Setting up a BIND DNS Server

(Difference between revisions: minor edit "Fix link". In the Installing BIND section, the link target for "DNS dynamic updates via Kerberos for BIND 9.7" was changed from Configure_BIND_as_Backend_for_Samba_AD#BIND_9.7_2 to Configure_BIND_as_backend_for_Samba_AD#BIND_9.7_2; the paragraph text is otherwise unchanged.)
Revision as of 14:24, 17 October 2015

Introduction

This HowTo describes how to compile and configure a basic BIND installation that can be used as the Samba DC DNS backend. Skip this guide if you already have an existing BIND installation that can be used as a Samba AD backend.

If you need a more complex DNS setup than is possible with the Samba 4 internal DNS, using BIND as the DNS backend is recommended.



Installing BIND

The use of BIND as a backend for your Samba Active Directory Domain Controller is currently only supported in versions 9.8 and 9.9. Users of BIND 9.7 are strongly encouraged to upgrade! If this is not possible, refer to the section DNS dynamic updates via Kerberos for BIND 9.7 for instructions on configuring BIND 9.7.

If you install BIND from the repositories of your distribution, you can skip the following two steps, but make sure that it was compiled with the '--with-gssapi' and '--with-dlopen' options (see below) before using it as the Samba AD DNS backend.


Downloading

Download a version supported by Samba 4 from https://www.isc.org/software/bind.


Compiling BIND

To use BIND 9.8.1 or later as the Samba AD backend, at least the following two configure options are required:

# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes

Please check if there are other options you require for your environment. If you are building BIND 9.8.0, you must use '--with-dlz-dlopen=yes' instead of '--with-dlopen=yes'.

To build and install:

# make
# make install
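The section above says a distribution-packaged BIND may be used only if it was built with '--with-gssapi' and '--with-dlopen'. The following script is an added example, not part of the Samba wiki page: it inspects the output of 'named -V', which prints the version line and the configure arguments the binary was built with, and reports whether both options are present. The function names are this example's own; the option spellings are the ones given on this page for BIND 9.8.0 versus 9.8.1 and later.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): verify that an installed BIND was
# built with the configure options Samba needs. `named -V` prints the version
# and the configure arguments the binary was built with; we inspect that text.

# bind_has_samba_options VERSION_TEXT
#   VERSION_TEXT is the output of `named -V`. Returns 0 when GSSAPI support
#   and DLZ dlopen support are both present, 1 otherwise. BIND 9.8.0 spells
#   the dlopen option '--with-dlz-dlopen', 9.8.1 and later '--with-dlopen'.
bind_has_samba_options() {
    text=$1
    case $text in
        *--with-gssapi*) ;;
        *) echo "missing: --with-gssapi (needed for Kerberos-signed dynamic updates)" >&2
           return 1 ;;
    esac
    case $text in
        *--with-dlopen=no*|*--with-dlz-dlopen=no*)
            echo "DLZ dlopen support was explicitly disabled at build time" >&2
            return 1 ;;
        *--with-dlopen*|*--with-dlz-dlopen*) ;;
        *) echo "missing: --with-dlopen=yes (--with-dlz-dlopen=yes on BIND 9.8.0)" >&2
           return 1 ;;
    esac
    return 0
}

# check_installed_named [PATH_TO_NAMED]
#   Runs the real binary (default: the named found on PATH) and checks its
#   output. Returns 2 if the binary cannot be found.
check_installed_named() {
    bin=${1:-named}
    command -v "$bin" >/dev/null 2>&1 || { echo "$bin not found" >&2; return 2; }
    out=$("$bin" -V 2>&1)
    printf '%s\n' "$out" | sed -n 1p        # show the version line for the record
    bind_has_samba_options "$out"
}

# Stand-alone usage (hypothetical script name): ./check-bind-build.sh /usr/local/sbin/named
if [ -n "${1:-}" ]; then
    check_installed_named "$1"
fi
```

Run it against the named you intend to use (the distribution's or the freshly compiled one in /usr/local/sbin); a non-zero exit means the binary cannot serve as the Samba AD backend and must be rebuilt with the options above.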


Configuration

Setting up a basic named.conf

The following example is a basic 'named.conf' for a minimal BIND installation without any Samba AD parts. The parameters Samba requires are added later.

# /etc/named.conf
# Global BIND configuration options

options {

    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    allow-query {
        127.0.0.1;
        10.1.1.0/24;
        # add other networks you want to allow to query your DNS
    };

    allow-recursion {
        10.1.1.0/24;
        # add other networks you want to allow to do recursive queries
    };

    forwarders {
        # Google public DNS server here - replace with your own if necessary
        8.8.8.8;
        8.8.4.4;
    };

    allow-transfer {
        # this config is for a single master DNS server
        none;
    };

};

 
# Root servers (required zone for recursive queries)
zone "." {
   type hint;
   file "named.root";
};

# Required localhost forward-/reverse zones 
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};

We chose '/var/named' as the 'directory' in 'named.conf'; this is where the zone files and other data reside. If you want to place them in a different location, adjust the paths in all further instructions accordingly.

For more details on the parameters used in the sample 'named.conf', see 'man 5 named.conf'.


Adding a user and group for BIND

If you don't want to run BIND as root (and I'm sure you don't want that!), add a dedicated account and group.

First check whether a 'named' group already exists:

# getent group|grep named

Add the user and group if none exists (adapt the UID/GID if required):

# groupadd -g 25 named
# useradd -g named -u 25 -d /var/named -M -s /sbin/nologin named


Getting the root name server list

Download the root name server list from InterNIC:

# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
# chown named:named /var/named/named.root

To always have the current file, you can add a cron job that downloads it automatically.
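Since the root hints file is fetched over plain HTTP and then read by named, a cron job should never overwrite the live file with whatever the download returned (an HTML error page, a truncated transfer). The script below is an added example, not part of the Samba wiki page: it downloads to a temporary file, checks that the content lists all thirteen root servers as NS records for ".", and only then installs it with the ownership used on this page. The URL and paths are the page's; the validation rules, the function names and the script path in the crontab comment are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): refresh /var/named/named.root from
# cron without ever replacing the live file with garbage.

HINTS_URL=${HINTS_URL:-http://www.internic.net/zones/named.root}
HINTS_FILE=${HINTS_FILE:-/var/named/named.root}
HINTS_OWNER=${HINTS_OWNER:-named:named}

# looks_like_root_hints FILE
#   Accept the file only if it is non-empty, is not an HTML page, and names
#   every root server A..M as an NS record for "." in the usual
#   ".   3600000   NS   X.ROOT-SERVERS.NET." layout. Returns 0 if plausible.
looks_like_root_hints() {
    f=$1
    [ -s "$f" ] || return 1
    if grep -qi '<html' "$f"; then return 1; fi
    for letter in A B C D E F G H I J K L M; do
        grep -Eq "^\.[[:space:]]+[0-9]+[[:space:]]+NS[[:space:]]+$letter\.ROOT-SERVERS\.NET\." "$f" \
            || return 1
    done
    return 0
}

# refresh_root_hints
#   Download beside the target, validate, then move into place atomically.
#   A failed or implausible download leaves the old file untouched.
refresh_root_hints() {
    tmp=$(mktemp "${HINTS_FILE}.XXXXXX") || return 1
    if ! wget -q -O "$tmp" "$HINTS_URL"; then
        echo "download of $HINTS_URL failed" >&2
        rm -f "$tmp"; return 1
    fi
    if ! looks_like_root_hints "$tmp"; then
        echo "downloaded file does not look like root hints; keeping old file" >&2
        rm -f "$tmp"; return 1
    fi
    if [ -f "$HINTS_FILE" ] && cmp -s "$tmp" "$HINTS_FILE"; then
        rm -f "$tmp"; return 0            # unchanged, nothing to do
    fi
    chown "$HINTS_OWNER" "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$HINTS_FILE" \
        || { rm -f "$tmp"; return 1; }
    # Let a running named pick up the new hints (needs rndc configured;
    # sending named a SIGHUP reloads as well). Ignore failure when named is down.
    rndc reload >/dev/null 2>&1 || true
    return 0
}

# Hypothetical crontab entry, monthly at 03:00:
#   0 3 1 * * /usr/local/sbin/refresh-root-hints.sh refresh
if [ "${1:-}" = refresh ]; then
    refresh_root_hints
fi
```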


Creating the localhost zone file

Create a forward zone file ('/var/named/master/localhost.zone') for your 'localhost' zone:

$TTL 3D

$ORIGIN localhost.

@       1D      IN     SOA     @       root (
                       2013050101      ; serial
                       8H              ; refresh
                       2H              ; retry
                       4W              ; expiry
                       1D              ; minimum
                       )

@       IN      NS      @
        IN      A       127.0.0.1


Creating the 0.0.127.in-addr.arpa zone file

Create a reverse zone file ('/var/named/master/0.0.127.zone') for your '0.0.127.in-addr.arpa' zone:

$TTL 3D

@       IN      SOA     localhost. root.localhost. (
                        2013050101      ; Serial
                        8H              ; Refresh
                        2H              ; Retry
                        4W              ; Expire
                        1D              ; Minimum TTL
                        )

       IN      NS      localhost.

1      IN      PTR     localhost.


Set permissions on the zone files

# chown named:named /var/named/master/*.zone
# chmod 640 /var/named/master/*.zone
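Before starting named, it pays to validate the 'named.conf' from the Configuration section and the two zone files just created, and to check that the 'named' user can actually read them. The script below is an added example, not part of the Samba wiki page: it runs the checkers that ship with BIND ('named-checkconf' and 'named-checkzone') against the page's paths, verifies file ownership, and also provides a helper that computes the next YYYYMMDDnn serial for when you edit a zone file (the serial in the SOA must increase for every change). The helper names are this example's own; the paths and zone names are the page's.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): pre-flight checks for the BIND
# setup on this page, plus a serial-number helper for zone edits.

CONF=${CONF:-/etc/named.conf}
ZONEDIR=${ZONEDIR:-/var/named}

# next_serial CURRENT [TODAY]
#   The page uses YYYYMMDDnn serials. Given the current serial and today's
#   date as YYYYMMDD (defaults to the real date), print the next serial:
#   same day -> nn+1; new day -> <today>01. A serial that is already ahead
#   of today's (a typo, or a clock that went backwards) is incremented by
#   one instead, so the value stays monotonic and secondaries still notice.
next_serial() {
    cur=$1
    today=${2:-$(date +%Y%m%d)}
    case $cur in
        "$today"[0-9][0-9])
            n=${cur#"$today"}; n=${n#0}
            if [ "$n" -ge 99 ]; then
                echo $((cur + 1))
            else
                printf '%s%02d\n' "$today" $((n + 1))
            fi ;;
        *)
            if [ "$cur" -ge "${today}01" ] 2>/dev/null; then
                echo $((cur + 1))
            else
                printf '%s01\n' "$today"
            fi ;;
    esac
}

# check_named_setup
#   Validate the config and both zone files with BIND's own checkers and
#   confirm the files named needs are owned by the 'named' user (GNU stat).
#   Returns 0 only if everything passes, 2 if the checkers are not installed.
check_named_setup() {
    for tool in named-checkconf named-checkzone; do
        command -v "$tool" >/dev/null 2>&1 \
            || { echo "$tool not found (it is part of the BIND package)" >&2; return 2; }
    done
    named-checkconf "$CONF" || return 1
    named-checkzone localhost "$ZONEDIR/master/localhost.zone" || return 1
    named-checkzone 0.0.127.in-addr.arpa "$ZONEDIR/master/0.0.127.zone" || return 1
    for f in "$ZONEDIR/named.root" "$ZONEDIR/master/localhost.zone" "$ZONEDIR/master/0.0.127.zone"; do
        [ "$(stat -c %U "$f")" = named ] \
            || { echo "$f is not owned by named; named -u named cannot read it" >&2; return 1; }
    done
    echo "named.conf and zone files look good"
    return 0
}

# Stand-alone usage (hypothetical script name):
#   ./bind-preflight.sh check
#   ./bind-preflight.sh next-serial 2013050101
case ${1:-} in
    check)       check_named_setup ;;
    next-serial) next_serial "$2" ;;
esac
```

Run the 'check' mode after every edit to 'named.conf' or a zone file, before restarting or reloading named: a syntax error that named would only report at startup is caught here, while the old, working instance keeps serving.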



Starting BIND

# named -u named

If the configuration is valid, you should see no errors on the console or in the system log file.

To have BIND started automatically at boot time, create an init.d script or a systemd unit for it.



Testing your zone

Now we look up our zone entries. We tell the 'host' command to use the server on 127.0.0.1, so that we don't query another DNS server that may be configured in '/etc/resolv.conf'.

First check the forward lookup for 'localhost':

# host localhost. 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

localhost has address 127.0.0.1

And then the reverse lookup for '127.0.0.1':

# host 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases: 

1.0.0.127.in-addr.arpa domain name pointer localhost.
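The two manual lookups above can be turned into a check that fails loudly when the answer is missing or wrong, which is handy after every restart or zone change. The script below is an added example, not part of the Samba wiki page: it queries the server on 127.0.0.1 with 'host' exactly as shown above, extracts the answer from the output, and compares it with the addresses and names the page's zone files define. The function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the Samba wiki): assert that the localhost forward
# and reverse zones answer as expected from the server on 127.0.0.1.

SERVER=${SERVER:-127.0.0.1}

# host_answer OUTPUT
#   Extract the answer from `host` output: the address after "has address"
#   or the name after "domain name pointer". Prints nothing if neither
#   appears (NXDOMAIN, SERVFAIL, or the server is unreachable).
host_answer() {
    printf '%s\n' "$1" | sed -n \
        -e 's/.* has address \(.*\)$/\1/p' \
        -e 's/.* domain name pointer \(.*\)$/\1/p'
}

# expect_lookup NAME EXPECTED
#   Query NAME at $SERVER and compare the answer with EXPECTED.
expect_lookup() {
    name=$1; want=$2
    out=$(host "$name" "$SERVER" 2>&1)
    got=$(host_answer "$out")
    if [ "$got" = "$want" ]; then
        echo "ok   $name -> $got"
    else
        echo "FAIL $name: wanted '$want', got '${got:-no answer}'" >&2
        printf '%s\n' "$out" >&2
        return 1
    fi
}

# verify_localhost_zones
#   Runs both checks and returns non-zero if either fails.
verify_localhost_zones() {
    rc=0
    expect_lookup localhost. 127.0.0.1 || rc=1
    expect_lookup 127.0.0.1 localhost. || rc=1
    return $rc
}

if [ "${1:-}" = verify ]; then
    verify_localhost_zones
fi
```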



Configuring BIND as Samba Active Directory backend

See Configure BIND as backend for Samba AD.