[GLLUG] Configuring BIND

Rich Clark rrclark at rrclark.net
Mon May 10 07:47:30 EDT 2004


On Sun, 9 May 2004, Seth Bembeneck wrote:

> I'm trying to set up a dns server, and would like to have it running 2
> domains.
>
> How do I configure it for a domain?

Here's how I do it, with the flat files by hand, based on a copy of
O'Reilly's cricket book, DNS & BIND; I believe I have the 4th edition,
which covers BIND v9, but it's not right here in front of me.  I'd recommend
you get a copy of that book, if only from your local library.  The DNS
HOWTO (http://www.tldp.org/HOWTO/DNS-HOWTO.html) is another good resource
to get straight on how all this works.

Note that I'm set up with auto-updating DHCP/Dynamic-DNS, so my zone files 
don't necessarily point to every machine that is currently on the network; 
some have been attached while working on them for friends and stale 
records are still in the zone files.

/etc/named.conf:

# I've set up an acl to specify which subnets may access the nameserver
acl private-lan{
        192.168/16;
        127.0.0.0/8;
        69.14.152.239;
};

# directives to indicate where to find the zone files and how to 
# accept calls for rndc queries
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        auth-nxdomain yes;
        query-source address * port 953;
};

# a key is set up to be shared by machines that will slave from this
# master server
key "key"{
        algorithm hmac-md5;
        secret "<redacted-long-md5-key>";
};

# access list to control access for slaves holding the proper key
controls {
        inet 127.0.0.1 port 953 allow { 192.168/16; 127/8; 69.14.152.239; }
        keys { "key"; };
};

# root servers zone, where we get any lookup that fails locally
zone "." {
        type hint;
        file "named.ca";
};

# localhost forward zone
zone "localhost" {
        type master;
        file "localhost";
};

# localhost reverse zone
zone "127.in-addr.arpa" {
        type master;
        file "127.in-addr.arpa";
};

# internal private lan forward zone
zone "private.rrclark.net" {
        type master;
        file "private.rrclark.net";
        allow-update { key "key"; };
};

# internal private lan reverse zone
zone "1.168.192.in-addr.arpa" {
        type master;
        file "1.168.192.in-addr.arpa";
        allow-update { key "key"; };
};

# vanity domain forward zone
zone "rrclark.net" {
       type master;
       file "rrclark.net";
};

# vanity domain reverse zone - the only function of the vanity domain
# zones is so that lookups on 69.14.152.249 to the nameserver on the
# internal network reverse resolve as rrclark.net instead of
# d14-69-239-152.try.wideopenwest.com.
zone "249.152.14.69.in-addr.arpa" {
       type master;
       file "249.152.14.69.in-addr.arpa";
};


Zone files in /var/named:

cat named.ca
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.INTERNIC.NET
;
;       last update:    Nov 5, 2002
;       related version of root zone:   2002110501
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; operated by IANA
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in Japan, operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File


cat localhost
$TTL    86400
@               IN      SOA     private.rrclark.net. rrclark.rrclark.net. (
                                100       ; Serial
                                28800   ; Refresh
                                7200    ; Retry
                                604800  ; Expire
                                86400 )  ; Minimum TTL
                        NS      private.rrclark.net.

@                               IN              A               127.0.0.1


cat 127.in-addr.arpa
$TTL    86400
@               IN      SOA     private.rrclark.net. rrclark.rrclark.net. (
                                100       ; Serial
                                28800   ; Refresh
                                7200    ; Retry
                                604800  ; Expire
                                86400 )  ; Minimum TTL
                        NS      private.rrclark.net.

1                       PTR     localhost.


cat private.rrclark.net
$ORIGIN .
$TTL 86400      ; 1 day
private.rrclark.net     IN SOA  rich.private.rrclark.net. rrclark.rich.private.rrclark.net. (
                                101304     ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      geek.private.rrclark.net.
                        NS      rich.private.rrclark.net.
                        A       192.168.1.1
                        MX      10 rich.private.rrclark.net.
$ORIGIN private.rrclark.net.
$TTL 129600     ; 1 day 12 hours
bob                     A       192.168.1.226
$TTL 86400      ; 1 day
firewall                CNAME   rich
geek                    A       192.168.1.3
$TTL 129600     ; 1 day 12 hours
karen                   A       192.168.1.253
$TTL 86400      ; 1 day
mail                    CNAME   rich
news                    CNAME   rich
$TTL 129600     ; 1 day 12 hours
OEMComputer             A       192.168.1.254
$TTL 86400      ; 1 day
ren                     A       192.168.1.7
rich                    CNAME   private.rrclark.net.
stimpy                  A       192.168.1.5
wireless                A       192.168.1.20


cat 1.168.192.in-addr.arpa
$ORIGIN .
$TTL 86400      ; 1 day
1.168.192.in-addr.arpa  IN SOA  rich.private.rrclark.net. rrclark.rrclark.net. (
                                1217       ; serial
                                28800      ; refresh (8 hours)
                                7200       ; retry (2 hours)
                                604800     ; expire (1 week)
                                86400      ; minimum (1 day)
                                )
                        NS      geek.private.rrclark.net.
                        NS      rich.private.rrclark.net.
$ORIGIN 1.168.192.in-addr.arpa.
1                       PTR     private.rrclark.net.
20                      PTR     wireless.private.rrclark.net.
$TTL 129600     ; 1 day 12 hours
226                     PTR     bob.private.rrclark.net.
253                     PTR     karen.private.rrclark.net.
254                     PTR     OEMComputer.private.rrclark.net.
$TTL 86400      ; 1 day
3                       PTR     geek.private.rrclark.net.
5                       PTR     stimpy.private.rrclark.net.
7                       PTR     ren.private.rrclark.net.


cat rrclark.net
@       300     IN      SOA     rich.rrclark.net. rrclark.rrclark.net. (
                        601006 ; serial
                        18300 ; refresh
                        5M ; retry
                        183000; expire
                        5M ; default_ttl
                        )
rrclark.net.    300             IN      NS      rrclark.net.
@               300     IN      NS      ns1.easydns.net.
@               300     IN      NS      ns2.easydns.net.
@               300     IN      NS      remote1.easydns.com.
@               300     IN      NS      remote2.easydns.com.
private.rrclark.net.    300     IN      NS      ns1.rrclark.net.
@               300     IN      A       69.14.152.239
@                       IN      MX      5       rrclark.net.
@                       IN      MX      10      smtp.easydns.com.
@                       IN      MX      100     smtp2.easydns.com.
@                       IN      TXT     "v=spf1 a mx ptr ip4:69.14.152.239 include:mail.spamblocked.com -all"

rich    300     IN      CNAME   rrclark.net.
ns1     300     IN      CNAME   rrclark.net.
news    300     IN      CNAME   rrclark.net.
mail    300     IN      CNAME   rrclark.net.
www     300     IN      CNAME   rrclark.net.
ftp     300     IN      CNAME   rrclark.net.


cat 249.152.14.69.in-addr.arpa
$TTL    300
@               IN      SOA     rich.rrclark.net. rrclark.rrclark.net. (
                        2001101004 ; serial
                        10M ; refresh
                        5M ; retry
                        1550M ; expire
                        5M ; default_ttl
                        )
                NS      ns.rrclark.net.
                NS      ns1.easydns.com.
                NS      ns2.easydns.com.
                NS      remote1.easydns.com.
                NS      remote2.easydns.com.
@       IN      PTR     rrclark.net.    ; trailing dot, or the name is read relative to the zone origin


> I have webmin but without knowing what I'm doing everything is confusing
> :-)

Study up at least with the DNS Howto.  It's rough going at first and kind 
of cryptic, but the more you look at it, the better it will sink in.

> Also, will BIND work ok with SmoothWall (I'm going to try SmoothWall for my
> firewall).

Bind doesn't care what firewall you have, as long as incoming tcp/udp
requests on port 53 can make it to the server.

Rich
-- 
   "Normally, supporting your company in public is a perfectly 
   respectable pastime, but when you're trying to build a house 
   of cards, the last thing you should do is blow hard and wave 
   your hands like a madman."
Rupert Goodwins, ZDNET UK, 4/22/2004, on SCO Group CEO Darl McBride   
   TINLC Unit #2309 - Death to all spammer accounts. - WWSB?
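A hand-edited BIND setup like the one above is easy to get subtly wrong: the named.conf declares an acl (`private-lan`) but never applies it in `options`, so recursion is not restricted by it; `query-source` pins the outgoing source port; the TSIG key uses hmac-md5; and the vanity reverse zone's PTR target was missing its trailing dot, so BIND would have read it relative to the zone origin. The linter below is an added example and not code from the original post or from BIND; the named.conf and zone text it checks are constructed samples shaped like the post's files (example.net names, a placeholder secret), and the checks are text heuristics rather than a full named.conf or zone-file parser.

```python
"""Sanity-check a hand-edited BIND named.conf and zone file for the slips that
flat-file setups like the one in the post tend to carry.  Added example, not
code from the original post; the sample config and zone below are constructed
to mirror the post's layout, not copied from it.  All checks are text
heuristics, not a full named.conf/zone parser."""
import re

# Constructed sample in the shape of the post's named.conf (placeholder secret).
NAMED_CONF = """
acl private-lan { 192.168/16; 127.0.0.0/8; };
options {
    directory "/var/named";
    query-source address * port 953;   # fixed outgoing source port
};
key "key" { algorithm hmac-md5; secret "<placeholder-secret>"; };
controls { inet 127.0.0.1 port 953 allow { 127/8; } keys { "key"; }; };
zone "private.example.net" { type master; file "private.example.net"; allow-update { key "key"; }; };
"""

# Constructed reverse zone; the PTR target lacks its trailing dot, as in the post.
REVERSE_ZONE = """
$TTL 300
@ IN SOA ns.example.net. hostmaster.example.net. (
        2001101004 ; serial
        10M 5M 1550M 5M )
  NS ns.example.net.
@ IN PTR example.net
"""


def strip_conf_comments(text):
    """Remove named.conf comments: /* */ blocks, and // or # to end of line."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return "\n".join(re.sub(r"(#|//).*", "", line) for line in text.splitlines())


def block_body(conf, keyword):
    """Return the text inside the braces of the first `keyword ... { }` statement ('' if absent)."""
    m = re.search(r"\b%s\b[^{;]*\{" % re.escape(keyword), conf)
    if not m:
        return ""
    depth, start = 1, m.end()
    for i in range(start, len(conf)):
        depth += {"{": 1, "}": -1}.get(conf[i], 0)
        if depth == 0:
            return conf[start:i]
    return conf[start:]


def lint_named_conf(text):
    findings = []
    conf = strip_conf_comments(text)
    # An acl that is declared but never referenced restricts nothing.
    for name in re.findall(r"\bacl\s+([\w-]+)\s*\{", conf):
        if len(re.findall(r"\b%s\b" % re.escape(name), conf)) < 2:
            findings.append(f"acl '{name}' is defined but never referenced; it restricts nothing")
    opts = block_body(conf, "options")
    # Without allow-recursion (or recursion no) the server recurses for anyone who reaches port 53.
    if "allow-recursion" not in opts and not re.search(r"\brecursion\s+no\b", opts):
        findings.append("options: no allow-recursion/recursion statement; any client may use this server as an open resolver")
    # A pinned query-source port removes the source-port entropy that protects cached answers.
    qs = re.search(r"\bquery-source\b[^;]*\bport\s+(\d+)", opts)
    if qs:
        findings.append(f"options: query-source pins the outgoing source port to {qs.group(1)}; omit the port so it is randomised")
    # TSIG keys: hmac-md5 is obsolete, hmac-sha256 is the usual replacement.
    for name, alg in re.findall(r'\bkey\s+"([^"]+)"\s*\{[^}]*\balgorithm\s+([\w-]+)', conf):
        if alg.lower() == "hmac-md5":
            findings.append(f"key '{name}': algorithm hmac-md5 is obsolete; use hmac-sha256")
    return findings


def lint_zone(text, origin):
    """Flag NS/CNAME/PTR/MX targets that look like FQDNs but lack the trailing dot,
    because BIND appends the origin to them.  origin must be absolute (end in '.')."""
    findings = []
    body = "\n".join(re.sub(r";.*", "", line) for line in text.splitlines())  # quoted ';' not handled
    # Collapse multi-line ( ... ) groups such as SOA timers onto one logical line.
    body = re.sub(r"\(([^)]*)\)", lambda m: " " + m.group(1).replace("\n", " ") + " ", body)
    for line in body.splitlines():
        tokens = line.split()
        if not tokens or tokens[0].startswith("$"):
            continue
        for rtype in ("NS", "CNAME", "PTR", "MX"):
            if rtype in tokens:
                target = tokens[-1]
                if "." in target and not target.endswith("."):
                    findings.append(f"{origin}: {rtype} target '{target}' has no trailing dot and will be read as {target}.{origin}")
                break
    return findings


def lint_all():
    """Run both linters over the constructed samples; returns (conf_findings, zone_findings)."""
    return lint_named_conf(NAMED_CONF), lint_zone(REVERSE_ZONE, "0.0.10.in-addr.arpa.")


if __name__ == "__main__":
    conf_findings, zone_findings = lint_all()
    for finding in conf_findings + zone_findings:
        print(finding)
```

Run against the constructed samples it reports the four named.conf findings and the one PTR finding; point `lint_named_conf` and `lint_zone` at real files (with the zone's `$ORIGIN` as the second argument) to check a live setup before `named-checkconf` and `named-checkzone`, which catch syntax but not these policy slips.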

