Graham Eddy

bind9 named Server

Install and configure bind9 primary name server for a simple domain, and secondary name server on separate host.

2021-04-29 Ubuntu 20.0-22.04


The example domain geddy.au:

ns1.geddy.au
logical primary name server
ns2.geddy.au
logical secondary name server
s0.geddy.au
hosts primary name server, web server, IP address 125.63.61.82
s1.geddy.au
hosts secondary name server, mail server, IP address 125.63.60.119

Primary name server

Verify you are working on the host for primary name server. Then:

graham:~ sudo vi /etc/hostname
/etc/hosts replace contents
s0
graham:~ sudo hostname s0 graham:~ sudo vi /etc/hosts
/etc/hosts add/change this setting
127.0.1.1  s0.geddy.au
graham:~ hostname --all-fqdns s0.geddy.au graham:~ sudo apt install bind9 bin9utils bind9-doc graham:~ sudo rndc stop # stop primary named for updating graham:~ cd /etc/bind graham:/etc/bind sudo vi named.conf.options
/etc/bind/named.conf.options make it look like as follows
options {
    directory "/var/cache/bind";
    recursion no;
    allow-transfer { none; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // forward to cloudflare not google
    forwarders {
        1.1.1.1;
        1.0.0.1;
    }

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
};

Add forward pointers

This is a primary (master) server so its owns the zone definitions, which are placed per-zone under /etc/bind/zones/. It also authorises the secondary servers for the zone.

graham:/etc/bind sudo vi named.conf.local
/etc/bind/named.conf.local append to end
zone "geddy.au" {
    type master;
    file "/etc/bind/zones/db.geddy.au";
    allow-transfer { 125.63.60.119; };      // ns2.geddy.au
};
graham:/etc/bind sudo mkdir -p zones # container for zone files graham:/etc/bind cd zones graham:/etc/bind/zones sudo vi db.geddy.au # forward pointer file
/etc/bind/zones/db.geddy.au new file
; BIND data file for geddy.au
;
$TTL    14400
@       IN      SOA     ns1.geddy.au. admin.geddy.au. (
                        2109221130      ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; domain root
@               IN  A       125.63.61.82

; hosts
s0              IN  A       125.63.61.82           ; @
s1              IN  A       125.63.60.119          ; @

; name servers
@               IN  NS       ns1.geddy.au.
@               IN  NS       ns2.geddy.au.
ns1             IN  A        125.63.61.82          ; s0
ns2             IN  A        125.63.60.119         ; s1

; mail
@               IN  MX    10 smtp.geddy.au.
smtp            IN  A        125.63.60.119         ; s1
                    ; MX requires A record not CNAME, plus corresp PTR
imap            IN  CNAME    s1.geddy.au.
pop             IN  CNAME    s1.geddy.au.

; other services
www             IN  CNAME    s0.geddy.au.

Add reverse pointers into first subnet

The reverse pointer zone file is named after the IP address' subnet (first three octets) e.g. 125.63.61.82 → db.125.63.61. It contains PTR records for all IP addresses in this subnet.

graham:/etc/bind/zones sudo vi db.125.63.61 # reverse pointer file
/etc/bind/zones/db.125.63.61 new file
; BIND reverse data file for geddy.au
;
$TTL    14400
@       IN      SOA     geddy.au. admin.geddy.au. (
                        2109221134      ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; name servers
        IN      NS      ns1.geddy.au.
        IN      NS      ns2.geddy.au.

; PTR records
82      IN      PTR     www.geddy.au.   ; 125.63.61.82
                        ; want reverse lookup to return web server name
graham:/etc/bind/zones cd .. graham:/etc/bind sudo vi named.conf.local
/etc/bind/named.conf.local append to end
zone "60.63.125.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.125.63.60";
};

Add reverse pointers into second subnet

Our example has second host on second subnet so another reverse pointer zone file must be created.

graham:/etc/bind/zones sudo vi db.125.63.60 # reverse pointer file
/etc/bind/zones/db.125.63.60 new file
; BIND reverse data file for geddy.au
;
$TTL    14400
@       IN      SOA     geddy.au. admin.geddy.au. (
                        2109221136      ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL

; name servers
        IN      NS      ns1.geddy.au.
        IN      NS      ns2.geddy.au.

