You are on page 1of 10

RHEL / CentOS Bind Tutorial

Guide to the BIND9 DNS of Red Hat Enterprise Linux 5 / CentOS Linux 5.
by Vivek Gite <vivek@nixcraft.com>, © 2008 nixCraft. All rights reserved. <http://www.cyberciti.biz>

Warnings
• •

Do not attempt to implement any of the recommendations in this guide without first testing in a nonproduction environment. This document is only a guide containing recommended security settings for BIND software. It is not meant to replace well structured policy or sound judgment. Furthermore this guide does not address site-specific configuration concerns. Configuration changes described in this document apply only to Red Hat Enterprise Linux 5.x or CentOS Linux 5.x. They may or may not translate gracefully to other operating systems.

BIND DNS Server Software
BIND (Berkeley Internet Name Domain or "named") is the most commonly used DNS server on the Internet, especially on Linux and Unix-like systems, where it is a de facto standard.

Required packages
You need to install the following packages. 1. bind - BIND includes a DNS server (named), which resolves host names to IP addresses; a resolver library (routines for applications to use when interfacing with DNS); and tools for verifying that the DNS server is operating properly. 2. bind-chroot - A chroot runtime environment for the ISC BIND DNS server, named. This package contains a tree of files which can be used as a chroot jail for the named program from the BIND package. 3. bind-utils - Bind-utils contains a collection of utilities for querying DNS (Domain Name System) name servers to find out information about Internet hosts. These tools will provide you with the IP addresses for given host names, as well as other information about registered domains and network addresses. You should install bind-utils if you need to get information from DNS name servers.

Our sample setup
You have two CentOS v5.x or RHEL v5.x server installed as follows with two public IP addresses as follows:
ns1.nixcraft.com => 202.54.1.1 ns2.nixcraft.com => 190.5.1.1

ISP servers are configured as recursive caching servers. /var/named/chroot/dev/ . even when UDP would suffice.com and its IP address with your ISP or domain registrar such as Go Daddy.Zone and log data files. BIND 9 was a complete rewrite.nixcraft.BIND jail directory. it will search through DNS name space to get the data.Register your name server with ISP / Domain Service Provider You need to register ns1.x? Type the yum command as follows: # yum install bind bind-chroot bind-utils Understanding Directory Structure You must run named in a jail to increase security. This is known as name resolution. In this tutorial you will learn about setting up non-recursive master and slave server.conf and other config file here. BIND default network ports The following TCP/IP application layer . it has still experienced few vulnerabilities. Non-recursive (iterative) .DNS protocol number used by BIND 9 dns software: • • TCP port 53 : It is only used when the response data size exceeds 512 bytes. Recursive .A recursive query is one where the DNS server will fully answer the query (or give an error). www The type of the resource record such as A. You can configure BIND to answer two types of DNS queries: 1.nixcraft. Understanding Resource Records (RR) Each resource record has five fields as follows: Resource Record Name Type Description The domain name the resource record refers to. For e.g. 2. it uses the resolver to send a query against DNS server such as your own or ISP's dns servers. Store all your configuration and zone data here.You need to store named. /var/named/chroot/var/named/ . If authoritative it will return reply. When an application such as Firefox need information from the DNS. otherwise. Please see this FAQ about name resolution for further details. How do I install bind server under CentOS / RHEL 5. Please note that some operating systems such as HP-UX are known to have resolver implementations that use TCP for all queries.Device file directory used by named jail. /var/named/chroot/etc/ . Therefor you need to keep open both ports using firewall software such as netfilter.A non-recursive query is one in which the DNS server may provide a partial answer to the query (or give an error). or for such tasks as zone transfer to slave / secondary servers. • • • • /var/named/chroot/ . MX etc . UDP port 53 : DNS primarily uses UDP on port 53 to serve requests. In the earlier days of the Internet BIND 4 and BIND 8 have had a large number of serious security vulnerabilities over the years. Understanding the name resolution process Each client that access name servers are known as resolvers (it is a library). Usually.com and ns1.

