Beyond Linux® From Scratch (System V Edition) - Version 2021-04-13

Chapter 20. Major Servers

BIND-9.16.13

Introduction to BIND

The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the BIND Utilities-9.16.13.

This package is known to build and work properly using an LFS-10.1 platform.

Package Information

  • Download (FTP): ftp://ftp.isc.org/isc/bind9/9.16.13/bind-9.16.13.tar.xz

  • Download MD5 sum: d9ae4f2f3c0e2d8f7a50e1bc0097f54c

  • Download size: 4.8 MB

  • Estimated disk space required: 130 MB (23 MB installed)

  • Estimated build time: 0.8 SBU (with parallelism=4; add 29+ minutes, somewhat processor independent, to run the complete test suite)

Additional Downloads

BIND Dependencies

Required

libuv-1.41.0

Recommended

JSON-C-0.15 and libcap-2.49 with PAM

Optional

cURL-7.76.0, libidn2-2.3.0, libxml2-2.9.10, lmdb-0.9.28, MIT Kerberos V5-1.19.1, cmocka, geoip, pytest, Sphinx, and w3m

Optional database backends

Berkeley DB-5.3.28, MariaDB-10.5.9 or MySQL, OpenLDAP-2.4.58, PostgreSQL-13.2, and unixODBC-2.3.9

Optional (to run the test suite)

Net-DNS-1.30

Optional (to rebuild the documentation)

Doxygen-1.9.1, libxslt-1.1.34, and texlive-20200406 (or install-tl-unx)

User Notes: http://wiki.linuxfromscratch.org/blfs/wiki/bind

Installation of BIND

To ensure BIND will build dnssec-keymgr, install a python module as the root user: 

pip3 install ply

First, fix a few regressions that were reported upstream: 

patch -Np1 -i ../bind-9.16.13-upstream_fixes-1.patch

Install BIND by running the following commands: 

./configure --prefix=/usr           \
            --sysconfdir=/etc       \
            --localstatedir=/var    \
            --mandir=/usr/share/man \
            --with-libtool          \
            --disable-static        &&
make

Issue the following commands to run the complete suite of tests. First, as the root user, set up some test interfaces:

[Note]

Note

If IPv6 is not enabled in the kernel, there will be several error messages: "RTNETLINK answers: Operation not permitted". These messages do not affect the tests. 

bin/tests/system/ifconfig.sh up

The test suite may indicate some skipped tests depending on what configuration options are used. Some tests are marked UNTESTED if Net-DNS-1.30 is not installed. One test, CPU, is known to fail. To run the tests, as an unprivileged user, execute: 

make -k check

Again as root, clean up the test interfaces: 

bin/tests/system/ifconfig.sh down

Finally, install the package as the root user: 

make install

Command Explanations

--sysconfdir=/etc: This parameter forces BIND to look for configuration files in /etc instead of /usr/etc.

--with-libtool: This parameter forces the building of dynamic libraries and links the installed binaries to these libraries.

--with-libidn2: This parameter enables the IDNA2008 (Internationalized Domain Names in Applications) support.

--enable-fetchlimit: Use this option if you want to be able to limit the rate of recursive client queries. This may be useful on servers which receive a large number of queries.

--disable-linux-caps: BIND can also be built without capability support by using this option, at the cost of some loss of security.

--with-dlz-{mysql,bdb,filesystem,ldap,odbc,stub}: Use one (or more) of those options to add Dynamically Loadable Zones support. For more information refer to bind-dlz.sourceforge.net.

--disable-static: This switch prevents installation of static versions of the libraries.

Configuring BIND

Config files

named.conf, root.hints, 127.0.0, rndc.conf, and resolv.conf

Configuration Information

BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.

Create the unprivileged user and group named: 

groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /srv/named

Set up some files, directories and devices needed by BIND: 

mkdir -p /srv/named &&
cd       /srv/named &&
mkdir -p dev etc/named/{slave,pz} usr/lib/engines var/run/named &&
mknod /srv/named/dev/null c 1 3 &&
mknod /srv/named/dev/urandom c 1 9 &&
chmod 666 /srv/named/dev/{null,urandom} &&
cp /etc/localtime etc

The rndc.conf file contains information for controlling named operations with the rndc utility. Generate a key for use in the named.conf and rndc.conf with the rndc-confgen command: 

rndc-confgen -a -b 512 -t /srv/named

Complete the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys: 

cat >> /srv/named/etc/named.conf << "EOF"
options {
    directory "/etc/named";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

  channel default_syslog {
      syslog daemon;                      // send to syslog's daemon
                                          // facility
      severity info;                      // only send priority info
                                          // and higher
  };

  channel default_debug {
      file "named.run";                   // write to named.run in
                                          // the working directory
                                          // Note: stderr is used instead
                                          // of "named.run"
                                          // if the server is started
                                          // with the '-f' option.
      severity dynamic;                   // log at the server's
                                          // current debug level
  };

  channel default_stderr {
      stderr;                             // writes to stderr
      severity info;                      // only send priority info
                                          // and higher
  };

  channel null {
      null;                               // toss anything sent to
                                          // this channel
  };
};
EOF

