How to install and chroot Bind9

First install Bind9:

# aptitude install bind9

Then stop it so we can move to the chroot:

# /etc/init.d/bind9 stop

Set bind to run as the unprivileged user bind and chrooted to /var/lib/named:

# vi /etc/default/bind9
OPTIONS="-u bind -t /var/lib/named"

Chrooting an application means making it think the directory it's chrooted to is the root of the file system. We need to create the directory bind is chrooted to as well as the necessary directories under it:

# mkdir -p /var/lib/named/etc
# mkdir -p /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory to /var/lib/named/etc:

# mv /etc/bind /var/lib/named/etc

Create a symlink from the old location to the new config directory:

# ln -s /var/lib/named/etc/bind /etc/bind

Create another symlink for log files:

# ln -s /var/lib/named/var/log /var/log/bind9

Next make null and random devices:

# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8

And then set the permissions of the devices and the ownership of the directories:

# chmod 666 /var/lib/named/dev/null 
# chmod 666 /var/lib/named/dev/random
# chown -R bind:bind /var/lib/named/var/*
# chown -R bind:bind /var/lib/named/etc/bind

We need to modify the startup configuration of sysklogd so that we can still get important messages logged: once chrooted, named can no longer reach /dev/log, so syslogd must also listen on a socket inside the chroot. Modify the line SYSLOGD="" so that it reads as follows.

For Debian 3.1 (sarge) the line is in /etc/init.d/sysklogd:

# vi /etc/init.d/sysklogd

For Debian 4.0 (etch) it is in /etc/default/syslogd:

# vi /etc/default/syslogd

In either file, set:

SYSLOGD="-a /var/lib/named/dev/log"

Restart sysklogd and start bind:

# /etc/init.d/sysklogd restart
# /etc/init.d/bind9 start
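Before trusting named inside the chroot, it is worth checking that every piece the steps above created is actually in place. The following function is an added example, not part of the HOWTO; it takes the chroot directory as its argument (assumed to be /var/lib/named in normal use) and reports anything missing, mis-owned or wrongly permissioned.

```shell
#!/bin/sh
# chroot_check ROOT: verify the chroot layout built above under ROOT
# (normally /var/lib/named). Findings are written to stderr and the
# number of findings is printed on stdout, so 0 means all looks right.
chroot_check() {
    root=$1
    findings=0
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory $root/$d" >&2
            findings=$((findings + 1))
        fi
    done
    # named needs /dev/null and /dev/random inside the chroot as
    # world-accessible character devices (the mknod/chmod steps above)
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "$root/dev/$dev is not a character device" >&2
            findings=$((findings + 1))
        elif [ "$(stat -c %a "$root/dev/$dev")" != 666 ]; then
            echo "$root/dev/$dev is not mode 666" >&2
            findings=$((findings + 1))
        fi
    done
    # syslogd creates this socket when started with -a ROOT/dev/log;
    # without it nothing named logs ever reaches syslog
    if [ ! -S "$root/dev/log" ]; then
        echo "no syslog socket at $root/dev/log (restart sysklogd)" >&2
        findings=$((findings + 1))
    fi
    # config and cache directories must belong to the unprivileged user
    for p in etc/bind var/cache/bind; do
        if [ -d "$root/$p" ] && [ "$(stat -c %U "$root/$p")" != bind ]; then
            echo "$root/$p is not owned by bind" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}
```

Run it as root after the bind9 start above, e.g. chroot_check /var/lib/named; a non-zero count means named will either fail to start or run without logging.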

Testing Bind

First, check syslog and daemon.log for errors:

# tail -f /var/log/syslog
# tail -f /var/log/daemon.log

Then query your server and verify its answer:

# dig @localhost www.bbc.co.uk

Configuring Bind

Edit the bind configuration file:

# vi /etc/bind/named.conf.local

Restrict which clients bind will resolve DNS queries for:

// these statements go inside the options { } block
allow-query {
  127.0.0.1;
};

Restrict which clients bind will answer recursive DNS queries for:

allow-recursion {
  127.0.0.1;
};

Set which servers should be allowed to perform zone transfers. Specify the IP address of all secondaries:

allow-transfer {
  1.2.3.4;
};

You should now restart bind and repeat the testing we did previously.

# /etc/init.d/bind9 restart
# tail -f /var/log/syslog
# tail -f /var/log/daemon.log
# dig @localhost www.bbc.co.uk
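A quick way to catch the two settings that matter most here, an open recursive resolver and zone transfers open to anyone, is to lint the options file before restarting. This is an added example, not from the HOWTO; it assumes the file path is passed as an argument and that the three statements are written as shown above.

```shell
#!/bin/sh
# acl_check FILE: inspect allow-query, allow-recursion and
# allow-transfer in a BIND options file. Findings go to stderr,
# the number of findings is printed on stdout.
acl_check() {
    file=$1
    findings=0
    for stmt in allow-query allow-recursion allow-transfer; do
        # strip comments, join lines, pull out what is between the braces
        value=$(sed -e 's,//.*$,,' -e 's,#.*$,,' "$file" | tr '\n' ' ' |
                sed -n "s/.*$stmt[[:space:]]*{\\([^}]*\\)}.*/\\1/p" | tr -d ' ')
        if [ -z "$value" ]; then
            echo "$stmt is not set; set it explicitly" >&2
            findings=$((findings + 1))
        # allow-query { any; } is expected on an authoritative server,
        # but recursion or transfers open to any client are not
        elif [ "$value" = "any;" ] && [ "$stmt" != allow-query ]; then
            echo "$stmt { any; }: open to every client" >&2
            findings=$((findings + 1))
        fi
    done
    echo "$findings"
}
```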

Configuring Authoritative DNS

Edit the bind configuration file and set bind to resolve DNS queries for all clients:

# vi /etc/bind/named.conf.local
allow-query {
  any;
};

You should continue to restrict which clients bind will resolve recursive queries for as shown previously.

Next create a directory to store your zone files in:

# mkdir -p /etc/bind/zones
# chown bind:bind /etc/bind/zones
# chmod 700 /etc/bind/zones

Create a template zone file as shown below:

# vi /etc/bind/zones/template
;
; SOA
;
$TTL    1h
@               IN      SOA     dns1.example.com. hostmaster.example.com. (
                        2007010101      ; Serial number
                        1h              ; Slave refresh
                        15m             ; Slave retry
                        2w              ; Slave expire
                        1h              ; Negative Cache TTL
                        )
;
; NS RECORDS
;
@               IN      NS              dns1.example.com.
@               IN      NS              dns2.example.com.
;
; MAIL RECORDS
;
@               IN      MX      10      mx.example.com.
; a CNAME must point at a different name; these point at the MX host
mail            IN      CNAME           mx.example.com.
smtp            IN      CNAME           mx.example.com.
webmail         IN      CNAME           mx.example.com.
;
; WWW RECORDS
;
@               IN      A               1.2.3.4
www             IN      A               1.2.3.4
;
; CUSTOM RECORDS
;

Set suitable permissions on the file:

# chown bind:bind /etc/bind/zones/template
# chmod 600 /etc/bind/zones/template

This won't actually be used, but we will copy it each time we create a new zone.

Adding a New Zone

Copy the zone file template and edit as necessary:

# cp -p /etc/bind/zones/template /etc/bind/zones/db.example.com

As a minimum you should set the serial number to today's date followed by an incremental two-digit number, as in the template's 2007010101.

Next tell bind where the zone file is:

# vi /etc/bind/named.conf.local
zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
        notify yes;
};

And finally reload bind:

# /etc/init.d/bind9 reload

Check the logs and test that bind is serving the correct answers for your new zone:

# tail -f /var/log/syslog
# tail -f /var/log/daemon.log
# dig @localhost example.com MX
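Secondaries only pick up a change if the serial actually goes up, so the serial step above is the one most often got wrong by hand. The following is an added example, not from the HOWTO: it computes the next serial in the date-plus-counter scheme the template uses and rewrites it in a zone file copied from the template (it relies on the "; Serial number" comment from the template and on GNU sed's -i).

```shell
#!/bin/sh
# next_serial CURRENT [TODAY]: next serial in YYYYMMDDnn form.
# TODAY defaults to the current date; it is a parameter so the
# logic can be exercised on fixed dates.
next_serial() {
    current=$1
    today=${2:-$(date +%Y%m%d)}
    case $current in
        ''|*[!0-9]*) echo "bad serial: $current" >&2; return 1 ;;
    esac
    if [ "$current" -lt "${today}01" ]; then
        # first change today (or the serial was behind today's date)
        echo "${today}01"
    else
        # already bumped today, or the serial is ahead of the clock:
        # a serial must only ever increase, so just add one
        # (nn=99 rolls into the next day's 00, which is still larger)
        echo $((current + 1))
    fi
}

# bump_zone FILE [TODAY]: replace the serial on the line tagged
# "; Serial number" in FILE (a copy of the template) in place.
bump_zone() {
    file=$1
    old=$(awk '/; Serial number/ { print $1 }' "$file")
    new=$(next_serial "$old" "$2") || return 1
    sed -i "s/^\\([[:space:]]*\\)$old\\([[:space:]]*; Serial number\\)/\\1$new\\2/" "$file"
    echo "$new"
}
```

Typical use is bump_zone /etc/bind/zones/db.example.com followed by the reload above.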

Discussion


Article from Andy's Debian HOWTOs (http://www.besy.co.uk/debian/debian)

Last modified: 2008/08/01 22:56