15.2. BIND
BIND
(Berkeley Internet Name Domain), the DNS
server included in Red Hat Enterprise Linux. It focuses on the structure of its configuration files, and describes how to administer it both locally and remotely.
15.2.1. Empty Zones
BIND
configures a number of “empty zones” to prevent recursive servers from sending unnecessary queries to Internet servers that cannot handle them (thus creating delays and SERVFAIL responses to clients who query for them). These empty zones ensure that immediate and authoritative NXDOMAIN responses are returned instead. The configuration option empty-zones-enable
controls whether or not empty zones are created, whilst the option disable-empty-zone
can be used in addition to disable one or more empty zones from the list of default prefixes that would be used.
15.2.2. Configuring the named Service
named
service is started, it reads the configuration from the files as described in Table 15.1, “The named Service Configuration Files”.
Path | Description |
---|---|
/etc/named.conf | The main configuration file. |
/etc/named/ | An auxiliary directory for configuration files that are included in the main configuration file. |
{
and }
). Note that when editing the file, you have to be careful not to make any syntax error, otherwise the named
service will not start. A typical /etc/named.conf
file is organized as follows:
statement-1 ["statement-1-name"] [statement-1-class] { option-1; option-2; option-N; }; statement-2 ["statement-2-name"] [statement-2-class] { option-1; option-2; option-N; }; statement-N ["statement-N-name"] [statement-N-class] { option-1; option-2; option-N; };
Note
chroot
environment. In that case, the initialization script will mount the above configuration files using the mount --bind
command, so that you can manage the configuration outside this environment. There is no need to copy anything into the /var/named/chroot/
directory because it is mounted automatically. This simplifies maintenance since you do not need to take any special care of BIND
configuration files if it is run in a chroot
environment. You can organize everything as you would with BIND
not running in a chroot
environment.
/var/named/chroot/
directory if the corresponding mount point directories underneath /var/named/chroot/
are empty:
/etc/named
/etc/pki/dnssec-keys
/run/named
/var/named
/usr/lib64/bind
or/usr/lib/bind
(architecture dependent).
/var/named/chroot/
:
/etc/named.conf
/etc/rndc.conf
/etc/rndc.key
/etc/named.rfc1912.zones
/etc/named.dnssec.keys
/etc/named.iscdlv.key
/etc/named.root.key
Important
chroot
environment requires creating a backup copy and then editing the original file. Alternatively, use an editor with “edit-a-copy” mode disabled. For example, to edit the BIND's configuration file, /etc/named.conf
, with Vim while it is running in a chroot
environment, issue the following command as root
:
~]# vim -c "set backupcopy=yes" /etc/named.conf
15.2.2.1. Installing BIND in a chroot Environment
chroot
environment, issue the following command as root
:
~]# yum install bind-chroot
named-chroot
service, first check if the named
service is running by issuing the following command:
~]$ systemctl status named
If it is running, it must be disabled.
named
, issue the following commands as root
:
~]# systemctl stop named
~]# systemctl disable named
Then, to enable the named-chroot
service, issue the following commands as root
:
~]# systemctl enable named-chroot
~]# systemctl start named-chroot
named-chroot
service, issue the following command as root
:
~]# systemctl status named-chroot
15.2.2.2. Common Statement Types
/etc/named.conf
:
-
acl
- The
acl
(Access Control List) statement allows you to define groups of hosts, so that they can be permitted or denied access to the nameserver. It takes the following form:acl acl-name { match-element; ... };
The acl-name statement name is the name of the access control list, and the match-element option is usually an individualIP
address (such as10.0.1.1
) or a Classless Inter-Domain Routing (CIDR) network notation (for example,10.0.1.0/24
). For a list of already defined keywords, see Table 15.2, “Predefined Access Control Lists”.Table 15.2. Predefined Access Control Lists Keyword Description any
Matches every IP
address.localhost
Matches any IP
address that is in use by the local system.localnets
Matches any IP
address on any network to which the local system is connected.none
Does not match any IP
address.Theacl
statement can be especially useful in conjunction with other statements such asoptions
. Example 15.2, “Using acl in Conjunction with Options” defines two access control lists,black-hats
andred-hats
, and addsblack-hats
on the blacklist while grantingred-hats
normal access.Example 15.2. Using acl in Conjunction with Options
acl black-hats { 10.0.2.0/24; 192.168.0.0/24; 1234:5678::9abc/24; }; acl red-hats { 10.0.1.0/24; }; options { blackhole { black-hats; }; allow-query { red-hats; }; allow-query-cache { red-hats; }; };
-
include
- The
include
statement allows you to include files in the/etc/named.conf
, so that potentially sensitive data can be placed in a separate file with restricted permissions. It takes the following form:include "file-name"
The file-name statement name is an absolute path to a file.Example 15.3. Including a File to /etc/named.conf
