-   Linux - Networking (
-   -   First steps with DNS / BIND and now? (

Satriani 09-05-2003 03:44 PM

First steps with DNS / BIND and now?
Hi all (again)....

I'm trying to shutdown my windoze server and change it to linux.

The first step i wanted to take was setting it up as a DNS server. (As my windowz server is now).
So, i left everything as it was default in the named.conf and added two zone's:
One for ""
and one for reverse lookup: ""

These seem to work ok, dig shows up with the ip adres of my server and said it queried my dns server. Also reverse is working.

Next step in this DNS adventure is to forward all queries my DNS server cannot resolve in its files to my ISP's DNS server.
I read something about forwarders, but I did not find a good example on the books or the web.

And finally, (as soon as my DHCP server is installed) i want to assign IP addresses and dynamically update the zone-files with the hostnames of the clients....

Anyone willing to point me in the right direction? (Or even better, help me with a complete solution?)



DaveG 09-05-2003 06:55 PM

Use the latest ISC BIND and DHCP releases ( to do the dynamic updates of DNS from DHCP. The documentation covers setting up security keys and restricting DNS updates to authorised machines only.

Most of the DNS forwarding activity will be through the root zone. If your internet connection is always on, then the standard root zone files provided should work OK, just plug in the ISP's name server addresses.

If you dial up using PPP then the name server addresses can change each time. I capture them in the PPP scripts and pass them on to BIND via a generated config file. The root zone file I use is actually empty. It speeds up negative replies.

I'd consider not using "" unless you actually own the name. BIND will try asking the internet about unknown local hosts because of the ".com" ending, leaving you open to hackers. I use "xxx.localnet" with a block of 192.168 addresses. Any DNS confusion results in "host not found" without leaving the local network.

Have fun and happy hacking!

P.S. Don't forget to punch a hole in your firewall. I wasted a weekend over that!

Satriani 09-06-2003 05:00 PM

Thanks for your reply! I wasn't going to use "" for my domainname. I have a registered domainname on the internet. (Lets just say its "") The entries in there point to my external IPaddress.

Now, what I didn't get in your answer is "just plug in the ISP's name server addresses" and the empty root zone file, and the block of 192.168 address part. Can you please explain that to me? (Or post an example?)

And the firewall thingie: I now use my windowz server as a master DNS server for my "" and its caching names for the rest of the domains. (It looks up addresses against my ISP). It works flawlessly, and there is no firewall issue what so ever. So should i open the port 53? Because everything seems to wotk ok with MS-DNS server.

Lots of questions again, but help is very much appreciated.


Satriani 09-08-2003 08:19 AM

I found some more info on DNS, and it seems to work ok now,
only thing I still don't get is the caching / forwarders part:

I want to do a lookup against my ISP's DNS servers IF and ONLY IF the domain is not in my zone's. ( I have registered domainname on the internet, pointing to my external IP address, but on my lan, I use the same name, pointing to my internal IP addresses)

Also I would like to cache the names.

Any ideas?

DaveG 09-08-2003 06:57 PM

This is how my system is set up. Names and numbers have been altered to protect my innocence! All of the services are provided by one box (a 486!): DHCP server, DNS server, WINS server (Samba) and the firewall.

Firewall stuff (assumes netfilter with connection tracking):
The DNS server must accept port 53 TCP or UDP connections from the local subnet and it's loopback port.
It must be able to send port 53 TCP or UDP to the internet.
The DHCP server must be able to receive UDP port 67 and 68 on the broadcast address and output to port 68 on the local network.
# Connection tracking
iptables -t filter -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -t filter -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
# DNS (on
iptables -t filter -A INPUT -i eth0 -s -d -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS1] -p tcp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS2] -p tcp --dport 53 -j ACCEPT
iptables -t filter -A INPUT -i eth0 -s -d -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS1] -p udp --dport 53 -j ACCEPT
iptables -t filter -A OUTPUT -o ppp0 -d [ISP-DNS2] -p udp --dport 53 -j ACCEPT
# DHCP (serving 192.168.1.x)
iptables -t filter -A INPUT -i eth0 -d -p udp --sport 67:68 --dport 67:68 -m state --state NEW -j ACCEPT
iptables -t filter -A OUTPUT -o eth0 -d -p udp --sport 67 --dport 68 -m start --state NEW -j ACCEPT

The rndc control path must also be opened up to allow DHCP to update BIND.

// named.conf -- bind/DNS configuration file
// Created by daveg, January 9, 2002

// alias for all "internal" (secure) subnets
acl "internal" {; };

// Global options
options {
directory "/var/named"; // Working directory
pid-file "/var/run/";
dump-file "/var/run/named_dump.db";
statistics-file "/var/run/named.stats";
listen-on { // Doesn't listen on internet port!; // Loopback for local resolution; // localhost port for internal network (eth0?)
}; // Only listen on internal ports
version "N/A"; // Don't give any help
allow-transfer { "localhost"; }; // No external zone transfers
allow-recursion { // Only query for local clients
allow-query { // Only serve local clients

// See BIND documentation (dnssec-keygen)
// Same key string used in /etc/dhcpd.conf and /etc/rndc.key
key "rndckey" {
algorithm hmac-md5;
secret "like I'm gonna publish that!";

// For rndc external DNS control
controls {
inet port 953 allow { localhost; } keys { "rndckey"; };

// Reverse mapping for loopback
zone "" in {
type master;
file "127.0.0.dns";

// Forward master for local net
zone "" in {
type master;
file "";
allow-update { key "rndckey"; }; // For dynamic DHCP updates

// Reverse master for local net
zone "" in {
type master;
file "192.168.1.dns";
allow-update { key "rndckey"; }; // For dynamic DHCP updates

// Root zone - forward everything, no hint file
zone "." in {
type forward;
forward only;
forwarders {; // DNS1 from ISP; // DNS2 from ISP
The root zone is set to forward all queries to the ISP's servers and cache the results. The "standard" setup uses a root "hints" file that will cause BIND to start querying all over the internet. Why chew up your own bandwidth?

