The Web as we know it depends on the Domain Name System (better known as DNS), one of the largest distributed databases in the world. DNS servers translate human-readable domain names into the numerical IP addresses that computers need in order to reach each other and locate websites on the Internet.
DNS Servers
DNS servers can be divided into public and private ones. Most public servers are run by larger Internet Service Providers and commercial companies, while private DNS servers mainly serve home and office networks. Running your own DNS server is worthwhile as soon as a network contains more than a few machines.
With a DNS server in your private network you centralize host information in one place instead of maintaining a hosts file on every client. The server also answers your clients' resolution requests locally and caches the results, so repeated lookups never leave the network.
Install and configure a BIND DNS server
BIND is packaged by most Linux distributions and is available in their repositories; you can also build it from source.
To install BIND 9 from the repositories, switch to the superuser and run:
apt-get install bind9
BIND is now installed. The init script lets you start and stop it at any time:
Stopping BIND
/etc/init.d/bind9 stop
Starting BIND
/etc/init.d/bind9 start
How to "chroot" BIND
The first step of the BIND configuration is to "chroot" it. A chroot confines the daemon to a separate directory tree that it sees as its root ("/"), so a compromised named can only reach the files inside that tree. It is combined with running named as an unprivileged user: named starts as root, binds port 53, enters the chroot and then drops to the "bind" user. Both measures are needed: a chroot alone does little against a process that keeps root privileges, and neither protects against kernel vulnerabilities. If someone exploits a BIND vulnerability, the damage is limited to what the bind user can reach inside the jail.
Here we will show you how to chroot BIND into the "/var/lib/named" directory. The first thing to do is to edit the /etc/default/bind9 file, where we tell the daemon to run as the unprivileged user "bind" (-u) and to chroot into /var/lib/named (-t). This is how the file should look:
The /etc/default/bind9 file:
OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
Now, we will have to create the specific folder in the /var/lib directory.
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
This creates all the directories BIND needs in order to work inside "/var/lib/named". The next step is to move BIND's configuration directory, "/etc/bind", into the jail at "/var/lib/named/etc" (a plain cp of the directory would fail without -r and would leave the old copy behind):
mv /etc/bind /var/lib/named/etc
Once the configuration is in its new location, create a symlink at the old path. Package updates and the tools on the host still expect /etc/bind, and through the symlink both the host and the chrooted daemon see the same files:
ln -s /var/lib/named/etc/bind /etc/bind
BIND can now run inside the chroot jail, but it still needs a few device nodes to function, for example /dev/null and an entropy source. Create them with the following commands:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
The final step is to make the system logger pick up BIND's log and error messages. Inside the jail named can no longer reach the host's /dev/log socket, so syslogd must open an additional socket at /var/lib/named/dev/log. For this, add the following line
SYSLOGD="-a /var/lib/named/dev/log"
to the "/etc/default/syslogd" file. (On systems that ship rsyslog instead of sysklogd, the equivalent is the directive $AddUnixListenSocket /var/lib/named/dev/log in /etc/rsyslog.conf.) Here is how the file should look after that:
A syslogd file for a chrooted BIND
## Top configuration file for syslogd
#
#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#
#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
Now, restart syslogd and BIND and check "/var/log/syslog" for any errors.
Restart syslogd and start BIND
/etc/init.d/sysklogd restart
/etc/init.d/bind9 start
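The whole chroot procedure above, collected into one script that also verifies the result, as an added example (not part of the original page). It assumes the Debian layout used here: /etc/bind, the "bind" user, and /var/lib/named as the jail; it additionally creates /dev/urandom in the jail, which some BIND builds read instead of /dev/random. Run it as root with "apply" to build the jail and "verify" after starting named; with no argument it only defines the functions.

```shell
#!/bin/sh
# Added example: build and verify a BIND chroot jail on Debian.
# Assumptions: /etc/bind, user "bind", jail root /var/lib/named (overridable).
set -eu

CHROOT="${CHROOT:-/var/lib/named}"

# Directory skeleton named needs inside the jail (etc/bind is moved in later).
make_chroot_tree() {
    root="$1"
    mkdir -p "$root/etc" "$root/dev" "$root/var/cache/bind" "$root/var/run/bind/run"
}

# Device nodes: /dev/null plus entropy sources. Needs root (CAP_MKNOD).
make_chroot_devices() {
    root="$1"
    [ -e "$root/dev/null" ]    || mknod "$root/dev/null" c 1 3
    [ -e "$root/dev/random" ]  || mknod "$root/dev/random" c 1 8
    [ -e "$root/dev/urandom" ] || mknod "$root/dev/urandom" c 1 9   # assumption: wanted by some builds
    chmod 666 "$root/dev/null" "$root/dev/random" "$root/dev/urandom"
}

# Move /etc/bind into the jail, leave a symlink behind, hand the tree to "bind".
move_config() {
    root="$1"
    if [ ! -L /etc/bind ]; then
        mv /etc/bind "$root/etc/bind"
        ln -s "$root/etc/bind" /etc/bind
    fi
    mkdir -p "$root/etc/bind/zones"
    chown -R bind:bind "$root/etc/bind" "$root/var"
}

# Syntax-check the config as the chrooted daemon will read it, then confirm
# the running process is actually jailed and no longer root.
verify_chroot() {
    root="$1"
    named-checkconf -t "$root" /etc/bind/named.conf
    pid=$(pidof named) || { echo "named is not running"; return 1; }
    # /proc/<pid>/root points at the jail for a chrooted process
    [ "$(readlink /proc/"$pid"/root)" = "$root" ] || { echo "named is NOT chrooted"; return 1; }
    [ "$(ps -o user= -p "$pid")" = "bind" ] || { echo "named is NOT running as bind"; return 1; }
    echo "named is chrooted in $root and running as bind"
}

case "${1:-}" in
    apply)  make_chroot_tree "$CHROOT"; make_chroot_devices "$CHROOT"; move_config "$CHROOT" ;;
    verify) verify_chroot "$CHROOT" ;;
esac
```

The verify step is the part the page leaves out: named-checkconf -t resolves include paths relative to the jail exactly as named will, and the /proc check proves the daemon really is confined rather than merely started with a -t flag that was ignored because of a typo in /etc/default/bind9.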
Configuring BIND
Once you have installed and chrooted BIND, it's time to start using it. The first thing to do is to add a DNS zone for your domain name by editing the "named.conf.local" file (through the symlink, so the file ends up inside the jail):
vi /etc/bind/named.conf.local
In there, add the following text to create a DNS zone for "my-best-server.com". The path is the one named sees from inside the chroot, where /etc/bind is a real directory:
zone "my-best-server.com" {
type master;
file "/etc/bind/zones/my-best-server.com.db";
};
The next step is to create the zone file itself:
mkdir /etc/bind/zones
vi /etc/bind/zones/my-best-server.com.db
The editor opens an empty file; enter the zone below, then adapt the records to your own hosts. Note that every name must either end in a dot or be relative to the zone: a bare "my-best-server.com" without the trailing dot would become my-best-server.com.my-best-server.com. The name server listed in the NS record also needs its own A record, otherwise named warns that the NS has no address and clients cannot reach it. Bump the serial every time you change the file.
$TTL 1500
@   IN  SOA ns1.my-best-server.com. root.my-best-server.com. (
            2007062703  ; serial (YYYYMMDDnn)
            28800       ; refresh
            3600        ; retry
            604800      ; expire
            38400 )     ; negative caching TTL
@                        IN  NS  ns1.my-best-server.com.
ns1.my-best-server.com.  IN  A   192.168.0.100
my-best-server.com.      IN  A   192.168.0.100
my-best-server.com.      IN  MX  10 my-best-server.com.
After saving, check the file with named-checkzone my-best-server.com /etc/bind/zones/my-best-server.com.db before reloading BIND.
Two steps are left: configuring the DNS forwarder and making the server resolve through itself.
To configure the forwarder, edit "named.conf.options":
vi /etc/bind/named.conf.options
In the file, look for the "forwarders" block. In the Debian default it is commented out with a placeholder address; uncomment it and replace the placeholder with the IP of your ISP's DNS server:
forwarders {
123.123.123.123;
};
This way, when your server cannot answer a query from its own zones or cache, it forwards the query to the ISP's resolver instead of iterating through the root servers itself. Keep in mind that whoever runs the forwarder sees every name your network looks up, so pick a resolver you trust.
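A fuller named.conf.options for this setup, as an added example that is not the page's own configuration. It keeps the forwarder from above and makes explicit what the page leaves to BIND's built-in defaults: which addresses the server listens on, who may query it and who may recurse through it. BIND's default for allow-recursion is already localnets and localhost, but stating it keeps a later change to listen-on or allow-query from silently turning the box into an open resolver. The LAN prefix 192.168.0.0/24, the listen address 192.168.0.100 and the forwarder address are assumptions.

```conf
// /etc/bind/named.conf.options (added example; addresses are assumptions)

// Who counts as "inside": loopback plus the home LAN.
acl "home" { 127.0.0.0/8; 192.168.0.0/24; };

options {
    directory "/var/cache/bind";

    // Weak form, as on the page: only the forwarder is set and everything
    // else is left to defaults.
    //     forwarders { 123.123.123.123; };

    forwarders { 123.123.123.123; };   // the ISP's resolver
    forward only;                      // never iterate ourselves if it fails

    // Bind only to the addresses the clients use; not to every interface.
    listen-on    { 127.0.0.1; 192.168.0.100; };
    listen-on-v6 { none; };

    allow-query     { home; };         // answers (even for own zones) stay inside
    allow-recursion { home; };         // recursion for the LAN only
    allow-transfer  { none; };         // add secondaries here explicitly

    dnssec-validation auto;            // validate answers the forwarder returns
    version "not disclosed";           // do not advertise the exact BIND version
};
```

With allow-transfer set to none, a full zone dump (AXFR) can no longer be pulled by any client that happens to be on the network; list the addresses of your secondary servers there when you add some. Validate the result with named-checkconf before restarting.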
The last thing we need to do is to make the server use itself for resolution. To do this, edit the resolv.conf file:
vi /etc/resolv.conf
In there, enter your domain name as the search domain and the address your server listens on:
search my-best-server.com
nameserver 192.168.0.100
One caveat: with RESOLVCONF=yes in /etc/default/bind9, the resolvconf package (if installed) regenerates /etc/resolv.conf and registers 127.0.0.1 for bind9 by itself, so a hand-edited file is overwritten on the next change. Either set RESOLVCONF=no or let resolvconf manage the file. Then verify with a lookup against the server, for example dig @192.168.0.100 my-best-server.com, and your DNS server is completely set up!