include "/etc/named.rfc1912.zones";
-
options
- The
options
statement allows you to define global server configuration options as well as to set defaults for other statements. It can be used to specify the location of thenamed
working directory, the types of queries allowed, and much more. It takes the following form:options { option; ... };
For a list of frequently used option directives, see Table 15.3, “Commonly Used Configuration Options” below.Table 15.3. Commonly Used Configuration Options Option Description allow-query
Specifies which hosts are allowed to query the nameserver for authoritative resource records. It accepts an access control list, a collection of IP
addresses, or networks in the CIDR notation. All hosts are allowed by default.allow-query-cache
Specifies which hosts are allowed to query the nameserver for non-authoritative data such as recursive queries. Only localhost
andlocalnets
are allowed by default.blackhole
Specifies which hosts are not allowed to query the nameserver. This option should be used when a particular host or network floods the server with requests. The default option is none
.directory
Specifies a working directory for the named
service. The default option is/var/named/
.disable-empty-zone
Used to disable one or more empty zones from the list of default prefixes that would be used. Can be specified in the options statement and also in view statements. It can be used multiple times. dnssec-enable
Specifies whether to return DNSSEC related resource records. The default option is yes
.dnssec-validation
Specifies whether to prove that resource records are authentic through DNSSEC. The default option is yes
.empty-zones-enable
Controls whether or not empty zones are created. Can be specified only in the options statement. forwarders
Specifies a list of valid IP
addresses for nameservers to which the requests should be forwarded for resolution.forward
Specifies the behavior of theforwarders
directive. It accepts the following options:first
— The server will query the nameservers listed in theforwarders
directive before attempting to resolve the name on its own.only
— When unable to query the nameservers listed in theforwarders
directive, the server will not attempt to resolve the name on its own.
listen-on
Specifies the IPv4
network interface on which to listen for queries. On aDNS
server that also acts as a gateway, you can use this option to answer queries originating from a single network only. AllIPv4
interfaces are used by default.listen-on-v6
Specifies the IPv6
network interface on which to listen for queries. On aDNS
server that also acts as a gateway, you can use this option to answer queries originating from a single network only. AllIPv6
interfaces are used by default.max-cache-size
Specifies the maximum amount of memory to be used for server caches. When the limit is reached, the server causes records to expire prematurely so that the limit is not exceeded. In a server with multiple views, the limit applies separately to the cache of each view. The default option is 32M
.notify
Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options:yes
— The server will notify all secondary nameservers.no
— The server will not notify any secondary nameserver.master-only
— The server will notify primary server for the zone only.explicit
— The server will notify only the secondary servers that are specified in thealso-notify
list within a zone statement.
pid-file
Specifies the location of the process ID file created by the named
service.recursion
Specifies whether to act as a recursive server. The default option is yes
.statistics-file
Specifies an alternate location for statistics files. The /var/named/named.stats
file is used by default.Note
The directory used bynamed
for runtime data has been moved from the BIND default location,/var/run/named/
, to a new location/run/named/
. As a result, the PID file has been moved from the default location/var/run/named/named.pid
to the new location/run/named/named.pid
. In addition, the session-key file has been moved to/run/named/session.key
. These locations need to be specified by statements in the options section. See Example 15.4, “Using the options Statement”.Important
To prevent distributed denial of service (DDoS) attacks, it is recommended that you use theallow-query-cache
option to restrict recursiveDNS
services for a particular subset of clients only.See the BIND 9 Administrator Reference Manual referenced in Section 15.2.8.1, “Installed Documentation”, and thenamed.conf
manual page for a complete list of available options.Example 15.4. Using the options Statement
options { allow-query { localhost; }; listen-on port 53 { 127.0.0.1; }; listen-on-v6 port 53 { ::1; }; max-cache-size 256M; directory "/var/named"; statistics-file "/var/named/data/named_stats.txt"; recursion yes; dnssec-enable yes; dnssec-validation yes; pid-file "/run/named/named.pid"; session-keyfile "/run/named/session.key"; };
-
zone
- The
zone
statement allows you to define the characteristics of a zone, such as the location of its configuration file and zone-specific options, and can be used to override the globaloptions
statements. It takes the following form:zone zone-name [zone-class] { option; ... };
