Difference between revisions of "Setting up a BIND DNS Server"

m (Mmuehlfeld moved page Setup a basic BIND installation to Setting up a BIND DNS Server: Update title)
(Rewrote page. Clearer structure, better wording, used markups, removed unnecessary content, linked content from other pages to avoid duplicate content.)
Line 1: Line 1:
 
= Introduction =
 
= Introduction =
  
This HowTo describes how to compile and configure a basic BIND installation, that can be used as Samba DC DNS backend. Skip this guide if you already have an existing BIND installation that can be used as a Samba AD backend.
+
If you are planning to set up a Samba Active Directory (AD) domain controller (DC) using the <code>BIND9_DLZ</code> back end, you have to install and configure the BIND DNS server first.
  
If you need to setup a more complex DNS setup than what is possible with the Samba 4 internal DNS, then using BIND as the DNS backend is recommended.
+
The following describes how to set up a basic BIND installation you can use as Samba AD DC back end.
  
  
Line 11: Line 11:
 
= Installing BIND =
 
= Installing BIND =
  
The use of BIND as a backend for your Samba Active Directory Domain Controller is currently only supported in versions 9.8 and 9.9. Users of bind 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section [[BIND9_DLZ_DNS_Back_End#BIND_9.7_2|DNS dynamic updates via Kerberos for BIND 9.7]] for instructions on configuring BIND 9.7.
+
For a list of supported BIND versions, see [[BIND9_DLZ_DNS_Back_End#Configuring_the_BIND9_DLZ_module|Configuring the BIND9_DLZ module]].
  
If you install BIND from the repositories of your distribution, you can skip the following two steps, but make sure that it was compiled with the '--with-gssapi' and '--with-dlopen' options (see below) before using it as the Samba AD DNS backend.
+
{{Imbox
 +
| type = note
 +
| text = You can not run BIND in a changed root environment, because the <code>BIND9_DLZ</code> must be able to access the Samba Active Directory (AD) database files directly.
 +
}}
  
  
  
== Downloading ==
+
== Package Installation ==
  
Download your desired and Samba 4 supported version from [https://www.isc.org/software/bind https://www.isc.org/software/bind].
+
Installing BIND using packages provided with your distribution is the recommended way. Select this installation mode for an easy installation and to automatically receive updates when available. For details how to install packages, see the distribution's package manager documentation.
  
 +
Make sure that your package provider compiled BIND using the following options:
 +
* <code>--with-gssapi=yes</code> for secure dynamic DNS updates using Kerberos
 +
* <code>--with-dlopen</code> dynamically loadable zones (DLZ)
  
 +
To list the build options:
 +
# named -V
 +
BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
  
== Compiling BIND ==
 
  
To use BIND 9.8.1 or later as Samba AD backend, at least the following two configure options are required:
+
 
 +
 
 +
== Compiling and Installing BIND ==
 +
 
 +
Use this installation mode if you are an advanced user and know how to compile software.
 +
 
 +
 
 +
=== Downloading the Sources ===
 +
 
 +
Download a supported BIND version from https://www.isc.org/software/bind.
 +
 
 +
 
 +
 
 +
=== Compiling BIND ===
 +
 
 +
* Pass at least the following parameters to the <code>configure</code> command:
  
 
  # ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
 
  # ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
  
Please check if there are other options you require for your environment. If you are building BIND 9.8.0, you must use '--with-dlz-dlopen=yes' instead of '--with-dlopen=yes'.
+
: Add further parameters, if required.
  
To build and install:
+
* To build and install, run:
  
 
  # make
 
  # make
Line 38: Line 61:
  
  
= Configuration =
+
=== Adding a User and Group for BIND ===
 +
 
 +
For security reasons, do not run BIND as <code>root</code> user.
 +
 
 +
To create a <code>named</code> group using GID <code>25</code>:
 +
 
 +
# groupadd -g 25 named
 +
 
 +
To create a <code>named</code> account with UID <code>25</code>, primary group <code>named</code>, home directory <code>/var/named/</code>, and without a valid shell:
 +
 
 +
# useradd -u 25 -g named -d /var/named -M -s /sbin/nologin named
 +
 
 +
For details, see the <code>useradd (8)</code> and <code>groupadd (8)</code> man page.
 +
 
 +
 
 +
 
 +
 
 +
 
 +
= Configuring BIND =
 +
 
 +
== Setting up a named.conf file ==
 +
 
 +
To locate the directory, BIND uses to read the <code>named.conf</code> file:
 +
 
 +
# named -V
 +
BIND 9.x.y built with ... '--sysconfdir=/etc' ...
  
