I'm pretty much a dummy too, but I get by :-) Here is a basic working config that covers most of what you need.
It's impossible to give you a total Montell Jordan {grin 'this is how we do it....'} that will fit your exact needs without knowing a fair bit about your set up, but here is a rough working example.
You probably know that BIND has a utility called 'RNDC' (remote named daemon controller) that is useful for controlling it. Think of it as a 'remote control' system. So that not every Tom, Dick and Harry can control your BIND server, you create a secret key and tell BIND about it. There are a couple of ways to do this. One is to put the key itself into the named.conf file, the other is to put the path to a separate key file in named.conf. This example uses the latter.
The key needs some kind of random data and usually uses data from /dev/random. However, there is a known issue with the key generation script that can cause it to hang if it can't get random data from that location. The workaround is to use keyboard 'mashing' as a random source, but it takes a fair bit of typing to get the key. Enough waffle, generate the key by running 'rndc-confgen -a -r keyboard'
Code:
rndc-confgen -a -r keyboard
start typing:
...............................
...........................
...........................
...........................
...........................
...........................
...........................
...........................
stop typing.
wrote key file "/etc/bind/rndc.key"
The next step is to configure the rndc program so it can talk to BIND using the right key. This is done by copying the key details from the file you've just created (/etc/bind/rndc.key) and putting them in rndc.conf AND named.conf (note there are various ways to achieve this, some using external key files, but this will keep it simple for now).
So if the contents of /etc/bind/rndc.key look like this:
Code:
key "rndc-key" {
algorithm hmac-md5;
secret "/laladadadadeedaa==";
};
Create the file /etc/bind/rndc.conf containing:
Code:
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "/laladadadadeedaa==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
We will also put the secret key "/laladadadadeedaa==" into named.conf....
Create named.conf file:
Code:
# BIND example Server Configuration
key "rndc-key" {
algorithm hmac-md5;
secret "/laladadadadeedaa==";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
acl blacklisted {
66.90.64.0/18;
75.151.0.0/16;
208.36.0.0/15;
204.11.48.0/21;
};
acl lookups-allowed {
localhost;
localnets;
192.168.0.0/24;
192.168.1.0/24;
};
acl xfer-allowed {
192.168.0.0/24;
192.168.1.0/24;
};
options {
blackhole {blacklisted; };
directory "/etc/bind/";
recursion yes;
allow-query {lookups-allowed; };
allow-recursion {lookups-allowed; };
notify yes;
};
################################################################################
# Logging Configuration
#
logging {
#
# Define channels for the two log files
#
channel query_log {
severity info;
print-time yes;
# syslog takes a facility name (daemon, local0 ... local7), not a placeholder
syslog daemon;
};
channel activity_log {
severity info;
print-time yes;
print-category yes;
print-severity yes;
syslog daemon;
};
#
# Send the interesting messages to the appropriate channels
#
category queries { query_log; };
category default { activity_log; };
category xfer-in { activity_log; };
category xfer-out { activity_log; };
category notify { activity_log; };
category security { activity_log; };
category update { activity_log; };
#
# Dump all uninteresting messages
#
category network { null; };
category lame-servers { null; };
};
################################################################################
# Zone Configuration
#
#
# Specify the root name servers
#
zone "." IN {
type hint;
file "/etc/bind/zones/db.root";
};
#
# Configure zonefile
#
zone "example1.com" IN {
type master;
file "/etc/bind/zones/example1.com.zone";
#WHO ARE WE GOING TO ALLOW ACCESS TO THIS ZONE? IF IT IS LIMITED TO LOCAL USERS WE USE:
allow-query {lookups-allowed; };
#IF WE WANT THE WHOLE WORLD TO BE ABLE TO QUERY YOUR SERVER FOR THIS ZONE WE USE allow-query {any; };
allow-transfer {xfer-allowed; };
allow-update { none; };
};
zone "example2.com" IN {
type master;
file "/etc/bind/zones/example2.com.zone";
#WHO ARE WE GOING TO ALLOW ACCESS TO THIS ZONE? IF IT IS LIMITED TO LOCAL USERS WE USE:
allow-query {lookups-allowed; };
#IF WE WANT THE WHOLE WORLD TO BE ABLE TO QUERY YOUR SERVER FOR THIS ZONE WE USE allow-query {any; };
allow-transfer {xfer-allowed; };
allow-update { none; };
};
# Reverse IP mapping
#
zone "0.0.127.in-addr.arpa" {
type master;
file "/etc/bind/zones/db.127";
};
# reverse mapping to stop leaking of private address space
#
zone "10.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "16.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "17.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "18.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "19.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "20.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "21.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "22.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "23.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "24.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "25.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "26.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "27.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "28.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "29.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "30.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "31.172.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/192.168.1.zone";
};
zone "0.168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/192.168.0.zone";
};
zone "168.192.in-addr.arpa" {
type master;
file "/etc/bind/zones/empty.zone";
};
You now need to create your zonefiles, both to resolve the name to an IP address AND to do the opposite - resolve an IP back to a name.
For clarity I'll assume you have created a directory '/etc/bind/zones' to hold them. I'm going to assume that your domain is called 'example.local'.
I'll start with the generic empty zone used to stop requests for private networks 'leaking' to the internet:
'/etc/bind/zones/empty.zone'
Code:
; the SOA mailbox must end in a dot, or the zone origin gets appended to it
@ 10800 IN SOA ns.example.local. admin.example.local. (
        1 3600 1200 604800 10800 )
@ 10800 IN NS ns.example.local.
Now a reverse zonefile for your 192.168.0.x network. I'll assume you have three hosts in this network: Tom (192.168.0.10), Dick (192.168.0.20) and Harry (192.168.0.30).
/etc/bind/zones/192.168.0.zone
Code:
@ 10800 IN SOA ns.example.local. admin.example.local. (
        1 3600 1200 604800 10800 )
    IN NS ns.example.local.
; a line starting with whitespace keeps the previous owner (@ here);
; PTR targets must be absolute (trailing dot) or the reverse origin is appended
10 IN PTR tom.example.local.
20 IN PTR dick.example.local.
30 IN PTR harry.example.local.
Now a forward zonefile for example1.com. I'm going to assume your DNS Name Server is 192.168.0.1 and that you have a mail server (mx) called 'mail' at 192.168.0.50, a web server at 192.168.0.60 and, for the sake of illustration, a SQUID proxy server called 'squid' running on 192.168.0.70
/etc/bind/zones/example1.com.zone
Code:
$TTL 86400 ; 1 day
@ 10800 IN SOA ns.example.local. admin.example.local. (
        1 3600 1200 604800 10800 )
    IN NS ns.example.local.
; the next two records belong to the zone apex (example1.com) itself
    A 192.168.0.60
    MX 10 mail.example1.com.
ns A 192.168.0.1
mail A 192.168.0.50
www A 192.168.0.60
squid A 192.168.0.70
And example2.com - this time assuming a similar set of hosts but in the 192.168.0.1xx range
/etc/bind/zones/example2.com.zone
Code:
$TTL 86400 ; 1 day
@ 10800 IN SOA ns.example.local. admin.example.local. (
        1 3600 1200 604800 10800 )
    IN NS ns.example.local.
; the next two records belong to the zone apex (example2.com) itself
    A 192.168.0.160
    MX 10 mail.example2.com.
ns A 192.168.0.1
mail A 192.168.0.150
www A 192.168.0.160
squid A 192.168.0.170
A reverse zone for 127.x called 'db.127'
Code:
$TTL 86400 ; 1 day
0.0.127.in-addr.arpa. IN SOA ns.example.local. admin.example.local (
2008083001 ; serial
21600 ; refresh (6 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
0.0.127.in-addr.arpa. IN NS ns.example.local.
With the zone files in place all you would need to do is restart or reload the server either using '/etc/init.d/bind restart' - or 'rndc reload'.
This is basic and should work, but it lacks additional name servers, slave set up, a decision on if and how you are going to let it be authoritative to the whole world or just locally, and fine tuning for your hosts and needs.
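Before reloading, it helps to see the records named will actually build from these files, because '@', a blank owner column and any name written without a trailing dot are all expanded against the zone origin. The following is an added example of my own (not code from the post, and not BIND's parser): it reads a copy of the example1.com.zone above with the SOA mailbox written as 'admin.example.local' (no trailing dot) and a copy of the 192.168.0.zone with bare PTR targets, and prints what those names become. The zone texts are constructed from the post's examples and the parser only knows the handful of directives and record types used here.

```python
"""Expand a BIND master file the way named does, to see the records it will load.

Added example, not from the original post. Applies the loader rules for '@',
a blank owner column and relative names, so a name written without its trailing
dot shows up as the name BIND really stores. Deliberately minimal: $TTL, $ORIGIN,
'( )' continuations, ';' comments and the record types used in the post.
"""

# rdata positions that hold domain names and are therefore subject to origin expansion
NAME_FIELDS = {"NS": {0}, "CNAME": {0}, "PTR": {0}, "MX": {1}, "SOA": {0, 1}}

def qualify(name, origin):
    """Turn '@' or a relative name into an absolute one, as a master-file loader does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def logical_lines(text):
    """Drop ';' comments, join '( ... )' continuations, keep the first line's indentation."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf and not line.strip():
            continue
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth == 0:
            first, rest = buf[0], " ".join(part.strip() for part in buf[1:])
            buf = []
            yield (first + " " + rest).replace("(", " ").replace(")", " ")

def parse_zone(text, origin):
    """Return (records, warnings); each record is (owner, ttl, type, rdata list)."""
    origin = origin if origin.endswith(".") else origin + "."
    default_ttl, owner, records, warnings = None, origin, [], []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if fields[0] == "$ORIGIN":
            origin = qualify(fields[1], origin)
            continue
        if not line[0].isspace():        # a non-blank owner column starts a new owner
            owner = qualify(fields.pop(0), origin)
        ttl = default_ttl
        while fields and (fields[0].isdigit() or fields[0].upper() == "IN"):
            tok = fields.pop(0)           # optional TTL and class, in either order
            if tok.isdigit():
                ttl = int(tok)
        rtype = fields.pop(0).upper()
        rdata = []
        for i, f in enumerate(fields):
            if i in NAME_FIELDS.get(rtype, set()) and not f.endswith("."):
                # A dotted relative name, or any relative PTR target, is almost
                # always a forgotten trailing dot: the origin gets appended to it.
                if "." in f or rtype == "PTR":
                    warnings.append(f"{owner} {rtype} '{f}' loads as '{qualify(f, origin)}'")
                f = qualify(f, origin)
            rdata.append(f)
        records.append((owner, ttl, rtype, rdata))
    return records, warnings

# Constructed copy of the post's example1.com.zone, SOA mailbox without its trailing dot.
EXAMPLE1_ZONE = """\
$TTL 86400 ; 1 day
@ 10800 IN SOA ns.example.local. admin.example.local (
        1 3600 1200 604800 10800 )
    IN NS ns.example.local.
    A 192.168.0.60
    MX 10 mail.example1.com.
ns A 192.168.0.1
mail A 192.168.0.50
www A 192.168.0.60
squid A 192.168.0.70
"""
EXAMPLE1_ZONE_FIXED = EXAMPLE1_ZONE.replace("admin.example.local ", "admin.example.local. ")

# Constructed copy of the post's 192.168.0.zone with relative PTR targets ('tom', not 'tom.example.local.').
REVERSE_ZONE = """\
@ 10800 IN SOA ns.example.local. admin.example.local. (
        1 3600 1200 604800 10800 )
    IN NS ns.example.local.
10 IN PTR tom
20 IN PTR dick
30 IN PTR harry
"""

if __name__ == "__main__":
    for name, text, origin in (("example1.com.zone", EXAMPLE1_ZONE, "example1.com"),
                               ("192.168.0.zone", REVERSE_ZONE, "0.168.192.in-addr.arpa")):
        records, warnings = parse_zone(text, origin)
        print(f"== {name}: {len(records)} records")
        for warning in warnings:
            print("  WARNING:", warning)
```

Run it and the SOA mailbox comes out as admin.example.local.example1.com. and the PTRs as tom.0.168.192.in-addr.arpa. and so on, which is exactly what named would serve. The real tool for this is named-checkzone (its -D option dumps the zone as loaded), which you should run on every file before 'rndc reload'.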
You can test your server with the DIG or NSLOOKUP commands - example:
Code:
FORWARD TEST:
dig @192.168.0.1 mail.example1.com
dig @192.168.0.1 www.example1.com
dig @192.168.0.1 mx example1.com
REVERSE TEST
dig @192.168.0.1 -x 192.168.1.50
WITH NSLOOKUP
FORWARD TEST:
nslookup -querytype=A mail.example1.com 192.168.0.1
nslookup -querytype=A www.example1.com 192.168.0.1
nslookup -querytype=MX example1.com 192.168.0.1
REVERSE TEST
nslookup -querytype=PTR 192.168.1.60 192.168.0.1
FINALLY - MAKE SURE PORT 53 IS OPEN ON THE DNS SERVER TO ACCEPT REQUESTS, that you have set /etc/resolv.conf on any linux clients to use the nameserver you have just created, and pointed any Windows/Mac/Other hosts to use your NS ONLY and not multiple NSs (or your results will not be reliable)
THIS IS A VERY USEFUL GUIDE:
http://www.redhat.com/docs/manuals/l...e/ch-bind.html
NOTES ABOUT rndc. These are mentioned as I've seen lots of issues with the key if changed whilst BIND/NAMED is running
If you should get warnings like this:
Quote:
rndc: connection to remote host closed
This may indicate that
* the remote server is using an older version of the command protocol,
* this host is not authorized to connect,
* the clocks are not syncronized, or
* the key is invalid.
And you are sure the key /etc/bind/rndc.key matches in /etc/bind/rndc.conf and /etc/bind/named.conf try and stop bind with
/etc/init.d/bind9 stop
If you spot 'FAIL' then 'killall named', make sure it has stopped with /etc/init.d/bind9 stop {should report 'rndc: connect failed: 127.0.0.1#953: connection refused' as it's down already} then restart it '/etc/init.d/bind9 start' and check 'rndc reload' works.
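The key-copying step earlier and the 'connection to remote host closed' note above come down to the same question: do rndc.key, rndc.conf and named.conf really hold the same key block, and is the key file kept away from other users? Here is an added example of my own (not from the post, and not a BIND tool) that answers that offline. It pulls the key { } block out of each file and compares name, algorithm and secret, checks the secret is base64 as rndc-confgen writes it, and flags any copy that is world-readable (Debian's root:bind 0640 layout is assumed in the demo). The file contents demo() writes are constructed and the secret is a made-up value.

```python
"""Cross-check the shared rndc key in rndc.key, rndc.conf and named.conf.

Added example, not from the original post. Parses the key { } blocks of each
file, confirms they agree on name, algorithm and secret, that the secret is
base64 as rndc-confgen writes it, and that no copy is world-readable.
The files written by demo() are constructed; the secret is a made-up value.
"""
import base64
import binascii
import os
import re
import stat
import tempfile

# key "name" { ... };  -- the algorithm and secret statements may appear in either
# order, so the block body is captured first and searched separately.
KEY_BLOCK = re.compile(r'\bkey\s+"([^"]+)"\s*\{([^}]*)\}', re.DOTALL)
ALGO = re.compile(r'\balgorithm\s+([\w-]+)\s*;')
SECRET = re.compile(r'\bsecret\s+"([^"]*)"\s*;')

def parse_keys(text):
    """Return {key_name: (algorithm, secret)} for every key block in a config text."""
    keys = {}
    for name, body in KEY_BLOCK.findall(text):
        algo, secret = ALGO.search(body), SECRET.search(body)
        if algo and secret:
            keys[name] = (algo.group(1).lower(), secret.group(1))
    return keys

def check_rndc_keys(paths, key_name="rndc-key"):
    """Return a list of problems; an empty list means all files agree on the key."""
    problems, seen = [], {}
    for path in paths:
        try:
            with open(path) as fh:
                keys = parse_keys(fh.read())
        except OSError as exc:
            problems.append(f"{path}: cannot read ({exc.strerror})")
            continue
        # The bind group has to read it, but nobody else should see key material.
        if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IROTH:
            problems.append(f"{path}: world-readable")
        if key_name not in keys:
            problems.append(f"{path}: no usable key block named {key_name!r}")
            continue
        algo, secret = keys[key_name]
        try:
            base64.b64decode(secret, validate=True)
        except binascii.Error:
            problems.append(f"{path}: secret of {key_name!r} is not valid base64")
        seen[path] = (algo, secret)
    if len(set(seen.values())) > 1:
        problems.append("key blocks differ between: " + ", ".join(seen))
    return problems

SECRET_OK = base64.b64encode(b"0123456789abcdef").decode()   # constructed, not a real key

def key_block(secret):
    return f'key "rndc-key" {{\n    algorithm hmac-md5;\n    secret "{secret}";\n}};\n'

def write_files(directory, named_conf_secret):
    """Write constructed rndc.key, rndc.conf and named.conf; return their paths."""
    contents = {
        "rndc.key": key_block(SECRET_OK),
        "rndc.conf": key_block(SECRET_OK)
            + 'options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; };\n',
        "named.conf": key_block(named_conf_secret)
            + 'controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };\n',
    }
    paths = []
    for name, text in contents.items():
        path = os.path.join(directory, name)
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, 0o640)        # root:bind 0640, the usual Debian layout
        paths.append(path)
    return paths

def demo():
    """Return (problems when all three agree, problems when named.conf holds a stale secret)."""
    with tempfile.TemporaryDirectory() as tmp:
        agreeing = check_rndc_keys(write_files(tmp, SECRET_OK))
        stale = check_rndc_keys(write_files(tmp, base64.b64encode(b"old-key-material").decode()))
    return agreeing, stale

if __name__ == "__main__":
    for label, problems in zip(("consistent", "stale named.conf"), demo()):
        print(label, "->", problems or "OK")
```

To use it on a live box, call check_rndc_keys(["/etc/bind/rndc.key", "/etc/bind/rndc.conf", "/etc/bind/named.conf"]) as root; a 'key blocks differ' line is the case the note above describes, where a key was regenerated while named was still running on the old one, and the fix is the stop / killall / start sequence given there.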