Home / guides   Print version

BIND setup on CentOS

What is BIND and what does it do?

BIND is an implementation of the Domain Name System (DNS) protocols. The name BIND stands for "Berkeley Internet Name Domain", because the software originated in the early 1980s at the University of California at Berkeley. In recent years, the word BIND has become, like "radar" and "snafu" and "laser" and "scuba", more word than acronym.

The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. What it means to say "BIND is an implementation of the DNS protocols" is that the BIND software distribution contains all of the software needed both to ask name service questions and to answer such questions.

The BIND software distribution contains three parts:

  • A Domain Name System server. This is a program called "named", which is pronounced "name-dee" and stands for "name daemon". It answers questions that are sent to it, following the rules specified in the DNS protocol standards. You can provide DNS service on the internet by installing this software on a server computer and giving it correct information about your domain names.
  • A Domain Name System "resolver library". A "resolver" is a program that resolves questions about names by sending those questions to appropriate servers and responding appropriately to the servers' replies. A "resolver library" is a collection of software components that a programmer can add to software being developed, which will give that software the ability to resolve names. For example, a programmer who was programming a new web browser does not need to create the part of it that looks up names in DNS; he or she can plug in the resolver library and then send questions to the library software components. This saves time (the programmer does not need to re-invent that particular wheel) and helps ensure that the new browser correctly follows the DNS standards.
  • Software tools for testing servers. These are the tools that we use for testing, and we include them in the distribution in case you would like to do your own testing, perhaps to make sure your server configuration is working properly.

When you install an operating system on your computer, that operating system will contain whatever resolver library its developers selected for it. When you set up a server computer, its vendor usually has provided some DNS server software (usually BIND) so that the server will work as delivered. Because BIND faithfully implements the DNS protocols, there is no need for the resolver (which asks questions) and the server (which answers questions) to be running the same software.

Install bind

We will be installing a secure version of BIND 9. This means we will be installing the BIND 9 name server to run in a chroot jail and as a non-root user, to provide added security and minimize the potential effects of a security compromise.

For CentOS

yum install bind-chroot

Installed now some fine tuning:

chmod 750 /var/named/
chmod 750 /var/named/chroot/
chmod 750 /var/named/chroot/var/
chmod 750 /var/named/chroot/var/named/
chmod 750 /var/named/chroot/var/run/
chmod 750 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
cp /usr/share/doc/bind-9.3.3/sample/var/named/named.local /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf
chkconfig --levels 235 named on
/etc/init.d/named start

configure bind

The main config file in named.conf. Located in /var/named/chroot/etc/.
It is easier to create a separated file for each domain and then link it.

Here is an example how a conf-file of domain could look like:

$TTL    1H
@               IN      SOA     ns1.domain.com.      root (
                        2009091114 ; serial
                        1H ; refresh
                        15M ; retry
                        4W ; expire
                        1H ; Negative caching TTL of 1 hour
                        )
; Name servers
domain.com. 	    IN      NS      ns1.domain.com.
domain.com. 	    IN      NS      ns2.domain.com.
domain.com.	    IN	    MX      10 mail.domain.com.
ns1.domain.com.     IN      A       192.168.2.11
ns2.domain.com.     IN      A       192.168.3.16
www.domain.com.     IN      A       192.168.2.50
ftp.domain.com.     IN      A       192.168.2.50
mail.domain.com.    IN      A       192.168.2.100
You already guessed it, everything after ; is a comment.

domain.com. IN NS ns1.domain.com.
This is the line for the name server, the server that holds the DNS record.
Usually there are 2; The main and the backup.

domain.com. IN MX 10 mail.domain.com.
This line of code is the MX record, or the mail record. It will tell other mail servers where to send mail. In this case to mail.domain.com for domain.com.

ns1.domain.com.     IN      A       192.168.2.11
ns2.domain.com.     IN      A       192.168.3.16
www.domain.com.     IN      A       192.168.2.50
ftp.domain.com.     IN      A       192.168.2.50
mail.domain.com.    IN      A       192.168.2.100
The rest of the lines translate the DNS-records to the IP-address.

Test

Now testing if the server works.

With dig:

Dig is really easy to use. just add the domain name you want to investigate:

dig domain.com
To investigate the BIND server you just setup:
dig @ipaddress domain.com
With the ipaddress as you BIND-server ipaddress.

With host

host -v domain.com
host -v domain.com ipaddress

 

Security

There is a type of Distributed Denial of Service attack (DDoS) that can use/trick a open DNS server to attack other sites.
You can prevent this by adding 2 lines to the bind config-file (/var/named/chroot/etc/named.conf).


options {
     allow-query-cache { none; };
     recursion no;
};
Basically this configuration allow the DNS-server to respond with the ip-address of domains it knows,
but will not request other DNS-servers for ip's it doesn't know.

 

TOP