
How to install DNS server (bind9) on VPS or Cloud - Linux

IF YOU ARE NOT FAMILIAR WITH MANUALLY INSTALLING AND EDITING NAMESERVERS, WE SUGGEST YOU GET A CONTROL PANEL FOR YOUR SERVER.


This document describes the process of installing Bind 9.x on your Linux box as a caching DNS server.

The steps to install it are as follows:

  1. Download the latest stable release from ISC.org *
  2. Extract the tarball like so:
    • tar zxvf bind-9.x.tar.gz
    • cd bind-9.x
  3. Configure the software (one command; the backslashes continue it across lines):
    • ./configure --prefix=/usr \
          --sysconfdir=/etc \
          --enable-threads \
          --localstatedir=/var/state \
          --with-libtool \
          --with-openssl=/usr/ssl
  4. Compile it:
    • make
  5. Remove all existing Bind software:
    • rpm -q -a | grep '^bind' | while read line; do rpm -e --nodeps "$line"; done
  6. Install your new Bind:
    • make install
    • The following man page installation is not needed on 9.2.0 and above:
    • cd doc/man/bin
    • for i in 1 5 8; do install *.$i /usr/man/man$i; done
    • cd ../dnssec
    • install *.8 /usr/man/man8
  7. Update your library resolutions:
    • ldconfig -v
  8. Create the Bind user and group
    • groupadd named
    • useradd -d /var/named -g named -s /bin/false named
  9. Adjust the group/perms on /var/run
    • vigr (add named to the 'daemon' group)
    • chown root:daemon /var/run
    • chmod 775 /var/run
  10. Create the Bind rundir
    • mkdir -p /var/named/pz
    • chown -R named:named /var/named
    • chmod -R 755 /var/named
  11. Create a script to maintain the root.hints file
    • cat << "EOF" > update_named
    #!/bin/sh
    cd /var/named
    wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /var/named/db.root
    # only swap the file in if the download produced a non-empty file
    if [ -s /var/named/db.root ] ; then
        chown named:named /var/named/db.root
        # stop/start named through its init script (the article assumes /etc/rc.d/named)
        /etc/rc.d/named stop
        mv /var/named/root.hints /var/named/root.hints.old
        mv /var/named/db.root /var/named/root.hints
        /etc/rc.d/named start
    fi
    EOF
  12. Make the script executable, and execute it (Bind will probably fail, but your root.hints file will get updated like we wanted)
    • chmod 700 update_named
    • ./update_named
  13. Move the script to your monthly cron directory
    • mv update_named /etc/cron.monthly
  14. Create /var/named/pz/127.0.0 as below:
  15. Contents of /var/named/pz/127.0.0:
    $TTL 1D
    
    @           1D IN SOA   localhost. root.localhost. (
                        42      ; serial (d. adams)
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )        ; minimum
    
                1D IN NS    localhost.
    1           1D IN PTR   localhost.
    
    
  16. Create /var/named/pz/192.168.1 as a symlink to the 127.0.0 zone file (the link target is relative to /var/named/pz)
    • ln -s 127.0.0 /var/named/pz/192.168.1
  17. Create /etc/resolv.conf
    • echo "nameserver 127.0.0.1" > /etc/resolv.conf
  18. Create your rndc password (we'll use "hush" for ours)
    • mmencode (this command is part of the metamail package)
    • hush
    • aHVz (mmencode returns this)
    • ^C
  19. Create /etc/rndc.conf
  20. Contents of /etc/rndc.conf:
            // this file is used by the rndc utility
            options {
            // what host should rndc attempt to control by default
                default-server localhost;
            // and what key should it use to communicate with named
                default-key "rndc-key";
            };
    
            server localhost {
            // always use this key with this host
                key "rndc-key";
            };
    
            key "rndc-key" {
            // how was the key encoded
                algorithm hmac-md5;
            // what's the password
                secret "aHVz";
            };
    
            // secret was generated by running mmencode on command line
            // and then entering a secret phrase
        
    
  21. Create /etc/rndc.key
  22. Contents of /etc/rndc.key:
            // this file is used when named starts up and sees that
            // there is a key assigned to the control channel
            key "rndc-key" {
            // how was the key encoded
                algorithm hmac-md5;
            // what's the password
                secret "aHVz" ;
            };
        
    
  23. And finally, create /etc/named.conf as below
  24. Contents of /etc/named.conf:
            // This is a configuration file for named (from BIND 9.0 or later).
            // It would normally be installed as /etc/named.conf.
            //
            // Changed to match secure example from LASG 5/17/00
            // Changed to match Linux Journal example 9/17/00
            // Added new "view' sections to stop fingerprinting of Bind 9.x per
            // Bugtraq 1/31/00
            // Added rndc key stuff per DNS & Bind (Rev. 4) Chapter 11
            // added use-id-pool and more comments based on above chapter
    
                 options {
                // Directory where bind should create files if
                // not explicitly stated
                directory "/var/named";
    
                // whom do we allow to do zone transfers
                allow-transfer { 192.168.1.0/24; };
    
                // new in Bind 9.x to allow RFC1886 -> RFC2874 conversion
                // to support IPv6
                // allow-v6-synthesis { 192.168.1.10; };
                // OBSOLETED in 9.3.0 + !!
    
