[GLLUG] Configuring BIND
Rich Clark
rrclark at rrclark.net
Mon May 10 07:47:30 EDT 2004
On Sun, 9 May 2004, Seth Bembeneck wrote:
> I'm trying to set up a dns server, and would like to have it running 2
> domains.
>
> How do I configure it for a domain?
Here's how I do it, with the flat files by hand, based on a copy of
O'Reilly's cricket book, DNS & Bind; I believe I have the 4th edition but
it's not right here in front of me, which covers Bind v9. I'd recommend
you get a copy of that book, if only from your local library. The DNS
HOW-TO (http://www.tldp.org/HOWTO/DNS-HOWTO.html) is another good resource
to get straight on how all this works.
Note that I'm set up with auto-updating DHCP/Dynamic-DNS, so my zone files
don't necessarily point to every machine that is currently on the network;
some have been attached while working on them for friends and stale
records are still in the zone files.
/etc/named.conf:
# I've set up an acl to specify which subnets may access the nameserver
acl private-lan{
192.168/16;
127.0.0.0/8;
69.14.152.239;
};
# directives to indicate where to find the zone files and how to
# accept calls for rndc queries
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
auth-nxdomain yes;
# Without this line the private-lan acl above is never referenced and named
# recurses for anyone who can reach port 53 (an open resolver). Answers for
# the zones it is authoritative for still go to everyone; only recursion is
# limited to the acl.
allow-recursion { private-lan; };
# Pinning the source port makes every outbound query leave from one
# predictable port (and 953 is also the rndc control port below); leaving
# "port" off lets named choose the port itself.
query-source address * port 953;
};
# a key is set up to be shared by machines that will slave from this
# master server
key "key"{
algorithm hmac-md5;
secret
"<redacted-long-md5-key>";
};
# access list to control access for slaves holding the proper key
# (controls is the rndc channel, not zone transfer; it listens on 127.0.0.1
# only, so just local rndc clients that present the key can reach it)
controls{
inet 127.0.0.1 port 953 allow { 192.168/16; 127/8; 69.14.152.239; } keys { "key"; };
};
# root servers zone, where we get any lookup that fails locally
zone "." {
type hint;
file "named.ca";
};
# localhost forward zone
zone "localhost" {
type master;
file "localhost";
};
# localhost reverse zone
zone "127.in-addr.arpa" {
type master;
file "127.in-addr.arpa";
};
# internal private lan forward zone
zone "private.rrclark.net" {
type master;
file "private.rrclark.net";
allow-update { key "key"; };
};
# internal private lan reverse zone
zone "1.168.192.in-addr.arpa" {
type master;
file "1.168.192.in-addr.arpa";
allow-update { key "key"; };
};
# vanity domain forward zone
zone "rrclark.net" {
type master;
file "rrclark.net";
};
# vanity domain reverse zone - the only function of the vanity domain
# zones is so that lookups on 69.14.152.249 to the nameserver on the
# internal network reverse resolve as rrclark.net instead of
# d14-69-239-152.try.wideopenwest.com.
zone "249.152.14.69.in-addr.arpa" {
type master;
file "249.152.14.69.in-addr.arpa";
};
Zone files in /var/named:
cat named.ca
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by IANA
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
cat localhost
$TTL 86400
@ IN SOA private.rrclark.net. rrclark.rrclark.net. (
100 ; Serial
28800 ; Refresh
7200 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
NS private.rrclark.net.
@ IN A 127.0.0.1
cat 127.in-addr.arpa
$TTL 86400
@ IN SOA private.rrclark.net. rrclark.rrclark.net. (
100 ; Serial
28800 ; Refresh
7200 ; Retry
604800 ; Expire
86400 ) ; Minimum TTL
NS private.rrclark.net.
1.0.0 PTR localhost. ; 127.0.0.1 written relative to the 127.in-addr.arpa origin (a bare "1" here would name 1.127.in-addr.arpa, not the loopback address)
cat private.rrclark.net
$ORIGIN .
$TTL 86400 ; 1 day
private.rrclark.net IN SOA rich.private.rrclark.net. rrclark.rich.private.rrclark.net. (
101304 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS geek.private.rrclark.net.
NS rich.private.rrclark.net.
A 192.168.1.1
MX 10 rich.private.rrclark.net.
$ORIGIN private.rrclark.net.
$TTL 129600 ; 1 day 12 hours
bob A 192.168.1.226
$TTL 86400 ; 1 day
firewall CNAME rich
geek A 192.168.1.3
$TTL 129600 ; 1 day 12 hours
karen A 192.168.1.253
$TTL 86400 ; 1 day
mail CNAME rich
news CNAME rich
$TTL 129600 ; 1 day 12 hours
OEMComputer A 192.168.1.254
$TTL 86400 ; 1 day
ren A 192.168.1.7
rich A 192.168.1.1 ; was "CNAME private.rrclark.net."; the NS, MX and SOA MNAME above point here, and those must name an address record, not an alias (RFC 2181 section 10.3)
stimpy A 192.168.1.5
wireless A 192.168.1.20
cat 1.168.192.in-addr.arpa
$ORIGIN .
$TTL 86400 ; 1 day
1.168.192.in-addr.arpa IN SOA rich.private.rrclark.net. rrclark.rrclark.net. (
1217 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
NS geek.private.rrclark.net.
NS rich.private.rrclark.net.
$ORIGIN 1.168.192.in-addr.arpa.
1 PTR private.rrclark.net.
20 PTR wireless.private.rrclark.net.
$TTL 129600 ; 1 day 12 hours
226 PTR bob.private.rrclark.net.
253 PTR karen.private.rrclark.net.
254 PTR OEMComputer.private.rrclark.net.
$TTL 86400 ; 1 day
3 PTR geek.private.rrclark.net.
5 PTR stimpy.private.rrclark.net.
7 PTR ren.private.rrclark.net.
cat rrclark.net
$TTL 300 ; default TTL; BIND 9 expects this directive at the top of every zone file
@ 300 IN SOA rich.rrclark.net. rrclark.rrclark.net. (
601006 ; serial
18300 ; refresh
5M ; retry
183000 ; expire
5M ; default_ttl
)
rrclark.net. 300 IN NS rrclark.net.
@ 300 IN NS ns1.easydns.net.
@ 300 IN NS ns2.easydns.net.
@ 300 IN NS remote1.easydns.com.
@ 300 IN NS remote2.easydns.com.
private.rrclark.net. 300 IN NS ns1.rrclark.net.
@ 300 IN A 69.14.152.239
@ IN MX 5 rrclark.net.
@ IN MX 10 smtp.easydns.com.
@ IN MX 100 smtp2.easydns.com.
@ IN TXT "v=spf1 a mx ptr ip4:69.14.152.239 include:mail.spamblocked.com -all"
rich 300 IN A 69.14.152.239 ; was a CNAME to rrclark.net.; the SOA MNAME should be an address record, not an alias
ns1 300 IN A 69.14.152.239 ; was a CNAME; the NS target of the private.rrclark.net delegation above must not be an alias (RFC 2181 section 10.3)
news 300 IN CNAME rrclark.net.
mail 300 IN CNAME rrclark.net.
www 300 IN CNAME rrclark.net.
ftp 300 IN CNAME rrclark.net.
cat 249.152.14.69.in-addr.arpa
$TTL 300
@ IN SOA rich.rrclark.net. rrclark.rrclark.net. (
2001101004 ; serial
10M ; refresh
5M ; retry
1550M ; expire
5M ; default_ttl
)
NS ns.rrclark.net.
NS ns1.easydns.com.
NS ns2.easydns.com.
NS remote1.easydns.com.
NS remote2.easydns.com.
@ IN PTR rrclark.net. ; trailing dot needed, or the origin is appended and this becomes rrclark.net.249.152.14.69.in-addr.arpa.
> I have webmin but without knowing what I'm doing everything is confusing
> :-)
Study up at least with the DNS Howto. It's rough going at first and kind
of cryptic, but the more you look at it, the better it will sink in.
> Also, will BIND work ok with SmoothWall (I'm going to try SmoothWall for my
> firewall).
Bind doesn't care what firewall you have, as long as incoming tcp/udp
requests on port 53 can make it to the server.
Rich
--
"Normally, supporting your company in public is a perfectly
respectable pastime, but when you're trying to build a house
of cards, the last thing you should do is blow hard and wave
your hands like a madman."
Rupert Goodwins, ZDNET UK, 4/22/2004, on SCO Group CEO Darl McBride
TINLC Unit #2309 - Death to all spammer accounts. - WWSB?
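The zone files in the post above show three mistakes that hand-written zones tend to carry and that named does not always refuse outright: NS, MX and SOA MNAME targets that are CNAMEs, a target that lost its trailing dot and had the origin glued on, and forward A records with no matching reverse PTR. The following is an added example, not code from the post: a small hand-rolled master-file parser plus a linter for those three checks. The two sample zones are trimmed copies constructed for the illustration (with the post's CNAME-as-target and a deliberately unqualified PTR left in), not the author's files.

```python
"""Lint hand-written BIND zones for: NS/MX/SOA-MNAME targets that are CNAMEs
(RFC 2181 section 10.3), targets that lost their trailing dot and had the
origin glued on, and forward A records without a matching reverse PTR.
Added example with its own small parser; sample zones are constructed."""
import re

TTL_OR_CLASS = re.compile(r"(?i)^(IN|\d+[smhdw]?)$")


def qualify(name, origin):
    """Make a relative owner or target absolute under origin ('@' is the apex)."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, TYPE, [rdata tokens])] with every name made absolute.

    Handles $ORIGIN, $TTL, ';' comments, '( ... )' continuation lines and
    blank-owner lines (a record whose first line starts with whitespace keeps
    the previous owner).  Quoted TXT strings containing ';' are not handled."""
    origin = qualify(origin, ".")
    records, last_owner, buf, depth, blank_owner = [], origin, [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if not buf:                       # first physical line of this record
            blank_owner = line[0].isspace()
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:
            continue                      # still inside ( ... )
        toks, buf = " ".join(buf).replace("(", " ").replace(")", " ").split(), []
        if toks[0] == "$ORIGIN":
            origin = qualify(toks[1], origin)
            continue
        if toks[0] == "$TTL":
            continue
        owner, i = (last_owner, 0) if blank_owner else (qualify(toks[0], origin), 1)
        while TTL_OR_CLASS.match(toks[i]):  # optional TTL and class before the type
            i += 1
        rtype, rdata = toks[i].upper(), toks[i + 1:]
        # name fields: MNAME and RNAME for SOA, the last token for NS/CNAME/PTR/MX
        for j in ([0, 1] if rtype == "SOA" else [-1] if rtype in ("NS", "CNAME", "PTR", "MX") else []):
            rdata[j] = qualify(rdata[j], origin)
        records.append((owner, rtype, rdata))
        last_owner = owner
    return records


def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."


def lint(zones):
    """zones: {origin: records from parse_zone}.  Returns sorted problem strings."""
    types_at, ptr, problems = {}, {}, []
    for recs in zones.values():
        for owner, rtype, rdata in recs:
            types_at.setdefault(owner, set()).add(rtype)
            if rtype == "PTR":
                ptr[owner] = rdata[-1]
    reverse_zones = [z for z in zones if z.endswith(".in-addr.arpa.")]
    for origin, recs in zones.items():
        for owner, rtype, rdata in recs:
            if rtype in ("NS", "MX", "SOA"):          # target must not be an alias
                target = rdata[0] if rtype == "SOA" else rdata[-1]
                if "CNAME" in types_at.get(target, ()):
                    problems.append(f"{rtype} at {owner} points at {target}, which is a CNAME (illegal)")
            if rtype in ("NS", "CNAME", "PTR", "MX"):  # origin glued onto an unqualified target
                t = rdata[-1]
                glued = t.endswith(".in-addr.arpa.") if rtype == "PTR" else t.endswith(f".{origin[:-1]}.{origin}")
                if glued:
                    problems.append(f"{rtype} at {owner}: target {t} looks unqualified (missing trailing dot?)")
            if rtype == "A":                           # forward/reverse agreement
                rn = reverse_name(rdata[0])
                if any(rn.endswith("." + z) for z in reverse_zones):
                    if rn not in ptr:
                        problems.append(f"A {owner} {rdata[0]}: no PTR at {rn}")
                    elif ptr[rn] != owner:
                        problems.append(f"A {owner} {rdata[0]}: PTR at {rn} says {ptr[rn]}")
    return sorted(problems)


# Constructed sample zones (trimmed, with the post's CNAME target kept on purpose).
FORWARD = """\
$ORIGIN private.rrclark.net.
$TTL 86400
@        IN SOA rich.private.rrclark.net. rrclark.rich.private.rrclark.net. (
             101304 ; serial
             28800 7200 604800 86400 )
         NS  rich.private.rrclark.net.
         A   192.168.1.1
         MX  10 rich.private.rrclark.net.
rich     CNAME private.rrclark.net.   ; NS, MX and MNAME all point at this alias
geek     A   192.168.1.3
stimpy   A   192.168.1.5
wireless A   192.168.1.20             ; no PTR in the reverse zone below
mail     CNAME rich
"""
REVERSE = """\
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400
@   IN SOA geek.private.rrclark.net. rrclark.rrclark.net. ( 1217 28800 7200 604800 86400 )
    NS  geek.private.rrclark.net.
1   PTR private.rrclark.net.
3   PTR geek.private.rrclark.net.
5   PTR stimpy.private.rrclark.net    ; trailing dot forgotten
"""


def lint_samples():
    zones = {"private.rrclark.net.": parse_zone(FORWARD, "private.rrclark.net."),
             "1.168.192.in-addr.arpa.": parse_zone(REVERSE, "1.168.192.in-addr.arpa.")}
    return lint(zones)


if __name__ == "__main__":
    print("\n".join(lint_samples()))
```

Run against the samples it reports six problems: the SOA, NS and MX at the forward apex pointing at the alias `rich`, the PTR for .5 whose target grew a second `1.168.192.in-addr.arpa.`, the same host's A/PTR mismatch that results, and the missing PTR for `wireless`. BIND ships the same kind of check as `named-checkconf /etc/named.conf` and `named-checkzone <zone> <file>`, which is what to run after every edit before reloading. Two things a linter cannot settle from the files alone: the forward A record and the acl use 69.14.152.239 while the reverse zone is named for 69.14.152.249, and whichever is the real address the zone name must be the reverse of it; and the TSIG key is hmac-md5, which is what BIND 9 offered at the time, while newer BIND accepts hmac-sha256 keys for the same `allow-update` and `controls` use.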