BIND primary and secondary DNS server


Last week's BIND post cost me more time than I could have imagined. You can have a forwarding or caching server running in a matter of minutes, but fiddling with listening addresses and ACLs took me a bit more time.

In retrospect it was not hard, but I stumbled upon a couple of problems, like the IPv6 one described in that post. Anyway, today I'm setting up a full primary and secondary DNS server.

We're building upon the caching server and can leave the /etc/bind/named.conf.options file as we left it last week:

# Create an access control list (ACL) of clients allowed to recurse through us
acl localauthorized {
	127.0.0.1;
	192.168.33.0/24;
};

# Server options
options {
	# Default options
	directory "/var/cache/bind";
	auth-nxdomain no;
	listen-on-v6 { any; };

	# ACL config: answer authoritative queries for our zones from anyone,
	# only recurse for the local network, and hand out transfers per zone only
	recursion yes;
	listen-on { 127.0.0.1; 192.168.33.10; };
	allow-recursion { localauthorized; };
	allow-transfer { none; };

	# Enable DNSSEC validation. dnssec-enable is obsolete since BIND 9.16 and
	# only triggers a named-checkconf warning; dnssec-validation is what matters.
	dnssec-enable yes;
	dnssec-validation yes;
};

The next file to edit is /etc/bind/named.conf.local, where we specify our zones and zone files:

//
// Do any local configuration here
//
// Forward zone: this server is the primary; only ns2 may pull a copy
zone "cloudpro.vm" {
	type master;
	file "db.cloudpro.vm";
	allow-transfer { 192.168.33.11; };
};

// Reverse zone for 192.168.33.0/24, same transfer rule
zone "33.168.192.in-addr.arpa" {
	type master;
	file "db.33.168.192";
	allow-transfer { 192.168.33.11; };
};

So this maybe needs a bit of explanation. 192.168.33.11 will be our secondary DNS server and my test domain name is cloudpro.vm. The per-zone 'allow-transfer' overrides the global 'allow-transfer { none; }' from named.conf.options, so the secondary is the only host that can pull a copy of the zone data; any other host asking for an AXFR gets refused. IP-based restriction is a reasonable baseline for a lab; TSIG-signed transfers are the next step when you need the secondary to authenticate itself. Mind the 'file' directive: since we've specified 'directory' in named.conf.options, we don't need the full path here. You could use it anyway, in which case it should be:

file "/var/cache/bind/db.cloudpro.vm";
file "/var/cache/bind/db.33.168.192";

The '33.168.192.in-addr.arpa' zone is used for reverse lookups. Its name is fixed by the DNS standard: the network part of the address with its octets reversed (192.168.33 becomes 33.168.192), followed by 'in-addr.arpa', so be sure to keep exactly that form.

So let's create these files. We can build them from scratch or copy them from the defaults:

# cp /etc/bind/db.local /var/cache/bind/db.cloudpro.vm
# cp /etc/bind/db.127 /var/cache/bind/db.33.168.192

First we’re editing our db.cloudpro.vm forward lookup zone file:

;
; BIND forward lookup zone for the cloudpro.vm domain
;

$TTL	300
; SOA: primary nameserver and hostmaster mailbox (root@cloudpro.vm). Both names
; must end in a dot; without it BIND appends the origin and you get cloudpro.vm.cloudpro.vm.
@	IN	SOA	ns1.cloudpro.vm. root.cloudpro.vm. (
			      3		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL

;
; cloudpro.vm nameserver configuration
;

			IN	NS	ns1.cloudpro.vm.
			IN	NS	ns2.cloudpro.vm.
ns1.cloudpro.vm.	IN	A	192.168.33.10
ns2.cloudpro.vm.	IN	A	192.168.33.11

;
; cloudpro.vm A records
;

mail.cloudpro.vm.	IN	A	192.168.33.20
web.cloudpro.vm.	IN	A	192.168.33.21
db.cloudpro.vm.		IN	A	192.168.33.22

;
; cloudpro.vm CNAME records
;

smtp.cloudpro.vm.	IN	CNAME	mail.cloudpro.vm.
imap.cloudpro.vm.	IN	CNAME	mail.cloudpro.vm.
www.cloudpro.vm.	IN	CNAME	web.cloudpro.vm.
mysql.cloudpro.vm.	IN	CNAME	db.cloudpro.vm.

I've set the TTL to 5 minutes and did some formatting. The comments should clear things up a bit. Two things to watch while editing these files. First, any name that does not end with a trailing dot is relative to the zone origin, so writing 'cloudpro.vm' instead of 'cloudpro.vm.' silently turns it into cloudpro.vm.cloudpro.vm.; the first name in the SOA should be the primary nameserver, ns1.cloudpro.vm., with the dot. Second, you must increment the 'Serial' every time you make a change and save the file; the secondary only transfers the zone again when it sees a serial higher than the one it holds.

Check your zone file:

# named-checkzone cloudpro.vm /var/cache/bind/db.cloudpro.vm

When this returns an OK, move on to the db.33.168.192 reverse lookup zone file:

;
; BIND reverse lookup zone for the cloudpro.vm domain
;

$TTL	300
; Same SOA as the forward zone: primary nameserver, hostmaster mailbox, trailing dots
@	IN	SOA	ns1.cloudpro.vm. root.cloudpro.vm. (
			      4		; Serial
			 604800		; Refresh
			  86400		; Retry
			2419200		; Expire
			 604800 )	; Negative Cache TTL

;
; cloudpro.vm nameserver configuration
;

	IN	NS	ns1.cloudpro.vm.
	IN	NS	ns2.cloudpro.vm.
10	IN	PTR	ns1.cloudpro.vm.
11	IN	PTR	ns2.cloudpro.vm.

;
; cloudpro.vm pointer records
;

20	IN	PTR	mail.cloudpro.vm.
21	IN	PTR	web.cloudpro.vm.
22	IN	PTR	db.cloudpro.vm.

CNAME records are aliases, not addresses, so they get no PTR records; each address gets one PTR pointing at its canonical name, which is why smtp, imap, www and mysql are missing above. As with the forward zone, check this zone as well:

# named-checkzone 33.168.192.in-addr.arpa /var/cache/bind/db.33.168.192
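named-checkzone validates syntax, but it does not tell you that the forward and reverse zones agree with each other. As an added example (not from the original post), here is a small Python script that cross-checks the two files before you reload: it qualifies relative names the way named does, extracts the serial, and reports A records without a PTR, PTRs without an A record, dangling in-zone CNAMEs and an SOA MNAME that is not a host in the zone (the missing-trailing-dot symptom). The embedded zones are constructed samples modelled on the ones above, with a deliberate 'vpn' host that exists only in the forward zone so the check has something to flag; the origin strings and host names are assumptions to replace with your own.

```python
"""Added example: cross-check forward and reverse zone files before reloading.
Not the post's code. Implements just enough of the master-file format (RFC 1035
section 5) to qualify names, join the multi-line SOA and compare A with PTR."""
import ipaddress
import re

# Constructed sample zones modelled on the page. 'vpn' has an A record but no PTR
# on purpose, and 'db' uses a relative owner name to show qualification at work.
FORWARD_ZONE = """\
$TTL    300
@   IN  SOA ns1.cloudpro.vm. root.cloudpro.vm. (
        3 604800 86400      ; serial refresh retry
        2419200 604800 )    ; expire negative-cache-ttl
    IN  NS    ns1.cloudpro.vm.
    IN  NS    ns2.cloudpro.vm.
ns1.cloudpro.vm.    IN  A     192.168.33.10
ns2.cloudpro.vm.    IN  A     192.168.33.11
mail.cloudpro.vm.   IN  A     192.168.33.20
web.cloudpro.vm.    IN  A     192.168.33.21
db                  IN  A     192.168.33.22   ; relative: becomes db.cloudpro.vm.
vpn.cloudpro.vm.    IN  A     192.168.33.23   ; constructed: no PTR below
www.cloudpro.vm.    IN  CNAME web.cloudpro.vm.
"""
REVERSE_ZONE = """\
$TTL    300
@   IN  SOA ns1.cloudpro.vm. root.cloudpro.vm. ( 4 604800 86400 2419200 604800 )
    IN  NS  ns1.cloudpro.vm.
    IN  NS  ns2.cloudpro.vm.
10  IN  PTR ns1.cloudpro.vm.
11  IN  PTR ns2.cloudpro.vm.
20  IN  PTR mail.cloudpro.vm.
21  IN  PTR web.cloudpro.vm.
22  IN  PTR db.cloudpro.vm.
"""

def fqdn(name, origin):
    """Qualify a name the way named does: '@' is the origin, a trailing dot
    means absolute, anything else gets the origin appended (the classic bug)."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()

def parse_zone(text, origin):
    """Return [(owner, rtype, rdata)] with every name fully qualified. Handles
    ';' comments, '( )' continuations, omitted owners and optional TTL/class."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner, buf = [], origin, ""
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw)
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue                               # still inside a ( ... ) record
        entry, buf = buf.replace("(", " ").replace(")", " "), ""
        fields = entry.split()
        if not fields:
            continue
        if fields[0] == "$ORIGIN":
            origin = fqdn(fields[1], origin)
            continue
        if fields[0].startswith("$"):             # $TTL etc. do not matter here
            continue
        if not entry[0].isspace():                 # owner present in column one
            owner = fqdn(fields.pop(0), origin)
        if fields and fields[0].isdigit():         # optional explicit TTL
            fields.pop(0)
        if fields and fields[0].upper() == "IN":   # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        n = {"SOA": 2, "NS": 1, "CNAME": 1, "PTR": 1}.get(rtype, 0)
        records.append((owner, rtype, [fqdn(f, origin) for f in rdata[:n]] + rdata[n:]))
    return records

def soa_serial(records):
    """SOA serial: it must increase on every edit or secondaries ignore the change."""
    return int(next(r[2] for _, t, r in records if t == "SOA"))

def reverse_owner(ip):
    """Owner name of the PTR for an address, e.g. 10.33.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."

def check_zones(fwd, rev):
    """Cross-check the two zones; returns human-readable problems (empty = consistent)."""
    apex = next(o for o, t, _ in fwd if t == "SOA")
    owners = {o for o, _, _ in fwd}
    a_records = [(o, r[0]) for o, t, r in fwd if t == "A"]
    ptr_by_owner = {o: r[0] for o, t, r in rev if t == "PTR"}
    a_by_rev = {reverse_owner(ip): host for host, ip in a_records}
    problems = []
    for host, ip in a_records:                      # every A needs a PTR pointing back
        if ptr_by_owner.get(reverse_owner(ip)) != host:
            problems.append(f"no PTR for {host} -> {ip}")
    for rev_owner, target in ptr_by_owner.items():  # every PTR needs a matching A
        if a_by_rev.get(rev_owner) != target:
            problems.append(f"PTR {rev_owner} -> {target} has no matching A record")
    for o, t, r in fwd:                             # in-zone targets must exist
        in_zone = r[0] == apex or r[0].endswith("." + apex)
        if t == "CNAME" and in_zone and r[0] not in owners:
            problems.append(f"CNAME {o} -> {r[0]} points at a name not in the zone")
        if t == "SOA" and in_zone and r[0] not in owners:  # missing trailing dot symptom
            problems.append(f"SOA MNAME {r[0]} is not a host in the zone")
    return problems

if __name__ == "__main__":
    fwd = parse_zone(FORWARD_ZONE, "cloudpro.vm.")
    rev = parse_zone(REVERSE_ZONE, "33.168.192.in-addr.arpa.")
    print(f"serials: forward {soa_serial(fwd)}, reverse {soa_serial(rev)}")
    print("missing trailing dot turns cloudpro.vm into", fqdn("cloudpro.vm", "cloudpro.vm."))
    for problem in check_zones(fwd, rev):
        print("PROBLEM:", problem)
```

To use it on real files, read /var/cache/bind/db.cloudpro.vm and db.33.168.192 into the two strings; running it before named-checkzone and the restart catches the mismatches that only show up later as failed reverse lookups.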

When this returns an OK, we can do a final config check, restart the service and run some tests:

# named-checkconf
# systemctl restart bind9
# dig mail.cloudpro.vm @127.0.0.1
# dig www.cloudpro.vm @127.0.0.1
# dig www.apple.com @127.0.0.1
# dig -x 192.168.33.11 @127.0.0.1
# dig -x 192.168.33.22 @127.0.0.1
# dig -x 1.1.1.1 @127.0.0.1
# journalctl --unit bind9

From another machine in the same subnet all tests should give the same answers when querying this server. Two negative tests matter just as much: 'dig cloudpro.vm AXFR @192.168.33.10' from any host other than 192.168.33.11 must end in 'Transfer failed', and a host outside 192.168.33.0/24 must get REFUSED for www.apple.com while still being answered for cloudpro.vm names.
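Those tests can be turned into a repeatable check. The following Python script is an added example, not part of the original post: it runs dig against a server and compares the response header against what this configuration should produce (authoritative answers for cloudpro.vm carry the 'aa' flag, answers for other domains do not, and a zone transfer from any address other than the secondary fails). Parsing and evaluation are kept separate from the dig call so they can be exercised on the constructed sample outputs at the bottom; the server address and the list of expectations are assumptions to adjust for your setup.

```python
"""Added example (not from the original post): turn the dig tests into a pass/fail
check of what the ACLs should produce. Parsing is separated from running dig so
the logic can be exercised on captured output (the samples below are constructed)."""
import re
import subprocess
import sys


def parse_dig(output):
    """Pull status, flags and answer count out of dig's ';; ->>HEADER<<-' lines.
    A refused AXFR prints no header at all, only '; Transfer failed.'."""
    if "; Transfer failed." in output:
        return {"status": "REFUSED", "flags": set(), "answers": 0}
    status = re.search(r"status: (\w+)", output)
    flags = re.search(r";; flags: ([^;]*);", output)
    answers = re.search(r"ANSWER: (\d+)", output)
    return {
        "status": status.group(1) if status else "NO_HEADER",
        "flags": set(flags.group(1).split()) if flags else set(),
        "answers": int(answers.group(1)) if answers else 0,
    }


def evaluate(parsed, expect_status, expect_aa=None):
    """Return None if the parsed answer matches expectations, else a reason.
    expect_aa=True: we must be authoritative; False: we must not be (recursed
    data); None: do not care (a refused transfer has no flags to inspect)."""
    if parsed["status"] != expect_status:
        return f"expected {expect_status}, got {parsed['status']}"
    if expect_aa is not None and ("aa" in parsed["flags"]) != expect_aa:
        return "aa flag " + ("missing" if expect_aa else "unexpectedly set")
    return None


# Expectations for a client inside 'localauthorized' (constructed; adjust names).
# From a client outside the ACL the www.apple.com line should read "REFUSED".
CHECKS = [
    ("mail.cloudpro.vm", "A",    "NOERROR", True),   # our zone: must be authoritative
    ("www.apple.com",    "A",    "NOERROR", False),  # recursion allowed by the ACL
    ("cloudpro.vm",      "AXFR", "REFUSED", None),   # only 192.168.33.11 may transfer
]


def run_checks(server, checks=CHECKS):
    """Query 'server' with dig for each check and return the list of failures."""
    failures = []
    for name, qtype, status, aa in checks:
        proc = subprocess.run(["dig", f"@{server}", name, qtype],
                              capture_output=True, text=True)
        problem = evaluate(parse_dig(proc.stdout), status, aa)
        if problem:
            failures.append(f"{qtype} {name}: {problem}")
    return failures


# Constructed dig output, cut down to the header lines the parser looks at.
SAMPLE_AUTHORITATIVE = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242\n"
    ";; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3\n"
)
SAMPLE_RECURSED = (
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243\n"
    ";; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1\n"
)
SAMPLE_REFUSED = (
    ";; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4244\n"
    ";; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1\n"
)
SAMPLE_TRANSFER_FAILED = "; Transfer failed.\n"

if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    failed = run_checks(target)
    for f in failed:
        print("FAIL", f)
    sys.exit(1 if failed else 0)
```

Run it as 'python3 check_dns.py 192.168.33.10' from a host inside the ACL; the www.apple.com line needs working upstream resolution, so expect SERVFAIL there in an isolated lab. The AXFR line is the one worth keeping in a cron job: if it ever starts returning NOERROR from a non-secondary address, the transfer ACL has been loosened.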

Let's get on with our second nameserver, in my case ns2.cloudpro.vm with IP address 192.168.33.11:

# apt install bind9
# vi /etc/default/bind9

As stated last week, make BIND start up in IPv4 mode by editing the above file (on newer Debian and Ubuntu releases the file is /etc/default/named and the service is 'named', with 'bind9' kept as an alias):

OPTIONS="-u bind -4"

Edit the /etc/bind/named.conf.options file to read:

# Create an access control list (ACL) of clients allowed to recurse through us
acl localauthorized {
	127.0.0.1;
	192.168.33.0/24;
};

# Server options
options {
	# Default options
	directory "/var/cache/bind";
	auth-nxdomain no;
	listen-on-v6 { any; };

	# ACL config: same policy as the primary; nobody may transfer from the secondary
	recursion yes;
	listen-on { 127.0.0.1; 192.168.33.11; };
	allow-recursion { localauthorized; };
	allow-transfer { none; };

	# Enable DNSSEC validation (dnssec-enable is obsolete since BIND 9.16 and
	# only triggers a named-checkconf warning)
	dnssec-enable yes;
	dnssec-validation yes;
};

Edit the /etc/bind/named.conf.local file to read:

//
// Do any local configuration here
//
// Secondary copies, pulled from ns1 by zone transfer; named writes these files itself.
// On BIND 9.16 and later "type secondary" and "primaries" are the preferred spellings;
// "slave" and "masters" still work as synonyms.
zone "cloudpro.vm" {
	type slave;
	file "db.cloudpro.vm";
	masters { 192.168.33.10; };
};

zone "33.168.192.in-addr.arpa" {
	type slave;
	file "db.33.168.192";
	masters { 192.168.33.10; };
};

You should be good to go. Test, restart and test some more; the journal should show both zones being pulled from 192.168.33.10 ('Transfer completed'), and the -x lookups must come back authoritative from this server, not via the primary:

# named-checkconf
# systemctl restart bind9
# dig imap.cloudpro.vm @127.0.0.1
# dig www.linux.com @127.0.0.1
# dig -x 192.168.33.21 @127.0.0.1
# dig -x 1.1.1.1 @127.0.0.1
# journalctl --unit bind9

Finally point any local client in the same subnet to your primary and secondary DNS servers to make use of your hard work.
