Install and configure bind9 primary name server for a simple domain,
and secondary name server on a separate host.
2021-04-29 Ubuntu 20.04-22.04
The example domain geddy.au:
  ns1.geddy.au   logical primary name server
  ns2.geddy.au   logical secondary name server
  s0.geddy.au    hosts primary name server, web server, IP address 125.63.61.82
  s1.geddy.au    hosts secondary name server, mail server, IP address 125.63.60.119
Primary name server
Verify you are working on the host for primary name server. Then:
graham:~$ sudo vi /etc/hostname
graham:~$ sudo hostname s0
graham:~$ sudo vi /etc/hosts
graham:~$ hostname --all-fqdns
s0.geddy.au
Verify the fully qualified domain name is correct.
graham:~$ sudo apt install bind9 bind9utils bind9-doc
graham:~$ sudo rndc stop # stop primary named for updating
graham:~$ cd /etc/bind
graham:/etc/bind$ sudo vi named.conf.options
Add forward pointers
This is a primary (master) server, so it owns the zone definitions,
which are placed per-zone under /etc/bind/zones/.
It also authorises the secondary servers to transfer the zone.
graham:/etc/bind$ sudo vi named.conf.local
graham:/etc/bind$ sudo mkdir -p zones # container for zone files
graham:/etc/bind$ cd zones
graham:/etc/bind/zones$ sudo vi db.geddy.au # forward pointer file
The trailing periods on the names (e.g. s1.geddy.au.) in this file are critical:
a name without one has the zone origin appended to it.
In the SOA line, set the domain name and the principal email contact
(the notation here uses a 'dot' instead of an 'at').
The value following the SOA names is a serial number,
which must be increased for named (and the secondary) to notice
a zone change. Use the notation YYMMDDHHMM to timestamp the last change.
Substitute the correct IP addresses for s0 and s1.
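The forward zone file the step above edits, as an added example reconstructed from the AXFR listing later on this page (it is not the page's own file; the SOA timer values and 14400 second TTL are taken from that listing):

```bind
; /etc/bind/zones/db.geddy.au -- forward zone for geddy.au
; Added example reconstructed from the AXFR output shown on this page.
; Trailing dots are significant: a name without one gets the origin
; (geddy.au.) appended, so "s1" and "s1.geddy.au." are the same name.
$TTL    14400
$ORIGIN geddy.au.
@       IN  SOA   geddy.au. admin.geddy.au. (
                  2208042148  ; serial, YYMMDDHHMM of last change; bump on every edit
                  604800      ; refresh: how often the secondary polls for a new serial
                  86400       ; retry: delay before retrying a failed refresh
                  2419200     ; expire: secondary stops answering after this long without contact
                  604800 )    ; negative-caching TTL
; name servers authoritative for the zone
@       IN  NS    ns1.geddy.au.
@       IN  NS    ns2.geddy.au.
; mail exchanger; the MX target must be an A record, never a CNAME
@       IN  MX    10 smtp.geddy.au.
; address records
@       IN  A     125.63.61.82
ns1     IN  A     125.63.61.82
ns2     IN  A     125.63.60.119
s0      IN  A     125.63.61.82
s1      IN  A     125.63.60.119
smtp    IN  A     125.63.60.119
; aliases onto the two hosts
www     IN  CNAME s0.geddy.au.
imap    IN  CNAME s1.geddy.au.
pop     IN  CNAME s1.geddy.au.
```

Check the file with `named-checkzone geddy.au /etc/bind/zones/db.geddy.au` before starting named; it reports the serial it loaded, which is a quick way to confirm the bump was saved.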
Add reverse pointers into first subnet
The reverse pointer zone file is named after the IP address' subnet
(first three octets), e.g. 125.63.61.82 → db.125.63.61.
It contains PTR records for all IP addresses in this subnet.
graham:/etc/bind/zones$ sudo vi db.125.63.61 # reverse pointer file
Ensure the SOA and NS records have the correct
domain name and serial/timestamp.
Each IP address has a corresponding PTR record at the end, specifying
the final octet and the name to be returned on a reverse lookup of
that IP address, e.g. 125.63.61.82 → www.geddy.au.
graham:/etc/bind/zones$ cd ..
graham:/etc/bind$ sudo vi named.conf.local
Add reverse pointers into second subnet
Our example has the second host on a second subnet, so another reverse pointer
zone file must be created.
graham:/etc/bind/zones$ sudo vi db.125.63.60 # reverse pointer file
Every open internet smtp mail server must have a PTR record.
Mail servers world-wide use the reverse lookup of an smtp server by IP address
to verify the validity of the server
(as opposed to the laptop of a pimply 15yo Elbonian hacker).
graham:/etc/bind/zones$ cd ..
graham:/etc/bind$ sudo vi named.conf.local
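The two reverse zone files from the steps above (first and second subnet), as an added example that is not from the original page; the SOA primary name ns1.geddy.au. and the single PTR per file are assumptions matching the page's hosts:

```bind
; /etc/bind/zones/db.125.63.61 -- reverse zone 61.63.125.in-addr.arpa (first subnet)
; Added example, not the page's own file. $ORIGIN must equal the zone name
; given in named.conf.local; it only makes the short owner names below explicit.
$TTL    14400
$ORIGIN 61.63.125.in-addr.arpa.
@       IN  SOA   ns1.geddy.au. admin.geddy.au. (
                  2208042148  ; serial YYMMDDHHMM: bump whenever this file changes
                  604800 86400 2419200 604800 )
@       IN  NS    ns1.geddy.au.
@       IN  NS    ns2.geddy.au.
; final octet -> name returned by a reverse lookup of 125.63.61.82
82      IN  PTR   www.geddy.au.

; /etc/bind/zones/db.125.63.60 -- reverse zone 60.63.125.in-addr.arpa (second subnet)
$TTL    14400
$ORIGIN 60.63.125.in-addr.arpa.
@       IN  SOA   ns1.geddy.au. admin.geddy.au. (
                  2208042148
                  604800 86400 2419200 604800 )
@       IN  NS    ns1.geddy.au.
@       IN  NS    ns2.geddy.au.
; the mail server's PTR must be the name it announces in HELO/EHLO
; (smtp.geddy.au), and that name must resolve back to 125.63.60.119;
; receiving servers reject mail when this forward/reverse pair disagrees
119     IN  PTR   smtp.geddy.au.
```

Each file is checked with `named-checkzone 61.63.125.in-addr.arpa db.125.63.61` (and likewise for the second subnet), which catches a PTR whose target lacks its trailing dot.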
Verify config
graham:/etc/bind$ named-checkconf # run syntax checks
Fix any configuration errors reported (silence = no errors).
graham:/etc/bind$ sudo systemctl start named # start primary named again
graham:/etc/bind$ sudo rndc status
Ensure the last line of the status output indicates the server is running.
graham:/etc/bind$ dig @localhost imap.geddy.au # query primary named locally
…
;; QUESTION SECTION:
;imap.geddy.au. IN A
;; ANSWER SECTION:
imap.geddy.au. 14400 IN CNAME s1.geddy.au.
s1.geddy.au. 14400 IN A 125.63.60.119
Amongst the gobbledegoop reported by dig, the above extract
should be found, verifying that the local name server mapped
imap.geddy.au → CNAME s1.geddy.au → A 125.63.60.119.
graham:/etc/bind$ sudo ufw allow Bind9 # poke hole in firewall
graham:/etc/bind$ sudo ufw status verbose
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       Anywhere
Bind9                      ALLOW       Anywhere
OpenSSH (v6)               ALLOW       Anywhere (v6)
Bind9 (v6)                 ALLOW       Anywhere (v6)
Ensure Bind9 (port 53) has been opened in firewall.
The primary name server is configured and running, but it is not yet
glued into the open internet hierarchy of name servers i.e.
as yet it cannot be referred to externally by name.
However, it can be referenced by its IP address for remote testing.
Secondary name server
Verify you are working on the host for secondary name server. Then:
graham:~$ sudo vi /etc/hostname
Ensure the hostname is smtp, not the perhaps-expected s1:
this is a mandatory requirement for an smtp server,
which we have chosen to co-host with the secondary name server.
graham:~$ sudo hostname smtp
graham:~$ sudo vi /etc/hosts
graham:~$ hostname --all-fqdns
smtp.geddy.au
Verify the fully qualified domain name is correct.
graham:~$ sudo apt install bind9 bind9utils bind9-doc
graham:~$ sudo rndc stop # stop secondary named for updating
graham:~$ cd /etc/bind
graham:/etc/bind$ sudo vi named.conf.options
This should be identical to the equivalent file on the primary name server.
graham:/etc/bind$ sudo vi named.conf.local
Ensure the forward pointer zones and reverse pointer zones are added.
This is the secondary name server, so ensure each zone has type slave.
These zone files hold the copies of zone data transferred from the primary server.
graham:/etc/bind$ sudo mkdir -p /var/lib/bind/zones # container for transferred zone files
graham:/etc/bind$ sudo chown root:bind /var/lib/bind/zones
graham:/etc/bind$ sudo chmod 2775 /var/lib/bind/zones
graham:/etc/bind$ named-checkconf # run syntax checks
Confirm the secondary zone files in named.conf.local are placed under /var/lib/bind/,
otherwise apparmor will prevent the transferred zone files being created.
Fix any configuration errors reported (silence = no errors).
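The named.conf.local contents implied by the primary steps earlier and the secondary steps just above, as an added example (not the page's own files). The allow-transfer lists are an assumption added here: BIND 9.16/9.18 as shipped on these Ubuntu releases answers zone transfers from any address unless told otherwise, and limiting AXFR to the secondary's IP stops anyone on the internet from listing every host in the zone.

```bind
// /etc/bind/named.conf.local on the PRIMARY (s0, 125.63.61.82)
// Added example, not the page's own file.
zone "geddy.au" {
    type master;
    file "/etc/bind/zones/db.geddy.au";
    allow-transfer { 125.63.60.119; };   // only the secondary may AXFR the zone
};
zone "61.63.125.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.125.63.61";
    allow-transfer { 125.63.60.119; };
};
zone "60.63.125.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.125.63.60";
    allow-transfer { 125.63.60.119; };
};

// /etc/bind/named.conf.local on the SECONDARY (s1, 125.63.60.119)
// Transferred copies live under /var/lib/bind/zones, which the Ubuntu
// AppArmor profile lets named write to (/etc/bind is read-only to it).
zone "geddy.au" {
    type slave;
    masters { 125.63.61.82; };           // pull the zone from the primary
    file "/var/lib/bind/zones/db.geddy.au";
    allow-transfer { none; };            // the secondary serves, it does not re-export
};
zone "61.63.125.in-addr.arpa" {
    type slave;
    masters { 125.63.61.82; };
    file "/var/lib/bind/zones/db.125.63.61";
    allow-transfer { none; };
};
zone "60.63.125.in-addr.arpa" {
    type slave;
    masters { 125.63.61.82; };
    file "/var/lib/bind/zones/db.125.63.60";
    allow-transfer { none; };
};
```

With allow-transfer restricted this way the AXFR test later on the page still works when run from the secondary host, but the same dig from any other address gets "Transfer failed.", which is the expected and desired result.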
graham:/etc/bind$ sudo systemctl start named # start secondary named again
graham:/etc/bind$ sudo rndc status
Ensure the last line of the status output indicates the server is running.
graham:/etc/bind$ sudo ufw allow Bind9 # poke hole in firewall
graham:/etc/bind$ sudo ufw status verbose
Ensure Bind9 (port 53) has been opened in firewall.
graham:/etc/bind$ dig @ns1.geddy.au -t AXFR geddy.au # pull a full zone transfer from the primary, as the secondary does
…
geddy.au. 14400 IN SOA geddy.au. admin.geddy.au. 2208042148 604800 86400 2419200 604800
geddy.au. 14400 IN NS ns1.geddy.au.
geddy.au. 14400 IN NS ns2.geddy.au.
geddy.au. 14400 IN MX 10 smtp.geddy.au.
geddy.au. 14400 IN A 125.63.61.82
imap.geddy.au. 14400 IN CNAME s1.geddy.au.
ns1.geddy.au. 14400 IN A 125.63.61.82
ns2.geddy.au. 14400 IN A 125.63.60.119
pop.geddy.au. 14400 IN CNAME s1.geddy.au.
s0.geddy.au. 14400 IN A 125.63.61.82
s1.geddy.au. 14400 IN A 125.63.60.119
smtp.geddy.au. 14400 IN A 125.63.60.119
www.geddy.au. 14400 IN CNAME s0.geddy.au.
Verify that all expected records have been transferred from primary
to secondary name server.
graham:/etc/bind$ dig @localhost www.geddy.au # query secondary named locally
…
;; QUESTION SECTION:
;www.geddy.au. IN A
;; ANSWER SECTION:
www.geddy.au. 14400 IN CNAME s0.geddy.au.
s0.geddy.au. 14400 IN A 125.63.61.82
Verify the expected mapping www.geddy.au → CNAME s0.geddy.au → A 125.63.61.82.
The secondary name server is configured and running, but it is not yet
glued into the open internet hierarchy of name servers i.e.
as yet it cannot be referred to externally by name.
However, it can be referenced by its IP address for remote testing.
Going live with new name servers
The new name servers need to be patched into the open internet hierarchy
of name servers by your Domain Registrar creating glue records
(the A records for ns1 and ns2 held in the parent .au zone).
They take quite some time to propagate through the tree hierarchy;
allow at least 4 hours.
With Registrar Discount Domain Name Services,
you can update the glue records yourself online.
At the very least, you can raise a Support Ticket with your Registrar.