Set up a Bind DNS server on Debian
Bind is a Domain Name System server widely used in the Unix world. Its great flexibility comes with a rather complex configuration. This howto tries to list the most important configuration options of Bind 9.
This howto is tested on:
- Debian 6.0 Squeeze
Installation
Install the server software:
command apt-get install bind9
The server configuration is managed by these two files:
- /etc/bind/named.conf.options: the DNS server options: access control lists, DNS redirections (forwarders), recursion, ...
- /etc/bind/named.conf.local: the DNS zones managed by the server.
Security
Enable Bind security events logging:
if [ -z "$(command grep '/var/log/named/security.log' '/etc/bind/named.conf.options')" ]; then
echo '
// Logging security events for fail2ban
logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};' >> '/etc/bind/named.conf.options'
fi
Create the security log folder:
command mkdir --parent /var/log/named/
command chown -R bind:bind /var/log/named/
Setup the security log rotation:
echo '/var/log/named/security.log {
    daily
    missingok
    rotate 7
    compress
    delaycompress
    notifempty
    create 644 bind bind
    postrotate
        /usr/sbin/invoke-rc.d bind9 reload > /dev/null
    endscript
}' > '/etc/logrotate.d/bind9-security'
Install fail2ban:
command apt-get install fail2ban
Enable Bind server protection by fail2ban:
if [ ! -e '/etc/fail2ban/jail.local' ]; then
    command touch '/etc/fail2ban/jail.local'
fi
# -F: the brackets must be matched literally, not as a regular expression character class.
if [ -z "$(command grep -F '[named-refused-tcp]' '/etc/fail2ban/jail.local')" ]; then
echo "
[named-refused-tcp]
enabled = true
" >> '/etc/fail2ban/jail.local'
fi
Reload the configuration:
/etc/init.d/bind9 reload
/etc/init.d/fail2ban restart
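To see what the logging block and the fail2ban jail actually give you, here is an added example (not part of the original howto) that checks a named.conf.options text for the security logging channel and then replays, on constructed sample lines, the counting fail2ban's named-refused-tcp jail performs on /var/log/named/security.log. The log line layout follows the BIND 9.7 "security" category messages; the sample configuration, sample log lines and the threshold are constructed for the example.

```shell
#!/bin/sh
# Added example, not part of the original howto: check that the security
# logging block is present, and replay the counting that the fail2ban
# named-refused-tcp jail performs on /var/log/named/security.log.
# The log line format follows BIND 9.7 "security" category messages
# (assumption); all sample data below is constructed.

# has_security_logging: read named.conf.options text on stdin; exit 0 when
# both the "channel security_file" and the "category security" blocks exist.
has_security_logging() {
    awk '
        /^[ \t]*channel[ \t]+security_file[ \t{]/ { channel = 1 }
        /^[ \t]*category[ \t]+security[ \t{]/     { category = 1 }
        END { exit (channel && category) ? 0 : 1 }
    '
}

# denied_clients MIN: read security log lines on stdin and print, sorted,
# the client addresses with at least MIN "denied" entries (the clients
# fail2ban would ban once its maxretry threshold is reached).
denied_clients() {
    awk -v min="$1" '
        / denied/ && match($0, /client [^#]+#/) {
            # "client <ip>#<port>:" -> keep <ip> (7 = length of "client ")
            ip = substr($0, RSTART + 7, RLENGTH - 8)
            count[ip]++
        }
        END { for (ip in count) if (count[ip] >= min) print ip }
    ' | sort
}

# Constructed sample configuration fragment, as written by the snippet above.
sample_options() {
    cat <<'EOF'
logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};
EOF
}

# Constructed sample log: one client refused three times, another once.
sample_log() {
    cat <<'EOF'
15-Nov-2010 10:00:01.123 security: info: client 192.0.2.10#4321: query (cache) 'example.org/A/IN' denied
15-Nov-2010 10:00:02.456 security: info: client 192.0.2.10#4322: query (cache) 'example.org/MX/IN' denied
15-Nov-2010 10:00:03.789 security: info: client 198.51.100.7#5353: query (cache) 'example.net/A/IN' denied
15-Nov-2010 10:00:04.000 security: info: client 192.0.2.10#4323: query (cache) 'example.org/A/IN' denied
EOF
}

if sample_options | has_security_logging; then
    echo "security logging: configured"
fi
echo "clients refused at least twice:"
sample_log | denied_clients 2
```

On a live server, replace the sample functions with `cat /etc/bind/named.conf.options` and `cat /var/log/named/security.log`; a client that shows up here with a high count is exactly what the jail will ban, so the threshold is a good place to tune before enabling it.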
Redirections
For the zones it does not manage itself, the DNS server can either resolve the information directly from the authoritative (master) DNS servers, or forward the queries to the DNS servers of the Internet access provider. The latter method is preferred because it is normally faster.
Detect the DNS servers of the Internet access provider:
NAME_SERVERS=$(command grep 'nameserver' '/etc/resolv.conf' \
| command sed -e 's/^.*nameserver[\t ]*//' \
-e 's/^\(.*\)$/\t\t\1\\;\\/' \
| command egrep -v '127\.')
An alternative is to use the OpenDNS project servers:
NAME_SERVERS="\t\t208.67.222.222\\;\\
\t\t208.67.220.220\\;\\"
Redirect DNS requests to the selected servers:
if [ -n "${NAME_SERVERS}" ]; then
command sed -i \
-e '/^[ \t]*forwarders/,/^[ \t]*};/d' \
-e "/directory/a\\
\\
\t// Forwarding DNS queries to ISP DNS.\\
\tforwarders {\\
${NAME_SERVERS}
\t}\\;" '/etc/bind/named.conf.options'
fi
Reload the configuration:
/etc/init.d/bind9 reload
Set up the system to use the local DNS server:
command sed -i -e 's/^\([ \t]*nameserver\)/#\1/' '/etc/resolv.conf'
command echo 'nameserver 127.0.0.1' >> '/etc/resolv.conf'
Local network access
By default, only the local host is allowed to use the DNS server. The allowed IP address ranges must be listed explicitly.
Detect the IP addresses ranges of the system network interfaces:
IP_RANGES=$(LANG=C command ifconfig \
| command grep "inet addr" \
| command sed -e 's/.*addr:\([^ ]*\) .*/\1/' \
| command egrep -v '^127\.' \
| command sed -e "s|^\(.*\.\)[^.]*$|\t\10/24;|")
Create the local network IP address ranges access control list:
command echo -e "
// Local networks access control list.
acl local-networks {
\t127.0.0.0/8;
${IP_RANGES}
};" >> '/etc/bind/named.conf.options'
Allow DNS requests originating from the local networks:
command sed -i -e '/directory/a\
\
\t// Allowing queries for local networks.\
\tallow-query {\
\t\tlocal-networks\;\
\t}\;\
\
\t// Allowing recursion for local networks.\
\tallow-recursion {\
\t\tlocal-networks\;\
\t}\;' '/etc/bind/named.conf.options'
Reload the server configuration:
/etc/init.d/bind9 reload
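The two sed pipelines of the "Redirections" and "Local network access" sections are hard to check by eye. The following added example (not part of the original howto) does the same work as functions that read text on stdin and print the finished "forwarders" and "acl local-networks" blocks, so the result can be reviewed before it is appended to /etc/bind/named.conf.options. The sample resolv.conf and ifconfig outputs are constructed; the ifconfig layout assumed is the English "inet addr:" format of Debian 6.

```shell
#!/bin/sh
# Added example, not part of the original howto: generate the "forwarders"
# and "acl local-networks" blocks from text input, so the result can be
# checked before it is appended to /etc/bind/named.conf.options.
# Sample resolv.conf and ifconfig output are constructed; the ifconfig
# layout is the English "inet addr:" format of Debian 6 (assumption).

# forwarders_from_resolv: read resolv.conf text on stdin and print a
# forwarders block. Loopback entries are skipped: once the system points
# at the local server (nameserver 127.0.0.1) forwarding to it would loop.
forwarders_from_resolv() {
    awk '
        $1 == "nameserver" && $2 !~ /^127\./ { ns[n++] = $2 }
        END {
            if (n == 0) exit 1
            print "\t// Forwarding DNS queries to ISP DNS."
            print "\tforwarders {"
            for (i = 0; i < n; i++) print "\t\t" ns[i] ";"
            print "\t};"
        }
    '
}

# ip_to_net24 IP: the /24 network containing IP (192.168.1.5 -> 192.168.1.0/24).
ip_to_net24() {
    printf '%s\n' "$1" | sed -e 's|^\([0-9]*\.[0-9]*\.[0-9]*\)\.[0-9]*$|\1.0/24|'
}

# acl_from_ifconfig: read ifconfig output on stdin and print an acl block
# with loopback plus one /24 per non-loopback interface address.
acl_from_ifconfig() {
    printf '// Local networks access control list.\nacl local-networks {\n\t127.0.0.0/8;\n'
    sed -n -e 's/.*inet addr:\([0-9.]*\) .*/\1/p' \
        | grep -v '^127\.' \
        | while read -r ip; do
              printf '\t%s;\n' "$(ip_to_net24 "$ip")"
          done | sort -u
    printf '};\n'
}

# Constructed resolv.conf: two provider servers plus the local resolver.
sample_resolv() {
    cat <<'EOF'
nameserver 192.0.2.53
nameserver 192.0.2.54
nameserver 127.0.0.1
EOF
}

# Constructed ifconfig output: two LAN interfaces and loopback.
sample_ifconfig() {
    cat <<'EOF'
eth0      Link encap:Ethernet  HWaddr 00:00:5e:00:53:01
          inet addr:192.168.1.5  Bcast:192.168.1.255  Mask:255.255.255.0
eth1      Link encap:Ethernet  HWaddr 00:00:5e:00:53:02
          inet addr:10.0.5.7  Bcast:10.0.5.255  Mask:255.255.255.0
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
EOF
}

sample_resolv | forwarders_from_resolv
sample_ifconfig | acl_from_ifconfig
```

On a real host feed `cat /etc/resolv.conf` and `LANG=C ifconfig` to the two functions instead of the samples. Keeping the acl tight matters: a server that accepts recursion from any address becomes an open resolver, so review the generated ranges before the reload.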
Configuration
Initialization of a domain
To let the DNS server manage a domain name, provide the domain name:
DOMAIN="my-domain.com"
Provide the IPv4 address for the domain (A record):
DOMAIN_IP="XX.XX.XX.XX"
Provide the host name of the local DNS server (by default, the value of ${HOSTNAME}):
DNS_SERVER="${HOSTNAME}"
Create the zone file for the domain:
echo "\$TTL 86400
${DOMAIN}. IN SOA ${DNS_SERVER}. postmaster.${DOMAIN}. (
    2010111504 ; Serial (YYYYMMDDnn, increase it at each change)
    3600       ; Refresh after 1 hour.
    3600       ; Retry after 1 hour.
    1209600    ; Expire after 2 weeks.
    86400      ; Minimum TTL of 1 day.
)
;
; Name servers declaration.
;
${DOMAIN}. IN NS ${DNS_SERVER}.
${DOMAIN}. IN NS sdns2.ovh.net.
;
; Hostnames declaration.
;
${DOMAIN}. IN A ${DOMAIN_IP}
" > "/etc/bind/db.${DOMAIN}"
Add the zone to the server configuration:
if [ -z "$(command grep -F "${DOMAIN}" "/etc/bind/named.conf.local")" ]; then
echo "
zone \"${DOMAIN}\" in {
    type master;
    file \"/etc/bind/db.${DOMAIN}\";
    allow-query { any; };
};
" >> "/etc/bind/named.conf.local"
fi
Reload the configuration:
/etc/init.d/bind9 reload
Check that the configuration has been correctly loaded:
command tail -n 50 "/var/log/daemon.log"
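The zone file above is written once with a fixed serial; every later change needs a higher serial or the secondary name server keeps serving the old zone. As an added example (not part of the original howto), the script below turns the zone file into a function of the DOMAIN, DOMAIN_IP and DNS_SERVER variables of this section and computes the next YYYYMMDDnn serial. The domain, address and name server used in the stand-alone run are constructed values.

```shell
#!/bin/sh
# Added example, not part of the original howto: build the zone file from
# the DOMAIN / DOMAIN_IP / DNS_SERVER variables of this section and compute
# the next serial. A secondary only transfers the zone again when the serial
# has increased, so a forgotten bump is the classic reason a change never
# shows up on the secondary.

# bump_serial OLD TODAY: next YYYYMMDDnn serial, TODAY given as YYYYMMDD.
# A new day restarts the counter at 01; otherwise the old value is
# incremented (also when OLD is in the future, so the serial never goes back).
bump_serial() {
    old="$1"; today="$2"
    old_date=$(printf '%s' "$old" | cut -c1-8)
    if [ "$old_date" -lt "$today" ]; then
        printf '%s01\n' "$today"
    else
        printf '%s\n' $((old + 1))
    fi
}

# make_zone DOMAIN IP NS SERIAL: print the zone file text. SOA timers are
# the values used in this howto; ";" starts a comment in zone-file syntax.
make_zone() {
    domain="$1"; ip="$2"; ns="$3"; serial="$4"
    cat <<EOF
\$TTL 86400
${domain}. IN SOA ${ns}. postmaster.${domain}. (
    ${serial} ; Serial
    3600      ; Refresh after 1 hour.
    3600      ; Retry after 1 hour.
    1209600   ; Expire after 2 weeks.
    86400     ; Minimum TTL of 1 day.
)
;
; Name servers declaration.
;
${domain}. IN NS ${ns}.
;
; Hostnames declaration.
;
${domain}. IN A ${ip}
EOF
}

# zone_serial: read a zone file on stdin and print its serial.
zone_serial() {
    awk '/; Serial/ { print $1; exit }'
}

# Stand-alone run on constructed values: regenerate the zone with a bumped serial.
DOMAIN="my-domain.com"; DOMAIN_IP="192.0.2.1"; DNS_SERVER="ns1.example.net"
OLD_SERIAL=$(make_zone "$DOMAIN" "$DOMAIN_IP" "$DNS_SERVER" 2010111504 | zone_serial)
make_zone "$DOMAIN" "$DOMAIN_IP" "$DNS_SERVER" "$(bump_serial "$OLD_SERIAL" "$(date +%Y%m%d)")"
```

Before reloading, validate what was generated with the checkers shipped with the bind9 packages: `named-checkzone my-domain.com /etc/bind/db.my-domain.com` for the zone and `named-checkconf` for the configuration; both return non-zero on a syntax error, which is much easier to spot than a silent refusal in daemon.log. If the name server named in the NS record lives inside the zone itself, the zone must also carry an A record for it.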
Domain health checkup
It is very important to check the health of the DNS zone configuration. You can do so with the help of these 3 tools that check your server configuration:
Specific configurations
SMTP server
The MX records specify the SMTP server handling the e-mail of a domain. The SMTP server name given in the MX record must itself have an "A" (IPv4) and/or "AAAA" (IPv6) record. For example:
smtp.my-domain.com. IN A XX.XX.XX.XX
my-domain.com. IN MX 10 smtp.my-domain.com.
The "10" value on the MX record line is a priority used to order SMTP servers. You can set up several SMTP servers for the same domain (for backup or load sharing, for example).
Windows Live Mail uses the Sender Policy Framework (SPF) to check whether received e-mails are spam. To follow this recommendation, the e-mail domain zone must contain a TXT record with the SPF configuration: the list of SMTP servers allowed to send e-mails from the domain @my-domain.com.
For example, if the same server is used to send and receive e-mails from and to @my-domain.com, use the TXT record:
my-domain.com. IN TXT "v=spf1 mx ~all"
If your setup is more complex, you can use a Sender ID configuration generator.
If your domains are managed by OVH, this company provides an SPF configuration generator in the domain zone administration.
You can (must?) tell Windows Live Mail that your domain has an SPF record by filling in this form: https://support.msn.com/eform.aspx?productKey=senderid&ct=eformts
XMPP server (Jabber)
The XMPP protocol uses SRV records to find the XMPP servers of a given domain. Here are the lines to add to a zone whose XMPP server is "mail.example.com", listening on ports 5222 and 5269:
; XMPP
_xmpp-server._tcp 3600 IN SRV 10 0 5269 mail.example.com.
_xmpp-server._udp 3600 IN SRV 10 0 5269 mail.example.com.
_xmpp-client._tcp 3600 IN SRV 10 0 5222 mail.example.com.
_xmpp-client._udp 3600 IN SRV 10 0 5222 mail.example.com.
_jabber._tcp 3600 IN SRV 10 0 5269 mail.example.com.
_jabber._udp 3600 IN SRV 10 0 5269 mail.example.com.
_jabber-client._tcp 3600 IN SRV 10 0 5222 mail.example.com.
_jabber-client._udp 3600 IN SRV 10 0 5222 mail.example.com.
References
These books can help you:
Thanks
- Thanks to Bind 9 developers.
- Thanks to Thom for the post DNS SRV records for SIP and XMPP.
- Thanks to OpenSPF for their numerous SPF tools.