response to a query is greater than 1024 bytes, the server sends a partial (truncated) response, and client and server will retry the transaction over TCP.

Responses that big do not happen often, but they do happen, and people quite often block 53/tcp without their world coming to an end. This is, however, where one usually inserts the story of the Great DNS Meltdown when more root servers were added: queries for the root list became greater than 1024 bytes and the whole DNS system started to break down because people were violating the DNS spec (RFC 1035) by blocking TCP.

Differences in BIND8 and BIND9

Apart from being multi-threaded and a complete code rewrite (which should provide better stability and security in the long term), there are other differences:

If there is a syntax error in named.conf, BIND9 will log errors and not reload the named server. BIND8 will log errors and the daemon will die!

Extensive support of TSIGs (shared keys) for access control, for example, "update-policy" can be used for fine grained access control of dynamic updates.

The tool for starting, stopping, reloading etc., rndc, is different from the v8 ndc: different communications, authentication and features.

Syntax in zone files is more rigorously checked (e.g. a $TTL line must exist).

In named.conf

The v8 options 'check-names' and 'statistics-interval' are not yet implemented in v9.

The default for the option 'auth-nxdomain' is now 'no'; if you don't set this manually, BIND 9 logs a corresponding message on startup.

The root server list, often called named.root or root.hints in BIND8 is not necessary in BIND 9, as it is included within the server.

Installing Bind in Ubuntu

sudo apt-get install bind9 dnsutils

This will install all the required packages for bind9.

Configuring Bind

If you install Bind from source, you have to edit the file named.conf. Ubuntu, however, ships a pre-configured Bind, so we will edit the named.conf.local file instead:

sudo vi /etc/bind/named.conf.local

This is where we will insert our zones. If you want to know what a zone in DNS is, read on.

A DNS zone is a portion of the global DNS namespace. This namespace is defined by RFC 1034, "Domain Names -- Concepts and Facilities", and RFC 1035, "Domain Names -- Implementation and Specification", and is laid out in a tree structure from right to left, such that divisions of the namespace are performed by prepending a series of characters followed by a period ('.') to the upper namespace.

You need to add the following lines to the named.conf.local file:

# This is the zone definition. Replace example.com with your domain name.

zone "example.com" {
type master;
file "/etc/bind/zones/example.com.db";
};

# This is the zone definition for reverse DNS. Replace 0.168.192 with your network address in reverse notation -- e.g. my network address is 192.168.0.

zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};

Now you need to edit the options file:

sudo vi /etc/bind/named.conf.options

We need to modify the forwarders. These are the DNS servers to which your own DNS server will forward the requests it cannot answer itself.

forwarders {
# Replace the address below with the address of your provider's DNS server
123.123.123.123;
};

Add the zone definition files (replace example.com with your domain name):

sudo mkdir /etc/bind/zones

sudo vi /etc/bind/zones/example.com.db

The zone definition file is where we will put all the addresses / machine names that our DNS server will know. An example zone file follows:

; Replace example.com with your domain name. Do not forget the . after the domain name!
; Also, replace ns1 with the name of your DNS server.
; Comments in zone files start with ';' and BIND 9 requires the $TTL line.
$TTL 86400
example.com. IN SOA ns1.example.com. admin.example.com. (
; Do not modify the following lines!
2007031001 ; serial
28800 ; refresh
3600 ; retry
604800 ; expire
38400 ; negative-cache TTL
)

; Replace the following lines as necessary:
; ns1 = DNS Server name
; mail = mail server name
; example.com = domain name
example.com. IN NS ns1.example.com.
example.com. IN MX 10 mail.example.com.

; Replace the IP addresses with the right IP addresses.
www IN A 192.168.0.2
mail IN A 192.168.0.3
ns1 IN A 192.168.0.1

Create Reverse DNS Zone file

A normal DNS query would be of the form 'what is the IP of host=www in domain=mydomain.com'. There are times, however, when we want to find out the name of the host whose IP address is x.x.x.x. Sometimes this is required for diagnostic purposes; more frequently these days it is used for security purposes, to trace a hacker or spammer. Indeed, many modern mail systems use reverse mapping to provide simple authentication using a dual lookup, IP to name and name to IP.

In order to perform reverse mapping, and to support normal recursive and iterative (non-recursive) queries, the DNS designers defined a special (reserved) domain name called IN-ADDR.ARPA. This domain allows for all supported Internet IPv4 addresses (and now IPv6).

sudo vi /etc/bind/zones/rev.0.168.192.in-addr.arpa

Copy and paste the following sample file:

; Replace example.com with your domain name and ns1 with your DNS server name.
; The number before IN PTR is the host part of the DNS server's address: in my case it's 1, as my IP address is 192.168.0.1.
; Comments in zone files start with ';' and BIND 9 requires the $TTL line.
$TTL 86400
@ IN SOA ns1.example.com. admin.example.com. (
2007031001 ; serial
28800 ; refresh
604800 ; retry
604800 ; expire
86400 ; negative-cache TTL
)

IN NS ns1.example.com.
1 IN PTR ns1.example.com.
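Before restarting, the two zone files are worth checking mechanically. The following Python script is an added example, not part of the tutorial: it parses a zone file in the layout used above, reports the mistakes this page and its comments run into (a missing $TTL, an NS or MX target with no A record, a PTR target without its trailing dot), builds the in-addr.arpa zone name from the network part for any prefix length (192.168.0 or 10.10), and derives the reverse zone's PTR lines from the forward zone's A records. The sample zone text is constructed, with an MX pointing at a name that has no A record.

```python
import re
# Constructed sample in the tutorial's example.com.db layout (not the page's own file); the MX target "mail" deliberately has no A record.
FORWARD_ZONE = """\
$TTL 86400
example.com. IN SOA ns1.example.com. admin.example.com. (
    2007031001 28800 3600 604800 38400 )  ; serial refresh retry expire negative-ttl
example.com. IN NS ns1.example.com.
example.com. IN MX 10 mail.example.com.
www IN A 192.168.0.2
mta IN A 192.168.0.3
ns1 IN A 192.168.0.1
"""
# owner (blank, @ or a name), class IN, type, rdata; $TTL and the SOA timer line do not match
RR = re.compile(r"^(\S*)\s+IN\s+(SOA|NS|MX|A|PTR)\s+(.+)$")

def qualify(name, origin):
    # '@' is the origin; a name without a trailing dot is relative to the origin
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_records(zone_text, origin):
    # Returns (owner, type, rdata) with absolute owners; a blank owner repeats the previous one
    records, last_owner = [], origin
    for raw in zone_text.splitlines():
        m = RR.match(raw.split(";", 1)[0].rstrip())
        if m:
            owner, rtype, rdata = m.groups()
            last_owner = qualify(owner, origin) if owner else last_owner
            records.append((last_owner, rtype, rdata.strip()))
    return records

def check_zone(zone_text, origin):
    # Mistakes BIND 9 rejects or that end in SERVFAIL: no $TTL, NS/MX at an in-zone name with no A record, PTR without trailing dot
    records, problems = parse_records(zone_text, origin), []
    if not any(line.startswith("$TTL") for line in zone_text.splitlines()):
        problems.append("missing $TTL directive")
    have_a = {owner for owner, t, _ in records if t == "A"}
    for _, t, rdata in records:
        raw_target = rdata.split()[-1]
        target = qualify(raw_target, origin)
        if t in ("NS", "MX") and target.endswith("." + origin) and target not in have_a:
            problems.append(f"{t} target {target} has no A record in the zone")
        if t == "PTR" and not raw_target.endswith("."):
            problems.append(f"PTR target {raw_target} lacks a trailing dot; it becomes {target}")
    return problems

def reverse_zone_name(network):
    # The octets you own, reversed: '192.168.0' -> '0.168.192.in-addr.arpa', '10.10' -> '10.10.in-addr.arpa'
    return ".".join(reversed(network.split("."))) + ".in-addr.arpa"

def make_ptr_records(zone_text, origin, network):
    # Derive the reverse zone's PTR lines from the forward zone's A records inside `network`
    prefix, lines = network.split("."), []
    for owner, t, rdata in parse_records(zone_text, origin):
        octets = rdata.split(".")
        if t == "A" and octets[: len(prefix)] == prefix:
            lines.append(f"{'.'.join(reversed(octets[len(prefix):]))} IN PTR {owner}")
    return lines
```

The parser only understands the owner/IN/type/rdata layout shown on this page; run the real named-checkzone from dnsutils as well before restarting.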

Restart the Bind server using the following command:

sudo /etc/init.d/bind9 restart

Testing Your DNS Server

Modify the file resolv.conf with the following settings:

sudo vi /etc/resolv.conf

Enter the following details, then save and exit the file:

# Replace example.com with your domain name, and 192.168.0.1 with the address of your new DNS server.

search example.com
nameserver 192.168.0.1

Test your DNS using the following command:

dig example.com


94 thoughts on "DNS server Setup using bind in Ubuntu"

  1. Everything is fine if I use your IP class in the example, but things go wrong with my net 10.10.x.y where x and y may change. I suspect there is something wrong with the use of in-addr.arpa… any suggestion?

    [Reply]

  2. Everything is fine if I use your IP class in the example, but things go wrong with my net 10.10.x.y where x and y may change. I suspect there is something wrong with the use of in-addr.arpa… any suggestion?

    Just change every 0.168.192.in-addr.arpa to 10.10.in-addr.arpa.
    Also, your reverse zone file should be:

    /etc/bind/zones/rev.10.10.in-addr.arpa

    You simply 'cut' the host part from the network part, e.g. if your network was 10.x.x.x, the network part is '10', so the reverse zone file would be rev.10.in-addr.arpa.

    Regards,
    rjc

    [Reply]

  3. Hello,

    I have this weird problem. If I use my own DNS server in the same subnet where the DNS server is located, it works like a charm. If I go to another subnet then I cannot find any web pages outside my local network (I can locate only pages which I have configured on my DNS server). It seems like forwarders won't work from another subnet.

    Network where the DNS server is located: 192.168.0.0/24
    DNS server's IP address: 192.168.0.3
    Subnet where the DNS server won't work: 192.168.1.0/24

    Is there something I have missed or misunderstood? Or… would it be better to use a caching DNS server?

    Regards,

    Terppa

    [Reply]

  4. Can you reach the other network by pinging it? If not, it is a routing issue that needs to be resolved before the DNS can be fully tested.

    [Reply]

  5. Hello,

    Sorry about my long response time, Namol. Finnish spring sometimes surprises you by giving you a cold.

    Can you reach the other network by pinging it?

    Yes I can. I have even tested it by pinging and tracerouting from both directions. And I do not use a firewall at the moment.

    Regards,

    Terppa

    [Reply]

  6. AAARGH!

    Well… I fixed the problem. The allow-recursion directive was the problem (banging head against wall).

    Old config: allow-recursion { localnets; };

    New config: allow-recursion { localnets; 192.168.0/16; };

    I hope somebody whose English is better than mine could explain what this allow-recursion does, and how you should configure it.

    Regards,

    Terppa

    [Reply]

  7. Here you go.

    allow-recursion Syntax

    allow-recursion { address_match_list };

    allow-recursion Explanation

    allow-recursion defines a match list, e.g. IP address(es), which are allowed to issue recursive queries to the server. If the answer to the query already exists in the cache it will be returned irrespective of this statement. If not specified, all hosts are allowed to make recursive queries.

    [Reply]

  8. Why, when I do "sudo /etc/init.d/bind9 restart",

    do I get in the terminal "* Stopping domain name service… bind rndc: connect failed: 127.0.0.1#953: connection refused
    [fail]
    * Starting domain name service… bind [fail]"

    Thanks

    [Reply]

  9. Why, when I do "sudo /etc/init.d/bind9 restart",

    do I get "* Stopping domain name service… bind rndc: connect failed: 127.0.0.1#953: connection refused [fail]
    * Starting domain name service… bind [fail]"

    Thanks

    [Reply]

  10. @diogo
    You are using a chroot version of BIND with a sample rndc.key file located in the /etc directory instead of the /var/named/chroot/etc/ directory. Copy the file to the correct location and restart named to fix the problem.

    [Reply]

  11. My rndc.key file is located in /etc/bind, and I don't have the /var/named/chroot/etc/ directory. Do I have to create it?

    Thanks

    [Reply]

  12. @diogo

    I had the same problem. It's a "copy/paste" problem. If you watch the file "/var/log/syslog" (tail -f /var/log/syslog) and try to restart bind, you'll see something similar to this:

    May 26 21:20:26 SeprecoServer64 named[4637]: starting BIND 9.3.4 -u bind
    May 26 21:20:26 SeprecoServer64 named[4637]: found 2 CPUs, using 2 worker threads
    May 26 21:20:26 SeprecoServer64 named[4637]: loading configuration from ‘/etc/bind/named.conf’
    May 26 21:20:26 SeprecoServer64 named[4637]: /etc/bind/named.conf.local:25: expected quoted string near ‘“’
    May 26 21:20:26 SeprecoServer64 named[4637]: loading configuration: unexpected token
    May 26 21:20:26 SeprecoServer64 named[4637]: exiting (due to fatal error)

    I resolved this by deleting and manually typing the following lines in /etc/bind/named.conf.local:

    zone "example.com" {
    type master;
    file "/etc/bind/zones/example.com.db";
    };

    zone "0.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
    };

    P.D: Sorry for my English

    [Reply]

  13. Hiya

    I tried to do something similar but with dynamic DNS, so I want the client to use dnsupdate to update the server.
    Basically, it works like this:
    – I have set up a DNS server on a machine,
    – a client gets an IP address from a DHCP server (I have no control over this server),
    – dnsupdate is used on the client to register (forward) in the server – this works.

    The problem I have is the following:
    slow ping to either of the two machines from either of these machines.
    The ping time is OK but the ping interval is very long. This behaviour goes away using ping -n.

    Maybe this is due to reverse mapping, which is not set up because I have no idea how to do it?

    Any thoughts ?

    [Reply]

  14. I wish to set up my domain name to refer to my server all the time, all over the Internet. How do I do this?

    [Reply]

  15. Sorry, I already found it in the gutsy repository. So, who already uses it? What do you think about it?

    [Reply]

  16. Huff… here is my error when I tested it using nslookup:

    server can’t find MyDomainName : SERVFAIL

    Does anybody know what I should do?

    [Reply]

  17. What must I do if I need to configure the DNS server to serve several subnets? Do I need to create a reverse DNS file for each subnet?

    [Reply]

  18. Problem with repeating domain name…

    Hi there, I tried to blindly use the examples as laid out above, just to make sure that the config is right – and when I test, I test with nslookup, specifying my machine with the running bind9 daemon as the server:

    nslookup
    > server localhost
    Default server: localhost
    Address: 127.0.0.1#53
    > example.com
    Server: localhost
    Address: 127.0.0.1#53

    ** server can’t find example.com.example.com: SERVFAIL
    >

    So my question is, why is it looking for example.com.example.com???? I have changed resolv.conf appropriately also:

    search example.com
    nameserver 10.252.115.148

    My example.com.db looks like this:

    example.com. IN SOA ns1.example.com. (
    // Do not modify the following lines!
    2007031001
    28800
    3600
    604800
    38400
    )

    // Replace the following line as necessary:
    // ns1 = DNS Server name
    // mail = mail server name
    // example.com = domain name
    example.com. IN NS ns1.example.com.
    example.com. IN MX 10 mail.example.com.

    www IN A 192.168.0.2
    mta IN A 192.168.0.3
    ns1 IN A 192.168.0.1

    =======================================

    My rev.0.168.192.in-addr.arpa looks like this:

    @ IN SOA ns1.example.com. admin.example.com. (
    2007031001;
    28800;
    604800;
    604800;
    86400
    )

    IN NS example.com.
    1 IN PTR example.com

    ===============

    What gives??

    Thanks for any pointers…

    Cheers, Alex.

    [Reply]

  19. Hello, please, I need some help!
    I have a virtual machine running Linux and I am using only one IP address! I need to know how I should write the reverse zones in the named.conf file?! I have many domains?! How can I write many zones using the same IP address?! Doesn't it conflict?!

    [Reply]

  20. Sorry bas, I didn't understand what this has to do with my question here?! Can you help?!

    [Reply]

  21. @Fasdf- Please don’t refer to the operating system as GNU/Linux. Instead say, BSD/GNU/X11/Apache/MIT/[Insert_critical_tools_here]/Linux.</peeve>

    [Reply]

  22. what is wrong with u !!! freak!!! i have a question!!! is this a forum to answer for questions or what?!! or some drama theaters?!! i had my question!!! who can reply on it?!! i dont care if it is GNU or LINUX OR FEDORA OR NETBSD!!! i have a question about BIND DNS!!!! soooooooooo?!

    [Reply]

  23. @kassab ziad

    If you want to write a reverse zone in named.conf:

    // This is an example reverse map for class C 192.168.0.0
    zone "0.168.192.IN-ADDR.ARPA" in {
    type master;
    file "192.168.0.rev";
    };

    Now in the 192.168.0.rev file you need to specify your IPs and domains.

    Sample file:

    $TTL 86400 ; 24 hours could have been written as 24h or 1d
    $ORIGIN 0.168.192.IN-ADDR.ARPA.
    @ 1D IN SOA ns1.example.com. mymail.example.com. (
    2002022401 ; serial
    3H ; refresh
    15 ; retry
    1w ; expire
    3h ; minimum
    )
    ; server host definitions
    1 IN PTR ns1.example.com.
    2 IN PTR www.example.com.
    ; non server domain hosts
    3 IN PTR bill.example.com.
    4 IN PTR fred.example.com.

    [Reply]

  24. Hello all,

    I wonder if someone with the right expertise could point me to where I made the mistake. I am unable to start/stop bind9 and I tried to follow the solutions posted by Oscar but still failed.

    This is the error I got when I tried to restart bind9 -> /etc/init.d/bind9 restart

    *stopping domain name service … bind
    rndc : error: none:0 open: /etc/bind/rndc.key: permission denied
    rndc: could not load rndc configuration [fail]
    *starting domain name service … bind
    chmod : changing permission of ‘/var/run/bind/run': operation not permitted
    named : chroot(): Operation not permitted [fail]

    This is what I got in /var/log/ with cat daemon.log:
    ….
    ….
    June 27 09:57:29 Server1 named[4208] loading configuration: permission denied
    June 27 09:57:29 Server1 named[4208] exiting (due to fatal error)
    …..

    What have I done wrong? Could someone please advise?

    Thanks a lot.

    Savio

    [Reply]

  25. Savio,

    That's a good question; you have to sudo the command. I ran the command you typed and got the same error, but when I ran "sudo /etc/init.d/bind9 restart" it worked fine.

    /etc/bind$ sudo /etc/init.d/bind9 restart
    Password:
    * Stopping domain name service… bind [ OK ]
    * Starting domain name service… bind [ OK ]

    Hope that works for you.

    [Reply]