; PTR records
119     IN      PTR     smtp.geddy.au.  ; 125.63.60.119
                        ; reverse lookup *must* return smtp server name
graham:/etc/bind/zones cd .. graham:/etc/bind sudo vi named.conf.local
/etc/bind/named.conf.local append to end
zone "61.63.125.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.125.63.61";
};

Verify config

graham:/etc/bind named-checkconf # run syntax checks graham:/etc/bind sudo rndc start # start primary named again graham:/etc/bind dig @localhost imap.geddy.au # query primary named locally … ;; QUESTION SECTION: ;imap.geddy.au. IN A ;; ANSWER SECTION: imap.geddy.au. 14400 IN CNAME s1.geddy.au. s1.geddy.au. 14400 IN A 125.63.60.119 graham:/etc/bind sudo ufw allow Bind9 # poke hole in firewall graham:/etc/bind sudo ufw status verbose Status: active To Action From -- ------ ---- OpenSSH ALLOW Anywhere Bind9 ALLOW Anywhere OpenSSH (v6) ALLOW Anywhere (v6) Bind9 (v6) ALLOW Anywhere (v6)

The primary name server is configured and running, but it is not yet glued into the open internet hierarchy of name servers i.e. as yet it cannot be referred to externally by name. However, it can be referenced by its IP address for remote testing.

Secondary name server

Verify you are working on the host for secondary name server. Then:

graham:~ sudo vi /etc/hostname
/etc/hosts replace contents
smtp
graham:~ sudo hostname smtp graham:~ sudo vi /etc/hosts
/etc/hosts add/change this setting
127.0.1.1  smtp.geddy.au
graham:~ hostname --all-fqdns smtp.geddy.au graham:~ sudo apt install bind9 bin9utils bind9-doc graham:~ sudo rndc stop # stop secondary named for updating graham:~ cd /etc/bind graham:/etc/bind sudo vi named.conf.options
/etc/bind/named.conf.options make it look as follows
options {
    directory "/var/cache/bind";
    recursion no;
    allow-transfer { none; };

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

    // forward to cloudflare not google
    forwarders {
        1.1.1.1;
        1.0.0.1;
    }

    //========================================================================
    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys.  See https://www.isc.org/bind-keys
    //========================================================================
    dnssec-validation auto;

    listen-on-v6 { any; };
};
graham:/etc/bind sudo vi named.conf.local
/etc/bind/named.conf.local append to end
zone "geddy.au" {
    type slave;
    file "/etc/bind/zones/db.geddy.au";
    masters { 125.63.61.82; };      // s0
};

zone "60.63.125.in-addr.arpa" {
    type slave;
    file "/etc/bind/zones/db.125.63.60";
    masters { 125.63.61.82; };      // s0
};

zone "61.63.125.in-addr.arpa" {
    type slave;
    file "/etc/bind/zones/db.125.63.61";
    masters { 125.63.61.82; };      // s0
};
graham:/etc/bind sudo mkdir -p zones # container for cached zone files graham:/etc/bind named-checkconf # run syntax checks graham:/etc/bind sudo rndc start # start secondary named again graham:/etc/bind sudo ufw allow Bind9 # poke hole in firewall graham:/etc/bind sudo ufw status verbose graham:/etc/bind dig @ns1.geddy.au -tAXFR geddy.au # induce backup from primary to secondary … geddy.au. 14400 IN SOA geddy.au. admin.geddy.au. 2208042148 604800 86400 2419200 604800 geddy.au. 14400 IN NS ns1.geddy.au. geddy.au. 14400 IN NS ns2.geddy.au. geddy.au. 14400 IN MX 10 smtp.geddy.au. geddy.au. 14400 IN A 125.63.61.82 imap.geddy.au. 14400 IN CNAME s1.geddy.au. ns1.geddy.au. 14400 IN A 125.63.61.82 ns2.geddy.au. 14400 IN A 125.63.60.119 pop.geddy.au. 14400 IN CNAME s1.geddy.au. s0.geddy.au. 14400 IN A 125.63.61.82 s1.geddy.au. 14400 IN A 125.63.60.119 smtp.geddy.au. 14400 IN A 125.63.60.119 www.geddy.au. 14400 IN CNAME s0.geddy.au. graham:/etc/bind dig @localhost www.geddy.au # query secondary named locally … ;; QUESTION SECTION: ;www.geddy.au. IN A ;; ANSWER SECTION: www.geddy.au. 14400 IN CNAME s0.geddy.au. s0.geddy.au. 14400 IN A 125.63.61.82

The secondary name server is configured and running, but it is not yet glued into the open internet hierarchy of name servers i.e. as yet it cannot be referred to externally by name. However, it can be referenced by its IP address for remote testing.

Going live with new name servers

The new name servers need to be patched into the open internet hierarchy of name servers by your Domain Registrar creating glue; records. They take quite some time to propogate through the tree hierarchy; allow at least 4 hours.

With Registrar Discount Domain Name Services, you can update the glue records yourself online. At the very least, you can raise a Support Ticket with your Registrar.