bind9 named Server
Install and configure bind9 primary name server for a simple domain, and secondary name server on separate host.
2021-04-29 Ubuntu 20.0-22.04
The example domain geddy.au:
- ns1.geddy.au: logical primary name server
- ns2.geddy.au: logical secondary name server
- s0.geddy.au: hosts the primary name server and the web server, IP address 125.63.61.82
- s1.geddy.au: hosts the secondary name server and the mail server, IP address 125.63.60.119
Primary name server
Verify you are working on the host for the primary name server. Then:
graham:~ sudo vi /etc/hostname /etc/hosts
/etc/hostname
replace contents
s0
/etc/hosts
add/change this setting
127.0.1.1 s0.geddy.au
- Verify the fully qualified domain name is correct.
/etc/bind/named.conf.options
make it look as follows
options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // forward to cloudflare not google
        forwarders { 1.1.1.1; 1.0.0.1; };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};
- recursion no; makes this an authoritative-only server: it answers for its own zones and refuses to resolve anything else for clients, so the forwarders are never actually consulted. allow-transfer { none; } is the global default; the per-zone allow-transfer in named.conf.local is what opens transfers, to ns2 only.
Add forward pointers
This is the primary (master) server so it owns the zone definitions, which are placed per-zone under /etc/bind/zones/. It also authorises the secondary servers for the zone.
/etc/bind/named.conf.local
append to end
zone "geddy.au" {
        type master;
        file "/etc/bind/zones/db.geddy.au";
        allow-transfer { 125.63.60.119; }; // ns2.geddy.au
};
/etc/bind/zones/db.geddy.au
new file
; BIND data file for geddy.au
;
$TTL 14400
@       IN SOA  ns1.geddy.au. admin.geddy.au. (
                2109221130      ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL
; domain root
@       IN A    125.63.61.82
; hosts
s0      IN A    125.63.61.82    ; @
s1      IN A    125.63.60.119   ; @
; name servers
@       IN NS   ns1.geddy.au.
@       IN NS   ns2.geddy.au.
ns1     IN A    125.63.61.82    ; s0
ns2     IN A    125.63.60.119   ; s1
; mail
@       IN MX   10 smtp.geddy.au.
smtp    IN A    125.63.60.119   ; s1 ; MX requires A record not CNAME, plus corresp PTR
imap    IN CNAME s1.geddy.au.
pop     IN CNAME s1.geddy.au.
; other services
www     IN CNAME s0.geddy.au.
- The trailing periods on the names (e.g. s1.geddy.au.) in this file are critical: a name without one is treated as relative to the zone and gets geddy.au appended.
- In the SOA line, set the domain name and principal email contact (the notation here uses a 'dot' instead of an 'at').
- The line following SOA is a serial number, which must be increased whenever the zone changes so that named (and the secondary, which compares serials before transferring) notices the change. Use notation YYMMDDHHMM to timestamp the last change.
- Substitute correct IP addresses for s0 and s1.
Add reverse pointers into first subnet
The reverse pointer zone file is named after the subnet of the IP address (first three octets), e.g. 125.63.61.82 → db.125.63.61. It contains PTR records for all IP addresses in this subnet.
/etc/bind/zones/db.125.63.61
new file
; BIND reverse data file for geddy.au
;
$TTL 14400
@       IN SOA  geddy.au. admin.geddy.au. (
                2109221134      ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL
; name servers
        IN NS   ns1.geddy.au.
        IN NS   ns2.geddy.au.
; PTR records
82      IN PTR  www.geddy.au.   ; 125.63.61.82 ; want reverse lookup to return web server name
- Ensure SOA and NS records have the correct domain name and serial/timestamp.
- Each IP address has a corresponding PTR record at the end specifying the final octet and the name to be returned on a reverse lookup of that IP address, e.g. 125.63.61.82 → www.geddy.au.
/etc/bind/named.conf.local
append to end
zone "61.63.125.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.125.63.61";
};
Add reverse pointers into second subnet
Our example has the second host on a second subnet, so another reverse pointer zone file must be created.
graham:/etc/bind/zones sudo vi db.125.63.60 # reverse pointer file
/etc/bind/zones/db.125.63.60
new file
; BIND reverse data file for geddy.au
;
$TTL 14400
@       IN SOA  geddy.au. admin.geddy.au. (
                2109221136      ; Serial
                604800          ; Refresh
                86400           ; Retry
                2419200         ; Expire
                604800 )        ; Negative Cache TTL
; name servers
        IN NS   ns1.geddy.au.
        IN NS   ns2.geddy.au.
; PTR records
119     IN PTR  smtp.geddy.au.  ; 125.63.60.119 ; reverse lookup *must* return smtp server name
- Every open internet smtp mail server must have a PTR record. Mail servers world-wide use the reverse lookup of the smtp server's IP address to verify the validity of the server (as opposed to the laptop of a pimply 15yo Elbonian hacker).
/etc/bind/named.conf.local
append to end
zone "60.63.125.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.125.63.60";
};
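As an added example (not part of the original notes), a small Python linter that applies the rules stated in the forward and reverse pointer sections to constructed copies of the geddy.au zone data: the MX target must be an A record rather than a CNAME, a name missing its trailing period silently becomes relative to the zone origin, every address in the forward zone needs a PTR record, and the PTR name must resolve back to the same address. The data, the subnet-keyed reverse layout and the functions parse, resolve and lint are this example's own.

```python
import re

ORIGIN = "geddy.au."
NAME_TYPES = {"NS", "CNAME", "MX", "PTR"}   # types whose last rdata field is a domain name
# Constructed zone data following the page's geddy.au layout (SOA and $TTL omitted; not checked here).
FORWARD = """
@    IN A     125.63.61.82
s0   IN A     125.63.61.82
s1   IN A     125.63.60.119
ns1  IN A     125.63.61.82     ; s0
ns2  IN A     125.63.60.119    ; s1
@    IN MX 10 smtp.geddy.au.
smtp IN A     125.63.60.119    ; s1
www  IN CNAME s0.geddy.au.
"""
# Constructed reverse zones keyed by subnet (first three octets); the owner is the final octet, as on the page.
REVERSE = {"125.63.61": "82 IN PTR www.geddy.au.", "125.63.60": "119 IN PTR smtp.geddy.au."}

def parse(text, origin):
    """Yield (owner, type, rdata); '@' and any name without a trailing dot are relative to origin."""
    fq = lambda n: origin if n == "@" else n if n.endswith(".") else f"{n}.{origin}"
    for line in re.sub(r";[^\n]*", "", text).splitlines():   # strip ; comments
        tok = line.split()
        if len(tok) >= 4 and tok[1] == "IN":                   # skips blanks and $-directives
            # A target missing its trailing dot surfaces here as e.g. smtp.geddy.au.geddy.au.
            rdata = tok[3:-1] + [fq(tok[-1])] if tok[2] in NAME_TYPES else tok[3:]
            yield fq(tok[0]), tok[2], rdata

def resolve(name, a, cname, depth=8):   # follow a bounded CNAME chain to an address, or None
    while depth and name in cname:
        name, depth = cname[name], depth - 1
    return a.get(name)

def lint(forward=FORWARD, reverse=REVERSE, origin=ORIGIN):
    """Return a list of problems; an empty list means the forward and reverse zones agree."""
    recs = list(parse(forward, origin))
    a = {o: r[0] for o, t, r in recs if t == "A"}
    cname = {o: r[0] for o, t, r in recs if t == "CNAME"}
    ptr = {f"{net}.{o.split('.')[0]}": r[0] for net, txt in reverse.items()
           for o, t, r in parse(txt, net) if t == "PTR"}
    problems = []
    for o, t, r in recs:
        if t == "MX" and r[-1] not in a:   # MX must name an A record, never a CNAME
            problems.append(f"MX target {r[-1]} is {'a CNAME' if r[-1] in cname else 'not an A record'}")
    for ip in sorted(set(a.values())):      # every address needs a PTR whose name resolves back to it
        if ip not in ptr:
            problems.append(f"{ip} has no PTR record")
        elif resolve(ptr[ip], a, cname) != ip:
            problems.append(f"PTR for {ip} names {ptr[ip]}, which does not resolve back to {ip}")
    return problems
```

Running lint() on the constructed data returns an empty list; swapping the MX target for www.geddy.au. or dropping its trailing period produces the corresponding complaint.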
Verify config
graham:/etc/bind named-checkconf # run syntax checks
- Fix any configuration errors reported (silence = no errors).
- Ensure the last line of status indicates the server is running.
- Amongst the gobbledegoop reported by dig, the above extract should be found, verifying that the local name server mapped imap.geddy.au → CNAME s1.geddy.au → A 125.63.60.119.
- Ensure Bind9 (port 53) has been opened in the firewall.
The primary name server is configured and running, but it is not yet glued into the open internet hierarchy of name servers, i.e. as yet it cannot be referred to externally by name. However, it can be referenced by its IP address for remote testing.
Secondary name server
Verify you are working on the host for the secondary name server. Then:
graham:~ sudo vi /etc/hostname /etc/hosts
/etc/hostname
replace contents
smtp
- Ensure the hostname is smtp, not the perhaps-expected s1 – this is a mandatory requirement for an smtp server, which we have chosen to co-host with the secondary name server.
/etc/hosts
add/change this setting
127.0.1.1 smtp.geddy.au
- Verify the fully qualified domain name is correct.
/etc/bind/named.conf.options
make it look as follows
options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk. See http://www.kb.cert.org/vuls/id/800113

        // forward to cloudflare not google
        forwarders { 1.1.1.1; 1.0.0.1; };

        //========================================================================
        // If BIND logs error messages about the root key being expired,
        // you will need to update your keys. See https://www.isc.org/bind-keys
        //========================================================================
        dnssec-validation auto;

        listen-on-v6 { any; };
};
- This should be identical to equivalent file on primary name server.
/etc/bind/named.conf.local
append to end
zone "geddy.au" {
        type slave;
        file "/var/lib/bind/zones/db.geddy.au";
        masters { 125.63.61.82; }; // s0
};
zone "60.63.125.in-addr.arpa" {
        type slave;
        file "/var/lib/bind/zones/db.125.63.60";
        masters { 125.63.61.82; }; // s0
};
zone "61.63.125.in-addr.arpa" {
        type slave;
        file "/var/lib/bind/zones/db.125.63.61";
        masters { 125.63.61.82; }; // s0
};
- Ensure forward pointer zones and reverse pointer zones are added.
- This is the secondary name server so ensure type slave.
- These zone files hold the copies transferred from the primary server as required.
- Confirm it is configured to use /var/lib/bind/, otherwise apparmor will prevent state files being created.
- Fix any configuration errors reported (silence = no errors).
- Ensure the last line of status indicates the server is running.
- Ensure Bind9 (port 53) has been opened in the firewall.
- Verify that all expected records have been transferred from the primary to the secondary name server.
- Verify the expected mapping www.geddy.au → CNAME s0.geddy.au → A 125.63.61.82.
The secondary name server is configured and running, but it is not yet glued into the open internet hierarchy of name servers, i.e. as yet it cannot be referred to externally by name. However, it can be referenced by its IP address for remote testing.
Going live with new name servers
The new name servers need to be patched into the open internet hierarchy of name servers by your Domain Registrar creating glue records. They take quite some time to propagate through the tree hierarchy; allow at least 4 hours.
With Registrar Discount Domain Name Services, you can update the glue records yourself online. At the very least, you can raise a Support Ticket with your Registrar.