Installation

_$: apt-get install bind9

Configuration

/etc/bind/db.example.com:
-------------------------
; example.com zone
$TTL    604800
@   IN  SOA dns.example.com.   info.example.com. (
            2013010201  ; Serial
            7200        ; Refresh
            120         ; Retry
            2419200     ; Expire
            604800)     ; Default TTL
;
@   IN  NS  dns.example.com.
@   IN  MX  10  mail.example.com.   ; must match the A record below (dig output shows mail.example.com.)
@   IN  TXT "v=spf1 +a +mx -all"

example.com._domainkey	IN	TXT	"v=DKIM1; g=*; k=rsa; p=MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDHPWNGNc8lKhfeywkE6gZg77oE6dIFm8EuqZ5VLyX9dbOi+zLxy7442o5bEEpXl+l1HPWfwzqjXpkbOMtK3ac5xxopgJ2U/nUpFffhM0CtDN2h3prDIfjyuAXSENHRRz4UQv4qdKyD902yQhT/nYAfuCvw9Sn8H5LCjYRSNjRVsQIDAQAB" ; -- DKIM

dns         IN      A       192.168.254.195
zabbix      IN      A       192.168.254.190
git         IN      A       192.168.254.191
samba       IN      A       192.168.254.192
mail        IN      A       192.168.254.193

/etc/bind/db.192.168.254:
-------------------------
; 254.168.192 zone
; admin
$TTL    604800
@   IN  SOA dns.example.com.    info.example.com. (
            2013010801  ; Serial
            7200        ; Refresh
            120         ; Retry
            2419200     ; Expire
            604800)     ; Default TTL
;
@   IN  NS  dns.example.com.
195 IN  PTR dns.example.com.
190 IN  PTR zabbix.example.com.
191 IN  PTR git.example.com.
192 IN  PTR samba.example.com.
193 IN  PTR mail.example.com.
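As an added check that is not part of these notes, the following Python script cross-checks the forward and reverse zones above the way named-checkzone's warnings would: MX and NS targets inside the zone must have an A record, and every A record must have a matching PTR (and vice versa). The zone excerpts are constructed from this page, with the MX target deliberately misspelled so the check has something to report.

```python
import re
# Constructed from the zone files on this page (SOA and comments omitted);
# the MX target is deliberately misspelled "smtp" so the check fires.
FORWARD = """\
@       IN  NS  dns.example.com.
@       IN  MX  10  smtp.example.com.
@       IN  TXT "v=spf1 +a +mx -all"   ; SPF
dns     IN  A   192.168.254.195
zabbix  IN  A   192.168.254.190
mail    IN  A   192.168.254.193
"""
REVERSE = """\
195 IN  PTR dns.example.com.
190 IN  PTR zabbix.example.com.
193 IN  PTR mail.example.com.
"""
COMMENT = re.compile(r';(?=(?:[^"]*"[^"]*")*[^"]*$)')  # ';' only outside quotes

def parse_records(text, origin):
    # One-line records only; '@' and relative owners expand with the origin, as named does.
    recs = []
    for line in text.splitlines():
        line = COMMENT.split(line, 1)[0].strip()
        if line:
            owner, _cls, rtype, rdata = line.split(None, 3)
            owner = origin if owner == "@" else (owner if owner.endswith(".") else f"{owner}.{origin}")
            recs.append((owner, rtype, rdata))
    return recs

def reverse_name(ip):
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def check_zones(forward, reverse, origin="example.com.", rev_origin="254.168.192.in-addr.arpa."):
    # Cross-check forward and reverse zones; returns a list of findings (empty = consistent).
    fwd = parse_records(forward, origin)
    a = {own: rd for own, t, rd in fwd if t == "A"}
    ptr = {own: rd for own, t, rd in parse_records(reverse, rev_origin) if t == "PTR"}
    findings = []
    for own, t, rd in fwd:                     # in-zone MX/NS targets need an A record
        target = rd.split()[-1]
        if t in ("MX", "NS") and target.endswith(origin) and target not in a:
            findings.append(f"{t} target {target} has no A record")
    for name, ip in a.items():                 # every A record needs a matching PTR
        if ptr.get(reverse_name(ip)) != name:
            findings.append(f"no PTR {reverse_name(ip)} -> {name}")
    for rev, name in ptr.items():              # and every PTR must point at a real A record
        if name not in a or reverse_name(a[name]) != rev:
            findings.append(f"PTR {rev} -> {name} has no matching A record")
    return findings
```

Run it against the real files before `rndc reload` and treat any finding as a zone bug; a clean run returns an empty list.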

/etc/bind/named.conf.local:
---------------------------
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";


zone "254.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.192.168.254";
};

zone "example.com" {
    type master;
    file "/etc/bind/db.example.com";
};

/etc/network/interfaces:
------------------------
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
iface eth0 inet static
	address 192.168.1.195
	network 192.168.1.0
	netmask 255.255.255.0
	gateway 192.168.1.1

auto eth1
iface eth1 inet static
	address 192.168.254.195
	network 192.168.254.0
	netmask 255.255.255.0
	dns-nameservers 127.0.0.1

Check

_$: cd /etc/bind
_$: named-checkzone example.com db.example.com
zone example.com/IN: loaded serial 2014031401
OK
_$: dig example.com any
; <<>> DiG 9.7.3 <<>> example.com any
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58369
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 3

;; QUESTION SECTION:
;example.com.               IN  ANY

;; ANSWER SECTION:
example.com.        604800  IN  SOA dns.example.com. info.example.com. 2013010201 7200 120 2419200 604800
example.com.        604800  IN  NS  dns.example.com.
example.com.        604800  IN  MX  10 mail.example.com.
example.com.        604800  IN  TXT "v=spf1 +a +mx -all"

;; ADDITIONAL SECTION:
dns.example.com.    604800  IN  A   192.168.254.195
mail.example.com.   604800  IN  A   192.168.254.193

;; Query time: 1 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Jan  8 18:35:16 2013
;; MSG SIZE  rcvd: 217

_$: host 192.168.254.191
191.254.168.192.in-addr.arpa domain name pointer git.example.com.

_$: host zabbix.example.com
zabbix.example.com has address 192.168.254.190

Logging

/etc/bind/named.conf.options:
-----------------------------
options {
	directory "/var/cache/bind";

	// If there is a firewall between you and nameservers you want
	// to talk to, you may need to fix the firewall to allow multiple
	// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

	// If your ISP provided one or more IP addresses for stable
	// nameservers, you probably want to use them as forwarders.
	// Uncomment the following block, and insert the addresses replacing
	// the all-0's placeholder.

	// forwarders {
	// 	0.0.0.0;
	// };

	//========================================================================
	// If BIND logs error messages about the root key being expired,
	// you will need to update your keys.  See https://www.isc.org/bind-keys
	//========================================================================
	dnssec-validation auto;

	auth-nxdomain no;    # conform to RFC1035
	// listen-on-v6 { any; };
};


// Logging
logging {
    channel my_log {
        file "/var/log/bind/dns.log" versions 3 size 250k;
        severity debug 5;
    };
    category default {
        my_log;
    };
};

_$: mkdir -p /var/log/bind
_$: chown bind:root /var/log/bind
_$: touch /var/log/bind/dns.log
_$: chown bind:bind /var/log/bind/dns.log

If named fails before the service is fully up, the error will not be in dns.log yet, so we must check /var/log/syslog.

AppArmor

If we want to disable AppArmor altogether:

_$: sudo invoke-rc.d apparmor kill
_$: sudo update-rc.d -f apparmor remove

Instead of disabling it, we can allow the new log directory in the named profile:

/etc/apparmor.d/usr.sbin.named:
-------------------------------
...
  # some people like to put logs in /var/log/named/ instead of having
  # syslog do the heavy lifting.
  /var/log/named/** rw,
  /var/log/named/ rw,

  /var/log/bind/** rw,      # <=== added
  /var/log/bind/ rw,        # <=== added

_$: service apparmor restart

Log rotation

BIND's log grows very fast, so we must rotate the log files. We must also check the logging level set in /etc/bind/named.conf.options: the highest value is debug 5, but it fills the log very quickly.

_$: apt-get install logrotate
_$: vi /etc/logrotate.d/bind

/etc/logrotate.d/bind:
----------------------
/var/log/bind/dns.log {
        weekly
        rotate 5
        compress
        delaycompress
        notifempty
        create 0640 bind adm
        sharedscripts
        postrotate
                service bind9 restart
        endscript
}

_$: service bind9 restart