Setup a Bind DNS server on Debian

This howto is tested on:

• Debian 6.0 Squeeze

Installation

Install the server software:

command apt-get install bind9

The server configuration is managed by this two files:

• /etc/bind9/named.conf.options: the DNS server options: access control lists, DNS redirections, recursion,...
• /etc/bind9/named.conf.local: the DNS zones managed by the server.

Security

Enable Bind security events logging:

if [ -z "$(command grep '/var/log/named/security.log' '/etc/bind/named.conf.options')" ]; then
  echo '
// Logging security events for fail2ban
logging {
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 30m;
        severity dynamic;
        print-time yes;
    };
    category security {
        security_file;
    };
};' >> '/etc/bind/named.conf.options'
fi

Create the security log folder:

command mkdir --parent /var/log/named/
command chown -R bind:bind /var/log/named/

Setup the security log rotation:

echo '/var/log/named/security.log {
  daily
  missingok
  rotate 7
  compress
  delaycompress
  notifempty
  create 644 bind bind
  postrotate
    /usr/sbin/invoke-rc.d bind9 reload > /dev/null
  endscript
}' > '/etc/logrotate.d/bind9-security'

Install fail2ban:

command apt-get install fail2ban

Enable Bind server protection by fail2ban:

if [ ! -e '/etc/fail2ban/jail.local' ]; then
  command touch '/etc/fail2ban/jail.local'
fi
if [ -z "$(command grep "[named-refused-tcp]" '/etc/fail2ban/jail.local')" ]; then
  echo "
[named-refused-tcp]
enabled = true
" >> '/etc/fail2ban/jail.local'
fi

Reload the configuration:

/etc/init.d/bind reload
/etc/init.d/fail2ban restart

Redirections

The DNS server can fetch zones informations from master DNS servers, or from the DNS servers of the Internet access provider. This last method is prefered because it is normally faster.

Detect the DNS servers of the Internet access provider:

NAME_SERVERS=$(command grep 'nameserver' '/etc/resolv.conf' \
    | command sed -e 's/^.*nameserver[\t ]*//' \
                  -e 's/^\(.*\)$/\t\t\1\\;\\/' \
    | command egrep -v '127\.')

An alternative is to use the OpenDNS project servers:

NAME_SERVERS="\t\t208.67.222.222\\;\\
\t\t208.67.220.220\\;\\"

Redirect DNS requests to the selected servers:

if [ -n "${NAME_SERVERS}" ]; then
  command sed -i \
              -e '/^[ \t]*forwarders/,/^[ \t]*};/d' \
              -e "/directory/a\\
\\
\t// Forwarding DNS queries to ISP DNS.\\
\tforwarders {\\
${NAME_SERVERS}
\t}\\;" '/etc/bind/named.conf.options'
fi

Reload the configuration:

/etc/init.d/bind9 reload

Setup the system to use the local DNS server:

command sed -i -e 's/^\([ \t]*nameserver\)/#\1/' '/etc/resolv.conf'
command echo 'nameserver 127.0.0.1' >> '/etc/resolv.conf'

Local network access

By default, the DNS server usage is only allowed for local host. It is necessary to specificly list allowed IP addresses ranges.

Detect the IP addresses ranges of the system network interfaces:

IP_RANGES=$(command ifconfig \
    | command grep "inet adr" \
    | command sed -e 's/.*adr:\([^ ]*\) .*/\1/' \
    | command egrep -v '127.0.0.1' \
    | sed -e "s|^\(.*\)[^\.]*$|\t\10/24;|")

Create the local network IP address ranges access control list:

command echo -e "
// Local networks access control list.
acl local-networks {
\t127.0.0.0/8;
${IP_RANGES}
};" >> '/etc/bind/named.conf.options'

Allow DNS requests originated from the local networks:

command sed -i -e '/directory/a\
\
\t// Allowing queries for local networks.\
\tallow-query {\
\t\tlocal-networks\;\
\t}\;\
\
\t// Allowing recursion for local networks.\
\tallow-recursion {\
\t\tlocal-networks\;\
\t}\;' '/etc/bind/named.conf.options'

Reload the server configuration:

/etc/init.d/bind9 reload

Configuration

Initialization of a domain

To allow the DNS server to manage a domain name, provide the domain name:

DOMAIN="my-domain.com"

Provide the IPv4 address for the domain (A record):

DOMAIN_IP="XX.XX.XX.XX"

Provide the host name of the local DNS server (by default, the value of ${HOSTNAME}):

DNS_SERVER="${HOSTNAME}"

Create the zone file for the domain:

echo "\$ttl 86400
${DOMAIN}. IN SOA ${DNS_SERVER}. postmaster.${DOMAIN}. (
 2010111504; Serial
 3600; refresh after 3 hours.
 3600; Retry after 1 hour.
 1209600; expire after 1 week.
 86400; Minimum TTL of 1 day.
);

;
; Name servers declaration.
;

${DOMAIN}.  IN NS  ${DNS_SERVER}.;
${DOMAIN}.  IN NS  sdns2.ovh.net.;

;
; Hostnames declaration.
;
${DOMAIN}. IN A ${DOMAIN_IP};
" > "/etc/bind/db.${DOMAIN}"

Add the zone to the server configuration:

if [ -z "$(command grep "${DOMAIN}" "/etc/bind/named.conf.local")" ]; then
  echo "
zone \"${DOMAIN}\" in {
 type master;
 file \"/etc/bind/db.${DOMAIN}\";
 allow-query { any; };
};
" >> "/etc/bind/named.conf.local"
fi

Reload the configuration:

/etc/init.d/bind9 reload

Check that the configuration has been correctly loaded:

command tail -n 50 "/var/log/daemon.log"

Domain health checkup

It is very important to check the health of the DNS zone configuration. You can do so with the help of these 3 tools allowing to check your server configuration:

• ZoneCheck
• IntoDNS
• DNS Queries

Specific configurations

SMTP server

The MX records are used to specify the SMTP server managing the emails for a domain. The SMTP server domain name record must be of "A" (IPv4) and/or "AAAA" (IPv6) type. For example:

smtp.my-domain.com. IN    A    XX.XX.XX.XX;
my-domain.com. IN MX 10 smtp.my-domain.com.;

The "10" value on the MX record line allow to prioritize SMTP servers. You can setup many SMTP servers for a same domain (for backup or heavy load usage, for example).

Windows Live Mail use the Sender Policy Framework (SPF) to check if received emails are spams. To setup this recommandation, the email domain zone must contain a TXT record with the SPF configuration: the list of SMTP servers allowed to send e-mails from the domain @my-domain.com.

For example, if the same server is used to send and receive emails from and to @my-domain.com, use the TXT record:

mon-domaine.com. IN TXT "v=spf1 mx ~all"

If your setup is complex, you can use a Sender ID configuration generator.

If your domains are managed by OVH, this company provide a SPF configuration generator in the domain zone administration.

You can (must ?) tell Windows Live Mail that your domain has a SPF record by filling this form: https://support.msn.com/eform.aspx?productKey=senderid&ct=eformts

XMPP server (Jabber)

The XMPP protocol use SRV records to fetch the XMPP servers for a given domain. Here are the lines to add to a zone witch XMPP server is "mail.example.com", listening on 5222 and 5269 ports:

; XMPP
_xmpp-server._tcp 3600 IN SRV 10 0 5269 mail.example.com.
_xmpp-server._udp 3600 IN SRV 10 0 5269 mail.example.com.
_xmpp-client._tcp 3600 IN SRV 10 0 5222 mail.example.com.
_xmpp-client._udp 3600 IN SRV 10 0 5222 mail.example.com.
_jabber._tcp 3600 IN SRV 10 0 5269 mail.example.com.
_jabber._udp 3600 IN SRV 10 0 5269 mail.example.com.
_jabber-client._tcp 3600 IN SRV 10 0 5222 mail.example.com.
_jabber-client._udp 3600 IN SRV 10 0 5222 mail.example.com.

References

These books can help you:

• DNS and BIND on IPv6
• DNS and BIND (5th Edition)
• DNS & BIND Cookbook

Thanks

• Thanks to Bind 9 developers.
• Thanks to Thom for the post DNS SRV records for SIP and XMPP.
• Thanks to OpenSPF for their numerous SPF tools.