# bind9

This repo details the configuration for BIND DNS on Ubuntu 22.04.

You can set up your own DNS server by following this [guide](https://www.cherryservers.com/blog/how-to-install-and-configure-a-private-bind-dns-server-on-ubuntu-22-04).

The basic configuration is as below:

1. Install bind9 and check its status

```bash
sudo apt update -y && sudo apt upgrade -y
sudo apt install bind9 bind9utils bind9-doc -y
sudo systemctl status bind9
```

2. Edit `/etc/bind/named.conf.options` and check its syntax with `named-checkconf /etc/bind/named.conf.options`. There should be no output.

3. Edit `/etc/bind/named.conf.local` and check its syntax with `named-checkconf /etc/bind/named.conf.local`. There should be no output.

4. Create a directory for your zone files with `mkdir /etc/bind/zones` and create your zone file in it as `/etc/bind/zones/example.com`. Replace `example.com` with your domain name.

5. Check its syntax with `named-checkzone example.com /etc/bind/zones/example.com`.

6. Restart bind9 with `sudo systemctl restart bind9`.

## Enable Dynamic DNS Updates with a TSIG key

1. We will first need to generate a TSIG (Transaction Signature) key.

```bash
sudo mkdir -p /etc/bind/keys
sudo tsig-keygen -a HMAC-SHA256 key-name | sudo tee /etc/bind/keys/tsig.key > /dev/null
```

(`tee` runs under `sudo` so that the write into `/etc/bind/keys` succeeds; a plain `>` redirect would be performed by your unprivileged shell.)

This will create the key in `/etc/bind/keys/tsig.key`, assign it the name `key-name`, and generate a secret for it. The file holds the shared secret that authorises zone updates, so restrict it so that only `root` and the `bind` group can read it. The file will look something like this but with your name and secret:

```
key "key-name" {
    algorithm hmac-sha256;
    secret "NqG1yS23A0K2mCxl3zOaa+e1/UDr3J68u3w8Tg==";
};
```

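As an added check, not part of this repo: a shell function that verifies a generated `tsig.key` before it is included in `named.conf`. It assumes GNU coreutils (`stat -c`, `base64 -d`) as on Ubuntu 22.04 and that the file came from `tsig-keygen -a HMAC-SHA256`, whose secret is 32 random bytes (44 base64 characters).

```shell
#!/bin/sh
# Added example (not part of this repo): sanity-check a tsig-keygen output file.
# Verifies that the secret is not world-readable, that the algorithm is
# hmac-sha256 and that the secret decodes to a full 256-bit key.
# Assumes GNU coreutils (stat -c, base64 -d) as shipped with Ubuntu 22.04.

# Usage: check_tsig_keyfile /path/to/tsig.key
# Returns 0 if the file is acceptable, 1 otherwise, printing one line per finding.
check_tsig_keyfile() {
    f="$1"
    rc=0

    # A shared secret must not be readable by "other": the last octal digit of
    # the mode has to be 0 (e.g. 640 root:bind).
    mode=$(stat -c '%a' "$f")
    case "$mode" in
        *0) ;;
        *) echo "FAIL: $f is mode $mode; other users can read the secret"; rc=1 ;;
    esac

    # Pull algorithm and secret out of the key "..." { ... }; statement.
    algo=$(sed -n 's/^[[:space:]]*algorithm[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$f")
    secret=$(sed -n 's/^[[:space:]]*secret[[:space:]][[:space:]]*"\([^"]*\)";.*/\1/p' "$f")

    if [ "$algo" != "hmac-sha256" ]; then
        echo "FAIL: algorithm is '${algo:-missing}', expected hmac-sha256"
        rc=1
    fi

    # tsig-keygen -a HMAC-SHA256 emits 32 random bytes (44 base64 characters);
    # anything shorter was truncated or hand-edited.
    nbytes=$(printf '%s' "$secret" | base64 -d 2>/dev/null | wc -c)
    if [ "$nbytes" -ne 32 ]; then
        echo "FAIL: secret decodes to $nbytes bytes, expected 32"
        rc=1
    fi

    return "$rc"
}

# Stand-alone use: check the file given as argument, or this repo's default path.
if [ -f "${1:-/etc/bind/keys/tsig.key}" ]; then
    check_tsig_keyfile "${1:-/etc/bind/keys/tsig.key}"
fi
```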
2. Create `/etc/bind/dnssec-policies.conf` with the following. Replace `moeny-policy` with your own name.

```
dnssec-policy "moeny-policy" {
    keys {
        ksk lifetime unlimited algorithm ecdsap256sha256;
        zsk lifetime unlimited algorithm ecdsap256sha256;
    };
    max-zone-ttl 1d;
    parent-ds-ttl 1d;
    parent-propagation-delay 1h;
    signatures-refresh 1d;
    signatures-validity 30d;
    signatures-validity-dnskey 30d;
};
```

3. Add the following lines to your `/etc/bind/named.conf` to include the files we just created.

```
include "/etc/bind/keys/tsig.key";
include "/etc/bind/dnssec-policies.conf";
```

You may also want to add logging. The `/var/log/named` directory must already exist and be writable by the `bind` user, since `named` will not create it:

```
logging {
    channel update_debug {
        file "/var/log/named/update_debug.log" versions 3 size 100m;
        severity debug;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category update { update_debug; };
    category security { update_debug; };
    category database { update_debug; };
};
```

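Once this logging is in place, the log can be triaged for rejected TSIG requests and for who changed what with which key. The shell functions below are an added example, not part of this repo; the log lines they run over are constructed here to approximate BIND 9's `update` and `security` category output with `print-time`, `print-category` and `print-severity` enabled, using the `key-name` key and the `moeny.ai` zone from this README.

```shell
#!/bin/sh
# Added example, not part of this repo: triage the update_debug.log written by the
# logging stanza above. tsig_failures counts rejected TSIG requests per source
# address (a burst from one host means a wrong or stale key, or forged requests);
# accepted_updates lists which client changed which zone with which key.
# Line shapes approximate BIND 9 output with print-time/category/severity on.

# Constructed sample log lines (not captured from a real server).
sample_log() {
    cat <<'EOF'
22-Mar-2024 10:15:02.101 update: info: client @0x7f3c1c0a3e10 192.168.1.50#51234/key key-name: updating zone 'moeny.ai/IN': adding an RR at 'test.moeny.ai' A 192.168.1.200
22-Mar-2024 10:15:40.377 security: error: client @0x7f3c1c0a4f20 192.168.1.77#40011: request has invalid signature: TSIG key-name: tsig verify failure (BADKEY)
22-Mar-2024 10:16:12.005 security: error: client @0x7f3c1c0a4f20 192.168.1.77#40012: request has invalid signature: TSIG key-name: tsig verify failure (BADSIG)
22-Mar-2024 10:20:33.812 update: info: client @0x7f3c1c0a3e10 192.168.1.50#51240/key key-name: updating zone 'moeny.ai/IN': deleting rrset at 'test.moeny.ai' A
EOF
}

# stdin: log lines; stdout: "<ip> <count>" for every address whose TSIG check failed.
tsig_failures() {
    awk '/request has invalid signature/ {
        for (i = 1; i <= NF; i++)
            if ($i ~ /#[0-9]+:$/) { split($i, a, "#"); n[a[1]]++; break }
    } END { for (ip in n) print ip, n[ip] }'
}

# stdin: log lines; stdout: "<ip> <key> <zone> <add|delete|other>" per accepted update.
accepted_updates() {
    awk -v q="'" '/updating zone/ {
        ip = "?"; key = "?"; zone = "?"
        # The signing key follows the peer address as "<ip>#<port>/key <name>:".
        for (i = 1; i <= NF; i++)
            if ($i ~ /#[0-9]+\/key$/) { split($i, a, "#"); ip = a[1]; key = $(i + 1); sub(/:$/, "", key); break }
        act = ($0 ~ /adding an RR/) ? "add" : (($0 ~ /deleting/) ? "delete" : "other")
        if (match($0, "zone " q "[^" q "]*" q)) zone = substr($0, RSTART + 6, RLENGTH - 7)
        print ip, key, zone, act
    }'
}

# Stand-alone run over the constructed sample.
echo "TSIG failures by source:"; sample_log | tsig_failures
echo "Accepted updates:";        sample_log | accepted_updates
```

To run it over a real server's log, replace `sample_log` with `cat /var/log/named/update_debug.log`.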
4. Add the following lines inside the `zone` block in your `/etc/bind/named.conf.local`. Be sure to replace `key-name` and `moeny-policy` with your own names from `tsig.key` and `dnssec-policies.conf`.

```
allow-update { key "key-name"; };
dnssec-policy "moeny-policy";
inline-signing yes;
```

5. If your DNS server has AppArmor, it may prevent the `named` service from writing journal files in `/etc/bind/zones` and performing other required tasks. To prevent this issue, add the content of [`usr.sbin.named`](apparmor-config/usr.sbin.named) to `/etc/apparmor.d/local/usr.sbin.named`. Also, ensure that the `bind` user has permission to read and write `/etc/bind/zones` to begin with.

6. Restart `named` and `bind9`.

```bash
sudo systemctl restart named
sudo systemctl status named
sudo systemctl restart bind9
sudo systemctl status bind9
```

7. You should now be ready to test the TSIG key on your DNS server, using the `nsupdate` command.

```bash
nsupdate -k /etc/bind/keys/tsig.key -d
> server 127.0.0.1
> debug yes
> zone moeny.ai
> update add test.moeny.ai 300 A 192.168.1.200
> send
> quit
```

This will add a record for `test.moeny.ai`, which you can then check with `dig @127.0.0.1 test.moeny.ai`. When you are ready to remove the record, run `nsupdate` again but issue a delete.

```bash
nsupdate -k /etc/bind/keys/tsig.key -d
> server 127.0.0.1
> debug yes
> zone moeny.ai
> update delete test.moeny.ai A
> send
> quit
```

From now on, you will want to use `nsupdate` or a similar utility to edit and interact with the zone, rather than editing the zone file directly. Also, note that you will now have a `.signed` zone file, as well as `.jnl` and potentially `.jbk` files in `/etc/bind/zones`. The journal files store pending dynamic updates before they are committed to the zone file.

8. You may want to take a look at some info on [Journal Files](https://bind9.readthedocs.io/en/v9.16.24/advanced.html#the-journal-file).

- `rndc freeze zone` stops dynamic updates and writes all changes from memory to disk.
- `rndc thaw zone` re-enables dynamic updates and should be run after the freeze.
- `rndc sync zone` forces an immediate sync of the in-memory zone to disk without freezing it.
- `rndc sync -clean` is the same as `rndc sync`, but also removes the journal files (`*.jnl`).