Bind: Difference between revisions
Line 2: | Line 2: | ||
== named.conf == | == named.conf == | ||
For an internet DNS server: | === For an internet Primary DNS server: === | ||
<pre> | <pre> | ||
//Tripany | //Tripany | ||
Line 38: | Line 38: | ||
}; | }; | ||
</pre> | </pre> | ||
If not an internet but an internal server use defaults and only edit named.conf.local | |||
=== For a slave internet server === | |||
<pre> | |||
include "/etc/bind/masters.conf"; | |||
# These hosts are allowed to look up external domain names on this name server (ie domain names that aren't being served specifically by this server) | |||
acl "recursehosts" { | |||
127.0.0.1; localhost; 212.61.33.42; 82.92.214.79; 10.0.0.101; 31.160.12.69; 90.145.83.186; 188.204.140.220; | |||
}; | |||
include "/etc/bind/named.conf.options"; | |||
# Recursive hosts are allowed to look up domain names for which this named server is not authoritative. The host list is defined in the acl above. The view below defines what they're allowed to do. I'm also allowing master servers to be allowed to transfer domains. The list of master servers is defined in the top include (masters.conf) | |||
view "recursehosts" { | |||
match-clients { "recursehosts"; }; | |||
recursion yes; | |||
allow-transfer { "masters"; }; | |||
// prime the server with knowledge of the root servers | |||
zone "." { | |||
type hint; | |||
file "/etc/bind/db.root"; | |||
}; | |||
// be authoritative for the localhost forward and reverse zones, and for | |||
// broadcast zones as per RFC 1912 | |||
zone "localhost" { | |||
type master; | |||
file "/etc/bind/db.local"; | |||
}; | |||
zone "127.in-addr.arpa" { | |||
type master; | |||
file "/etc/bind/db.127"; | |||
}; | |||
zone "0.in-addr.arpa" { | |||
type master; | |||
file "/etc/bind/db.0"; | |||
}; | |||
zone "255.in-addr.arpa" { | |||
type master; | |||
file "/etc/bind/db.255"; | |||
}; | |||
# I want recursehosts to be able to see my own zones too! | |||
include "/etc/bind/named.conf.db"; | |||
}; | |||
# This view is for any hosts not specifically noted in the view above. They get to only look up the domains this server has (included in this view as namedconf.db) | |||
view "outside" { | |||
match-clients { any; }; | |||
recursion no; | |||
allow-transfer { "masters"; }; | |||
zone "." { | |||
type hint; | |||
file "/etc/bind/db.root"; | |||
}; | |||
# this is the official zone file db | |||
include "/etc/bind/named.conf.db"; | |||
# include cyberfront zone files | |||
include "/etc/bind/named.cyberfront.conf.db"; | |||
#include "/etc/bind/named.moondust.conf.db"; | |||
# Debian RFC1918 zones | |||
include "/etc/bind/named.conf.local"; | |||
}; | |||
</pre> | |||
== named.conf.options == | == named.conf.options == |
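Review bot: In the added secondary configuration, the `outside` view (`match-clients { any; }`) ends with `include "/etc/bind/named.conf.local";` under the label "Debian RFC1918 zones", yet elsewhere on this page named.conf.local is where the private `tripnet.int` zones and the 10.0.0.x/192.168.x reverse zones are defined, and the primary's configuration keeps that include inside the `recursehosts` view only. If the secondary's named.conf.local matches the one documented here, every internet client can enumerate those internal hostnames and RFC1918 addresses; move the line into the `recursehosts` view as on the primary (or drop it) and replace the comment with `// named.conf.local holds the internal tripnet.int zones -- never include it in the any-client view`. Separately, `allow-transfer { "masters"; }` in both views authorises AXFR by source address alone, so a TSIG-keyed `allow-transfer { key "xfer-key"; }` would stop a spoofed or reassigned address from pulling the zones. The recursehosts ACL also no longer matches the primary's (10.0.0.101 and 31.160.12.69 here versus 31.160.12.68 there), which may be intentional but is worth confirming.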
Revision as of 13:03, 10 June 2013
Configuration
named.conf
For an internet Primary DNS server:
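//Tripany
include "/etc/bind/slaves.conf";

// Recursion is allowing other hosts to look up domain names not hosted / cached by this bind server.
// Keep this list tight: every address here gets full recursive service and cache access, so a
// stale entry that now belongs to someone else turns this host into a partially open resolver.
// 82.94.91.75 was listed twice in the original; the duplicate entry is dropped.
acl "recursehosts" {
    127.0.0.1; 212.61.33.42; localhost; 82.94.91.75; 82.92.214.79; 195.64.90.139; 31.160.12.68; 188.204.140.220;
};

include "/etc/bind/named.conf.options";

// Clients matching the recursehosts ACL get a full resolver plus every zone this server carries.
view "recursehosts" {
    match-clients { recursehosts; };
    recursion yes;
    // Zone transfers are authorised by source IP only (slaves.conf); a TSIG key would be stronger.
    allow-transfer { "slaves"; };
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.db";
};

// Everybody else: authoritative answers only, no recursion, and only the public zones
// (named.conf.db). named.conf.local, which holds the internal tripnet.int zones, is not
// included here, so internal names are not served to arbitrary internet clients.
view "outside" {
    match-clients { any; };
    recursion no;
    allow-transfer { "slaves"; };
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    // edns-udp-size 1400;
    include "/etc/bind/named.conf.db";
};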
If the server is internal-only rather than internet-facing, keep the Debian defaults and edit only named.conf.local.
For a slave internet server
include "/etc/bind/masters.conf";

// Hosts allowed to resolve names this server is not authoritative for (full recursion).
// This list differs from the primary's recursehosts ACL (10.0.0.101 and 31.160.12.69 appear
// only here) -- confirm both lists are intentional.
acl "recursehosts" {
    127.0.0.1; localhost; 212.61.33.42; 82.92.214.79; 10.0.0.101; 31.160.12.69; 90.145.83.186; 188.204.140.220;
};

include "/etc/bind/named.conf.options";

// Recursive clients (ACL above) get a resolver plus every zone this host carries. Hosts listed
// in masters.conf may transfer zones; that check is by source IP only, a TSIG key would be stronger.
view "recursehosts" {
    match-clients { "recursehosts"; };
    recursion yes;
    allow-transfer { "masters"; };

    // root hints, so recursion has somewhere to start
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // localhost forward/reverse and the broadcast zones (RFC 1912)
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };
    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };
    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    // our own zones are visible to recursive clients as well
    include "/etc/bind/named.conf.db";
};

// Everyone not matched above: no recursion, authoritative data only.
view "outside" {
    match-clients { any; };
    recursion no;
    allow-transfer { "masters"; };

    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // the public zones
    include "/etc/bind/named.conf.db";
    // cyberfront zones
    include "/etc/bind/named.cyberfront.conf.db";
    //include "/etc/bind/named.moondust.conf.db";
    // Labelled "Debian RFC1918 zones" in the original, but on the primary named.conf.local
    // holds the internal tripnet.int zones and their RFC1918 reverse zones. If this host's
    // copy is the same, this line publishes internal names to the whole internet -- check
    // what the file contains before keeping it in the any-client view.
    include "/etc/bind/named.conf.local";
};
named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want to talk to,
    // you may need to fix the firewall to allow multiple ports to talk.
    // See http://www.kb.cert.org/vuls/id/800113
    //
    // If your ISP provided one or more IP addresses for stable nameservers,
    // you probably want to use them as forwarders. Everything not answered
    // locally is sent to these two addresses.
    forwarders {
        213.75.63.36;
        213.75.63.70;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    //========================================================================
    // Validation was switched off because many DNSSEC-signed zones were misconfigured
    // and flooded syslog with "no valid RRSIG" errors. Know the trade-off: with
    // validation off, every answer relayed by the forwarders above is accepted
    // unverified, so a spoofed or poisoned upstream answer lands in this cache.
    // Prefer re-enabling it and quietening the dnssec logging category instead.
    // dnssec-validation auto;

    auth-nxdomain no;    // conform to RFC1035

    // IPv6 listener disabled because the upstream provider (KPN) offered no IPv6;
    // leaving it on filled syslog with "network unreachable" errors.
    // listen-on-v6 { any; };

    // Not needed: the Debian default directory has been linked to /var/named by hand.
    // directory "/var/named";

    // On an internet-facing server also restrict allow-recursion and
    // allow-query-cache to the recursehosts ACL (the two lines listed after this block).
};
For an internet-facing nameserver, additionally add the following (inside the options { } block, or per view):
// Only hosts in the recursehosts ACL may ask this server to recurse on their behalf ...
allow-recursion { recursehosts; };
// ... and only they may read answers already sitting in the cache. Without this,
// anyone could probe what has been looked up recently (cache snooping) even though
// recursion itself is denied to them.
allow-query-cache { recursehosts; };
named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your organization
//include "/etc/bind/zones.rfc1918";

// Internal forward zones. File paths are relative to the options "directory".
// NOTE: ".int" is a real, delegated top-level domain; a private "tripnet.int" namespace
// collides with it for any client that does not resolve through this server.
zone "ops.tripnet.int" in {
    type master;
    file "soa/ops.tripnet.int";
    notify yes;
};
zone "net.tripnet.int" in {
    type master;
    file "soa/net.tripnet.int";
    notify yes;
};
zone "internal.tripnet.int" in {
    type master;
    file "soa/internal.tripnet.int";
    notify yes;
    // Dynamic updates are accepted from any process on this host, authenticated by
    // source address alone. A TSIG key (allow-update { key "..."; }) would tie updates
    // to a secret instead of to "came from 127.0.0.1".
    allow-update { localhost; };
};
zone "tripnet.int" in {
    type master;
    file "soa/tripnet.int";
    notify yes;
};

// Reverse zones for the internal address ranges.
zone "0.0.10.in-addr.arpa" in {
    type master;
    file "rev/10.0.0.rev";
    notify yes;
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "rev/localhost.rev";
};
zone "0.168.192.in-addr.arpa" in {
    type master;
    file "rev/192.168.0.rev";
    notify yes;
};
zone "1.168.192.in-addr.arpa" in {
    type master;
    file "rev/192.168.1.rev";
    notify yes;
    // same caveat as above: IP-based update permission, no key
    allow-update { localhost; };
};
zone "100.168.192.in-addr.arpa" in {
    type master;
    file "rev/192.168.100.rev";
    notify yes;
    allow-update { localhost; };
};
example /var/named/soa/internal.tripnet.int
; Forward zone for internal.tripnet.int (origin comes from the zone name in named.conf.local).
; There is no $TTL directive: BIND 9 then warns and uses the SOA minimum (86400) as the
; default TTL. Add "$TTL 86400" at the top to make that explicit.
@       IN SOA  router.tripnet.int. root.router.tripnet.int. (
                2001072027      ; serial: today's date + today's change number
                10800           ; refresh
                3600            ; retry
                604800          ; expire
                86400 )         ; minimum TTL
;
        IN NS   router.tripnet.int.
        IN NS   tripserv.tripnet.int.
        IN MX   10 router.tripnet.int.
;
; Local network: 192.168.0.0, netmask 255.255.255.0
; Field order is  name  TTL  class  type  rdata -- the "10" below is a 10-second
; per-record TTL, far shorter than the zone default; confirm that is intended.
;
lindy       10  IN A    192.168.0.20    ;Cl=3
marylene    10  IN A    192.168.0.21    ;Cl=3
amber       10  IN A    192.168.0.22    ;Cl=3
yvette      10  IN A    192.168.0.23    ;Cl=3
crystel     10  IN A    192.168.0.24    ;Cl=3
treske      10  IN A    192.168.0.25    ;Cl=3
sharon      10  IN A    192.168.0.26    ;Cl=3
serena      10  IN A    192.168.0.27    ;Cl=3
treske-ii   10  IN A    192.168.0.28    ;Cl=3
catherine   10  IN A    192.168.0.29    ;Cl=3
marjolein   10  IN A    192.168.0.30    ;Cl=3
maggotbox   10  IN A    192.168.0.31    ;Cl=3
example /var/named/rev/192.168.0.rev
; Reverse zone for 192.168.0.0/24. As in the forward zones there is no $TTL directive;
; BIND 9 warns and falls back to the SOA minimum (1D) as the default TTL.
0.168.192.in-addr.arpa. IN SOA router.tripnet.int. root.router.tripnet.int. (
                2002083046  ; serial
                8H          ; refresh
                2H          ; retry
                1W          ; expire
                1D )        ; minimum
                IN NS   router.tripnet.int.
                IN NS   tripserv.tripnet.int.
                ; an MX at a reverse-zone apex plays no role in mail delivery; harmless, but it can go
                IN MX   10 router.tripnet.int.
; last octet -> hostname (.7 has no entry in this listing)
1   IN PTR  router.ops.tripnet.int.
2   IN PTR  tripserv.ops.tripnet.int.
3   IN PTR  tripevo.ops.tripnet.int.
4   IN PTR  tripdev.ops.tripnet.int.
5   IN PTR  tripraid.ops.tripnet.int.
6   IN PTR  tripbook.ops.tripnet.int.
8   IN PTR  tripenclosure.ops.tripnet.int.
9   IN PTR  soap.tripnet.int.
slaves.conf
// Hosts allowed to transfer (AXFR/IXFR) our zones; referenced by allow-transfer { "slaves"; }.
// Membership is decided by source IP only: whoever can spoof or take over one of these
// addresses can pull every zone. Keep the list current -- commented entries are retired hosts.
acl "slaves" {
//  87.233.134.184;     // Moondust machine
    213.193.253.120;    // ns-01.etryx.com
    213.239.175.248;    // ns-02.etryx.com
//  82.92.214.79;       // old ns2.euhost.nl
//  82.95.80.17;        // old ns2.euhost.nl
    212.61.33.42;
//  82.94.91.75;        // tripany.com machine
//  31.160.12.69;       // ns2.euhost.nl
    188.204.140.220;    // ns2.euhost.nl
    127.0.0.1;
    localhost;
};
Adding a new domain
New Domain: www.domain.com
On the first nameserver, 212.61.33.42:
Add the following in /etc/bind/named.conf.db
// Authoritative (master) copy of domain.com. "soa/domain.com" is relative to the
// options "directory"; notify yes sends NOTIFY to the NS hosts named in the zone.
zone "domain.com" in {
    type master;
    file "soa/domain.com";
    notify yes;
};
Add the following in /var/named/soa/domain.com
; Zone file for domain.com, loaded as a master zone on both ns1 and ns2.
@       IN SOA  ns1.euhost.nl. root.ns1.euhost.nl. (
                2011103102  ; serial, format YYYYMMDDXX -- bump it on every edit so
                            ; hosts in the slaves ACL pick up the change on transfer
                14800       ; refresh
                3600        ; retry
                604800      ; expire
                86400 )     ; minimum
        IN NS   ns1.euhost.nl.
        IN NS   ns2.euhost.nl.
        IN MX   10 mail.tripany.com.
        IN A    188.204.140.195
; "localhost.domain.com" pointing at the public address is an unusual record with no
; obvious purpose; consider dropping it rather than keeping it as a "standard" entry
; (the 127.0.0.1 variant is worse: it lets web content under the domain reach local services).
localhost   IN A    188.204.140.195
www         IN A    188.204.140.195
ftp         IN A    188.204.140.195
# Log in to the second nameserver; replace USERNAME with your own account.
ssh USERNAME@ns2.euhost.nl
Add the following in /etc/bind/named.conf.db, and copy the zone file to /var/named/soa/domain.com on this host as well (the stanza references it, and the zone will not load without it):
// Same stanza as on the first server, so ns2 is also a master for domain.com: the zone
// file /var/named/soa/domain.com has to be copied here by hand and named will not load
// the zone if it is missing. A "type slave; masters { 212.61.33.42; };" stanza would let
// NOTIFY + AXFR keep this host in sync automatically instead.
zone "domain.com" in {
    type master;
    file "soa/domain.com";
    notify yes;
};
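# Check the configuration and the new zone before reloading: a syntax error in the zone
# file is only reported at load time, and the domain then stays unserved from this host.
named-checkconf && named-checkzone domain.com /var/named/soa/domain.com && rndc reload
# Watch the log for "loaded serial ..." (success) or any zone/transfer errors.
tail -f /var/log/messages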
Exit the SSH session to return to 212.61.33.42.
Then reload on this host too and watch the log: rndc reload; tail -f /var/log/messages