The zone-name attribute is the name of the zone, zone-class is the optional class of the zone, and option is azone
statement option as described in Table 15.4, “Commonly Used Options in Zone Statements”.The zone-name attribute is particularly important, as it is the default value assigned for the$ORIGIN
directive used within the corresponding zone file located in the/var/named/
directory. Thenamed
daemon appends the name of the zone to any non-fully qualified domain name listed in the zone file. For example, if azone
statement defines the namespace forexample.com
, useexample.com
as the zone-name so that it is placed at the end of host names within theexample.com
zone file.For more information about zone files, see Section 15.2.3, “Editing Zone Files”.Table 15.4. Commonly Used Options in Zone Statements Option Description allow-query
Specifies which clients are allowed to request information about this zone. This option overrides global allow-query
option. All query requests are allowed by default.allow-transfer
Specifies which secondary servers are allowed to request a transfer of the zone's information. All transfer requests are allowed by default. allow-update
Specifies which hosts are allowed to dynamically update information in their zone. The default option is to deny all dynamic update requests.Note that you should be careful when allowing hosts to update information about their zone. Do not setIP
addresses in this option unless the server is in the trusted network. Instead, use TSIG key as described in Section 15.2.6.3, “Transaction SIGnatures (TSIG)”.file
Specifies the name of the file in the named
working directory that contains the zone's configuration data.masters
Specifies from which IP
addresses to request authoritative zone information. This option is used only if the zone is defined astype
slave
.notify
Specifies whether to notify the secondary nameservers when a zone is updated. It accepts the following options:yes
— The server will notify all secondary nameservers.no
— The server will not notify any secondary nameserver.master-only
— The server will notify primary server for the zone only.explicit
— The server will notify only the secondary servers that are specified in thealso-notify
list within a zone statement.
type
Specifies the zone type. It accepts the following options:delegation-only
— Enforces the delegation status of infrastructure zones such as COM, NET, or ORG. Any answer that is received without an explicit or implicit delegation is treated asNXDOMAIN
. This option is only applicable in TLDs (Top-Level Domain) or root zone files used in recursive or caching implementations.forward
— Forwards all requests for information about this zone to other nameservers.hint
— A special type of zone used to point to the root nameservers which resolve queries when a zone is not otherwise known. No configuration beyond the default is necessary with ahint
zone.master
— Designates the nameserver as authoritative for this zone. A zone should be set as themaster
if the zone's configuration files reside on the system.slave
— Designates the nameserver as a secondary server for this zone. Primary server is specified in themasters
directive.
Most changes to the/etc/named.conf
file of a primary or secondary nameserver involve adding, modifying, or deletingzone
statements, and only a small subset ofzone
statement options is usually needed for a nameserver to work efficiently.In Example 15.5, “A Zone Statement for a Primary nameserver”, the zone is identified asexample.com
, the type is set tomaster
, and thenamed
service is instructed to read the/var/named/example.com.zone
file. It also allows only a secondary nameserver (192.168.0.2
) to transfer the zone.Example 15.5. A Zone Statement for a Primary nameserver
zone "example.com" IN { type master; file "example.com.zone"; allow-transfer { 192.168.0.2; }; };
A secondary server'szone
statement is slightly different. The type is set toslave
, and themasters
directive is tellingnamed
theIP
address of the primary server.In Example 15.6, “A Zone Statement for a Secondary nameserver”, thenamed
service is configured to query the primary server at the192.168.0.1
IP
address for information about theexample.com
zone. The received information is then saved to the/var/named/slaves/example.com.zone
file. Note that you have to put all secondary zones in the/var/named/slaves/
directory, otherwise the service will fail to transfer the zone.Example 15.6. A Zone Statement for a Secondary nameserver
zone "example.com" { type slave; file "slaves/example.com.zone"; masters { 192.168.0.1; }; };
15.2.2.3. Other Statement Types
/etc/named.conf
:
-
controls
- The
controls
statement allows you to configure various security requirements necessary to use therndc
command to administer thenamed
service.See Section 15.2.4, “Using the rndc Utility” for more information on therndc
utility and its usage. -
key
- The
key
statement allows you to define a particular key by name. Keys are used to authenticate various actions, such as secure updates or the use of therndc
command. Two options are used withkey
:algorithm algorithm-name
— The type of algorithm to be used (for example,hmac-md5
).secret "key-value"
— The encrypted key.
