Setting up a BIND DNS Server: Difference between revisions

Mmuehlfeld (talk | contribs), m (Fix link) → m (added note)
(24 intermediate revisions by 4 users not shown)
Revision as of 14:44, 2 September 2019
= Introduction =

If you are planning to set up a Samba Active Directory (AD) domain controller (DC) using the <code>BIND9_DLZ</code> back end, you have to install and configure the BIND DNS server first.

The following describes how to set up a basic BIND installation you can use as Samba AD DC back end.

{{Imbox
| type = important
| text = Samba AD is not compatible with other DNS servers, even those that support tkey-gss updates, because parts of Samba (like the DNS management RPC server and the domain join) assume the replicated DNS entries in the AD database are the same as those exposed over DNS. Likewise, the security of the system depends on the ACLs on each DNS entry in AD.
}}

{{Imbox
| type = note
| text = If you are changing from the internal DNS server to a BIND9 DNS server, you also need to read [[Changing_the_DNS_Back_End_of_a_Samba_AD_DC|Changing the DNS Back End of a Samba AD DC]].
}}
= Installing BIND =

For a list of supported BIND versions, see [[BIND9_DLZ_DNS_Back_End#Configuring_the_BIND9_DLZ_Module|Configuring the BIND9_DLZ module]].

{{Imbox
| type = note
| text = You cannot run BIND in a changed root environment (chroot), because the <code>BIND9_DLZ</code> module must be able to access the Samba Active Directory (AD) database files directly.
}}

== Package Installation ==

Installing BIND using the packages provided with your distribution is the recommended way. Select this installation mode for an easy installation and to automatically receive updates when they become available. For details on how to install packages, see your distribution's package manager documentation.

Make sure that your package provider compiled BIND using the following options:

* <code>--with-gssapi=yes</code> or <code>--with-gssapi=/usr</code> (or similar), for secure dynamic DNS updates using Kerberos
* <code>--with-dlopen</code>, for dynamically loadable zones (DLZ)

{{Imbox
| type = note
| text = Later versions of BIND 9.9.x have the <code>--with-dlopen</code> option built in, and it is not shown by the following command. This happened around BIND 9.9.4.
}}

To list the build options:

 # named -V
 BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
== Compiling and Installing BIND ==

Use this installation mode if you are an advanced user and know how to compile software.

=== Downloading the Sources ===

Download a supported BIND version from https://www.isc.org/software/bind.

=== Compiling BIND ===

* Pass at least the following parameters to the <code>configure</code> command:

 # ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes

: Add further parameters, if required.

* To build and install, run:

 # make
 # make install
=== Adding a User and Group for BIND ===

For security reasons, do not run BIND as the <code>root</code> user.

To create a <code>named</code> group using GID <code>25</code>:

 # groupadd -g 25 named

To create a <code>named</code> account with UID <code>25</code>, primary group <code>named</code>, home directory <code>/var/named/</code>, and without a valid shell:

 # useradd -u 25 -g named -d /var/named -M -s /sbin/nologin named

For details, see the <code>useradd (8)</code> and <code>groupadd (8)</code> man pages.
= Configuring BIND =

== Setting up a named.conf file ==

To locate the directory from which BIND reads the <code>named.conf</code> file:

 # named -V
 BIND 9.x.y built with ... '--sysconfdir=/etc' ...

In the previous example, BIND reads the configuration from the <code>/etc/named.conf</code> file.

The following is a basic configuration file:

 # Global Configuration Options
 options {
     auth-nxdomain yes;
     directory "/var/named";
     notify no;
     empty-zones-enable no;
 
     # IP addresses and network ranges allowed to query the DNS server:
     allow-query {
         127.0.0.1;
         10.99.1.0/24;
     };
 
     # IP addresses and network ranges allowed to run recursive queries:
     # (Zones not served by this DNS server)
     allow-recursion {
         127.0.0.1;
         10.1.1.0/24;
     };
 
     # Forward queries that can not be answered from own zones
     # to these DNS servers:
     forwarders {
         8.8.8.8;
         8.8.4.4;
     };
 
     # Disable zone transfers
     allow-transfer {
         none;
     };
 };
 
 # Root Servers
 # (Required for recursive DNS queries)
 zone "." {
     type hint;
     file "named.root";
 };
 
 # localhost zone
 zone "localhost" {
     type master;
     file "master/localhost.zone";
 };
 
 # 127.0.0. zone.
 zone "0.0.127.in-addr.arpa" {
     type master;
     file "master/0.0.127.zone";
 };

For details about the used parameters and options, see the <code>named.conf (5)</code> man page.

The previous example does not contain the <code>BIND9_DLZ</code> configuration required for setting up a Samba AD DNS server. For details on how to set up the module, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].

{{Imbox
| type = important
| text = You must not add the AD domain forward or reverse zone records to the named.conf files; these zones are stored dynamically in AD.
}}
== Downloading the DNS Root Servers List ==

* Download the latest list of the DNS root servers to the <code>/var/named/named.root</code> file:

 # wget -q -O /var/named/named.root http://www.internic.net/zones/named.root

* Enable the BIND user to read the root servers list:

 # chown root:named /var/named/named.root
 # chmod 640 /var/named/named.root

{{Imbox
| type = note
| text = Optionally, set up a Cron job to automatically update the file.
}}
== Creating the localhost Zone File ==

* Create the <code>localhost</code> forward zone in the <code>/var/named/master/localhost.zone</code> file:

 $TTL 3D
 $ORIGIN localhost.
 @       1D IN SOA @ root (
                         2013050101      ; serial
                         8H              ; refresh
                         2H              ; retry
                         4W              ; expiry
                         1D              ; minimum
                         )
 @       IN NS   @
         IN A    127.0.0.1

* Enable the BIND user to read the zone file:

 # chown named:named /var/named/master/localhost.zone
 # chmod 640 /var/named/master/localhost.zone

== Creating the 0.0.127.in-addr.arpa Zone File ==

* Create the <code>0.0.127.in-addr.arpa</code> reverse zone in the <code>/var/named/master/0.0.127.zone</code> file:

 $TTL 3D
 @       IN SOA  localhost. root.localhost. (
                         2013050101      ; Serial
                         8H              ; Refresh
                         2H              ; Retry
                         4W              ; Expire
                         1D              ; Minimum TTL
                         )
         IN NS   localhost.
 1       IN PTR  localhost.

* Enable the BIND user to read the zone file:

 # chown named:named /var/named/master/0.0.127.zone
 # chmod 640 /var/named/master/0.0.127.zone
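The two zone files above have to agree with each other before BIND serves them: the A record for <code>localhost.</code> needs a matching PTR under <code>0.0.127.in-addr.arpa</code>, and vice versa. The following Python script is an added example (not part of this wiki page or of BIND) that parses both files as written above, including the <code>$TTL</code>/<code>$ORIGIN</code> directives, the multi-line SOA in parentheses and the blank owner column that inherits the previous name, and cross-checks them; the zone origins are passed in as named.conf's <code>zone</code> statements give them, and the zone text is copied from the page so it runs offline.

```python
"""Cross-check the localhost forward zone against the 0.0.127.in-addr.arpa reverse
zone from this page. Added example, not part of the Samba wiki; the zone text is
copied from the page (reflowed) and embedded so the script runs offline."""
import re

LOCALHOST_ZONE = """\
$TTL 3D
$ORIGIN localhost.
@   1D IN SOA @ root (
        2013050101 ; serial
        8H 2H 4W   ; refresh retry expiry
        1D )       ; minimum
@   IN NS @
    IN A  127.0.0.1
"""

REVERSE_ZONE = """\
$TTL 3D
@   IN SOA localhost. root.localhost. (
        2013050101 ; Serial
        8H 2H 4W   ; Refresh Retry Expire
        1D )       ; Minimum TTL
    IN NS  localhost.
1   IN PTR localhost.
"""

TTL_UNITS = {"S": 1, "M": 60, "H": 3600, "D": 86400, "W": 604800}

def parse_ttl(tok):
    """Convert a BIND TTL such as 3D or 8H (or plain seconds) into seconds."""
    m = re.fullmatch(r"(\d+)([smhdwSMHDW]?)", tok)
    return int(m.group(1)) * TTL_UNITS.get(m.group(2).upper(), 1)

def qualify(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, ttl, type, rdata) tuples; handles $TTL/$ORIGIN, ';' comments,
    parenthesised multi-line rdata and a blank owner column that inherits the owner."""
    body = "\n".join(ln.split(";", 1)[0] for ln in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: " %s " % " ".join(m.group(1).split()), body)
    ttl_default, owner, records = None, None, []
    for ln in body.splitlines():
        toks = ln.split()
        if not toks:
            continue
        if toks[0] == "$TTL":
            ttl_default = parse_ttl(toks[1]); continue
        if toks[0] == "$ORIGIN":
            origin = toks[1]; continue
        if not ln[0].isspace():                # owner column present
            owner = qualify(toks.pop(0), origin)
        elif owner is None:
            raise ValueError("record without an owner name")
        ttl = ttl_default
        if toks and re.fullmatch(r"\d+[smhdwSMHDW]?", toks[0]):
            ttl = parse_ttl(toks.pop(0))
        if toks and toks[0].upper() == "IN":   # class is optional
            toks.pop(0)
        records.append((owner, ttl, toks[0].upper(), toks[1:]))
    return records

def ptr_name(ipv4):
    """127.0.0.1 -> 1.0.0.127.in-addr.arpa. (the name 'host -t PTR' looks up)."""
    return ".".join(reversed(ipv4.split("."))) + ".in-addr.arpa."

def check_pair(fwd_text, fwd_origin, rev_text, rev_origin):
    """Return a list of problems; empty means the two zones agree with each other."""
    fwd, rev = parse_zone(fwd_text, fwd_origin), parse_zone(rev_text, rev_origin)
    a_recs = {(o, rd[0]) for o, _, t, rd in fwd if t == "A"}
    ptrs = {(o, qualify(rd[0], rev_origin)) for o, _, t, rd in rev if t == "PTR"}
    problems = [f"no PTR for {o} -> {ip}" for o, ip in a_recs if (ptr_name(ip), o) not in ptrs]
    problems += [f"PTR {o} -> {tgt} has no matching A record" for o, tgt in ptrs
                 if not any(ptr_name(ip) == o and own == tgt for own, ip in a_recs)]
    for label, recs in (("forward", fwd), ("reverse", rev)):
        n = sum(1 for r in recs if r[2] == "SOA")
        if n != 1:
            problems.append(f"{label} zone has {n} SOA records, expected 1")
    return problems
```

Calling <code>check_pair(LOCALHOST_ZONE, "localhost.", REVERSE_ZONE, "0.0.127.in-addr.arpa.")</code> returns an empty list for the page's files; changing the PTR owner to <code>2</code> yields one problem for each direction.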
= Installing & Configuring BIND on Debian based distros =

== Installing the required packages ==

You need to install the following packages:

 apt-get install -y bind9 bind9utils

{{Imbox
| type = note
| text = Before continuing, you need to provision a DC in a new domain, join as a DC to an existing domain, or upgrade from the existing internal DNS server to BIND9_DLZ. Various required files are only created by one of the preceding actions.
}}

== Setting up the named.conf files ==

On Debian based distros, you have five BIND9 files:

 /etc/default/bind9
 /etc/bind/named.conf
 /etc/bind/named.conf.options
 /etc/bind/named.conf.local
 /etc/bind/named.conf.default-zones

Of these, only two or three need to be configured.

If you only use IPv4, edit <code>/etc/default/bind9</code> and change:

 OPTIONS="-u bind"

to:

 OPTIONS="-u bind -4"

The second file, <code>/etc/bind/named.conf</code>, should not need modification, as it just includes the other <code>named.conf</code> files:

 include "/etc/bind/named.conf.options";
 include "/etc/bind/named.conf.local";
 include "/etc/bind/named.conf.default-zones";

The third file, <code>/etc/bind/named.conf.options</code>, is the one you need to configure for your Active Directory and to set up default ACLs for BIND9.

 // Managing acls
 acl internals { 127.0.0.0/8; 192.168.0.0/24; };
 
 options {
     directory "/var/cache/bind";
     version "Go Away 0.0.7";
     notify no;
     empty-zones-enable no;
     auth-nxdomain yes;
     forwarders { 8.8.8.8; 8.8.4.4; };
     allow-transfer { none; };
     dnssec-validation no;
     dnssec-enable no;
     dnssec-lookaside no;
 
     // If you only use IPv4.
     listen-on-v6 { none; };
     // listen on these ipnumbers.
     listen-on port 53 { 192.168.0.6; 127.0.0.1; ::1; };
 
     // Added Per Debian buster Bind9.
     // Due to : resolver: info: resolver priming query complete messages in the logs.
     // See: https://gitlab.isc.org/isc-projects/bind9/commit/4a827494618e776a78b413d863bc23badd14ea42
     minimal-responses yes;
 
     // Add any subnets or hosts you want to allow to use this DNS server
     allow-query { "internals"; };
     allow-query-cache { "internals"; };
 
     // Add any subnets or hosts you want to allow to use recursive queries
     recursion yes;
     allow-recursion { "internals"; };
 
     // https://wiki.samba.org/index.php/Dns-backend_bind
     // DNS dynamic updates via Kerberos (optional, but recommended)
     // ONE of the following lines should be enabled AFTER you provision or join a DC with bind9_dlz
     // or AFTER upgrading your dns from internal to bind9_dlz
     // Before Samba 4.9.0
     // tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab";
     // From Samba 4.9.0 ( You will need to run samba_dnsupgrade if upgrading your Samba version. )
     tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
 };

The fourth file, <code>/etc/bind/named.conf.local</code>, just needs the addition of one line to include another file provided by Samba:

 include "/var/lib/samba/bind-dns/named.conf";

The last file, <code>/etc/bind/named.conf.default-zones</code>, does not require any changes.
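The <code>allow-query</code>, <code>allow-recursion</code> and <code>allow-transfer { none; }</code> settings above, like the same statements in the basic named.conf earlier on this page, decide who can query this server, recurse through it, or pull its zones. The Python below is an added example (not code from the Samba wiki or from BIND) that parses a named.conf-style options block and reports the exposures BIND's defaults would otherwise leave open; it runs against a copy of this page's named.conf.options trimmed to those statements and against a constructed unrestricted block, and the fallback order it assumes for <code>allow-recursion</code> (allow-query-cache, then allow-query, then localnets and localhost) is BIND 9's documented default.

```python
"""Audit a named.conf options block for the exposure settings this page sets.
Added example, not code from the Samba wiki or BIND; PAGE_CONF is trimmed from
the page's named.conf.options, WEAK_CONF is a constructed counter-example."""
import re

PAGE_CONF = """\
acl internals { 127.0.0.0/8; 192.168.0.0/24; };
options {
    version "Go Away 0.0.7";
    allow-transfer { none; };
    dnssec-validation no;
    // Add any subnets or hosts you want to allow to use this DNS server
    allow-query { "internals"; };
    allow-query-cache { "internals"; };
    recursion yes;
    allow-recursion { "internals"; };
    tkey-gssapi-keytab "/var/lib/samba/bind-dns/dns.keytab";
};
"""

WEAK_CONF = """\
options {
    recursion yes;         # BIND's default anyway
    allow-query { any; };  # no allow-recursion: BIND falls back to this list
};
"""

def strip_comments(text):
    """named.conf accepts /* */, // and # comments; drop all three."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return "\n".join(re.split(r"//|#", ln, maxsplit=1)[0] for ln in text.splitlines())

def parse_block(tokens, i=0):
    """Return ([(words, sub)], next_index); sub is the nested list of a { } block or None."""
    stmts, words = [], []
    while i < len(tokens):
        tok = tokens[i]; i += 1
        if tok == "}":
            break
        if tok == ";":
            if words:
                stmts.append((words, None)); words = []
        elif tok == "{":
            sub, i = parse_block(tokens, i)
            stmts.append((words, sub)); words = []
        else:
            words.append(tok.strip('"'))
    return stmts, i

def expand(elems, acls, seen=()):
    """Flatten an address-match list, substituting named acl definitions."""
    return set().union(*(expand(acls[e], acls, seen + (e,)) if e in acls and e not in seen else {e} for e in elems))

def audit(conf):
    """Return a list of findings for the options block (empty = clean)."""
    stmts, _ = parse_block(re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', strip_comments(conf)))
    acls = {w[1]: [s[0][0] for s in sub] for w, sub in stmts if w[0] == "acl"}
    opts = {}
    for w, sub in stmts:
        if w[0] == "options":
            for ow, osub in sub:
                opts[ow[0]] = ow[1:] if osub is None else [s[0][0] for s in osub]
    acl = lambda name: expand(opts[name], acls) if name in opts else None
    findings = []
    # BIND defaults: recursion yes; allow-recursion falls back to allow-query-cache, then allow-query, then { localnets; localhost; }
    effective = acl("allow-recursion") or acl("allow-query-cache") or acl("allow-query") or {"localnets", "localhost"}
    if opts.get("recursion", ["yes"])[0] == "yes" and "any" in effective:
        findings.append("open resolver: recursion is allowed for any")
    q = acl("allow-query")
    if q is None or "any" in q:
        findings.append("allow-query unrestricted (BIND default is any)")
    xfr = acl("allow-transfer")
    if xfr is None or "any" in xfr:
        findings.append("zone transfers not disabled (page uses allow-transfer { none; })")
    if "version" not in opts:
        findings.append("version string not overridden")
    if opts.get("dnssec-validation", ["auto"])[0] == "no":
        findings.append("dnssec-validation off (deliberate on this page; confirm it is intended)")
    return findings
```

<code>audit(PAGE_CONF)</code> reports only the disabled DNSSEC validation, while <code>audit(WEAK_CONF)</code> reports an open resolver, unrestricted queries, enabled zone transfers and an unhidden version string.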
= Starting the Daemon =

To start the BIND daemon as the <code>named</code> user, run:

 # named -u named

Alternatively, use your operating system tools, such as <code>systemctl</code> or <code>service</code>, to start the daemon. See your distribution's documentation for details.

{{Imbox
| type = note
| text = Enable the daemon to start automatically when the system boots. For details, see your distribution's documentation.
}}

{{Imbox
| type = note
| text = Ensure that you never <code>reload</code> BIND9: check your init files and change <code>reload</code> to <code>restart</code>, and also check <code>/etc/logrotate.d/named</code> and similar files.
}}
= Testing Your Zones =

The following examples query the DNS service on the local machine (<code>127.0.0.1</code>):

To test the <code>localhost</code> forward zone:

 # host -t A localhost 127.0.0.1
 Using domain server:
 Name: 127.0.0.1
 Address: 127.0.0.1#53
 Aliases: 
 
 localhost has address 127.0.0.1

To test the <code>0.0.127.in-addr.arpa</code> reverse zone:

 # host -t PTR 127.0.0.1 127.0.0.1
 Using domain server:
 Name: 127.0.0.1
 Address: 127.0.0.1#53
 Aliases: 
 
 1.0.0.127.in-addr.arpa domain name pointer localhost.
= Configuring the BIND9_DLZ module =

For details, see [[BIND9_DLZ_DNS_Back_End|BIND9_DLZ DNS Back End]].