BIND Installation

By | March 16, 2016

The goal is to install BIND, verify that it works, and then move it into a chroot jail for added security.
We will also ensure that only ns1.isp.net is allowed to do zone transfers.
The following instructions primarily come from 6. I'm going to modify them slightly because I prefer to keep the various configuration files under /etc/named.

Download bind-9.2.3.tar.gz from one of the mirror sites at http://www.isc.org

Create a user and group for Bind:

# groupadd -g 25 named > /dev/null 2>&1 || :
# useradd -c "BIND DNS Server" -d /var/named -g 25 -s /bin/false -u 25 named > /dev/null 2>&1 || :
# tar xvzf bind-9.2.3.tar.gz
# cd bind-9.2.3
# vi +105 bin/named/include/named/globals.h

Change
"/run/named.pid");
to
"/run/named/named.pid");
Change (two lines down)
"/run/lwresd.pid");
to
"/run/named/lwresd.pid");

# CFLAGS="-O2 -march=i686 -funroll-loops"; export CFLAGS
# ./configure \
> --prefix=/usr \
> --sysconfdir=/etc \
> --localstatedir=/var \
> --mandir=/usr/share/man \
> --with-libtool \
> --disable-ipv6
# make
# make install
# strip /usr/sbin/named
# mkdir -p /etc/named

# mkdir -p /var/run/named
# install -c -m0600 bin/rndc/rndc.conf /etc/
# chown named.named /etc/rndc.conf
# chown named.named /etc/named
# chown named.named /var/run/named/
# /sbin/ldconfig

Note: Remove --with-openssl as the ISP does not support SSL.

# vi /etc/named.conf

The entry for 192.168.0.0/16 under the known fake addresses will have to be uncommented when the server is put into service.
# chmod 600 /etc/named.conf
# chown named.named /etc/named.conf
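The contents of named.conf are not shown above, so here is an added example (not the page's own file) that enforces the zone-transfer restriction promised in the introduction, using the zone files created under /etc/named in the steps that follow. The address of ns1.isp.net is not given on the page; 192.0.2.53 is a placeholder for it.

```conf
acl "secondaries" {
    192.0.2.53;      // placeholder for ns1.isp.net, the only host allowed AXFR
};

// "Known fake addresses": private ranges that should never query an Internet-facing
// server. 192.168.0.0/16 stays commented until the server leaves the 192.168 lab.
acl "bogon" {
    10.0.0.0/8;
    172.16.0.0/12;
//  192.168.0.0/16;
    169.254.0.0/16;
};

options {
    directory "/etc/named";               // zone files live here, as on this page
    pid-file  "/var/run/named/named.pid"; // matches the globals.h edit above
    version   "not disclosed";            // hide the BIND version from queries
    allow-transfer { "secondaries"; };    // default for every zone below
    blackhole { "bogon"; };               // drop queries from the fake ranges
};

zone "." IN {
    type hint;
    file "db.cache";                      // the root hints file built with dig
};

zone "localhost" IN {
    type master;
    file "db.localhost";
    allow-transfer { none; };             // nothing to replicate
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "0.0.127.in-addr.arpa";
    allow-transfer { none; };
};

zone "domain.com" IN {
    type master;
    file "db.domain.com";                 // inherits allow-transfer from options
};

zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "db.0.168.192";
};
```

Check the syntax with `named-checkconf /etc/named.conf`, and after startup confirm that `dig @127.0.0.1 domain.com axfr` from a host that is not in the "secondaries" acl is refused.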

Now it is time to create the /var/named/db.cache file, which is the Root Server Hints File.
# dig @a.root-servers.net . ns > db.cache
# mv db.cache /etc/named/
# chmod 644 /etc/named/db.cache
# chown named.named /etc/named/db.cache

Create /etc/named/db.localhost

# vi /etc/named/db.localhost

Add the following:

$TTL 86400
@           IN SOA  localhost. root.localhost. (
                00          ; Serial
                10800       ; Refresh after 3 hours
                3600        ; Retry after 1 hour
                604800      ; Expire after 1 week
                86400 )     ; Minimum
            IN NS   localhost.
localhost   IN A    127.0.0.1

# chmod 644 /etc/named/db.localhost
# chown named.named /etc/named/db.localhost

Create /etc/named/0.0.127.in-addr.arpa: The Reverse Mapping File

# chmod 644 /etc/named/0.0.127.in-addr.arpa
# chown named.named /etc/named/0.0.127.in-addr.arpa

Create the BIND System Configuration File

# vi /etc/sysconfig/named

Add the following:

# This option will run named in a chroot environment.
#ROOTDIR="/chroot/named/"
# These additional options will be passed to named at startup.
# Don't add -t here, use ROOTDIR instead.
#OPTIONS=""

Create the named initialization script

# vi /etc/init.d/named
# chmod 700 /etc/init.d/named
# chown root.root /etc/init.d/named
# vi /etc/named/db.domain.com

@               IN SOA  domain.com. webmaster.domain.com. (
                    2004013001  ; serial YYYYMMDD##
                    1H          ; Refresh after 1 hour
                    2H          ; Retry after 2 hours
                    1209600S    ; Expire after 2 weeks
                    1S )        ; Negative caching TTL of 1 second
; ***** Nameserver (NS) records. ******************************
domain.com.     IN NS   ns1.domain.com.
;domain.com.    IN NS   ns2.isp.com.
; ***** Mail Exchange (MX) Records ****************************
                MX 10   mail
; ***** Address (A) Records ***********************************
localhost       A       127.0.0.1
server          A       192.168.0.50
;
; ***** Canonical Name (CNAME) records ************************
;
ns1             CNAME   server
mail            CNAME   server
www             CNAME   server

# vi /etc/named/db.0.168.192

Add the following:
$TTL 3h
0.168.192.in-addr.arpa.     IN SOA  server.domain.com. webmaster.domain.com. (
                                2004013001  ; Serial YYYYMMDD##
                                3h          ; Refresh after 3 hours
                                1h          ; Retry after 1 hour
                                1w          ; Expire after 1 week
                                1h )        ; Negative caching TTL of 1 hour
;
; Name Servers
;
0.168.192.in-addr.arpa.     IN NS   server.domain.com.
;
; Addresses point to canonical name
;
50.0.168.192.in-addr.arpa.  IN PTR  server.domain.com.

# chmod 644 /etc/named/*
# chown named.named /etc/named/*

Now we start BIND and verify that we can resolve names from it.

# /etc/init.d/named start
# ping server.domain.com

You should see the name resolve to the correct IP address.
