Recipe 24.16. Running a Private BIND DNS Server

24.16.1 Problem

You're tired of dinking around with /etc/hosts; you're ready to implement some grown-up name resolution on your LAN by installing a BIND DNS server. You only want this server to be available to your local users, providing both name-resolution and caching services. It will not provide any public services.

24.16.2 Solution

Set up a caching name server according to Recipe Recipe 24.15. Then add zone blocks to named.conf to define the new zones for your LAN hosts, and construct the zone files.

Table 24-2 lists the five hosts on windbag.net.

Table 24-2. Five hosts

Address

Hostname

Role

Alias

10.11.12.1

parsley

DNS, mail

10.11.12.2

sage

FTP

ftp

10.11.12.3

rosemary

Web server

www

10.11.12.4

thyme

Workstation

10.11.12.5

cilantro

Workstation

Add these zone blocks to named.conf:

zone "windbag.net" IN {

  type master;

  file "zone.net.windbag";

};

   

zone "12.11.10.in-addr.arpa" {

  type master;

  file "revp.10.11.12";

};

Here is the actual zone file for windbag.net:

// zone.net.windbag

// dns zone for for windbag.net

;

$ORIGIN windbag.net.

$TTL 1D

; any time you make a change to the domain, bump the

; "serial" setting below. the format is easy:

; YYYYMMDDI, with the I being an iterator in case you

; make more than one change during any one day

@     IN SOA   parsley hostmaster (

                        200405191 ; serial

                        8H        ; refresh

                        4H        ; retry

                        4W        ; expire

                        1D )      ; minimum

; parsley.windbag.net serves this domain as both the

; name server (NS) and mail exchange (MX)

                NS      parsley

                MX      10 parsley

; define domain functions with CNAMEs

ftp             CNAME   sage

www             CNAME   rosemary

; just in case someone asks for localhost.windbag.net

localhost       A       127.0.0.1

; our hostnames, in alphabetical order

rosemary            A       10.11.12.3

sage                A       10.11.12.2

parsley             A       10.11.12.1

thyme               A       10.11.12.4

cilantro            A       10.11.12.5

And finally, here are the reverse lookups for the domain in the revp.10.11.12 file:

; revp.10.11.12

; reverse pointers for 10.11.12.0 subnet

;

$ORIGIN 12.11.10.in-addr.arpa.

$TTL 1D

@     IN SOA  parsley.windbag.net. hostmaster.windbag.net. (

              200405190  ; serial

              28800      ; refresh (8 hours)

              14400      ; retry (4 hours)

              2419200    ; expire (4 weeks)

              86400      ; minimum (1 day)

              )

; define the authoritative name server

              NS      parsley.windbag.net.

; our hosts, in numeric order

1             PTR     parsley.windbag.net.

2             PTR     sage.windbag.net.

3             PTR     rosemary.windbag.net.

4             PTR     thyme.windbag.net.

5             PTR     cilantro.windbag.net.

Save your changes and restart BIND:

# /etc/init.d/named restart

And there you are—a shiny new fully functioning DNS server for your LAN.

24.16.3 Discussion

There's a whole lot happening in these three files. First of all, putting each zone into its own file is good organization. You may dump everything into a single zone file if you like, but you'll find that it's difficult to maintain.

In named.conf, the entries for windbag.net tell BIND that it is the authoritative server for windbag.net, and where to find the zone files.

The $origin directive is a nice timesaver. It lets you write:

$ORIGIN windbag.net.

www           CNAME   rosemary

instead of:

www.windbag.net    CNAME     rosemary.windbag.net

$TTL 1D sets a default time-to-live value. Values can be in this format:

w: For week
d: For day
h: For hour
m: For minute
s: For second

Individual entries may have their own TTL values:

rosemary      72h    A       10.11.12.3

The TTL tells visitors how often to refresh their own caches. If your site is fairly static, set this to a higher value. If you're making frequent changes, use a lower value. The lower the TTL, the more hits there will be on your server.

@ IN SOA parsley hostmaster means:

@: This holds the same value as $ORIGIN.
IN: This defines the address class; IN = Internet.
SOA: Start of Authority; the beginning of a zone file. Only A records can be used as the MNAME—don't use CNAMEs.

The SOA has 10 fields. These are the primary domain name, zone class, and SOA, plus the following:

MNAME: The master name server for the zone.
RNAME: The email address of the domain admin.
Serial number: BIND converts zone files into a binary file format. When you make changes to the zone file, you must also change the serial number, or BIND will not recognize the changes.
Refresh: This tells your slave, or secondary servers how often to check for updates.
Retry: If the master DNS server for the zone fails to answer a slave server's request for an update, this tells the secondary server how often it should resend the request.
Expire: If the master DNS server fails for a longer period of time, this tells the the secondary server how to continue to use its existing data. After the expire time has passed, the data is considered stale and will not be used, at which time the domain will no longer resolve. Hopefully your master server will be back online before this happens.
Minimum, or Negative-caching TTL: Negative answers (such as when a requested record does not exist) should also be cached on nonauthoritative servers. Setting this value prevents your server from getting hammered by a bunch of repeated requests in a short time. A common use for this is when you are migrating to a new name server at a different IP address; setting a short value on the old server a few days before you take it offline assures that your change will propagate quickly.

The next section contains resource records (RRs).

NS parsley and MX 10 parsley define your name server and mail server. If you have more than one mail server for the domain, the number sets the priority. Lower numbers are higher priority. Because $ORIGIN windbag.net. defines the domain name for the whole record, these expand to ns.windbag.net and mx.windbag.net. Make note of the trailing dot—this is very important! That defines the qualified domain name. If you leave it off, BIND will think it needs to append the domain name, so you'll have silliness like ns.windbag.net.windbag.net.

CNAME (canonical name) is an alias to an A record. Thus, a single A record can have several aliases. You can use a CNAME to add subdomains for virtual web or mail hosting—for example, programmers.only.domain.com or webmail.domain.com.

Instead of using CNAMES, you may assign subdomains their own A records. This means one less hit on your server per CNAME request, but it also means more work when you need to make changes. Endless debates rage over the use of CNAMEs; use what suits you.

"Canonical" is one of those weirdo geek words that defies a precise, logical definition. In this context, "canonical name" means "an alias assigned to the true (canonical) name of the server."

And finally, we come to the A (alias) records. An A record is the primary address for each of your hosts, the direct match of hostname to IP address.

Reverse pointers (RPTs) are technically not required, but in the real world so many servers require them that you had better use them.

If things are not working right, chances are it's a syntax error or a typo—mind your dots and commas especially. There are two syntax checkers for BIND to help you; see the next recipe for details.

The other common error is not starting from A records. Every host must first have an A record. Then you can assign name servers, mail servers, and CNAMEs.

24.16.4 See Also

named(5), named(8)
Section 6.3 of The Bind 9 Administrator's Reference Manual (http://www.bind9.net/Bv9ARM.html)
A named reference of TCP/IP Network Administration, by Craig Hunt (O'Reilly)

< Day Day Up >