Bind

From MattWiki
Note: This page was written with Ubuntu 16.04 LTS in mind, and may not work correctly with other versions or distributions.

Bind Logging

Enable/Disable Query Logging

Query logging in Bind is switched with rndc: running rndc querylog with no argument toggles the current state (newer releases also accept an explicit on or off argument). Query entries go to the queries category, so with the single-channel logging configuration below they appear in the main Bind log. Each entry records a client address and the name it asked for, so treat the log as sensitive, and expect some performance cost on a busy server.

rndc querylog

Log Format

+E(0)DC

Each query log entry reports the client's IP address and port number, then the query name, class and type, followed by a flag field like the one above. The first character says whether the Recursion Desired flag was set (+ if set, - if not). The letters after it are only printed when the condition holds: the query was TSIG-signed (S), EDNS was in use (E; newer BIND releases print the EDNS version in parentheses after it, so E(0) means EDNS version 0), TCP was used (T), DO (DNSSEC OK) was set (D), and CD (Checking Disabled) was set (C).

+EDC on a query indicates that:

  • Recursion was requested (+): the query came from a stub client or from a server forwarding to yours; on an authoritative-only server a steady stream of these from outside your network is worth noticing
  • The sender is using EDNS0 (E), advertising the UDP payload size it can accept
  • The sender understands DNSSEC (D, the DO bit): it asks your server to include any DNSSEC material associated with the answer in the reply
  • DNSSEC validation checking is disabled (C, the CD bit): the sender wants the answer even if validation would fail, so it is either validating on its own or deliberately bypassing validation
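The following Python parser is an added example, not code from this wiki page: it pulls the client, query and flag field out of query-log lines, decodes the flags described above (including the E(0) form newer releases print), and produces the per-client counters a practitioner would actually alert on, such as repeated ANY queries without the recursion bit from an outside address. The log lines are constructed for the example, using the page's 192.168.1.0/24 addresses plus a documentation address; the field layout follows the BIND 9.10/9.11 query log format.

```python
import re
from collections import defaultdict

# Matches the query part of a BIND 9.10/9.11 query-log line.  The optional
# "@0x..." token is the client handle newer versions print; the leading
# timestamp/category/severity (from print-time etc.) is simply not matched.
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#(?P<port>\d+) "
    r"\([^)]*\): query: (?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) "
    r"(?P<flags>[+-][A-Z0-9()]*)"
)

# Constructed sample log (not a real capture): LAN clients plus 198.51.100.7,
# a documentation address, probing with non-recursive ANY queries.
SAMPLE_LOG = """\
05-Jan-2017 10:00:00.123 queries: info: client @0x7f3c2c0a1b20 192.168.1.9#53412 (www.mattrude.com): query: www.mattrude.com IN A +E(0)DC (192.168.1.1)
05-Jan-2017 10:00:00.456 queries: info: client 192.168.1.20#41022 (mattrude.com): query: mattrude.com IN MX + (192.168.1.1)
05-Jan-2017 10:00:01.001 queries: info: client 198.51.100.7#4444 (mattrude.com): query: mattrude.com IN ANY -E (192.168.1.1)
05-Jan-2017 10:00:01.002 queries: info: client 198.51.100.7#4444 (mattrude.com): query: mattrude.com IN ANY -E (192.168.1.1)
05-Jan-2017 10:00:02.500 queries: info: client 192.168.1.2#55123 (wiki.mattrude.com): query: wiki.mattrude.com IN AAAA +ET (192.168.1.1)
05-Jan-2017 10:00:03.000 general: info: zone mattrude.com/IN: loaded serial 1
"""


def decode_flags(flags):
    """Decode a flag field such as '+', '-E', '+ET' or '+E(0)DC' into a dict."""
    if not flags or flags[0] not in "+-":
        raise ValueError(f"bad flag field: {flags!r}")
    out = {"rd": flags[0] == "+", "signed": False, "edns": False,
           "edns_version": None, "tcp": False, "do": False, "cd": False}
    i = 1
    while i < len(flags):
        c = flags[i]
        if c == "S":
            out["signed"] = True
        elif c == "E":
            out["edns"] = True
            m = re.match(r"\((\d+)\)", flags[i + 1:])  # 9.11+ prints E(version)
            if m:
                out["edns_version"] = int(m.group(1))
                i += len(m.group(0))
        elif c == "T":
            out["tcp"] = True
        elif c == "D":
            out["do"] = True
        elif c == "C":
            out["cd"] = True
        else:
            raise ValueError(f"unknown flag {c!r} in {flags!r}")
        i += 1
    return out


def parse_query_log(text):
    """Return one dict per query line; lines from other categories are ignored."""
    entries = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        e["flags"] = decode_flags(e.pop("flags"))
        entries.append(e)
    return entries


def summarize(entries):
    """Per-client counters worth alerting on: ANY queries and queries without
    RD from an address that is not a known resolver look like reflection or
    amplification probing; CD means the client bypasses DNSSEC validation;
    TCP shows truncation fallback or transfer attempts."""
    stats = defaultdict(lambda: {"queries": 0, "any": 0, "no_rd": 0, "cd": 0, "tcp": 0})
    for e in entries:
        s = stats[e["ip"]]
        s["queries"] += 1
        s["any"] += e["qtype"] == "ANY"
        s["no_rd"] += not e["flags"]["rd"]
        s["cd"] += e["flags"]["cd"]
        s["tcp"] += e["flags"]["tcp"]
    return dict(stats)


if __name__ == "__main__":
    for ip, s in summarize(parse_query_log(SAMPLE_LOG)).items():
        print(ip, s)
```

Feed it the real bind.log (the regex ignores the timestamp prefix produced by print-time, print-category and print-severity), and extend summarize with whatever is normal for your resolver population; the point is that the flag field, not just the query name, is what separates legitimate recursive clients from scanners.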

Setup A - All logs in a single file

The following logging statement in named.conf puts every log category into a single file, /var/log/named/bind.log, keeping ten rotated copies of 5 MB each. The directory must exist and be writable by the user named runs as (bind on Ubuntu, where the default AppArmor profile already allows writes under /var/log/named), otherwise named fails to configure logging at startup. With severity dynamic the channel follows whatever debug level has been set with rndc trace.

logging {
  channel simple_log {
    file "/var/log/named/bind.log" versions 10 size 5m;
    severity dynamic;
    print-time yes;
    print-severity yes;
    print-category yes;
  };
  category default {
    simple_log;
  };
};

Bind Notes

How to find the version number for Bind

Using dig

dig @127.0.0.1 version.bind chaos txt

Using nslookup

nslookup -q=txt -class=CHAOS version.bind. 0

Or, if you have shell access on the server itself, run

named -v

You may also restrict who can ask for the version. named answers version.bind (and hostname.bind) from a built-in zone called "bind" in the CHAOS class; defining that zone yourself replaces the built-in one, and its allow-query then decides who may query it:

acl "trusted" { 127.0.0.0/8; };

zone "bind" chaos {
        type master;
        file "/var/named/bind";
        allow-query { trusted; };
        allow-transfer { none; };
};

Then create the zone file /var/named/bind:

$TTL 1D
$ORIGIN bind.
@	1D  CHAOS SOA	localhost. 	root.localhost. (
 			1
			3H
			1H
			1W
			1D  )
	CHAOS  NS	localhost.

Queries for version.bind from anywhere other than the local host are now refused. Because the replacement zone carries no TXT record, even local queries get NXDOMAIN; add a TXT record for version (for example: version  CHAOS  TXT  "hidden") if local tooling expects an answer. If all you want is a different banner, the version option in the options block (for example: version "not disclosed";) does that without a custom zone. Either way, hiding the banner only stops casual fingerprinting; it is not a substitute for patching.

The Bind Install

Installing Bind

The commands in this section are from a Red Hat style system (yum, chkconfig, /etc/sysconfig); on Ubuntu 16.04 the package is bind9, the configuration lives under /etc/bind, and the service is managed with systemctl.

yum -y install bind caching-nameserver

Configuring Bind

Generate a TSIG key that will authenticate dynamic updates (and zone transfers, if you use it there):

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST dnskey

This writes a Kdnskey.+157+<id>.key and .private pair; the Key: line of the .private file is the base64 secret used below. HMAC-MD5 is obsolete: with a BIND of this era prefer -a HMAC-SHA256 -b 256, and newer releases ship tsig-keygen, which prints a ready-made key statement. Keep the key statement out of the world-readable named.conf: put it in its own file, mode 640 and owned by root and the named group, and pull it in with an include statement.

You now need to build the /etc/named.conf file. It should look something like this. Two things differ from a typical stock file: query-source port 53 is commented out, because pinning the source port defeats the source-port randomisation BIND relies on to resist cache poisoning, and the master zones carry an explicit allow-transfer, because the default allows zone transfers to anyone.

// /etc/named.conf
options {
        listen-on port 53 { 192.168.1.1; };
        directory       "/etc/named";
        dump-file       "/etc/named/data/cache_dump.db";
        statistics-file "/etc/named/data/named_stats.txt";
        memstatistics-file "/etc/named/data/named_mem_stats.txt";
        // query-source port 53;   // do not pin the source port; let named randomise it
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
// from dnssec-keygen above; better kept in a separate mode-640 file and pulled in with include
key dnskey {
        algorithm HMAC-MD5;
        secret "asiomasdfeCEDDo1JTt8Q==";
};

zone "." {
        type hint;
        file "named.cache";
};

zone "example.com" IN {
        type master;
        file "example.com.zone";
        allow-update { key dnskey; };
        allow-transfer { none; };   // or the address(es) of your slave servers
};
zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.1.zone";
        allow-update { key dnskey; };
        allow-transfer { none; };
};
zone "lan.example.com" {
        type slave;
        file "lan.example.com.zone";
        masters { 192.168.10.2; };
};

After you build /etc/named.conf you need to create the zone files in /etc/named, one for each master zone above (the slave zone file is written by named itself after the first transfer). Each file name must match the file statement of its zone; the examples below are for mattrude.com, so rename either the zones in named.conf or the files so they agree.

Here is the forward zone file

mattrude.com.zone:

; zone file for mattrude.com
$TTL 6000    ; 6000 secs (1h40m) default TTL for zone
mattrude.com. IN      SOA   westley.mattrude.com. samantha.mattrude.com. (
                      1          ; serial number
                      5m         ; refresh (5 minutes)
                      15         ; retry (15 seconds)
                      1w         ; expire (1 week)
                      3h         ; minimum (3 hours)
                      )
              IN      NS      samantha.mattrude.com.
              IN      MX  10  samantha.mattrude.com.
samantha      IN      A       192.168.1.2
mythtv        IN      A       192.168.1.3
desktop       IN      A       192.168.1.9
wireless      IN      A       192.168.1.20
www           IN      CNAME   mythtv.mattrude.com.
wiki          IN      CNAME   mythtv.mattrude.com.
mail          IN      CNAME   samantha.mattrude.com.
vpn           IN      CNAME   samantha.mattrude.com.

And here is the reverse zone file, 192.168.1.zone:

; zone file for 192.168.1.0/24
$TTL    86400 ; 24 hours could have been written as 24h or 1d
$ORIGIN 1.168.192.IN-ADDR.ARPA.
@  1D  IN        SOA westley.mattrude.com.      postmaster.mattrude.com. (
                      1           ; serial
                      5m          ; refresh (5 minutes)
                      15          ; retry (15 seconds)
                      1w          ; expire (1 week)
                      3h          ; minimum (3 hours)
                      )
; server host definitions
             IN  NS      westley.mattrude.com.
             IN  NS      samantha.mattrude.com.
             IN  MX  10  samantha.mattrude.com.
1            IN  PTR     westley.mattrude.com.
2            IN  PTR     samantha.mattrude.com.
3            IN  PTR     mythtv.mattrude.com.

Finishing up

Make sure bind is set to auto start when the computer starts

/sbin/chkconfig named on
/sbin/chkconfig --list named

Before starting, syntax-check the configuration and each zone file with named-checkconf and named-checkzone (both ship with BIND); a typo in a zone file otherwise just leaves that zone unloaded while named carries on serving the rest. Then start Bind

/sbin/service named start

Bind Master Slave Setup

A zone transfer (AXFR/IXFR) runs over TCP and is initiated by the slave, so the master needs TCP port 53 reachable from the slave; NOTIFY messages from the master to the slave travel over UDP port 53. Both hosts additionally need UDP and TCP 53 open to whichever clients they serve, because clients retry over TCP when a response is truncated. With IPTables, add the below entries to /etc/sysconfig/iptables on the master.

-A INPUT -m state --state NEW -m tcp -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

The slave itself needs only UDP port 53 open for NOTIFY (its transfer connections are outbound and already covered by the state match), plus TCP 53 if it serves clients.

-A INPUT -m state --state NEW -m udp -p udp --dport 53 -j ACCEPT

The firewall only limits who can reach port 53. Restrict who may actually pull the zone with allow-transfer { <slave address>; }; on the master (or a TSIG key shared with the slave); otherwise the whole zone is readable by anyone who can connect.

Bind Notes

To Turn off Named's chroot

The chroot is defence in depth: it limits what a compromised named process can read or write, so turn it off only for troubleshooting. Once it is off, named reads /etc/named.conf and the zone files from the real filesystem rather than from under /var/chroot/named, so they must exist there. To turn it off, edit this file

vim /etc/sysconfig/named

And change the last line from:

ROOTDIR=/var/chroot/named/

To:

ROOTDIR=/

RNDC

rndc status

rndc talks to named over TCP port 953 and authenticates with the TSIG key in its configuration file, so that file (here /etc/rndc.config) and the matching key in named.conf must be readable only by root. The loop below tells the slave server mythtv.mattrude.com to pull each listed zone again from its master, which is the fix when a slave is stale because a zone was changed without its serial being bumped:

for a in mattrude.com wireless.mattrude.com 1.168.192.in-addr.arpa 2.168.192.in-addr.arpa; do
    rndc -s mythtv.mattrude.com -c /etc/rndc.config retransfer $a
done