cyberciti.net. RDATA Actual data assoicated with the domain. Signed time in seconds that RR stays valid.1 The Main DNS Record Types Record Type A AAAA CNAME MX NS PTR TXT SOA KEY Label Address Canonical Name Mail eXchanger Name server Pointer Text Start Of Authority Description IPv4 32 bit host IP address such as 202. An example of PR made of five fields: ns1 3600 IN A 202.54. Set The server's public key for TSIG and DNSSEC. Using the bind-chroot-admin Command bind-chroot-admin tool can be used to enable or disable the bind-chroot environment. For e.54. This will make it much harder for attackers to exploit newly-discovered vulnerabilities. To turn on BIND jail setup. but other possiblities includes CHAOSnet (CH) and Hesiod (HS).2 Set an alias for a domain name. It can be IN (Internet).nixcraft.g. It is used to set host description or anti spam configurations. This section discusses mechanisms for preventing the DNS server from interfering with other services.biz is an alias for ghs. How Do I Chroot Named? The default directory /var/named/chroot is the location of the chroot. This is a security feature and you must use it. For e. theos. A list of authoritative name server for the domain. A text string upto 255 bytes long.in registered with ns1.g.x. cyberciti. Mostly used to set reverse name resolution. This tutorial only covers IN class for TCP/IP internet communication.net and ns2.net.g. and to make direct attacks on nameservers more difficult. Class code. feeds.biz mail is send to mail.google. Usually used on master bind server. enter: # bind-chroot-admin .nixcraft.nixcraft. For e. This is done both to protect the remainder of the network should a nameserver be compromised. Set the start of a zone of authority.1.1.com A list of mail servers for domain to which to send for domain name.Resource Record TTL CLASS Description The time to live of the RR. IPv6 Address IPv6 address in IPv6 format such as 2001:470:1f0e:b2::2 Master BIND9 Server Configuration Let us see how to configure the master named using RHEL 5.

}.*. enter: # cd /var/named/chroot/var/named # cp /usr/share/doc/bind-9. . Clauses in the statements are also semi-colon terminated. Get our zone stuff */ include "/etc/named. severity dynamic. 190. version "nixCraft dns server". Statements are enclosed in braces and terminated with a semi-colon. }.*.1. }.local. allow-notify { 202. }. /* /* /* Get localhost and other */ include "/etc/named. Copy required default zone files to the bind-chroot. The usual comment styles are supported: The "options" statement sets up global options to be used by Bind. memstatistics-file "data/named_mem_stats. Save and close the file.*.named.1.conf.broadcast} .*.root. enter: options { listen-on-v6 { none. listen-on { 202.db.db".1.run".conf is the configuration file for named. }. enter: # cd /var/named/chroot/etc/ # cp /usr/share/doc/bind-9.zero.zones". logging { channel default_debug { file "data/named.conf Append following configuration.conf Type the following command: # cd /var/named/chroot/etc/ # vi named. auth-nxdomain no.zones. Get root server */ include "/etc/named.hints} .root. dump-file "data/cache_dump.local". directory "/var/named". recursion no.conf.named.1.3.3. statistics-file "data/named_stats.rfc1912.hints".1.-e Copy required named config files to the bind-chroot. dnssec-enable yes.root.zone.txt". -v Create default named. Where.4/sample/etc/ {named. Understanding BIND main configuration file named.*.1.54.txt". }.rfc1912.54.5.4/sample/var/named/ {*.

This conform to RFC1035. This is security measure for Bind not to reveal its version number.Set BIND version number. }.54.1.54.Enable DNSSEC support in named. . directory "/var/named". Open /etc/sysconfig/iptables file and add the following line before the final LOG and DROP lines: # vi /etc/sysconfig/ iptables. Channels with dynamic severity use the server's global debug level to determine what messages to print. . a slave.1.BIND provides various fine tuning options for server to log messages. .Disable IPv6 support.local and add your domain. . -A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT Finally. memstatistics-file "data/named_mem_stats.conf.The pathname of the file the server writes memory usage statistics to on exit.in can be added as follows: zone "theos. UNIX shell style comment defined as follows: # Get localhost and other Configure Iptables Based Firewalls to Protect the BIND DNS Server You need to allow remote client / system to connect the DNS server. }.The pathname of the file the server dumps the database to when instructed to do so with rndc dumpdb command.The pathname of the file the server appends statistics to when instructed to do so using rndc stats..Listen on 202.db". 190.5. restart iptables: # service iptables restart Add Domain Called TheOS. The severity clause works like syslog’s "priorities".1. dump-file "data/cache_dump. To turn on IPv6 support replace none with actual IPv6 IP address or any keyword. listen-on { 202. . allow-notify { 202.1. }.• • • • • • • • • • • • listen-on-v6 { none.txt". }.1. More about comments The following is nothing but comment defined using C style: /* Get localhost and other */ BIND also support C++ style comment: // Get localhost and other And. For example.in on Master Edit /var/named/chroot/etc/named. version "nixCraft dns server". . .1. . . of zone changes in addition to the zone masters.1 IPv4 address. . recursion no.BIND directory to store logs and zone data.txt". statistics-file "data/named_stats. auth-nxdomain no.1. . . logging { .in" { type master. dnssec-enable yes.54. . theos..Do not provide recursive service to any clients. except that they can also be used if you are writing straight to a file rather than using syslog.Specifies which hosts are allowed to notify this server.