The "standard" setup also assumes that all the required "glue" records are in place to correctly delegate "" from ".com".

Also check /etc/resolv.conf and /etc/nsswitch.conf on the name server machine.

And for dynamic DHCP
# dhcpd.conf -- DHCP 3.0 server configuration file
# Created by daveg, January 24, 2003

# Global parameters
default-lease-time 86400; # 1 day
max-lease-time 259200; # 3 days

# Global declarations

# Internal (secure) subnet
subnet netmask {
# Subnet declarations
range; # Dynamic addresse allocation range
deny bootp;
deny client-updates; # Keep it simple
default-lease-time 259200; # 3 day
max-lease-time 604800; # 7 days
# Subnet dhcp options
option subnet-mask;
option broadcast-address;
option routers; # Firewall box
option domain-name "";
option domain-name-servers; # Name server box
# Subnet WINS options
option netbios-name-servers,; # Samba/NT WINS server
option netbios-node-type 2; # Hybrid

# DDNS glue
ddns-update-style interim;
# For debugging, logging, etc.
# update-optimization off;

key rndckey {
algorithm hmac-md5;
secret "like I'm gonna publish that!";

zone {
primary; # Just happens to be on the same box
key rndckey;

zone {
primary; # Just happens to be on the same box
key rndckey;

One day I'll get round to putting this all on a web page or two!
The DNS-HOWTO was a good starting point but doesn't cover the dynamic updates.
The DHCP mini-HOWTO was also useful. See

Hope it helps!

Satriani 09-09-2003 07:25 AM


Thank you sooooo much. I was struggling (googling) with it for a couple of days now, and didn't find any good example of what I wanted.
Your post is exactly the way I wanted to go. I think this is a very usefull post to all people with the same problem.

So, in 3 words: You are great!

Thanks again!


Satriani 09-09-2003 02:45 PM

Okay, so now I ran into some strange problems....

I made some updates on my domains zone, and did:
rndc refresh
It did not work: in /var/log/messages i see the error:

Sep  9 21:31:10 myserver named[11732]: zone cannot refresh: no masters
Anyone ideas ?

greggy69 09-10-2003 03:00 AM

NOPe! :D

You tell us since you've got this thing working last night!


Satriani 09-10-2003 06:04 AM

Im sorry Greggy... I got it working only half way:

It seems to work now, but I don't know why. And i'm not completely sure of it
Sometimes it works exactly as planned, other times i see the no masters error again.
Last night i did a dig on a record, and I got a SERVFAIL error.
So there must be something wrong.

Any help would be appreciated!

GraemeK 09-10-2003 08:27 AM

i got servfail errors with name lookups and narrowed it down to the file permissions...

change the file to full permissions for test purposes and restart the deamon.

see if that makes a differance, it did for me...


Satriani 09-10-2003 10:01 AM

I did change all the filepermissions, set it all up again, and again....
Still: When I do:

rndc refresh
I see in the /var/log/messages:

myserver named[11732]: zone cannot refresh: no masters
I am really getting a bit frustrated now.. I checked with a friend of mine who knows a lot about bind, and he checked my conf's. They would be OK.
So really: Any help would be so appreciated! Im almost starting to regret my transfer to linux DNS instead of W2k DNS server....
(Cuz on W2k it worked just as I wanted it to.)

DaveG 09-11-2003 04:08 AM

Hi Satriani,

The rndc refresh command is for updating any local slave zones from a master server. e.g. failover and load ballancing. If you are using it to copy a zone from one machine to another, you need to set the zone type to "slave" in named.conf for the transfer.

If you just want to make zone file edits live, use the rndc reload command. Check near the end of Chapter 3 of the BIND 9 Administrator Reference Manual and take care - you need to do an rndc stop to force the dynamic DHCP records in to the zone file from cache.

P.S. Don't go back! Look how much you have learned about DNS! Configuring Linux is hard work the first time round, but for me, I think it was worth the effort.

Satriani 09-11-2003 04:31 AM

DaveG: Thank you so much.
I must have overlooked the part of refresh, it was in the BIND-admin guide indeed! :study: Also the part of rndc stop was in there, and i remember reading that. I didn't make the link with the refresh however.

I finally got it working now. Only thing I don't like about it is that indeed you need to stop your named to make any changes. But, that's why a second BIND server should be setup I presume....

And, to be frankly: I do not want to change back to windows. I must say that I am enjoying the basic computer things again since i switched to linux. But some things get so frustrating..... :cry:

Thanks! I think my server is up and running now for everything I wanted to do....
If i can return the favor, just ask..... :D

greggy69 09-11-2003 06:06 AM

Great! You are now allowed do it all again on my server! :p

Satriani 09-11-2003 08:40 AM

Yeah! And keep you from learning anything.... Just use this great thread, and you should be able to get it working...

All times are GMT -5. The time now is 03:23 PM.