== Setting up a basic named.conf ==
+
In the previous example, BIND reads the configuration from the <code>/etc/named.conf</code> file.
  
The following example is a basic 'named.conf' for a pure minimal BIND installation without any Samba AD parts. See [[BIND9_DLZ_DNS_Back_End|here]] for how to configure Bind for Samba AD.
+
The following is a basic configuration file:
  
# /etc/named.conf
+
  # Global Configuration Options
  # Global BIND configuration options
 
 
 
  options {
 
  options {
 
   
 
   
Line 54: Line 100:
 
     empty-zones-enable no;
 
     empty-zones-enable no;
 
   
 
   
 +
    # IP addresses and network ranges allowed to query the DNS server:
 
     allow-query {
 
     allow-query {
 
         127.0.0.1;
 
         127.0.0.1;
         10.1.1.0/24;
+
         10.99.1.0/24;
        # add other networks you want to allow to query your DNS
 
 
     };
 
     };
 
   
 
   
 +
    # IP addresses and network ranges allowed to run recursive queries:
 +
    # (Zones not served by this DNS server)
 
     allow-recursion {
 
     allow-recursion {
 +
        127.0.0.1;
 
         10.1.1.0/24;
 
         10.1.1.0/24;
        # add other networks you want to allow to do recursive queries
 
 
     };
 
     };
 
   
 
   
 +
    # Forward queries that can not be answered from own zones
 +
    # to these DNS servers:
 
     forwarders {
 
     forwarders {
        # Google public DNS server here - replace with your own if necessary
 
 
         8.8.8.8;
 
         8.8.8.8;
 
         8.8.4.4;
 
         8.8.4.4;
 
     };
 
     };
 
   
 
   
 +
    # Disable zone transfers
 
     allow-transfer {
 
     allow-transfer {
        # this config is for a single master DNS server
 
 
         none;
 
         none;
 
     };
 
     };
 +
  };
 
   
 
   
  };
+
  # Root Servers
+
  # (Required for recursive DNS queries)
 
 
  # Root servers (required zone for recursive queries)
 
 
  zone "." {
 
  zone "." {
 
     type hint;
 
     type hint;
Line 85: Line 133:
 
  };
 
  };
 
   
 
   
  # Required localhost forward-/reverse zones
+
  # Forward zone: localhost
 
  zone "localhost" {
 
  zone "localhost" {
 
     type master;
 
     type master;
Line 91: Line 139:
 
  };
 
  };
 
   
 
   
 +
# Reverse zone: 127.0.0.
 
  zone "0.0.127.in-addr.arpa" {
 
  zone "0.0.127.in-addr.arpa" {
 
     type master;
 
     type master;
Line 96: Line 145:
 
  };
 
  };
  
We chose '/var/named' as directory in 'named.conf' to be the place where our zonefiles, etc. reside. If you want to place them on a different location, please regard this in all further instructions.
+
{{Imbox
 +
| type = note
 +
| text = This example does not contain the <code>BIND9_DLZ</code> configuration required for setting up a Samba Active Directory (AD) DNS server. For details how to set up the module, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].
 +
}}
  
For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'.
+
For details about the used parameters and options, see the <code>named.conf (5)</code> man page.
  
  
  
== Adding a user and group for BIND ==
+
== Downloading the DNS Root Servers List ==
 
 
If you don't want to run bind as root (and I'm sure you don't want that!), we add an account and group.
 
