First install Bind9:
# aptitude install bind9
Then stop it so we can move to the chroot:
# /etc/init.d/bind9 stop
Set bind to run as the unprivileged user bind and chrooted to /var/lib/named:
# vi /etc/default/bind9
OPTIONS="-u bind -t /var/lib/named"
Chrooting an application means making it think the directory it's chrooted to is the root of the file system, so a compromised process cannot reach files outside it. We need to create the directory bind is chrooted to as well as the necessary directories under it:
# mkdir -p /var/lib/named/etc
# mkdir -p /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory to /var/lib/named/etc:
# mv /etc/bind /var/lib/named/etc
Create a symlink from the old location to the new config directory:
# ln -s /var/lib/named/etc/bind /etc/bind
Create another symlink for log files:
# ln -s /var/lib/named/var/log /var/log/bind9
Next make null and random devices:
# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8
And then set the permissions of the directories:
# chmod 666 /var/lib/named/dev/null
# chmod 666 /var/lib/named/dev/random
# chown -R bind:bind /var/lib/named/var/*
# chown -R bind:bind /var/lib/named/etc/bind
We need to modify the startup configuration of sysklogd so that we can still get important messages logged from inside the chroot. The file to edit depends on the release:
for Debian 3.1 (sarge)
# vi /etc/init.d/sysklogd
for Debian 4.0 (etch)
# vi /etc/default/syslogd
Modify the line SYSLOGD="" so that it reads as follows:
SYSLOGD="-a /var/lib/named/dev/log"
Restart sysklogd and start bind:
# /etc/init.d/sysklogd restart
# /etc/init.d/bind9 start
First, check syslog and daemon.log for errors:
# tail -f /var/log/syslog
# tail -f /var/log/daemon.log
Then query your server and verify its answer:
# dig @localhost www.bbc.co.uk
Edit the bind configuration file:
# vi /etc/bind/named.conf.local
Restrict which clients bind will resolve DNS queries for (each address in the list is terminated with a semicolon):
allow-query {
127.0.0.1;
};
Restrict which clients bind will answer recursive DNS queries for:
allow-recursion {
127.0.0.1;
};
Set which servers should be allowed to perform zone transfers. Specify the IP address of all secondaries:
allow-transfer {
1.2.3.4;
};
You should now restart bind and repeat the testing we did previously.
# /etc/init.d/bind9 restart
# tail -f /var/log/syslog
# tail -f /var/log/daemon.log
# dig @localhost www.bbc.co.uk
Edit the bind configuration file and set bind to answer DNS queries for all clients (the built-in any ACL):
# vi /etc/bind/named.conf.local
allow-query {
any;
};
You should continue to restrict which clients bind will resolve recursive queries for as shown previously; otherwise the server becomes an open resolver.
Next create a directory to store your zone files in:
# mkdir -p /etc/bind/zones
# chown bind:bind /etc/bind/zones
# chmod 700 /etc/bind/zones
Create a template zone file as shown below:
# vi /etc/bind/zones/template
;
; SOA
;
$TTL 1h
@ IN SOA dns1.example.com. hostmaster.example.com. (
2007010101 ; Serial number
1h ; Slave refresh
15m ; Slave retry
2w ; Slave expire
1h ; Negative Cache TTL
)
;
; NS RECORDS
;
@ IN NS dns1.example.com.
@ IN NS dns2.example.com.
;
; MAIL RECORDS (CNAME targets are placeholders; point them at the real hosts.
; A name must not be a CNAME to itself, so they reference other records here)
;
@ IN MX 10 mx.example.com.
mail IN CNAME mx.example.com.
smtp IN CNAME mx.example.com.
webmail IN CNAME www.example.com.
;
; WWW RECORDS
;
@ IN A 1.2.3.4
www IN A 1.2.3.4
;
; CUSTOM RECORDS
;
Set suitable permissions on the file:
# chown bind:bind /etc/bind/zones/template
# chmod 600 /etc/bind/zones/template
This won't actually be used, but we will copy it each time we create a new zone.
Copy the zone file template and edit as necessary:
# cp -p /etc/bind/zones/template /etc/bind/zones/db.example.com
As a minimum you should set the serial number to today's date plus an incremental number (YYYYMMDDnn), and increase it on every change so that secondaries pick up the new zone.
Next tell bind where the zone file is:
# vi /etc/bind/named.conf.local
zone "example.com" {
type master;
file "/etc/bind/zones/db.example.com";
notify yes;
};
And finally reload bind:
# /etc/init.d/bind9 reload
Check the logs and test that bind is serving the correct answers for your new zone:
# tail -f /var/log/syslog
# tail -f /var/log/daemon.log
# dig @localhost example.com MX
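One way to apply the serial rule from the zone step above (today's date plus a two-digit counter that only ever grows), as an added shell helper that is not part of the original guide; it assumes the zone file keeps the template's "; Serial number" comment on the serial line:

```shell
#!/bin/sh
# Hypothetical helper, not part of the original guide: compute the next SOA
# serial in YYYYMMDDnn form and write it into a zone file that follows the
# template's "; Serial number" comment convention.
set -eu

# next_serial CURRENT YYYYMMDD: print the serial to use next.
# If CURRENT already belongs to today, increment its two-digit counter;
# otherwise start today's sequence at 01. Serials must only ever grow, so a
# counter that has reached 99, or a CURRENT newer than today, is refused.
next_serial() {
    current="$1"
    today="$2"
    case "$current" in
        "$today"[0-9][0-9])
            n=${current#"$today"}
            n=${n#0}                      # avoid octal interpretation of "08"
            n=$((n + 1))
            [ "$n" -le 99 ] || { echo "serial counter exhausted for $today" >&2; return 1; }
            printf '%s%02d\n' "$today" "$n"
            ;;
        *)
            if [ "$current" -ge "${today}01" ] 2>/dev/null; then
                echo "current serial $current is newer than ${today}01" >&2
                return 1
            fi
            printf '%s01\n' "$today"
            ;;
    esac
}

# bump_serial FILE YYYYMMDD: replace the serial on the "; Serial number" line
# in place (via a temporary file) and print the new value.
bump_serial() {
    zone="$1"
    today="$2"
    current=$(awk '/; Serial number/ { print $1; exit }' "$zone")
    [ -n "$current" ] || { echo "no serial line in $zone" >&2; return 1; }
    new=$(next_serial "$current" "$today") || return 1
    sed "s/^\([[:space:]]*\)$current\([[:space:]]*; Serial number\)/\1$new\2/" \
        "$zone" > "$zone.tmp" && mv "$zone.tmp" "$zone"
    echo "$new"
}
```

After bumping, named-checkzone example.com /etc/bind/zones/db.example.com validates the file before the reload.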