BIND DNS Configuration Checklist
================================

Shanker Balan
http://shankerbalan.com/

Changelog:

* Thu May 29 14:36:26 IST 2003 - Initial commit

My checklist while setting up a DNS server using ISC BINDv9, putting it here
for quick reference. Make sure you know what each option actually does before
enabling it. Please note, there might be syntax errors.

###
### etc/named.conf
###

// access control lists
// (BIND 9 requires an acl to be defined before it is referenced, so this
// goes ahead of options{}; "localhost" and "localnets" are built-in acls
// and named refuses to start if you try to redefine them)
acl lan { 192.168.1.0/24; };

# caching name server using ISP's DNS server for faster lookups
options {
	forward first;
	forwarders { 202.54.1.30; };				// VSNL
	// forwarders { 144.16.64.2; 144.16.64.3; };		// Ernet, Bangalore
	// forwarders { 61.1.128.65; 61.1.128.5; };		// BSNL Dial-Up
	// forwarders { 164.164.4.5; 164.164.128.16; };	// STPI, Bangalore

	// listen on
	listen-on { 127.0.0.1; 192.168.1.1; };

	// access controls
	allow-transfer { localhost; };
	allow-recursion { localhost; lan; };
	allow-query { localhost; lan; };

	// keep stats
	zone-statistics yes;

	// other default stuff goes here
};

# forward zone
zone "mydomain.com" {
	type master;
	file "mydomain.com";
	allow-update { localhost; };
};

# reverse zone
zone "1.168.192.in-addr.arpa" {
	type master;
	file "1.168.192.in-addr.arpa";
	allow-update { localhost; };
};

###
### Zone Files
###

# named/mydomain.com
$ORIGIN mydomain.com.
$TTL 86400	; 1 day
; "@" stands for the current $ORIGIN; a bare "mydomain.com" without the
; trailing dot would be read as mydomain.com.mydomain.com.
@		IN SOA	ns.mydomain.com. root.ns.mydomain.com. (
				815		; serial
				10800		; refresh (3 hours)
				900		; retry (15 minutes)
				604800		; expire (1 week)
				86400		; minimum (1 day)
				)
		NS	ns.mydomain.com.
		MX	5 mail.mydomain.com.
$ORIGIN mydomain.com.
localhost	A	127.0.0.1
ns		A	192.168.1.1
gateway		A	192.168.1.1
gw		CNAME	gateway
mail		A	192.168.1.2
www		A	192.168.1.3
ftp		A	192.168.1.4
proxy		A	192.168.1.5
wpad		CNAME	proxy
ldap		A	192.168.1.6

# named/1.168.192.in-addr.arpa
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400	; 1 day
@		IN SOA	ns.mydomain.com. root.ns.mydomain.com. (
				815		; serial
				10800		; refresh (3 hours)
				900		; retry (15 minutes)
				604800		; expire (1 week)
				86400		; minimum (1 day)
				)
		NS	ns.mydomain.com.
$ORIGIN 1.168.192.IN-ADDR.ARPA.
1		PTR	gateway.mydomain.com.
2		PTR	mail.mydomain.com.
3		PTR	www.mydomain.com.
4		PTR	ftp.mydomain.com.
5		PTR	proxy.mydomain.com.
6		PTR	ldap.mydomain.com.

###
### etc/resolv.conf
###

# Update resolv.conf to query your local DNS server.
domain mydomain.com
search mydomain.com
nameserver 127.0.0.1

###
### Dig -- send domain name query packets to name servers
###

dig(1)

Dig (domain information groper) is a flexible command line tool which can be
used to gather information from the Domain Name System servers. Dig has two
modes: simple interactive mode for a single query, and batch mode which
executes a query for each in a list of several query lines. All query options
are accessible from the command line.

- To find the version of BIND running on a server

	dig @<server> version.bind chaos txt

	[godzilla] ~> dig @localhost version.bind chaos txt
	; <<>> DiG 8.3 <<>> @localhost version.bind chaos txt
	; (1 server found)
	;; res options: init recurs defnam dnsrch
	;; got answer:
	;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4
	;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
	;; QUERY SECTION:
	;;      version.bind, type = TXT, class = CHAOS

	;; ANSWER SECTION:
	VERSION.BIND.           0S CHAOS TXT    "8.3.4-REL"

	;; Total query time: 7 msec
	;; FROM: godzilla.exocore.com to SERVER: localhost  127.0.0.1
	;; WHEN: Thu May 29 16:02:18 2003
	;; MSG SIZE  sent: 30  rcvd: 64

- Domain transfer

	dig @ns.mydomain.com mydomain.com axfr

###
### NOTES
###

- Though ACLs are not required for normal operation, it is always best to use
  them for fine grained control
- Use "listen-on" to explicitly specify the interfaces named binds to; this
  avoids confusion when the host has multiple virtual IP addresses

###
### ToDo
###

- Using rndc, dig etc
- IPv6 zones
- Split zones
- Dynamic updates
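The forward and reverse zone files in the "Zone Files" section are written by hand, and the usual way they drift apart is an A record with no PTR, a PTR naming a host that no longer has an A record, or the SOA owner written without a trailing dot. The script below is an added example, not part of the checklist: it embeds a constructed copy of the two zone files above, parses the master-file syntax they use ($ORIGIN, $TTL, ";" comments, parenthesised SOA, inherited owner names) and cross-checks every A record inside 192.168.1.0/24 against the PTR records. The function names `parse_zone` and `check_consistency` are mine; the parser only understands the record types and directives that appear in the checklist.

```python
import ipaddress
import re

# Constructed sample input, copied from the two zone files in the checklist.
FORWARD_ZONE = """\
$ORIGIN mydomain.com.
$TTL 86400 ; 1 day
@ IN SOA ns.mydomain.com. root.ns.mydomain.com. (
        815 ; serial
        10800 ; refresh
        900 ; retry
        604800 ; expire
        86400 ; minimum
        )
        NS  ns.mydomain.com.
        MX  5 mail.mydomain.com.
localhost A 127.0.0.1
ns        A 192.168.1.1
gateway   A 192.168.1.1
gw        CNAME gateway
mail      A 192.168.1.2
www       A 192.168.1.3
ftp       A 192.168.1.4
proxy     A 192.168.1.5
wpad      CNAME proxy
ldap      A 192.168.1.6
"""

REVERSE_ZONE = """\
$ORIGIN 1.168.192.in-addr.arpa.
$TTL 86400 ; 1 day
@ IN SOA ns.mydomain.com. root.ns.mydomain.com. (
        815 ; serial
        10800 ; refresh
        900 ; retry
        604800 ; expire
        86400 ; minimum
        )
        NS  ns.mydomain.com.
1 PTR gateway.mydomain.com.
2 PTR mail.mydomain.com.
3 PTR www.mydomain.com.
4 PTR ftp.mydomain.com.
5 PTR proxy.mydomain.com.
6 PTR ldap.mydomain.com.
"""


def parse_zone(text):
    """Minimal master-file parser. Returns (origin, [(owner_fqdn, type, rdata_tokens)]).
    Handles $ORIGIN, $TTL, ';' comments, '(' ... ')' continuation lines and the rule
    that a record starting with whitespace inherits the previous owner name."""
    origin, last_owner, records = ".", None, []
    units, buf, depth = [], [], 0
    for line in text.splitlines():
        line = re.sub(r";.*", "", line)          # strip comments
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:                          # one logical record complete
            units.append(buf)
            buf = []
    for unit in units:
        tokens = " ".join(unit).replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0] == "$TTL":
            continue
        owner = last_owner if unit[0][0].isspace() else tokens.pop(0)
        while tokens and (tokens[0].isdigit() or tokens[0] in ("IN", "CH", "HS")):
            tokens.pop(0)                       # optional TTL / class
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin        # relative name -> absolute
        last_owner = owner
        records.append((owner, tokens[0], tokens[1:]))
    return origin, records


def check_consistency(forward_text, reverse_text):
    """Cross-check A records against PTR records; an empty list means they agree."""
    _, fwd = parse_zone(forward_text)
    rev_origin, rev = parse_zone(reverse_text)
    # "1.168.192.in-addr.arpa." -> prefix ['192','168','1'] -> network 192.168.1.0/24
    prefix = list(reversed(rev_origin.rstrip(".").split(".")[:-2]))
    network = ipaddress.ip_network(
        ".".join(prefix + ["0"] * (4 - len(prefix))) + f"/{8 * len(prefix)}")
    a_by_ip = {}                                # ip -> set of owner names
    for owner, rtype, rdata in fwd:
        if rtype == "A":
            a_by_ip.setdefault(ipaddress.ip_address(rdata[0]), set()).add(owner)
    ptr_by_ip = {}                              # ip -> PTR target
    for owner, rtype, rdata in rev:
        if rtype == "PTR":
            host_labels = owner[: -len(rev_origin) - 1].split(".")
            ptr_by_ip[ipaddress.ip_address(".".join(prefix + host_labels[::-1]))] = rdata[0]
    findings = []
    for ip in sorted(a_by_ip):
        names = sorted(a_by_ip[ip])
        if ip not in network:
            continue                            # e.g. localhost A 127.0.0.1 is outside this zone
        target = ptr_by_ip.get(ip)
        if target is None:
            findings.append(f"{ip}: A record(s) {names} but no PTR")
        elif target not in names:
            findings.append(f"{ip}: PTR names {target} but A records are {names}")
        elif len(names) > 1:
            findings.append(f"{ip}: shared by {names}; PTR names only {target}")
    for ip in sorted(ptr_by_ip):
        if ip not in a_by_ip:
            findings.append(f"{ip}: PTR names {ptr_by_ip[ip]} but no A record points here")
    return findings


if __name__ == "__main__":
    for finding in check_consistency(FORWARD_ZONE, REVERSE_ZONE) or ["zones agree"]:
        print(finding)
```

Run against the checklist's own data the only output is that 192.168.1.1 is shared by ns and gateway while the PTR names just gateway, which is legitimate but worth knowing when something reverse-resolves unexpectedly. For the real files, `named-checkzone mydomain.com /path/to/mydomain.com` is still the first thing to run; this script only adds the cross-zone comparison that named-checkzone does not do.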
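The NOTES section recommends ACLs for fine-grained control, and the options{} block above grants query and recursion to localhost plus the lan, and zone transfers to localhost only. What a checklist cannot show is how BIND actually evaluates those lists: elements are tested in order, the first matching element decides, a "!" prefix makes a matching element deny, and an address that matches nothing is denied. The following Python is an added example, not code from the checklist or from BIND: it models that evaluation over the checklist's own acl and options values so you can ask "what would this client get?" before restarting named. `acl_match`, `decide` and `exposed_to` are my names; the "localhost" acl uses the checklist's definition of 127.0.0.1 rather than BIND's built-in, which also covers the host's other interface addresses, and the treatment of nested acls (only a positive match inside a nested list counts) is my reading of BIND 9's behaviour.

```python
import ipaddress

# Constructed from the named.conf in the checklist. "localhost" here is the
# checklist's own definition (127.0.0.1); BIND's built-in acl of that name
# also includes every address configured on the host's interfaces.
ACLS = {
    "localhost": ["127.0.0.1"],
    "lan": ["192.168.1.0/24"],
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
}

# The access controls from the options{} block.
POLICY = {
    "allow-query":     ["localhost", "lan"],
    "allow-recursion": ["localhost", "lan"],
    "allow-transfer":  ["localhost"],
}


def acl_match(client, elements, acls):
    """Walk one address_match_list in order. Returns +1 on a positive match,
    -1 when the first matching element is negated ("!x"), 0 when nothing matched."""
    for element in elements:
        negate = element.startswith("!")
        name = element.lstrip("!").strip()
        if name in acls:
            # nested acl: only a positive match inside it counts as a match here
            hit = acl_match(client, acls[name], acls) > 0
        else:
            hit = client in ipaddress.ip_network(name, strict=False)
        if hit:
            return -1 if negate else 1
    return 0


def is_allowed(client_ip, elements, acls=ACLS):
    """BIND grants access only on a positive match; no match at all is a denial."""
    return acl_match(ipaddress.ip_address(client_ip), elements, acls) > 0


def decide(client_ip, policy=POLICY, acls=ACLS):
    """Which of the configured operations this client address would be allowed."""
    return {op: is_allowed(client_ip, elements, acls) for op, elements in policy.items()}


def exposed_to(probe_ip, policy=POLICY, acls=ACLS):
    """Operations an address outside all trusted ranges would be granted.
    203.0.113.0/24 is documentation space, so it never appears in a real acl."""
    return [op for op, allowed in decide(probe_ip, policy, acls).items() if allowed]


if __name__ == "__main__":
    for client in ("127.0.0.1", "192.168.1.50", "203.0.113.9"):
        print(client, decide(client))
    # A resolver that recurses for anyone is the classic open-resolver mistake.
    open_policy = dict(POLICY, **{"allow-recursion": ["any"]})
    print("open-resolver check:", exposed_to("203.0.113.9", open_policy))
```

Ordering matters more than people expect: an acl written as `{ !192.168.1.200; 192.168.1.0/24; }` keeps that one host out, while `{ 192.168.1.0/24; !192.168.1.200; }` lets it in, because the /24 matches first and evaluation stops there. The `exposed_to` probe is a cheap regression check to keep next to the config: if it ever returns `allow-recursion` or `allow-transfer` for an outside address, the server has become an open resolver or is handing out the zone.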