Bind


Configuration

named.conf

For an internet Primary DNS server:

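//xxx
// The "slaves" ACL (hosts allowed to pull zone transfers) lives in its own file.
include "/etc/bind/slaves.conf";
// Recursion is allowing other hosts to look up domain names not hosted / cached by this bind server

// Hosts that may use this server as a recursive resolver. This is matched on
// source address only, so keep the list short and current (the original list
// had 82.94.91.75 twice; the duplicate entry is dropped here).
acl "recursehosts" {
        127.0.0.1; 212.61.33.42; localhost; 82.94.91.75; 82.92.214.79; 195.64.90.139; 31.160.12.68; 188.204.140.220;
};

include "/etc/bind/named.conf.options";

// View for the trusted hosts above: recursion enabled, and the local, default
// and public zones are all visible. The matching allow-recursion /
// allow-query-cache lines for this ACL go into named.conf.options (see the
// named.conf.options section below).
view "recursehosts" {
        match-clients { recursehosts; };
        recursion yes;
        // Transfers are authorised by source IP only; a TSIG key in the
        // "slaves" ACL would also authenticate the requesting server.
        allow-transfer { "slaves"; };

include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.db";
};

// View for everybody else: authoritative answers for the public zones only,
// no recursion, so the server cannot be used as an open resolver.
view "outside" {
        match-clients { any; };
        recursion no;
        allow-transfer { "slaves"; };

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// edns-udp-size 1400;
include "/etc/bind/named.conf.db";
};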

If the server is internal only rather than internet-facing, use the defaults and only edit named.conf.local

For a slave internet server

// The "masters" ACL (the primaries) lives in its own file, see masters.conf below.
include "/etc/bind/masters.conf";

# These hosts are allowed to look up external domain names on this name server (ie domain names that aren't being served specifically by this server)
# Matching is on source address only, so keep this list current.

acl "recursehosts" {
        127.0.0.1; localhost; 212.61.33.42; 82.92.214.79; 10.0.0.101; 31.160.12.69; 90.145.83.186; 188.204.140.220;
};

include "/etc/bind/named.conf.options";

# Recursive hosts are allowed to look up domain names for which this named server is not authoritative. The host list is defined in the acl above. The view below defines what they're allowed to do. I'm also allowing the master servers to transfer zones from this server. The list of master servers is defined in the top include (masters.conf)

view "recursehosts" {
        match-clients { "recursehosts"; };
        recursion yes;
        # Transfers are authorised by source IP only; a TSIG key in the
        # "masters" ACL would also authenticate the peer.
        allow-transfer { "masters"; };

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

# I want recursehosts to be able to see my own zones too!
include "/etc/bind/named.conf.db";

};
# This view is for any hosts not specifically noted in the view above. They get to only look up the domains this server has (included in this view as named.conf.db). No recursion, so this server is not an open resolver.

view "outside" {
        match-clients { any; };
        recursion no;
        allow-transfer { "masters"; };

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

# this is the official zone file db
include "/etc/bind/named.conf.db";
# include cyberfront zone files
include "/etc/bind/named.cyberfront.conf.db";
#include "/etc/bind/named.moondust.conf.db";
# Debian RFC1918 zones
# NOTE(review): everything in named.conf.local is served to any client in this
# view. If that file holds internal zones (as in the named.conf.local example
# further down this page) rather than the RFC 1918 stub zones, they become
# visible to the outside world - confirm its contents on this server.
include "/etc/bind/named.conf.local";
};

named.conf.options

// Global options. For an internet-facing server the allow-recursion /
// allow-query-cache lines listed just below this block must be added in here
// as well, otherwise the "recursehosts" ACL is not applied to the cache.
options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable
        // nameservers, you probably want to use them as forwarders.
        // Uncomment the following block, and insert the addresses replacing
        // the all-0's placeholder.

        // Upstream (ISP) resolvers. No "forward only" is set, so presumably
        // the default forward-first behaviour applies and named still
        // resolves iteratively when these do not answer - confirm if that
        // is intended.
         forwarders {
                213.75.63.36;
                213.75.63.70;
         };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys.  See https://www.isc.org/bind-keys
        //========================================================================
# Turned off because most DNSSEC secured zones are incorrectly configured. This leads to flooding of the syslog with (no valid RRSIG) errors
# NOTE(review): with validation off, the recursive clients get no protection
# against forged answers for signed zones; the log noise is the smaller risk,
# so this setting is worth revisiting.
#       dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035

# Turned off because KPN doesn't support ipv6. This leads to flooding of the syslog with (network unreachable) errors
#       listen-on-v6 { any; };

# Not needed because Debian default directory is now linked to /var/named by hand
# (the relative "soa/..." and "rev/..." file names in the zone statements
# resolve against the directory above)
#        directory "/var/named";
};

For an internet nameserver add:

        // These go inside the options { } block above. They restrict recursion
        // and cache reads to the "recursehosts" ACL; without them the default
        // allow-recursion / allow-query-cache ACLs of the installed BIND
        // version apply instead - confirm against that version.
        allow-recursion { recursehosts; };
        allow-query-cache { recursehosts; };

named.conf.local

//
// Zones served by the internal nameserver; named.conf pulls this file in.
//

// The RFC 1918 zones can be enabled here when nobody on the network
// depends on them:
//include "/etc/bind/zones.rfc1918";

// --- forward zones ---------------------------------------------------------
// "notify yes" makes named send NOTIFY messages to the zone's NS hosts when
// the zone changes.

zone "ops.mynet.int" in {
        type master;
        file "soa/ops.mynet.int";
        notify yes;
};

zone "net.mynet.int" in {
        type master;
        file "soa/net.mynet.int";
        notify yes;
};

// Dynamic updates (nsupdate) are accepted from localhost only. That is a
// source-address check; allow-update { key ...; } or an update-policy with a
// TSIG key ties updates to a credential instead of an address.
zone "internal.mynet.int" in {
        type master;
        file "soa/internal.mynet.int";
        notify yes;
        allow-update { localhost; };
};

zone "mynet.int" in {
        type master;
        file "soa/mynet.int";
        notify yes;
};

// --- reverse zones ---------------------------------------------------------

zone "0.0.10.in-addr.arpa" in {
        type master;
        file "rev/10.0.0.rev";
        notify yes;
};

// No notify for the loopback reverse zone.
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "rev/localhost.rev";
};

zone "0.168.192.in-addr.arpa" in {
        type master;
        file "rev/192.168.0.rev";
        notify yes;
};

// Same localhost-only dynamic updates as internal.mynet.int.
zone "1.168.192.in-addr.arpa" in {
        type master;
        file "rev/192.168.1.rev";
        notify yes;
        allow-update { localhost; };
};

zone "100.168.192.in-addr.arpa" in {
        type master;
        file "rev/192.168.100.rev";
        notify yes;
        allow-update { localhost; };
};

Example zone file for a nameserver

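$TTL 1800       ; TTL
; SOA: ns1.edgarbv.com. is the primary, root@edgarbv.nl the contact (the "@"
; of the mailbox is written as "."). Raise the serial (YYYYMMDDNN) on every
; edit, otherwise the secondaries will not pick up the change.
@ IN SOA ns1.edgarbv.com. root.edgarbv.nl. (
        2013062100      ; serial
        14500           ; refresh
        3600            ; retry
        604800          ; expire
        86400           ; minimum
)

; Lines that start with whitespace keep the previous owner name (@, the apex).
        IN      NS      ns1.edgarbv.com.
        IN      NS      ns2.edgarbv.com.

        IN      MX      10      mail.edgarbv.com.
        IN      MX      20      mail2.edgarbv.com.

        IN      A       37.252.124.72

; Name server definitions
; NOTE(review): ns1 and ns2 point at the same address, so the second NS
; record gives no redundancy.
ns1     IN      A       37.252.124.72
ns2     IN      A       37.252.124.72

; Mail server definitions
mail    IN      A       37.252.124.72
mail2   IN      A       37.252.124.72

; Standard (the original listed the webmail record a second time under
; "; Special"; the duplicate is dropped here)
localhost       IN      A       127.0.0.1
www             IN      A       37.252.124.72
ftp             IN      A       37.252.124.72
webmail         IN      A       37.252.124.72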

example /var/named/soa/internal.mynet.int

$TTL 1800       ; TTL
; SOA for internal.mynet.int: router.mynet.int. is the primary, contact root@router.mynet.int
@       IN      SOA     router.mynet.int. root.router.mynet.int. (
                        2001072027      ; serial, todays date + todays serial
                        10800           ; refresh
                        3600            ; retry
                        604800          ; expire
                        86400 )         ; minimum TTL
;
; Apex records; the leading whitespace keeps the owner name "@" from the SOA line.
                        IN NS   router.mynet.int.
                        IN NS   tripserv.mynet.int.
                        IN MX 10 router.mynet.int.
;
; Local network ip 192.168. netmask 255.255.255.0
; The "10" column is a per-record TTL of 10 seconds, overriding the $TTL
; 1800 default. The ";Cl=3" tag is only a comment (meaning not documented here).
;
lindy   10      IN      A       192.168.0.20    ;Cl=3
marylene 10     IN      A       192.168.0.21    ;Cl=3
amber   10      IN      A       192.168.0.22    ;Cl=3
yvette 10       IN      A       192.168.0.23    ;Cl=3
crystel 10      IN      A       192.168.0.24    ;Cl=3
treske  10      IN      A       192.168.0.25    ;Cl=3
sharon  10      IN      A       192.168.0.26    ;Cl=3
serena  10      IN      A       192.168.0.27    ;Cl=3
treske-ii 10    IN      A       192.168.0.28    ;Cl=3
catherine 10    IN      A       192.168.0.29    ;Cl=3
marjolein 10    IN      A       192.168.0.30    ;Cl=3
maggotbox 10    IN      A       192.168.0.31    ;Cl=3

example /var/named/rev/192.168.0.rev

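; Explicit default TTL, as the forward zone examples above have. The original
; omitted it; named then takes the SOA minimum (1D) and logs a warning, so
; this makes the same value explicit.
$TTL 1D
0.168.192.in-addr.arpa. IN      SOA     router.mynet.int. root.router.mynet.int. (
                        2002083046 ; serial
                        8H      ; refresh
                        2H      ; retry
                        1W      ; expire
                        1D      ; minimum
                        )

; Apex records; the leading whitespace keeps the owner name from the SOA line.
                        IN  NS  router.mynet.int.
                        IN  NS  tripserv.mynet.int.
                        IN  MX  10 router.mynet.int.

; PTR records: owner is the last octet of 192.168.0.x.
1       IN      PTR     router.ops.mynet.int.
2       IN      PTR     tripserv.ops.mynet.int.
3       IN      PTR     tripevo.ops.mynet.int.
4       IN      PTR     tripdev.ops.mynet.int.
5       IN      PTR     tripraid.ops.mynet.int.
6       IN      PTR     tripbook.ops.mynet.int.
8       IN      PTR     tripenclosure.ops.mynet.int.
9       IN      PTR     soap.mynet.int.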

slaves.conf

// Slave servers
// Hosts allowed to transfer zones from this server (referenced by the
// allow-transfer statements in named.conf). This is a source-address check
// only; adding a TSIG key to the ACL would also authenticate the peer.
// The commented-out entries are retired secondaries kept for reference.

acl "slaves" {
                //
                87.233.134.184;         // Moondust machine
                213.193.253.120;        // ns-01.etryx.com
                213.239.175.248;        // ns-02.etryx.com
//              82.92.214.79;           // old ns2.hoster.nl
//              82.95.80.17;            // old ns2.hoster.nl
                212.61.33.42;
//              82.94.91.75;            // xxx.com machine
//              31.160.12.69;           // ns2.hoster.nl
                188.204.140.220;        // ns2.hoster.nl
                127.0.0.1;
                localhost;
};

masters.conf

// Master Servers
// Primaries that the slave's allow-transfer statements accept transfer
// requests from. Source-address based; presumably the same hosts appear in
// the slave zones' masters clauses (not shown on this page).

acl "masters" {
        212.61.33.42; 90.145.83.186; 31.160.12.69;
};

Adding a new domain

New Domain: www.domain.com

On 212.61.33.42:

Add the following in /etc/bind/named.conf.db

// Primary zone statement; the file name is relative to the options directory.
zone "domain.com" in {
        type master;
        file "soa/domain.com";
        notify yes;
};

Add the following in /var/named/soa/domain.com

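; The original had no $TTL; named then falls back to the SOA minimum (86400)
; with a warning, so the same value is made explicit here.
$TTL 86400
@ IN SOA ns1.hoster.nl. root.ns1.hoster.nl. (
                2011103102      ;       serial     FORMAT: YYYYMMDDXX
                14800           ;       refresh
                3600            ;       retry
                604800          ;       expire
                86400           ;       minimum
)

; Apex records; the leading whitespace keeps the owner name "@".
                IN      NS      ns1.hoster.nl.
                IN      NS      ns2.hoster.nl.

                IN      MX      10 mail.xxx.com.
; SPF must be one quoted string. Unquoted, "v=spf1 mx -all" is stored as the
; three separate strings "v=spf1" "mx" "-all"; receivers join them to
; "v=spf1mx-all", which is not a valid SPF record, so no policy was applied.
                IN      TXT     "v=spf1 mx -all"

                IN      A       188.204.140.195
                IN      AAAA    2a02:2770:3:0:21a:4aff:feec:b31d

; Standard
; NOTE(review): localhost.domain.com resolves to the public address here, not
; 127.0.0.1 as in the edgarbv example above - confirm this is intended.
localhost       IN      A       188.204.140.195
www             IN      A       188.204.140.195
ftp             IN      A       188.204.140.195
imap            IN      A       188.204.140.195
mail            IN      A       188.204.140.195
pop             IN      A       188.204.140.195
pop3            IN      A       188.204.140.195
smtp            IN      A       188.204.140.195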


ssh -l USERNAME ns2.hoster.nl


Add the following in /etc/bind/named.conf.db

// Same zone statement as on the primary above; on this host the zone file
// name is again relative to the options directory.
zone "domain.com" in {
        type master;
        file "soa/domain.com";
        notify yes;
};


rndc reload;tail -f /var/log/messages


Quit the SSH session and return to 212.61.33.42


Again: rndc reload;tail -f /var/log/messages

Examples of less common records

SRV records

Syntax: _service._protocolName IN SRV priority weight portNO subdns.domain.com

service = http (80), https (443), pop (110), smtp (25), imap (445), ldap (389), ftp (21), ssh (22), telnet (23), rpc (135) and others
protocolName = tcp or udp
priority = digit; lower values get first priority
weight = digit; higher values get used more often
portNO = the port number relevant to the service listed above

These are used, for example, by Exchange servers that need Autodiscover:

; priority 10, weight 10, port 443; the target must be a hostname with its own
; address record (RFC 2782 does not allow a CNAME as SRV target).
_autodiscover._tcp      IN      SRV 10 10 443 tripexch1.xxx-ad.local.

To test:

nslookup
set type=SRV
_autodiscover._tcp.xxx-ad.local

should give you something like:

Server:         192.168.0.2
Address:        192.168.0.2#53

_autodiscover._tcp.xxx-ad.local     service = 10 10 443 tripexch1.xxx-ad.local.