Debian: Bind

BIND 9 has evolved to be a very flexible, full-featured DNS system. Whatever your application is, BIND 9 probably has the required features. As the first, oldest, and most commonly deployed solution, there are more network engineers who are already familiar with BIND 9 than with any other system.

Step 1: Install Packages

This installation expects Apache to be installed and running already.

# sudo apt install bind9 bind9-utils

Step 2: Configure BIND9 Basics

Change the BIND default settings in /etc/default/bind9 so that named always starts as the bind user:

# run resolvconf?
RESOLVCONF=no

# startup options for the server
OPTIONS="-u bind"

BIND9 keeps its generic options in a dedicated file, /etc/bind/named.conf.options:

// BIND9 : Options

// The "trusted" ACL used below must be defined before it is referenced,
// otherwise named refuses to load the configuration (undefined ACL).
// Adjust the addresses to your own networks.
acl "trusted" {
    127.0.0.1;
    <internal-network-cidr>;
};

options {

    // Zone Directory
    directory "/var/cache/bind";

    // GeoIP Directory
    geoip-directory "/var/lib/GeoIP";

    // Set DNSSEC validation to auto
    dnssec-validation auto;

    // Conform to RFC 1035
    auth-nxdomain no;

    // Do not listen on IPv6
    listen-on-v6 { none; };

    // Listen on the defined addresses only
    listen-on { 127.0.0.1; <internal-ip>; <public-ip>; };

    // Do not disclose the BIND version (version.bind CH TXT)
    version none;

    // Anyone may query authoritative data; only trusted clients
    // may read the cache or use recursion
    allow-query { any; };
    allow-query-cache { trusted; };
    allow-recursion { trusted; };

    // PID file
    pid-file "/var/run/named/named.pid";

    // This statement defines the file name to which data will be
    // written when the command rndc stats is issued.
    statistics-file "/var/log/named/named.stats";

    // This statement defines whether zone statistics will be maintained.
    zone-statistics yes;

    // By default DNS uses UDP port 53 for queries but is defined to allow both TCP and UDP.
    // tcp-clients sets the maximum number of simultaneous TCP connections to be supported.
    // The BIND 9 default is 100.
    tcp-clients 50;

    // Response rate limiting: cap identical responses per client /32 so the
    // server is less useful for reflection/amplification; every 2nd dropped
    // response is sent truncated (slip) so legitimate clients retry over TCP
    rate-limit {
        ipv4-prefix-length 32;
        window 10;
        responses-per-second 25;
        errors-per-second 5;
        nxdomains-per-second 5;
        slip 2;
    };
};

BIND9 keeps its logging options in a dedicated file, /etc/bind/named.conf.log (the /var/log/named directory must exist and be writable by the bind user):

logging {

    channel update_debug {
        file "/var/log/named/update_debug.log" versions 3 size 100k;
        severity debug;
        print-severity  yes;
        print-time      yes;
    };

    channel security_info {
        file "/var/log/named/security_info.log" versions 1 size 100k;
        severity info;
        print-severity  yes;
        print-time      yes;
    };

    channel bind_log {
        file "/var/log/named/bind.log" versions 3 size 1m;
        severity info;
        print-category  yes;
        print-severity  yes;
        print-time      yes;
    };

    // Fail2Ban configuration: security events (denied queries and
    // transfers, bad TSIG signatures) go to a file Fail2Ban can watch
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 1m;
        severity dynamic;
        print-time yes;
    };

    category default { bind_log; };
    category lame-servers { null; };
    category update { update_debug; };
    category update-security { update_debug; };
    // declare a category once and list every channel it should feed
    category security { security_file; security_info; };

};
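The security_file channel above exists so that an external tool can react to what named writes there. As an added example (not part of the original post, and not Fail2Ban's own filter), the Python script below parses a few constructed log lines in the format that channel produces (print-time yes, no category or severity prefix), counts denied queries, denied zone transfers and TSIG signature failures per client, and flags clients that exceed a threshold inside a sliding time window, which is the same maxretry/findtime idea Fail2Ban applies. The regular expression, thresholds and addresses are this example's own choices.

```python
"""Count and flag BIND security-category events per client.
Added example; the sample lines are constructed, not taken from a real server."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (RFC 5737 documentation addresses) in the shape the
# security_file channel writes them: timestamp, then named's own message.
SAMPLE_LOG = """\
06-Mar-2024 10:15:01.101 client @0x7f3a1c0 192.0.2.10#41234 (example.com): query (cache) 'example.com/A/IN' denied
06-Mar-2024 10:15:01.220 client @0x7f3a1c0 192.0.2.10#41235 (example.org): query (cache) 'example.org/MX/IN' denied
06-Mar-2024 10:15:02.005 client @0x7f3a1d8 198.51.100.7#53000 (mydomain.org): zone transfer 'mydomain.org/AXFR/IN' denied
06-Mar-2024 10:15:02.510 client @0x7f3a1c0 192.0.2.10#41236 (example.net): query (cache) 'example.net/A/IN' denied
06-Mar-2024 10:15:03.000 client @0x7f3a1c0 192.0.2.10#41237 (example.com): query (cache) 'example.com/AAAA/IN' denied
06-Mar-2024 10:16:40.000 client @0x7f3a1e0 203.0.113.9#5353: request has invalid signature: TSIG tsig-key: tsig verify failure (BADSIG)
"""

# timestamp, optional client pointer, IP#port, optional "(name)", then the message
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9A-Fa-f.:]+)#\d+"
    r"(?: \([^)]*\))?: (?P<msg>.*)$"
)


def classify(msg: str):
    """Map a security-category message to an event kind (None = not of interest)."""
    if msg.endswith(" denied"):
        return "transfer-denied" if msg.startswith("zone transfer") else "query-denied"
    if "invalid signature" in msg:
        return "bad-signature"
    return None


def parse_line(line: str):
    """Return {"time", "ip", "kind"} for an interesting line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    kind = classify(m["msg"])
    if kind is None:
        return None
    ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S.%f")
    return {"time": ts, "ip": m["ip"], "kind": kind}


def events(log_text: str):
    for line in log_text.splitlines():
        e = parse_line(line)
        if e:
            yield e


def summarize(log_text: str) -> Counter:
    """Count events per (client IP, kind)."""
    return Counter((e["ip"], e["kind"]) for e in events(log_text))


def flag_clients(log_text: str, threshold: int = 3, window_seconds: int = 60) -> dict:
    """Return {ip: max events seen inside any window_seconds window} for every
    client that reaches the threshold (sliding window over sorted timestamps)."""
    per_ip = defaultdict(list)
    for e in events(log_text):
        per_ip[e["ip"]].append(e["time"])
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, best = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for (ip, kind), n in sorted(summarize(SAMPLE_LOG).items()):
        print(f"{ip:<16} {kind:<16} {n}")
    print("flagged:", flag_clients(SAMPLE_LOG))
```

Running it against the sample prints one line per client and kind and flags 192.0.2.10, which produced four denied cache queries within two seconds; the single denied transfer and the single BADSIG stay below the threshold but are still counted, which is what you want to see in the summary before deciding on a ban policy.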

BIND9 has a main configuration file, which includes all the other files, /etc/bind/named.conf:

// This is the primary configuration file for the BIND DNS server named.

// BIND9 : Trusted & Managed Keys
include "/etc/bind/bind.keys";

// BIND9 : Transfer Keys
include "/etc/bind/tsig.keys";

// BIND9 : Main Options
include "/etc/bind/named.conf.options";

// BIND9 : RNDC Key Controls
include "/etc/bind/rndc.key";

controls {
      inet 127.0.0.1 port 953
      allow { 127.0.0.1; } keys { "rndc-key"; };
};

// BIND9 : Logging Options
include "/etc/bind/named.conf.log";

// Standard Zones to Load
include "/etc/bind/named.conf.default-zones";

// add entries for other zones below here
include "/etc/bind/loaded_zones.conf";

Step 3: TSIG: Local Control

The purpose of this key is to authenticate rndc control commands sent to BIND:

# rndc-confgen > /etc/bind/rndc.conf
# chown root:bind  /etc/bind/rndc.conf
# chmod 640  /etc/bind/rndc.conf

Copy the key section of /etc/bind/rndc.conf into /etc/bind/rndc.key and restrict its permissions:

# chown root:bind /etc/bind/rndc.key
# chmod 640 /etc/bind/rndc.key

Make sure the primary BIND configuration file /etc/bind/named.conf contains the following (the named.conf shown in Step 2 already does):

include "/etc/bind/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

Step 4: TSIG: Secondary Zones

This post is not specifically meant for setting up DNS zones, as there are enough sites dedicated to that, but there are some things to take into account, for example making sure that secondary BIND servers use secure keys to transfer zones.

Make sure that the zone definition (example) in /etc/bind/loaded_zones.conf on the primary server restricts transfers to the key:

zone "mydomain.org" in {
        type master;
        file "/var/cache/bind/mydomain.org.db";
        allow-transfer {
            key "tsig-key";
        };
        also-notify { <secondary-bind-server-ip>; };
};

Configure the matching zone on the secondary servers in /etc/bind/loaded_zones.conf:

zone "mydomain.org" in {
    type slave;
    file "/var/cache/bind/mydomain.org.db";
    // present the TSIG key on transfer requests; without it the primary's
    // allow-transfer { key "tsig-key"; } rejects the AXFR/IXFR
    masters { <primary-bind-server-ip> key "tsig-key"; };
    allow-notify { <primary-bind-server-ip>; };
};

On the primary server, generate the shared key:

# dnssec-keygen -a HMAC-SHA512 -b 512 -n HOST -r /dev/urandom host1-host2

The key is written to a file named like ‘host1-host2.+163+00000.private’ (the numeric fields vary). Nothing uses this file directly, but the base64-encoded string following “Key:” can be extracted from it and used as the shared secret. On BIND 9.13 and later dnssec-keygen no longer generates HMAC keys; use tsig-keygen -a hmac-sha512 tsig-key instead, which prints a ready-to-use key statement. Define the key in the transfer key file /etc/bind/tsig.keys on both the primary and the secondary server, and protect the file like rndc.key (owner root:bind, mode 640):

// Transfer Keys

key "tsig-key" {
    algorithm HMAC-SHA512;
    secret "<key generated with dnssec-keygen command>";
};
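To show what the shared secret in tsig.keys actually protects, here is an added Python example (not code from the original post or from ISC BIND) that implements the TSIG request MAC of RFC 8945 with hmac-sha512: it builds a minimal AXFR query for mydomain.org, signs it with a key named tsig-key, verifies it the way a primary does before honouring allow-transfer { key "tsig-key"; }, and rejects a tampered message, a wrong secret, an unknown key name or a stale timestamp with the corresponding TSIG error. It also renders a fresh random secret in the key-statement syntax used above. The parser is deliberately limited to messages that carry only a question section plus the TSIG record; the message ID, fudge value, secret and timestamps are constructed for the example.

```python
"""Minimal RFC 8945 TSIG (hmac-sha512) signer/verifier for a DNS request.
Added example; not code from the original post or from ISC BIND."""
import base64
import hashlib
import hmac
import os
import struct
import time

ALGORITHM = "hmac-sha512."   # algorithm name as carried in the TSIG RR
TYPE_TSIG, CLASS_ANY, TYPE_AXFR = 250, 255, 252


def wire_name(name: str) -> bytes:
    """Uncompressed wire-format name, lowercased (the canonical form TSIG hashes)."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii")
                   for l in name.rstrip(".").lower().split(".") if l)
    return out + b"\x00"


def read_name(buf: bytes, pos: int):
    """Read an uncompressed name starting at pos; return (name, next_pos)."""
    labels = []
    while buf[pos] != 0:
        n = buf[pos]
        labels.append(buf[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels) + ".", pos + 1


def build_query(qname: str, qtype: int = TYPE_AXFR, msg_id: int = 0x1234) -> bytes:
    """Unsigned DNS query: 12-byte header (QDCOUNT=1) plus one question (class IN)."""
    return struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0) + wire_name(qname) + struct.pack("!HH", qtype, 1)


def compute_mac(secret: bytes, message: bytes, key_name: str, time_signed: int, fudge: int) -> bytes:
    """RFC 8945 4.3.3: HMAC over the unsigned message followed by the TSIG variables
    (key name, class ANY, TTL 0, algorithm, time signed, fudge, error 0, other len 0)."""
    variables = (wire_name(key_name) + struct.pack("!HI", CLASS_ANY, 0) + wire_name(ALGORITHM)
                 + time_signed.to_bytes(6, "big") + struct.pack("!HHH", fudge, 0, 0))
    return hmac.new(secret, message + variables, hashlib.sha512).digest()


def sign(message: bytes, key_name: str, secret: bytes, time_signed: int = None, fudge: int = 300) -> bytes:
    """Append a TSIG RR to an unsigned message and increment ARCOUNT."""
    if time_signed is None:
        time_signed = int(time.time())
    mac = compute_mac(secret, message, key_name, time_signed, fudge)
    msg_id, arcount = struct.unpack("!H", message[:2])[0], struct.unpack("!H", message[10:12])[0]
    rdata = (wire_name(ALGORITHM) + time_signed.to_bytes(6, "big") + struct.pack("!HH", fudge, len(mac))
             + mac + struct.pack("!HHH", msg_id, 0, 0))        # original ID, error, other len
    rr = wire_name(key_name) + struct.pack("!HHIH", TYPE_TSIG, CLASS_ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def verify(signed: bytes, keys: dict, now: int = None):
    """Verify a signed request as a server would; keys maps key name -> secret.
    Returns (ok, reason). Only question section + TSIG RR messages are handled."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(qd):
        _, pos = read_name(signed, pos)
        pos += 4                                   # QTYPE + QCLASS
    if an or ns or ar != 1:
        return False, "unsupported layout"
    tsig_start = pos
    key_name, pos = read_name(signed, pos)
    rtype, rclass, _, _ = struct.unpack("!HHIH", signed[pos:pos + 10])
    pos += 10
    if rtype != TYPE_TSIG or rclass != CLASS_ANY:
        return False, "last RR is not TSIG"
    alg, pos = read_name(signed, pos)
    time_signed = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_len]
    orig_id = signed[pos + 10 + mac_len:pos + 12 + mac_len]
    secret = keys.get(key_name.rstrip(".").lower())
    if secret is None or alg.lower() != ALGORITHM:
        return False, "BADKEY"
    # Rebuild what the signer hashed: original ID, ARCOUNT without the TSIG RR, no TSIG RR.
    unsigned = orig_id + signed[2:10] + struct.pack("!H", ar - 1) + signed[12:tsig_start]
    if not hmac.compare_digest(compute_mac(secret, unsigned, key_name, time_signed, fudge), mac):
        return False, "BADSIG"
    if abs((int(time.time()) if now is None else now) - time_signed) > fudge:
        return False, "BADTIME"
    return True, "ok"


def key_statement(key_name: str, secret: bytes) -> str:
    """Render a secret in the syntax of the tsig.keys file above."""
    return 'key "%s" {\n    algorithm hmac-sha512;\n    secret "%s";\n};\n' % (
        key_name, base64.b64encode(secret).decode())


if __name__ == "__main__":
    secret = os.urandom(64)                        # 512-bit secret, like dnssec-keygen -b 512
    print(key_statement("tsig-key", secret))
    query = sign(build_query("mydomain.org"), "tsig-key", secret)
    print("valid:", verify(query, {"tsig-key": secret}))
    print("tampered:", verify(query[:20] + bytes([query[20] ^ 1]) + query[21:], {"tsig-key": secret}))
```

Two details matter operationally: the MAC covers the whole request, so a transfer request cannot be replayed with a different zone name or forwarded with altered content, and the fudge window (300 seconds here, BIND's default) is why clock drift between primary and secondary shows up in the security log as BADTIME rather than as a transfer that silently works.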