installing bind 9.14.3

Yes, they are not related or relevant.


We have a public DNS for our website and everything works well because it's at our hosting company, but my boss wants to run a local DNS server for the programmer department so they can query everything via the DNS server and not change the local hosts file on every client.
 
I should install a DNS server for my company and configure it to use some records inside and query our public IP, or maybe forward it outside.
Don't get me wrong here, but you have probably bitten off more than you can chew. Your questions make it apparent that you don't know how to set this up or even where to begin. Which is fine, we all had to learn at some point. But this might not be the right time for it. Setting up BIND is quite an undertaking and can easily be done incorrectly. It's also quite easy to get a server like that abused; I'm sure your boss isn't going to like it when the internet provider kills your internet connection because your DNS server became part of a DDoS network.

For your situation start with dns/dnsmasq; it will be more than sufficient for this purpose. If you want to know how to set up BIND, do so in a lab environment or at home. At least somewhere where others (and especially a company) aren't going to depend on it. Making mistakes is part of the learning process. You just can't afford them when it's a company that's on the line. So make those mistakes in a lab or on your home network, at least until you are confident enough not to fall for the most obvious ones and know how to fix those mistakes quickly.
 
You put your private records in /etc/hosts, your public records in a zone file, with nsd
configured similarly to the above. For resolving DNS yourself, use unbound as configured automatically by
FreeBSD or similarly to the above. At least you can begin in this simple way; later try DNSSEC.

But the ISP must write some NS and glue records to link to your server:


For writing the zone file, just google a little; the Wikipedia pages really help. It is not difficult.

And learn how to query a DNS server with drill, then you can test your zone file.
 
but my boss wants to run a local DNS server for the programmer department so they can query everything via the DNS server and not change the local hosts file on every client

Then nsd will listen on a local IP, not reachable from outside and not linked from outside; then you can put
it in /etc/resolv.conf of every client, together with other nameservers.
 
Here are some sample zonefiles and some portions of named.conf to set up a custom .lan TLD. The thing is, if you want to create a custom TLD, you'll be at the mercy of somebody else being able to take control over that TLD when you're not on your network. If you use your own domain, you'll have to manage what's known as a "split horizon" DNS, which is kind of difficult. Instead of doing .lan, you could use internal.domain.com, which would partition that portion of your domain and you wouldn't have the problem.

------ named.conf (Some security settings)
Code:
acl clients {
    10.0.0.0/8;
    192.168.0.0/16;
    localnets;
    ::1;
};

options {
    version "no";    # hide the BIND version from version.bind CHAOS queries
    listen-on    { 127.0.0.1; 192.168.1.1; };    # loopback and the LAN interface only

    dnssec-enable yes;
    dnssec-validation yes;

    recursion yes;
    # Or you could do this
    # forwarders { 1.1.1.1; };

    # Apply the ACL above: no recursion and no answers for anyone outside it,
    # which is what keeps this from being an open resolver
    allow-recursion { clients; };
    allow-query { clients; };
    allow-transfer { none; };    # no zone transfers to anyone
};

------ named.conf (zone portion)
Code:
zone "168.192.IN-ADDR.ARPA" {
        type master;
        file "master/192.168.1.db";
};

zone "lan" {
        type master;
        file "master/lan.db";
};

------ Zonefile (lan.db)
Code:
$TTL 1h

@ IN SOA ns.lan. webmaster.lan. (
        2018022802 ;Serial
        2h      ;Refresh
        1h      ;Retry
        1d      ;Expire
        1h )    ;Negative caching TTL

@               IN NS           ns.lan.

ns.lan.        IN A    192.168.1.1

; Zone-file comments start with ';' ('#' is not a comment syntax here)
; Note these DON'T end in a . making the full name router.home.lan
router.home    IN A    192.168.1.1
firewall.home    IN CNAME router.home

------ Reverse file (192.168.1.db)
Code:
$TTL 1h

@ IN SOA ns.lan. webmaster.lan. (
        2014120601 ;Serial
        2h      ;Refresh
        1h      ;Retry
        1w      ;Expire
        1h )    ;Negative caching TTL

@               IN NS   ns.lan.

; Fully qualified owner name (trailing dot), so the zone origin is not appended
1.1.168.192.in-addr.arpa.       IN PTR  router.home.lan.
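An added example, not from the post above and not part of BIND: the `clients` ACL evaluated the way `allow-recursion`/`allow-query` would evaluate it, plus a small check over constructed query-log lines for recursive queries arriving from outside the ACL, which is what probing for an open resolver looks like in the logs. `localnets` is stood in for by an assumed 192.168.1.0/24, since BIND derives it from the server's own interfaces.

```python
import ipaddress
import re

# The 'clients' ACL from the named.conf above, as network objects. BIND expands
# 'localnets' from the server's own interfaces; offline we stand in for it with an
# assumed interface prefix (192.168.1.0/24, already covered by the /16 entry).
ACL_CLIENTS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("192.168.1.0/24"),  # assumed expansion of 'localnets'
    ipaddress.ip_network("::1/128"),
]

def acl_allows(src, acl=ACL_CLIENTS):
    """True if src matches an element of the ACL. BIND evaluates ACLs first-match;
    this ACL has no negated ('!') elements, so order does not matter here."""
    ip = ipaddress.ip_address(src)
    return any(ip in net for net in acl)

# Simplified shape of a BIND 'queries' category log line (samples constructed below):
# client @0x... SRC#PORT (QNAME): query: QNAME IN QTYPE +E(0)K (SERVER-IP)
# The first flag character is '+' when recursion was requested, '-' when not.
QUERY_RE = re.compile(
    r"client @\S+ (?P<src>[0-9a-fA-F.:]+)#\d+ \((?P<qname>\S+)\): query: "
    r"\S+ IN (?P<qtype>\S+) (?P<rd>[-+])"
)

def external_recursive_queries(log_lines, acl=ACL_CLIENTS):
    """Return (src, qname, qtype) for recursive queries from outside the ACL.
    With allow-recursion/allow-query { clients; } BIND refuses them rather than
    answering, but their presence shows the server is being probed."""
    hits = []
    for line in log_lines:
        m = QUERY_RE.search(line)
        if m and m["rd"] == "+" and not acl_allows(m["src"], acl):
            hits.append((m["src"], m["qname"], m["qtype"]))
    return hits

# Constructed log lines: an internal lookup, a recursive ANY query from a
# documentation-range address, and a non-recursive query from outside the ACL.
SAMPLE_LOG = [
    "client @0x1 192.168.1.50#51234 (router.home.lan): query: router.home.lan IN A +E(0)K (192.168.1.1)",
    "client @0x2 203.0.113.9#4242 (isc.org): query: isc.org IN ANY +E(0) (192.168.1.1)",
    "client @0x3 198.51.100.7#53 (lan): query: lan IN SOA -E(0) (192.168.1.1)",
]
```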
 

Thanks for your advice, sir.
As all of you mentioned some other simple solutions, I decided to try NSD.
I think it's better as an authoritative name server.
 
Could you tell me about some tutorial on this?

I do not know a tutorial. Only man pages; I mentioned Wikipedia for learning to write zone files. drill (comes with nsd) to
test your zone file.

Just try with the configuration file I put above and test. Try and err. It is really not difficult.
 
sirmosi1986 asks: could you tell me about some tutorial on this?

Tutorial on trial and err

After configuring /usr/local/etc/nsd/nsd.conf as above and writing your zonefile
/etc/nsd/zone.domain.tld, start nsd:

nsd -a listened-ip@port

Here listened-ip and port are selected for testing purposes.

If something was wrong and it did not start, correct it and start again.

Otherwise, test if it gives correct answers about domains in the zone file with:

drill -p port domain @listened-ip

And for domains of other type than A:

drill -p port type domain @listened-ip

If something is wrong, alter the zone file and reload it with

pkill -HUP nsd

and test again, change again, reload again, and repeat these three steps until all is OK ....

Then you can make it listen on the public IP on port 53 and ask the hoster of the domain to add NS and glue records.

SirDice, I don't think it is a danger; it is just a specialized hierarchical database that can be queried through the internet.
Then PostgreSQL and MySQL could also be a danger.
 
hruodr: DNS servers can be used for amplification DDoS attacks. This is a real danger. Not for losing data but for DDoS'ing companies or organizations.
 
@ IN SOA ns.lan. webmaster.lan. (

I can't get it yet; I've got confused about the name "ns.lan.webmaster.lan". Could you tell me, is this for instance my DNS name?
lan.webmaster.lan? I haven't chosen a domain name yet, but if I try .local for example, how should it be written?
 
I've got confused about the name "ns.lan. webmaster.lan"

Do you see the space between ns.lan. and webmaster.lan?

The first is the primary name server and the second the email for the person managing it.

Nameservers, including this one, also go in NS records.

There is no way to avoid reading some info about zonefiles. Just begin with Wikipedia:




For your try and err you can also use:



BTW, if you want to use it only locally, better try unbound, not nsd, and see my hint above on "local-zone" and
"local-data".
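An added example, not from the thread and not part of nsd or BIND: a small zone-file reader that applies the rules behind the questions above. ';' starts a comment ('#' does not), a name without a trailing dot is relative to the zone origin, and the two names in an SOA are the primary nameserver and the admin mailbox, whose first '.' stands for '@'. The sample zone is the thread's lan.db, reformatted here as a constructed string.

```python
def qualify(name, origin):
    """'@' is the origin; 'a.b.' is already absolute; 'a.b' becomes 'a.b.<origin>'."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def rname_to_email(rname):
    """SOA RNAME to mailbox: 'webmaster.lan.' -> 'webmaster@lan' (escaped dots not handled)."""
    local, _, domain = rname.rstrip(".").partition(".")
    return f"{local}@{domain}"

def parse_zone(text, origin):
    """Return (default_ttl, [(owner, type, rdata), ...]); owners and the name fields of
    SOA/NS/CNAME/PTR are made absolute. No per-record TTLs, $ORIGIN or non-IN classes."""
    origin = origin if origin.endswith(".") else origin + "."
    ttl, records, last_owner, buf = None, [], None, []
    for raw in text.splitlines():
        if raw.lstrip().startswith("#"):
            raise ValueError(f"'#' is not a comment in a zone file, use ';': {raw!r}")
        buf.append(raw.split(";", 1)[0].rstrip())  # drop the ';' comment
        joined = " ".join(buf)
        toks = joined.replace("(", " ").replace(")", " ").split()
        if not toks or joined.count("(") > joined.count(")"):
            continue  # blank line, or still inside a parenthesised multi-line record
        indented = buf[0][:1].isspace()  # no owner name when the record starts with blanks
        buf = []
        if toks[0] == "$TTL":
            ttl = toks[1]
            continue
        owner = last_owner = last_owner if indented else qualify(toks.pop(0), origin)
        if toks[0] == "IN":
            toks.pop(0)
        rtype, rdata = toks[0], toks[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":
            rdata = [qualify(rdata[0], origin), qualify(rdata[1], origin)] + rdata[2:]
        records.append((owner, rtype, rdata))
    return ttl, records

# Constructed sample: the lan.db from the thread, with its note rewritten as a ';' comment.
LAN_DB = """$TTL 1h
@ IN SOA ns.lan. webmaster.lan. (
        2018022802 2h 1h 1d  ;Serial Refresh Retry Expire
        1h )                 ;Negative caching TTL
@             IN NS    ns.lan.
ns.lan.       IN A     192.168.1.1
router.home   IN A     192.168.1.1   ; no trailing dot: becomes router.home.lan.
firewall.home IN CNAME router.home
"""
```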
 