Installing and Configuring a Primary Bind9 Server (Master)
Introduction
BIND (Berkeley Internet Name Domain) is the most widely used DNS server on the Internet, especially on Unix-like systems. It is currently maintained by the Internet Systems Consortium.
A new version of BIND (BIND 9) was rewritten to solve some architectural issues in the initial code and to add support for DNSSEC (DNS Security Extensions).
Here we specify that name lookups made from the server itself should consult the hosts file first and then BIND.
Note: This modification is not needed for OpenBSD.
rndc.conf
Introduction to TSIG Keys
Transaction signatures ("TSIG") are a simpler form of DNS security. They use cryptographic hash functions to generate pseudo-signatures of DNS packets. The hash value is a combination of actual DNS data, timestamps to prevent replay attacks, and a shared secret between client and server. Since both entities involved in the DNS lookup must know the shared secret, TSIG signatures can only really be implemented in environments where systems are under common administrative control and where confidentiality of the shared secret can be absolutely guaranteed. In the case of ENUM, this means they can and should be used among ENUM level 0 name servers. For example, they can be used to validate zone transfers or dynamic update requests, with these functions being restricted to trusted clients because they know the shared secret.
Creating a TSIG Key
If you're on OpenBSD, we'll simplify things a bit, and to ensure this tutorial has the same paths everywhere, we'll create a symbolic link:
The acl section lets you define access lists that can be reused in other sections of the configuration file. The following definition describes the internal clients:
Ideally, put each zone and view in its own file and include it from named.conf. For simplicity, we keep everything in the same file here.
The view sections define the server's behaviour according to the IP address of the client sending the request, so that DNS responses can be differentiated. We define two views:
One for clients in the internal and DMZ zones: recursion must be re-enabled for these requests, and resolving any name (the "." zone, via the root hints) must be allowed.
Another for requests coming from outside (e.g. the Internet): only queries for the zone this DNS server is authoritative for are allowed:
Replace the first field with the FQDN of your machine; the second is the administrator's email address (here root@deimos.fr). The address is written in a special way, with the @ replaced by a dot (root.deimos.fr.), but it works.
                7200            ; Refresh
                3600            ; Retry
                1209600         ; Expire
                604800 )        ; Negative Cache TTL
        NS      mufasa.deimos.fr.
        A       88.162.130.192
        NS      ns6.gandi.net.
        NS      shenzi.deimos.fr.
        MX 5    mufasa.deimos.fr.
        MX 10   shenzi.deimos.fr.
        TXT     "v=spf1 ip4:192.168.0.0/24 a mx ~all exp=getlost.deimos.fr"
getlost         TXT     "You are not allowed to send a message from this domain"
_deimos.fr      TXT     "t=y; o=-;"
m1._deimos.fr   TXT     "g=; k=rsa; p=;...IWWiAyklt5FDmS2U7QIDAQAB..."
For the TXT records, see the other articles that deal with SPF.
$TTL    604800
@       IN      SOA     simba.deimos.fr. root.deimos.fr. (
                2010301201      ; Serial (date + increment)
                7200            ; Refresh
                3600            ; Retry
                1209600         ; Expire
                604800 )        ; Negative Cache TTL
        NS      simba.deimos.fr.
        A       88.162.130.192
        A       88.191.31.89
        NS      ns6.gandi.net.
        NS      shenzi.deimos.fr.
        MX 5    simba.deimos.fr.
        MX 10   shenzi.deimos.fr.
        TXT     "v=spf1 ip4:192.168.0.0/24 a mx ~all exp=getlost.deimos.fr"
getlost         TXT     "You are not allowed to send a message from this domain"

1       PTR     localhost
2       PTR     simba
3       PTR     ns6.gandi.net
4       PTR     shenzi.deimos.fr
The PTRs should go from smallest to largest based on priorities.
BIND versions from 9.3 onwards apply stricter checks on domain name validity (check-names): owner names may no longer contain _ (0x5f in the ASCII table), as stipulated by RFC 1035. This is however quite unfortunate for me because I have several domains containing _.
Mar 6 07:48:08 dns3 named[25459]: pri/rags.ch.hosts:25: wisteria_lane.rags.ch: bad owner name (check-names)
Mar 6 07:48:08 dns3 named[25459]: zone rags.ch/IN: loading master file pri/rags.ch.hosts: bad owner name (check-names)
Oct 2 17:29:03 star1 named[5120]: zone 'deimos.fr' allows updates by IP address, which is insecure
This simply means that your RNDC key is not being used for updates. To use it with ACLs, add your secondary servers to the "controls" section and only allow updates (at zone level) when they are signed with the RNDC key:
Now restart your DNS server and there are no more problems, exchanges are encrypted :-)
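The following named.conf fragment is an added example (not the page's own configuration) that brings together the acl/view split described above and the key-based allow-update that silences the "allows updates by IP address" warning. Assumptions: the ACL name "internal", the key name "rndc-key" with a placeholder secret, the DMZ range 10.0.1.0/24, the file names under /var/named, and BIND 9.10 or later for the in-view statement.

```conf
// Added example, not the page's own config. Assumed: ACL "internal",
// key "rndc-key" (placeholder secret), DMZ range 10.0.1.0/24, file names.
acl "internal" {
    127.0.0.1;
    192.168.0.0/24;     // LAN (the range used in the SPF record above)
    10.0.1.0/24;        // DMZ (assumed range)
};

key "rndc-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";  // placeholder: generate with tsig-keygen
};

// rndc control channel: local only, and only with the key.
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    directory "/var/named";    // assumed layout
    recursion no;              // closed by default; re-opened only in the internal view
    allow-transfer { none; };  // transfers are granted per zone, by key, below
};

// Internal and DMZ clients: recursion on, root hints so any name resolves.
view "internal" {
    match-clients { internal; };
    recursion yes;
    zone "." { type hint; file "named.root"; };
    zone "deimos.fr" {
        type master;
        file "deimos.fr.zone";
        allow-update   { key "rndc-key"; };  // signed updates only, never by IP
        allow-transfer { key "rndc-key"; };  // secondaries must sign with the key
    };
};

// Everyone else: no recursion, only the zone we are authoritative for.
view "external" {
    match-clients { any; };
    recursion no;
    zone "deimos.fr" { in-view "internal"; };  // same zone data and ACLs, one journal
};
```

Sharing the zone between the two views with in-view avoids two views writing the same zone file and journal through dynamic updates.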
too many timeouts resolving 'mycompany.com/MX' (in 'eu'?): disabling EDNS
This error appears when a resolution times out because EDNS UDP packets are larger than the path allows. It can be very annoying, especially for inbound email, which may be delayed by a few hours. The solution is to add this line:
Then restart the bind service. If the problem persists, try lowering the size (change from 1460 to 500, for example). You can test this with the dig command; use it like this until you no longer get timeouts: