DNS server Setup using bind in Ubuntu

DNS stands for Domain Name Service. On the Internet, the Domain Name Service (DNS) stores and associates many types of information with domain names; most importantly, it translates domain names (computer hostnames) to IP addresses. It also lists the mail exchange servers that accept e-mail for each domain.

Introduction

BIND (Berkeley Internet Name Domain) is an open reference implementation of the Domain Name System (DNS) protocol and provides a redistributable implementation of the major components of the Domain Name System:

a name server (named)

a resolver library

troubleshooting tools like nslookup and dig

The BIND DNS Server is used on the vast majority of name serving machines on the Internet, providing a robust and stable architecture on top of which an organization's naming architecture can be built. The resolver library included in the BIND distribution provides the standard APIs for translation between domain names and Internet addresses and is intended to be linked with applications requiring name service.

Firewall Config

BIND listens on port 53 UDP and TCP. TCP is normally only used during zone transfers, so it would appear that you could filter it if you have no slaves. However, if the response to a query is greater than 1024 bytes, the server sends a partial (truncated) response, and client and server will redo the transaction over TCP.

Responses that big do not happen often, but they do happen, and people quite often block 53/tcp without their world coming to an end. But this is where one usually inserts the story of the Great DNS Meltdown when more root servers were added: this made the response to a query for the root server list larger than 1024 bytes, and the DNS system started to break down for everyone who violated the DNS spec (RFC 1035) by blocking TCP.
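As an added example (my code, not part of the original article), the following Python script builds a DNS query the way dig does and inspects the header of a UDP reply. The TC bit is what tells a client to retry the same query over 53/tcp, and the RCODE is what dig prints as "status:" (the SERVFAIL several commenters below report). The replies are constructed inline, so the script runs offline; names such as udp_reply_verdict and constructed_reply are my own.

```python
import struct

# RCODE values from RFC 1035 section 4.1.1 (dig prints these names after "status:")
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {"A": 1, "NS": 2, "SOA": 6, "PTR": 12, "MX": 15, "AAAA": 28}

QR, TC, RD, RA = 0x8000, 0x0200, 0x0100, 0x0080  # header flag bits


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qtype="A", txid=0x1234):
    """A standard recursive query: 12-byte header plus one question (QNAME, QTYPE, QCLASS IN)."""
    header = struct.pack("!HHHHHH", txid, RD, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPES[qtype], 1)


def parse_header(msg):
    """Decode the 12-byte header into the fields dig shows on its HEADER and flags lines."""
    if len(msg) < 12:
        raise ValueError("DNS message shorter than its 12-byte header")
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & QR), "tc": bool(flags & TC),
        "rd": bool(flags & RD), "ra": bool(flags & RA),
        "rcode": RCODES.get(flags & 0x000F, f"RCODE{flags & 0x000F}"),
        "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
    }


def udp_reply_verdict(query, reply):
    """What a client must do with a UDP reply to `query`.

    'discard'        - wrong transaction id, or not a response at all
    'retry-over-tcp' - TC set: the answer did not fit, so the same query has to be
                       repeated over 53/tcp (this is why filtering 53/tcp breaks things)
    '<RCODE>'        - the server answered with an error, e.g. SERVFAIL
    'ok'             - a usable answer
    """
    q, r = parse_header(query), parse_header(reply)
    if not r["qr"] or r["id"] != q["id"]:
        return "discard"
    if r["tc"]:
        return "retry-over-tcp"
    if r["rcode"] != "NOERROR":
        return r["rcode"]
    return "ok"


def frame_for_tcp(msg):
    """Over TCP every DNS message is prefixed with its length as a 16-bit big-endian integer."""
    return struct.pack("!H", len(msg)) + msg


def constructed_reply(query, flags):
    """Sample data (constructed): a reply echoing the query's id and question with the given flags."""
    txid = struct.unpack("!H", query[:2])[0]
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + query[12:]


if __name__ == "__main__":
    q = build_query("example.com")
    for label, flags in (("truncated", QR | TC | RD | RA), ("servfail", QR | RD | RA | 2), ("clean", QR | RD | RA)):
        print(label, "->", udp_reply_verdict(q, constructed_reply(q, flags)))
```

The verdict function matches replies on the 16-bit transaction id only, which is enough to show the TC and RCODE handling; a real resolver also checks the source port and the question section before trusting a reply, since 16 bits of id alone are easy to guess.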

Differences between BIND8 and BIND9

Apart from being multi-threaded and a complete code rewrite -- which should provide better stability and security in the long term -- there are other differences:

If there is a syntax error in named.conf, BIND9 will log errors and not reload the named server. BIND8 will log errors and the daemon will die!

Extensive support of TSIGs (shared keys) for access control, for example, "update-policy" can be used for fine grained access control of dynamic updates.

The tool for starting, stopping and reloading the server, rndc, is different from the v8 ndc: different communications, authentication and features.

Syntax in zone files is more rigorously checked (e.g. a TTL line must exist).

In named.conf:

v8 options 'check-names' and 'statistics-interval' are not yet implemented in v9.

The default for the option 'auth-nxdomain' is now 'no'; if you don't set this manually, BIND 9 logs a corresponding message on startup.

The root server list, often called named.root or root.hints in BIND8 is not necessary in BIND 9, as it is included within the server.

Installing Bind in Ubuntu

sudo apt-get install bind9 dnsutils

This will install all the required packages for bind9.

Configuring Bind

If you install BIND from source, you will have to edit the file named.conf. However, Ubuntu provides you with a pre-configured BIND, so we will edit the named.conf.local file instead:

sudo vi /etc/bind/named.conf.local

This is where we will insert our zones. If you want to know what a zone is in DNS, read on.

A DNS zone is a portion of the global DNS namespace. This namespace is defined by RFC 1034, "Domain Names -- Concepts and Facilities", and RFC 1035, "Domain Names -- Implementation and Specification", and is laid out in a tree structure from right to left, such that divisions of the namespace are made by prepending a series of characters followed by a period ('.') to the upper namespace.

You need to add the following lines to the named.conf.local file:

# This is the zone definition. Replace example.com with your domain name.

zone "example.com" {
type master;
file "/etc/bind/zones/example.com.db";
};

# This is the zone definition for reverse DNS. Replace 0.168.192 with your network address in reverse notation -- e.g. my network address is 192.168.0.

zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};

Now you need to edit the options file:

sudo vi /etc/bind/named.conf.options

We need to modify the forwarders. These are the DNS servers to which your own server forwards the queries it cannot answer itself (the forwarders statement sits inside the existing options { ... } block).

forwarders {
# Replace the address below with the address of your provider's DNS server
123.123.123.123;
};

Add the zone definition files (replace example.com with your domain name):

sudo mkdir /etc/bind/zones

sudo vi /etc/bind/zones/example.com.db

The zone definition file is where we put all the addresses and machine names that our DNS server will know. An example zone file follows.

; replace example.com with your domain name. Do not forget the . after the domain name!
; Also, replace ns1 with the name of your DNS server.
; Zone files use ';' for comments; '//' is only valid in named.conf and is a syntax error here.
$TTL 604800 ; default TTL for records without one; BIND 9 refuses to load a zone without $TTL
example.com. IN SOA ns1.example.com. admin.example.com. (
        2007031001 ; serial: increase it every time you edit this file
        28800      ; refresh
        3600       ; retry
        604800     ; expire
        38400 )    ; minimum (negative caching TTL)

; Replace the following lines as necessary:
; ns1 = DNS server name
; mail = mail server name
; example.com = domain name
example.com. IN NS ns1.example.com.
example.com. IN MX 10 mail.example.com.

; Replace the IP addresses with the right ones. Names without a trailing dot are relative to example.com.
www  IN A 192.168.0.2
mail IN A 192.168.0.3 ; the MX target above must have an address record
ns1  IN A 192.168.0.1

Create Reverse DNS Zone file

A normal DNS query would be of the form 'what is the IP of host=www in domain=mydomain.com'. There are times, however, when we want to find out the name of the host whose IP address is x.x.x.x. Sometimes this is required for diagnostic purposes; more frequently these days it is used for security purposes, to trace a hacker or spammer. Indeed, many modern mailing systems use reverse mapping to provide simple authentication using a dual look-up: IP to name and name to IP.

In order to perform reverse mapping and to support normal recursive and iterative (non-recursive) queries, the DNS designers defined a special (reserved) domain name called IN-ADDR.ARPA. This domain covers all supported Internet IPv4 addresses (and now IPv6).

sudo vi /etc/bind/zones/rev.0.168.192.in-addr.arpa

Copy and paste the following sample file:

; replace example.com with your domain name, ns1 with your DNS server name.
; The number before IN PTR is the host part of the DNS server's address: in my case it's 1, as my IP address is 192.168.0.1.
; Zone files use ';' for comments, not '//'.
$TTL 604800
@ IN SOA ns1.example.com. admin.example.com. (
        2007031001 ; serial: increase it every time you edit this file
        28800      ; refresh
        604800     ; retry
        604800     ; expire
        86400 )    ; minimum

@ IN NS ns1.example.com.
; the name must end with a dot and should match the A record for 192.168.0.1 in the forward zone
1 IN PTR ns1.example.com.
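As an added example (my code, not from the article), here is a small Python pre-check for the forward and reverse zone files above. It parses master-file syntax the way named reads it ($TTL, ';' comments, the parenthesised SOA, '@' and blank owner fields, relative names) and reports the mistakes behind the SERVFAIL that several commenters below report: '//' comments (valid in named.conf, not in a zone file), a missing $TTL, an MX or NS target with no address record, and a PTR/NS/MX target without its trailing dot. The embedded samples are constructed from the article's forward zone as first posted and its corrected form; the authoritative checks remain named-checkzone for zone files and named-checkconf for named.conf, run before the restart below.

```python
# Added example: a lightweight pre-check for BIND master-format zone files.
RTYPES = {"SOA", "NS", "A", "AAAA", "MX", "PTR", "CNAME", "TXT"}


def fqdn(name, origin):
    """Qualify a name the way named does: '@' is the origin; no trailing dot means relative."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return (ttl, records, issues); records are (owner_fqdn, RTYPE, rdata_tokens)."""
    origin = origin.rstrip(".") + "."
    ttl, records, issues = None, [], []
    last_owner, pending, depth = origin, None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith(("//", "#")):
            issues.append(f"line {lineno}: '//' and '#' are not zone-file comments; use ';'")
            continue
        body = raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").rstrip()  # ';' = comment
        if not body.strip():
            continue
        if pending is None:  # a blank owner field means "same owner as the previous record"
            pending = (body[0].isspace(), [])
        pending[1].extend(body.split())
        depth += body.count("(") - body.count(")")
        if depth > 0:  # still inside a parenthesised multi-line record (the SOA)
            continue
        owner_blank, toks = pending
        pending = None
        toks = [t for t in toks if t not in ("(", ")")]
        if not toks:
            continue
        if toks[0] == "$TTL":
            ttl = int(toks[1])
            continue
        if owner_blank:
            owner = last_owner
        else:
            owner = last_owner = fqdn(toks.pop(0), origin)
        while toks and (toks[0].isdigit() or toks[0].upper() == "IN"):  # optional TTL and class
            toks.pop(0)
        if not toks or toks[0].upper() not in RTYPES:
            issues.append(f"line {lineno}: no record type found in {raw.strip()!r}")
            continue
        records.append((owner, toks[0].upper(), toks[1:]))
    return ttl, records, issues


def lint_zone(text, origin):
    """Return human-readable problems; an empty list means the file looks loadable."""
    origin = origin.rstrip(".") + "."
    ttl, records, issues = parse_zone(text, origin)
    if ttl is None:
        issues.append("no $TTL directive: BIND 9 rejects a zone without one")
    soa = [r for r in records if r[1] == "SOA"]
    if len(soa) != 1 or len(soa[0][2]) != 7:
        issues.append("need exactly one SOA with MNAME, RNAME and five numbers (serial refresh retry expire minimum)")
    has_addr = {owner for owner, rtype, _ in records if rtype in ("A", "AAAA")}
    for owner, rtype, rdata in records:
        if rtype not in ("NS", "MX", "PTR", "CNAME") or not rdata:
            continue
        target = rdata[-1]
        if not target.endswith("."):
            issues.append(f"{rtype} target {target!r} lacks a trailing dot; named reads it as {fqdn(target, origin)}")
        target = fqdn(target, origin)
        if rtype in ("NS", "MX") and target not in has_addr and (target == origin or target.endswith("." + origin)):
            issues.append(f"{rtype} points at {target}, which has no A/AAAA record in this zone")
    return issues


# Constructed sample, following the article's forward zone as first posted ...
AS_POSTED = """\
// replace example.com with your domain name
example.com. IN SOA ns1.example.com. admin.example.com. (
2007031001 28800 3600 604800 38400
)
example.com. IN NS ns1.example.com.
example.com. IN MX 10 mail.example.com.
mta IN A 192.168.0.3
ns1 IN A 192.168.0.1
"""
# ... and the corrected version ($TTL, ';' comments, an A record for the MX target).
CORRECTED = """\
$TTL 604800
example.com. IN SOA ns1.example.com. admin.example.com. (
        2007031001 28800 3600 604800 38400 ) ; serial refresh retry expire minimum
example.com. IN NS ns1.example.com.
example.com. IN MX 10 mail.example.com.
www  IN A 192.168.0.2
mail IN A 192.168.0.3
ns1  IN A 192.168.0.1
"""

if __name__ == "__main__":
    for label, zone in (("as posted", AS_POSTED), ("corrected", CORRECTED)):
        print(label, "->", lint_zone(zone, "example.com") or "no problems found")
```

Run it on your own files with lint_zone(open(path).read(), "yourdomain") and the reverse zone with its in-addr.arpa origin; an MX or NS that points outside the zone is deliberately not checked for an address record, because that address lives in someone else's zone.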

Restart the BIND server using the following command:

sudo /etc/init.d/bind9 restart

Testing Your DNS Server

Modify the file resolv.conf with the following settings:

sudo vi /etc/resolv.conf

Enter the following details, then save and exit the file:

# replace example.com with your domain name, and 192.168.0.1 with the address of your new DNS server.

search example.com
nameserver 192.168.0.1

Test your DNS using the following command:

dig example.com

 


94 Responses

  1. Mike says:

    I am unsure about what this means:

    // Replace the IP address with the right IP addresses.
    www IN A 192.168.0.2
    mta IN A 192.168.0.3
    ns1 IN A 192.168.0.1

    192.168.0.2 is the address that I have given to my DNS server, if that matters?

    Bind starts OK when the server boots – but how do I create a DNS alias or DNS records for my LAN?

  2. Prabin Dahal says:

    Hi, I tried your post.
    When I run dig prabin-dahal.com.np it responds with the following:

    ; <<>> DiG 9.4.2-P2 <<>> prabin-dahal.com.np
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42577
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;prabin-dahal.com.np. IN A

    ;; Query time: 0 msec
    ;; SERVER: 192.168.0.108#53(192.168.0.108)
    ;; WHEN: Mon Dec 29 15:38:47 2008
    ;; MSG SIZE rcvd: 37

    but I am not able to ping prabin-dahal.com.np. What is the problem?

  3. Ian says:

    Prabin,

    I have the same problem. I think that, although it says it has got an answer, all the lines start with a ; – so there is no data in the answer it got.

    Wish I knew what was going wrong!

  4. S.Sathiya Seelan says:

    I’m new to Ubuntu. I want to configure this Windows configuration in Ubuntu. If I configure it like this, only then can I use Ubuntu on the whole network. Is it possible? Please help me configure it:

    IP Address: 10.1.171.148
    Subnet Mask : 255.255.255.0
    Gateway : 10.1.171.1

    Primary DNS : 10.1.1.36
    Alternate DNS : 10.1.1.37
    DNS Suffix for this connection : bheltry.co.in

  5. Storm says:

    Hi there,

    Guys, I’m new to Linux and I need some help to configure bind9.
    My server is behind a router.
    Router ip 86.106.193.xxx
    DNS ip 86.106.196.xxx
    Server ip 192.168.1.100
    Ports 20,21,53,80 forwarded to Server

    Can you please mention what changes I should make to the sample configuration you posted at the top?

    Thank you

  6. Alexey says:

    I have no problem when I start bind9 manually, but when I reboot the notebook it just says [fail]. Where can I find the problem?

    I’ve looked at dmesg, syslog, daemon.log and debug; there is no answer…

  7. Moustafa says:

    Hi all, I want anyone to help me please:
    * Stopping domain name service… bind rndc: connect failed: 127.0.0.1#953: connection refused
    [fail]
    * Starting domain name service… bind [fail]
    This message also appears when I restart my BIND server, and I have copied the rndc file into /var/named/chroot/etc. What should I do, and what IP address should I assign to my PC?

  8. Jacob says:

    okay, so I actually did a ddns setup with a completely different walkthrough. I think I somewhat understand it now, but for some reason, Ubuntu Server wants to be a bit flaky.

    In any case, started, the rndc.key file was owned by bind and couldn’t be opened by the DHCP daemon. Created a copy of the .key file in /etc/dhcp3 and chowned it to root. restarted bind, restarted dhcp3. No complaints, except the name server could only resolve itself and not the client I connected via DHCP. That might be because I configured the client box with a fixed IP because I’m sharing a network and don’t have a personal gateway server and don’t want the IT guys to threaten me with expulsion. If you know if a ddns configuration works with fixed-address hosts in dhcpd.conf, that would be a wonderful thing to know. Also, if you want to know the reason I’d do DDNS rather than static DNS is because I’m trying to manage 30+ machines, which isn’t really nice. The most work I want is maintaining a list of machine addresses and automating everything else.

    Then I ran a command, the box froze, I restarted it.
    After restarting the box, the zones folder as well as the key files could not be accessed by dhcpd, bind, or sudo just about anything, regardless of permissions, and even if I change permissions to the admin account and restart the box.

    DHCP: I don’t want to configure and keep track of IP addresses for 30+ boxes.
    DDNS: I don’t want to configure /etc/hosts for 30+ boxes.

    Then onto centralizing user authentication, and when we finally get a half-decent server, home folders.

  9. rey says:

    Hi, I have followed this tutorial step by step, but when I try to restart bind9 I get this error:

    rndc: connect failed: 127.0.0.1#953: connection refused

    and bind9 doesn’t start; it just says [fail].

    Why do I get this error?

  10. mcsedude says:

    What to check if it does not work? I followed each step. Can you help me?

  11. mcsedude says:

    I changed /etc/resolv.conf to my DNS server and dig example.com does not resolve, but if I put in DNS forwarders it works great!

    What do you think?

  12. gojeg says:

    Hi, I’m using Ubuntu Server 9.04 and bind9. My server is resolving through the upper router, so if I ping its domain I can’t get a reply.

  13. jdaniel says:

    If it does not work look in /var/log/syslog for errors.

  14. Sushil says:

    Hi friends,
    I have installed Ubuntu LAMP server 8.10 for a DNS server.
    I have a problem at:
    @@@@@@@@@@@@@@@@@@@@@@@@@@
    zone “example.com” {
    type master;
    file “/etc/bind/zones/example.com.db”;
    };
    @@@@@@@@@@@@@@@@@@@@@@@@@@

    What should be replaced in the place of example.com…

    I know my server’s
    host name: hhhhhh
    domain: local (only local, no use of .com, .org, .net etc.)

  15. junkie says:

    $TTL 604800
    @ IN SOA ns2.junkie.home. root.junkie.home. (
            1;
            28800;
            3600;
            604800;
            38400;
    )
            NS ns2.junkie.home.

            A 10.0.0.2
    www CNAME @
    katya A 10.0.0.3

  16. shah says:

    Hi, I would like to know how to configure forwarders as below:

    All Domains –> forwarder 1 & forwarder 2

    Domain 1 –> forwarder 3

    Domain 2 –> forwarder 4

    Thank you.

  17. dan says:

    Unfortunately forwarders are part of the nameserver itself and not domain specific.
    You’d have to set up a second nameserver with the other domain in it to designate a different forwarder.
    There’s no reason for that, since a forwarder answers dns queries for what is not within that name server. If your goal is to have some machines get a dns return of NXDOMAIN for some dns queries, then multiple dns servers will be necessary.

  18. Rich says:

    Hi All,
    I had several errors also with the above tutorial, but I think it’s mainly down to cut and paste. In the zone definitions part, when you cut and paste it into nano (or vi presumably) it loses its quote marks “” and causes errors when restarting bind. Hope this helps.
    Rich

  19. Anand Phulwani says:

    Rename named.conf.local to named.conf.

  20. Matthieu says:

    In this text, there are some citations from the book “Pro DNS and BIND” from Apress. It is published under a Creative Commons License, so it is OK, as long as the work is attributed to its author…
    Check for example the section about reverse mapping…
    http://www.zytrax.com/books/dns/ch3/

  21. Dave says:

    Hi there,

    Is it possible to add a second zone so I can host example.com and example2.com that resolve to two different IP addresses in the one subnet? With MX records in each could I run two mail servers?

    Thanks

  22. Dan says:

    Dave,

    It’s very common, and entirely possible.
    All that needs to be done is edit named.conf (as done in this tutorial as named.conf.local), add in another “zone “example.com {” section pointing to another file for your second domain. Then, create the example.com.db (named for your domain) for your new domain as done in this tutorial. Pretty much, it’s just a rerun of this tutorial.

    The MX record within your “example.com.db” is for that domain alone, so set it as you wish.

  23. Dave says:

    Thanks Dan I’ll be attacking this today!

    Cheers for your reply.

    Dave

  24. wepawetmose says:

    just to say thanks… this worked for me ^.^

  25. dada says:

    I followed your note. Thank you, it was great, but I cannot understand why my server does not work properly.
    This is when I test my domain:

    ; <<>> DiG 9.6.1-P2 <<>> brightfuture.com.et
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 30061
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;brightfuture.com.et. IN A

    ;; Query time: 0 msec
    ;; SERVER: 192.168.1.1#53(192.168.1.1)
    ;; WHEN: Thu Mar 11 21:56:48 2010
    ;; MSG SIZE rcvd: 37

    Please help me. Thank you guys.

  26. Metatron says:

    I’m going crazy. I’m very new at this. I followed these steps to the letter. But my bind9 fails to start. When I go /etc/init.d/bind9 start it says failed in the right corner of the screen. When I go /etc/init.d/bind9 status it says it couldn’t locate the PID file. Again, I’m very familiar with networking, but Linux is very new to me. I was for years a Windows-only guy, but I want to broaden my horizons.
    Thank you for your answers and your patience.

  27. Dan says:

    Metatron,
    If it can’t locate a pid file, that means it isn’t running. A PID file holds the process id of the application, and is created when the application is started by the initialization script. (/etc/init.d/bind9)

    “/etc/init.d/bind9 start” should fix your problem, or at least steer you into different problems 🙂

  28. prad says:

    Hello,
    I have installed the DNS server and started it. When I use the command “dig http://www.example.com” from a user machine it gives the following output.

    ————————————-
    ; <<>> Dig 9.5.1-P2 <<>> example.com
    ;; global options: printcmd
    ;; connection timed out; no servers could be reached
    —————————————-

    Where can I possibly go wrong while doing this?

    Thanks

  29. prad says:

    I have to add the following code to the
    /etc/bind/named.conf.options file.

    options {
    dump-file “/var/cache/bind/dump.db”;
    };

    I am not able to see the dump.db file at the specified location. Will the file be generated by the server, or do we have to add an empty file there?

  30. Gulab Pasha says:

    I have recently configured the DNS service on my server; whenever I try to start the service (/etc/init.d/bind start) it gives an error.

    # /etc/init.d/bind9 start
    * Starting domain name service… bind9
    …fail!

    #/etc/init.d/bind9 restart
    * Stopping domain name service… bind9
    rndc: connect failed: 127.0.0.1#953: connection refused
    …done.
    * Starting domain name service… bind9
    …fail!

    Syslog error:

    May 4 12:47:49 sfdlabs named[23866]: starting BIND 9.6.1-P2 -u bind -t /var/lib/named
    May 4 12:47:49 sfdlabs named[23866]: built with ‘–prefix=/usr’ ‘–mandir=/usr/share/man’ ‘–infodir=/usr/share/info’ ‘–sysconfdir=/etc/bind’ ‘–localstatedir=/var’ ‘–enable-threads’ ‘–enable-largefile’ ‘–with-libtool’ ‘–enable-shared’ ‘–enable-static’ ‘–with-openssl=/usr’ ‘–with-gssapi=/usr’ ‘–with-gnu-ld’ ‘–with-dlz-postgres=no’ ‘–with-dlz-mysql=no’ ‘–with-dlz-bdb=yes’ ‘–with-dlz-filesystem=yes’ ‘–with-dlz-ldap=yes’ ‘–with-dlz-stub=yes’ ‘–with-geoip=/usr’ ‘–enable-ipv6’ ‘CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2’ ‘LDFLAGS=-Wl,-Bsymbolic-functions’ ‘CPPFLAGS=’ ‘CXXFLAGS=-g -O2’ ‘FFLAGS=-g -O2’
    May 4 12:47:49 sfdlabs named[23866]: adjusted limit on open files from 1024 to 1048576
    May 4 12:47:49 sfdlabs named[23866]: found 4 CPUs, using 4 worker threads
    May 4 12:47:49 sfdlabs named[23866]: using up to 4096 sockets
    May 4 12:47:49 sfdlabs named[23866]: loading configuration from ‘/etc/bind/named.conf’
    May 4 12:47:49 sfdlabs named[23866]: none:0: open: /etc/bind/named.conf: permission denied
    May 4 12:47:49 sfdlabs named[23866]: loading configuration: permission denied
    May 4 12:47:49 sfdlabs named[23866]: exiting (due to fatal error)
    May 4 12:47:49 sfdlabs kernel: [1542760.915286] type=1503 audit(1272957469.765:38): operation=”open” pid=23869 parent=23865 profile=”/usr/sbin/named” requested_mask=”r::” denied_mask=”r::” fsuid=107 ouid=107 name=”/var/lib/named/etc/bind/named.conf”

    Looking forward to your support
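An added example (my code, not from the article or the commenter) that reads the kind of syslog lines quoted in the comment above: it pairs the AppArmor denial logged by the kernel with the -t chroot argument that named logs at startup, so each finding states both the real path AppArmor blocked and the path named believed it was opening. The sample lines are the ones quoted in the comment; the function names are my own.

```python
import re

# Constructed sample: the syslog lines quoted in the comment above (startup flags and the denial).
SAMPLE_SYSLOG = [
    "May 4 12:47:49 sfdlabs named[23866]: starting BIND 9.6.1-P2 -u bind -t /var/lib/named",
    "May 4 12:47:49 sfdlabs named[23866]: loading configuration from '/etc/bind/named.conf'",
    "May 4 12:47:49 sfdlabs named[23866]: none:0: open: /etc/bind/named.conf: permission denied",
    "May 4 12:47:49 sfdlabs named[23866]: exiting (due to fatal error)",
    'May 4 12:47:49 sfdlabs kernel: [1542760.915286] type=1503 audit(1272957469.765:38): '
    'operation="open" pid=23869 parent=23865 profile="/usr/sbin/named" requested_mask="r::" '
    'denied_mask="r::" fsuid=107 ouid=107 name="/var/lib/named/etc/bind/named.conf"',
]

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key="quoted value" or key=bare


def apparmor_denial(line):
    """Return the key/value fields of an AppArmor denial audit line, or None for any other line."""
    if "audit(" not in line or "denied_mask=" not in line:
        return None
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def named_chroot(lines):
    """named logs its own arguments at startup; return the -t <dir> chroot if one was given."""
    for line in lines:
        m = re.search(r"named\[\d+\]: starting BIND \S+ (.*)$", line)
        if m:
            argv = m.group(1).split()
            if "-t" in argv and argv.index("-t") + 1 < len(argv):
                return argv[argv.index("-t") + 1]
    return None


def diagnose(lines):
    """List every AppArmor denial with the real path, and the same path as seen from inside the chroot."""
    chroot = named_chroot(lines)
    findings = []
    for line in lines:
        d = apparmor_denial(line)
        if d is None:
            continue
        path = d.get("name", "?")
        inside = path[len(chroot):] if chroot and path.startswith(chroot + "/") else path
        summary = (f"AppArmor profile {d.get('profile')} denied {d.get('operation')} "
                   f"({d.get('denied_mask')}) on {path} for uid {d.get('fsuid')}")
        if chroot:
            summary += f"; named runs chrooted in {chroot}, so named itself asked for {inside}"
        findings.append({
            "profile": d.get("profile"), "operation": d.get("operation"),
            "denied": d.get("denied_mask"), "uid": d.get("fsuid"),
            "path": path, "chroot": chroot, "path_inside_chroot": inside,
            "summary": summary,
        })
    return findings


if __name__ == "__main__":
    for finding in diagnose(SAMPLE_SYSLOG):
        print(finding["summary"])
```

The point of the pairing is that AppArmor mediates the real path (/var/lib/named/etc/bind/named.conf) while named only ever sees /etc/bind/named.conf, so file permissions on the latter look fine and the fix is on the confinement side: the profile for /usr/sbin/named has to allow the files under the chroot, or the chroot option has to go.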
