Feb 21

Administering DNS in Linux is in fact really simple. The first-time configuration, though, can prove quite tricky. Just follow the instructions below to get your DNS server set up using bind9, the most popular and reliable DNS server.

First, let’s install the DNS server:

aptitude install bind9
cd /etc/bind

Add a new forward and reverse lookup zone to the config file.
I am assuming that the IP you want example.com to resolve to is 192.168.0.50. In real life this would be your external IP address, the one serving your website/email. We are also creating a reverse zone. The reverse zone name is created by removing the last number from the IP (50 in our case) and reversing the rest. Then “in-addr.arpa” is appended. So for the IP 192.168.0.50 the reverse zone will be 0.168.192.in-addr.arpa. Right, let’s go for it!
Edit /etc/bind/named.conf.local (e.g. vi /etc/bind/named.conf.local) and put this at the end of the file:

zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
};

zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};
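The reverse-zone naming rule above (drop the host part of the IP, reverse the rest, append in-addr.arpa) is easy to get wrong by hand, and so is the trailing dot on every absolute name in the zone file. The following is an added example, not code from the original post: it derives the reverse zone name and PTR owner for any octet-aligned prefix (/8, /16 or /24, generalising the post’s /24 case) and renders a small reverse zone with every name written absolute. The hostnames, IPs and serial are constructed sample data.

```python
"""Derive BIND reverse-zone names and render a reverse zone file.

Added example (not from the original post). Generalises the /24 case in the
post to any octet-aligned IPv4 prefix and writes every name absolute, with
its trailing dot. Sample hosts and IPs below are constructed.
"""
import ipaddress
from typing import Dict, Tuple


def reverse_zone(ip: str, prefix_len: int) -> Tuple[str, str]:
    """Return (reverse zone name, PTR owner label) for `ip` inside a /prefix_len.

    For 192.168.0.50 in a /24 this is ("0.168.192.in-addr.arpa", "50"):
    the network octets are reversed and suffixed with in-addr.arpa, and the
    remaining host octets (also reversed) become the record owner.
    """
    if prefix_len not in (8, 16, 24):
        # Non-octet-aligned prefixes need RFC 2317 style delegation, not covered here.
        raise ValueError("reverse zone prefix must be octet-aligned (/8, /16 or /24)")
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    n = prefix_len // 8
    zone = ".".join(reversed(octets[:n])) + ".in-addr.arpa"
    owner = ".".join(reversed(octets[n:]))
    return zone, owner


def fqdn(name: str) -> str:
    """Make a name absolute; without the trailing dot BIND appends the zone origin."""
    return name if name.endswith(".") else name + "."


def reverse_zone_file(network: str, ns: str, rname: str, serial: int,
                      hosts: Dict[str, str]) -> str:
    """Render a reverse zone for `network` (e.g. "192.168.0.0/24") as text.

    `hosts` maps IP -> hostname. `rname` is the SOA contact with the '@'
    already replaced by a dot (webadmin@example.com -> webadmin.example.com).
    """
    net = ipaddress.IPv4Network(network)
    zone, _ = reverse_zone(str(net.network_address), net.prefixlen)
    lines = [
        "$TTL 1h",
        f"@ IN SOA {fqdn(ns)} {fqdn(rname)} ( {serial} 3600 3600 3600 3600 )",
        f"  IN NS {fqdn(ns)}",
    ]
    for ip, host in sorted(hosts.items(), key=lambda kv: ipaddress.IPv4Address(kv[0])):
        if ipaddress.IPv4Address(ip) not in net:
            raise ValueError(f"{ip} does not belong to {network}")
        z, owner = reverse_zone(ip, net.prefixlen)
        if z != zone:  # cannot happen once membership is checked, kept as a guard
            raise ValueError(f"{ip} maps to {z}, not {zone}")
        lines.append(f"{owner} IN PTR {fqdn(host)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the single host from the post's zone.
    print(reverse_zone_file("192.168.0.0/24", "ns.example.com",
                            "webadmin.example.com", 2009010910,
                            {"192.168.0.50": "example.com"}))
```

Run it to print a zone equivalent to the rev.0.168.192.in-addr.arpa file built later in the post; feeding the output to named-checkzone is a quick sanity check before reloading BIND.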

Now save the file and let’s create the actual zones.

mkdir /etc/bind/zones
cd /etc/bind/zones
vi example.com.db

Put this in the example.com.db file:

$TTL 1h
example.com.  IN      SOA     ns.example.com.        webadmin.example.com. (   ; contact is webadmin@example.com, written with the @ replaced by a dot
                                                        2009010910 ;serial
                                                        3600 ;refresh
                                                        3600 ;retry
                                                        3600 ;expire
                                                        3600 ;minimum TTL
)

example.com. IN  NS      ns.example.com.
example.com. IN  MX      10      mail.example.com.
example.com. IN  MX      20      mail.example.com.

@       IN      A       192.168.0.50
www     IN      A       192.168.0.50
mail    IN      A       192.168.0.50
ns      IN      A       192.168.0.50

example.com.     IN      TXT     "v=spf1 a mx ip4:192.168.0.50 -all"
example.com.     IN      SPF     "v=spf1 a mx ip4:192.168.0.50 -all"

This means that example.com, www.example.com and mail.example.com, as well as ns.example.com, will all resolve to the same address, 192.168.0.50. I have also added SPF and TXT records which hold the SPF mail filtering rules. It is quite simple in fact and doesn’t require any changes on your mail server whatsoever. The above SPF lines should be read as follows:

  • v=spf1 – version 1 of SPF
  • a mx ip4:192.168.0.50 – the servers allowed to send email from an “@example.com” address are the ones listed in the A records, the MX records and also the 192.168.0.50 IP address.
  • -all – no one else is allowed to send mail from “@example.com”

Remote servers receiving mail (if they have SPF checks implemented) will look up your SPF records and compare them with the IP that actually sent them the email claiming to be from “@example.com”. This ensures that no one can send email from a forged IP while stating their FROM address is “@example.com”. This way you ensure no spam mail will be sent from your domain name, even from remote servers. And it is just adding 2 lines to your DNS zone ;)
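To make the receiving side concrete, here is an added example (not part of the original post) of the check a mail server performs against the record above. It uses an in-memory table standing in for DNS, filled with the A, MX and TXT records from the zone in this post, and implements only the mechanisms the record uses (a, mx, ip4 and all) with the four qualifiers + - ~ ?. One fact worth knowing since the post was written: RFC 7208 deprecated the dedicated SPF record type, so the TXT record is the one that matters; the SPF line is harmless but no longer needed.

```python
"""Minimal SPF evaluation, as a receiving mail server would do it.

Added example, not from the original post. DNS is replaced by the
constructed table ZONE (the records from the post's example.com zone);
only the a, mx, ip4 and all mechanisms are handled.
"""
import ipaddress

# Constructed stand-in for DNS answers from the example.com zone above.
ZONE = {
    ("example.com", "TXT"): ["v=spf1 a mx ip4:192.168.0.50 -all"],
    ("example.com", "A"): ["192.168.0.50"],
    ("example.com", "MX"): ["mail.example.com"],
    ("mail.example.com", "A"): ["192.168.0.50"],
}

RESULTS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def lookup(name, rtype, dns=ZONE):
    """Return the records of type rtype for name (case-insensitive, trailing dot ignored)."""
    return dns.get((name.rstrip(".").lower(), rtype), [])


def ip_matches(sender_ip, network):
    """True if sender_ip lies in network ("192.168.0.50" or "198.51.100.0/24")."""
    return ipaddress.ip_address(sender_ip) in ipaddress.ip_network(network, strict=False)


def check_spf(sender_ip, domain, dns=ZONE):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for mail
    claiming to be from `domain` and delivered by `sender_ip`.

    Mechanisms are evaluated left to right; the first match decides, and its
    qualifier (default '+') gives the result.
    """
    records = [r for r in lookup(domain, "TXT", dns) if r.startswith("v=spf1 ")]
    if len(records) != 1:       # no record, or several (RFC 7208 treats several as permerror)
        return "none"
    for term in records[0].split()[1:]:
        qualifier = term[0] if term[0] in RESULTS else "+"
        mech = term.lstrip("+-~?").lower()
        if mech == "all":
            matched = True
        elif mech == "a":
            matched = any(ip_matches(sender_ip, a) for a in lookup(domain, "A", dns))
        elif mech == "mx":
            matched = any(ip_matches(sender_ip, a)
                          for mx in lookup(domain, "MX", dns)
                          for a in lookup(mx, "A", dns))
        elif mech.startswith("ip4:"):
            matched = ip_matches(sender_ip, mech[4:])
        else:
            raise NotImplementedError(f"mechanism not handled in this example: {term}")
        if matched:
            return RESULTS[qualifier]
    return "neutral"            # nothing matched and no 'all' term


if __name__ == "__main__":
    for ip in ("192.168.0.50", "203.0.113.7"):   # constructed sender addresses
        print(ip, check_spf(ip, "example.com"))
```

With the record from the post, mail relayed by 192.168.0.50 passes on the a mechanism, while any other sender reaches -all and fails; swap -all for ~all and the same sender gets softfail, which is what many operators publish first while they confirm the list of legitimate senders is complete.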

Right, let’s create the reverse zone file then:

vi rev.0.168.192.in-addr.arpa

Put this in the file:

$TTL 1h
@ IN SOA ns.example.com. webadmin.example.com. (   ; contact is webadmin@example.com, written with the @ replaced by a dot
                                                        2008112111 ;serial
                                                        3600 ;refresh
                                                        3600 ;retry
                                                        3600 ;expire
                                                        3600 ;minimum TTL
)

                IN      NS      ns.example.com.
50              IN      PTR     example.com.    ; trailing dot needed: without it BIND appends the zone origin

As the zone already tells the server the IP starts with 192.168.0 (from the 0.168.192.in-addr.arpa domain), we only put the last number of the IP address (50 in this case) as the owner of the corresponding reverse lookup record. You should always have reverse zones for domains that send and receive email, as some mail servers are very strict on this and might blacklist you otherwise.

That should do the trick and this DNS server should soon respond to queries for example.com with an actual IP :)
Now a very important step is to stop this server from being an open DNS server. To the outside world it should only respond to queries for domains for which it is configured as an authoritative server. Otherwise, anyone can use your DNS server like opendns :/

vi /etc/bind/named.conf.options

 # at the end of the file, just above the closing "};" which ends the options block, insert this line
 # this is assuming you want to allow all lookups from your internal network
 # and that your internal network is 192.168.24.0/24
allow-recursion { 127.0.0.1; 192.168.24.0/24; };
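Whether recursion really is limited to your own networks is worth checking in the file rather than trusting memory, since a later edit can silently widen it. The following is an added example, not code from the original post: it reads an options block, finds the recursion and allow-recursion statements, and reports any entry that is not loopback or an RFC 1918 range. It handles only these two statements (BIND ACL names other than the builtins are reported rather than resolved) and the two sample blocks are constructed.

```python
"""Flag open recursion in a BIND options block.

Added example, not from the original post. Parses only the `recursion` and
`allow-recursion` statements; user-defined ACL names are reported, not
resolved. The sample option blocks are constructed.
"""
import ipaddress
import re

# Ranges from which recursive queries are considered acceptable here.
PRIVATE = [ipaddress.ip_network(n) for n in
           ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")]

BUILTIN_LOCAL = ("localhost", "localnets", "none")


def allow_recursion_problems(options_text):
    """Return a list of problems; empty means recursion is off or limited to
    loopback/private networks."""
    if re.search(r"(?<![\w-])recursion\s+no\s*;", options_text):
        return []                       # not recursive at all: nothing to restrict
    m = re.search(r"allow-recursion\s*\{([^}]*)\}\s*;", options_text)
    if not m:
        return ["allow-recursion is not set: recursion scope falls back to the BIND "
                "default instead of an explicit list"]
    problems = []
    for entry in [e.strip() for e in m.group(1).split(";") if e.strip()]:
        if entry in ("any", "0.0.0.0/0", "::/0"):
            problems.append(f"'{entry}' opens recursion to the whole internet")
        elif entry in BUILTIN_LOCAL or entry.startswith("!"):
            continue                    # builtin local ACLs; negations only remove access
        else:
            try:
                net = ipaddress.ip_network(entry, strict=False)
            except ValueError:
                problems.append(f"ACL name '{entry}' not resolved by this check")
                continue
            if not any(net.subnet_of(p) for p in PRIVATE if net.version == p.version):
                problems.append(f"{entry} is not a loopback/private range")
    return problems


# Constructed samples: the setting from the post, and an open one.
CLOSED = """options {
        directory "/var/cache/bind";
        allow-recursion { 127.0.0.1; 192.168.24.0/24; };
};"""
OPEN = """options {
        directory "/var/cache/bind";
        allow-recursion { any; };
};"""

if __name__ == "__main__":
    for label, text in (("closed", CLOSED), ("open", OPEN)):
        print(label, allow_recursion_problems(text) or "ok")
```

To run it against a live server, read /etc/bind/named.conf.options into a string and pass it in; an empty list is the state the post asks for.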

Right, let’s restart BIND and do some tests:

 # restart bind name server (named)
/etc/init.d/bind9 restart
 # if that hangs, ctrl+c the restart. Then run the below 2 commands
 # (the PID is taken from the first column of ps; grep '[n]amed' keeps grep itself out of the match):
NMD=$(ps -A | grep '[n]amed' | awk '{print $1}'); kill -9 $NMD
/etc/init.d/bind9 start
 # test the new configuration. you should get your 192.168.0.50
dig @localhost example.com
dig @localhost -x 192.168.0.50
 # configure the machine to use our DNS server as the main one
vi /etc/resolv.conf
 # add the below line as the first nameserver entry
nameserver 127.0.0.1
 # save the file, no need to restart anything
 # one final test:
dig example.com
dig -x 192.168.0.50

And we are done. BIND is configured and set up to serve the example.com domain. Now you should log in to your DNS provider and point the name servers to your server if you want to handle DNS resolution for your domain :)
If you want your DNS server to actually respond, you will need to open port 53 UDP and TCP to the internet (as DNS listens on these ports).
If you followed my manual on setting up your sshdfilter and firewall, then to open port 53, do this:

iptables -I INPUT -p udp -m udp --dport 53 -j ACCEPT
iptables -I INPUT -p tcp -m tcp --dport 53 -j ACCEPT
iptables-save > /etc/iptables-rules

15 Responses to “DNS (bind9) Configuration HowTo”

  3. Whilst looking bing I discovered this website, DNS (bind9) Configuration HowTo. I should say I very like it and can bookmark and arrive once more shortly.

  4. to domain name says:

    hi guys…

    hi guysI would like to thank you for the efforts you have made in writing this article. I am hoping the same best work from you in the future as well and i have start my own blog now, , thanks for your effort…

  5. Panama says:

    Marvellous post – and solid domain by the way!

  6. Easter games says:

    hello!, thanks for the info, this post was really nice.

  7. Leasing Cars says:

    Great information you write it very clean. I’m very lucky to get this details from you.

  8. All I can say is this was great. Thanks for the post!

  9. old hostmaster says:

    Hello!
    Very nice example to let me refresh my bind knowledge and helped me a lot to configure my test server! great

  10. Ann McPhail says:

    Hi there! This is my 1st comment here so I just wanted to give a quick shout out and tell you I truly enjoy reading through your posts. Can you suggest any other blogs/websites/forums that go over the same subjects? Appreciate it!

  11. Jesus says:

    Best post i’ve found about this!

    Keep up the good work!

