dns_-_bind9
Revision 2022/07/19 23:57 (current), "Updated formatting", by admin; previous revision 2022/07/19 21:13, external edit from 127.0.0.1.
===== To set up Bind9 locally: =====
<code>

</code>
This should install and work OK. Note: firewall rules are required. See the [[Iptables Firewall|Firewall]] section.
In order to start using bind locally, edit /
<code>


</code>
(The "
Restart bind: - /
[...]
===== Configuring Bind (version 9): =====
Check to see if the following is referenced in /
<code>

</code>
**Edit the following file:**
<code>
vi /
//
//
//
zone "
type master;
[...]
};
//The next is the reverse DNS entry.
zone "
type master;
file "/
};
//
</code>
**Create the kartbuilding.net.zone file:**
<code>
vi /
//
$TTL 3h
[...]


//End file ------------------------------------
</code>
**Create Reverse DNS lookup file:**
This file only serves reverse (PTR) lookups. For it to be used from the Internet, the reverse delegation has to be made by your ISP, since reverse DNS for public address space is delegated from them.
<code>
vi /
//


[...]

//End of file ---------------------------
</code>
**Start bind and Test:**
<code>
/
CHECK LOGS::
[...]
Go to http://
</code>
If the BIND client utilities are not installed (on Debian they are in the dnsutils package, separate from bind9) you won't have nslookup and you'll get:
<code>

</code>

To solve this:
<code>

</code>
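As an added worked example (not from the original page), here is a complete forward zone and the matching reverse zone for the page's kartbuilding.net domain, with constructed addresses from the 192.0.2.0/24 documentation range, a date-based serial, and a syntax check with named-checkzone when that tool is installed. The trailing dots on fully qualified names, the serial, and the reverse-zone name are the details that most often go wrong when writing these files by hand.

```shell
#!/bin/sh
# Added example: generate a forward zone and its reverse zone for a constructed
# setup and validate them. Not the page's own files; names and addresses below
# are placeholders (RFC 5737 documentation range).
DOMAIN=kartbuilding.net          # zone name used on the page
NET=192.0.2                      # constructed /24 prefix
HOST_IP=$NET.10                  # constructed address of the web/mail host
ZONEDIR=${ZONEDIR:-/tmp/bind-example}

# Serial in YYYYMMDDnn form; bump nn for each change made on the same day.
# A serial that does not increase is the classic reason a secondary keeps
# serving old data after "rndc reload" on the master.
zone_serial() { printf '%s%02d\n' "$(date +%Y%m%d)" "${1:-1}"; }

# Reverse zone name for a /24: 192.0.2 -> 2.0.192.in-addr.arpa
reverse_zone() { echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa" }'; }

# Every name that ends in a dot is absolute; names without a dot get $ORIGIN
# appended, so "ns1" means ns1.kartbuilding.net. and "ns1.kartbuilding.net"
# (no dot) would silently become ns1.kartbuilding.net.kartbuilding.net.
write_forward_zone() {   # $1 = output file, $2 = serial
    cat > "$1" <<EOF
\$TTL 3h
\$ORIGIN $DOMAIN.
@       IN  SOA ns1.$DOMAIN. hostmaster.$DOMAIN. (
                $2      ; serial
                3h      ; refresh
                1h      ; retry
                1w      ; expire
                1h )    ; negative-cache TTL
        IN  NS  ns1.$DOMAIN.
        IN  NS  ns2.$DOMAIN.
        IN  MX  10 mail.$DOMAIN.
@       IN  A   $HOST_IP
ns1     IN  A   $HOST_IP
ns2     IN  A   $NET.53
mail    IN  A   $HOST_IP
www     IN  CNAME @
EOF
}

write_reverse_zone() {   # $1 = output file, $2 = serial
    cat > "$1" <<EOF
\$TTL 3h
\$ORIGIN $(reverse_zone "$NET").
@       IN  SOA ns1.$DOMAIN. hostmaster.$DOMAIN. (
                $2 3h 1h 1w 1h )
        IN  NS  ns1.$DOMAIN.
        IN  NS  ns2.$DOMAIN.
10      IN  PTR $DOMAIN.
53      IN  PTR ns2.$DOMAIN.
EOF
}

# Run named-checkzone (bind9utils) if installed; returns 0 when the tool is
# absent or the zone is valid, non-zero on a zone error.
check_zone() {   # $1 = zone name, $2 = file
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2" >/dev/null
    else
        echo "named-checkzone not installed, skipping syntax check of $2" >&2
    fi
}

mkdir -p "$ZONEDIR"
serial=$(zone_serial 1)
write_forward_zone "$ZONEDIR/$DOMAIN.zone" "$serial"
write_reverse_zone "$ZONEDIR/$(reverse_zone "$NET").zone" "$serial"
check_zone "$DOMAIN" "$ZONEDIR/$DOMAIN.zone"
check_zone "$(reverse_zone "$NET")" "$ZONEDIR/$(reverse_zone "$NET").zone"
```

On a real server the generated files go under /etc/bind (or wherever the zone statements point) and are loaded with rndc reload; the reverse zone only matters once the ISP has delegated the in-addr.arpa block to your name servers.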
===== Setting up A Secondary DNS =====
[...]
**Config Master**
To set up the master (primary) DNS server, add the following:
<code>
vi /

//
</code>
**Config Slave**
BIND must already be installed on the secondary; it may well be serving DNS for another domain already. Edit the following file:
<code>
vi /
//add the following lines:
zone "
[...]

};
</code>
The /
<code>
mkdir /
chown bind:bind /
//I chose to change ownership of this file rather than chmod it 775.
</code>
allow-transfer should be set on the slave zones as well; otherwise anyone can request a zone transfer (AXFR) from the secondary and enumerate all your subdomains. See: [[DNS_-_Bind9#
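As an added example (not the page's own configuration), the following script writes a matching pair of named.conf.local fragments for a master and its secondary and checks them with named-checkconf when it is installed. The addresses are constructed from the RFC 5737 documentation ranges; the point it shows is that allow-transfer is needed on both sides, and that also-notify on the master saves the secondary from waiting out the SOA refresh interval.

```shell
#!/bin/sh
# Added example: master/secondary zone statements for one domain. Not from the
# page; addresses are constructed placeholders.
DOMAIN=kartbuilding.net
MASTER_IP=192.0.2.1          # constructed
SLAVE_IP=198.51.100.53       # constructed
OUTDIR=${OUTDIR:-/tmp/bind-secondary}

# Master: only the secondary may AXFR, and it is notified on every reload so it
# does not have to wait for the SOA refresh timer to notice a new serial.
write_master_conf() {
    cat > "$1" <<EOF
zone "$DOMAIN" {
    type master;
    file "/etc/bind/$DOMAIN.zone";
    allow-transfer { $SLAVE_IP; };
    also-notify { $SLAVE_IP; };
};
EOF
}

# Secondary: pulls the zone from the master and refuses AXFR to everyone else.
# Without its own allow-transfer line the secondary hands the whole zone to
# anyone who asks, which is the oversight the page warns about. The file lives
# in a directory writable by the bind user, since named dumps the transferred
# zone there (see the "permission denied" note below).
write_slave_conf() {
    cat > "$1" <<EOF
zone "$DOMAIN" {
    type slave;
    file "/var/cache/bind/slaves/$DOMAIN.zone";
    masters { $MASTER_IP; };
    allow-transfer { $MASTER_IP; };
    allow-notify { $MASTER_IP; };
};
EOF
}

# Syntax check with named-checkconf if present (0 when absent or valid).
check_conf() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1"
    else
        echo "named-checkconf not installed, skipping check of $1" >&2
    fi
}

mkdir -p "$OUTDIR"
write_master_conf "$OUTDIR/master.named.conf.local"
write_slave_conf  "$OUTDIR/slave.named.conf.local"
check_conf "$OUTDIR/master.named.conf.local"
check_conf "$OUTDIR/slave.named.conf.local"
# On the real secondary the zone directory must be owned by the bind user:
#   mkdir -p /var/cache/bind/slaves && chown bind:bind /var/cache/bind/slaves
```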
[...]
==== bind slave error: permission denied ====
On an Ubuntu box, I was getting:
<code>
bind dumping master file: /
</code>
Solution: http://
<code>
vi /
#add in:
/
</code>
===== Slow DNS lookup issues with bind9 =====
If ping, netstat and the like take a long time to resolve a name, there is a problem. Carry out the following test:
<code>
dig www.burkesys.com
</code>
Note the "Query time" that dig reports. Try the same test from a different computer (your local one, for example). If it takes 2000+ ms (milliseconds) this is poor.
After looking at problems found here: http://
I realised bind9 was doing a lookup via IPv6. Although IPv6 is enabled in my default Debian install, there is no IPv6 network. Bind9 however does a lookup over IPv6 first, then times out and tries IPv4.
Solutions: disable IPv6 on Debian Sarge, or disable IPv6 lookups in bind, or use a different DNS server for lookups.
It is difficult to cleanly disable IPv6 on Sarge, requiring a reboot and trial and error. <br>
To disable IPv6 lookups in bind9 on Debian Sarge, a recompile is required. If you are using Debian packages (like me) this is not ideal. <br>
The default bind9 that ships with Debian Etch (9.3.2-P1.0-1) can easily be configured to use IPv4 only by:
<code>
vi /

//-4 = to use ipv4 only.
</code>
As I was using Debian Sarge, and wanted a quick solution to my DNS lookup times, I decided to use my ISP's DNS server *only* for lookups. This entry is in /
<code>



</code>
BIND will still serve all the domains it hosts. The entry above only changes which resolver the server itself uses for its own lookups.

===== Solving Problems, Failings and Warnings from DNS report by www.dnsstuff.com =====

**Open DNS servers fail warnings**
By default, older bind configurations let any host use the server as a recursive resolver for arbitrary queries. A remote host could push hundreds of recursive lookups through it and overload it, and an open resolver can also be abused as an amplifier against third parties. Here is how to restrict recursion:

<code>
vi /
//put the following as the very first line (note the ip of secondary dns server):
acl recurseallow { 136.201.1.250;
//at the bottom of the same file put:
//
allow-recursion { recurseallow;
</code>
Debian squeeze by default only allows localhost and localnets to perform recursive lookups. To allow a particular IP or IP range to use your server for recursive lookups, add the following:
<code>
vi /

directory "/
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple

auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
allow-recursion { ip.address.range/
};
</code>
Ref: http://
<code>
#On Fedora, it's a little different due to how the named options are stored. Here is the config:
vi /
[...]
directory "/
auth-nxdomain no;
//The following is to have a closed DNS server.
allow-recursion { localhost; };
};
//
// a caching only nameserver config
//
zone "
</code>
That's it. You now have a closed DNS server.
---- | ---- | ||
[...]
===== Old Config Example and Other Information =====
Make the following file: - /
<code>
$TTL 3h
[...]
;Sub Mail domains

</code>
==== To Flush all DNS entries from CACHE -> ====
<code>
rndc flush
</code>
==== To Efficiently RELOAD DNS after adding a DNS entry -> ====
<code>
rndc reload
rndc reload domain.com
</code>
The second form reloads only the named zone. Bump the zone's SOA serial before reloading; otherwise the secondaries see no change and will not transfer the new data.

===== Prevent DNS lookup of sub domains =====
The "
<code>
host -l domain.com ip.of.their.ns.server
#to find all of the authoritative ns servers do the following:
[...]
> set type=ns
> domain.com
</code>
Another tool for attempting a zone transfer is dig:
<code>
dig -t axfr domain.com @ip.of.their.ns.server
</code>
Typically it is an oversight that allows this, especially on secondary name servers. The following line needs to be added to each slave zone:

<code>
vi /
#add the following to each slave zone, listing for example the master's IP address:

</code>
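The two checks this page keeps coming back to, that every zone (slave zones included) restricts AXFR and that recursion is not open to the world, can be audited from the configuration before anyone runs dig against you. The following is an added example, not the page's own tooling: it parses a named.conf fragment with awk and reports each zone's transfer policy plus the recursion setting, and it carries an optional network check that attempts AXFR against each authoritative server, the test the "Prevent DNS lookup of sub domains" section describes. The sample configuration is constructed (documentation-range addresses) and deliberately contains a slave zone that forgot allow-transfer.

```shell
#!/bin/sh
# Added example: audit a BIND named.conf for zones anyone can transfer and for
# an open recursive resolver. Not from the original page; the sample config
# below is constructed for the demo.

# Prints one line per zone, "zone <name> <type> <open|restricted>", then a
# final "recursion <open|restricted>" line. Reads the files given as arguments
# in order (named.conf.options before named.conf.local so a global
# allow-transfer is seen first). Assumes the layout used on this page: one
# statement per line, zone and options blocks starting at brace depth 0.
audit_named_conf() {
    awk '
    /^[[:space:]]*(\/\/|#)/ { next }                        # skip comment lines
    {
        if (depth == 0 && $0 ~ /^[[:space:]]*options[[:space:]]*[{]/) inopts = 1
        if (depth == 0 && $0 ~ /^[[:space:]]*zone[[:space:]]+"/) {
            zone = $0
            sub(/^[[:space:]]*zone[[:space:]]+"/, "", zone); sub(/".*/, "", zone)
            ztype = "?"; xfer = "open"
        }
        if (zone != "") {
            if ($0 ~ /^[[:space:]]*type[[:space:]]+/) {
                ztype = $0
                sub(/^[[:space:]]*type[[:space:]]+/, "", ztype); sub(/[[:space:]]*;.*/, "", ztype)
            }
            if ($0 ~ /allow-transfer/) xfer = "restricted"
        }
        if (inopts) {
            if ($0 ~ /allow-transfer/) gxfer = "restricted"      # global default for all zones
            if ($0 ~ /allow-recursion/ || $0 ~ /recursion[[:space:]]+no/) recursion = "restricted"
        }
        for (i = 1; i <= length($0); i++) {                  # track brace depth
            c = substr($0, i, 1)
            if (c == "{") depth++; else if (c == "}") depth--
        }
        if (depth == 0) {
            if (zone != "") {
                print "zone", zone, ztype, (xfer == "restricted" ? xfer : (gxfer == "restricted" ? "restricted" : "open"))
                zone = ""
            }
            inopts = 0
        }
    }
    END { print "recursion", (recursion == "restricted" ? recursion : "open") }
    ' "$@"
}

# Constructed sample: a master zone that restricts AXFR to its secondary, a
# slave zone that forgot to, and an options block that leaves recursion open.
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
    // no allow-recursion here: any host on the Internet can use this server as a resolver
};
zone "kartbuilding.net" {
    type master;
    file "/etc/bind/kartbuilding.net.zone";
    allow-transfer { 192.0.2.53; };     // only the secondary may AXFR
};
zone "example.org" {
    type slave;
    file "/var/cache/bind/slaves/example.org.zone";
    masters { 192.0.2.1; };
};
EOF
}

# Network check (needs dig and connectivity, not run by default): try a zone
# transfer from each authoritative server. With +noall +answer a successful
# AXFR prints records, a refused one prints only a ";"-prefixed status line.
check_axfr() {   # $1 = domain
    for ns in $(dig +short NS "$1"); do
        if dig +noall +answer -t axfr "$1" "@$ns" | grep -q '^[^;]'; then
            echo "LEAK: $ns allows AXFR of $1"
        else
            echo "ok:   $ns refuses AXFR of $1"
        fi
    done
}

conf=$(mktemp)
write_sample_conf "$conf"
audit_named_conf "$conf"        # expected: example.org reported open, recursion open
rm -f "$conf"
```

Run it as `audit_named_conf /etc/bind/named.conf.options /etc/bind/named.conf.local` on the server; any zone reported as open, or a final "recursion open", is exactly what the dnsstuff report and a stranger's `dig -t axfr` will find.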
---- | ---- | ||
dns_-_bind9.1658261600.txt.gz · Last modified: 2022/07/19 21:13 by 127.0.0.1