See Section 15.2.4, “Using the rndc Utility” for more information on therndc
utility and its usage. -
logging
- The
logging
statement allows you to use multiple types of logs, so called channels. By using thechannel
option within the statement, you can construct a customized type of log with its own file name (file
), size limit (size
), version number (version
), and level of importance (severity
). Once a customized channel is defined, acategory
option is used to categorize the channel and begin logging when thenamed
service is restarted.By default,named
sends standard messages to thersyslog
daemon, which places them in/var/log/messages
. Several standard channels are built into BIND with various severity levels, such asdefault_syslog
(which handles informational logging messages) anddefault_debug
(which specifically handles debugging messages). A default category, calleddefault
, uses the built-in channels to do normal logging without any special configuration.Customizing the logging process can be a very detailed process and is beyond the scope of this chapter. For information on creating custom BIND logs, see the BIND 9 Administrator Reference Manual referenced in Section 15.2.8.1, “Installed Documentation”. -
server
- The
server
statement allows you to specify options that affect how thenamed
service should respond to remote nameservers, especially with regard to notifications and zone transfers.Thetransfer-format
option controls the number of resource records that are sent with each message. It can be eitherone-answer
(only one resource record), ormany-answers
(multiple resource records). Note that while themany-answers
option is more efficient, it is not supported by older versions of BIND. -
trusted-keys
- The
trusted-keys
statement allows you to specify assorted public keys used for secureDNS
(DNSSEC). See Section 15.2.6.4, “DNS Security Extensions (DNSSEC)” for more information on this topic. -
view
- The
view
statement allows you to create special views depending upon which network the host querying the nameserver is on. This allows some hosts to receive one answer regarding a zone while other hosts receive totally different information. Alternatively, certain zones may only be made available to particular trusted hosts while non-trusted hosts can only make queries for other zones.Multiple views can be used as long as their names are unique. Thematch-clients
option allows you to specify theIP
addresses that apply to a particular view. If theoptions
statement is used within a view, it overrides the already configured global options. Finally, mostview
statements contain multiplezone
statements that apply to thematch-clients
list.Note that the order in which theview
statements are listed is important, as the first statement that matches a particular client'sIP
address is used. For more information on this topic, see Section 15.2.6.1, “Multiple Views”.
15.2.2.4. Comment Tags
/etc/named.conf
file can also contain comments. Comments are ignored by the named
service, but can prove useful when providing additional information to a user. The following are valid comment tags:
-
//
- Any text after the
//
characters to the end of the line is considered a comment. For example:notify yes; // notify all secondary nameservers
-
#
- Any text after the
#
character to the end of the line is considered a comment. For example:notify yes; # notify all secondary nameservers
/*
and*/
- Any block of text enclosed in
/*
and*/
is considered a comment. For example:notify yes; /* notify all secondary nameservers */
15.2.3. Editing Zone Files
named
working directory located in /var/named/
by default. Each zone file is named according to the file
option in the zone
statement, usually in a way that relates to the domain in and identifies the file as containing zone data, such as example.com.zone
.
Path | Description |
---|---|
/var/named/ | The working directory for the named service. The nameserver is not allowed to write to this directory. |
/var/named/slaves/ | The directory for secondary zones. This directory is writable by the named service. |
/var/named/dynamic/ | The directory for other files, such as dynamic DNS (DDNS) zones or managed DNSSEC keys. This directory is writable by the named service. |
/var/named/data/ | The directory for various statistics and debugging files. This directory is writable by the named service. |
15.2.3.1. Common Directives
$
) followed by the name of the directive, and usually appear at the top of the file. The following directives are commonly used in zone files:
-
$INCLUDE
- The
$INCLUDE
directive allows you to include another file at the place where it appears, so that other zone settings can be stored in a separate zone file.Example 15.7. Using the $INCLUDE Directive
$INCLUDE /var/named/penguin.example.com
-
$ORIGIN
- The
$ORIGIN
directive allows you to append the domain name to unqualified records, such as those with the host name only. Note that the use of this directive is not necessary if the zone is specified in/etc/named.conf
, since the zone name is used by default.In Example 15.8, “Using the $ORIGIN Directive”, any names used in resource records that do not end in a trailing period (the.
character) are appended withexample.com
.Example 15.8. Using the $ORIGIN Directive
$ORIGIN example.com.
