Bind
Revision as of 09:11, 2 July 2013
Configuration
named.conf
For an internet Primary DNS server:
//Tripany
include "/etc/bind/slaves.conf";

// Recursion is allowing other hosts to look up domain names not hosted / cached by this bind server
acl "recursehosts" {
    127.0.0.1;
    212.61.33.42;
    localhost;
    82.94.91.75;
    82.92.214.79;
    195.64.90.139;
    82.94.91.75;
    31.160.12.68;
    188.204.140.220;
};

include "/etc/bind/named.conf.options";

view "recursehosts" {
    match-clients { recursehosts; };
    recursion yes;
    allow-transfer { "slaves"; };
    include "/etc/bind/named.conf.local";
    include "/etc/bind/named.conf.default-zones";
    include "/etc/bind/named.conf.db";
};

view "outside" {
    match-clients { any; };
    recursion no;
    allow-transfer { "slaves"; };
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    // edns-udp-size 1400;
    include "/etc/bind/named.conf.db";
};
For an internal (not internet-facing) server, keep the defaults and only edit named.conf.local.
For a slave internet server:
include "/etc/bind/masters.conf";

# These hosts are allowed to look up external domain names on this name server (ie domain names that aren't being served specifically by this server)
acl "recursehosts" {
    127.0.0.1;
    localhost;
    212.61.33.42;
    82.92.214.79;
    10.0.0.101;
    31.160.12.69;
    90.145.83.186;
    188.204.140.220;
};

include "/etc/bind/named.conf.options";

# Recursive hosts are allowed to look up domain names for which this named server is not authoritative. The host list is defined in the acl above. The view below defines what they're allowed to do.
# I'm also allowing master servers to be allowed to transfer domains. The list of master servers is defined in the top include (masters.conf)
view "recursehosts" {
    match-clients { "recursehosts"; };
    recursion yes;
    allow-transfer { "masters"; };

    // prime the server with knowledge of the root servers
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912
    zone "localhost" {
        type master;
        file "/etc/bind/db.local";
    };
    zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
    };
    zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
    };
    zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
    };

    # I want recursehosts to be able to see my own zones too!
    include "/etc/bind/named.conf.db";
};

# This view is for any hosts not specifically noted in the view above. They get to only look up the domains this server has (included in this view as namedconf.db)
view "outside" {
    match-clients { any; };
    recursion no;
    allow-transfer { "masters"; };
    zone "." {
        type hint;
        file "/etc/bind/db.root";
    };
    # this is the official zone file db
    include "/etc/bind/named.conf.db";
    # include cyberfront zone files
    include "/etc/bind/named.cyberfront.conf.db";
    #include "/etc/bind/named.moondust.conf.db";
    # Debian RFC1918 zones
    include "/etc/bind/named.conf.local";
};
named.conf.options
options {
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
        213.75.63.36;
        213.75.63.70;
    };

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    # Turned off because most DNSSEC secured zones are incorrectly configured. This leads to flooding of the syslog with (no valid RRSIG) errors
    # dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035
    # Turned off because KPN doesn't support ipv6. This leads to flooding of the syslog with (network unreachable) errors
    # listen-on-v6 { any; };
    # Not needed because Debian default directory is now linked to /var/named by hand
    # directory "/var/named";
};

For an internet nameserver add to the options block:

allow-recursion { recursehosts; };
allow-query-cache { recursehosts; };
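The point of the two-view layout above (recursion only inside the "recursehosts" view, the "outside" view answering non-recursively for everyone) together with allow-recursion / allow-query-cache is to keep the server from being an open resolver, and the allow-transfer lists keep it from being an open zone-transfer source. The checker below is an added example, not part of the page's configuration or of ISC's tooling: it parses a flat named.conf (include statements are not followed), then reports views that recurse for match-clients any, views whose allow-transfer is any or not set at all, and an allow-recursion any in options. The configuration embedded at the bottom is constructed for the demonstration, with documentation addresses rather than the page's hosts.

```python
"""Lint a flat named.conf for open-resolver and open-transfer settings.
Added example; include statements are not followed, and the sample
configuration at the bottom is constructed (documentation addresses)."""
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text: str) -> str:
    """Drop //, # and /* */ comments; keep anything inside double quotes."""
    out, i, n, in_str = [], 0, len(text), False
    while i < n:
        c = text[i]
        if in_str:
            out.append(c)
            in_str = c != '"'
            i += 1
        elif c == '"':
            in_str = True
            out.append(c)
            i += 1
        elif text.startswith("/*", i):
            j = text.find("*/", i + 2)
            i = n if j < 0 else j + 2
        elif text.startswith("//", i) or c == "#":
            j = text.find("\n", i)
            i = n if j < 0 else j
        else:
            out.append(c)
            i += 1
    return "".join(out)


def parse(text: str) -> list:
    """Parse into nested statements (words, body); body is None or a list of
    statements, e.g. zone "." { type hint; } -> (["zone", "."], [(["type", "hint"], None)])."""
    tokens = TOKEN.findall(strip_comments(text))
    pos = 0

    def block() -> list:
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words, body = [], None
            while pos < len(tokens) and tokens[pos] not in ("{", "}", ";"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                body = block()
                pos += 1                     # consume the closing brace
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            if words or body is not None:
                stmts.append((words, body))
        return stmts

    return block()


def _members(body: list) -> list:
    """Addresses / ACL names listed inside an address-match list."""
    return [w[0] for w, _ in body if w]


def audit(conf: str) -> list:
    """Return findings about views that recurse or transfer zones for anyone."""
    findings = []
    stmts = parse(conf)
    global_xfer = None                       # allow-transfer from options, if any
    for words, body in stmts:
        if words[:1] == ["options"] and body:
            for w, b in body:
                if w[:1] == ["allow-transfer"] and b is not None:
                    global_xfer = _members(b)
                elif w[:1] == ["allow-recursion"] and b is not None and "any" in _members(b):
                    findings.append("options: allow-recursion any (open resolver)")
    for words, body in stmts:
        if words[:1] != ["view"] or body is None:
            continue
        name = words[1] if len(words) > 1 else "?"
        clients, recursion, xfer = [], None, global_xfer
        for w, b in body:
            if w[:1] == ["match-clients"] and b is not None:
                clients = _members(b)
            elif w[:1] == ["recursion"] and len(w) > 1:
                recursion = w[1]
            elif w[:1] == ["allow-transfer"] and b is not None:
                xfer = _members(b)
        if recursion == "yes" and "any" in clients:
            findings.append(f'view "{name}": recursion yes for match-clients any (open resolver)')
        if xfer is None:
            findings.append(f'view "{name}": allow-transfer not set; the BIND 9 default (any) applies')
        elif "any" in xfer:
            findings.append(f'view "{name}": allow-transfer any (anyone can pull the zones)')
    return findings


# Constructed sample modelled on the page's two-view layout; 192.0.2.0/24 is a
# documentation range, not one of the page's addresses.
SAMPLE_CONF = """
acl "recursehosts" { 127.0.0.1; 192.0.2.10; };
options { directory "/var/cache/bind"; };
view "recursehosts" {
    match-clients { recursehosts; };
    recursion yes;
    allow-transfer { "slaves"; };
};
view "outside" {
    match-clients { any; };
    recursion yes;          // should be "no": this view serves the whole internet
    zone "." { type hint; file "/etc/bind/db.root"; };
};
"""

if __name__ == "__main__":
    for line in audit(SAMPLE_CONF):
        print(line)
```

Run it against a real named.conf by reading the file into audit(); because includes are not followed, feed it the file that actually contains the view blocks. The "allow-transfer not set" finding is the one most easily missed when views are added to an options file that never set allow-transfer.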
named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";

zone "ops.tripnet.int" in {
    type master;
    file "soa/ops.tripnet.int";
    notify yes;
};

zone "net.tripnet.int" in {
    type master;
    file "soa/net.tripnet.int";
    notify yes;
};

zone "internal.tripnet.int" in {
    type master;
    file "soa/internal.tripnet.int";
    notify yes;
    allow-update { localhost; };
};

zone "tripnet.int" in {
    type master;
    file "soa/tripnet.int";
    notify yes;
};

zone "0.0.10.in-addr.arpa" in {
    type master;
    file "rev/10.0.0.rev";
    notify yes;
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "rev/localhost.rev";
};

zone "0.168.192.in-addr.arpa" in {
    type master;
    file "rev/192.168.0.rev";
    notify yes;
};

zone "1.168.192.in-addr.arpa" in {
    type master;
    file "rev/192.168.1.rev";
    notify yes;
    allow-update { localhost; };
};

zone "100.168.192.in-addr.arpa" in {
    type master;
    file "rev/192.168.100.rev";
    notify yes;
    allow-update { localhost; };
};
Example zone file for a nameserver:

$TTL 1800 ; TTL
@       IN SOA  ns1.edgarbv.com. root.edgarbv.nl. (
                2013062100 ; serial
                14500      ; refresh
                3600       ; retry
                604800     ; expire
                86400 )    ; minimum
        IN NS   ns1.edgarbv.com.
        IN NS   ns2.edgarbv.com.
        IN MX   10 mail.edgarbv.com.
        IN MX   20 mail2.edgarbv.com.
        IN A    37.252.124.72

; Name server definitions
ns1     IN A    37.252.124.72
ns2     IN A    37.252.124.72

; Mail server definitions
mail    IN A    37.252.124.72
mail2   IN A    37.252.124.72

; Standard
localhost IN A  127.0.0.1
www     IN A    37.252.124.72
ftp     IN A    37.252.124.72
webmail IN A    37.252.124.72

; Special
webmail IN A    37.252.124.72
Example /var/named/soa/internal.tripnet.int:

$TTL 1800 ; TTL
@       IN SOA  router.tripnet.int. root.router.tripnet.int. (
                2001072027 ; serial, todays date + todays serial
                10800      ; refresh
                3600       ; retry
                604800     ; expire
                86400 )    ; minimum TTL
;
        IN NS   router.tripnet.int.
        IN NS   tripserv.tripnet.int.
        IN MX   10 router.tripnet.int.
;
; Local network ip 192.168. netmask 255.255.255.0
;
lindy       10  IN A 192.168.0.20 ;Cl=3
marylene    10  IN A 192.168.0.21 ;Cl=3
amber       10  IN A 192.168.0.22 ;Cl=3
yvette      10  IN A 192.168.0.23 ;Cl=3
crystel     10  IN A 192.168.0.24 ;Cl=3
treske      10  IN A 192.168.0.25 ;Cl=3
sharon      10  IN A 192.168.0.26 ;Cl=3
serena      10  IN A 192.168.0.27 ;Cl=3
treske-ii   10  IN A 192.168.0.28 ;Cl=3
catherine   10  IN A 192.168.0.29 ;Cl=3
marjolein   10  IN A 192.168.0.30 ;Cl=3
maggotbox   10  IN A 192.168.0.31 ;Cl=3
Example /var/named/rev/192.168.0.rev:

0.168.192.in-addr.arpa. IN SOA router.tripnet.int. root.router.tripnet.int. (
                2002083046 ; serial
                8H         ; refresh
                2H         ; retry
                1W         ; expire
                1D )       ; minimum
        IN NS   router.tripnet.int.
        IN NS   tripserv.tripnet.int.
        IN MX   10 router.tripnet.int.
1       IN PTR  router.ops.tripnet.int.
2       IN PTR  tripserv.ops.tripnet.int.
3       IN PTR  tripevo.ops.tripnet.int.
4       IN PTR  tripdev.ops.tripnet.int.
5       IN PTR  tripraid.ops.tripnet.int.
6       IN PTR  tripbook.ops.tripnet.int.
8       IN PTR  tripenclosure.ops.tripnet.int.
9       IN PTR  soap.tripnet.int.
slaves.conf
// Slave servers
acl "slaves" {
    // 87.233.134.184;   // Moondust machine
    213.193.253.120;     // ns-01.etryx.com
    213.239.175.248;     // ns-02.etryx.com
    // 82.92.214.79;     // old ns2.euhost.nl
    // 82.95.80.17;      // old ns2.euhost.nl
    212.61.33.42;
    // 82.94.91.75;      // tripany.com machine
    // 31.160.12.69;     // ns2.euhost.nl
    188.204.140.220;     // ns2.euhost.nl
    127.0.0.1;
    localhost;
};
masters.conf
// Master Servers
acl "masters" {
    212.61.33.42;
    90.145.83.186;
    31.160.12.69;
};
Adding a new domain
New domain: www.domain.com

On the master, 212.61.33.42:
Add the following in /etc/bind/named.conf.db
zone "domain.com" in {
    type master;
    file "soa/domain.com";
    notify yes;
};
Add the following in /var/named/soa/domain.com
@       IN SOA  ns1.euhost.nl. root.ns1.euhost.nl. (
                2011103102 ; serial FORMAT: YYYYMMDDXX
                14800      ; refresh
                3600       ; retry
                604800     ; expire
                86400 )    ; minimum
        IN NS   ns1.euhost.nl.
        IN NS   ns2.euhost.nl.
        IN MX   10 mail.tripany.com.
        IN A    188.204.140.195

; Standard
localhost IN A  188.204.140.195
www     IN A    188.204.140.195
ftp     IN A    188.204.140.195
Then log in to the second nameserver:

ssh -l USERNAME ns2.euhost.nl
Add the following in /etc/bind/named.conf.db
zone "domain.com" in {
    type master;
    file "soa/domain.com";
    notify yes;
};

rndc reload; tail -f /var/log/messages

Exit the SSH session back to 212.61.33.42 and run the same there:

rndc reload; tail -f /var/log/messages
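The procedure above adds the same zone stanza on both servers and reloads each; for a change to an existing zone, what makes the hosts in the "slaves" ACL pick it up after the reload is the SOA serial, which the page keeps in YYYYMMDDXX form. The helper below is an added example, not the page's own tooling or ISC's: it bumps that serial in a zone file and never moves it backwards, because a secondary ignores a zone whose new serial is not greater under RFC 1982 serial arithmetic (so a serial that was set too far in the future, or already used today, is incremented rather than reset). The zone text it works on is constructed, with a placeholder domain and documentation addresses.

```python
"""Bump a zone's SOA serial in the YYYYMMDDXX form the page's zone files
use.  Added example, not the page's own tooling; the zone text below is
constructed with a placeholder domain and documentation addresses."""
import datetime
import re

# The serial is the first number after the "(" that opens the SOA RDATA.
SOA_SERIAL = re.compile(r"(\bSOA\s+\S+\s+\S+\s*\(\s*)(\d+)")


def next_serial(current: int, today: datetime.date) -> int:
    """Return the next YYYYMMDDXX serial.

    Secondaries only transfer when the new serial is 'greater' under RFC 1982
    serial arithmetic, so the serial must never move backwards.  If the
    current serial is already at or past today's base (several edits in one
    day, or a serial that was set in the future), just add one."""
    base = int(today.strftime("%Y%m%d")) * 100
    if current < base:
        return base
    return (current + 1) % (1 << 32)         # serials are 32-bit


def bump_zone_serial(zone_text: str, today: datetime.date) -> tuple:
    """Rewrite the SOA serial in a zone file; returns (new_text, new_serial)."""
    m = SOA_SERIAL.search(zone_text)
    if not m:
        raise ValueError("no SOA serial found in zone text")
    new = next_serial(int(m.group(2)), today)
    return zone_text[: m.start(2)] + str(new) + zone_text[m.end(2):], new


# Constructed zone, laid out like the page's soa/domain.com example but with a
# placeholder domain and documentation addresses (192.0.2.0/24).
SAMPLE_ZONE = """\
$TTL 1800
@       IN SOA  ns1.example.net. root.ns1.example.net. (
                2011103102 ; serial FORMAT: YYYYMMDDXX
                14800      ; refresh
                3600       ; retry
                604800     ; expire
                86400 )    ; minimum
        IN NS   ns1.example.net.
        IN NS   ns2.example.net.
        IN A    192.0.2.1
www     IN A    192.0.2.1
"""

if __name__ == "__main__":
    text, serial = bump_zone_serial(SAMPLE_ZONE, datetime.date.today())
    print(serial)
    print(text)
```

To use it on a real file, read the zone into a string, call bump_zone_serial with datetime.date.today(), write the result back, and only then run rndc reload; the serial comment in the page's file format is left untouched because only the digits are replaced.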
example weird records
SRV records
Syntax:

_service._protocolName IN SRV priority weight portNO subdns.domain.com

service = http (80), https (443), pop (110), smtp (25), imap (445), ldap (389), ftp (21), ssh (22), telnet (23), rpc (135) and others
protocolName = tcp or udp
priority = digit, lowest gets tried first
weight = digit, higher gets used more often
portNO = the port number for the service listed above

These are used e.g. for Exchange servers that need autodiscover:
_autodiscover._tcp IN SRV 10 10 443 tripexch1.tripany-ad.local.
To test:
nslookup
> set type=SRV
> _autodiscover._tcp.tripany-ad.local
should give you something like:
Server:  192.168.0.2
Address: 192.168.0.2#53

_autodiscover._tcp.tripany-ad.local service = 10 10 443 tripexch1.tripany-ad.local.
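The SRV syntax above leaves two things implicit: a record is only found under the underscored owner name (query autodiscover._tcp.... without the leading underscore and nslookup comes back empty), and priority and weight together decide the order in which a client tries the targets. The code below is an added example, not from the page: it parses SRV lines in the page's format, rejects owner names without the underscores, and orders the targets the way an RFC 2782 client does (lowest priority first; within one priority a weighted random draw, repeated until the group is exhausted). The page's _autodiscover record is used as-is; the _ldap records and the example.internal domain are constructed for the demonstration.

```python
"""Parse SRV records in the syntax shown above and order their targets the
way an RFC 2782 client does.  Added example, not from the page; the _ldap
records below are constructed and example.internal is a placeholder."""
import random
import re
from collections import namedtuple

SrvRecord = namedtuple("SrvRecord", "service proto owner priority weight port target")

# _service._proto[.rest-of-owner] [ttl] IN SRV priority weight port target
SRV_LINE = re.compile(
    r"^(_[^.\s]+)\.(_tcp|_udp)(\.\S*)?\s+(?:\d+\s+)?IN\s+SRV\s+"
    r"(\d+)\s+(\d+)\s+(\d+)\s+(\S+)\s*$",
    re.IGNORECASE,
)


def parse_srv(line: str) -> SrvRecord:
    """Parse one SRV line; owner names without the leading underscores are
    rejected, since that is the mistake that makes lookups come back empty."""
    m = SRV_LINE.match(line.strip())
    if not m:
        raise ValueError(f"not a valid SRV record line: {line!r}")
    service, proto, rest, prio, weight, port, target = m.groups()
    port = int(port)
    if not 1 <= port <= 65535:
        raise ValueError(f"port out of range: {port}")
    owner = (rest or "").lstrip(".")
    return SrvRecord(service, proto, owner, int(prio), int(weight), port, target)


def is_valid_srv(line: str) -> bool:
    """True if parse_srv accepts the line."""
    try:
        parse_srv(line)
        return True
    except ValueError:
        return False


def order_targets(records: list, rng=random.random) -> list:
    """Order records as RFC 2782 says a client should try them: ascending
    priority; within one priority a weighted random draw (select a number in
    [0, sum of weights) and take the first record whose running sum reaches
    it), repeated until the group is used up.  rng is injectable so the
    order can be reproduced in tests."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            total = sum(r.weight for r in pool)
            pick = pool[0]                    # all weights 0: any order will do
            if total:
                threshold = rng() * total
                running = 0
                for r in pool:
                    running += r.weight
                    if running >= threshold:
                        pick = r
                        break
            ordered.append(pick)
            pool.remove(pick)
    return ordered


# The page's autodiscover record plus constructed _ldap records.
SAMPLE_SRV = [
    "_autodiscover._tcp IN SRV 10 10 443 tripexch1.tripany-ad.local.",
    "_ldap._tcp 600 IN SRV 0 50 389 dc1.example.internal.",
    "_ldap._tcp 600 IN SRV 0 50 389 dc2.example.internal.",
    "_ldap._tcp 600 IN SRV 10 0 389 dc3.example.internal.",
]


def ldap_order(rng=random.random) -> list:
    """Targets for _ldap._tcp from SAMPLE_SRV, in the order a client tries them."""
    recs = [parse_srv(line) for line in SAMPLE_SRV]
    ldap = [r for r in recs if r.service.lower() == "_ldap"]
    return [r.target for r in order_targets(ldap, rng)]


if __name__ == "__main__":
    print(ldap_order())
```

With the constructed records, dc1 and dc2 (priority 0, equal weight) are tried first in a random order and dc3 (priority 10) only if both fail; that is the behaviour the "lowest priority first, higher weight used more often" rule above describes.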