nixcraft.theos.1.1.root. recursion no.nixcraft.5.153 ghs.168. }. Expire after 1 week 1h) .126. Serial yyyymmddnn 3h . ( 2008071012 .1. "v=spf1 mx ~all" 75. SPF for mx @ .com.txt". // the default dump-file "data/cache_dump. allow-transfer { key TRANSFER. /* /* .153 75.theos. Cname alias feeds . Minimum negative caching of 1 hour .zones". version "nixcraft DNS Server #2". Create /var/named/chroot/var/named/zone. }. statistics-file "data/named_stats. 2607:f0d0:1002:11::5 2607:f0d0:1002:11::5 Slave BIND9 Server Configuration Edit /var/named/chroot/etc/named.5. transfer-source 190.168. use-alt-transfer-source yes.1. }. // Statistics zone-statistics yes.com.com. Domain IP @ www . vivek. include "/etc/rndc. directory "/var/named"..nixcraft.hints".rfc1912.com.54.}. allow-notify { 202.key".nixcraft.in. }.conf as follows: options { listen-on { 190.db".in". ipv6 address @ www 3600 3600 3600 3600 3600 3600 3600 3600 IN NS IN NS IN TXT IN A IN A IN CNAME IN IN AAAA AAAA ns1. memstatistics-file "data/named_mem_stats. dnssec-enable yes.in as follows: $ORIGIN theos.1.126.google. Refresh After 3 hours 1h . Retry Retry after 1 hour 1w . ns2. Get localhost and other */ include "/etc/named. file "/var/named/zone.1.com. Name servers @ @ . Get root server */ include "/etc/named.txt". $TTL 3h @ IN SOA ns1.

in can be added as follows: zone "theos.1. Zone data is stored in /etc/bind/named.1 Slave nameserver: ns2. theos.nixcraft. }.1. }. TSIG uses shared secrets and a one-way hash function to authenticate DNS messages. 2. TSIG uses a one-way hash function to provide authentication and data integrity. . proving that the message's sender had a cryptographic key shared with the receiver and that the message wasn't modified after it left the sender.202.com .in".com . Add Domain Called TheOS.1 BIND configuration is stored in /etc/bind/ directory.conf file. For example. but can be extended for dynamic updates as well).54.key". TSIG can protect the following type of transactions between two DNS servers: • • • • Zone transfer Notify Dynamic updates Recursive query messages etc TSIG is available for BIND v8. 3.theos.5. The TSIG record signs the DNS message. TSIG is easy and lightweight for resolvers and named.in" { type slave. Our sample setup: • • • • Master nameserver: ns1.1. allow-transfer { none./* include "/etc/tsig. file "slaves/db.190.nixcraft.local and add your domain. Each name server adds a TSIG record the data section of a dns server-to-server queries and message.slave. masters { 202.54. Reload Named after configuring TSIG: # rndc reload OR # service named restart Bind Security: Transaction Signatures (TSIG) Configuration Transaction signatures (TSIG) is a mechanism used to secure DNS messages and to provide secure server-to-server communication (usually between master and slave server.conf.in on Slave Server Edit /var/named/chroot/etc/named. How it works? 1. Our own zone */ include "/etc/named.1.local". }.conf.2 and above.