-
$TTL
- The
$TTL
directive allows you to set the default Time to Live (TTL) value for the zone, that is, how long is a zone record valid. Each resource record can contain its own TTL value, which overrides this directive.Increasing this value allows remote nameservers to cache the zone information for a longer period of time, reducing the number of queries for the zone and lengthening the amount of time required to propagate resource record changes.Example 15.9. Using the $TTL Directive
$TTL 1D
15.2.3.2. Common Resource Records
-
A
- The Address record specifies an
IP
address to be assigned to a name. It takes the following form:hostname IN A IP-address
If the hostname value is omitted, the record will point to the last specified hostname.In Example 15.10, “Using the A Resource Record”, the requests forserver1.example.com
are pointed to10.0.1.3
or10.0.1.5
.Example 15.10. Using the A Resource Record
server1 IN A 10.0.1.3 IN A 10.0.1.5
-
CNAME
- The Canonical Name record maps one name to another. Because of this, this type of record is sometimes referred to as an alias record. It takes the following form:
alias-name IN CNAME real-name
CNAME
records are most commonly used to point to services that use a common naming scheme, such aswww
for Web servers. However, there are multiple restrictions for their usage:- CNAME records should not point to other CNAME records. This is mainly to avoid possible infinite loops.
- CNAME records should not contain other resource record types (such as A, NS, MX, and so on). The only exception are DNSSEC related records (RRSIG, NSEC, and so on) when the zone is signed.
- Other resource records that point to the fully qualified domain name (FQDN) of a host (NS, MX, PTR) should not point to a CNAME record.
In Example 15.11, “Using the CNAME Resource Record”, theA
record binds a host name to anIP
address, while theCNAME
record points the commonly usedwww
host name to it.Example 15.11. Using the CNAME Resource Record
server1 IN A 10.0.1.5 www IN CNAME server1
-
MX
- The Mail Exchange record specifies where the mail sent to a particular namespace controlled by this zone should go. It takes the following form:
IN MX preference-value email-server-name
The email-server-name is a fully qualified domain name (FQDN). The preference-value allows numerical ranking of the email servers for a namespace, giving preference to some email systems over others. TheMX
resource record with the lowest preference-value is preferred over the others. However, multiple email servers can possess the same value to distribute email traffic evenly among them.In Example 15.12, “Using the MX Resource Record”, the firstmail.example.com
email server is preferred to themail2.example.com
email server when receiving email destined for theexample.com
domain.Example 15.12. Using the MX Resource Record
example.com. IN MX 10 mail.example.com. IN MX 20 mail2.example.com.
-
NS
- The Nameserver record announces authoritative nameservers for a particular zone. It takes the following form:
IN NS nameserver-name
The nameserver-name should be a fully qualified domain name (FQDN). Note that when two nameservers are listed as authoritative for the domain, it is not important whether these nameservers are secondary nameservers, or if one of them is a primary server. They are both still considered authoritative.Example 15.13. Using the NS Resource Record
IN NS dns1.example.com. IN NS dns2.example.com.
-
PTR
- The Pointer record points to another part of the namespace. It takes the following form:
last-IP-digit IN PTR FQDN-of-system
The last-IP-digit directive is the last number in anIP
address, and the FQDN-of-system is a fully qualified domain name (FQDN).PTR
records are primarily used for reverse name resolution, as they pointIP
addresses back to a particular name. See Section 15.2.3.4.2, “A Reverse Name Resolution Zone File” for examples ofPTR
records in use. -
SOA
- The Start of Authority record announces important authoritative information about a namespace to the nameserver. Located after the directives, it is the first resource record in a zone file. It takes the following form:
@ IN SOA primary-name-server hostmaster-email ( serial-number time-to-refresh time-to-retry time-to-expire minimum-TTL )
The directives are as follows:- The
@
symbol places the$ORIGIN
directive (or the zone's name if the$ORIGIN
directive is not set) as the namespace being defined by thisSOA
resource record. - The primary-name-server directive is the host name of the primary nameserver that is authoritative for this domain.
- The hostmaster-email directive is the email of the person to contact about the namespace.
- The serial-number directive is a numerical value incremented every time the zone file is altered to indicate it is time for the
named
service to reload the zone. - The time-to-refresh directive is the numerical value secondary nameservers use to determine how long to wait before asking the primary nameserver if any changes have been made to the zone.
- The time-to-retry directive is a numerical value used by secondary nameservers to determine the length of time to wait before issuing a refresh request in the event that the primary nameserver is not answering. If the primary server has not replied to a refresh request before the amount of time specified in the time-to-expire directive elapses, the secondary servers stop responding as an authority for requests concerning that namespace.