                // tell Bind to check the names in zone files
                // since it no longer does this by default
                // (unimplemented 9.3.0+)
                check-names master warn;
    
                // sets the size of something or other to 20Mb ;)
                datasize 20M;
    
                // sets the size of the journal to 5Mb
                max-journal-size 5M;
    
                // Bind 9.x doesn't recognize this yet :(
                // deallocate-on-exit no;
    
                // where should Bind put a dump of its cache
                // if told to dump it
                dump-file "named_dump.db";
    
                // how often should bind check for new
                // interfaces to listen on. we turn
                // this off by setting it to 0
                interface-interval 0;
    
                // specify what interfaces/ips to listen on
                // as the default is all of them
                listen-on { 192.168.1.10; 127.0.0.1; };
    
                // define a maximum size of cached records
                // new in Bind 9.x
                max-cache-size 20M;
    
                // where to write stats of memory usage
                // Bind 9.x doesn't recognize this yet :(
                memstatistics-file "named.memstats";
    
                // where to put our pid file
                // absolute path since we don't want
                // it in /var/named
                pid-file "/var/run/named.pid";
    
                // force Bind to use port 53 for its
                // network operation to other DNS
                // servers (Bind 9 uses high ports
                // by default). Makes firewalling easier
                query-source address * port 53;
                transfer-source * port 53;
                notify-source * port 53;
    
                // where to dump Bind server stats
                statistics-file "named.stats";
    
                // force Bind to be "more" random in assigning
                // message ids
                use-id-pool yes;
    
                // If the chaos view below doesn't work
                // for some reason, still give out a bogus
                // answer for Bind version requests
                version "This is not the port you're looking for.";
    
                // keep stats on a zone basis
                zone-statistics yes;
                 };
    
                 controls { 
                // this allows rndc to be used from the localhost
                // to talk to bind on the loopback interface
                // using the key defined as 'rndc-key'
                inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
                 };
    
                 // the rest of the key configuration is in
                 // /etc/rndc.conf and the key itself is in
                 // /etc/rndc.key
                 key "rndc-key" {
                // how was key encoded
                algorithm hmac-md5;
                // what is the pass-phrase for the key
                secret "aHVz" ;
                 };
    
                 logging {
                channel named_info {
                    // log to syslog instead of a file
                    syslog;
                    // include the category of the event in the log
                    print-category yes;
                    // include the severity of the event in the log
                    print-severity yes;
                    // include the time of the event in the log
                    print-time yes;
                };
    
                // Processing of client requests
                category client { named_info; };
    
                // named.conf parsing and processing
                category config { named_info; };
    
                // Messages relating to internal memory structures
                category database { named_info; };
    
                // This is the default for any category not specifically defined
                category default { named_info; };
    
                // The catch-all. Anything without a category of its own
                category general { named_info; };
    
                // Uncomment if you don't want to know about lame servers.
                // Leave commented and it defaults to the
                // value of default above
                // category lame-servers { null; };
    
                // The NOTIFY protocol
                category notify { named_info; };
    
                // Network operations
                category network { named_info; };
    
                // DNS resolution like recursive lookups, etc..
                category resolver { named_info; };
    
                // Approval and denial of requests
                category security { named_info; };
    
                // Dynamic updates
                category update { named_info; };
    
                // Queries. Duh.
                category queries { named_info; };
    
                // Zone transfers received
                category xfer-in { named_info; };
    
                // Zone transfers sent
                category xfer-out { named_info; };
                };
    
                // this is where we define different versions
                // of our zones based on where the client is
                // coming from.
                // the first view that matches a client is
                // the one that gets used, so order can be
                // important
                view "external-chaos" chaos {
                    // you could use 'any' or even 'localnets' here
                    // instead of specifying each IP range
                    // however, it should be noted that 'localnets'
                    // means ANY network Bind is directly connected
                    // to which might include your ISP
                    match-clients { 192.168.1.0/24; 127/8; };
                    recursion no;
                    zone "." {
                        type hint;
                        // this causes a null response to queries
                        // about the Bind version
                        file "/dev/null";
                    };
                };
        
                view "external" {
                    // you could use 'any' or even 'localnets' here
                    // instead of specifying each IP range
                    // however, it should be noted that 'localnets'
                    // means ANY network Bind is directly connected
                    // to which might include your ISP
                    match-clients { 192.168.1.0/24; 127/8; };
                    zone "." {
                        type hint;
                        file "root.hints";
                    };
                };
        
                view "external-127" {
                    // you could use 'any' or even 'localnets' here
                    // instead of specifying each IP range
                    // however, it should be noted that 'localnets'
                    // means ANY network Bind is directly connected
                    // to which might include your ISP
                    match-clients { 192.168.1.0/24; 127/8; };
                    zone "0.0.127.in-addr.arpa" {
                        type master;
                        file "pz/127.0.0";
                        allow-update {
                            none;
                        };
                    };
                };
        
                view "external-192" {
                    // you could use 'any' or even 'localnets' here
                    // instead of specifying each IP range
                    // however, it should be noted that 'localnets'
                    // means ANY network Bind is directly connected
                    // to which might include your ISP
                    match-clients { 192.168.1.0/24; 127/8; };
                    zone "1.168.192.in-addr.arpa" {
                        type master;
                        file "pz/192.168.1";
                        allow-update {
                            none;
                        };
                    };
                };
        
    
  25. The only thing left to do is start Bind:
    • /usr/sbin/named -u named

Congrats! You now have a fairly secure, caching name server that can be controlled using rndc!

Enjoy your new Bind server!
