How To Configure BIND as a DNS Server

The aim is to set up two DNS servers for a small LAN:
Master DNS server – OpenWRT router – 192.168.0.1 – FQDN: ns1.example.com
Slave DNS server – Debian server – 192.168.0.2 – FQDN: ns2.example.com
Web server – 192.168.0.3 – FQDN: example.com

  1. Setting the Hostname on the Name Servers
  2. Install Bind on Both Name Servers
  3. Configure the Master Bind Server
  4. Configure the Slave Bind Server

1. Setting the hostname

On the OpenWRT router, edit the /etc/hosts file so it looks like this:

127.0.0.1       localhost
192.168.0.1     ns1.example.com ns1

and on the Debian server:

127.0.0.1       localhost
192.168.0.2     ns2.example.com ns2

Then edit /etc/hostname so it contains only the short host name:

ns1

and on the Debian box:

ns2

2. Install BIND

On the OpenWRT router, from an ssh session, first stop and remove the preinstalled dnsmasq (it listens on port 53 and would conflict with BIND):

/etc/init.d/dnsmasq stop
opkg remove dnsmasq

then install BIND:

opkg update
opkg install bind-server bind-tools

On the Debian box run:

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

3. Configure the Master Bind Server

On the OpenWRT box the BIND directory structure is a bit different from the one on Debian: a single file, /etc/bind/named.conf, holds the whole configuration.

We need to add a few bits to it: an acl naming the clients that may query the server, the query and transfer restrictions in the options block, and the two zones for example.com at the end. The complete file looks like this:

// this section defines who is allowed to submit queries to the server
acl goodclients {
        192.168.0.0/24;
        localhost;
        localnets;
};

options {
        directory "/tmp";

        // recursion is on, but only for the LAN clients named in the acl above;
        // without allow-query / allow-recursion the acl is never applied and the
        // server would answer recursive queries from any address that can reach it
        recursion yes;
        allow-query { goodclients; };
        allow-recursion { goodclients; };

        // no zone transfers by default; the example.com zones below override this
        // for the slave only
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// here we define our zones; only the slave (192.168.0.2) may pull them

zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
        allow-transfer { 192.168.0.2; };
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.192.168.0";
        allow-transfer { 192.168.0.2; };
};
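The security-relevant part of that file is the options block: who may query, who may use the server recursively, and who may pull a copy of the zones. As an added example (this is not code from the post or from BIND), here is a small Python checker that reads the options block of a named.conf in the flat style used above and reports the mistakes that turn a LAN resolver into an open one: recursion left on with no allow-query or allow-recursion, any allow-* list set to "any", and an acl that is defined but never referenced. The two configuration strings are constructed samples; the one called OPEN_CONF deliberately omits the allow-query / allow-recursion lines.

```python
import re

# Constructed sample: an options block that defines an acl but never applies it,
# so "recursion yes" is open to any source that can reach the server.
OPEN_CONF = """\
acl goodclients { 192.168.0.0/24; localhost; localnets; };
options {
        directory "/tmp";
        recursion yes;
        allow-transfer { none; };
        dnssec-validation auto;
};
"""

# The same block with the acl applied to queries and recursion.
HARDENED_CONF = OPEN_CONF.replace(
    "        recursion yes;\n",
    "        recursion yes;\n"
    "        allow-query { goodclients; };\n"
    "        allow-recursion { goodclients; };\n",
)


def _strip_comments(conf):
    """Remove the three comment styles named.conf accepts: //, # and /* */."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)


def _options_block(conf):
    """Body of the options { ... } block (closing '};' on its own line), or ''."""
    m = re.search(r"\boptions\s*\{(.*?)\n\s*\};", conf, re.S)
    return m.group(1) if m else ""


def address_list(block, stmt):
    """Elements of 'stmt { a; b; };' inside block, or None if the statement is absent."""
    m = re.search(rf"\b{re.escape(stmt)}\s*\{{(.*?)\}}\s*;", block, re.S)
    if not m:
        return None
    return [e.strip() for e in m.group(1).split(";") if e.strip()]


def audit_named_conf(conf):
    """Return a list of findings about the options block (empty when it looks sane)."""
    conf = _strip_comments(conf)
    block = _options_block(conf)
    findings = []

    rec = re.search(r"\brecursion\s+(yes|no)\s*;", block)
    recursion = rec.group(1) if rec else "yes"      # BIND's default is recursion yes
    if recursion == "yes" and address_list(block, "allow-recursion") is None \
            and address_list(block, "allow-query") is None:
        findings.append("recursion yes with neither allow-recursion nor allow-query: open resolver")

    for stmt in ("allow-query", "allow-recursion", "allow-transfer", "allow-update"):
        if address_list(block, stmt) == ["any"]:
            findings.append(f"{stmt} {{ any; }} lets every host do this")

    # An acl that is defined but never referenced in any address list protects nothing.
    for name in re.findall(r"\bacl\s+(\S+)\s*\{", conf):
        if not re.search(rf"\{{[^{{}}]*\b{re.escape(name)}\s*;", conf):
            findings.append(f"acl {name} is defined but never used")
    return findings


if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_named_conf(conf) or "no findings")
```

The parser is intentionally minimal (one statement per line, no nested blocks that close on their own line), which is enough for the single-file layout OpenWRT uses; run it against /etc/bind/named.conf before enabling the service, alongside named-checkconf, which only checks syntax and will happily accept an open resolver.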

Create the Forward Zone File

In /etc/bind, create a zones subfolder, then create the file db.example.com in it with this content:

$TTL 604800
@ IN SOA ns1.example.com. root.example.com. (
                        10 ; Serial
                    604800 ; Refresh
                     86400 ; Retry
                   2419200 ; Expire
                  604800 ) ; Negative Cache TTL
;

; Name servers
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.

; A records for name servers
ns1 IN A 192.168.0.1
ns2 IN A 192.168.0.2

; Other A records
@         IN A 192.168.0.3
www       IN A 192.168.0.3
computer1 IN A 192.168.0.4
printer   IN A 192.168.0.5

An important thing to remember: increase the serial number every time this file is edited. The slave only pulls a new copy of the zone when it sees a serial higher than the one it already holds, so an edit without a serial bump never reaches ns2.


Create the Reverse Zone File

In /etc/bind/zones, create the file db.192.168.0 with this content:


$TTL    604800
; MNAME is the primary name server, the same as in the forward zone
@       IN      SOA     ns1.example.com. admin.example.com. (
                             10       ; Serial
                         604800       ; Refresh
                          86400       ; Retry
                        2419200       ; Expire
                         604800 )     ; Negative Cache TTL
;

; Name servers (the owner must be given or the line indented, otherwise
; "IN" is read as the owner name)
@       IN      NS      ns1.example.com.
@       IN      NS      ns2.example.com.

; PTR Records (last octet of the address -> host name)
1       IN      PTR     ns1.example.com.
2       IN      PTR     ns2.example.com.
3       IN      PTR     www.example.com.
4       IN      PTR     computer1.example.com.
5       IN      PTR     printer.example.com.

Testing

named-checkconf /etc/bind/named.conf

If there is a problem with the config this will tell you where to look in the config file. If the config is fine there is no output.
Next we check our zones:

named-checkzone example.com /etc/bind/zones/db.example.com

If your file has no problems, it should tell you that it loaded the correct serial number and give the “OK” message:

zone example.com/IN: loaded serial 10
OK

Then we do the same thing for the reverse lookup zone file, passing the zone name 0.168.192.in-addr.arpa and the file /etc/bind/zones/db.192.168.0.
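named-checkzone catches syntax errors, but it will not notice that a serial was left unchanged after an edit, or that the reverse file disagrees with the forward one (a PTR written as NS, or a host with an A record and no PTR). As an added example, not part of the post, here is a small Python script that parses the zone-file subset used in these two files (a $TTL line, a parenthesised SOA, one record per line, "@" and blank-owner shorthand, ";" comments), bumps the SOA serial, and cross-checks forward A records against reverse PTRs. The two zone strings are constructed samples mirroring the files above.

```python
import ipaddress
import re

# Constructed sample zones that mirror the post's forward and reverse files.
FORWARD_ZONE = """\
$TTL 604800
@ IN SOA ns1.example.com. root.example.com. (
        10      ; Serial
        604800  ; Refresh
        86400   ; Retry
        2419200 ; Expire
        604800 ) ; Negative Cache TTL
example.com. IN NS ns1.example.com.
example.com. IN NS ns2.example.com.
ns1       IN A 192.168.0.1
ns2       IN A 192.168.0.2
@         IN A 192.168.0.3
www       IN A 192.168.0.3
computer1 IN A 192.168.0.4
printer   IN A 192.168.0.5
"""
REVERSE_ZONE = """\
$TTL 604800
@ IN SOA ns1.example.com. admin.example.com. (
        10 ; Serial
        604800 86400 2419200 604800 )
        IN NS ns1.example.com.
        IN NS ns2.example.com.
1 IN PTR ns1.example.com.
2 IN PTR ns2.example.com.
3 IN PTR www.example.com.
4 IN PTR computer1.example.com.
5 IN PTR printer.example.com.
"""
SOA_SERIAL = re.compile(r"\bSOA\s+\S+\s+\S+\s*\(\s*(\d+)")


def _logical_lines(text):
    """Drop ';' comments and blank lines; join parenthesised multi-line records."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf))
            buf = []
    return out


def parse_zone(text, origin):
    """Parse the zone-file subset used in the post; returns (serial, [(fqdn, type, rdata)])."""
    origin = origin.rstrip(".") + "."
    fqdn = lambda n: origin if n == "@" else (n if n.endswith(".") else f"{n}.{origin}")
    serial, records, owner = None, [], origin
    for line in _logical_lines(text):
        if line.startswith("$"):
            continue                          # $TTL / $ORIGIN are directives, not records
        tokens = line.split()
        if not line[0].isspace():             # a blank (indented) owner repeats the previous one
            owner = fqdn(tokens.pop(0))
        while tokens and (tokens[0] in ("IN", "CH") or tokens[0].isdigit()):
            tokens.pop(0)                     # optional class and per-record TTL
        if not tokens:
            continue
        rtype = tokens[0].upper()
        rdata = " ".join(tokens[1:]).replace("(", " ").replace(")", " ").split()
        if rtype == "SOA":
            serial = int(rdata[2])            # MNAME RNAME serial refresh retry expire minimum
        records.append((owner, rtype, rdata))
    return serial, records


def bump_serial(text):
    """Return (new_text, new_serial) with the SOA serial incremented by one."""
    m = SOA_SERIAL.search(text)
    if not m:
        raise ValueError("no SOA serial found")
    new = int(m.group(1)) + 1
    return text[:m.start(1)] + str(new) + text[m.end(1):], new


def check_reverse(forward_text, forward_origin, reverse_text, reverse_origin):
    """Cross-check forward A records against reverse PTRs; returns a list of problems."""
    rev_origin = reverse_origin.rstrip(".") + "."
    _, fwd = parse_zone(forward_text, forward_origin)
    _, rev = parse_zone(reverse_text, reverse_origin)
    hosts_by_ptr = {}                         # "3.0.168.192.in-addr.arpa." -> {host names}
    for name, rtype, rdata in fwd:
        if rtype == "A":
            key = ipaddress.ip_address(rdata[0]).reverse_pointer + "."
            hosts_by_ptr.setdefault(key, set()).add(name)
    ptrs = {name: rdata[0] for name, rtype, rdata in rev if rtype == "PTR"}
    # an NS record owned by a host label is almost always a PTR that was mistyped
    problems = [f"{n}: NS record where a PTR was probably meant"
                for n, t, _ in rev if t == "NS" and n != rev_origin]
    for key, hosts in hosts_by_ptr.items():
        if key not in ptrs:
            problems.append(f"{key}: no PTR for {', '.join(sorted(hosts))}")
        elif ptrs[key] not in hosts:
            problems.append(f"{key}: PTR -> {ptrs[key]} but A records there are {', '.join(sorted(hosts))}")
    problems += [f"{k}: PTR -> {v} has no matching A record" for k, v in ptrs.items() if k not in hosts_by_ptr]
    return problems
```

Run check_reverse over the two real files after every edit; an empty list means the reverse zone agrees with the forward zone. Replacing " PTR " with " NS " in the sample reverse zone reproduces the mistyped-record case and yields one finding per record plus one "no PTR" finding per address.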

If everything is OK, we enable and start the BIND service:

/etc/init.d/named enable
/etc/init.d/named start

With the server running, query it directly:

dig ANY example.com @localhost

and if everything is setup correctly you should get something like this:

root@wrt:/etc/bind/zones# dig any example.com @localhost

; <<>> DiG 9.9.6-P1 <<>> any example.com @localhost
;; global options: +cmd
;; Got answer:
;; ->>HEADER<


4. Configure the Slave Bind Server

Configuring the Options File

Now, on the Debian box, we edit the options file:

nano /etc/bind/named.conf.options

Edit the options section so it looks like this:

options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Save and close the file when you are finished.

Configuring the Local Configuration File

sudo nano /etc/bind/named.conf.local

We will create each of our zone specifications.

First, we will work on the forward zone:

zone "example.com" {
};

and edit it so it looks like this:

zone "example.com" {
        type slave;
        file "db.example.com";
        masters { 192.168.0.1; };
};

This completes our forward zone setup.

We use the same format for the reverse zone:

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "db.192.168.0";
        masters { 192.168.0.1; };
};

When you are finished, you can save and close the file.

After restarting bind9, check that the zone transfers succeeded by watching the log:

sudo tail -f /var/log/syslog

It should show entries indicating that both zones were transferred from 192.168.0.1 with the serial you set on the master.
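Reading those lines by eye works for two zones; the added example below (not code from the post) does the same check programmatically. It scans syslog text for BIND's "transferred serial" and "Transfer status" messages and reports, per expected zone, the serial received, the outcome and the master it came from, so a cron job or monitoring check can flag a zone that stopped transferring. The log lines are constructed samples modelled on BIND 9's message format: the forward zone arrives, the reverse zone is refused, which is what the slave sees when the master's allow-transfer list does not include its address.

```python
import re

# Constructed sample lines modelled on BIND 9's zone-transfer messages as they
# appear in /var/log/syslog on the slave.
SAMPLE_SYSLOG = """\
Mar  1 10:00:01 ns2 named[812]: zone example.com/IN: Transfer started.
Mar  1 10:00:01 ns2 named[812]: transfer of 'example.com/IN' from 192.168.0.1#53: connected using 192.168.0.2#41022
Mar  1 10:00:01 ns2 named[812]: zone example.com/IN: transferred serial 10
Mar  1 10:00:01 ns2 named[812]: transfer of 'example.com/IN' from 192.168.0.1#53: Transfer status: success
Mar  1 10:00:01 ns2 named[812]: transfer of 'example.com/IN' from 192.168.0.1#53: Transfer completed: 1 messages, 12 records, 331 bytes, 0.002 secs (165500 bytes/sec)
Mar  1 10:00:02 ns2 named[812]: zone 0.168.192.in-addr.arpa/IN: Transfer started.
Mar  1 10:00:02 ns2 named[812]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.1#53: failed while receiving responses: REFUSED
Mar  1 10:00:02 ns2 named[812]: transfer of '0.168.192.in-addr.arpa/IN' from 192.168.0.1#53: Transfer status: REFUSED
"""

SERIAL_RE = re.compile(r"zone (?P<zone>\S+)/IN: transferred serial (?P<serial>\d+)")
STATUS_RE = re.compile(r"transfer of '(?P<zone>[^']+)/IN' from (?P<master>\S+): Transfer status: (?P<status>.*)$")


def transfer_report(log_text, zones):
    """Latest transfer outcome per expected zone: {zone: {"serial", "status", "master"}}."""
    report = {z: {"serial": None, "status": None, "master": None} for z in zones}
    for line in log_text.splitlines():
        if (m := SERIAL_RE.search(line)) and m["zone"] in report:
            report[m["zone"]]["serial"] = int(m["serial"])
        elif (m := STATUS_RE.search(line)) and m["zone"] in report:
            report[m["zone"]]["status"] = m["status"].strip()
            report[m["zone"]]["master"] = m["master"]
    return report


def failed_transfers(log_text, zones, expected_master, expected_serial=None):
    """Zones that did not transfer successfully from expected_master (and, if given, at expected_serial)."""
    bad = []
    for zone, r in transfer_report(log_text, zones).items():
        ok = (r["status"] == "success" and r["master"] == expected_master
              and (expected_serial is None or r["serial"] == expected_serial))
        if not ok:
            bad.append(zone)
    return bad


if __name__ == "__main__":
    zones = ["example.com", "0.168.192.in-addr.arpa"]
    for zone, r in transfer_report(SAMPLE_SYSLOG, zones).items():
        print(f"{zone}: status={r['status']} serial={r['serial']} from={r['master']}")
    print("failed:", failed_transfers(SAMPLE_SYSLOG, zones, "192.168.0.1#53"))
```

Checking the master address as well as the status matters: a transfer that succeeded from an unexpected source is worth an alert, not a pass. A status of REFUSED on the slave usually points back at the allow-transfer list in the master's zone definition.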

To configure DHCP follow here.

Good source of BIND config knowledge here.
