Deprecated Behaviour

The inane, sometimes insane, ramblings from the mind of Brenton Alker.

DNS (Bind9) Configuration

I have just set up a local DNS (bind9) server on my network, mainly because I got tired of forever editing my ‘hosts’ files, and just to see if I could… I have worked with DNS servers mainly through web-based front-ends, so I wanted to find out what the configuration really looked like. The most helpful and complete resource I came across was the BIND 9 Administrator Reference Manual (Good title). Here is the configuration I finally came up with (and some associated notes).

The Configuration Files

The ‘named.conf’ file that usually contains the main configuration information is split into 3 seperate files on the debian install.

named.conf

The ‘named.conf’ file is located in the ‘/etc/bind/’ directory, this is the main bind configuration directory on a debian install. The ‘named.conf’ file itself is written so there is probably no need to edit it. All personalisation of the service can be done using the ‘named.conf.options’ and ‘named.conf.local’ files that are referenced in the ‘named.conf’.

named.conf.options

‘named.conf.options’ pretty much contains the options block that is usually found in the top of the ‘named.conf’ file.

The directory parameter specifies the root directory where all relatively referenced files can be found (this is the default on debian)

The forwarders is a list of DNS servers that this server can ‘forward’ the query to if it doesn’t know the answer. This is pointed at my ISP’s normal DNS server (in this case, via the network router)

The auth-nxdomain directive instructs the server to answer as an authoritative source for non-existant (nx) records. It is generally a bad idea.

The allow-query directive is fairly self-explanatory, it provides a list of IP ranges that are permitted to query this server. In this case, I have limited access to the localhost and the private network.

The listen-on directive is similar, it provides a list of IPs that the server should listen on. In my case this is only the loopback and the private interface.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
options {
        directory "/etc/bind";
        forwarders {
                192.168.1.1;
        };
        auth-nxdomain no;    # conform to RFC1035
        allow-query {
            192.168.1.0/24;    # Only allow queries from the network and local machine
            127.0.0.0/24;
        };
         listen-on {
            192.168.1.100;
            127.0.0.1;
        };
};

On the debian package the file ‘named.conf.local’ is referenced by the ‘named.conf’ to provide information about the setup specific to this server. As such, there is little or no need to edit the ‘named.conf’ itself. My ‘named.conf.local’ defines 2 zones; ‘everyone-here.is-a-geek.com’, whichs maps the computers on the LAN, and the ‘1.168.192.in-addr.arpa’ zone, which provides the reverse dns information. While this is (especially on a LAN) pretty much un-used as far as I know, it’s still good practice to put it in, and it can be useful at times for resolving the “Which computer connected to my server?” question.

The type ‘master’ tells the server that it is the authority for this zone, and it should be able to answer definitively about requests for systems in it.

The file points to the ‘database’ file containing specific information about the contents of the zone. This file is relative to the path given earlier, but an absolute path can also be used.

1
2
3
4
5
//Add the zone for normal DNS lookup
zone "everyone-here.is-a-geek.com" {
        type master;
        file "db.everyone-here.is-a-geek.com";
};

The reverse zone is exactly the same as the forward zone. All reverse DNS zones end in ‘.in-addr.arpa’, the rest of the address is the IP in reverse (i.e 192.168.1. is my internal IP range, so to allow lookups I add entries for ‘1.168.192.in-addr.arpa’)

1
2
3
4
5
//Add the zone for reverse lookups
zone "1.168.192.in-addr.arpa" {
        type master;
        file "db.192";
};

The Database file(s)

db.everyone-here.is-a-geek.com

This one probably needs a bit more explanation, I think it’s easier if I comment it inline. Two important things to remember everything that doesn’t end in a “.” will be prepended to the base domain, and the @ is substituted for the base domain.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$TTL    604800
$ORIGIN everyone-here.is-a-geek.com.                            ;The base domain name (From now on = @)
@       IN      SOA     gir webmaster (                
                             1                ; Serial
                             604800        ; Refresh
                             86400          ; Retry
                             2419200       ; Expire
                             604800 )      ; Negative Cache TTL
;
@               NS         gir                  ;This is the nameserver
@               MX        10      gir         ;mail sent to @everyone-here.is-a-geek.com goes to this server
@               A          192.168.1.100   ;the "A" record specifies a direct pointer to the IP address
gir              CNAME   @                   ;each "CNAME" points to another entry (or domain) in this case gir points to the base domain
*               CNAME   gir                   ;and everything (*) points to gir
ben            A       192.168.1.69     ;My housemates desktop - an "A" record pointing to Ben's static IP
zyrtec         A       192.168.1.150   ;My desktop machine - ditto for mine

And the reverse table works the same way as the forward ones, except with the special .in-addr.arpa postfix.

/etc/bind/db.192

1
2
3
4
5
6
7
8
9
10
11
12
13
$TTL    1D
$ORIGIN 1.168.192.in-addr.arpa.
@       IN      SOA     gir.everyone-here.is-a-geek.com. hostmaster.everyone-here.is-a-geek.com. (
                             1                 ; Serial
                             604800         ; Refresh
                             86400           ; Retry
                             2419200        ; Expire
                             604800 )       ; Negative Cache TTL
;
@               NS      gir.everyone-here.is-a-geek.com.           ;Add entries for all known IP->hostname maps in the domain
100             PTR     gir.everyone-here.is-a-geek.com.
150             PTR     zyrtec.everyone-here.is-a-geek.com.
69               PTR     ben.everyone-here.is-a-geek.com.

So there you have it, thats pretty much the guts of my DNS configuration. It took some tweaking to get it right (syslog is you best friend on this one) but it now works for my needs.