# bind9

This repo details the configuration for BIND DNS on Ubuntu 22.04. You can set up your own DNS server by following this guide.

The basic configuration is as below:

1. Install bind9 and check its status:

```sh
apt update -y && apt upgrade -y
apt install bind9 bind9utils bind9-doc -y
sudo systemctl status bind9
```

2. Edit `/etc/bind/named.conf.options` and check its syntax with `named-checkconf /etc/bind/named.conf.options`. There should be no output.

3. Edit `/etc/bind/named.conf.local` and check its syntax with `named-checkconf /etc/bind/named.conf.local`. There should be no output.

4. Create a directory for your zone files with `mkdir /etc/bind/zones` and create your zone file in it as `/etc/bind/zones/example.com`. Replace `example.com` with your domain name.

5. Check its syntax with `named-checkzone example.com /etc/bind/zones/example.com`.

6. Restart bind9 with `sudo systemctl restart bind9`.

## Enable Dynamic DNS Updates with a TSIG key

1. We will first need to generate a TSIG (Transaction Signature) key:

```sh
sudo tsig-keygen -a HMAC-SHA256 key-name > /etc/bind/keys/tsig.key
```

This will create the key in `/etc/bind/keys/tsig.key`, assign it the name `key-name`, and generate a secret for it. The `/etc/bind/keys` directory must exist first, and because the redirect is done by your shell rather than by `sudo`, run this from a root shell if that directory is not writable by your user. The file holds the shared secret, so keep it readable only by root and the `bind` user. It will look something like this, but with your name and secret:

```
key "key-name" {
    algorithm hmac-sha256;
    secret "NqG1yS23A0K2mCxl3zOaa+e1/UDr3J68u3w8Tg==";
};
```
2. Create `/etc/bind/dnssec-policies.conf` with the following. Replace `moeny-policy` with your own name.

```
dnssec-policy "moeny-policy" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime unlimited algorithm ecdsap256sha256;
    };
    max-zone-ttl 1d;
    parent-ds-ttl 1d;
    parent-propagation-delay 1h;
    signatures-refresh 1d;
    signatures-validity 30d;
    signatures-validity-dnskey 30d;
};
```
3. Add the following lines to your `/etc/bind/named.conf` to include the files we just created:

```
include "/etc/bind/keys/tsig.key";
include "/etc/bind/dnssec-policies.conf";
```

You may also want to add logging:

```
logging {
    channel update_debug {
        file "/var/log/named/update_debug.log" versions 3 size 100m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category update { update_debug; };
    category security { update_debug; };
    category database { update_debug; };
};
```
4. Add the following lines to your `/etc/bind/named.conf.local`, inside the zone block for your domain. Be sure to replace `key-name` and `moeny-policy` with your own names from `tsig.key` and `dnssec-policies.conf`; the key name here must match the one in `tsig.key` exactly, or updates signed with that key will be refused.

```
allow-update { key "key-name"; };
dnssec-policy "moeny-policy";
inline-signing yes;
```
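A mismatch between the names in the zone block and the names defined in `tsig.key` and `dnssec-policies.conf` is the easiest mistake to make here. The following Python cross-check is an added example, not code from this repo: it parses constructed copies of the three snippets above (the zone name and sample secret are the README's illustrative values, not real ones) with a small regex parser that is only meant for the simple single-key, single-policy files shown in this guide, and reports any name that is referenced but never defined.

```python
import base64
import re

# Constructed inputs modelled on this README's snippets (the secret is the README's sample, not a real key).
TSIG_KEY_FILE = '''key "key-name" {
    algorithm hmac-sha256;
    secret "NqG1yS23A0K2mCxl3zOaa+e1/UDr3J68u3w8Tg==";
};
'''
POLICY_FILE = '''dnssec-policy "moeny-policy" {
    keys { ksk lifetime unlimited algorithm ecdsap256sha256; };
};
'''
ZONE_SNIPPET = '''zone "moeny.ai" {
    type primary;
    allow-update { key "key-name"; };
    dnssec-policy "moeny-policy";
    inline-signing yes;
};
'''
KEY_BLOCK_RE = re.compile(r'key\s+"([^"]+)"\s*\{(.*?)\};', re.S)
POLICY_BLOCK_RE = re.compile(r'dnssec-policy\s+"([^"]+)"\s*\{')
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')
POLICY_REF_RE = re.compile(r'dnssec-policy\s+"([^"]+)"\s*;')

def parse_tsig_keys(text):
    """Map key name -> (algorithm, decoded secret bytes) for every key block in tsig.key."""
    keys = {}
    for name, body in KEY_BLOCK_RE.findall(text):
        alg = re.search(r'algorithm\s+([\w-]+)\s*;', body).group(1).lower()
        secret = re.search(r'secret\s+"([^"]+)"\s*;', body).group(1)
        keys[name] = (alg, base64.b64decode(secret, validate=True))  # raises on bad base64
    return keys

def check_zone(zone_text, key_text, policy_text):
    """Return the mismatches between a zone block and the files named.conf includes."""
    problems = []
    keys = parse_tsig_keys(key_text)
    policies = set(POLICY_BLOCK_RE.findall(policy_text))
    m = ALLOW_UPDATE_RE.search(zone_text)
    if m is None:
        problems.append("zone has no allow-update clause, so nsupdate will be refused")
    for name in re.findall(r'key\s+"([^"]+)"', m.group(1) if m else ""):
        if name not in keys:
            problems.append(f"allow-update names key {name!r}, which tsig.key does not define")
    for name in POLICY_REF_RE.findall(zone_text):
        if name not in policies:
            problems.append(f"zone uses dnssec-policy {name!r}, which dnssec-policies.conf does not define")
    if POLICY_REF_RE.search(zone_text) and not re.search(r'inline-signing\s+yes\s*;', zone_text):
        problems.append("dnssec-policy is set but inline-signing yes is missing")
    return problems
```

To use it against a real server, read the three files from `/etc/bind` into the same variables instead of the constructed strings; an empty list means the names line up.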
5. If your DNS server has AppArmor, it may prevent the `named` service from writing journal files in `/etc/bind/zones` and performing other required tasks. To prevent this issue, add the content of `usr.sbin.named` from this repo's `apparmor-config` directory to `/etc/apparmor.d/local/usr.sbin.named`. Also, ensure that the `bind` user has permission to read and write `/etc/bind/zones` to begin with.

6. Restart named and bind9:

```sh
sudo systemctl restart named
sudo systemctl status named
sudo systemctl restart bind9
sudo systemctl status bind9
```
7. You should now be ready to test the TSIG key on your DNS server, using the `nsupdate` command:

```
nsupdate -k /etc/bind/keys/tsig.key -d
> server 127.0.0.1
> debug yes
> zone moeny.ai
> update add test.moeny.ai 300 A 192.168.1.200
> send
> quit
```

This will add a record for `test.moeny.ai`, which you can then check for with `dig @127.0.0.1 test.moeny.ai`. When ready to remove the record, run `nsupdate` again but issue a delete:

```
nsupdate -k /etc/bind/keys/tsig.key -d
> server 127.0.0.1
> debug yes
> zone moeny.ai
> update delete test.moeny.ai A
> send
> quit
```

From now on, you will want to use `nsupdate` or a similar utility to edit and interact with the zone file, rather than editing it directly. Also, note that you will now have a `.signed` zone file, as well as `.jnl` and potentially `.jbk` files in `/etc/bind/zones`. The journal files store pending dynamic updates before they are committed to the zone file.

8. You may want to take a look at some info on journal files:

- `rndc freeze zone` stops dynamic updates and writes all changes from memory to disk.
- `rndc thaw zone` re-enables dynamic updates and should be run after the freeze.
- `rndc sync zone` forces an immediate sync of the in-memory zone to disk without freezing it.
- `rndc sync -clean` is the same as `rndc sync`, but also removes journal files (`*.jnl`).