Nextelco:DNS

From its-wiki.no

DNS

The DNS server software package selected for this installation is BIND9.

BIND9 (Berkeley Internet Name Domain version 9) is an implementation of the DNS protocols and provides an openly redistributable reference implementation of the major components of the Domain Name System.

BIND version 9 is a major rewrite of nearly all aspects of the underlying BIND architecture. Some of the important features of BIND9 are DNS Security (DNSSEC, TSIG), IPv6, DNS Protocol Enhancements (IXFR, DDNS, DNS Notify, EDNS0), Views, Multiprocessor Support, and an Improved Portability Architecture.

Debian 7.5 comes with a precompiled BIND version 9.8. For further information please refer to the BIND 9 Administrator Reference Manual.


Installation

These are the steps that were followed to install bind9:

# apt-get install bind9

Together with the bind9 package, the installer installs bind9utils as well. It also creates the bind group and user, writes a key for authenticating rndc control commands to /etc/bind/rndc.key, and finally starts the service.


Configuration

The /etc/bind directory holds the BIND configuration files. This is the purpose of some of them:

  • named.conf: main BIND configuration file. It includes the other configuration files, so that the configuration stays structured.
  • named.conf.options: this configuration file is used for the caching feature of the DNS server. Cached DNS entries mean that repeated lookups are answered on the local network instead of having to travel to an external source.
  • named.conf.local: this configuration file is used to set up the primary master. The primary master makes the DNS server the authoritative source for its zones.
  • named.conf.default-zones: this file is where all the zones are defined.
  • db.root: this file contains several root DNS server IP addresses.
  • db.*: the other files of this kind contain the DNS entries of the zones served (db.root, above, is the exception).
  • bind.keys: this file is used to override the built-in DNSSEC trust anchors which are included as part of BIND 9. As of the current release, the only trust anchors it contains are those for the DNS root zone (".") and for the ISC DNSSEC Lookaside Validation zone ("dlv.isc.org"). Trust anchors for any other zones MUST be configured elsewhere; if they are configured here, they will not be recognized or used by named.
  • rndc.key: RNDC controls the operation of a name server. RNDC uses a TCP connection to communicate with the BIND server and sends commands authenticated with digital signatures; this file holds the key used for that.
  • zones.rfc1918: it is generally considered good practice to serve localhost, 0.0.127.in-addr.arpa and the RFC 1918 reverse zones on your internal DNS system, to prevent queries for them from being sent out to the Internet. It saves time (you get replies for those queries quickly), bandwidth (no requests leave your network for zones that shouldn't exist), and relieves the load on servers upstream of you. If you are using RFC 1918 addresses, by all means serve the appropriate reverse data for the range(s) you use. You should also serve empty zones (or wildcarded zones) for the other ranges.


Since we are going to set up the DNS server as a caching server, we need to edit the /etc/bind/named.conf.options file. These are the steps:

  1. Edit the file: add the forwarder IP addresses and set dnssec-validation to no, so that named does not reject forwarded answers with "no valid RRSIG" errors. Both settings go inside the options block:

    # vi /etc/bind/named.conf.options

    options {
            // the existing options stay as they are
            forwarders {
                   193.156.97.36;
                   193.156.97.95;
            };
            dnssec-validation no;
    };

  2. Additionally, in order to avoid "network unreachable" errors (named trying to send queries over IPv6 from a host without IPv6 connectivity), edit /etc/default/bind9 so that named is started with the -4 option. Keep the -u bind that is already on the OPTIONS line, otherwise named no longer drops to the unprivileged bind user:

    # vi /etc/default/bind9

    OPTIONS="-u bind -4"

  3. Restart the service:

    # /etc/init.d/bind9 restart

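The procedure above edits named.conf.options by hand. As an added example (not part of this wiki page or of the Debian bind9 package), the shell script below renders the same caching-forwarder options block from a list of forwarders, rejects malformed addresses before they reach the file, restricts recursion to a local network (an assumption; the 10.0.0.0/8 in the usage line is a constructed value) so the cache is not an open resolver, and runs named-checkconf from bind9utils on the result when it is installed.

```shell
#!/bin/sh
# Added example, not from the wiki page: render /etc/bind/named.conf.options
# for the caching/forwarding setup above and syntax-check it. The 10.0.0.0/8
# network in the usage line is a constructed value; the forwarders are the
# ones used on the page.

# Succeed only if $1 is a dotted-quad IPv4 address with each octet in 0..255.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    set -- $(printf '%s' "$1" | tr '.' ' ')   # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Print named.conf.options. $1: network (CIDR) allowed to recurse, $2: value
# for dnssec-validation ("no" as on the page; "auto" keeps validation on),
# remaining arguments: forwarder addresses.
render_options() {
    local_net=$1; dnssec=$2; shift 2
    [ $# -gt 0 ] || { echo "no forwarders given" >&2; return 1; }
    for fwd in "$@"; do
        valid_ipv4 "$fwd" || { echo "bad forwarder address: $fwd" >&2; return 1; }
    done
    printf 'options {\n\tdirectory "/var/cache/bind";\n\trecursion yes;\n'
    # Only local clients may recurse, so the cache is not an open resolver.
    printf '\tallow-recursion { 127.0.0.1; %s; };\n' "$local_net"
    printf '\tforward only;\n\tforwarders {\n'
    for fwd in "$@"; do printf '\t\t%s;\n' "$fwd"; done
    printf '\t};\n\tdnssec-validation %s;\n};\n' "$dnssec"
}

# Write the rendered options to file $1 (remaining args as for render_options)
# and syntax-check it; without named-checkconf, fall back to a brace count.
check_options() {
    out=$1; shift
    render_options "$@" > "$out" || return 1
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$out"
    else
        [ "$(tr -cd '{' < "$out" | wc -c | tr -d ' ')" -eq \
          "$(tr -cd '}' < "$out" | wc -c | tr -d ' ')" ]
    fi
}
# Usage: check_options /tmp/named.conf.options 10.0.0.0/8 no 193.156.97.36 193.156.97.95
```

Review the generated file, then copy it over /etc/bind/named.conf.options and restart bind9 as in step 3.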


Further information at:

