########################## DNS configuration using BIND ###################################
### basic Master configuration:
# install bind
apt install bind9
# configuration files are in /etc/bind
# the file named.conf refers to the configuration files you need to edit
# edit the file named.conf.local with your server's zone data (example in named.conf.default-zones)
# example of a zone called "example.com":
zone "example.com" {
type master;
file "/etc/bind/db.example";
};
# copy the content of db.local to a new file with the same name as the one you mentioned
# in the zone description, in this case "db.example":
cp /etc/bind/db.local /etc/bind/db.example
# edit that new file with the data from your server
nano /etc/bind/db.example
# example of the content in db.example (you may exclude the extra comments):
; this is a comment; comments are preceded by a semicolon
; BIND data file for my DNS server
;
$TTL 604800
@ IN SOA server.example.com. root.example.com. (
2024050201 ; Serial (convention: YYYYMMDD followed by a sequence number within that day)
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS server.example.com. ;the name server that answers for this zone
@ IN MX 10 mail ;if you have a mail server
server IN A 192.168.1.250 ;if your DNS server has an IPv4 address
server IN AAAA 2001:db8::12 ;and/or, if your DNS server has an IPv6 address
mail IN A 192.168.1.250 ;if you have a mail server with IPv4 address
www IN A 192.168.1.250 ;if you have a web server with IPv4
www IN AAAA 2001:db8::12 ;if you have a web server with IPv6
# REMEMBER to increase the Serial number whenever you update this file
# restart bind and check its status
systemctl restart bind9
systemctl status bind9
# if you see a message "all zones loaded" after the last command, it's working!
# troubleshooting: if you need to troubleshoot any error message, check the
# logs at /var/log/syslog
#########################################################################################
### how to force your server to respond for any DNS queries made in your own system:
mv /etc/resolv.conf /etc/resolv.conf.orig
nano /etc/resolv.conf
nameserver 127.0.0.1 #write this line inside the file
# to test it
nslookup
server #the answer received should be the address you configured: 127.0.0.1
#########################################################################################
### NOTE: before any DNS query, your system always consults this file first:
/etc/hosts
#########################################################################################
### (optional) RESTRICT use of the DNS server as a RECURSIVE resolver:
## add the following lines to the file /etc/bind/named.conf.options, inside the 'options'
## section, according to what you wish to configure:
# to force your DNS to work only as authoritative (NOT RECURSIVE):
recursion no;
# to allow queries (and therefore recursion) ONLY from specific IPs or IP ranges
# (note: allow-query limits every query, not just recursive ones, so clients outside the list
# also lose access to the zones this server is authoritative for):
allow-query {192.168.1.0/24; 127.0.0.1;};
# restart bind to apply the new configuration:
systemctl restart bind9
#########################################################################################
### reverse DNS (PTR):
# update the local zones files /etc/bind/named.conf.local with the desired IPv4 and/or
# IPv6 zones. Example:
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/bind/db.example.rev4";
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa" {
type master;
file "/etc/bind/db.example.rev6";
};
# copy the db.127 file to use as a model:
cp db.127 db.example.rev4
nano db.example.rev4
# example of the content of the new reverse file (you may exclude the extra comments):
;
; BIND reverse data file for my DNS server
;
$TTL 604800
@ IN SOA server.example.com. root.example.com. (
2024050101 ; Serial
604800 ; Refresh
86400 ; Retry
2419200 ; Expire
604800 ) ; Negative Cache TTL
;
@ IN NS server.example.com.
250 IN PTR server.example.com.
250 IN PTR mail.example.com.
250 IN PTR www.example.com.
# copy the .rev4 to use as a model:
cp db.example.rev4 db.example.rev6
nano db.example.rev6
# update only the PTR lines according to what you need with IPv6. Example:
2.1.0.0.0.0.0.0 IN PTR server.example.com.
2.1.0.0.0.0.0.0 IN PTR www.example.com.
# restart bind and check its status
systemctl restart bind9
systemctl status bind9
#########################################################################################
### DNSSEC server-side (only on Master server):
# create keys
dnssec-keygen -a RSASHA512 -f KSK example.com
# this will generate 2 files with .key and .private extensions
# sign the domain
dnssec-signzone -S -z -o example.com db.example
# this will generate a new db file with .signed extension
## by default the signatures expire 30 days after signing
## you may change that by adding the -e flag to the command, using the format 'YYYYMMDDHHMMSS':
dnssec-signzone -e 20241231235959 -S -z -o example.com db.example
# update the zone registry in the file /etc/bind/named.conf.local with the
# new db file name 'db.example.signed'
# restart bind
systemctl restart bind9
# use the next command to obtain the keytag and digest values
cat dsset-example.com.
# it should generate a line like this (illustrative only: the algorithm and digest-type numbers
# in your own dsset file correspond to the key you generated above):
# example.com IN DS 15469 5 1 5EC0184678E0B7DC3AACFFA5D0EB9DBA1F3F6C37
# the number after DS is the keytag, and the long hexadecimal string at the end (together with
# any short continuation after it) is the digest!
# use the keytag and digest values to update the registry with the Domain Name Registrar
## It is IMPORTANT to REMEMBER to resign the zone before the expiration date:
# > Increment the 'Serial' number in the db original file (db.example)
# > Sign the zone again with dnssec-signzone command
#########################################################################################
### Delegate subdomain:
## on the Master server:
# edit your db file:
nano db.example
# add these lines, naming the subdomain's name server and the address that resolves it:
subdomain_name IN NS server2.subdomain_name.example.com.
server2.subdomain_name IN A 192.168.1.97
## on the Subdomain server:
# set the configurations for the subdomain as you need them, following the same
# steps you did on the basic Master configuration.
#########################################################################################
### DNS Slave configuration:
## on the Master server:
# edit the file /etc/bind/named.conf.local and add the 'allow-update', 'allow-transfer' and
# 'also-notify' lines to the zone you wish to share, e.g.:
zone "example.com" {
type master;
file "/etc/bind/db.example";
allow-update { none; };
allow-transfer { 200.200.200.201; }; //Slave's IP
also-notify { 200.200.200.201; }; //notify Slave
};
# restart bind
systemctl restart bind9
## on the Slave server:
# install bind and other:
apt install bind9 bind9utils bind9-doc dnsutils
# edit the file /etc/bind/named.conf.local and add the zone whose data you want
# to receive, e.g.:
zone "example.com" {
type slave;
file "/var/cache/bind/db.example";
masters { 192.168.1.250; }; //Master's IP
};
# restart bind
systemctl restart bind9
#########################################################################################
ATTENTION: Always read a script before you run it!!!
To run a basic DNS master configuration script, with one NS and one www page, run the following command line in your server's terminal (the chained '&&' commands execute the script as root right after downloading it; to read it first, run the wget step alone, inspect bind.sh, then run the remaining steps):
wget -nc https://www.maycke.com.br/guides/raw/bind.sh && chmod 700 bind.sh && sudo ./bind.sh && sudo rm bind.sh
#########################################################################################