HowTo – Set up DNS (Domain Name System) using BIND9.   June 21st, 2009

by Deja-Vu » 2009-05-15 21:13

Overview

This HOWTO will assist you in getting a Domain Name System (DNS) server up and running using BIND9 on Debian Lenny. When setting up DNS for a domain it is common practice to use two separate DNS servers, and most registries require at least two nameservers before they will delegate a domain to you. If one breaks, the other can continue to serve your domain.

However, when I set up my DNS system I did not have the resources on hand to use two different servers for DNS, so the setup below will configure one server to run both nameservers. It's not an ideal solution and is definitely not a best-practice solution, but one can only work with what you have.

We will run BIND in a chroot jail, so that a compromised named daemon has a much harder time damaging the operating system or compromising other services. A chroot only limits which files the daemon can reach; it is the -u bind option (already set by Debian) that keeps the daemon from running as root, so the setup below uses both.

In this HOWTO I will use the fictional domain "sampledns.com". The nameservers will use 192.168.254.1 and 192.168.254.2 as their IP addresses. Both the domain and the nameserver IPs need to be changed to reflect your server details.

Requirements

A Debian Lenny base installation.
At least two static IP addresses that you can use to set up the nameserver information.
Root access to your server.

Pre-Installation notes: (You need to be in a root shell from here on to the end of this HowTo.)

Before proceeding to install, update the necessary packages in Debian with these commands.

Code: Select all
apt-get update

and

Code: Select all
apt-get upgrade

Installing lsb-base and BIND9

To continue we need the Debian build tools, since we are going to download the source packages and build them ourselves:

Code: Select all
apt-get install devscripts

The next two steps are shown as two code blocks to keep this HowTo a bit shorter, since it is rather lengthy. Still, run each command on its own line, if only so that you can see and deal with any error it reports straight away instead of having to go back and search the logs.

BIND9 depends on lsb-base. (Syntax explanation: -y tells apt to answer yes to all questions, build-dep installs every package required to build -packageX- from source, and with -b the source is built straight away after it is fetched.)

Code: Select all
mkdir /usr/local/lsb-base/
cd /usr/local/lsb-base/
apt-get -y build-dep lsb-base
apt-get source lsb-base -b
dpkg -i lsb-base*.deb

Next is BIND9:

Code: Select all
mkdir /usr/local/bind9
cd /usr/local/bind9
apt-get -y build-dep bind9
apt-get source bind9 -b
dpkg -i *.deb

Configure the Master DNS Server

First we need to stop BIND9:

Code: Select all
/etc/init.d/bind9 stop

In order to chroot bind we need to set an option in /etc/default/bind9.

Open /etc/default/bind9:

Code: Select all
vim /etc/default/bind9

Locate this line:

Code: Select all
OPTIONS="-u bind"

Replace it with this:

Code: Select all
OPTIONS="-u bind -t /var/lib/named"

It will now run as user 'bind' chrooted in '/var/lib/named'.
These steps are required for the chroot jail (again, run each command on a separate line):

Code: Select all
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/*
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

BIND now has its own directory tree with room for its pid file, its cache and its configuration. To keep things clear we made a symlink from /etc/bind back into the jail, so the usual paths still work from outside the chroot and the same /etc/bind path resolves inside it.

NOTE: In this next step I ran into a problem where sysklogd was not installed for some reason on one of the systems I installed the DNS on.
To fix:

Code: Select all
apt-get install sysklogd

It will either tell you that you already have the latest version or install it with its dependencies.

Now edit /etc/init.d/sysklogd to allow logging of bind activity. (The Debian init script also sources /etc/default/syslogd, so the same variable can be set there instead, which survives a package upgrade rewriting the init script.)

Code: Select all
vim /etc/init.d/sysklogd

Replace this:

Code: Select all
SYSLOGD=""

With this:

Code: Select all
SYSLOGD="-a /var/lib/named/dev/log"

The -a option makes syslogd listen on an additional socket inside the jail. Without it the chrooted named cannot reach the real /dev/log and its log messages are silently lost, which is exactly what you do not want on a server you expect to investigate after an incident. If your system runs rsyslog rather than sysklogd (rsyslog is Lenny's default syslog daemon), the equivalent is a $AddUnixListenSocket /var/lib/named/dev/log line in /etc/rsyslog.conf.

Now restart sysklogd and start BIND9:

Code: Select all
/etc/init.d/sysklogd restart
/etc/init.d/bind9 start

And test that the server resolves names. This only exercises your new server if /etc/resolv.conf contains nameserver 127.0.0.1; otherwise ping is still using whatever resolver was configured before.

Code: Select all
ping www.google.com

(NOTE: hit Ctrl+C to stop the ping output; we do not want to flood Google with packets.)

If you get a reply, your DNS master server is resolving queries and is ready to use. The next steps make it authoritative for the sampledns.com domain. (IMPORTANT: Remember to replace sampledns.com and 192.168.254.1 with your domain information.)

Create the zone files:

Start by creating the directory where you will store the zone files.

Code: Select all
mkdir /etc/bind/zones/master/

Now create the zone file (this file contains all the information about the domain):

Code: Select all
vim /etc/bind/zones/master/sampledns.com.db

Add the following (NOTE: replace sampledns.com and 192.168.254.1 with your own details):

Code: Select all
;
; BIND data file for sampledns.com
;
$TTL    604800
; SOA: the first name is the primary nameserver, the second is the contact
; mailbox with the @ replaced by a dot (info@sampledns.com).
@       IN      SOA     ns1.sampledns.com. info.sampledns.com. (
                        2009051501      ; Serial
                        7200            ; Refresh
                        120             ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative cache TTL
;
@       IN      NS      ns1.sampledns.com.
@       IN      NS      ns2.sampledns.com.
; The nameservers need A records of their own, otherwise the NS records
; point at names nobody can resolve.
ns1     IN      A       192.168.254.1
ns2     IN      A       192.168.254.2
sampledns.com.  IN      MX      10      mail.sampledns.com.
sampledns.com.  IN      A       192.168.254.1
www     IN      CNAME   sampledns.com.
mail    IN      A       192.168.254.1
ftp     IN      CNAME   sampledns.com.
sampledns.com.  IN      TXT     "v=spf1 ip4:192.168.254.1 a mx ~all"
mail    IN      TXT     "v=spf1 a -all"

Here we have created a DNS zone file for sampledns.com listing both nameservers, the MX and A records for the mail server, CNAMEs for www and ftp pointing at the domain itself, and the SPF TXT records. Names without a trailing dot are relative to the zone (so "mail" means mail.sampledns.com.); names with a trailing dot are taken literally. Going into more detail about each record type is beyond the scope of this HOWTO and you should do your own research into what each item means.

In South Africa registering domain names with the .co.za extension requires that Reverse DNS (rDNS) is set up correctly. Other TLDs don't necessarily require rDNS, but either way it's good practice to set up rDNS for your DNS server, so we'll do so now. Bear in mind that the reverse zone for an address block is delegated by whoever owns the block (usually your ISP or RIR), so a reverse zone served from your own server only has an effect on the Internet if that block has been delegated to your nameservers.

Create a new file called 192.168.254.rev, which follows the convention of naming the file after the first three octets of your IP address:

Code: Select all
vim /etc/bind/zones/master/192.168.254.rev

Add the following (NOTE: replace ns1.sampledns.com, info.sampledns.com and ns2.sampledns.com with your own details):

Code: Select all
$TTL 1d
$ORIGIN 254.168.192.IN-ADDR.ARPA.
@       IN      SOA     ns1.sampledns.com. info.sampledns.com. (
                        2009051501      ; Serial
                        7200            ; Refresh
                        120             ; Retry
                        2419200         ; Expire
                        604800 )        ; Negative cache TTL
        IN      NS      ns1.sampledns.com.
        IN      NS      ns2.sampledns.com.
1       IN      PTR     ns1.sampledns.com.
2       IN      PTR     ns2.sampledns.com.

The reverse lookup file is almost identical to the domain zone file, with only minor changes. The first section of this file is exactly the same as the first section of the domain zone file. The bottom section is where it differs: this time we list the last octet of the IP address first and the hostname last.

There are two IMPORTANT things you must observe here. You have to use the fully qualified domain name in the PTR records and you must put a "." at the end of it. Without the trailing dot BIND treats the name as relative to the zone and silently appends the $ORIGIN, so the PTR ends up pointing at ns1.sampledns.com.254.168.192.IN-ADDR.ARPA, which is not what you want.

You must also change the $ORIGIN line at the top of the rDNS file to reflect the reversed IP range of your server. In this sample our addresses are 192.168.254.1 and 192.168.254.2, and the reverse of the 192.168.254 block is 254.168.192.IN-ADDR.ARPA. In the PTR records at the bottom the final octet of each address (1 and 2) is mapped to the name of the corresponding nameserver.
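The reverse zone is pure bookkeeping derived from the forward zone, so it is worth generating rather than typing: a PTR that disagrees with its A record is a common cause of mail being rejected. The following is an added example, not part of the original HOWTO: a small POSIX shell script that computes the in-addr.arpa origin for a prefix and emits a complete reverse zone from the A records of a forward zone file. It assumes records are written as "owner IN A address" the way this HOWTO writes them, uses hostmaster@ as the contact address instead of the HOWTO's info@, and the sample zone written by demo_zone is constructed for the demo.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): build the reverse
# (in-addr.arpa) zone from the A records of a forward zone file, so the PTR
# records cannot drift from the A records they should mirror. Assumes the
# HOWTO's record layout "owner IN A address". The zone written by demo_zone
# is constructed for this demo from the HOWTO's sampledns.com records.

# reverse_origin PREFIX -> in-addr.arpa origin (DNS names are case-insensitive,
# so 254.168.192.in-addr.arpa. equals the HOWTO's upper-case spelling).
# 192.168.254 -> 254.168.192.in-addr.arpa. ; 10 -> 10.in-addr.arpa.
reverse_origin() {
    printf '%s\n' "$1" | awk -F. '{ s = ""; for (i = NF; i >= 1; i--) s = s $i "."; print s "in-addr.arpa." }'
}

# gen_reverse_zone ZONEFILE DOMAIN PREFIX NS1 NS2 SERIAL
# Emits a complete reverse zone on stdout: SOA, NS records, then one PTR per
# address found in the forward zone's A records under PREFIX. An address with
# several A records (the HOWTO's apex and mail both use .1) gets exactly one
# PTR, taken from the first A record in file order, so list the canonical
# host name first.
gen_reverse_zone() {
    zone=$1 domain=$2 prefix=$3 ns1=$4 ns2=$5 serial=$6
    printf '$TTL 1d\n$ORIGIN %s\n' "$(reverse_origin "$prefix")"
    # RNAME is hostmaster@DOMAIN here (an assumption; the HOWTO uses info@).
    printf '@\tIN\tSOA\t%s. hostmaster.%s. (\n' "$ns1" "$domain"
    printf '\t%s\t; Serial\n\t7200\t; Refresh\n\t120\t; Retry\n\t2419200\t; Expire\n\t604800 )\t; Negative cache TTL\n' "$serial"
    printf '\tIN\tNS\t%s.\n\tIN\tNS\t%s.\n' "$ns1" "$ns2"
    # Strip ";" comments, keep "owner IN A prefix.N" lines, qualify relative
    # owners with the zone's domain ("@" is the apex), first record per
    # address wins, then sort by the final octet.
    sed 's/;.*//' "$zone" | awk -v d="$domain" -v p="$prefix." '
        $2 == "IN" && $3 == "A" && index($4, p) == 1 {
            host = substr($4, length(p) + 1)
            if (host in seen) next
            seen[host] = 1
            owner = $1
            if (owner == "@") owner = d "."
            else if (owner !~ /\.$/) owner = owner "." d "."
            print host "\tIN\tPTR\t" owner
        }' | sort -n
}

# demo_zone FILE: write a constructed forward zone mirroring the HOWTO's sample.
demo_zone() {
    cat > "$1" <<'EOF'
$TTL 604800
@       IN      SOA     ns1.sampledns.com. info.sampledns.com. (
        2009051501 ; Serial
        7200 ; Refresh
        120 ; Retry
        2419200 ; Expire
        604800 ) ; Negative cache TTL
@       IN      NS      ns1.sampledns.com.
@       IN      NS      ns2.sampledns.com.
ns1     IN      A       192.168.254.1
ns2     IN      A       192.168.254.2
sampledns.com.  IN      MX      10 mail.sampledns.com.
sampledns.com.  IN      A       192.168.254.1
www     IN      CNAME   sampledns.com.
mail    IN      A       192.168.254.1
EOF
}

# Run with --demo to print the reverse zone generated for the constructed sample.
if [ "${1-}" = "--demo" ]; then
    tmp=$(mktemp) && demo_zone "$tmp"
    gen_reverse_zone "$tmp" sampledns.com 192.168.254 ns1.sampledns.com ns2.sampledns.com 2009051501
    rm -f "$tmp"
fi
```

For the real zone, redirect the output to /etc/bind/zones/master/192.168.254.rev and run named-checkzone on it with the zone name 254.168.192.in-addr.arpa before reloading; the serial passed in should be bumped every time the forward zone's serial is.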

Making sure everything is OK

Now that we have created both the zone and the reverse file, we need to check that they are good to go. named refuses to load a zone file with a syntax error and keeps serving the old data (or nothing, for a new zone) while only a log line tells you why, so it's best to run this check before committing your changes.

Code: Select all
cd /etc/bind/zones/master/

Then run:

Code: Select all
named-checkzone sampledns.com sampledns.com.db

You should get an OK status when doing this. If not, double check your zone file and make changes until you get an OK status. Run the same check on the reverse file too, giving 254.168.192.IN-ADDR.ARPA as the zone name and 192.168.254.rev as the file.

Adding zone files to BIND9
We now need to add the zone data to the named.conf.local file:

Code: Select all
vim /etc/bind/named.conf.local

And add the following to the file (replacing sampledns.com with your details):

Code: Select all
zone "sampledns.com" {
type master;
file "/etc/bind/zones/master/sampledns.com.db";
};

zone "254.168.192.IN-ADDR.ARPA" {
type master;
file "/etc/bind/zones/master/192.168.254.rev";
};

Note that named reads these file paths from inside the chroot, i.e. they really refer to /var/lib/named/etc/bind/zones/master/. That works here because we moved /etc/bind into the jail and left only a symlink outside, so the same path is valid on both sides. After editing, named-checkconf (with no arguments it reads /etc/bind/named.conf and everything it includes) will tell you about syntax errors before you restart.

Testing

We can now restart bind and check that it answers for the new zone (don't forget to replace ns1.sampledns.com with your details):

Code: Select all
/etc/init.d/bind9 restart
ping ns1.sampledns.com

This should bring up a ping result resolving to 192.168.254.1. ping goes through /etc/resolv.conf, so this requires nameserver 127.0.0.1 there.

Try another test:

Code: Select all
nslookup ns1.sampledns.com

This should give you 192.168.254.1.

Finally run this one, which asks your server directly instead of going through resolv.conf:

Code: Select all
dig @localhost sampledns.com

If all is OK the ANSWER SECTION shows the A record for sampledns.com, the AUTHORITY SECTION lists ns1 and ns2, and the aa flag in the header confirms the answer is authoritative. dig returns only the records matching the query, not the whole zone file.

At this point you have a working and usable DNS server. Before you expose it to the Internet, look at /etc/bind/named.conf.options, which this HOWTO leaves at the Debian default: BIND's built-in default for allow-transfer is any, so anyone can pull a copy of your zones with AXFR unless you restrict it to your secondary, and allow-recursion should be set explicitly to your own networks so the server cannot be used as an open resolver for cache poisoning or amplification attacks.
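To make the two settings above concrete, here is an added example (not part of the original HOWTO) in POSIX shell: write_hardened_options writes a named.conf.options restricting recursion to a "trusted" ACL and transfers to the secondary, write_weak_options writes a constructed "open it up" variant that many how-tos of the period used (Debian's default options plus allow-query { any; }), and audit_options scans an options file for the two problems. The 192.168.254.0/24 trusted network and 192.168.254.2 secondary are assumptions taken from this HOWTO's addresses; the audit is a crude scan of the options file, not a full named.conf parser, and does not handle /* */ comments or per-zone allow-transfer statements.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): hardened named.conf.options
# for this setup, a constructed weak one for comparison, and an audit for the
# two settings that matter most on an Internet-facing BIND: open recursion and
# open zone transfers. Network addresses are assumptions from the HOWTO.

# write_hardened_options FILE
write_hardened_options() {
    cat > "$1" <<'EOF'
// Added example, not from the original HOWTO.
acl "trusted" { 127.0.0.0/8; 192.168.254.0/24; };

options {
    directory "/var/cache/bind";
    // Recurse only for our own networks: an open recursive resolver is a
    // cache-poisoning target and a DNS amplification source.
    recursion yes;
    allow-recursion { trusted; };
    allow-query-cache { trusted; };
    // Authoritative answers for everyone, zone transfers only to ns2.
    allow-query { any; };
    allow-transfer { 192.168.254.2; };
    // Do not advertise the exact BIND version (CHAOS TXT version.bind).
    version "not disclosed";
    auth-nxdomain no;
    listen-on-v6 { any; };
};
EOF
}

# write_weak_options FILE: constructed example of the usual "open it up" file.
write_weak_options() {
    cat > "$1" <<'EOF'
options {
    directory "/var/cache/bind";
    allow-query { any; };
    auth-nxdomain no;
    listen-on-v6 { any; };
};
EOF
}

# _has BODY ERE: true if the flattened config matches the pattern.
_has() { printf '%s' "$1" | grep -Eq "$2"; }

# audit_options FILE: one finding per line on stdout, returns 1 if any.
audit_options() {
    f=$1 rc=0
    # Strip // and # comments, flatten to one line, pad braces and semicolons
    # so "{any;}" and "{ any; }" look the same to the patterns below.
    body=$(sed -e 's#//.*##' -e 's/#.*//' "$f" | tr '\n' ' ' | sed 's/{/{ /g; s/;/; /g')
    any_in='[[:space:]]*\{[^}]*[[:space:]]any[[:space:]]*;'
    if ! _has "$body" 'recursion[[:space:]]+no[[:space:]]*;'; then
        if _has "$body" "allow-recursion$any_in"; then
            echo "$f: allow-recursion { any; } makes this an open recursive resolver"; rc=1
        elif ! _has "$body" 'allow-recursion' && ! _has "$body" 'allow-query-cache' \
             && _has "$body" "allow-query$any_in"; then
            # With allow-recursion and allow-query-cache unset, BIND derives
            # allow-recursion from allow-query, so "any" opens recursion.
            echo "$f: allow-query { any; } with no allow-recursion opens recursion to everyone"; rc=1
        fi
    fi
    if ! _has "$body" 'allow-transfer'; then
        echo "$f: no allow-transfer; BIND's default is any, so anyone can AXFR the zones"; rc=1
    elif _has "$body" "allow-transfer$any_in"; then
        echo "$f: allow-transfer { any; } lets anyone download the zones"; rc=1
    fi
    return $rc
}

# Usage: sh audit-options.sh /etc/bind/named.conf.options
if [ $# -eq 1 ]; then
    audit_options "$1"
fi
```

Run the audit against the live file before and after applying the hardened options, then confirm from an untrusted address with dig that a recursive query (for example dig @ns1.sampledns.com www.google.com) is refused and dig @ns1.sampledns.com sampledns.com AXFR fails, while the same AXFR still succeeds from 192.168.254.2.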

Troubleshooting

If you're wondering why changes to the zone file on your master never reach the slave (or clients behind it), check the serial number inside the zone file. Each time you change the zone file you need to increase the serial, because a slave only transfers the zone when it sees a serial larger than the one it already holds.

The serial number is constructed as follows:
2009051501 = (2009)(05)(15)(01)
First 4 digits of the serial indicate the year – i.e. 2009
Next 2 digits of the serial indicate the month – i.e. 05 (May)
Next 2 digits of the serial indicate the day – i.e. 15
The last 2 digits of the serial indicate the revision number for that day – i.e. 01

If you are updating your Serial number but your changes are not being reflected I suggest that you reload your BIND data by executing the following command in a Linux shell:

Code: Select all
rndc reload
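Forgetting to bump the serial is the classic mistake described above, and bumping it by hand invites typos that move it backwards. The following is an added example, not part of the original HOWTO: a POSIX shell function that increments a YYYYMMDDnn serial in place following the convention just described, never lets the serial go backwards, and a wrapper that runs named-checkzone before bumping and rndc reload after. It assumes the serial sits on its own line followed by "; Serial", as in this HOWTO's zone files; the optional date argument exists only so the function can be tested with a fixed date.

```shell
#!/bin/sh
# Added example (not part of the original HOWTO): bump the YYYYMMDDnn serial
# of a zone file the way the Troubleshooting section describes, then check
# and reload the zone. Assumes the HOWTO's layout, i.e. a line such as
# "2009051501 ; Serial" with the serial first and the comment after it.

# bump_serial ZONEFILE [YYYYMMDD]
# Rewrites the serial in place and prints the new one. Same day -> nn+1,
# new day -> YYYYMMDD01. The date argument is optional and exists for tests.
bump_serial() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    old=$(sed -n 's/^[[:space:]]*\([0-9]\{10\}\)[[:space:]]*;[[:space:]]*[Ss]erial.*/\1/p' "$file" | head -n 1)
    if [ -z "$old" ]; then
        echo "bump_serial: no YYYYMMDDnn serial line in $file" >&2
        return 1
    fi
    new="${today}01"
    # Slaves only transfer when the serial grows, so never go backwards: if
    # today's first serial is not above the old one (same day, or a serial
    # that was written with a wrong clock) just add one to the old value.
    if [ "$new" -le "$old" ]; then
        new=$((old + 1))
    fi
    # Write through a temp file, but copy back with cat so the zone file
    # keeps its inode, owner (bind:bind) and mode inside the chroot.
    sed "s/^\([[:space:]]*\)$old\([[:space:]]*;[[:space:]]*[Ss]erial\)/\1$new\2/" "$file" > "$file.tmp" \
        && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
    echo "$new"
}

# publish_zone ZONENAME ZONEFILE
# Check first: named refuses to load a broken zone file and keeps serving the
# old data, so a serial bumped on a broken file just hides the problem.
publish_zone() {
    named-checkzone "$1" "$2" > /dev/null || return 1
    bump_serial "$2" > /dev/null || return 1
    rndc reload "$1"
}

# Usage: sh publish-zone.sh sampledns.com /etc/bind/zones/master/sampledns.com.db
if [ $# -eq 2 ]; then
    publish_zone "$1" "$2"
fi
```

Edit the zone, then run the script once; it refuses to touch the serial if named-checkzone rejects the file, and after rndc reload the master sends NOTIFY to the slaves, which transfer the zone because the serial is now higher. The reverse zone needs the same treatment whenever it changes.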

If you are running BIND on two different servers, keep their clocks in sync. Plain zone transfers do not depend on the time, but TSIG-signed transfers and updates only tolerate a few minutes of skew between master and slave, and DNSSEC validation depends on a correct clock, so install ntpdate (or a full ntp daemon) on both servers:
apt-get -y install ntpdate

courtesy Deja-Vu and http://forums.debian.net/viewtopic.php?f=16&t=39146

This entry was posted on Sunday, June 21st, 2009 at 12:28 am and is filed under debian, linux.

One Response

June 25th, 2009 at 6:02 am
khail Says:

Good work
