01
Install BINDBIND stands for Berkeley Internet Name Domain and is an implementation of the DNS protocols. On a Debian 7 system you can install the latest version of BIND by running the following command:
# apt-get install bind9
To fi nd your version of BIND, execute the following command:
# named -v
BIND 9.8.4-rpz2+rl005.12-P1
04
The dig utilityThe dig utility can show you the same DNS related information as host, however, dig’s output is more populated by default. In order to fi nd the DNS servers of the co.uk domain with the help of dig, you could do this by executing the following command:
$ dig co.uk. ns
Trying to perform a AXFR query with dig fails:
$ dig @localhost co.uk. axfr
; <<>> DiG 9.8.4-rpz2+rl005.12-P1 <<>> @ localhost co.uk. axfr
; (2 servers found) ;; global options: +cmd ; Transfer failed.
AXFR is a mechanism for replicating DNS data across DNS servers, but it can also be used for evil purposes. The DNS Administrator is responsible for allowing the access to the AXFR protocol to specifi c machines and restricting it to the rest of the world.
02
What is Cache DNS server?A caching-only DNS server does not contain information about a domain; it just contains information based on the results of the DNS queries it has already performed. The main reason that DNS caching works well is because DNS data does not change frequently.
05
The /etc/resolv.conf fileThe quickest way to see your DNS confi guration is by looking at the /etc/resolv.conf fi le, where you can see the IP address for each DNS server used; each entry starts with the nameserver keyword. There is no point in using anything but an IP address for a DNS server. Usually, the administrator deals with this fi le when setting up a Linux machine; otherwise it is populated when your Linux machine gets its network confi guration using DHCP.
03
The host utilityHost produces a clean output and that is the main reason for liking it – it can easily be used inside shell scripts. Its last parameter, which is optional, is the name of the DNS server to ask. If not given, it uses the /etc/resolv.conf fi le to fi nd a DNS server to ask.
Used with the -t mx parameters, host shows the mail servers for a domain or a subdomain: # host -t mx linuxuser.co.uk
linuxuser.co.uk mail is handled by 10 mail.imagine-publishing.co.uk.
linuxuser.co.uk mail is handled by 20 mail2.imagine-publishing.co.uk.
The numbers that you see after the “handled by” are the preference values that indicate the mail exchanger’s priority. A preference value by itself is not important, what is important is its relationship to the other values.
Mail servers should attempt to deliver to the mail exchangers with the lowest values fi rst. If the delivery fails for some reason, then the mail exchanger with the next highest value will be tried. If two or more mail exchangers have the same preference value, it is up to the mail server to decide which one to choose. The primary DNS server is responsible for defi ning the email server for a domain or a subdomain.
Used with the -t ns parameters, host shows the DNS Servers for a domain.
03
The host utility11
Manage the caching DNS serverYou already know how to start the DNS server. The following command stops it:
# /etc/init.d/bind9 stop And then this command restarts it: # /etc/init.d/bind9 restart
[....] Stopping domain name service...: bind9waiting for pid 24713 to die . ok
[ ok ] Starting domain name service...: bind9.
09
The /etc/bind/db.root fi leThe db.root fi le holds the information on root name servers, denoted by a single dot, needed to initialise the cache of internet domain name servers. You can manually generate it by running the following command:
$ dig @a.root-servers.net . NS > db.root
10
The configuration fileThe default BIND confi guration is almost ready to support a caching DNS server. You will only need to explicitly turn recursion on and then it will all be done. This action can be completed by adding a line inside ‘named.conf.options’ that contains the ‘recursion yes;’ text.
The next step then is to run the BIND server process as follows:
# /etc/init.d/bind9 start
You will also need to add an access control list to reduce traffi c and increase security, and you will learn about access control lists a little later on in Step 14. The DNS service will usually listen to port number 53, as you can clearly see from the following output:
# telnet localhost 53 Trying ::1...
Connected to localhost.
06
The rndc utilityThe rndc executable is the name server control utility. It controls the operation of the name server and it communicates with the named process using a TCP connection. The rndc utility has a confi guration fi le called rndc. conf that has structure and syntax similar to named.conf. You can type man rndc-confgen and man rndc.conf for more information.
07
Other types of DNS serversThere are three more types of DNS servers: primary, secondary and forwarding. Each domain should have at least one primary and one secondary DNS server.
A primary DNS server (or Master) defi nes one or more zone fi les for which this DNS is authoritative. A zone has been assigned to a DNS server using an NS Resource Record.
A secondary DNS server (or Slave) mainly acts as the backup of the primary DNS server in case it goes down for some reason.
A forwarding DNS server is almost identical to a caching server from the perspective of a client. Its difference is that it does not perform recursive queries itself; it just forwards them to another DNS server, gets the response back and then caches the results.
It is not possible to fi nd out from a query result whether it was answered from a zone master or from a slave.
08
The /etc/bind directoryAll confi guration fi les related to BIND are located inside the /etc/bind directory. You will need root access to make changes to it and you will have to restart the named process for the changes to take effect.
BIND keeps some other fi les inside /var/ cache/bind:
# ls -l /var/cache/bind/ total 24
-rw-r--r-- 1 bind bind 698 Oct 15 09:46 managed-keys.bind
-rw-r--r-- 1 bind bind 512 Oct 15 09:46 managed-keys.bind.jnl
-rw-r--r-- 1 bind bind 9446 Oct 15 11:17 named_dump.db
-rw-r--r-- 1 bind bind 1103 Oct 14 10:58 named.stats
10
The confi guration fi le for the caching server12
Use the caching DNS serverA caching server is used like a regular DNS server. If you want to reduce the DNS traffi c on your LAN, you should put the IP of the caching server in the /etc/resolv.conf fi le and comment out all other DNS servers. However, this can be dangerous because if the caching DNS server stops working for some reason, your network will not be able to operate normally.
13
The log files of BINDAll log messages from BIND are stored in the /var/log/syslog fi le. The named command can produce a large amount of log messages, so you might decide that you want to decrease the log level using rndc after making sure that your DNS server works without any problems.
14
Access control lists (ACL)An acl list defi nes which hosts can and cannot access a DNS server. The following lines defi ne a new access control list:
acl OTENET { 2.86/16; localhost; localnets; };
The defi nition of the list does not automatically make the list active. You should add the following line to turn on the OTENET access control list:
allow-query { OTENET; };
As soon as the DNS server starts running, many unknown hosts will try to connect to it; so do not delay generating as many access lists as needed to protect your DNS server.
15
Check your configurationBIND comes with many tools that can help you to check the correctness of your current confi guration. These tools include named-checkconf, named-checkzone and named-compilezone.
16
Test the cache DNS serverIn order to test your DNS server, try to query a domain that is not the DNS cache and see how much time it takes to answer the query. Next, ask the same DNS query and you should see a way better response time.
17
Advantages of a caching serverThe advantages of using a cache DNS server on your network are less LAN traffi c and less Internet traffi c. You also get DNS responses quicker for queries that have already been answered by the caching server.
BIND has a handy command to dump all the records of a DNS server to a single fi le. It can then re-read this data when it starts again: # rndc dumpdb -all
# ls -l /var/cache/bind/named_dump.db -rw-r--r-- 1 bind bind 9446 Oct 15 11:15 /var/cache/bind/named_dump.db
For the purposes of this tutorial, the most useful utility is named-checkconf which checks the syntactical validity of your confi guration. If there are no syntax errors in your current confi guration, you will get no output. No tool can catch logical DNS errors.