How to setup a DNS server master - slave with BIND
Written by Guillermo Garron
Date: 2010-12-29 10:36:30 00:00
How to setup a DNS server master / slave BIND
The Domain Name System (DNS) is probably one of the Internet services least known to the average user, yet also one of the most used by everybody.
The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.
The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them.
-Wikipedia
There are many DNS servers, but BIND is probably the most widely used one. I will not argue whether it is the best or whether there are better ones; it is enough that it is one of the most used.
BIND (pronounced /ˈbaɪnd/), or named (/ˈneɪmdiː/), was as of 2004 the most commonly used Domain Name System (DNS) server on the Internet, and still proclaims itself to be so. On Unix-like operating systems it is the de facto standard.
Originally written by four graduate students at the Computer Systems Research Group at the University of California, Berkeley (UCB), the name originates as an acronym from Berkeley Internet Name Domain.
A new version of BIND (BIND 9) was written by the ISC from scratch in part to address the architectural difficulties with auditing the earlier BIND code bases, and also to support DNSSEC (DNS Security Extensions). Other important features of BIND 9 include: TSIG, DNS notify, nsupdate, IPv6, rndc flush (remote name daemon control), views, multiprocessor support, and an improved portability architecture. rndc uses a shared secret to provide encryption for local and remote terminals during each session.
–Wikipedia
Installation
The installation varies by Linux distribution: some package it as bind, others as named, but it is certainly in your software repository. This tutorial covers Debian, Arch Linux and Slackware; Ubuntu and other Debian derivatives are covered by the Debian instructions.
Let's keep an alphabetical order for the distributions covered here:
Arch Linux
pacman -Syu bind dnsutils
Debian and Ubuntu
apt-get update && apt-get install bind9 dnsutils
Slackware
slackpkg update && slackpkg install bind
Configure a master zone on BIND
The file to edit to configure master and slave zones is named.conf.
It is not in the same place on every distribution, so here are the locations:
- Arch Linux:
/etc/named.conf
- Debian:
/etc/bind/named.conf
- Slackware:
/etc/named.conf
Note: save a copy of every file before you edit it, in case something goes wrong.
The first thing to check is where your zone files are stored; that also differs by distribution, although you can change it.
The location is the directory statement in the options section of named.conf. On Arch Linux and Slackware the options section is in /etc/named.conf itself; on Debian it is in /etc/bind/named.conf.options, which /etc/bind/named.conf pulls in with an include clause.
Below are the default named.conf files for each distribution covered in this tutorial:
Arch Linux
//
// /etc/named.conf
//
options {
directory "/var/named";
pid-file "/var/run/named/named.pid";
auth-nxdomain yes;
datasize default;
// Uncomment these to enable IPv6 connections support
// IPv4 will still work:
// listen-on-v6 { any; };
// Add this for no IPv4:
// listen-on { none; };
// Default security settings.
allow-recursion { 127.0.0.1; };
allow-transfer { none; };
allow-update { none; };
version none;
hostname none;
server-id none;
};
zone "localhost" IN {
type master;
file "localhost.zone";
allow-transfer { any; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "127.0.0.zone";
allow-transfer { any; };
};
zone "." IN {
type hint;
file "root.hint";
};
//zone "example.org" IN {
// type slave;
// file "example.zone";
// masters {
// 192.168.1.100;
// };
// allow-query { any; };
// allow-transfer { any; };
//};
logging {
channel xfer-log {
file "/var/log/named.log";
print-category yes;
print-severity yes;
print-time yes;
severity info;
};
category xfer-in { xfer-log; };
category xfer-out { xfer-log; };
category notify { xfer-log; };
};
Debian
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
include "/etc/bind/named.conf.local";
And the default /etc/bind/named.conf.options:
options {
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
};
Slackware
options {
directory "/var/named";
/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;
};
//
// a caching only nameserver config
//
zone "." IN {
type hint;
file "caching-example/named.root";
};
zone "localhost" IN {
type master;
file "caching-example/localhost.zone";
allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
type master;
file "caching-example/named.local";
allow-update { none; };
};
As you can see there is not much difference apart from the directory where zone files are stored:
- Arch Linux and Slackware: /var/named
- Debian and Ubuntu: /var/cache/bind
From here on the configuration is the same for all of these distributions; the file names in the zone statements below are relative to that directory.
Create a Master Zone
To create a master zone, edit named.conf (on Debian, add zones to /etc/bind/named.conf.local, which named.conf includes) and add the following. In this example I create a zone for the domain linux10.com:
zone "linux10.com" IN {
type master;
file "linux10.com.zone";
allow-update { none; };
allow-transfer { none; };
};
Then create the file linux10.com.zone in the directory given by the directory statement of your options section.
Leading whitespace is significant in a zone file: a record that starts with whitespace belongs to the owner name of the previous record, so keep the indentation shown here. The file should look at least like this:
$ORIGIN linux10.com.
$TTL 86400 ; 1 day
@       IN SOA  scz.alketech.com. hostmaster.linux10.com. (
                2010122801 ; serial, YYYYMMDDnn: increase it on every change
                7200       ; refresh (2 hours)
                7200       ; retry (2 hours)
                2419200    ; expire (4 weeks)
                86400      ; minimum, negative caching TTL (1 day)
                )
$TTL 14400 ; 4 hours
        IN NS   scz.alketech.com.
        IN NS   ns1.alketech.com.
        IN A    10.1.1.1    ; only if you want the bare domain name to point to a server
        IN MX   10 mx1      ; your mail server, if you have one
        IN MX   20 mx2      ; your secondary mail server, if you have one
www     IN A    1.2.3.4     ; the IP of your web server, if you want one
mx1     IN A    1.2.3.5     ; the IP of your mx1 server
mx2     IN A    1.2.3.6     ; the IP of your mx2 server
In the SOA record the first name is the master name server (scz.alketech.com in this example) and the second is the contact address with the @ written as a dot (hostmaster.linux10.com. means hostmaster@linux10.com). The relative names mx1 and mx2 expand to mx1.linux10.com. and mx2.linux10.com. because of the $ORIGIN line at the top.
Yours may of course have more or fewer records, according to your needs. Whenever you change the zone, increase the serial, otherwise the slaves will keep serving their old copy.
Configure a DNS slave server with BIND
It is a good idea to have a slave server in case your master is unreachable at some point.
Both master and slaves must be registered as the name servers of your domain at your registrar. You may register more than two, and that is a good idea; it is also a good idea to put them on different networks: if all of them sit in the same office or data center and that place loses Internet connectivity, every one of your servers becomes unreachable and you lose traffic, email or both.
To the clients of your domain there is no difference between master and slave, so run one master and as many slaves as you want; anything between two and four slaves is fine.
Enable AXFR transfers
Your master must allow AXFR (full zone transfer) requests from the slaves, and only from them: a transfer hands out the whole zone, and BIND allows transfers to anyone unless allow-transfer says otherwise (the Arch default above sets it to none globally; the Debian default sets nothing). So the first step is to list the slave addresses in allow-transfer on the master:
zone "linux10.com" IN {
type master;
file "linux10.com.zone";
allow-update { none; };
allow-transfer { ip.of.slave.server; ip.of.slave.server2; ip.of.slave.server3;};
};
Now create the slave zone on each slave server.
In the slave's named.conf (named.conf.local on Debian) configure the slave zone like this:
zone "linux10.com" {
type slave;
file "linux10.com.zone";
masters { 200.87.61.83; }; // the IP of your master, scz.alketech.com in this example
allow-transfer { none; };
};
named writes its own copy of the zone to that file, so the directory from the options section must be writable by the user named runs as. The slave fetches the zone when it starts, when the master sends it a NOTIFY after the serial changes, and at every refresh interval of the SOA.
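Listing the slave addresses in allow-transfer is the minimum. A stronger setup, shown here as an added example that is not part of the original post, authenticates each transfer with a TSIG key shared by master and slave (TSIG is one of the BIND 9 features quoted above). The key name linux10-xfer and the secret are placeholders: generate a real one with tsig-keygen linux10-xfer on current BIND, or dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST linux10-xfer on older releases, and paste the same base64 secret on both sides. The addresses are the ones the dig output below reports for scz.alketech.com (master) and ns1.alketech.com (slave).

```conf
// ---- on the master: /etc/named.conf, or /etc/bind/named.conf.local on Debian
key "linux10-xfer" {
    algorithm hmac-sha256;
    secret "PASTE-THE-BASE64-SECRET-FROM-tsig-keygen-HERE";   // placeholder, not a real key
};

zone "linux10.com" IN {
    type master;
    file "linux10.com.zone";
    allow-update { none; };
    // Only requests signed with the key get the zone; an address alone is not enough.
    allow-transfer { key "linux10-xfer"; };
    // notify yes is the default: named tells every NS of the zone when the
    // serial changes, so the slave pulls the new copy without waiting for refresh.
    notify yes;
};

// ---- on the slave: the same key block (identical name, algorithm and secret), then
zone "linux10.com" IN {
    type slave;
    file "linux10.com.zone";      // written by named, so the directory must be writable by it
    // Sign every SOA check and AXFR sent to the master with the shared key.
    masters { 200.87.61.83 key "linux10-xfer"; };
    allow-transfer { none; };     // nobody pulls the zone from the slave
};
```

Two things bite in practice: TSIG signatures carry a timestamp and BIND rejects them with BADTIME when the clocks differ by more than five minutes, so keep both servers on NTP; and the secret is as sensitive as the zone itself, so keep the key block in a file readable only by root and the named user and pull it in with an include, rather than in a world-readable named.conf.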
Testing the configuration
Query the master, and then each slave, for the NS records of the zone; every server must return the same answer:
dig @your.master.server your.domain.com ns
Example:
dig @scz.alketech.com linux10.com ns
You should get something like this:
; <<>> DiG 9.2.4 <<>> @scz.alketech.com linux10.com ns
; (1 server found)
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23659
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2
;; QUESTION SECTION:
;linux10.com. IN NS
;; ANSWER SECTION:
linux10.com. 14400 IN NS scz.alketech.com.
linux10.com. 14400 IN NS ns1.alketech.com.
;; ADDITIONAL SECTION:
ns1.alketech.com. 14400 IN A 200.87.59.3
scz.alketech.com. 14400 IN A 200.87.61.83
;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 29 15:35:20 2010
;; MSG SIZE rcvd: 106
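The manual dig above shows what a good answer looks like: the aa flag means the server answered authoritatively, and ra means it still offers recursion, which the next section turns off. The script below is an added example, not part of the original post, that automates the checks worth running after every zone change: it reads the SOA serial from master and slave and compares them, confirms that a host outside allow-transfer gets its AXFR refused, reports the header flags, and validates configuration and zone file before a reload. Hostnames, addresses and the zone are this tutorial's placeholders; it relies on two facts about dig, that dig +short prints the SOA serial as the third field of the answer and that a refused transfer is reported as "; Transfer failed.".

```shell
#!/bin/sh
# Added example, not from the original post: post-change checks for a BIND
# master/slave pair. Names, addresses and the zone are the tutorial's
# placeholders; replace them with yours. Needs dig (dnsutils) and, for
# check_before_reload, the named-checkconf/named-checkzone/rndc tools that
# ship with BIND.

ZONE="linux10.com"
MASTER="scz.alketech.com"   # the master, as queried in the dig example
SLAVE="ns1.alketech.com"    # one of the slaves

# Extract the serial from a "dig +short ... SOA" answer, which looks like:
#   scz.alketech.com. hostmaster.linux10.com. 2010122801 7200 7200 2419200 86400
# (mname rname serial refresh retry expire minimum), so the serial is field 3.
soa_serial() {
    set -- $1
    printf '%s\n' "$3"
}

# Ask one server for the zone's SOA and print its serial (empty on failure).
serial_from() {   # $1 = server, $2 = zone
    soa_serial "$(dig +short +time=3 +tries=1 "@$1" "$2" SOA 2>/dev/null)"
}

# True only when both serials were obtained and are identical.
serials_in_sync() {   # $1 = master serial, $2 = slave serial
    [ -n "$1" ] && [ -n "$2" ] && [ "$1" = "$2" ]
}

# Read the ";; flags:" header line of a dig answer and report whether it was
# authoritative (aa) and whether the server still offers recursion (ra);
# an authoritative-only server should not show ra to outside hosts.
classify_flags() {   # $1 = the ";; flags: ..." line
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    out=""
    for f in $flags; do
        case $f in
            aa) out="$out authoritative" ;;
            ra) out="$out recursion-available" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# A zone transfer requested from a host that is not in allow-transfer must be
# refused; dig reports that as "; Transfer failed."
axfr_refused() {   # $1 = server, $2 = zone
    dig +time=3 +tries=1 "@$1" "$2" AXFR 2>/dev/null | grep -q '^; Transfer failed'
}

# Validate the configuration and the zone file before telling named to
# reload the zone, so a typo never takes the server down.
check_before_reload() {   # $1 = named.conf path, $2 = zone file path
    named-checkconf "$1" && named-checkzone "$ZONE" "$2" && rndc reload "$ZONE"
}

main() {
    command -v dig >/dev/null || { echo "dig not found; install dnsutils" >&2; return 1; }
    m=$(serial_from "$MASTER" "$ZONE")
    s=$(serial_from "$SLAVE" "$ZONE")
    if serials_in_sync "$m" "$s"; then
        echo "$ZONE in sync: serial $m on master and slave"
    else
        echo "$ZONE OUT OF SYNC: master=$m slave=$s (serial not bumped, or transfer refused?)" >&2
    fi
    # Run this from a host that is NOT in allow-transfer: both servers must refuse.
    for srv in "$MASTER" "$SLAVE"; do
        if axfr_refused "$srv" "$ZONE"; then
            echo "$srv refuses AXFR to this host: good"
        else
            echo "$srv ALLOWED a zone transfer to this host: tighten allow-transfer" >&2
        fi
    done
    hdr=$(dig +time=3 +tries=1 "@$MASTER" "$ZONE" SOA | grep '^;; flags:')
    echo "$MASTER answered: $(classify_flags "$hdr")"
}

# Live checks only when invoked as "sh dnscheck.sh run", so the helper
# functions can be sourced and exercised without network access.
if [ "${1:-}" = run ]; then
    main
fi
```

Run it as sh dnscheck.sh run from a machine that is not one of your slaves; a transfer that succeeds from there means allow-transfer is too wide. On the master, call check_before_reload /etc/named.conf /var/named/linux10.com.zone (Debian: /etc/bind/named.conf and /var/cache/bind/linux10.com.zone) after editing the zone instead of reloading blindly.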
Final tunings
An authoritative server, master or slave, should not answer recursive queries for the whole Internet: an open resolver gets abused to amplify traffic against third parties and adds attack surface that an authoritative-only server does not need. If the server is only authoritative, add this line to the options section:
recursion no;
If the same machine must also resolve names for your own hosts, restrict recursion to them rather than leaving it open. The acl statement is a top-level statement and goes outside (before) the options block; replace 1.2.3.4 with your own hosts or networks:
acl recurseallow { 1.2.3.4; 127.0.0.1; };
and inside the options section:
allow-recursion { recurseallow; };
recursion yes;
The options section is in /etc/named.conf on Arch Linux and Slackware and in /etc/bind/named.conf.options on Debian (the acl can go at the top of that same file, since it is included at top level). Reload named afterwards with rndc reload and check from an outside host that the ra flag has disappeared from dig's answer.
Only for Slackware and Arch Linux
On Debian and Ubuntu the package starts bind9 at boot by itself. On Arch Linux and Slackware you need to enable the named daemon yourself:
On Arch Linux, edit /etc/rc.conf and add named to the DAEMONS array.
On Slackware, make the init script /etc/rc.d/rc.bind executable:
chmod +x /etc/rc.d/rc.bind