 
 
First check if we have an existing `named` group:
 
 
 
# getent group|grep named
 
 
 
Add the user and group if none exists (adapt the UID/GID if required) :
 
 
 
# groupadd -g 25 named
 
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named
 
  
 +
* Download the latest list of the DNS root servers to the <code>/var/named/named.root</code> file:
  
 +
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
  
== Getting the root name server list ==
+
* Enable the BIND user to read the root servers list:
  
Download the root name server list from InterNIC:
+
# chown root:named /var/named/named.root
 +
# chmod 640 /var/named/named.root
  
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
+
{{Imbox
# chown named:named /var/named/named.root
+
| type = note
 +
| text = Optionally, set up a Cron job to automatically update the file.
 +
}}
  
To have always the current file, you can add a cronjob to automatically download.
 
  
  
 +
== Creating the localhost Zone File ==
  
== Creating the localhost zone file ==
+
* Create the <code>localhost</code> forward zone in the <code>/var/named/master/localhost.zone</code> file:
 
 
Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone:
 
  
 
  $TTL 3D
 
  $TTL 3D
Line 147: Line 191:
 
         IN      A      127.0.0.1
 
         IN      A      127.0.0.1
  
 +
* Enable the BIND user to read the zone file:
 +
# chown named:named /var/named/master/localhost.zone
 +
# chmod 640 /var/named/master/localhost.zone
  
  
== Creating the 0.0.127.in-addr.arpa zone file ==
 
  
Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone:
+
== Creating the 0.0.127.in-addr.arpa Zone File ==
 +
 
 +
* Create the <code>0.0.127.in-addr.arpa</code> reverse zone in the <code>/var/named/master/0.0.127.zone</code> file:
  
 
  $TTL 3D
 
  $TTL 3D
Line 168: Line 216:
  
  
 +
* Enable the BIND user to read the zone file:
  
== Set permissions on the zone files ==
+
# chown named:named /var/named/master/0.0.127.zone
 +
# chmod 640 /var/named/master/0.0.127.zone
  
# chown named:named /var/named/master/*.zone
 
# chmod 640 /var/named/master/*.zone
 
  
  
  
  
 +
= Starting the Daemon =
  
= Starting BIND =
+
To start the BIND daemon as the <code>named</code> user, run
  
 
  # named -u named
 
  # named -u named
  
If the configuration is valid, you should see no errors on the console and in the system logfile.
+
Alternatively, use your operating system tools, such as <code>systemctl</code> or <code>service</code>, to start the daemon. See you distribution's documentation for details.
  
To have BIND automatically started at boot time, it's recommended to create a init.d script or start it by systemd.
+
{{Imbox
 +
| type = note
 +
| text = Enable the daemon to start automatically when the system boots. For details, see your distribution's documentation.
 +
}}
  
  
  
  
 +
= Testing Your Zones =
  
= Testing your zone =
+
The following examples query the DNS service on the local machine (<code>127.0.0.1</code>):
  
Now we will try to lookup our zone entries. We tell the 'host' command to use the resolver on 127.0.0.1, so that we don't query a foreign DNS server that is also configured in '/etc/resolv.conf'.
+
To test the <code>localhost</code> forward zone:
  
First check the forward lookup for 'localhost':
+
  # host -t A localhost 127.0.0.1
  # host localhost. 127.0.0.1
 
 
  Using domain server:
 
  Using domain server:
 
  Name: 127.0.0.1
 
  Name: 127.0.0.1
 
  Address: 127.0.0.1#53
 
  Address: 127.0.0.1#53
 
  Aliases:  
 
  Aliases:  
 
 
  localhost has address 127.0.0.1
 
  localhost has address 127.0.0.1
  
And then the reverse lookup for '127.0.0.1':
+
To test the <code>0.0.127.in-addr.arpa</code> reverse zone:
  # host 127.0.0.1 127.0.0.1
+
 
 +
  # host -t PTR 127.0.0.1 127.0.0.1
 
  Using domain server:
 
  Using domain server:
 
  Name: 127.0.0.1
 
  Name: 127.0.0.1
 
  Address: 127.0.0.1#53
 
  Address: 127.0.0.1#53
 
  Aliases:  
 
  Aliases:  
 
 
  1.0.0.127.in-addr.arpa domain name pointer localhost.
 
  1.0.0.127.in-addr.arpa domain name pointer localhost.
  
Line 215: Line 266:
  
  
= Configuring BIND as Samba Active Directory backend =
 
  
See [[BIND9_DLZ_DNS_Back_End|Configuring BIND9_DLZ as Back End for Samba AD]].
+
= Configuring the BIND9_DLZ module =
 +
 
 +
For details, see See [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].

