Introduction link
When you want to set up your own DNS server, you must have a secondary server. If you don’t have other machines, you can use Gandi, otherwise follow this guide.
Don’t forget to declare the secondary server on the primary server.
Installation link
On the secondary server:
For OpenBSD, nothing to do, it’s already installed by default.
Configuration link
Before beginning, declare your secondary servers in your domain name records (update NS records + ACL in named.conf), otherwise notifications won’t work.
Configuration of Permissions link
If you want a chrooted environment, proceed as follows, otherwise skip this step:
1
2
3
4
5
6
7
8
9
10
11
| mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
|
Then edit the /etc/default/bind9 file to tell it to chroot at service startup:
1
2
| OPTIONS="-u bind -t /var/lib/named"
...
|
host.conf link
Here’s how to configure the /etc/host.conf file:
1
2
| order hosts,bind
multi on
|
We are saying here to first look in the hosts file and then in Bind when queries are made from the server.
named.conf link
This file must contain the same information for RNDC and external zone (to replicate):
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
| include "/etc/bind/named.conf.options";
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
// TSIG Security | RNDC Key
key "rndc-key" {
algorithm hmac-md5;
secret "a4fGtm0fB4zO+4KfqH/zNZ3nPq+ThM5yUCEE7AqzEVI=";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "127.in-addr.arpa" {
type master;
notify no;
file "/etc/bind/db.127";
};
// Starting secondary transfert zones
view "externe" {
match-clients {
any;
};
// Recursion not permited for World Wide Web
recursion no;
zone "deimos.fr" {
type slave;
file "/etc/bind/db.deimos.fr";
notify yes;
masters {
88.162.130.192;
};
};
zone "mavro.fr" {
type slave;
file "/etc/bind/db.mavro.fr";
notify yes;
masters {
88.162.130.192;
};
};
zone "0.168.192.in-addr.arpa" {
type slave;
file "/etc/bind/db.0.168.192.inv.local";
notify yes;
masters {
88.162.130.192;
};
};
};
|
named.conf.options link
Same file as for the primary server:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
| options {
directory "/var/cache/bind";
pid-file "/var/run/bind/run/named.pid";
// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
query-source address * port 53;
// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.
// forwarders {
// 0.0.0.0;
// };
// For dial up connections
dialup yes;
allow-query {
any;
};
// Security version
version "Microsoft 2000 DNS Server";
auth-nxdomain no; # conform to RFC1035
};
|
rndc.conf link
We’re using exactly the same file again as for the primary server:
1
2
3
4
5
6
7
8
9
10
| key "rndc-key" {
algorithm hmac-md5;
secret "a4fGtm0fB4zO+4KfqH/zNZ3nPq+ThM5yUCEE7AqzEVI=";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
|
Don’t forget to copy the rndc.key file from the primary server to the /etc/bind directory and assign it the correct permissions.
Verification link
All that’s left is to restart the bind server and the domain name configuration files will automatically appear in /etc/bind:
1
| /etc/init.d/bind9 restart
|
No files appear and the logs say there are no permissions link
The solution is simple:
1
| chown -Rf root:bind /etc/bind
|
Why do I have this message in my logs: refused notify from non-master link
Here’s the type of message you might encounter when you’re not lucky:
1
| Oct 2 16:43:50 tasmania named[7978]: zone deimos.local/IN/internalview: refused notify from non-master: 192.168.0.27#37097
|
This is due to a Bind update (9.3). You simply need to authorize the server to notify itself in your named.conf by adding allow-notify:
1
2
3
4
5
6
7
8
9
| ...
zone "deimos.local" {
type slave;
file "/etc/bind/db.deimos.local";
notify yes;
masters { 192.168.0.69; };
allow-notify { 192.168.0.27; };
};
...
|
refresh: failure trying master 53 (source 0.0.0.0#0): operation canceled link
This is certainly due to a firewalling problem, make sure your port 53 is open for both TCP and UDP on both sides.
could not open entropy source /dev/random: file not found link
If you encounter this problem, you are probably working in a vserver. To work around the issue, add a bcapabilities:
1
| echo CAP_MKNOD >> /etc/vservers/ed/bcapabilities
|
This will avoid problems like these in the logs:
1
2
| 24530 Oct 4 21:12:27 ed named[8642]: could not open entropy source /dev/random: file not found
24531 Oct 4 21:12:27 ed named[8642]: using pre-chroot entropy source /dev/random
|
Resources link
Last updated
04 Oct 2009, 19:25 CEST. history