%general-entities; ]> $LastChangedBy: bdubbs $ $Date: 2015-03-02 17:33:58 -0500 (Mon, 02 Mar 2015) $ BIND The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the . &lfs77_checked; Package Information Download (HTTP): Download (FTP): Download MD5 sum: &bind-md5sum; Download size: &bind-size; Estimated disk space required: &bind-buildsize; Estimated build time: &bind-time; Additional Downloads Optional patch (if net-tools is not installed): BIND Dependencies Optional , , , , and geoip Optional database backends , or MySQL, , , and Optional (to run the test suite) and (you may omit net-tools by using the optional patch to utilize iproute2, but the IPv6 tests will fail) Optional (to rebuild the documentation) , (or ), and User Notes: If you have chosen not to install net-tools, apply the iproute2 patch with the following command: patch -Np1 -i ../bind-&bind-version;-use_iproute2-1.patch Install BIND by running the following commands: ./configure --prefix=/usr \ --sysconfdir=/etc \ --localstatedir=/var \ --mandir=/usr/share/man \ --enable-threads \ --with-libtool \ --disable-static \ --with-randomdev=/dev/urandom && make Issue the following commands to run the complete suite of tests. First, as the root user, set up some test interfaces: If IPv6 is not enabled in the kernel, there will be several error messages: "RTNETLINK answers: Operation not permitted". These messages do not afffect the tests. The test suite may indicate som failures depending on installed optional dependencies and what configuration options are used. To run the tests as an unprivileged user, execute: make check Again as root, clean up the test interfaces: bin/tests/system/ifconfig.sh down Finally, install the package as the root user: make install && chmod -v 0755 /usr/lib/lib{bind9,dns,isc{,cc,cfg},lwres}.so && install -v -m755 -d /usr/share/doc/bind-&bind-version;/{arm,misc} && install -v -m644 doc/arm/*.html \ /usr/share/doc/bind-&bind-version;/arm && install -v -m644 \ doc/misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \ /usr/share/doc/bind-&bind-version;/misc sed ... bin/tests/system/conf.sh: This command removes tests that fail (some for unknown reasons). --sysconfdir=/etc: This parameter forces BIND to look for configuration files in /etc instead of /usr/etc. --enable-threads: This parameter enables multi-threading capability. --with-libtool: This parameter forces the building of dynamic libraries and links the installed binaries to these libraries. --with-randomdev=/dev/urandom: This parameter specifes a non-blocking random device for use with digital signatures. chmod 0755 /usr/lib/{lib{bind9,dns,isc{,cc,cfg},lwres}.so: Enable the execute bit to prevent a warning when using ldd to check library dependencies. cd doc; install ...: These commands install additional package documentation. Omit any or all of these commands if desired. named.conf, root.hints, 127.0.0, rndc.conf and resolv.conf /etc/named.conf /etc/rndc.conf /etc/resolv.conf /etc/namedb/root.hints /etc/namedb/pz/127.0.0.0 BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory. Create the unprivileged user and group named: groupadd -g 20 named && useradd -c "BIND Owner" -g named -s /bin/false -u 20 named && install -d -m770 -o named -g named /srv/named Set up some files, directories and devices needed by BIND: cd /srv/named && mkdir -p dev etc/namedb/{slave,pz} usr/lib/engines var/run/named && mknod /srv/named/dev/null c 1 3 && mknod /srv/named/dev/urandom c 1 9 && chmod 666 /srv/named/dev/{null,urandom} && cp /etc/localtime etc && touch /srv/named/managed-keys.bind && cp /usr/lib/engines/libgost.so usr/lib/engines && [ $(uname -m) = x86_64 ] && ln -sv lib usr/lib64 The rndc.conf file contains information for controlling named operations with the rndc utility. Generate a key for use in the named.conf and rdnc.conf with the rndc-confgen command: rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf && sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf Complete the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys: cat >> /srv/named/etc/named.conf << "EOF" options { directory "/etc/namedb"; pid-file "/var/run/named.pid"; statistics-file "/var/run/named.stats"; }; zone "." { type hint; file "root.hints"; }; zone "0.0.127.in-addr.arpa" { type master; file "pz/127.0.0"; }; // Bind 9 now logs by default through syslog (except debug). // These are the default logging rules. logging { category default { default_syslog; default_debug; }; category unmatched { null; }; channel default_syslog { syslog daemon; // send to syslog's daemon // facility severity info; // only send priority info // and higher }; channel default_debug { file "named.run"; // write to named.run in // the working directory // Note: stderr is used instead // of "named.run" // if the server is started // with the '-f' option. severity dynamic; // log at the server's // current debug level }; channel default_stderr { stderr; // writes to stderr severity info; // only send priority info // and higher }; channel null { null; // toss anything sent to // this channel }; }; EOF Create a zone file with the following contents: cat > /srv/named/etc/namedb/pz/127.0.0 << "EOF" $TTL 3D @ IN SOA ns.local.domain. hostmaster.local.domain. ( 1 ; Serial 8H ; Refresh 2H ; Retry 4W ; Expire 1D) ; Minimum TTL NS ns.local.domain. 1 PTR localhost. EOF Create the root.hints file with the following commands: Caution must be used to ensure there are no leading spaces in this file. cat > /srv/named/etc/namedb/root.hints << "EOF" . 6D IN NS A.ROOT-SERVERS.NET. . 6D IN NS B.ROOT-SERVERS.NET. . 6D IN NS C.ROOT-SERVERS.NET. . 6D IN NS D.ROOT-SERVERS.NET. . 6D IN NS E.ROOT-SERVERS.NET. . 6D IN NS F.ROOT-SERVERS.NET. . 6D IN NS G.ROOT-SERVERS.NET. . 6D IN NS H.ROOT-SERVERS.NET. . 6D IN NS I.ROOT-SERVERS.NET. . 6D IN NS J.ROOT-SERVERS.NET. . 6D IN NS K.ROOT-SERVERS.NET. . 6D IN NS L.ROOT-SERVERS.NET. . 6D IN NS M.ROOT-SERVERS.NET. A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4 B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201 C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12 D.ROOT-SERVERS.NET. 6D IN A 199.7.91.13 E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10 F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241 G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4 H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53 I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17 J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30 K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129 L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42 M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33 EOF The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from . Consult the BIND 9 Administrator Reference Manual for details. Create or modify resolv.conf to use the new name server with the following commands: Replace <yourdomain.com> with your own valid domain name. cp /etc/resolv.conf /etc/resolv.conf.bak && cat > /etc/resolv.conf << "EOF" search <yourdomain.com> nameserver 127.0.0.1 EOF Set permissions on the chroot jail with the following command: chown -R named:named /srv/named To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the package. bind make install-bind Now start BIND with the new boot script: /etc/rc.d/init.d/bind start Test out the new BIND 9 installation. First query the local host address with dig: dig -x 127.0.0.1 Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address: dig www.&lfs-domainname; && dig www.&lfs-domainname; You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual located at doc/arm/Bv9ARM.html in the package source tree, for further configuration options. Installed Programs Installed Libraries Installed Directories arpaname, bind9-config hardlinked to isc-config.sh, ddns-confgen, delv, dig, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-revoke, dnssec-settime, dnssec-signzone, dnssec-verify, genrandom, host, isc-hmac-fixup, lwresd hardlinked to named, named-checkconf, named-checkzone, named-compilezone (symlink), named-journalprint, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen, and tsig-keygen (symlink) libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so, libisccfg.so, and liblwres.so /usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,lwres,pk11,pkcs11}, /usr/share/doc/bind-&bind-version; and /srv/named Short Descriptions dig interrogates DNS servers. dig dnssec-keygen is a key generator for secure DNS. dnssec-keygen dnssec-signzone generates signed versions of zone files. dnssec-signzone host is a utility for DNS lookups. host lwresd is a caching-only name server for local process use. lwresd named is the name server daemon. named named-checkconf checks the syntax of named.conf files. named-checkconf named-checkzone checks zone file validity. named-checkzone nslookup is a program used to query Internet domain nameservers. nslookup nsupdate is used to submit DNS update requests. nsupdate rndc controls the operation of BIND. rndc rndc-confgen generates rndc.conf files. rndc-confgen