Bind

From MattWiki
Note: This page was written with Ubuntu 16.04 LTS in mind, and may not work correctly with other versions or distributions.


Bind Logging

Enable/Disable Query Logging

To toggle query logging on or off in Bind, run the following command. Query entries are written to the main Bind log.

rndc querylog

Log Format

The query log entry reports the client's IP address and port number, and the query name, class and type. Next comes a flags field, for example +E(0)DC: it reports whether the Recursion Desired flag was set (+ if set, - if not set), whether the query was signed (S), whether EDNS was in use (E, with the EDNS version in parentheses in newer releases), whether TCP was used (T), whether DO (DNSSEC OK) was set (D), and whether CD (Checking Disabled) was set (C).

+EDC on a query indicates that it is:

  • Recursive (+) - it has come from a client or a server that is forwarding queries to your server
  • The sender is using EDNS0 (E) (using larger UDP packet sizes and signalling the size that can be accepted)
  • The sender understands DNSSEC (D) - this is a request to your server to include any DNSSEC material associated with the answer in the query reply.
  • DNSSEC validation checking is disabled (C) - the sender wants the answer anyway, even if the validation checks fail.
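The following parser is an added example, not part of the original page: it decodes the flags field described above from BIND query-log lines and summarises which clients sent CHAOS-class queries (version.bind probes) and which sent recursive queries from outside the networks the resolver is meant to serve. The sample log lines and the local_nets prefix are constructed for the example; the regular expressions accept both the older "E" and the newer "E(0)" spellings of the EDNS flag.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in the BIND 9 query-log format (not taken from a real server).
SAMPLE_LOG = """\
01-Jan-2020 10:00:00.001 queries: info: client @0x7f1c3c0a2b40 192.0.2.10#53210 (www.example.com): query: www.example.com IN A +E(0)DC (192.0.2.1)
01-Jan-2020 10:00:00.002 queries: info: client @0x7f1c3c0a2b40 192.0.2.10#53211 (example.com): query: example.com IN MX +E(0)D (192.0.2.1)
01-Jan-2020 10:00:00.003 queries: info: client 198.51.100.7#4044 (version.bind): query: version.bind CH TXT - (192.0.2.1)
01-Jan-2020 10:00:00.004 queries: info: client @0x7f1c3c0a2b40 203.0.113.5#1234 (example.com): query: example.com IN ANY +ET (192.0.2.1)
"""

# "client @0x..." (the pointer appears only in newer releases), then addr#port,
# the name in parentheses, "query:", qname, class, type and the flags field.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[-+]\S*)"
)

# Flags in the order BIND prints them: +/- (RD), S, E or E(<version>), T, D, C.
FLAG_RE = re.compile(
    r"^(?P<rd>[+-])(?P<signed>S)?(?P<edns>E(?:\(\d+\))?)?"
    r"(?P<tcp>T)?(?P<do>D)?(?P<cd>C)?"
)


def decode_flags(flags):
    """Translate a flags field such as '+E(0)DC' into named booleans."""
    m = FLAG_RE.match(flags)
    if m is None:
        raise ValueError("unrecognised flags field: %r" % flags)
    return {
        "recursion_desired": m.group("rd") == "+",
        "signed": m.group("signed") is not None,
        "edns": m.group("edns") is not None,
        "tcp": m.group("tcp") is not None,
        "dnssec_ok": m.group("do") is not None,
        "checking_disabled": m.group("cd") is not None,
    }


def parse_query_line(line):
    """Return a dict for a query-log line, or None for lines of another kind."""
    m = QUERY_RE.search(line)
    if m is None:
        return None
    rec = {
        "client": m.group("ip"),
        "port": int(m.group("port")),
        "qname": m.group("qname"),
        "qclass": m.group("qclass"),
        "qtype": m.group("qtype"),
        "flags": m.group("flags"),
    }
    rec.update(decode_flags(rec["flags"]))
    return rec


def summarize(log_text, local_nets=("192.0.2.0/24",)):
    """Count queries per client and single out two things worth a look:
    CHAOS-class queries (version.bind probes) and recursive queries from
    outside the networks the resolver is meant to serve (local_nets is an
    assumed value for the example)."""
    nets = [ipaddress.ip_network(n) for n in local_nets]
    per_client = Counter()
    chaos = []
    foreign_recursive = []
    for line in log_text.splitlines():
        rec = parse_query_line(line)
        if rec is None:
            continue
        per_client[rec["client"]] += 1
        if rec["qclass"] == "CH":
            chaos.append((rec["client"], rec["qname"]))
        addr = ipaddress.ip_address(rec["client"])
        if rec["recursion_desired"] and not any(addr in n for n in nets):
            foreign_recursive.append((rec["client"], rec["qname"], rec["qtype"]))
    return {"per_client": per_client, "chaos": chaos, "foreign_recursive": foreign_recursive}


if __name__ == "__main__":
    for key, value in summarize(SAMPLE_LOG).items():
        print(key, value)
```

Run it against a real log with `summarize(open("/var/log/named/bind.log").read(), local_nets=[...])`; lines that are not query entries (zone loads, notifies) are skipped by parse_query_line.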

Setup A - All logs in a single file

The following logging statement in named.conf writes all log entries to a single file, /var/log/named/bind.log (rotated at 5 MB, keeping 10 versions).


logging{
  channel simple_log {
    file "/var/log/named/bind.log" versions 10 size 5m;
    severity dynamic;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default{
    simple_log;
  };
};

Fully Automatic DNSSEC Zone Signing

To enable automatic signing, add the auto-dnssec option to the zone statement in `named.conf`. auto-dnssec has two possible arguments: `allow` or `maintain`.

With auto-dnssec allow, named can search the key directory for keys matching the zone, insert them into the zone, and use them to sign the zone. It will do so only when it receives an rndc sign <zonename> command.

auto-dnssec maintain includes the above functionality, but will also automatically adjust the zone's DNSKEY records on schedule according to the keys' timing metadata. (See dnssec-keygen(8) and dnssec-settime(8) for more information.)

named will periodically search the key directory for keys matching the zone, and if the keys' metadata indicates that any change should be made to the zone, such as adding, removing, or revoking a key, then that action will be carried out. By default, the key directory is checked for changes every 60 minutes; this period can be adjusted with the dnssec-loadkeys-interval option, up to a maximum of 24 hours. The rndc loadkeys command forces named to check for key updates immediately.

If keys are present in the key directory the first time the zone is loaded, the zone will be signed immediately, without waiting for an rndc sign or rndc loadkeys command. (Those commands can still be used when there are unscheduled key changes, however.)

When new keys are added to a zone, the TTL is set to match that of any existing DNSKEY RRset. If there is no existing DNSKEY RRset, then the TTL will be set to the TTL specified when the key was created (using the dnssec-keygen -L option), if any, or to the SOA TTL.

If you wish the zone to be signed using NSEC3 instead of NSEC, submit an NSEC3PARAM record via dynamic update prior to the scheduled publication and activation of the keys. If you wish the NSEC3 chain to have the OPTOUT bit set, set it in the flags field of the NSEC3PARAM record. The NSEC3PARAM record will not appear in the zone immediately, but it will be stored for later reference. When the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM record will appear in the zone.

Using the auto-dnssec option requires the zone to be configured to allow dynamic updates, by adding an allow-update or update-policy statement to the zone configuration. If this has not been done, the configuration will fail.[1]
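The last paragraph names the failure mode that bites most often: a zone with auto-dnssec but no allow-update or update-policy. The check below is an added example, not part of the page or of BIND: it pulls every zone statement out of a named.conf text (matching braces so nested blocks stay inside the zone body) and reports zones that enable auto-dnssec without permitting dynamic updates. The embedded configuration is constructed for the example; the zone names and the key-directory path are assumptions.

```python
import re

# Constructed named.conf fragment (not the page's own configuration). The
# key-directory path and zone names are assumptions for the example.
SAMPLE_CONF = """\
options {
    directory "/var/cache/bind";
    dnssec-loadkeys-interval 30;   // minutes; the default is 60
};

// Correct: keys come from key-directory and named may apply updates locally.
zone "good.example" {
    type master;
    file "good.example.zone";
    key-directory "/etc/bind/keys";
    auto-dnssec maintain;
    update-policy local;
};

// Misconfigured: auto-dnssec without any update permission; named rejects this.
zone "bad.example" {
    type master;
    file "bad.example.zone";
    key-directory "/etc/bind/keys";
    auto-dnssec allow;
};

zone "plain.example" {
    type master;
    file "plain.example.zone";
};
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def zone_statements(conf):
    """Return (zone name, body text) for every zone statement, matching braces
    so nested blocks such as allow-update { ... } stay inside the body."""
    text = strip_comments(conf)
    zones = []
    pos = 0
    opener = re.compile(r'\bzone\s+"([^"]+)"[^{;]*\{')
    while True:
        m = opener.search(text, pos)
        if m is None:
            break
        depth, i = 1, m.end()
        while i < len(text) and depth:
            if text[i] == "{":
                depth += 1
            elif text[i] == "}":
                depth -= 1
            i += 1
        zones.append((m.group(1), text[m.end():i - 1]))
        pos = i
    return zones


def check_auto_dnssec(conf):
    """Report (zone, mode) for zones that enable auto-dnssec without an
    allow-update or update-policy statement."""
    findings = []
    for name, body in zone_statements(conf):
        mode = re.search(r"\bauto-dnssec\s+(allow|maintain)\s*;", body)
        if mode is None:
            continue
        allows_updates = re.search(r"\b(allow-update|update-policy)\b", body) is not None
        if not allows_updates:
            findings.append((name, mode.group(1)))
    return findings


if __name__ == "__main__":
    for zone, mode in check_auto_dnssec(SAMPLE_CONF):
        print("zone %s: auto-dnssec %s but no allow-update/update-policy" % (zone, mode))
```

named-checkconf will refuse the same configuration; the point of the check is to see the reason before reloading, and to run it over configuration pulled from version control rather than from a live server.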

Bind Notes

How to find the version number for Bind

Using dig

dig @127.0.0.1 version.bind chaos txt

Using nslookup

nslookup -q=txt -class=CHAOS version.bind. 0

Or if you have access to the daemon on the server, you may run

named -v

You may also restrict who can query the version by defining the "bind" CHAOS zone yourself:

acl "trusted" { 127.0.0.0/8; };

zone "bind" chaos {
        type master;
        file "/var/named/bind";
        allow-query { trusted; };
        allow-transfer { none; };
};

Then create this file in /var/named/bind:

$TTL 1D
$ORIGIN bind.
@       1D  CHAOS SOA   localhost. root.localhost. (
                        1       ; serial
                        3H      ; refresh
                        1H      ; retry
                        1W      ; expire
                        1D )    ; minimum
        CHAOS NS    localhost.

This disallows any query for version.bind except from localhost.

The Bind Install

Installing Bind

yum -y install bind caching-nameserver

Configuring Bind

First generate a TSIG key named dnskey. The secret it writes out goes into the key statement of named.conf below and is used to authenticate dynamic updates (newer BIND releases ship tsig-keygen for this, which defaults to HMAC-SHA256):

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dnskey

Now build the /etc/named.conf file. It should look something like this:

//
options {
        listen-on port 53 { 192.168.1.1; };
        directory       "/etc/named";
        dump-file       "/etc/named/data/cache_dump.db";
        statistics-file "/etc/named/data/named_stats.txt";
        memstatistics-file "/etc/named/data/named_mem_stats.txt";
        query-source    port 53;
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
key dnskey {
        algorithm HMAC-MD5;
        secret "asiomasdfeCEDDo1JTt8Q==";
};

zone "." {
        type hint;
        file "named.cache";
};

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { key dnskey; };
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.zone";
        allow-update { key dnskey; }; 
};
zone "lan.example.com" {
        type slave;
        file "lan.example.com.zone";
        masters { 192.168.10.2; };
};

After you build /etc/named.conf you need to create the zone files, which live in /etc/named: one file for each zone entry in the configuration above.

Here is the forward zone file, mattrude.com.zone (the named.conf above uses example.com; substitute your own zone name and file name):

; zone file for mattrude.com
$TTL 6000    ; default TTL for the zone, in seconds
mattrude.com. IN      SOA   westley.mattrude.com. samantha.mattrude.com. (
                      1          ; serial number
                      5m         ; refresh (5 minutes)
                      15         ; retry (15 seconds)
                      1w         ; expire (1 week)
                      3h         ; minimum (3 hours)
                      )
              IN      NS      samantha.mattrude.com.
              IN      MX  10  samantha.mattrude.com.
samantha      IN      A       192.168.1.2
mythtv        IN      A       192.168.1.3
desktop       IN      A       192.168.1.9
wireless      IN      A       192.168.1.20
www           IN      CNAME   mythtv.mattrude.com.
wiki          IN      CNAME   mythtv.mattrude.com.
mail          IN      CNAME   samantha.mattrude.com.
vpn           IN      CNAME   samantha.mattrude.com.

And here is the reverse ("backwards looking") zone file, 192.168.1.zone:

; zone file for 192.168.1.0/24
$TTL    86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN 1.168.192.IN-ADDR.ARPA.
@  1D  IN        SOA westley.mattrude.com.      postmaster.mattrude.com. (
                      1           ; serial
                      5m          ; refresh (5 minutes)
                      15          ; retry (15 seconds)
                      1w          ; expire (1 week)
                      3h          ; minimum (3 hours)
                      )
; server host definitions
             IN  NS      westley.mattrude.com.
             IN  NS      samantha.mattrude.com.
             IN  MX  10  samantha.mattrude.com.
1            IN  PTR     westley.mattrude.com.
2            IN  PTR     samantha.mattrude.com.
3            IN  PTR     mythtv.mattrude.com.

Finishing up

Make sure Bind is set to start automatically at boot:

/sbin/chkconfig named on
/sbin/chkconfig --list named

Then start Bind:

/sbin/service named start

Bind Master Slave Setup

To start out, the master server needs UDP and TCP port 53 open so that records can be transferred between the two hosts. With iptables, add the entries below to /etc/sysconfig/iptables.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

The slave host only needs UDP port 53 open.

-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

Bind Configurations

DNS-over-TLS/DOH Forwarders

Cloudflare DOT Forwarder

tls cloudflare-DoT {
    ca-file "/etc/ssl/certs/ca-certificates.crt";
    remote-hostname "one.one.one.one";
};

options {
    forwarders port 853 tls cloudflare-DoT {
        1.1.1.1;
        1.0.0.1;
    };
};

OpenDNS DOT Forwarder

tls OpenDNS-DoT {
    ca-file "/etc/ssl/certs/ca-certificates.crt";
    remote-hostname "dns.opendns.com";
};

options {
    forwarders port 853 tls OpenDNS-DoT {
        208.67.222.222;
        208.67.220.220;
    };
};
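The two forwarder blocks above rely on the same pairing: ca-file supplies the trust anchors and remote-hostname is the name the forwarder's certificate must carry. The client below is an added example (not part of the page, and not BIND code) that performs one DNS-over-TLS query the way the forwarder does: a length-prefixed DNS message over TLS on port 853, with the chain verified against the CA bundle and the certificate checked against the configured hostname. The constants mirror the Cloudflare block; the sample response is constructed so the parser can be exercised offline.

```python
import socket
import ssl
import struct

# Values mirroring the Cloudflare forwarder block above (assumed for the example).
FORWARDER_IP = "1.1.1.1"
FORWARDER_HOSTNAME = "one.one.one.one"          # what remote-hostname checks
CA_FILE = "/etc/ssl/certs/ca-certificates.crt"   # what ca-file points at


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query with RD set and the 2-byte length prefix DoT (RFC 7858) requires."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    msg = header + question
    return struct.pack("!H", len(msg)) + msg


def decode_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                 # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = pointer, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_a_records(msg):
    """Return (owner, ttl, address) for each A record in the answer section."""
    _txid, _flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(msg, off)
        off += 4                                   # qtype + qclass
    answers = []
    for _ in range(an):
        owner, off = decode_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            answers.append((owner, ttl, socket.inet_ntoa(rdata)))
    return answers


# Constructed reply to build_query("example.com"): one A record, 192.0.2.1, TTL 300.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)


def recv_exact(sock, n):
    """Read exactly n bytes, since TLS records need not line up with DNS messages."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("peer closed the TLS connection early")
        buf += chunk
    return buf


def query_over_tls(name, ip=FORWARDER_IP, hostname=FORWARDER_HOSTNAME, cafile=CA_FILE):
    """Send one query to a DoT forwarder. create_default_context() verifies the
    chain against cafile and checks the certificate against server_hostname,
    the same pairing as ca-file / remote-hostname in named.conf."""
    ctx = ssl.create_default_context(cafile=cafile)
    with socket.create_connection((ip, 853), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(build_query(name))
            (length,) = struct.unpack("!H", recv_exact(tls, 2))
            return parse_a_records(recv_exact(tls, length))


if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE))   # offline check of the parser
    print(query_over_tls("example.com"))       # live query; needs network access
```

If the forwarder presents a certificate for a different name, wrap_socket raises ssl.SSLCertVerificationError, which is the behaviour the remote-hostname setting buys you in BIND: a forwarder that cannot prove its identity is not used at all.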

Bind Notes

To Turn off Named's chroot

To turn off named's chroot, edit this file:

vim /etc/sysconfig/named

And change the last line from:

ROOTDIR=/var/chroot/named/

To:

ROOTDIR=/

RNDC

Check the server status, then force a retransfer of several slave zones from the master (here mythtv.mattrude.com, using the rndc configuration in /etc/rndc.config):

rndc status
for a in mattrude.com wireless.mattrude.com 1.168.192.in-addr.arpa 2.168.192.in-addr.arpa; do rndc -s mythtv.mattrude.com -c /etc/rndc.config retransfer $a; done

References