DNS server Setup using bind in Ubuntu
Introduction
BIND (Berkeley Internet Name Domain) is an open reference implementation of the Domain Name System (DNS) protocol and provides a redistributable implementation of the major components of the Domain Name System.
a name server (named)
a resolver library
troubleshooting tools like nslookup and dig
The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.
Firewall Config
Bind listens on port 53 UDP and TCP. TCP is normally only used during zone transfers, so it would appear that you could filter it if you have no slaves. However, if the response to a query is greater than 1024 bytes, the server sends a partial (truncated) response, and client and server will retry the transaction over TCP.
Responses that big do not happen often, but they do happen, and people quite often block 53/tcp without their world coming to an end. But this is where one usually inserts the story about the Great DNS Meltdown when more root servers were added: queries for the root list became greater than 1024 bytes and the whole DNS system started to break down because people were violating the DNS spec (RFC 1035) by blocking TCP.
Differences in BIND8 and BIND9
Apart from being multi-threaded and a complete code rewrite, which should provide better stability and security in the long term, there are other differences:
If there is a syntax error in named.conf, BIND9 will log errors and not reload the named server. BIND8 will log errors and the daemon will die!
Extensive support of TSIGs (shared keys) for access control, for example, "update-policy" can be used for fine grained access control of dynamic updates.
The tool for starting, stopping, reloading and so on, rndc, is different from the v8 ndc: different communications, authentication and features.
Syntax in zone files is more rigorously checked (e.g. a TTL line must exist)
In named.conf
The v8 options 'check-names' and 'statistics-interval' are not yet implemented in v9.
The default for the option 'auth-nxdomain' is now 'no'; if you don't set this manually, BIND 9 logs a corresponding message on startup.
The root server list, often called named.root or root.hints in BIND8, is not necessary in BIND 9, as it is included within the server.
Installing Bind in Ubuntu
sudo apt-get install bind9 dnsutils
This will install all the required packages for bind9.
Configuring Bind
If you install Bind from the source code, you will have to edit the file named.conf. However, Ubuntu provides you with a pre-configured Bind, so we will edit the named.conf.local file:
sudo vi /etc/bind/named.conf.local
This is where we will insert our zones. If you want to know what a zone in DNS is, read on.
A DNS zone is a portion of the global DNS namespace. This namespace is defined by RFC 1034, "Domain Names -- Concepts and Facilities", and RFC 1035, "Domain Names -- Implementation and Specification", and is laid out in a tree structure from right to left, such that divisions of the namespace are performed by prepending a series of characters followed by a period ('.') to the upper namespace.
You need to add the following lines in named.conf.local file
# This is the zone definition. replace example.com with your domain name
zone "example.com" {
type master;
file "/etc/bind/zones/example.com.db";
};
# This is the zone definition for reverse DNS. Replace 0.168.192 with your network address in reverse notation -- e.g. my network address is 192.168.0
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};
Now you need to edit the options file
sudo vi /etc/bind/named.conf.options
We need to modify the forwarders. These are the DNS servers to which your own DNS server will forward the requests it cannot answer itself.
forwarders {
# Replace the address below with the address of your provider's DNS server
123.123.123.123;
};
Add the zone definition files (replace example.com with your domain name):
sudo mkdir /etc/bind/zones
sudo vi /etc/bind/zones/example.com.db
The zone definition file is where we will put all the addresses and machine names that our DNS server will know. An example zone file follows. Note that comments in zone files start with ';' (not '//' as in named.conf), and that BIND 9 requires a $TTL line, as mentioned in the differences above.
; Replace example.com with your domain name. Do not forget the trailing dot after the domain name!
; Also, replace ns1 with the name of your DNS server.
$TTL 604800
example.com. IN SOA ns1.example.com. admin.example.com. (
    2007031001 ; serial (increase it after every change to this file)
    28800      ; refresh
    3600       ; retry
    604800     ; expire
    38400 )    ; negative-cache TTL
; Replace the following lines as necessary:
; ns1 = DNS server name
; mail = mail server name
; example.com = domain name
example.com. IN NS ns1.example.com.
example.com. IN MX 10 mail.example.com.
; Replace the IP addresses with the right ones. A name without a trailing dot
; has the zone name appended, so "www" below means www.example.com.
; The MX record above points at mail.example.com, so that name needs an A record.
www  IN A 192.168.0.2
mail IN A 192.168.0.3
ns1  IN A 192.168.0.1
Create Reverse DNS Zone file
A normal DNS query would be of the form 'what is the IP of host=www in domain=mydomain.com'. There are times, however, when we want to find out the name of the host whose IP address is x.x.x.x. Sometimes this is required for diagnostic purposes; more frequently these days it is used for security purposes, to trace a hacker or spammer. Indeed, many modern mailing systems use reverse mapping to provide simple authentication using a dual look-up, IP to name and name to IP.
In order to perform reverse mapping and to support normal recursive and iterative (non-recursive) queries, the DNS designers defined a special (reserved) domain name called IN-ADDR.ARPA. This domain allows for all supported Internet IPv4 addresses (and now IPv6).
sudo vi /etc/bind/zones/rev.0.168.192.in-addr.arpa
Copy and paste the following sample file:
; Replace example.com with your domain name and ns1 with your DNS server name.
; The number before IN PTR is the last octet of the host's address; in my case
; the DNS server is 1, as my IP address is 192.168.0.1.
$TTL 604800
@ IN SOA ns1.example.com. admin.example.com. (
    2007031001 ; serial (increase it after every change to this file)
    28800      ; refresh
    604800     ; retry
    604800     ; expire
    86400 )    ; negative-cache TTL
@ IN NS ns1.example.com.
; PTR targets must end with a dot, otherwise the zone name is appended to them.
; These match the A records of the forward zone, so IP-to-name-to-IP agrees.
1 IN PTR ns1.example.com.
2 IN PTR www.example.com.
3 IN PTR mail.example.com.
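Before restarting, it is worth catching the mistakes that make BIND reject a zone or answer wrongly. The following Python script is an added example, not part of the original tutorial: it checks a zone file for a missing $TTL line, '//' comments, NS/MX/PTR targets without a trailing dot and an MX target with no A record, and runs over a constructed copy of this tutorial's forward zone as originally posted (SOA timers condensed to one line).

```python
"""Sanity checks for this tutorial's zone files: a missing $TTL line, '//'
used as a comment (zone files use ';'), NS/MX/PTR targets without a trailing
dot, and an MX target that has no A record in the zone."""
TYPES = {"NS", "MX", "PTR", "A", "CNAME"}

# Constructed sample: the tutorial's forward zone as posted, SOA timers condensed.
FORWARD_ZONE_AS_POSTED = """\
// replace example.com with your domain name
example.com. IN SOA ns1.example.com. admin.example.com. (
2007031001 28800 3600 604800 38400 )
example.com. IN NS ns1.example.com.
example.com. IN MX 10 mail.example.com.
www IN A 192.168.0.2
mta IN A 192.168.0.3
ns1 IN A 192.168.0.1
"""

def fqdn(owner, origin):
    """Resolve an owner name against the zone origin (origin ends in '.')."""
    if owner in (None, "@"):
        return origin
    return owner if owner.endswith(".") else f"{owner}.{origin}"

def parse_rr(line):
    """Return (owner, type, rdata tokens); owner is None when it is omitted."""
    toks = line.split()
    owner = toks.pop(0) if toks and toks[0] != "IN" and toks[0] not in TYPES else None
    while toks and toks[0] not in TYPES:      # skip the class and an optional TTL
        toks.pop(0)
    return (owner, toks[0], toks[1:]) if toks else (owner, None, [])

def check_zone(text, origin):
    """Return a list of problem descriptions; an empty list means clean."""
    problems, a_names, mx_targets = [], set(), []
    if "$TTL" not in text:
        problems.append("no $TTL directive")
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("//"):
            problems.append(f"line {n}: '//' is not a zone-file comment, use ';'")
            continue
        # ';' starts a comment; the SOA line, its bare timer lines and $TTL carry
        # none of the record types checked here, so parse_rr yields rtype None
        owner, rtype, rdata = parse_rr(raw.split(";", 1)[0])
        if rtype == "A":
            a_names.add(fqdn(owner, origin))
        elif rtype in ("NS", "MX", "PTR"):
            target = rdata[-1]
            if not target.endswith("."):
                problems.append(f"line {n}: {rtype} target {target!r} needs a trailing dot")
            elif rtype == "MX":
                mx_targets.append((n, target))
    for n, target in mx_targets:
        if target not in a_names:
            problems.append(f"line {n}: MX target {target!r} has no A record in the zone")
    return problems
```

On the server itself, named-checkconf and named-checkzone (both shipped with BIND, e.g. named-checkzone example.com /etc/bind/zones/example.com.db) give the authoritative verdict before you restart.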
Restart Bind server using the following command
sudo /etc/init.d/bind9 restart
Testing Your DNS Server
Modify the file resolv.conf with the following settings
sudo vi /etc/resolv.conf
Enter the following details, then save and exit the file. Comments in resolv.conf start with '#'.
# replace example.com with your domain name, and 192.168.0.1 with the address of your new DNS server.
search example.com
nameserver 192.168.0.1
Test your DNS using the following command:
dig example.com
I am unsure about what this means:
// Replace the IP address with the right IP addresses.
www IN A 192.168.0.2
mta IN A 192.168.0.3
ns1 IN A 192.168.0.1
192.168.0.2 is the address that I have given to my DNS server, if that matters?
Bind starts OK when the server boots – but how do I create a DNS alias or DNS records for my LAN?
Hi, I tried your post.
When I run dig prabin-dahal.com.np it responds with the following:
; <<>> DiG 9.4.2-P2 <<>> prabin-dahal.com.np
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42577
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;prabin-dahal.com.np. IN A
;; Query time: 0 msec
;; SERVER: 192.168.0.108#53(192.168.0.108)
;; WHEN: Mon Dec 29 15:38:47 2008
;; MSG SIZE rcvd: 37
but I am not able to ping prabin-dahal.com.np. What is the problem?
Prabin,
I have the same problem. I think that, although it says it has got an answer, all the lines start with a ; – so there is no data in the answer it got.
Wish I knew what was going wrong!
I’m new to Ubuntu. I want to configure this Windows configuration in Ubuntu. If I configure it like this, only then can I use Ubuntu in the whole network. Is it possible? Please help me configure it.
IP Address: 10.1.171.148
Subnet Mask : 255.255.255.0
Gateway : 10.1.171.1
Primary DNS : 10.1.1.36
Alternate DNS : 10.1.1.37
DNS Suffix for this connection : bheltry.co.in
Hi there,
Guys, I’m new to Linux and I need some help to configure bind9.
My server is behind a router.
Router ip 86.106.193.xxx
DNS ip 86.106.196.xxx
Server ip 192.168.1.100
Ports 20,21,53,80 forwarded to Server
Can you please mention what changes I should make to the sample configuration you posted at the top?
Thank you
I have no problem when I start bind9 manually, but when I reboot the notebook it just says [fail]. Where can I find the problem?
I’ve looked at dmesg, syslog, daemon.log, debug; there is no answer…
Hi all, I want anyone to help me please.
* Stopping domain name service… bind rndc: connect failed: 127.0.0.1#953: connection refused
[fail]
* Starting domain name service… bind [fail]
Also this message appears when I restart my bind server, and I have copied the rndc file into /var/named/chroot/etc. What should I do and what IP address should I assign to my PC??
okay, so I actually did a ddns setup with a completely different walkthrough. I think I somewhat understand it now, but for some reason, Ubuntu Server wants to be a bit flaky.
In any case, started, the rndc.key file was owned by bind and couldn’t be opened by the DHCP daemon. Created a copy of the .key file in /etc/dhcp3 and chowned it to root. restarted bind, restarted dhcp3. No complaints, except the name server could only resolve itself and not the client I connected via DHCP. That might be because I configured the client box with a fixed IP because I’m sharing a network and don’t have a personal gateway server and don’t want the IT guys to threaten me with expulsion. If you know if a ddns configuration works with fixed-address hosts in dhcpd.conf, that would be a wonderful thing to know. Also, if you want to know the reason I’d do DDNS rather than static DNS is because I’m trying to manage 30+ machines, which isn’t really nice. The most work I want is maintaining a list of machine addresses and automating everything else.
Then I ran a command, the box froze, I restarted it.
After restarting the box, the zones folder as well as the key files could not be accessed by dhcpd, bind, or sudo just about anything, regardless of permissions, and even if I change permissions to the admin account and restart the box.
DHCP: I don’t want to configure and keep track of IP addresses for 30+ boxes.
DDNS: I don’t want to configure /etc/hosts for 30+ boxes.
Then onto centralizing user authentication, and when we finally get a half-decent server, home folders.
Hi, I have followed this tutorial step by step, but when I try to restart bind9 I get this error:
rndc: connect failed: 127.0.0.1#953: connection refused
and bind9 doesn’t start, it just says [fail]
Why is this error?
What to check if it does not work? I followed each step. Can you help me?
I changed the /etc/resolv.conf with my DNS server and dig example.com does not resolve, but if I put DNS forwarders it works great!
What do you think?
Hi, I’m using Ubuntu Server 9.04 and bind9. My server is resolving the upper router, so if I ping its domain I can’t get a reply..
If it does not work look in /var/log/syslog for errors.
Hi Friends..
I have installed Ubuntu LAMP server 8.10 for a DNS server..
I have a problem at..
@@@@@@@@@@@@@@@@@@@@@@@@@@
zone "example.com" {
type master;
file "/etc/bind/zones/example.com.db";
};
@@@@@@@@@@@@@@@@@@@@@@@@@@
What should be replaced at the place of example.com….
I know my server’s..
host name- hhhhhh
domain- local (only local, no use of .com, .org, .net etc)
$TTL 604800
@ IN SOA ns2.junkie.home. root.junkie.home. (
    1      ; serial
    28800  ; refresh
    3600   ; retry
    604800 ; expire
    38400  ; negative-cache TTL
)
; owner names must be given (or the line indented); these records belong to @
@ NS ns2.junkie.home.
@ A 10.0.0.2
www CNAME @
katya A 10.0.0.3
Hi, I would like to know how to configure forwarders as below:
All Domains –> forwarder 1 & forwarder 2
Domain 1 –> forwarder 3
Domain 2 –> forwarder 4
Thank you.
Unfortunately forwarders are part of the nameserver itself and not domain specific.
You’d have to set up a second nameserver with the other domain in it to designate a different forwarder.
There’s no reason for that, since a forwarder answers dns queries for what is not within that name server. If your goal is to have some machines get a dns return of NXDOMAIN for some dns queries, then multiple dns servers will be necessary.
Hi All,
I had several errors also with the above tutorial, but I think it’s mainly down to cut and paste. In the zone definitions part, when you cut and paste it into nano (or vi presumably) it loses its quote marks "" and causes errors when restarting bind. Hope this helps.
Rich
Rename named.conf.local to named.conf.
In this text, there are some citations from the book “Pro DNS and BIND” from Apress. It is published under Creative Common License, so it is OK, as long as the work is attributed to its author…
Check for example the section about reverse mapping…
http://www.zytrax.com/books/dns/ch3/
Hi there,
Is it possible to add a second zone so I can host example.com and example2.com that resolve to two different IP addresses in the one subnet? With MX records in each could I run two mail servers?
Thanks
Dave,
It’s very common, and entirely possible.
All that needs to be done is edit named.conf (as done in this tutorial as named.conf.local) and add in another zone "example.com" { section pointing to another file for your second domain. Then, create the example.com.db (named for your domain) for your new domain as done in this tutorial. Pretty much, it’s just a rerun of this tutorial.
The MX record within your “example.com.db” is for that domain alone, so set it as you wish.
Thanks Dan I’ll be attacking this today!
Cheers for your reply.
Dave
just to say thanks… this worked for me ^.^
I followed your note. Thank you, it was great, but I cannot understand why my server does not work properly.
This is when I test my domain:
; <<>> DiG 9.6.1-P2 <<>> brightfuture.com.et
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30061
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;brightfuture.com.et. IN A
;; Query time: 0 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Mar 11 21:56:48 2010
;; MSG SIZE rcvd: 37
Please help me. Thank you guys.
I’m going crazy. I’m very new at this. I followed these steps to the letter. But my bind9 fails to start. When I go /etc/init.d/bind9 start it says failed in the right corner of the screen. When I go /etc/init.d/bind9 status it says it couldn’t locate the PID file. Again I’m very familiar with networking, but linux is very new to me. I was for years Windows only guy, but I want to broaden my horizons.
Thank you for your answers and your patience.
Metatron,
If it can’t locate a PID file, that means it isn’t running. A PID file holds the process id of the application, and is created when the application is started by the initialization script (/etc/init.d/bind9).
“/etc/init.d/bind9 start” should fix your problem, or at least steer you into different problems 🙂
Hello,
I have installed the DNS server and started it. When I use the command "dig http://www.example.com" from a user machine it gives the following output.
————————————-
; <<>> Dig 9.5.1-P2 <<>> example.com
;; global options: printcmd
;; connection timed out; no servers could be reached
—————————————-
Where can I possibly go wrong while doing this?
Thanks
I have to add the following code to the /etc/bind/named.conf.options file.
options {
dump-file "/var/cache/bind/dump.db";
};
I am not able to see the dump.db file at the specified location. Will the file be generated by the server, or do we have to add an empty file there?
I have recently configured the DNS service on my server; whenever I try to start the service (/etc/init.d/bind start) it gives an error.
# /etc/init.d/bind9 start
* Starting domain name service… bind9
…fail!
#/etc/init.d/bind9 restart
* Stopping domain name service… bind9
rndc: connect failed: 127.0.0.1#953: connection refused
…done.
* Starting domain name service… bind9
…fail!
Syslog error,
May 4 12:47:49 sfdlabs named[23866]: starting BIND 9.6.1-P2 -u bind -t /var/lib/named
May 4 12:47:49 sfdlabs named[23866]: built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-dlz-postgres=no' '--with-dlz-mysql=no' '--with-dlz-bdb=yes' '--with-dlz-filesystem=yes' '--with-dlz-ldap=yes' '--with-dlz-stub=yes' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions' 'CPPFLAGS=' 'CXXFLAGS=-g -O2' 'FFLAGS=-g -O2'
May 4 12:47:49 sfdlabs named[23866]: adjusted limit on open files from 1024 to 1048576
May 4 12:47:49 sfdlabs named[23866]: found 4 CPUs, using 4 worker threads
May 4 12:47:49 sfdlabs named[23866]: using up to 4096 sockets
May 4 12:47:49 sfdlabs named[23866]: loading configuration from ‘/etc/bind/named.conf’
May 4 12:47:49 sfdlabs named[23866]: none:0: open: /etc/bind/named.conf: permission denied
May 4 12:47:49 sfdlabs named[23866]: loading configuration: permission denied
May 4 12:47:49 sfdlabs named[23866]: exiting (due to fatal error)
May 4 12:47:49 sfdlabs kernel: [1542760.915286] type=1503 audit(1272957469.765:38): operation="open" pid=23869 parent=23865 profile="/usr/sbin/named" requested_mask="r::" denied_mask="r::" fsuid=107 ouid=107 name="/var/lib/named/etc/bind/named.conf"
Looking forward to your support