Chapter 76: BIND DNS Server
Comprehensive DNS Server Administration

76.1 Understanding DNS

DNS Architecture
Section titled “DNS Architecture”The Domain Name System (DNS) is a hierarchical, distributed database that translates domain names to IP addresses. It’s essential infrastructure for all internet services.
```
DNS Query Flow
+------------------------------------------------------------------+
|                                                                  |
|  Client Query: www.example.com                                   |
|                                                                  |
|  1. Client → Local Resolver (ISP/Corporate)                      |
|        |                                                         |
|  2. Local Resolver checks cache                                  |
|        | (cache miss)                                            |
|  3. Root Server (.) → TLD Server (.com)                          |
|        |                                                         |
|  4. TLD Server → Authoritative Server (example.com)              |
|        |                                                         |
|  5. Authoritative Server → IP Address                            |
|        |                                                         |
|  6. Local Resolver → Client                                      |
|                                                                  |
|  DNS Record Types:                                               |
|  +----------------------------------------------------------+    |
|  | A     | IPv4 address                                     |    |
|  | AAAA  | IPv6 address                                     |    |
|  | CNAME | Canonical name (alias)                           |    |
|  | MX    | Mail exchange                                    |    |
|  | TXT   | Text records (SPF, DKIM, DMARC)                  |    |
|  | NS    | Name server                                      |    |
|  | SOA   | Start of Authority                               |    |
|  | PTR   | Pointer (reverse DNS)                            |    |
|  | SRV   | Service location                                 |    |
|  | CAA   | Certification Authority Authorization            |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+
```

DNS Resolution Types
```
+------------------------------------------------------------------+
|                                                                  |
|  Recursive Query:                                                |
|  +----------------------------------------------------------+    |
|  | Client asks resolver to complete query                   |    |
|  | Resolver queries root → TLD → Authoritative              |    |
|  | Resolver returns final answer to client                  |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Iterative Query:                                                |
|  +----------------------------------------------------------+    |
|  | Server returns best answer it has                        |    |
|  | Client follows referrals                                 |    |
|  | Root → TLD → Authoritative                               |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Authoritative Answer:                                           |
|  +----------------------------------------------------------+    |
|  | Server is authoritative for the zone                     |    |
|  | Has actual DNS records                                   |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Non-Authoritative Answer:                                       |
|  +----------------------------------------------------------+    |
|  | Answer from cache                                        |    |
|  | Not from authoritative server                            |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+
```

76.2 BIND Installation and Setup
Installing BIND

```bash
# Debian/Ubuntu
sudo apt update
sudo apt install bind9 bind9utils bind9-doc

# RHEL/CentOS/Fedora
sudo dnf install bind bind-utils

# Arch Linux
sudo pacman -S bind

# Start and enable
sudo systemctl enable --now named

# Check status and version
sudo systemctl status named
named -v
named -V
```

Basic Configuration Files

```
# Main configuration file
# /etc/bind/named.conf (Debian/Ubuntu)
# /etc/named.conf (RHEL)

# Configuration structure (Debian/Ubuntu)
# /etc/bind/named.conf.options       - Global options
# /etc/bind/named.conf.local         - Local zones
# /etc/bind/named.conf.default-zones - Default zones

# RHEL structure
# /etc/named.conf
# /etc/named.rfc1912.zones
```

76.3 named.conf Configuration
Main Configuration

```
options {
    # Working directory
    directory "/var/named";

    # PID file
    pid-file "/run/named/named.pid";

    # Listen on all interfaces
    listen-on { any; };
    listen-on-v6 { any; };

    # Allow queries
    allow-query { localhost; 10.0.0.0/8; 192.168.0.0/16; };

    # Allow recursion (for caching server); never "any" on an internet-facing server
    allow-recursion { localhost; 10.0.0.0/8; 192.168.0.0/16; };

    # Forwarders (upstream DNS)
    forwarders { 8.8.8.8; 8.8.4.4; 1.1.1.1; };

    # Forward only: rely on the forwarders alone, never resolve iteratively
    // forward only;

    # DNSSEC validation
    dnssec-validation auto;

    # Query logging
    // querylog yes;

    # Transfers: deny globally, re-enable per zone where needed
    allow-transfer { none; };

    # Port
    port 53;

    # Size limits
    max-cache-size 256M;
    max-cache-ttl 86400;
    max-ncache-ttl 3600;
};

# logging is a top-level statement; it is a syntax error inside options { }
logging {
    channel default_log {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity info;
        print-time yes;
        print-category yes;
    };
    category default { default_log; };
};

# Include additional config
include "/etc/bind/named.conf.local";
include "/etc/bind/rndc.key";
```

Local Zones
```
# Forward zone for example.com
zone "example.com" {
    type master;
    file "/etc/bind/zones/db.example.com";
    allow-transfer { 10.0.0.0/8; };
    // allow-update { key "rndc-key"; };
};

# Reverse zone for 10.0.0.0/24: the three leading octets reversed, so
# 0.0.10.in-addr.arpa (10.in-addr.arpa would cover the whole 10.0.0.0/8)
zone "0.0.10.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.10.0.0";
    allow-transfer { 10.0.0.0/8; };
};

# Local domain
zone "local" {
    type master;
    file "/etc/bind/zones/db.local";
};

# localhost reverse (IPv4)
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.127";
};

# localhost reverse (IPv6 ::1): 32 nibbles under ip6.arpa
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" {
    type master;
    file "/etc/bind/zones/db.0.0.0";
};
```

76.4 Zone Files
Forward Zone File

```
$TTL 86400
@       IN SOA  ns1.example.com. admin.example.com. (
                2024022301 ; Serial (YYYYMMDDNN)
                3600       ; Refresh (1 hour)
                1800       ; Retry (30 minutes)
                604800     ; Expire (1 week)
                86400 )    ; Minimum TTL (1 day; used as the negative-caching TTL)

; Name servers
@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.

; A records
@       IN A    10.0.0.10
ns1     IN A    10.0.0.11
ns2     IN A    10.0.0.12
www     IN A    10.0.0.10
mail    IN A    10.0.0.20
ftp     IN A    10.0.0.10

; CNAME records
blog    IN CNAME www
shop    IN CNAME www
api     IN CNAME www
cdn     IN CNAME www

; MX records (priority: lower = higher priority)
; mail2 has no A record in this zone, so named-checkzone warns that the MX target has no address
@       IN MX 10 mail.example.com.
@       IN MX 20 mail2.example.com.

; TXT records (SPF)
@       IN TXT  "v=spf1 mx -all"

; DMARC
_dmarc  IN TXT  "v=DMARC1; p=quarantine; rua=mailto:dmarc@example.com"

; Service records (SRV): priority weight port target
_http._tcp  IN SRV 0 5 80  www.example.com.
_imap._tcp  IN SRV 0 5 993 mail.example.com.
_smtp._tcp  IN SRV 0 5 587 mail.example.com.
```

Reverse Zone File
```
$TTL 86400
@       IN SOA  ns1.example.com. admin.example.com. (
                2024022301 ; Serial
                3600       ; Refresh
                1800       ; Retry
                604800     ; Expire
                86400 )    ; Minimum TTL

@       IN NS   ns1.example.com.
@       IN NS   ns2.example.com.

; PTR records: the owner is the host octet, and each must mirror the A record
; in the forward zone (ns1 is 10.0.0.11, ns2 is 10.0.0.12, www is 10.0.0.10)
10      IN PTR  www.example.com.
11      IN PTR  ns1.example.com.
12      IN PTR  ns2.example.com.
20      IN PTR  mail.example.com.
```

Zone File Directives
```
+------------------------------------------------------------------+
|                                                                  |
|  $TTL      | Default TTL for all records                         |
|  $ORIGIN   | Default domain for unqualified names                |
|  $INCLUDE  | Include another file                                |
|                                                                  |
|  Record Format:                                                  |
|  +----------------------------------------------------------+    |
|  | name  TTL  CLASS  TYPE  data                             |    |
|  |                                                          |    |
|  | @     IN A      10.0.0.10                                |    |
|  | www   IN CNAME  @                                        |    |
|  |                                                          |    |
|  | TTL and CLASS are optional; IN is the default class      |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  SOA Record:                                                     |
|  +----------------------------------------------------------+    |
|  | Primary NS, Contact email, Serial, Refresh, Retry,       |    |
|  | Expire, Minimum TTL                                      |    |
|  |                                                          |    |
|  | Serial format: YYYYMMDDNN (NN = revision number)         |    |
|  | MUST increment when zone changes                         |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+
```
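The reverse zone has to agree with the forward zone (every PTR mirrors an A record, and a /24 lives under 0.0.10.in-addr.arpa, not 10.in-addr.arpa), and the YYYYMMDDNN serial has to move forward on every edit. As an added example that is not part of this chapter, the Python below derives the reverse zone name from a prefix, builds the PTR records from forward A records, bumps the serial (same day, new day, and a clock that went backwards), and renders the zone; the forward records are a constructed sample and the ns1/admin names are the chapter's.

```python
import ipaddress
import re
from datetime import date

# Constructed sample: the A records of the forward zone above (www's aliases omitted).
FORWARD_ZONE = """\
www   IN A 10.0.0.10
ns1   IN A 10.0.0.11
ns2   IN A 10.0.0.12
mail  IN A 10.0.0.20
vpn   IN A 192.168.1.5   ; outside 10.0.0.0/24: belongs to another reverse zone
"""
A_RE = re.compile(r"^(\S+)\s+(?:\d+\s+)?(?:IN\s+)?A\s+(\d+\.\d+\.\d+\.\d+)", re.M)

def reverse_zone_name(prefix):
    """'10.0.0.0/24' -> '0.0.10.in-addr.arpa'; '10.0.0.0/8' -> '10.in-addr.arpa'."""
    net = ipaddress.ip_network(prefix, strict=True)
    if net.prefixlen % 8:
        raise ValueError("only /8, /16 and /24 map to a single in-addr.arpa zone")
    kept = str(net.network_address).split(".")[: net.prefixlen // 8]
    return ".".join(reversed(kept)) + ".in-addr.arpa"

def next_serial(old, today=None):
    """YYYYMMDDNN: same day -> NN+1, new day -> YYYYMMDD00, never lower than old+1."""
    today = today or int(date.today().strftime("%Y%m%d"))   # YYYYMMDD as an int
    candidate = today * 100
    return candidate if candidate > old else old + 1

def ptr_records(forward_text, prefix, origin):
    """Map each A record inside `prefix` to its PTR owner label, relative to the reverse zone."""
    net = ipaddress.ip_network(prefix, strict=True)
    host_labels = 4 - net.prefixlen // 8          # reversed octets that form the owner name
    records = {}
    for name, ip in A_RE.findall(forward_text):
        addr = ipaddress.ip_address(ip)
        if addr not in net:
            continue                               # another reverse zone's address
        label = ".".join(addr.reverse_pointer.split(".")[:host_labels])
        fqdn = origin if name == "@" else f"{name}.{origin}"
        records.setdefault(label, fqdn)            # one PTR per address: the first A record wins
    return records

def render_reverse_zone(records, serial, ns="ns1.example.com.", contact="admin.example.com."):
    """Emit a minimal reverse zone: $TTL, SOA, NS, then PTRs sorted by address."""
    lines = ["$TTL 86400",
             f"@ IN SOA {ns} {contact} ( {serial} 3600 1800 604800 86400 )",
             f"@ IN NS {ns}"]
    for label in sorted(records, key=lambda owner: tuple(int(x) for x in owner.split("."))):
        lines.append(f"{label} IN PTR {records[label]}")
    return "\n".join(lines) + "\n"
```

Run `named-checkzone 0.0.10.in-addr.arpa` on the rendered file before loading it, exactly as for a hand-written zone.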
76.5 Testing and Troubleshooting

Configuration Testing
```bash
# Test named.conf syntax
sudo named-checkconf
sudo named-checkconf /etc/bind/named.conf

# Test zone file syntax
sudo named-checkzone example.com /etc/bind/zones/db.example.com
sudo named-checkzone 0.0.10.in-addr.arpa /etc/bind/zones/db.10.0.0

# Test the configuration and load every master zone it references
sudo named-checkconf -z /etc/bind/named.conf

# Verify the signatures of a DNSSEC-signed zone
# (dnssec-signzone writes its output as <zonefile>.signed)
dnssec-verify -o example.com /etc/bind/zones/db.example.com.signed
```

Query Testing
```bash
# Query locally
dig @127.0.0.1 example.com
dig @127.0.0.1 example.com MX
dig @127.0.0.1 example.com TXT

# Query specific record type
dig @127.0.0.1 www.example.com A
dig @127.0.0.1 ns1.example.com AAAA

# Reverse lookup
dig @127.0.0.1 -x 10.0.0.10
dig @127.0.0.1 10.0.0.10.in-addr.arpa PTR

# Trace DNS path
dig +trace example.com

# Short output
dig +short example.com

# Using nslookup
nslookup example.com
nslookup -type=mx example.com
nslookup -type=txt example.com

# Using host
host example.com
host -t any example.com
host 10.0.0.10
```

Service Management
```bash
# Reload configuration
sudo systemctl reload named

# Restart service
sudo systemctl restart named

# Check status
sudo systemctl status named
sudo named -g                     # Run in foreground for debugging

# View logs
sudo journalctl -u named -f
tail -f /var/log/named/default.log

# rndc commands
sudo rndc status                  # Server status
sudo rndc reload                  # Reload zones
sudo rndc reload example.com      # Reload specific zone
sudo rndc flush                   # Flush cache
sudo rndc flushname example.com   # Flush one name from the cache
```

76.6 Slave Zones
Configuring Slave Server

```
# Slave zone (replicates from master); "file" is relative to the options
# "directory" and must be writable by named, which stores the transferred copy there
zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 10.0.0.11; };
    allow-transfer { none; };
};

# Alternative to the block above: multiple masters
zone "example.com" {
    type slave;
    file "db.example.com";
    masters { 10.0.0.11; 10.0.0.12; };
};

# Allow zone transfer from master
# On master:
# allow-transfer { 10.0.0.0/8; };

# Notify slaves on zone update
# In master zone block:
# also-notify { 10.0.0.12; };
```

76.7 Caching-Only DNS Server
Caching Server Configuration

```
options {
    directory "/var/named";

    # Enable recursion
    recursion yes;

    # Allow recursive queries from the local network only
    # (an open resolver answers recursion for anyone and gets abused for amplification)
    allow-recursion { localhost; 10.0.0.0/8; 192.168.0.0/16; };

    # Allow queries
    allow-query { 10.0.0.0/8; 192.168.0.0/16; };

    # Forward all queries to upstream
    forwarders { 8.8.8.8; 8.8.4.4; 1.1.1.1; };

    # Use the forwarders only; never fall back to querying the root servers
    // forward only;

    dnssec-validation auto;
};
```

76.8 Split DNS (Views)
Configuring Views

```
# Once any view is defined, every zone must live inside a view.
# Views are tried in order; the first whose match-clients matches the source address wins.
view "internal" {
    match-clients { 10.0.0.0/8; 192.168.0.0/16; };
    recursion yes;

    zone "example.com" {
        type master;
        file "internal/db.example.com";
    };

    // Include internal zones
    include "/etc/bind/named.conf.internal";
};

view "external" {
    match-clients { any; };
    recursion no;

    zone "example.com" {
        type master;
        file "external/db.example.com";
    };

    // Include external zones
    include "/etc/bind/named.conf.external";
};
```

76.9 Dynamic Updates
DDNS Configuration

```
# Enable dynamic updates in zone
zone "example.com" {
    type master;
    file "dynamic/db.example.com";   # must be writable: named keeps a .jnl journal beside it
    allow-update { 10.0.0.0/8; };    # address ACL: source addresses are spoofable over UDP
    // Preferred: require a TSIG key instead
    // allow-update { key "ddns-key"; };
};
```

```bash
# Generate a TSIG key (tsig-keygen prints a ready-to-include key clause;
# hmac-sha256 replaces the deprecated hmac-md5)
tsig-keygen -a hmac-sha256 ddns-key > /etc/bind/ddns.key
```

```
# Add key to named.conf (this is the clause tsig-keygen produced)
key "ddns-key" {
    algorithm hmac-sha256;
    secret "key-material==";
};
```

```bash
# nsupdate example (interactive; the key algorithm is given with the key name)
nsupdate
> server ns1.example.com
> key hmac-sha256:ddns-key key-material==
> update add host.example.com 3600 A 10.0.0.50
> send
> quit

# From command line
nsupdate -k /etc/bind/ddns.key << EOF
server ns1.example.com
update add host.example.com 3600 A 10.0.0.50
send
EOF
```

76.10 Performance Tuning
Optimizing BIND

```
options {
    // Threading: named starts one worker thread per CPU by default and has no
    // named.conf option for it; override on the command line with `named -n <count>`

    // Cache size
    max-cache-size 512M;
    max-cache-ttl 86400;
    max-ncache-ttl 3600;

    // TCP connections
    tcp-clients 1000;

    // Recursive clients
    recursive-clients 10000;

    // Query logging (careful with production)
    // querylog yes;

    // Response rate limiting (limits how useful the server is for reflection attacks)
    rate-limit {
        responses-per-second 10;
        window 5;
    };

    // Prefetch: re-fetch a popular record when 2 s of TTL remain,
    // for records whose TTL was at least 9 s
    prefetch 2 9;
};
```

76.11 Interview Questions
Basic Questions

- What is BIND?
  - Berkeley Internet Name Domain, most widely used DNS server
- What are the main record types?
  - A, AAAA, CNAME, MX, NS, TXT, PTR, SOA
- What is the SOA record?
  - Start of Authority - contains zone admin info and timing
- How do you test DNS configuration?
  - named-checkconf, named-checkzone, dig
- What is a forward zone?
  - Maps domain names to IP addresses
Intermediate Questions

- What is the difference between authoritative and recursive DNS?
  - Authoritative: has actual records; Recursive: queries on behalf of clients
- What is a slave DNS server?
  - Replicates zone data from master server
- What is split DNS?
  - Different responses based on client location (internal vs external)
- What is DDNS?
  - Dynamic DNS - automatic DNS updates
- What does the serial number in SOA represent?
  - Must increment when zone changes
Advanced Questions

- How does DNS zone transfer work?
  - AXFR (full), IXFR (incremental), uses TCP port 53
- What is DNSSEC?
  - DNS Security Extensions - validates DNS responses
- How do you secure BIND?
  - Disable recursion for external, rate limiting, allow-transfer controls, TSIG
- What is the purpose of forwarders in BIND?
  - Forward queries to upstream DNS instead of querying root
- How do you debug DNS resolution issues?
  - dig +trace, check logs, verify firewall, check configuration
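The hardening points in the "How do you secure BIND?" answer (recursion restricted to known clients, allow-transfer controls, TSIG-only dynamic updates, DNSSEC validation, rate limiting) can be checked mechanically before a named.conf ships. As an added example that is not part of this chapter or of BIND itself, the Python below scans named.conf text for those weak settings and returns a list of findings; the weak configuration it audits is a constructed sample, and zones with no allow-transfer of their own inherit the global one as named does.

```python
import re

# Constructed sample (not from the chapter): a deliberately weak named.conf to audit.
WEAK_CONF = """
options {
    recursion yes;
    allow-recursion { any; };       // open resolver: abused for reflection/amplification
    dnssec-validation no;
};
zone "example.com" {
    type master;
    allow-transfer { any; };        // anyone can AXFR the whole zone
    allow-update { 10.0.0.0/8; };   // source-address ACL, spoofable over UDP
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)
def statements(text, keyword):
    """Yield (header, body) for every `keyword <header> { body }` block, nesting-aware."""
    for m in re.finditer(rf"\b{keyword}\b([^{{;]*)\{{", text):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip(), text[m.end():i - 1]
def acl(body, name):
    """Elements of a `name { a; b; };` clause in body, or None when the clause is absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}", body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None
def audit(conf):
    """Return findings for the weaknesses the answer above lists; [] means none were found."""
    conf, findings, global_xfer = strip_comments(conf), [], None
    for _, opt in statements(conf, "options"):
        global_xfer = acl(opt, "allow-transfer")             # zones inherit this when unset
        if "any" in (acl(opt, "allow-recursion") or []) and not re.search(r"\brecursion\s+no\s*;", opt):
            findings.append("options: recursion with allow-recursion { any; } (open resolver)")
        if not re.search(r"\bdnssec-validation\s+(auto|yes)\s*;", opt):
            findings.append("options: dnssec-validation is not auto/yes")
        if not re.search(r"\brate-limit\s*\{", opt):
            findings.append("options: no rate-limit block (response rate limiting off)")
    for header, body in statements(conf, "zone"):
        xfer = acl(body, "allow-transfer") or global_xfer
        if xfer is None or "any" in xfer:
            findings.append(f"zone {header}: allow-transfer is any or unset")
        if any(not e.startswith("key") for e in acl(body, "allow-update") or []):
            findings.append(f"zone {header}: allow-update by address instead of a TSIG key")
    return findings
```

Running `audit()` over the chapter's 76.3 options together with its example.com zone yields no findings; the constructed WEAK_CONF yields five.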
Summary

```
Quick Reference
+------------------------------------------------------------------+
|                                                                  |
|  Configuration Files:                                            |
|  +----------------------------------------------------------+    |
|  | /etc/bind/named.conf          | Main config              |    |
|  | /etc/bind/named.conf.options  | Global options           |    |
|  | /etc/bind/named.conf.local    | Local zones              |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Key Commands:                                                   |
|  +----------------------------------------------------------+    |
|  | named-checkconf     | Test config                        |    |
|  | named-checkzone     | Test zone file                     |    |
|  | dig @server domain  | Query DNS                          |    |
|  | rndc reload         | Reload configuration               |    |
|  | rndc flush          | Flush cache                        |    |
|  +----------------------------------------------------------+    |
|                                                                  |
|  Zone File Records:                                              |
|  +----------------------------------------------------------+    |
|  | SOA   | Start of Authority (admin, serial, timing)       |    |
|  | NS    | Name server                                      |    |
|  | A     | IPv4 address                                     |    |
|  | AAAA  | IPv6 address                                     |    |
|  | CNAME | Alias                                            |    |
|  | MX    | Mail exchange                                    |    |
|  | TXT   | Text (SPF, DKIM, DMARC)                          |    |
|  | PTR   | Reverse DNS                                      |    |
|  +----------------------------------------------------------+    |
|                                                                  |
+------------------------------------------------------------------+
```