- In BIND 4 and 8, the minimum-TTL directive is the amount of time other nameservers cache the zone's information. In BIND 9, it defines how long negative answers are cached for. Caching of negative answers can be set to a maximum of 3 hours (
3H
).
When configuring BIND, all times are specified in seconds. However, it is possible to use abbreviations when specifying units of time other than seconds, such as minutes (M
), hours (H
), days (D
), and weeks (W
). Table 15.6, “Seconds compared to other time units” shows an amount of time in seconds and the equivalent time in another format.Table 15.6. Seconds compared to other time units Seconds Other Time Units 60 1M
1800 30M
3600 1H
10800 3H
21600 6H
43200 12H
86400 1D
259200 3D
604800 1W
31536000 365D
Example 15.14. Using the SOA Resource Record
@ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day
15.2.3.3. Comment Tags
named
service, but can prove useful when providing additional information to the user. Any text after the semicolon character to the end of the line is considered a comment. For example:
604800 ; expire after 1 week
15.2.3.4. Example Usage
15.2.3.4.1. A Simple Zone File
SOA
values.
Example 15.15. A simple zone file
$ORIGIN example.com. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; ; IN NS dns1.example.com. IN NS dns2.example.com. dns1 IN A 10.0.1.1 IN AAAA aaaa:bbbb::1 dns2 IN A 10.0.1.2 IN AAAA aaaa:bbbb::2 ; ; @ IN MX 10 mail.example.com. IN MX 20 mail2.example.com. mail IN A 10.0.1.5 IN AAAA aaaa:bbbb::5 mail2 IN A 10.0.1.6 IN AAAA aaaa:bbbb::6 ; ; ; This sample zone file illustrates sharing the same IP addresses ; for multiple services: ; services IN A 10.0.1.10 IN AAAA aaaa:bbbb::10 IN A 10.0.1.11 IN AAAA aaaa:bbbb::11 ftp IN CNAME services.example.com. www IN CNAME services.example.com. ; ;
dns1.example.com
and dns2.example.com
, and are tied to the 10.0.1.1
and 10.0.1.2
IP
addresses respectively using the A
record.
MX
records point to mail
and mail2
through A
records. Since these names do not end in a trailing period, the $ORIGIN
domain is placed after them, expanding them to mail.example.com
and mail2.example.com
.
www.example.com
(WWW), are pointed at the appropriate servers using the CNAME
record.
zone
statement in the /etc/named.conf
similar to the following:
zone "example.com" IN { type master; file "example.com.zone"; allow-update { none; }; };
15.2.3.4.2. A Reverse Name Resolution Zone File
IP
address in a particular namespace into a fully qualified domain name (FQDN). It looks very similar to a standard zone file, except that the PTR
resource records are used to link the IP
addresses to a fully qualified domain name as shown in Example 15.16, “A reverse name resolution zone file”.
Example 15.16. A reverse name resolution zone file
$ORIGIN 1.0.10.in-addr.arpa. $TTL 86400 @ IN SOA dns1.example.com. hostmaster.example.com. ( 2001062501 ; serial 21600 ; refresh after 6 hours 3600 ; retry after 1 hour 604800 ; expire after 1 week 86400 ) ; minimum TTL of 1 day ; @ IN NS dns1.example.com. ; 1 IN PTR dns1.example.com. 2 IN PTR dns2.example.com. ; 5 IN PTR server1.example.com. 6 IN PTR server2.example.com. ; 3 IN PTR ftp.example.com. 4 IN PTR ftp.example.com.
IP
addresses 10.0.1.1
through 10.0.1.6
are pointed to the corresponding fully qualified domain name.
zone
statement in the /etc/named.conf
file similar to the following:
zone "1.0.10.in-addr.arpa" IN { type master; file "example.com.rr.zone"; allow-update { none; }; };
zone
statement, except for the zone name. Note that a reverse name resolution zone requires the first three blocks of the IP
address reversed followed by .in-addr.arpa
. This allows the single block of IP
numbers used in the reverse name resolution zone file to be associated with the zone.
