How to set up a master/slave DNS server with BIND

Written by
Date: 2010-12-29 10:36:30 00:00


How to set up a master / slave DNS server with BIND

The Domain Name System (a.k.a. DNS) is probably one of the Internet services least known to the common user, yet also one of the most used by everybody.

The Domain Name System (DNS) is a hierarchical naming system built on a distributed database for computers, services, or any resource connected to the Internet or a private network. It associates various information with domain names assigned to each of the participating entities. Most importantly, it translates domain names meaningful to humans into the numerical identifiers associated with networking equipment for the purpose of locating and addressing these devices worldwide.

The Domain Name System makes it possible to assign domain names to groups of Internet resources and users in a meaningful way, independent of each entity's physical location. Because of this, World Wide Web (WWW) hyperlinks and Internet contact information can remain consistent and constant even if the current Internet routing arrangements change or the participant uses a mobile device. Internet domain names are easier to remember than IP addresses such as 208.77.188.166 (IPv4) or 2001:db8:1f70::999:de8:7648:6e8 (IPv6). Users take advantage of this when they recite meaningful Uniform Resource Locators (URLs) and e-mail addresses without having to know how the computer actually locates them.

– Wikipedia

There are a lot of DNS servers, but BIND may be the most widely used on the web. I will not start a discussion about whether it is the best or whether there are better ones; it is simply one of the most used.

BIND (pronounced /ˈbaɪnd/), or named (/ˈneɪmdiː/), was as of 2004 the most commonly used Domain Name System (DNS) server on the Internet, and still proclaims itself to be so. On Unix-like operating systems it is the de facto standard.

Originally written by four graduate students at the Computer Systems Research Group at the University of California, Berkeley (UCB), the name originates as an acronym from Berkeley Internet Name Domain.

A new version of BIND (BIND 9) was written by the ISC from scratch in part to address the architectural difficulties with auditing the earlier BIND code bases, and also to support DNSSEC (DNS Security Extensions). Other important features of BIND 9 include: TSIG, DNS notify, nsupdate, IPv6, rndc flush (remote name daemon control), views, multiprocessor support, and an improved portability architecture. rndc uses a shared secret to provide encryption for local and remote terminals during each session.

– Wikipedia

Installation

The installation varies depending on your Linux distribution: some call the package BIND, others named, but it is certainly in your software repository. I will focus this tutorial on Debian, Arch Linux and Slackware; Ubuntu and other Debian derivatives are of course covered as well.

Let's keep the distributions covered here in alphabetical order:

Arch Linux

pacman -Sy bind dnsutils

Debian and Ubuntu

apt-get update && apt-get install bind9 dnsutils

Slackware

slackpkg update && slackpkg install bind

Configure a master zone on BIND

The file we need to edit to configure master and slave zones is named.conf. It is not located in the same place on every distribution, so here are the locations:

  • Arch Linux: /etc/named.conf
  • Debian: /etc/bind/named.conf
  • Slackware: /etc/named.conf

Note: You may want to save a copy of every file you will edit before doing so, in case you screw things up.

The first thing you may want to check is where your zone files are stored. That is not the same on each distribution either, but you can change it if you want.

Where your zone files live is defined in the options section of named.conf for Arch Linux and Slackware; on Debian you will find it in the file /etc/bind/named.conf.options, which is pulled into /etc/bind/named.conf with an include clause.

Below are the default named.conf files for each distribution covered in this tutorial:

Arch Linux

// 
// /etc/named.conf
//

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    auth-nxdomain yes;
    datasize default;
// Uncomment these to enable IPv6 connections support
// IPv4 will still work:
//  listen-on-v6 { any; };
// Add this for no IPv4:
//  listen-on { none; };

    // Default security settings.
    allow-recursion { 127.0.0.1; };
    allow-transfer { none; };
    allow-update { none; };
    version none;
    hostname none;
    server-id none;
};

zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-transfer { any; };
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "127.0.0.zone";
    allow-transfer { any; };
};

zone "." IN {
    type hint;
    file "root.hint";
};

//zone "example.org" IN {
//  type slave;
//  file "example.zone";
//  masters {
//      192.168.1.100; 
//  };
//  allow-query { any; };
//  allow-transfer { any; };
//};

logging {
        channel xfer-log {
                file "/var/log/named.log";
                print-category yes;
                print-severity yes;
                print-time yes;
                severity info;
        };
        category xfer-in { xfer-log; };
        category xfer-out { xfer-log; };
        category notify { xfer-log; };
};

Debian

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the 
// structure of BIND configuration files in Debian, *BEFORE* you customize 
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";

// prime the server with knowledge of the root servers
zone "." {
        type hint;
        file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};
	
zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

include "/etc/bind/named.conf.local";

And the /etc/bind/named.conf.options

options {
        directory "/var/cache/bind";

        // If there is a firewall between you and nameservers you want
        // to talk to, you may need to fix the firewall to allow multiple
        // ports to talk.  See http://www.kb.cert.org/vuls/id/800113

        // If your ISP provided one or more IP addresses for stable 
        // nameservers, you probably want to use them as forwarders.  
        // Uncomment the following block, and insert the addresses replacing 
        // the all-0's placeholder.

        // forwarders {
        //      0.0.0.0;
        // };

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Slackware

options {
   directory "/var/named";
   /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below.  Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
   // query-source address * port 53;
};

//
// a caching only nameserver config
//
zone "." IN {
   type hint;
   file "caching-example/named.root";
};

zone "localhost" IN {
   type master;
   file "caching-example/localhost.zone";
   allow-update { none; };
};

zone "0.0.127.in-addr.arpa" IN {
   type master;
   file "caching-example/named.local";
   allow-update { none; };
};

As you can see, there is not much difference apart from the place where zone files are stored:

  • Arch Linux and Slackware: /var/named
  • Debian and Ubuntu: /var/cache/bind

From here on, the same configuration applies to all of these Linux distributions.

Create a Master Zone

To create a master zone, edit named.conf and add the following. In this example I will create a zone for the domain linux10.com:

zone "linux10.com" IN {
    type master;
    file "linux10.com.zone";
    allow-update { none; };
    allow-transfer { none; };
};

Then create the file linux10.com.zone in the directory given in the options section of your named.conf.

The file should look at least like this:

$ORIGIN .
$TTL 86400      ; 1 day
linux10.com            IN SOA  primary.server.com. your.email.address. (
                            2010122801 ; serial
                            7200       ; refresh (2 hours)
                            7200       ; retry (2 hours)
                            2419200    ; expire (5 weeks 6 days 16 hours)
                            86400      ; minimum (1 day)
                            )
$TTL 14400      ; 4 hours
                        NS      scz.alketech.com.
                        NS      ns1.alketech.com.
                        A       10.1.1.1 ; If you want to assign a server to your domain
; MX targets are written fully qualified here: while $ORIGIN is still ".",
; a bare "mx1" would be read as the top-level name "mx1." rather than mx1.linux10.com.
                        MX      10      mx1.linux10.com. ; Your email server if you have any
                        MX      20      mx2.linux10.com. ; Your secondary email server if you have one

$ORIGIN linux10.com.
www                     A       1.2.3.4 ; The IP of your web server if you want to have one.
mx1                     A       1.2.3.5 ; The IP of your mx1 server
mx2                     A       1.2.3.6 ; The IP of your mx2 server

Of course yours may have more or less lines and servers according to your needs.
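Before loading a zone like the one above on the master, it pays to check it for the mistakes that most often leave slaves serving stale data: a serial that was not bumped, too few NS records, and NS/MX targets that cannot be reached (including a relative name written before the $ORIGIN switch). The checker below is an added example written for this tutorial; it is not code from the page or from ISC BIND, it handles only the zone-file subset used above, and the sample zones, the hostmaster.linux10.com. contact and the "previous serial" values are constructed for the demonstration.

```python
"""Sanity-check a BIND zone file before the master loads it.

Added example for this tutorial (not page or ISC BIND code). Parses only the
subset used above: $ORIGIN, $TTL, an SOA with a parenthesised RDATA block,
and NS/A/MX records.
"""
import re

# Constructed sample modelled on the linux10.com zone above (MX targets fully qualified).
ZONE_OK = """\
$ORIGIN .
$TTL 86400      ; 1 day
linux10.com            IN SOA  primary.server.com. hostmaster.linux10.com. (
                            2010122801 ; serial
                            7200       ; refresh
                            7200       ; retry
                            2419200    ; expire
                            86400      ; minimum
                            )
$TTL 14400      ; 4 hours
                    NS      scz.alketech.com.
                    NS      ns1.alketech.com.
                    A       10.1.1.1
                    MX      10      mx1.linux10.com.
                    MX      20      mx2.linux10.com.

$ORIGIN linux10.com.
www                     A       1.2.3.4
mx1                     A       1.2.3.5
mx2                     A       1.2.3.6
"""

# Constructed variant with the classic mistake: "mx1" written while $ORIGIN is
# still ".", so it qualifies to the top-level name "mx1." instead of mx1.linux10.com.
ZONE_BAD = ZONE_OK.replace("mx1.linux10.com.", "mx1").replace("mx2.linux10.com.", "mx2")


def _logical_lines(text):
    """Drop ';' comments and join the lines of a parenthesised RDATA block."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            yield " ".join(buf)
            buf = []


def _fqdn(name, origin):
    """Qualify a relative owner or target name against the current $ORIGIN."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return name + "." if origin == "." else name + "." + origin


def parse_zone(text):
    """Return (owner, type, rdata) tuples with every name fully qualified."""
    origin, owner, records = ".", None, []
    for line in _logical_lines(text):
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        if line[0].isspace():             # blank owner field: reuse the previous owner
            if owner is None:
                raise ValueError("record with no owner: " + line.strip())
        else:
            owner = _fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                 # optional TTL and class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype == "NS":
            rdata[0] = _fqdn(rdata[0], origin)
        elif rtype == "MX":
            rdata[1] = _fqdn(rdata[1], origin)
        records.append((owner, rtype, rdata))
    return records


def check_zone(text, previous_serial=None):
    """Return a list of findings; an empty list means the zone looks sane."""
    records = parse_zone(text)
    soas = [r for r in records if r[1] == "SOA"]
    if len(soas) != 1:
        return ["zone needs exactly one SOA record, found %d" % len(soas)]
    apex, serial, findings = soas[0][0], soas[0][2][2], []
    if not serial.isdigit():
        findings.append("SOA serial %r is not numeric" % serial)
    elif previous_serial is not None and int(serial) <= previous_serial:
        findings.append("SOA serial %s did not increase past %d; slaves will not transfer" % (serial, previous_serial))
    elif not re.fullmatch(r"(19|20)\d{8}", serial):
        findings.append("SOA serial %s does not follow the YYYYMMDDnn convention" % serial)
    addresses = {r[0] for r in records if r[1] in ("A", "AAAA")}
    targets = [("NS", r[2][0]) for r in records if r[1] == "NS" and r[0] == apex]
    if len(targets) < 2:
        findings.append("fewer than two NS records at %s" % apex)
    targets += [("MX", r[2][1]) for r in records if r[1] == "MX"]
    for kind, target in targets:
        if target.count(".") == 1:        # e.g. "mx1.": a relative name qualified against "$ORIGIN ."
            findings.append("%s target %s is a single label: written before $ORIGIN %s?" % (kind, target, apex))
        elif (target == apex or target.endswith("." + apex)) and target not in addresses:
            findings.append("%s target %s is in the zone but has no A/AAAA record" % (kind, target))
    return findings


if __name__ == "__main__":
    print("ZONE_OK :", check_zone(ZONE_OK, previous_serial=2010122800))
    print("ZONE_BAD:", check_zone(ZONE_BAD, previous_serial=2010122801))
```

Pass the serial the slaves currently hold as previous_serial (the value you get from dig @slave linux10.com soa) and the checker tells you whether the edited zone will actually propagate.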

Configure a DNS slave server with BIND

It is a good idea to have a slave server in case your master server is unreachable at any time.

Both master and slave need to be defined as your DNS servers at your domain registrar. You may define more than just two servers, and that is a good idea. It is also a good idea to have your DNS servers on different networks: if they are all in the same office or data center and that place loses Internet connectivity, all your servers will be out of reach, and you will lose traffic or emails or both.

For the visitors of your servers any DNS server is the same; there is no difference between masters and slaves, so you should define one master and as many slaves as you want (anything between 2 and 4 slaves is OK).

Enable AXFR transfers

Your master DNS server must allow AXFR transfers to the slave servers for this to work, so the first step is to configure your master server to do so:

zone "linux10.com" IN {
    type master;
    file "linux10.com.zone";
    allow-update { none; };
    allow-transfer { ip.of.slave.server; ip.of.slave.server2; ip.of.slave.server3;};
};

Now create the slave zone on your slave servers.

In the slave server's named.conf file you need to configure the slave zone, like this:

zone "linux10.com" {
    type slave;
    file "linux10.com.zone";
    masters { 1.2.3.4; };
    allow-transfer { none; };
};

Testing the configuration

dig @your.master.server your.domain.com ns

Example:

dig @scz.alketech.com linux10.com ns

You should get something like this:

; <<>> DiG 9.2.4 <<>> @scz.alketech.com linux10.com ns
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23659
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;linux10.com.                   IN      NS

;; ANSWER SECTION:
linux10.com.            14400   IN      NS      scz.alketech.com.
linux10.com.            14400   IN      NS      ns1.alketech.com.

;; ADDITIONAL SECTION:
ns1.alketech.com.       14400   IN      A       200.87.59.3
scz.alketech.com.       14400   IN      A       200.87.61.83

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Dec 29 15:35:20 2010
;; MSG SIZE  rcvd: 106
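The NS query above shows that the master answers, but it does not tell you whether the slaves have actually pulled the zone. The quickest check is to compare the SOA serial on every server: a slave that could not transfer either answers SERVFAIL or still serves the old serial. The script below is an added example written for this tutorial, not code from the page; query_soa() assumes dig is installed and reachable on the network, while the parsing and comparison run offline on constructed dig transcripts (the ns1/ns2/ns3.example.test names are placeholders).

```python
"""Compare the SOA serial served by the master with the one on each slave.

Added example for this tutorial (not page or ISC BIND code). Works on dig's
default text output, so it can be exercised on constructed transcripts.
"""
import re
import subprocess


def query_soa(server, zone):
    """Run `dig @server zone soa` and return its text output (needs dig and network access)."""
    return subprocess.run(["dig", "@" + server, zone, "soa"],
                          capture_output=True, text=True, check=True).stdout


def parse_dig(output):
    """Return (status, flags, answer records) from dig's default text output."""
    status, flags, answers, in_answer = None, set(), [], False
    for line in output.splitlines():
        if line.startswith(";; ->>HEADER<<-"):
            status = re.search(r"status: (\w+)", line).group(1)
        elif line.startswith(";; flags:"):
            flags = set(re.search(r"flags: ([^;]*);", line).group(1).split())
        elif line.startswith(";; ANSWER SECTION"):
            in_answer = True
        elif line.startswith(";") or not line.strip():
            in_answer = False             # any other section header or blank line ends the answers
        elif in_answer:
            answers.append(line.split())  # name ttl class type rdata...
    return status, flags, answers


def soa_serial(output):
    """Extract the SOA serial from an authoritative NOERROR answer; raise otherwise."""
    status, flags, answers = parse_dig(output)
    if status != "NOERROR":
        raise ValueError("query failed: status %s" % status)
    if "aa" not in flags:
        raise ValueError("answer is not authoritative (no aa flag)")
    for rr in answers:
        if len(rr) >= 7 and rr[3] == "SOA":
            return int(rr[6])             # mname rname serial refresh retry expire minimum
    raise ValueError("no SOA record in the answer section")


def check_slaves(master_output, slave_outputs):
    """Map each slave to 'in sync', 'stale (...)' or 'error: ...' relative to the master."""
    master = soa_serial(master_output)
    report = {}
    for server, output in slave_outputs.items():
        try:
            serial = soa_serial(output)
        except ValueError as exc:
            report[server] = "error: %s" % exc
            continue
        report[server] = ("in sync" if serial == master
                          else "stale (serial %d, master has %d)" % (serial, master))
    return report


def sample_output(status, flags, serial=None):
    """Build a constructed dig-style transcript for offline testing."""
    lines = [";; ->>HEADER<<- opcode: QUERY, status: %s, id: 1" % status,
             ";; flags: %s; QUERY: 1, ANSWER: %d, AUTHORITY: 0, ADDITIONAL: 0" % (flags, 1 if serial else 0),
             "", ";; QUESTION SECTION:", ";linux10.com.\t\t\tIN\tSOA", ""]
    if serial:
        lines += [";; ANSWER SECTION:",
                  "linux10.com.\t14400\tIN\tSOA\tprimary.server.com. hostmaster.linux10.com. "
                  "%d 7200 7200 2419200 86400" % serial, ""]
    return "\n".join(lines)


# Constructed transcripts: one slave in sync, one a serial behind, one failing.
MASTER = sample_output("NOERROR", "qr aa rd", 2010122801)
SLAVES = {
    "ns1.example.test": sample_output("NOERROR", "qr aa rd", 2010122801),
    "ns2.example.test": sample_output("NOERROR", "qr aa rd", 2010122800),
    "ns3.example.test": sample_output("SERVFAIL", "qr rd"),
}

if __name__ == "__main__":
    for server, state in check_slaves(MASTER, SLAVES).items():
        print(server, state)
```

Against real servers, replace the constructed transcripts with query_soa("scz.alketech.com", "linux10.com") for the master and one query_soa() call per slave; a slave reported as stale for longer than the SOA refresh interval is the signal to look at the master's allow-transfer list and the transfer log.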

Final tunings

It is a good idea to disable recursion on your authoritative servers, master or slave.

To do this, insert these lines (the acl statement at the top level of named.conf, the allow-recursion and recursion settings in your options section):

// acl is a top-level statement: put it outside options { }, next to your zone statements
acl recurseallow { 1.2.3.4; 127.0.0.1; };

// inside options { }: answer recursive queries only for the hosts in the acl
allow-recursion { recurseallow; };
recursion yes;

Be sure to put this in the file /etc/named.conf for Arch Linux and Slackware, and in /etc/bind/named.conf.options for Debian.
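The two settings this tutorial tightens, allow-transfer for the AXFR section above and recursion/allow-recursion here, are also the two most common ways an authoritative BIND server ends up exposed: the Arch default shown earlier re-opens transfers with allow-transfer { any; } on the localhost zones, and an allow-recursion { any; } turns the server into an open resolver. The audit below is an added example written for this tutorial, not code from the page or from ISC BIND. It understands only the statement shapes used on this page, and it assumes that an unset allow-transfer counts as unrestricted (BIND 9 of the tutorial's era defaulted to any) and that recursion is acceptable only when switched off or limited to an explicit, non-any ACL; the sample configurations and the 192.0.2.x slave addresses are constructed.

```python
"""Audit named.conf for open zone transfers and open recursion.

Added example for this tutorial (not page or ISC BIND code). Handles
top-level options/zone/acl blocks and `name { a; b; };` / `name value;`
directives, which is all the configurations on this page use.
"""
import re

# Constructed sample modelled on the Arch Linux default shown above:
# transfers refused globally but re-opened for the localhost zones.
CONF_ARCH_DEFAULT = """\
options {
    allow-recursion { 127.0.0.1; };
    allow-transfer { none; };
};
zone "localhost" IN { type master; file "localhost.zone"; allow-transfer { any; }; };
zone "0.0.127.in-addr.arpa" IN { type master; file "127.0.0.zone"; allow-transfer { any; }; };
zone "." IN { type hint; file "root.hint"; };
"""

# Constructed sample of the mistakes to catch: acl nested inside options,
# recursion open to the world, a master zone that never restricts transfers.
CONF_SLOPPY = """\
options {
    acl recurseallow { 1.2.3.4; 127.0.0.1; };   // acl does not belong here
    allow-recursion { any; };
    recursion yes;
};
zone "linux10.com" IN { type master; file "linux10.com.zone"; };
"""

# Constructed sample of a hardened master: transfers only to the named slaves, no recursion.
CONF_HARDENED = """\
acl slaves { 192.0.2.10; 192.0.2.11; };
options { allow-transfer { none; }; recursion no; };
zone "linux10.com" IN { type master; file "linux10.com.zone"; allow-transfer { slaves; }; };
"""


def _strip_comments(text):
    """Remove /* */, // and # comments (named.conf accepts all three)."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def _top_level_statements(text):
    """Split the file into (header tokens, body) pairs, one per top-level statement."""
    depth, start, statements = 0, 0, []
    for i, ch in enumerate(text):
        if ch == "{":
            depth += 1
        elif ch == "}":
            depth -= 1
        elif ch == ";" and depth == 0:
            statements.append(text[start:i])
            start = i + 1
    result = []
    for stmt in statements:
        head, brace, body = stmt.partition("{")
        body = body.rsplit("}", 1)[0] if brace else ""
        if head.split():
            result.append((head.split(), body))
    return result


def _directive(body, name):
    """Tokens of `name { a; b; };`, [value] for `name value;`, or None if absent."""
    m = re.search(r"(?<![\w-])%s\s*\{([^}]*)\}" % re.escape(name), body)
    if m:
        return [t.strip() for t in m.group(1).split(";") if t.strip()]
    m = re.search(r"(?<![\w-])%s\s+([^;{}]+);" % re.escape(name), body)
    return [m.group(1).strip()] if m else None


def audit_named_conf(text):
    """Return a list of findings; an empty list means transfers and recursion are restricted."""
    findings, options, zones = [], "", []
    for head, body in _top_level_statements(_strip_comments(text)):
        if head[0] == "options":
            options = body
        elif head[0] == "zone" and len(head) > 1:
            zones.append((head[1].strip('"'), body))
    if re.search(r"(?<![\w-])acl\s+\S+\s*\{", options):
        findings.append("acl inside options: acl is a top-level statement, named will refuse to start")
    global_xfer = _directive(options, "allow-transfer")
    for name, body in zones:
        ztype = (_directive(body, "type") or [""])[0]
        if ztype not in ("master", "slave"):
            continue                      # hint/forward zones have nothing to transfer
        xfer = _directive(body, "allow-transfer") or global_xfer
        if xfer is None:
            findings.append("zone %s: allow-transfer unset, anyone can AXFR the zone" % name)
        elif "any" in xfer:
            findings.append("zone %s: allow-transfer { any; } lets anyone AXFR the zone" % name)
    recursion = _directive(options, "recursion")
    allow_rec = _directive(options, "allow-recursion")
    if recursion != ["no"]:
        if allow_rec is None:
            findings.append("recursion not restricted: set recursion no, or add allow-recursion")
        elif "any" in allow_rec:
            findings.append("allow-recursion { any; } turns this authoritative server into an open resolver")
    return findings


if __name__ == "__main__":
    for label, conf in (("arch default", CONF_ARCH_DEFAULT), ("sloppy", CONF_SLOPPY), ("hardened", CONF_HARDENED)):
        print(label, audit_named_conf(conf))
```

Run it as audit_named_conf(open("/etc/named.conf").read()) on Arch Linux and Slackware; on Debian concatenate named.conf.options and named.conf.local first, since the include statements are not followed.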

Only for Slackware and Arch Linux

For Arch Linux and Slackware you need to enable the named daemon to start on each boot. To do this:

On Arch Linux, edit the /etc/rc.conf file and add it to the DAEMONS list.

On Slackware, make the file /etc/rc.bind executable.