Revision as of 20:33, 19 October 2016

Introduction

If you are planning to set up a Samba Active Directory (AD) domain controller (DC) using the BIND9_DLZ back end, you have to install and configure the BIND DNS server first.

The following describes how to set up a basic BIND installation you can use as Samba AD DC back end.



Installing BIND

For a list of supported BIND versions, see Configuring the BIND9_DLZ module.


Package Installation

Installing BIND using packages provided with your distribution is the recommended way. Select this installation mode for an easy installation and to automatically receive updates when available. For details how to install packages, see the distribution's package manager documentation.

Make sure that your package provider compiled BIND using the following options:

  • --with-gssapi=yes for secure dynamic DNS updates using Kerberos
  • --with-dlopen dynamically loadable zones (DLZ)

To list the build options:

# named -V
BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...



Compiling and Installing BIND

Use this installation mode if you are an advanced user and know how to compile software.


Downloading the Sources

Download a supported BIND version from https://www.isc.org/software/bind.


Compiling BIND

  • Pass at least the following parameters to the configure command:
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
Add further parameters, if required.
  • To build and install, run:
# make
# make install


Adding a User and Group for BIND

For security reasons, do not run BIND as root user.

To create a named group using GID 25:

# groupadd -g 25 named

To create a named account with UID 25, primary group named, home directory /var/named/, and without a valid shell:

# useradd -u 25 -g named -d /var/named -M -s /sbin/nologin named

For details, see the useradd (8) and groupadd (8) man page.



Configuring BIND

Setting up a named.conf file

To locate the directory, BIND uses to read the named.conf file:

# named -V
BIND 9.x.y built with ... '--sysconfdir=/etc' ...

In the previous example, BIND reads the configuration from the /etc/named.conf file.

The following is a basic configuration file:

# Global Configuration Options
options {

    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        10.99.1.0/24;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        10.1.1.0/24;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    # Disable zone transfers 
    allow-transfer {
        none;
    };
 };

# Root Servers
# (Required for recursive DNS queries)
zone "." {
   type hint;
   file "named.root";
};

# Forward zone: localhost
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# Reverse zone: 127.0.0.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

For details about the used parameters and options, see the named.conf (5) man page.


Downloading the DNS Root Servers List

  • Download the latest list of the DNS root servers to the /var/named/named.root file:
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
  • Enable the BIND user to read the root servers list:
# chown root:named /var/named/named.root
# chmod 640 /var/named/named.root


Creating the localhost Zone File

  • Create the localhost forward zone in the /var/named/master/localhost.zone file:
$TTL 3D

$ORIGIN localhost.

@       1D      IN     SOA     @       root (
                       2013050101      ; serial
                       8H              ; refresh
                       2H              ; retry
                       4W              ; expiry
                       1D              ; minimum
                       )

@       IN      NS      @
        IN      A       127.0.0.1
  • Enable the BIND user to read the zone file:
# chown named:named /var/named/master/localhost.zone
# chmod 640 /var/named/master/localhost.zone


Creating the 0.0.127.in-addr.arpa Zone File

  • Create the 0.0.127.in-addr.arpa reverse zone in the /var/named/master/0.0.127.zone file:
$TTL 3D

@       IN      SOA     localhost. root.localhost. (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )

       IN      NS      localhost.

1      IN      PTR     localhost.


  • Enable the BIND user to read the zone file:
# chown named:named /var/named/master/0.0.127.zone
# chmod 640 /var/named/master/0.0.127.zone



Starting the Daemon

To start the BIND daemon as the named user, run

# named -u named

Alternatively, use your operating system tools, such as systemctl or service, to start the daemon. See you distribution's documentation for details.



Testing Your Zones

The following examples query the DNS service on the local machine (127.0.0.1):

To test the localhost forward zone:

# host -t A localhost 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 
localhost has address 127.0.0.1

To test the 0.0.127.in-addr.arpa reverse zone:

# host -t PTR 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 
1.0.0.127.in-addr.arpa domain name pointer localhost.



Configuring the BIND9_DLZ module

For details, see See BIND9_DLZ DNS Back End.