15.2.4. Using the rndc Utility
rndc
utility is a command-line tool that allows you to administer the named
service, both locally and from a remote machine. Its usage is as follows:
rndc
[option...] command [command-option]
15.2.4.1. Configuring the Utility
named
must be configured to listen on the selected port (953
by default), and an identical key must be used by both the service and the rndc
utility.
rndc
configuration is located in /etc/rndc.conf
. If the file does not exist, the utility will use the key located in /etc/rndc.key
, which was generated automatically during the installation process using the rndc-confgen -a
command.
named
service is configured using the controls
statement in the /etc/named.conf
configuration file as described in Section 15.2.2.3, “Other Statement Types”. Unless this statement is present, only the connections from the loopback address (127.0.0.1
) will be allowed, and the key located in /etc/rndc.key
will be used.
Important
root
is allowed to read the /etc/rndc.key
file:
~]# chmod o-rwx /etc/rndc.key
15.2.4.2. Checking the Service Status
named
service, use the following command:
~]# rndc status
version: 9.7.0-P2-RedHat-9.7.0-5.P2.el6
CPUs found: 1
worker threads: 1
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
15.2.4.3. Reloading the Configuration and Zones
~]# rndc reload
server reload successful
reload
command, for example:
~]# rndc reload localhost
zone reload up-to-date
~]# rndc reconfig
Note
DNS
(DDNS), make sure you run the freeze
command first:
~]# rndc freeze localhost
thaw
command to allow the DDNS
again and reload the zone:
~]# rndc thaw localhost
The zone reload and thaw was successful.
15.2.4.4. Updating Zone Keys
sign
command. For example:
~]# rndc sign localhost
auto-dnssec
option has to be set to maintain
in the zone statement. For example:
zone "localhost" IN { type master; file "named.localhost"; allow-update { none; }; auto-dnssec maintain; };
15.2.4.5. Enabling the DNSSEC Validation
root
:
~]# rndc validation on
~]# rndc validation off
options
statement described in Section 15.2.2.2, “Common Statement Types” for information on how to configure this option in /etc/named.conf
.
15.2.4.6. Enabling the Query Logging
root
:
~]# rndc querylog
status
command as described in Section 15.2.4.2, “Checking the Service Status”.
15.2.5. Using the dig Utility
dig
utility is a command-line tool that allows you to perform DNS
lookups and debug a nameserver configuration. Its typical usage is as follows:
dig
[@server] [option...] name type
15.2.5.1. Looking Up a Nameserver
dig
name NS
dig
utility is used to display nameservers for example.com
.
Example 15.17. A sample nameserver lookup
~]$ dig example.com NS
; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 57883
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN NS
;; ANSWER SECTION:
example.com. 99374 IN NS a.iana-servers.net.
example.com. 99374 IN NS b.iana-servers.net.
;; Query time: 1 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:04:06 2010
;; MSG SIZE rcvd: 77
15.2.5.2. Looking Up an IP Address
IP
address assigned to a particular domain, use the command in the following form:
dig
name A
dig
utility is used to display the IP
address of example.com
.
Example 15.18. A sample IP address lookup
~]$ dig example.com A
; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> example.com A
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4849
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 0
;; QUESTION SECTION:
;example.com. IN A
;; ANSWER SECTION:
example.com. 155606 IN A 192.0.32.10
;; AUTHORITY SECTION:
example.com. 99175 IN NS a.iana-servers.net.
example.com. 99175 IN NS b.iana-servers.net.
;; Query time: 1 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:07:25 2010
;; MSG SIZE rcvd: 93
15.2.5.3. Looking Up a Host Name
IP
address, use the command in the following form:
dig
-x
address
dig
utility is used to display the host name assigned to 192.0.32.10
.
Example 15.19. A Sample Host Name Lookup
~]$ dig -x 192.0.32.10
; <<>> DiG 9.7.1-P2-RedHat-9.7.1-2.P2.fc13 <<>> -x 192.0.32.10
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 29683
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 5, ADDITIONAL: 6
;; QUESTION SECTION:
;10.32.0.192.in-addr.arpa. IN PTR
;; ANSWER SECTION:
10.32.0.192.in-addr.arpa. 21600 IN PTR www.example.com.
;; AUTHORITY SECTION:
32.0.192.in-addr.arpa. 21600 IN NS b.iana-servers.org.
32.0.192.in-addr.arpa. 21600 IN NS c.iana-servers.net.
32.0.192.in-addr.arpa. 21600 IN NS d.iana-servers.net.
32.0.192.in-addr.arpa. 21600 IN NS ns.icann.org.
32.0.192.in-addr.arpa. 21600 IN NS a.iana-servers.net.
