Setting up a BIND DNS Server: Difference between revisions
Mmuehlfeld (Split this guide about building BIND from the old "DNS Backend BIND" into a new page)
Revision as of 17:37, 25 August 2015
Introduction
This HowTo describes how to compile and configure a basic BIND installation that can be used as the DNS backend of a Samba AD DC. Skip this guide if you already have a BIND installation that can be used as the Samba AD backend.
If you need a more complex DNS setup than the Samba 4 internal DNS server supports, using BIND as the DNS backend is recommended.
Installing BIND
The use of BIND as a backend for your Samba Active Directory Domain Controller is currently only supported in versions 9.8 and 9.9. Users of BIND 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section DNS dynamic updates via Kerberos for BIND 9.7 for instructions on configuring BIND 9.7.
If you install BIND from the repositories of your distribution, you can skip the following two steps, but make sure that it was compiled with the '--with-gssapi' and '--with-dlopen' options (see below) before using it as the Samba AD DNS backend.
Downloading
Download a Samba-supported version of your choice from https://www.isc.org/software/bind.
Compiling BIND
To use BIND 9.8.1 or later as the Samba AD DNS backend, at least the following two configure options are required:
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
Check whether your environment requires further configure options. If you are building BIND 9.8.0, you must use '--with-dlz-dlopen=yes' instead of '--with-dlopen=yes'.
To build and install:
# make
# make install
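Whether BIND came from a distribution package or from the build above, the configure options can be read back from the installed binary with 'named -V'. The following POSIX shell helper is an added example (not part of this guide or of BIND) that checks that output for the two options required here, accepting the '--with-dlz-dlopen' spelling used by BIND 9.8.0 and rejecting an explicit '--with-gssapi=no'. The three SAMPLE_* strings are constructed stand-ins for 'named -V' output.

```shell
#!/bin/sh
# check_named_build_options TEXT: TEXT is the output of `named -V`, which
# lists the configure arguments the binary was built with. Returns 0 when
# both GSSAPI support (Kerberos-signed dynamic updates) and the DLZ dlopen
# driver (used by Samba's BIND backend) are compiled in; otherwise prints
# what is missing and returns 1.
check_named_build_options() {
    opts="$1"
    rc=0
    # first matching pattern wins, so the negative spellings come first
    case "$opts" in
        *--with-gssapi=no*|*--without-gssapi*)
            echo "missing --with-gssapi (needed for Kerberos-signed dynamic updates)"; rc=1 ;;
        *--with-gssapi*) ;;
        *)  echo "missing --with-gssapi (needed for Kerberos-signed dynamic updates)"; rc=1 ;;
    esac
    case "$opts" in
        *--with-dlopen=no*|*--with-dlz-dlopen=no*)
            echo "missing --with-dlopen (--with-dlz-dlopen on BIND 9.8.0)"; rc=1 ;;
        *--with-dlopen*|*--with-dlz-dlopen*) ;;   # 9.8.0 spells it --with-dlz-dlopen
        *)  echo "missing --with-dlopen (--with-dlz-dlopen on BIND 9.8.0)"; rc=1 ;;
    esac
    return $rc
}

# Constructed sample outputs (not captured from a real host):
SAMPLE_OK="BIND 9.9.9 built by make with '--prefix=/usr' '--with-gssapi=/usr/include/gssapi' '--with-dlopen=yes'"
SAMPLE_OLD="BIND 9.8.0 built by make with '--with-gssapi=/usr/include/gssapi' '--with-dlz-dlopen=yes'"
SAMPLE_BAD="BIND 9.9.9 built by make with '--prefix=/usr'"

# On a real host, check the installed binary instead of the samples:
#   check_named_build_options "$(named -V 2>&1)" && echo "named is usable as Samba AD DNS backend"
```

A distribution package that fails this check has to be rebuilt (or replaced) before it can serve as the Samba AD DNS backend; installing Samba's DLZ module into such a binary will not work.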
Configuration
Setting up a basic named.conf
The following example is a minimal 'named.conf' for a plain BIND installation without any Samba AD parts. The Samba-specific parameters are added later.
# /etc/named.conf

# Global BIND configuration options
options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    allow-query {
        127.0.0.1;
        10.1.1.0/24;
        # add other networks you want to allow to query your DNS
    };

    allow-recursion {
        10.1.1.0/24;
        # add other networks you want to allow to do recursive queries
    };

    forwarders {
        # Google public DNS server here - replace with your own if necessary
        8.8.8.8;
        8.8.4.4;
    };

    allow-transfer {
        # this config is for a single master DNS server
        none;
    };
};

# Root servers (required zone for recursive queries)
zone "." {
    type hint;
    file "named.root";
};

# Required localhost forward-/reverse zones
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};
We chose '/var/named' as the directory in 'named.conf' where the zone files etc. reside. If you want to place them in a different location, adjust the paths in all further instructions accordingly.
For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'.
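The three ACLs in the options block are what keep this server from being an open resolver (allow-query, allow-recursion) and from handing out its zones to anyone who asks (allow-transfer). The following POSIX shell script is an added example, not part of this guide or of BIND, that reads those statements back from a 'named.conf' and flags settings that open them up. It assumes the single options block layout shown above with '#' or '//' comments (it does not parse '/* */' comments or per-view ACLs); the audit_named_conf and acl_body names are mine.

```shell
#!/bin/sh
# acl_body FILE STATEMENT: print the address list inside "STATEMENT { ... };"
# from FILE, comments stripped, one entry per line; prints nothing when the
# statement is absent. Assumes the flat options block of the guide's named.conf.
acl_body() {
    sed -e 's|//.*||' -e 's|#.*||' "$1" |
    tr '\n' ' ' |
    sed -n "s/.*[[:space:]]$2[[:space:]]*{\([^}]*\)}.*/\1/p" |
    tr ';' '\n' |
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d'
}

# audit_named_conf FILE: print one line per finding and return 1 if any was
# found, 0 when the ACLs match the guide's intent (query/recursion limited to
# listed networks, transfers disabled).
audit_named_conf() {
    conf="$1"
    rc=0
    for stmt in allow-query allow-recursion allow-transfer; do
        body=$(acl_body "$conf" "$stmt")
        if [ -z "$body" ]; then
            # BIND 9 defaults: allow-query and allow-transfer are "any";
            # allow-recursion falls back to localhost/localnets.
            if [ "$stmt" != allow-recursion ]; then
                echo "$stmt missing: BIND defaults it to 'any'"
                rc=1
            fi
            continue
        fi
        # an entry of "any" or a catch-all prefix opens the statement to the Internet
        if echo "$body" | grep -qxE 'any|0\.0\.0\.0/0|::/0'; then
            echo "$stmt allows the whole Internet: $(echo "$body" | tr '\n' ' ')"
            rc=1
        fi
    done
    return $rc
}

# Usage on the live file:
#   audit_named_conf /etc/named.conf && echo "ACLs look restricted"
```

Run it after every edit of 'named.conf'; it complements 'named-checkconf', which only verifies syntax and says nothing about whether the server answers recursive queries for the whole Internet.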
Adding a user and group for BIND
If you don't want to run BIND as root (and you surely don't!), add a dedicated account and group.
First check whether a 'named' group already exists:
# getent group | grep named
Add the user and group if none exists (adapt the UID/GID if required):
# groupadd -g 25 named
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named
Getting the root name server list
Download the root name server list from InterNIC:
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
# chown named:named /var/named/named.root
To keep the file current, you can add a cron job that downloads it automatically.
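A cron job that overwrites 'named.root' with whatever the download returned will happily replace the hints with an empty file or an HTML error page. The following POSIX shell script is an added example (not from this guide or from ISC) that downloads to a temporary file, checks that the result looks like a root hints file, and only then installs it with the ownership used above. The paths and URL are the guide's; the threshold of 13 root server identities (A to M), the validate_root_hints and update_root_hints names, and the use of 'rndc reload' (which needs a working rndc configuration, not covered in this guide) are my assumptions.

```shell
#!/bin/sh
# Cron-friendly refresh of the root hints file, e.g. in /etc/crontab:
#   0 3 1 * * root /usr/local/sbin/update-root-hints.sh update
HINTS_URL="http://www.internic.net/zones/named.root"
HINTS_FILE="/var/named/named.root"
MIN_ROOT_SERVERS=13   # assumption: A to M root server identities; a truncated download has fewer

# validate_root_hints FILE: return 0 if FILE looks like a root hints file:
# non-empty, no HTML, and at least MIN_ROOT_SERVERS NS records for "." that
# point at ROOT-SERVERS.NET hosts.
validate_root_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    if grep -qi '<html' "$f"; then
        return 1
    fi
    # grep -c prints 0 and exits 1 when nothing matches; keep the count either way
    n=$(grep -ci '^\.[[:space:]].*[[:space:]]NS[[:space:]].*ROOT-SERVERS\.NET' "$f" || true)
    [ "$n" -ge "$MIN_ROOT_SERVERS" ]
}

# update_root_hints: download next to HINTS_FILE, validate, install atomically
# and ask named to re-read its hints. On any failure the old file is kept.
update_root_hints() {
    tmp=$(mktemp "${HINTS_FILE}.XXXXXX") || return 1
    if wget -q -O "$tmp" "$HINTS_URL" && validate_root_hints "$tmp"; then
        if chown named:named "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$HINTS_FILE"; then
            rndc reload >/dev/null 2>&1 || echo "rndc reload failed; restart named to pick up the new hints" >&2
            return 0
        fi
    fi
    echo "root hints download failed or looked invalid; keeping $HINTS_FILE" >&2
    rm -f "$tmp"
    return 1
}

# only touch the network and the live file when explicitly asked
if [ "${1:-}" = "update" ]; then
    update_root_hints
fi
```

Because the script writes the temporary file into '/var/named' and renames it over the old one, named never sees a half-written hints file, and a failed run leaves the previous (still valid) list in place.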
Creating the localhost zone file
Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone:
$TTL 3D
$ORIGIN localhost.
@       1D      IN      SOA     @       root (
                        2013050101      ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expiry
                        1D              ; minimum
                        )

@       IN      NS      @
        IN      A       127.0.0.1
Creating the 0.0.127.in-addr.arpa zone file
Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone:
$TTL 3D
@       IN      SOA     localhost. root.localhost. (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )

        IN      NS      localhost.
1       IN      PTR     localhost.
Set permissions on the zone files
# chown named:named /var/named/master/*.zone
# chmod 640 /var/named/master/*.zone
Starting BIND
# named -u named
If the configuration is valid, you should see no errors on the console or in the system log file.
To have BIND started automatically at boot time, create an init.d script or a systemd unit for it.
Testing your zone
Now we will try to look up our zone entries. We tell the 'host' command to use the resolver on 127.0.0.1, so that we query our own server rather than another DNS server listed in '/etc/resolv.conf'.
First check the forward lookup for 'localhost':
# host localhost. 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

localhost has address 127.0.0.1
And then the reverse lookup for '127.0.0.1':
# host 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

1.0.0.127.in-addr.arpa domain name pointer localhost.