rfc1918 Where.theos.+157+64252.key and . which creates two files.Contains the public key.2 Algorithm: 157 (HMAC_MD5) Key: 0jnu3SdsMvzzlmTDPYRceA== Bits: AAA= Open /var/named/chroot/etc/tsig. The . -n Specify the nametype.key Now you need to create tsig.127 root 237 2009-01-06 12:16 db.master server configuration Run the following command and note down the Key: # cat Krndc-key. or USER. Using TSIG .options bind 77 2009-01-24 20:37 rndc. +157+64252.+157+64252.key root 81 2009-01-25 14:13 Krndc-key.root root 52 2009-01-25 14:13 Krndc-key.key . }. secret "0jnu3SdsMvzzlmTDPYRceA==". A nametype can be a ZONE.+157+64252.in The above dnssec-keygen program created two files as follows.255 root 353 2009-01-06 12:16 db.+157+64252. ENTITY. using the dnssec-keygen program.in) to create the shared keys.private .0 root 271 2009-01-06 12:16 db.private files are generated for symmetric encryption algorithms such as HMAC-MD5.conf.local root 1506 2009-01-06 12:16 db.private file contains algorithm-specific fields.How Do I Configure TSIG? Type the following command on master nameserver (ns1. enter: # vi /var/named/chroot/etc/tsig.key file on master server as follows: key "TRANSFER" { algorithm hmac-md5.private bind 1302 2009-01-25 14:13 named. Krndc-key.Contains the private key. Both .empty root 256 2009-01-06 12:16 db. • • • -a Specify the encryption algorithm. HOST. both containing the key generated. # dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key Sample output: Krndc-key. # Slave server IP # 1 . -b Specify the key size.conf.+157+64252 List all files.private Sample output: Private-key-format: v1.key file contains a DNS KEY record that can be inserted into a zone file. you need to use HOST or ZONE such as theos.local bind 358 2009-01-25 14:02 named. enter: # ls -l Output: total 52 -rw-r--r--rw-r--r--rw-r--r--rw-r--r--rw-r--r--rw-r--r--rw-------rw-------rw-r--r--rw-r--r--rw-r--r--rw-r-----rw-r--r-1 1 1 1 1 1 1 1 1 1 1 1 1 root root root root root root root root root root root bind root root 237 2009-01-06 12:16 db.conf bind 165 2009-01-06 12:16 named. even though the public and private key are equivalent: • • Krndc-key.key file. Usually. The .key root 1317 2009-01-06 12:16 zones.

3 { # keys { # TRANSFER.2. # Master server IP server 202. to sign all requests to the host slave server 75. In our case the above substatement informs the master server.key". TSIG keys are configured using the keys substatements. secret "0jnu3SdsMvzzlmTDPYRceA==".server 190. }. Restart named: # rndc reload OR # service named restart Using TSIG .2. Save and close the file. }. Save and close the file.54. # }. enter: # tail -f /var/log/messages OR # tail -f /var/log/syslog OR # grep 'theos.slave server configuration Create /var/named/chroot/etc/tsig. Open named.1 { keys { TRANSFER. named. enter: # vi /var/named/chroot/etc/tsig.bind. Save and close the file. }.conf Append the following line: include "/etc/tsig.55. ################################ First block is nothing but keys. }.5.conf: include "/etc/tsig.1.in/IN' /var/log/syslog Further Resources The following resources provide more detailed information about the BIND9 software: 1. Bind9 Project . enter: # vi /var/named/chroot/etc/named.key on slave server. Append following to /var/named/chroot/etc/named. #}.1. ################################ # If you have 3rd slave server with IP 64.1.1 { keys { TRANSFER.key Append following config: key "TRANSFER" { algorithm hmac-md5.key". The keys substatements inform a name server to sign queries and zone transfer requests sent to a particular remote name server. man pages .2.1.100 with the key called TRANSFER.conf file. The server statement's keys clause to tell the slave name server to sign all zone transfer requests and queries sent to its master server and vice verse.3 #server 64. Restart / reload the bind server: # rndc reload OR # service named restart Verify TSGI Watch your master BIND dns server log file or system log file.conf 2. }.

If any misrepresentations. [ Privacy Policy . Please use all information. The use of this information is your OWN sole responsibility.com/. Bind from Wikipedia.Forum ] .Terms of Service .cyberciti. Copyright © 2008-2009 nixCraft. Although the author and its contributors believes the contents to be accurate at the time of publication. All rights reserved. no liability is assumed for them. the free encyclopedia Have a question or comment? Use our DNS tech support forum at http://nixcraft. their application or any consequences thereof. All trademark within are property of their respective holders. nixCraft website (http://www. commands and configuration with care.biz/) and its contributors will not be responsible for damages of any kind resulting from its use. errors or other need of clarification is found.com. please contact the us immediately at vivek@nixcraft.Questions or Comments .3. This pdf version is for personal use only.