Create a zone file with the following contents: 

cat > /srv/named/etc/named/pz/127.0.0 << "EOF"
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF

Create the root.hints file with the following commands:

[Note]

Note

Caution must be used to ensure there are no leading spaces in this file. 

cat > /srv/named/etc/named/root.hints << "EOF"
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
A.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:ba3e::2:30
B.ROOT-SERVERS.NET.     6D  IN      A       192.228.79.201
B.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:200::b
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
C.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2::c
D.ROOT-SERVERS.NET.     6D  IN      A       199.7.91.13
D.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2d::d
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
E.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:a8::e
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
F.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:2f::f
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
G.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:12::d0d
H.ROOT-SERVERS.NET.     6D  IN      A       198.97.190.53
H.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:1::53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
I.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fe::53
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
J.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:503:c27::2:30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
K.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:7fd::1
L.ROOT-SERVERS.NET.     6D  IN      A       199.7.83.42
L.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:500:9f::42
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
M.ROOT-SERVERS.NET.     6D  IN      AAAA    2001:dc3::35
EOF

The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from ftp://rs.internic.net/domain/named.root. For details, consult the "BIND 9 Administrator Reference Manual", included in every source archive of BIND 9 distributed by ISC, in HTML and PDF formats, also available at BIND 9 Administrator Reference Manual.

Create or modify resolv.conf to use the new name server with the following commands:

[Note]

Note

Replace <yourdomain.com> with your own valid domain name. 

cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search <yourdomain.com>
nameserver 127.0.0.1
EOF

Set permissions on the chroot jail with the following command: 

chown -R named:named /srv/named

Boot Script

To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the blfs-bootscripts-20210110 package: 

make install-bind

Now start BIND with the following command: 

/etc/rc.d/init.d/bind start

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig: 

dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address: 

dig www.linuxfromscratch.org &&
dig www.linuxfromscratch.org

You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual located at https://kb.isc.org/docs/bind-916-administrative-reference-manual for further configuration options.

Contents

Installed Programs: arpaname, ddns-confgen, delv, dig, dnssec-cds, dnssec-checkds, dnssec-coverage, dnssec-dsfromkey, dnssec-importkey, dnssec-keyfromlabel, dnssec-keygen, dnssec-keymgr, dnssec-revoke, dnssec-settime, dnssec-signzone, dnssec-verify, host, mdig, named, named-checkconf, named-checkzone, named-compilezone (symlink), named-journalprint, named-nzd2nzf, named-rrchecker, nsec3hash, nslookup, nsupdate, rndc, rndc-confgen, and tsig-keygen (symlink)
Installed Libraries: libbind9.so, libdns.so, libirs.so, libisc.so, libisccc.so, libisccfg.so, and libns.so
Installed Directories: /usr/include/{bind9,dns,dst,irs,isc,isccc,isccfg,ns,pk11,pkcs11}, /usr/lib/named, /usr/lib/python3.9/site-packages/isc, and /srv/named

Short Descriptions

arpaname

translates IP addresses to the corresponding ARPA names

ddns-confgen

generates a key for use by nsupdate and named

delv

is a new debugging tool that is a successor to dig

dig

interrogates DNS servers

dnssec-cds

changes DS records for a child zone based on CDS/CDNSKEY

dnssec-checkds

is a DNSSEC delegation consistency checking tool

dnssec-coverage

verifies that the DNSSEC keys for a given zone or a set of zones have timing metadata set properly to ensure no future lapses in DNSSEC coverage

dnssec-dsfromkey

outputs the Delegation Signer (DS) resource record (RR)

dnssec-importkey

reads a public DNSKEY record and generates a pair of .key/.private files

dnssec-keyfromlabel

gets keys with the given label from a cryptography hardware device and builds key files for DNSSEC

dnssec-keygen

is a key generator for secure DNS

dnssec-keymgr

ensures correct DNSKEY coverage based on a defined policy

dnssec-revoke

sets the REVOKED bit on a DNSSEC key

dnssec-settime

sets the key timing metadata for a DNSSEC key

dnssec-signzone

generates signed versions of zone files

dnssec-verify

verifies that a zone is fully signed for each algorithm found in the DNSKEY RRset for the zone, and that the NSEC / NSEC3 chains are complete

host

is a utility for DNS lookups

mdig

is a version of dig that allows multiple queries at once

named

is the name server daemon

named-checkconf

checks the syntax of named.conf files

named-checkzone

checks zone file validity

named-compilezone

is similar to named-checkzone, but it always dumps the zone contents to a specified file in a specified format

named-journalprint

prints the zone journal in human-readable form

named-rrchecker

reads an individual DNS resource record from standard input and checks if it is syntactically correct

named-nzd2nzf

converts an NZD database to NZF text format

nsec3hash

generates an NSEC3 hash based on a set of NSEC3 parameters

nslookup

is a program used to query Internet domain nameservers

nsupdate

is used to submit DNS update requests

rndc

controls the operation of BIND

rndc-confgen

generates rndc.conf files

tsig-keygen

is a symlink to ddns-confgen

Last updated on 2021-03-24 23:45:35 -0500