BIND setup on CentOS
What is BIND and what does it do?
BIND is an implementation of the Domain Name System (DNS) protocols. The name BIND stands for "Berkeley Internet Name Domain", because the software originated in the early 1980s at the University of California at Berkeley. In recent years, the word BIND has become, like "radar" and "snafu" and "laser" and "scuba", more word than acronym.
The DNS protocols are part of the core Internet standards. They specify the process by which one computer can find another computer on the basis of its name. What it means to say "BIND is an implementation of the DNS protocols" is that the BIND software distribution contains all of the software needed both to ask name service questions and to answer such questions.
The BIND software distribution contains three parts:
- A Domain Name System server. This is a program called "named", which is pronounced "name-dee" and stands for "name daemon". It answers questions that are sent to it, following the rules specified in the DNS protocol standards. You can provide DNS service on the internet by installing this software on a server computer and giving it correct information about your domain names.
- A Domain Name System "resolver library". A "resolver" is a program that resolves questions about names by sending those questions to appropriate servers and responding appropriately to the servers' replies. A "resolver library" is a collection of software components that a programmer can add to software being developed, which will give that software the ability to resolve names. For example, a programmer who was programming a new web browser does not need to create the part of it that looks up names in DNS; he or she can plug in the resolver library and then send questions to the library software components. This saves time (the programmer does not need to re-invent that particular wheel) and helps ensure that the new browser correctly follows the DNS standards.
- Software tools for testing servers. These are the tools that we use for testing, and we include them in the distribution in case you would like to do your own testing, perhaps to make sure your server configuration is working properly.
When you install an operating system on your computer, that operating system will contain whatever resolver library its developers selected for it. When you set up a server computer, its vendor usually has provided some DNS server software (usually BIND) so that the server will work as delivered. Because BIND faithfully implements the DNS protocols, there is no need for the resolver (which asks questions) and the server (which answers questions) to be running the same software.
Install bind
We will install BIND 9 in a hardened configuration. The bind-chroot package runs the BIND 9 name server inside a chroot jail and as a non-root user (named), so that a compromise of named gives the attacker as little as possible.
For CentOS
yum install bind-chroot
Once it is installed, some fine tuning (one command per line):
chmod 750 /var/named/
chmod 750 /var/named/chroot/
chmod 750 /var/named/chroot/var/
chmod 750 /var/named/chroot/var/named/
chmod 750 /var/named/chroot/var/run/
chmod 750 /var/named/chroot/var/run/named/
cd /var/named/chroot/var/named/
ln -s ../../ chroot
cp /usr/share/doc/bind-9.3.3/sample/var/named/named.local /var/named/chroot/var/named/named.local
cp /usr/share/doc/bind-9.3.3/sample/var/named/named.root /var/named/chroot/var/named/named.root
touch /var/named/chroot/etc/named.conf
chkconfig --levels 235 named on
/etc/init.d/named start
Configure bind
The main config file is named.conf, located in /var/named/chroot/etc/ (inside the chroot, which is why the path starts with /var/named/chroot).
It is easier to create a separate zone file for each domain and reference it from named.conf with a zone statement. Here is an example of what the zone file for a domain could look like.
As you probably guessed, everything after a ; is a comment.
$TTL 1H
@ IN SOA ns1.domain.com. root (
        2009091114 ; serial
        1H         ; refresh
        15M        ; retry
        4W         ; expire
        1H         ; Negative caching TTL of 1 hour
        )
; Name servers
domain.com. IN NS ns1.domain.com.
domain.com. IN NS ns2.domain.com.
domain.com. IN MX 10 mail.domain.com.
ns1.domain.com. IN A 192.168.2.11
ns2.domain.com. IN A 192.168.3.16
www.domain.com. IN A 192.168.2.50
ftp.domain.com. IN A 192.168.2.50
mail.domain.com. IN A 192.168.2.100
domain.com. IN NS ns1.domain.com.
This is an NS record: it names a name server that is authoritative for the zone, i.e. the server that holds these DNS records.
Usually there are two, the primary and a secondary (backup), so the domain still resolves when one of them is down.
domain.com. IN MX 10 mail.domain.com.
This is the MX record, the mail exchanger record. It tells other mail servers where to deliver mail for domain.com, in this case to mail.domain.com. The 10 is the preference value; when there are several MX records, the lowest value is tried first.
The remaining lines are A records, which map the host names used above to IP addresses. The A records for ns1 and ns2 are needed so that the servers named in the NS records can themselves be reached:
ns1.domain.com. IN A 192.168.2.11
ns2.domain.com. IN A 192.168.3.16
www.domain.com. IN A 192.168.2.50
ftp.domain.com. IN A 192.168.2.50
mail.domain.com. IN A 192.168.2.100
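The following Python script is an added example and not part of the original page: it parses a zone file in the format shown above and checks it for the mistakes that most often break a freshly configured zone, namely a serial that does not follow the YYYYMMDDnn convention, fewer than two NS records at the apex, and NS or MX targets that have no address record or point at a CNAME. The sample zone text is a constructed copy of the page's domain.com zone; the zone file is assumed to be referenced from named.conf with a statement such as zone "domain.com" { type master; file "domain.com.zone"; };, which is not shown on the page.

```python
"""Parse a BIND zone file and flag common authoring mistakes (added example)."""
import re
from dataclasses import dataclass

# Constructed sample: the zone file shown on this page for domain.com.
ZONE_TEXT = """\
$TTL 1H
@ IN SOA ns1.domain.com. root (
        2009091114 ; serial
        1H         ; refresh
        15M        ; retry
        4W         ; expire
        1H         ; Negative caching TTL of 1 hour
        )
; Name servers
domain.com. IN NS ns1.domain.com.
domain.com. IN NS ns2.domain.com.
domain.com. IN MX 10 mail.domain.com.
ns1.domain.com. IN A 192.168.2.11
ns2.domain.com. IN A 192.168.3.16
www.domain.com. IN A 192.168.2.50
ftp.domain.com. IN A 192.168.2.50
mail.domain.com. IN A 192.168.2.100
"""

# Which rdata fields hold domain names that must be made absolute.
NAME_FIELDS = {"NS": (0,), "CNAME": (0,), "PTR": (0,), "MX": (1,), "SOA": (0, 1)}


@dataclass
class Record:
    name: str
    rtype: str
    rdata: list


def absolute(name, origin):
    """Expand @ and relative names; a trailing dot marks a name as absolute."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    if not origin.endswith("."):
        origin += "."
    records, buf, depth, owner = [], [], 0, None
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]          # ';' starts a comment (no quoted strings here)
        if not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth > 0:                        # still inside a ( ... ) continuation
            continue
        logical, buf = " ".join(buf), []
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$TTL":
            continue                         # default TTL; not needed for these checks
        if tokens[0] == "$ORIGIN":
            origin = absolute(tokens[1], origin)
            continue
        if logical[0] in " \t":              # blank owner: reuse the previous one
            name = owner
        else:
            name = owner = absolute(tokens.pop(0), origin)
        if tokens and re.fullmatch(r"\d+[smhdwSMHDW]?", tokens[0]):
            tokens.pop(0)                    # optional per-record TTL
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                    # optional class
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in NAME_FIELDS.get(rtype, ()):
            rdata[i] = absolute(rdata[i], origin)
        records.append(Record(name, rtype, rdata))
    return records


def lint_zone(text, origin):
    """Return a list of problems; an empty list means the zone passed every check."""
    if not origin.endswith("."):
        origin += "."
    recs = parse_zone(text, origin)
    problems = []
    has_addr = {r.name for r in recs if r.rtype in ("A", "AAAA")}
    cnames = {r.name for r in recs if r.rtype == "CNAME"}
    soa = [r for r in recs if r.rtype == "SOA"]
    if len(soa) != 1:
        problems.append("zone must have exactly one SOA record")
    elif not re.fullmatch(r"(19|20)\d{6}\d{2}", soa[0].rdata[2]):
        problems.append(f"SOA serial {soa[0].rdata[2]} is not in YYYYMMDDnn form")
    if len([r for r in recs if r.rtype == "NS" and r.name == origin]) < 2:
        problems.append("fewer than two NS records at the zone apex")
    # Every in-zone NS or MX target needs an address record and must not be a CNAME.
    for r in recs:
        if r.rtype not in ("NS", "MX"):
            continue
        target = r.rdata[0] if r.rtype == "NS" else r.rdata[1]
        if target in cnames:
            problems.append(f"{r.rtype} target {target} is a CNAME, which RFC 2181 forbids")
        elif target.endswith(origin) and target not in has_addr:
            problems.append(f"{r.rtype} target {target} has no A/AAAA record in the zone")
    return problems


if __name__ == "__main__":
    for p in lint_zone(ZONE_TEXT, "domain.com") or ["zone looks consistent"]:
        print(p)
```

Run it against your own zone by reading the file into lint_zone; it complements named-checkzone (which checks syntax) with the consistency checks a reviewer would otherwise do by eye. Remember to bump the serial every time you edit the zone, or secondaries will never transfer the change.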
Test
Now test whether the server works. With dig:
dig is easy to use; just give it the domain name you want to look up. Without a server argument it asks the resolver configured in /etc/resolv.conf:
dig domain.com
To query the BIND server you just set up directly, give its IP address after @ (replace ipaddress with the address of your server):
dig @ipaddress domain.com
In the reply, the flags line should contain aa (authoritative answer) and the ANSWER SECTION should list the records from your zone file.
With host:
host -v domain.com
host -v domain.com ipaddress
Security
There is a type of Distributed Denial of Service (DDoS) attack, DNS amplification, that uses open recursive DNS servers to attack other sites: the attacker sends small queries with the victim's address as the spoofed source, and the open server sends the much larger answers to the victim.
You can prevent your server from being abused this way by adding two lines to the options block of the BIND config file (/var/named/chroot/etc/named.conf):
options {
    allow-query-cache { none; };
    recursion no;
};
With this configuration the server still answers with the IP addresses of the domains it is authoritative for, but it will not ask other DNS servers on behalf of clients for names it does not know, and it will not hand out anything from its cache. If the same machine must also act as the resolver for your own network, restrict recursion to your own address ranges with allow-recursion { ...; } instead of disabling it entirely.
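Both the dig checks in the Test section and the open-resolver concern here come down to reading the flags in the DNS response header: a correct answer from your own zone carries the aa (authoritative answer) flag, and a server that can be abused for amplification answers a recursive query for a foreign name with ra set and records in the answer section. The following Python script is an added example and not code from the original page: it builds a DNS query on the wire, parses the reply and classifies it. build_response is a constructed stand-in for the server so the logic can be exercised offline; the name www.example.org and the address 198.51.100.7 are placeholders.

```python
"""Query a DNS server and tell an authoritative answer from an open resolver (added example)."""
import socket
import struct
import sys

RCODE_REFUSED = 5


def build_query(qname, qtype=1, rd=True, txid=0x1234):
    """Build a minimal DNS query (RD=1 asks the server to recurse on our behalf)."""
    flags = 0x0100 if rd else 0
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080), "rcode": flags & 0x000F,
            "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar}


def read_name(msg, off):
    """Decode a possibly compressed name; return (name, offset just after it)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if ln & 0xC0 == 0xC0:                      # compression pointer to an earlier name
            end = end if end is not None else off + 2
            off = ((ln & 0x3F) << 8) | msg[off + 1]
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", (end if end is not None else off)


def parse_response(msg):
    h = parse_header(msg)
    off = 12
    for _ in range(h["qdcount"]):                  # skip the echoed question(s)
        _, off = read_name(msg, off)
        off += 4
    answers = []
    for _ in range(h["ancount"]):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        value = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata
        answers.append((name, "A" if rtype == 1 else rtype, value))
    h["answers"] = answers
    return h


def classify(parsed):
    """Interpret a reply to an RD=1 query. For a name the server is NOT authoritative
    for, 'open resolver' means anyone on the internet can use it for recursion."""
    if parsed["rcode"] == RCODE_REFUSED:
        return "refused"
    if parsed["aa"]:
        return "authoritative answer"
    if parsed["ra"] and parsed["rcode"] == 0 and parsed["answers"]:
        return "open resolver"
    return "recursion unavailable"


def build_response(query, *, aa, ra, rcode=0, addresses=()):
    """Constructed server side for offline testing: echo the question, add A records."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = 0x8000 | 0x0100 | (0x0400 if aa else 0) | (0x0080 if ra else 0) | rcode
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addresses), 0, 0)
    rrs = b"".join(b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4)
                   + bytes(int(o) for o in a.split(".")) for a in addresses)
    return header + query[12:] + rrs


def query(server, qname, timeout=3.0):
    """Send one UDP query to a real server and return the parsed reply."""
    q = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        resp, _ = s.recvfrom(4096)
    if resp[:2] != q[:2]:
        raise ValueError("transaction id mismatch")
    return parse_response(resp)


if __name__ == "__main__":
    server = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    own = query(server, "www.domain.com")          # a name from your own zone
    print("own zone:", classify(own), own["answers"])
    foreign = query(server, "www.example.org")     # a name the server should not recurse for
    print("foreign name:", classify(foreign))
```

Run it as python3 check_dns.py ipaddress from a host outside your network: the first line should read "authoritative answer" with your A records, the second "refused" or "recursion unavailable". If the second line says "open resolver", the recursion no / allow-query-cache settings above are not in effect on that server.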