installing bind 9.14.3


sirmosi1986

New Member


Messages: 18

Yes, they are not related or relevant.


We have public DNS for our website and everything works well because it's hosted at our hosting company, but my boss wants to run a local DNS server for the programmer department so that everything is queried via that DNS server instead of changing the local hosts file on every client.
 

SirDice

Administrator
Staff member
Moderator

Reaction score: 7,562
Messages: 30,279

I should install a DNS server for my company and configure it for using some records inside and query our public ip or maybe forward it outside
Don't get me wrong here, but you have probably bitten off more than you can chew. Your questions make it apparent that you don't know how to set this up or even where to begin. Which is fine, we all had to learn at some point. But this might not be the right time for it. Setting up BIND is quite an undertaking and can easily be done incorrectly. It's also quite easy to get a server like that abused; I'm sure your boss isn't going to like it when the internet provider kills your internet connection because your DNS server became part of a DDoS network.

For your situation start with dns/dnsmasq; it will be more than sufficient for this purpose. If you want to know how to set up BIND, do so in a lab environment or at home. At least somewhere where others (and especially a company) aren't going to depend on it. Making mistakes is part of the learning process. You just can't afford them when it's a company that's on the line. So make those mistakes in a lab or on your home network. At least until you are confident enough not to fall for the most obvious ones and know how to fix those mistakes quickly.
 

hruodr

Well-Known Member

Reaction score: 46
Messages: 362

You put your private records in /etc/hosts, your public records in a zone file, with nsd
configured similarly to the above. For resolving DNs yourself, use unbound as configured automatically by
FreeBSD or similarly to the above. At least you can begin in this simple way; later try DNSSEC.

But the ISP must write some NS and glue records to link to your server:


For writing the zone file, just google a little; the Wikipedia pages really help. It is not difficult.

And learn how to query a DNS server with drill, then you can test your zone file.
 

hruodr

Well-Known Member

Reaction score: 46
Messages: 362

but my boss want to run local dns server for programmer department to query everything via the dns server not to change local host on every client
Then nsd will listen on a local IP, not reachable from outside and not linked from outside, and you can put
it in /etc/resolv.conf of every client, together with other nameservers.
 

msplsh

Member

Reaction score: 5
Messages: 34

Here are some sample zonefiles and some portions of named.conf to set up a custom .lan TLD. The thing is, if you want to create a custom TLD, you'll be at the mercy of somebody else being able to take control over that TLD when you're not on your network. If you use your own domain, you'll have to manage what's known as "split horizon" DNS, which is kind of difficult. Instead of doing .lan, you could use internal.domain.com, which would partition that portion of your domain and you wouldn't have the problem.

------ named.conf (Some security settings)
Code:
acl clients {
        10.0.0.0/8;
        192.168.0.0/16;
        localnets;
        ::1;
};

options {
        version "no";
        listen-on    { 127.0.0.1; 192.168.1.1; };

        dnssec-enable yes;
        dnssec-validation yes;

        recursion yes;
        # Or you could do this
        # forwarders { 1.1.1.1; };

        # Apply the ACL above
        allow-recursion { clients; };
        allow-query { clients; };
        allow-transfer { none; };
};
------ named.conf (zone portion)
Code:
zone "168.192.IN-ADDR.ARPA" {
        type master;
        file "master/192.168.1.db";
};

zone "lan" {
        type master;
        file "master/lan.db";
};
------ Zonefile (lan.db)
Code:
$TTL 1h

@ IN SOA ns.lan. webmaster.lan. (
        2018022802 ;Serial
        2h         ;Refresh
        1h         ;Retry
        1d         ;Expire
        1h )       ;Negative caching TTL

@               IN NS           ns.lan.

ns.lan.         IN A    192.168.1.1

; Note these DON'T end in a . making the full name router.home.lan
; (zone files only accept ';' as the comment character, not '#')
router.home     IN A    192.168.1.1
firewall.home   IN CNAME router.home
----- Reverse file (192.168.1.db)
Code:
$TTL 1h

@ IN SOA ns.lan. webmaster.lan. (
        2014120601 ;Serial
        2h         ;Refresh
        1h         ;Retry
        1w         ;Expire
        1h )       ;Negative caching TTL

@               IN NS   ns.lan.

1.1.168.192.in-addr.arpa.       IN PTR  router.home.lan.
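
A small checker for zone files like the ones above, as an added example (not msplsh's code and not part of BIND or NSD): it expands relative owner names against the zone origin the way the server does (router.home becomes router.home.lan.), rejects the '#' comment character that zone files do not accept, and reports A records whose reverse-zone PTR is missing or names a different host. The zone text inside is constructed to mirror lan.db and 192.168.1.db.

```python
"""Zone-file sanity checker: expands relative names against the zone origin and checks that
every A record in the forward zone has a matching PTR in the reverse zone. Added example for
this thread (not msplsh's code, not part of BIND or NSD); the zone text below is constructed."""
LAN_DB = """$TTL 1h
@ IN SOA ns.lan. webmaster.lan. ( 2018022802 ; Serial
        2h 1h 1d 1h )
@              IN NS    ns.lan.
ns.lan.        IN A     192.168.1.1
; relative names get the origin appended: router.home -> router.home.lan.
router.home    IN A     192.168.1.1
firewall.home  IN CNAME router.home
"""
REV_DB = """@ IN SOA ns.lan. webmaster.lan. ( 2014120601 2h 1h 1w 1h )
@                          IN NS  ns.lan.
1.1.168.192.in-addr.arpa.  IN PTR router.home.lan.
"""
NAME_TYPES = {"NS", "CNAME", "PTR"}  # rdata is itself a name, so it gets expanded too

def fqdn(name, origin):
    """'@' is the origin; a trailing '.' means absolute; anything else gets the origin appended."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """(owner, type, rdata) tuples; strips ';' comments, joins '( ... )' continuations, rejects '#'."""
    records, owner, buf, has_owner = [], origin, "", False
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):  # zone files, unlike named.conf, have no '#' comments
            raise ValueError(f"'#' is not a zone-file comment, use ';': {raw.strip()}")
        if not buf:                       # first line of a record: owner present if not indented
            has_owner = bool(raw) and not raw[0].isspace()
        buf += raw.split(";", 1)[0] + " "
        if buf.count("(") > buf.count(")"):
            continue                      # still inside a multi-line record such as the SOA
        tokens, buf = buf.replace("(", " ").replace(")", " ").split(), ""
        if not tokens or tokens[0].startswith("$"):
            continue                      # blank line, or a $TTL/$ORIGIN directive
        if has_owner:
            owner = fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0] == "IN" or tokens[0][0].isdigit()):
            tokens.pop(0)                 # optional TTL and class precede the type
        rdata = [fqdn(tokens[1], origin)] if tokens[0] in NAME_TYPES else tokens[1:]
        records.append((owner, tokens[0], " ".join(rdata)))
    return records

def check_ptrs(forward, reverse):
    """A records whose PTR is missing (None) or names another host, as (name, ip, ptr_target)."""
    rev = lambda ip: ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
    ptrs = {o.lower(): d.lower() for o, t, d in reverse if t == "PTR"}
    return [(n, ip, ptrs.get(rev(ip))) for n, t, ip in forward
            if t == "A" and ptrs.get(rev(ip)) != n.lower()]
```

With the sample data it reports ns.lan., because the only PTR for 192.168.1.1 names router.home.lan.; named-checkzone catches syntax errors in each file but not this kind of cross-zone mismatch.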
 

sirmosi1986

New Member


Messages: 18

Don't get me wrong here but you probably bitten off more than you can chew. Your questions make it apparent that you don't know how to set this up or even where to begin. Which is fine, we all had to learn at some point. But this might not be the right time for it. Setting up BIND is quite an undertaking and can easily be done incorrectly. It's also quite easy to get a server like that abused, I'm sure your boss isn't going to like it when the internet provider kills your internet connection because your DNS server became part of a DDoS network.

For your situation start with dns/dnsmasq, it will be more than sufficient for this purpose. If you want to know how to set up BIND do so in a lab environment or your home. At least somewhere where others (and especially a company) aren't going to depend on it. Making mistakes is part of the learning process. You just can't afford them when it's a company that's on the line. So make those mistakes in a lab or on your home network. At least until you are confident enough not to fall for the most obvious ones and know how to fix those mistakes quickly.
Thanks for your advice, sir.
Since all of you mentioned some other simple solutions, I decided to try NSD.
I think it's better for an authoritative name server.
 

hruodr

Well-Known Member

Reaction score: 46
Messages: 362

could you tell me some tutorial about this?
I do not know a tutorial. Only man pages; I mentioned Wikipedia for learning to write zone files. drill (comes with nsd) to
test your zone file.

Just try with the configuration file I put above and test. Try and err. It is really not difficult.
 

hruodr

Well-Known Member

Reaction score: 46
Messages: 362

sirmosi1986 asks: could you tell me some tutorial about this?

Tutorial on trial and error

After configuring /usr/local/etc/nsd/nsd.conf as above and writing your zonefile
/etc/nsd/zone.domain.tld, start nsd:

nsd -a listened-ip@port

where listened-ip and port are selected for testing purposes.

If something was wrong and it did not start, correct it and start again.

Otherwise, test whether it gives correct answers about domains in the zone file with:

drill -p port domain @listened-ip

And for record types other than A:

drill -p port type domain @listened-ip

If something is wrong, alter the zone file and reload it with

pkill -HUP nsd

and test again, change again, reload again, and repeat these three steps until all is OK ....

Then you can make it listen on the public IP on port 53 and ask the hoster of the domain to add NS and glue records.

SirDice, I don't think it is a danger; it is just a specialized hierarchical database that can be queried through the internet.
Then PostgreSQL and MySQL could also be a danger.
 

tommiie

Active Member

Reaction score: 59
Messages: 215

hruodr: DNS servers can be used for amplification DDoS attacks. This is a real danger. Not for losing data but for DDoS'ing companies or organizations.
 


sirmosi1986

New Member


Messages: 18

@ IN SOA ns.lan. webmaster.lan. (
I can't get it yet; I've got confused about the name "ns.lan.webmaster.lan". Could you tell me, is this for instance my DNS name?
lan.webmaster.lan? I haven't chosen a domain name yet, but if I try .local for example, how would it be written?
 

hruodr

Well-Known Member

Reaction score: 46
Messages: 362

I've got confused about the name "ns.lan. webmaster.lan"
Do you see the space between ns.lan. and webmaster.lan?

The first is the primary name server and the second the email for the person managing it.

Nameservers, including this one, go also in NS records.

There is no way to avoid reading some info about zonefiles. Just begin with Wikipedia:




For your trial and error you can also use:



BTW, if you want to use it only locally, better try unbound, not nsd, and see my hint above on "local-zone" and
"local-data".
 