;; ADDITIONAL SECTION:
a.iana-servers.net. 13688 IN A 192.0.34.43
b.iana-servers.org. 5844 IN A 193.0.0.236
b.iana-servers.org. 5844 IN AAAA 2001:610:240:2::c100:ec
c.iana-servers.net. 12173 IN A 139.91.1.10
c.iana-servers.net. 12173 IN AAAA 2001:648:2c30::1:10
ns.icann.org. 12884 IN A 192.0.34.126
;; Query time: 156 msec
;; SERVER: 10.34.255.7#53(10.34.255.7)
;; WHEN: Wed Aug 18 18:25:15 2010
;; MSG SIZE rcvd: 310
15.2.6. Advanced Features of BIND
named
service to provide name resolution services or to act as an authority for a particular domain. However, BIND version 9 has a number of advanced features that allow for a more secure and efficient DNS
service.
Important
15.2.6.1. Multiple Views
DNS
entries from clients outside of the local network, while allowing queries from clients inside the local network.
view
statement to the /etc/named.conf
configuration file. Use the match-clients
option to match IP
addresses or entire networks and give them special options and zone data.
15.2.6.2. Incremental Zone Transfers (IXFR)
15.2.6.3. Transaction SIGnatures (TSIG)
IP
address-based method of transfer authorization, since attackers would not only need to have access to the IP
address to transfer the zone, but they would also need to know the secret key.
Important
IP
address-based authentication only.
15.2.6.4. DNS Security Extensions (DNSSEC)
DNS
data, authenticated denial of existence, and data integrity. When a particular domain is marked as secure, the SERVFAIL
response is returned for each resource record that fails the validation.
dig
utility as described in Section 15.2.5, “Using the dig Utility”. Useful options are +dnssec
(requests DNSSEC-related resource records by setting the DNSSEC OK bit), +cd
(tells recursive nameserver not to validate the response), and +bufsize=512
(changes the packet size to 512B to get through some firewalls).
15.2.6.5. Internet Protocol version 6 (IPv6)
AAAA
resource records, and the listen-on-v6
directive as described in Table 15.3, “Commonly Used Configuration Options”.
15.2.7. Common Mistakes to Avoid
- Use semicolons and curly brackets correctly
- An omitted semicolon or unmatched curly bracket in the
/etc/named.conf
file can prevent thenamed
service from starting. - Use period (the
.
character) correctly - In zone files, a period at the end of a domain name denotes a fully qualified domain name. If omitted, the
named
service will append the name of the zone or the value of$ORIGIN
to complete it. - Increment the serial number when editing a zone file
- If the serial number is not incremented, the primary nameserver will have the correct, new information, but the secondary nameservers will never be notified of the change, and will not attempt to refresh their data of that zone.
- Configure the firewall
- If a firewall is blocking connections from the
named
service to other nameservers, the recommended practice is to change the firewall settings.Warning
Using a fixedUDP
source port forDNS
queries is a potential security vulnerability that could allow an attacker to conduct cache-poisoning attacks more easily. To prevent this, by defaultDNS
sends from a random ephemeral port. Configure your firewall to allow outgoing queries from a randomUDP
source port. The range1024
to65535
is used by default.
15.2.8. Additional Resources
15.2.8.1. Installed Documentation
-
/usr/share/doc/bind-version/
- The main directory containing the most recent documentation. The directory contains the BIND 9 Administrator Reference Manual in HTML and PDF formats, which details BIND resource requirements, how to configure different types of nameservers, how to perform load balancing, and other advanced topics.
-
/usr/share/doc/bind-version/sample/etc/
- The directory containing examples of
named
configuration files.
-
rndc(8)
- The manual page for the
rndc
name server control utility, containing documentation on its usage. -
named(8)
- The manual page for the Internet domain name server
named
, containing documentation on assorted arguments that can be used to control the BIND nameserver daemon. -
lwresd(8)
- The manual page for the lightweight resolver daemon
lwresd
, containing documentation on the daemon and its usage. -
named.conf(5)
- The manual page with a comprehensive list of options available within the
named
configuration file. -
rndc.conf(5)
- The manual page with a comprehensive list of options available within the
rndc
configuration file.
15.2.8.2. Online Resources
- https://access.redhat.com/site/articles/770133
- A Red Hat Knowledgebase article about running BIND in a
chroot
environment, including the differences compared to Red Hat Enterprise Linux 6. - https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/7/html/Security_Guide/
- The Red Hat Enterprise Linux 7 Security Guide has a comprehensive section on DNSSEC.
- https://www.icann.org/namecollision
- The ICANN FAQ on domain name collision.