dns_-_bind9

Differences

dns_-_bind9 [2022/07/19 21:13] – external edit 127.0.0.1
dns_-_bind9 [2022/07/19 23:57] (current) – Updated formatting admin
Line 4: Line 4:
  
 ===== To setup Bind9 locally: ===== ===== To setup Bind9 locally: =====
 +<code>
  apt-get install bind9  apt-get install bind9
 +</code>
  
 This should install and work ok. Note: Firewall rules are required. See [[Iptables Firewall|Firewall]] section. This should install and work ok. Note: Firewall rules are required. See [[Iptables Firewall|Firewall]] section.
 In order to start using bind locally, edit /etc/resolv.conf In order to start using bind locally, edit /etc/resolv.conf
 +<code>
  search domainname.com  search domainname.com
  nameserver 127.0.0.1  nameserver 127.0.0.1
 +</code>
 (The "search domainname.com" allows you to ping/access subdomain names without typing in the entire address. I.E. ping www will ping www.domainname.com )<br> (The "search domainname.com" allows you to ping/access subdomain names without typing in the entire address. I.E. ping www will ping www.domainname.com )<br>
 Restart bind: - /etc/init.d/bind9 restart Restart bind: - /etc/init.d/bind9 restart
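Review bot: the restart step on the last line of this hunk (`Restart bind: - /etc/init.d/bind9 restart`) is the only command left in running text after the surrounding `apt-get install bind9` and `resolv.conf` lines were fenced; give it its own `<code>` block, and the stray `<br>` closing the `search domainname.com` explanation is no longer needed once the layout is fenced. The text could also make explicit that `nameserver 127.0.0.1` only makes this host use its own bind for lookups; which other hosts can reach it is governed by the firewall rules the note refers to.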
Line 17: Line 21:
 ===== Configing Bind (version 9): ===== ===== Configing Bind (version 9): =====
 Check to see if the following is referenced in /etc/bind/named.conf Check to see if the following is referenced in /etc/bind/named.conf
 +<code>
  include "/etc/bind/named.conf.local"; is in /etc/bind/named.conf  include "/etc/bind/named.conf.local"; is in /etc/bind/named.conf
 +</code>
  
 **Edit the following file:** **Edit the following file:**
 +<code>
  vi /etc/bind/named.conf.local  vi /etc/bind/named.conf.local
- <nowiki>//</nowiki>This file contains all local and changable info. + //This file contains all local and changable info. 
- <nowiki>//</nowiki>Begin File - by creating the following entry: + //Begin File - by creating the following entry: 
- <nowiki>//</nowiki>----------- Begin Kartbuilding.net ------------+ //----------- Begin Kartbuilding.net ------------
  zone "kartbuilding.net" {  zone "kartbuilding.net" {
         type master;         type master;
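Review bot: the first new fence in this hunk wraps prose as if it were config: `include "/etc/bind/named.conf.local"; is in /etc/bind/named.conf` is not a valid named.conf line, so keep only `include "/etc/bind/named.conf.local";` inside `<code>` and move the rest into the sentence above it ("check that ... is in /etc/bind/named.conf"). The second fence mixes the editor command `vi /etc/bind/named.conf.local` with the file's contents, so a reader copying the block gets the `vi` line in the file; splitting the command from the contents fixes that. The `//` comment lines are correct here, since named.conf accepts `//`, `#` and `/* */` comments, and "changable" should read "changeable".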
Line 30: Line 37:
  };  };
    
- <nowiki>//</nowiki>The next is the reverse DNS entry.+ //The next is the reverse DNS entry.
  zone "1.201.136.in-addr.arpa" {  zone "1.201.136.in-addr.arpa" {
          type master;          type master;
          file "/etc/bind/zones/136.201.1.db";          file "/etc/bind/zones/136.201.1.db";
  };  };
- <nowiki>//</nowiki>------------ End of kartbuilding.net ----------+ //------------ End of kartbuilding.net ---------- 
 +</code>
  
 **Create the kartbuilding.net.zone file:** **Create the kartbuilding.net.zone file:**
 +<code>
  vi /etc/bind/zones/kartbuilding.net.zone  vi /etc/bind/zones/kartbuilding.net.zone
- <nowiki>//</nowiki>Begin file --------------------------------+ //Begin file --------------------------------
  $TTL 3h  $TTL 3h
    
Line 60: Line 69:
        IN      A       136.201.1.250   ; the @ is for the no www name. E.g. http://kartbuilding.net (without www's)        IN      A       136.201.1.250   ; the @ is for the no www name. E.g. http://kartbuilding.net (without www's)
  www.portal      IN      A       136.201.1.250  www.portal      IN      A       136.201.1.250
- <nowiki>//</nowiki>End file ------------------------------------+ //End file ------------------------------------ 
 +</code>
  
 **Create Reverse DNS lookup file:** **Create Reverse DNS lookup file:**
 This is just for reverse DNS lookups. Reverse DNS entries also have to be made with your ISP - as reverse DNS entries come from them. This is just for reverse DNS lookups. Reverse DNS entries also have to be made with your ISP - as reverse DNS entries come from them.
 +<code>
  vi /etc/bind/zones/136.201.1.db  vi /etc/bind/zones/136.201.1.db
- <nowiki>//</nowiki>Start of file -------------------------+ //Start of file -------------------------
        IN      SOA     kartbuilding.net. root.kartbuilding.net. (        IN      SOA     kartbuilding.net. root.kartbuilding.net. (
                        ; counter/ Serial                        ; counter/ Serial
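Review bot: `//End file ---...` (closing the kartbuilding.net.zone block) and `//Start of file ---...` (opening 136.201.1.db) are not valid in a zone file: master-file syntax only knows `;` comments, so named refuses to load either zone if the markers are copied in, and `named-checkzone` reports the error. Switch these, together with the matching `//Begin file` and `//End of file` markers, to `;` comments or drop them, since the `<code>` fence now delimits the file; the `//` form is only right inside named.conf and named.conf.local. Note also that the `IN A 136.201.1.250` line in this hunk has no owner name: in a zone file a blank owner repeats the previous record's owner, so the `@` the trailing comment refers to has to be written explicitly if the record is meant to be the zone apex.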
Line 76: Line 87:
    
  250     IN      PTR     servername.kartbuilding.net.  250     IN      PTR     servername.kartbuilding.net.
- <nowiki>//</nowiki>End of file ---------------------------+ //End of file --------------------------- 
 +</code>
  
 **Start bind and Test:** **Start bind and Test:**
 +<code>
  /etc/init.d/bind start  /etc/init.d/bind start
  CHECK LOGS::  CHECK LOGS::
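Review bot: `/etc/init.d/bind start` in this hunk does not match the `/etc/init.d/bind9 restart` used earlier on the page; the Debian package installs the init script as `bind9`, so the command as written fails. `CHECK LOGS::` is an instruction rather than a command and does not belong inside the `<code>` fence; a short prose sentence naming where named logs on this install (syslog by default on Debian) would be more useful to the reader.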
Line 87: Line 100:
  Go to http://www.dnsstuff.com and carryout a DNS report.  Go to http://www.dnsstuff.com and carryout a DNS report.
  
 +</code>
 If you don't have bind installed you wont have nslookup and you'll get: If you don't have bind installed you wont have nslookup and you'll get:
 +<code>
  -bash: nslookup: command not found  -bash: nslookup: command not found
 +</code>
 +
 To solve this: To solve this:
 +<code>
  apt-get install dnsutils  apt-get install dnsutils
 +</code>
  
 ===== Setting up A Secondary DNS ===== ===== Setting up A Secondary DNS =====
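Review bot: the `</code>` for the "Start bind and Test" block is placed after `Go to http://www.dnsstuff.com and carryout a DNS report.`, so that sentence renders as code; move the fence up so the sentence stays prose. While here: "carryout" should be "carry out", "wont" should be "won't", and the nslookup note is about the `dnsutils` package (which provides `nslookup`, `dig` and `host`) rather than bind itself, which is what the `apt-get install dnsutils` fix two lines below already implies.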
Line 99: Line 118:
 **Config Master** **Config Master**
 To setup the master (main or primary DNS server) the following must be added: To setup the master (main or primary DNS server) the following must be added:
 +<code>
  vi /etc/bind/zones/kartbuilding.net.zone  vi /etc/bind/zones/kartbuilding.net.zone
  allow-transfer { 88.211.211.211; };  allow-transfer { 88.211.211.211; };
- <nowiki>//</nowiki>where the above ip is the secondary dns server's.+ //where the above ip is the secondary dns server's. 
 +</code>
  
 **Config Slave** **Config Slave**
 Of course bind will have to be installed and it could be perhaps serving out dns for another domain! Edit the following file: Of course bind will have to be installed and it could be perhaps serving out dns for another domain! Edit the following file:
 +<code>
  vi /etc/bind/named.conf.local  vi /etc/bind/named.conf.local
- <nowiki>//</nowiki>add the following lines:+ //add the following lines:
    
  zone "kartbuilding.net" {  zone "kartbuilding.net" {
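Review bot: `allow-transfer { 88.211.211.211; };` is shown being added to `/etc/bind/zones/kartbuilding.net.zone`, but it is a named.conf zone-statement option, not zone-file syntax, and putting it in the zone file breaks loading of that zone. It belongs inside the `zone "kartbuilding.net" { ... }` block in `/etc/bind/named.conf.local`, the same file the slave configuration in this hunk edits. Listing only the secondary's address there is right; historically BIND's default `allow-transfer` was `any`, which is exactly the exposure the "Prevent DNS lookup of sub domains" section later describes.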
Line 114: Line 136:
          allow-transfer { 136.201.1.250; };          allow-transfer { 136.201.1.250; };
  };  };
 +</code>
 The /etc/bind/slaves directory must be created, and also bind must be given permission to write to this slaves directory. This is because bind runs as user bind - and can only edit files it owns, or if the directory is chmod'd 775. The /etc/bind/slaves directory must be created, and also bind must be given permission to write to this slaves directory. This is because bind runs as user bind - and can only edit files it owns, or if the directory is chmod'd 775.
 +<code>
  mkdir /etc/bind/slaves  mkdir /etc/bind/slaves
  chown bind:bind /etc/bind/slaves  chown bind:bind /etc/bind/slaves
- <nowiki>//</nowiki>I chose to change ownership of this file rather than chmod it 775.+ //I chose to change ownership of this file rather than chmod it 775. 
 +</code>
  
 The allow-transfer should be included even for the slave zone files, otherwise anyone could do a zone transfer and lookup all your sub domains. See: [[DNS_-_Bind9#Prevent_DNS_lookup_of_sub_domains]] The allow-transfer should be included even for the slave zone files, otherwise anyone could do a zone transfer and lookup all your sub domains. See: [[DNS_-_Bind9#Prevent_DNS_lookup_of_sub_domains]]
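Review bot: the sentence about `chmod'd 775` in this hunk is only true if the directory's group is `bind`; mode 775 on a root:root directory still gives the bind user no write access, so the `chown bind:bind /etc/bind/slaves` that follows is the correct fix and the comment could say so rather than presenting the two as equivalent. On the slave zone statement, `allow-transfer { 136.201.1.250; };` permits the master to pull the zone back from the secondary; if nothing needs that, `allow-transfer { none; };` is the tighter setting and still satisfies the closing note about not exposing sub domains.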
Line 127: Line 152:
 ==== bind slave error: permission denied ==== ==== bind slave error: permission denied ====
 On a Ubuntu box, I was getting: On a Ubuntu box, I was getting:
 +<code>
  bind dumping master file: /etc/bind/zones/slaves/: open: permission denied  bind dumping master file: /etc/bind/zones/slaves/: open: permission denied
 +</code>
 Solution: http://smaftoul.wordpress.com/2009/04/17/ubuntu-and-bind-acting-as-slave/ Solution: http://smaftoul.wordpress.com/2009/04/17/ubuntu-and-bind-acting-as-slave/
 +<code>
  vi /etc/apparmor.d/usr.sbin.named  vi /etc/apparmor.d/usr.sbin.named
  #add in:  #add in:
    /etc/bind/zones/slaves/** rw,    /etc/bind/zones/slaves/** rw,
- + </code>
  
 ===== Slow DNS lookup issues with bind9 ===== ===== Slow DNS lookup issues with bind9 =====
 If ping or netstat etc. takes a long time to return an ip - there is a problem. Carry out the following test: If ping or netstat etc. takes a long time to return an ip - there is a problem. Carry out the following test:
 +<code>
  dig www.burkesys.com  dig www.burkesys.com
 +</code>
 Identify the time taken. Try the same test on a different computer (your local one etc.). If it takes 2000+ msec (milliseconds) this is poor. Identify the time taken. Try the same test on a different computer (your local one etc.). If it takes 2000+ msec (milliseconds) this is poor.
 After looking at problems found here: http://www.unixadmintalk.com/f59/bind-9-2-4-1-very-slow-resolving-uncached-querres-129112/index2.html and http://v6fix.net/db/bind9-ipv6-transport.html After looking at problems found here: http://www.unixadmintalk.com/f59/bind-9-2-4-1-very-slow-resolving-uncached-querres-129112/index2.html and http://v6fix.net/db/bind9-ipv6-transport.html
 I realised bind9 was doing a lookup via ipv6. Although ipv6 is enabled in my default debian install, there is no ipv6 network. Bind9 however does a lookup over ipv6 first, then times out and tries ipv4. I realised bind9 was doing a lookup via ipv6. Although ipv6 is enabled in my default debian install, there is no ipv6 network. Bind9 however does a lookup over ipv6 first, then times out and tries ipv4.
  
-Solutions: Disable ipv6 on Debian Sarge, or Disable ipv6 bind lookup, or use a different dns server for lookups. <br>+Solutions: Disable ipv6 on Debian Sarge, or Disable ipv6 bind lookup, or use a different dns server for lookups. 
 It is difficult to cleanly disable ipv6 on Sarge, requiring reboot and trial and error. <br> It is difficult to cleanly disable ipv6 on Sarge, requiring reboot and trial and error. <br>
 In order to Disable ipv6 lookup on bind9 with Debian Sarge - a recompile is required. If you are using debian packages (like me) this is not ideal. <br> In order to Disable ipv6 lookup on bind9 with Debian Sarge - a recompile is required. If you are using debian packages (like me) this is not ideal. <br>
 The default bind9 that ships with Debian Etch (9.3.2-P1.0-1) can easily be configured to use ipv4 by: The default bind9 that ships with Debian Etch (9.3.2-P1.0-1) can easily be configured to use ipv4 by:
 +<code>
  vi /etc/default/bind9  vi /etc/default/bind9
  OPTIONS="-4 -u bind"  OPTIONS="-4 -u bind"
- <nowiki>//</nowiki>-4 = to use ipv4 only.+ //-4 = to use ipv4 only.
 As I was using Debian Sarge, and wanted a quick solution to my DNS lookup times, I decided to use my ISP dns server *only* for lookups. This entry is in /etc/resolv.conf and I put the following syntax: As I was using Debian Sarge, and wanted a quick solution to my DNS lookup times, I decided to use my ISP dns server *only* for lookups. This entry is in /etc/resolv.conf and I put the following syntax:
 +<code>
  search domainname.com  search domainname.com
  nameserver 43.111.98.12  nameserver 43.111.98.12
  nameserver 43.111.21.45  nameserver 43.111.21.45
 +</code>
 Bind will still serve out all domain names when requested. The above simply uses the ISP's dns server for lookups on the server. Bind will still serve out all domain names when requested. The above simply uses the ISP's dns server for lookups on the server.
 +
 ===== Solving Problems, Failings and Warnings from DNS report by www.dnsstuff.com ===== ===== Solving Problems, Failings and Warnings from DNS report by www.dnsstuff.com =====
-**Open DNS servers fail warnings**+ 
 +Open DNS servers fail warnings
  
 Typically bind will allow any other server/ip to query it and use it as a DNS server for its queries. Therefore - a foreign server could be doing a dns lookup for hundreds of domains etc. and may overload your dns server! Here is how to solve this: Typically bind will allow any other server/ip to query it and use it as a DNS server for its queries. Therefore - a foreign server could be doing a dns lookup for hundreds of domains etc. and may overload your dns server! Here is how to solve this:
-<del>+ 
 + 
 +<code>
  vi /etc/bind/named.conf.options  vi /etc/bind/named.conf.options
- <nowiki>//</nowiki>put the following as the very first line (note the ip of secondary dns server):+ //put the following as the very first line (note the ip of secondary dns server):
  acl recurseallow { 136.201.1.250; 127.0.0.1; 88.211.211.211; };  acl recurseallow { 136.201.1.250; 127.0.0.1; 88.211.211.211; };
- <nowiki>//</nowiki> at the bottom of the same file put: + //at the bottom of the same file put: 
-         <nowiki>//</nowiki>recursion no;+         //recursion no;
         allow-recursion { recurseallow; };         allow-recursion { recurseallow; };
-</del>+</code> 
  
 Debian squeeze by default will only allow localhost and localnets to perform dns lookups. To allow a particular IP or IP range to carry out dns lookups with your dns server, you need to add the following: Debian squeeze by default will only allow localhost and localnets to perform dns lookups. To allow a particular IP or IP range to carry out dns lookups with your dns server, you need to add the following:
 +<code>
  vi /etc/bind/named.conf.options  vi /etc/bind/named.conf.options
  options {  options {
         directory "/var/cache/bind";         directory "/var/cache/bind";
    
-        <nowiki>//</nowiki> If there is a firewall between you and nameservers you want +        // If there is a firewall between you and nameservers you want 
-        <nowiki>//</nowiki> to talk to, you may need to fix the firewall to allow multiple +        // to talk to, you may need to fix the firewall to allow multiple 
-  <nowiki>//</nowiki>..........+  //..........
         auth-nxdomain no;    # conform to RFC1035         auth-nxdomain no;    # conform to RFC1035
         listen-on-v6 { any; };         listen-on-v6 { any; };
         allow-recursion { ip.address.range/26; 172.20.20.0/24; ip.address; };         allow-recursion { ip.address.range/26; 172.20.20.0/24; ip.address; };
  };  };
 +</code>
 Ref: http://debianserver.wikidot.com/squeeze:intranet-dns-cache Ref: http://debianserver.wikidot.com/squeeze:intranet-dns-cache
  
 +<code>
  #On fedora, its a little different due to how the named options are stored. Here is the config:  #On fedora, its a little different due to how the named options are stored. Here is the config:
  vi /etc/named.conf  vi /etc/named.conf
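Review bot: the `<code>` opened before `vi /etc/default/bind9` in this hunk is never closed: after `//-4 = to use ipv4 only.` the paragraph beginning "As I was using Debian Sarge" follows directly and then a second `<code>` opens, so the first block swallows the prose and the nested fence renders wrongly; add a `</code>` after the `-4` comment line. Two smaller points: the `**Open DNS servers fail warnings**` heading lost its bold and is now a bare line, and the AppArmor rule `/etc/bind/zones/slaves/** rw,` names `/etc/bind/zones/slaves/` while the directory created earlier on the page is `/etc/bind/slaves`; the profile path must match the `file` path used in the slave zone statement or the permission-denied error persists. In the `acl recurseallow` block, the secondary (88.211.211.211) only needs to be a recursion client if that host actually uses this server as its resolver; zone transfers do not require recursion, so `allow-transfer` and `allow-recursion` can be kept independent.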
Line 186: Line 228:
         directory "/var/named/chroot/var/named";         directory "/var/named/chroot/var/named";
         auth-nxdomain no;         auth-nxdomain no;
-        <nowiki>//</nowiki>The following it to have a closed DNS Server.+        //The following it to have a closed DNS Server.
         allow-recursion { localhost; };         allow-recursion { localhost; };
  };  };
- <nowiki>//</nowiki> + // 
- <nowiki>//</nowiki> a caching only nameserver config + // a caching only nameserver config 
- <nowiki>//</nowiki>+ //
  zone "." {.................  zone "." {.................
 +</code>
 Thats it. You now have a closed DNS server. Thats it. You now have a closed DNS server.
 ---- ----
Line 200: Line 243:
 ===== Old Config Example and Other Information ===== ===== Old Config Example and Other Information =====
 Make the following file: - /etc/bind/kartbuilding.net Make the following file: - /etc/bind/kartbuilding.net
 +<code>
  
      $TTL 3h      $TTL 3h
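Review bot: `//The following it to have a closed DNS Server.` should read "is to have". Because the `zone "." {.................` line is elided, the sentence after the block should say which named.conf statements were cut so a reader does not copy the literal dots. `allow-recursion { localhost; };` on its own leaves `allow-query` at its default, which is the intended shape for an authoritative server that should not recurse for outsiders, and stating that would make the "closed DNS server" claim precise.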
Line 224: Line 268:
      ;Sub Mail domains      ;Sub Mail domains
      lists      MX      5 lists      lists      MX      5 lists
 +</code>
  
 ==== To Flush all DNS entries from CACHE -> ==== ==== To Flush all DNS entries from CACHE -> ====
 +<code>
  rndc flush  rndc flush
 +</code>
  
 ==== To Efficiently RELOAD DNS after adding a DNS entry -> ==== ==== To Efficiently RELOAD DNS after adding a DNS entry -> ====
 +<code>
  rndc reload   <nowiki>//</nowiki>use this instead of reloading all of bind  rndc reload   <nowiki>//</nowiki>use this instead of reloading all of bind
  rndc reload domain.com   <nowiki>//</nowiki>use this to reload just the domain.com config file  rndc reload domain.com   <nowiki>//</nowiki>use this to reload just the domain.com config file
 +</code>
 +
  
 ===== Prevent DNS lookup of sub domains ===== ===== Prevent DNS lookup of sub domains =====
 The "host" utility, which is default with debian, will attempt to perform a zone transfer in order to look at all of the sub domains! The syntax is: The "host" utility, which is default with debian, will attempt to perform a zone transfer in order to look at all of the sub domains! The syntax is:
 +<code>
  host -l domain.com ip.of.their.ns.server  host -l domain.com ip.of.their.ns.server
  #to find all of the authorative ns servers do the following:  #to find all of the authorative ns servers do the following:
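Review bot: the two `rndc reload` lines keep `<nowiki>//</nowiki>` even though they now sit inside `<code>`, where nowiki is redundant (the rest of this change strips it), and `//` is not a comment marker in a shell, so a reader pasting the line runs `rndc reload // use this ...`; use `#`, as the `#to find all of the authorative ns servers` line below already does. `rndc reload domain.com` reloads the named zone, not a "config file", and "authorative" should be "authoritative".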
Line 240: Line 290:
  > set type=ns  > set type=ns
  > domain.com  > domain.com
 +</code>
  
 Another tool to do domain lookups is: Another tool to do domain lookups is:
 +<code>
  dig -t axfr  dig -t axfr
 +</code>
  
 Typically it is an oversight which allows the above, especially on secondary ns's. The following line needs to be added to the slave dns entries: Typically it is an oversight which allows the above, especially on secondary ns's. The following line needs to be added to the slave dns entries:
 +
 +<code>
  vi /etc/bind/named.conf.local  vi /etc/bind/named.conf.local
  #add the following for each slave zone, including the master ip address for example.  #add the following for each slave zone, including the master ip address for example.
  allow-transfer { some.ip.address.of.yours.eg.master.ns; };  allow-transfer { some.ip.address.of.yours.eg.master.ns; };
 +</code>
 ---- ----
  
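Review bot: the zone-transfer fix at the end of this hunk (`allow-transfer { some.ip.address.of.yours.eg.master.ns; };` added for each slave zone) shows neither where the line goes nor how to confirm it worked: the option must sit inside the `zone "..." { }` statement in `/etc/bind/named.conf.local`, not at the top level of the file, and after `rndc reload` the `host -l domain.com ip.of.their.ns.server` test from the start of this section should be repeated against your own secondary and be refused. `dig -t axfr` as shown omits the zone name and the `@server` to query, so it does not test the zone in question.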
dns_-_bind9.1658261600.txt.gz · Last modified: 2022/07/19 21:13 by 127.0.0.1