TITLE:		BIND
LFS VERSION:	3.0-RC1
AUTHOR:		Michenaud Laurent <lmichenaud@free.fr>
		Patrick Kirk <patrick@enterprise-hr.com>

SYNOPSIS:
	How to set up a simple DNS server with bind

HINT:
version 1.0 final
This hint explains how to set up bind on your lfs.
I am not a bind specialist, what is written is what I
have understood. Don't hesitate to correct it if you
see mistakes or have optimisations.

The Domain Name System (DNS) is used by all TCP/IP Internet software to
translate the names that we humans like to use to the IP numbers
assigned to all the computers and devices out on the Internet and your
internal network.

Under most flavours of Unix, the most commonly used software package is
Berkley Internet Name Domain, (BIND). This article will serve as an
introduction to obtaining, installing and configuring BIND under Linux,
and will include some pointers on where to go for more in-depth
information.

Be aware that some recent security vulnerabilities have been uncovered
in BIND, so be sure to get at least version 8.23. As of this writing,
the latest version is 9.1.1. BIND can be downloaded from the Internet
Software Consortium (ISC) at http://www.isc.org.

For the purposes of this article we'll use version 9.1.1, downloadable
from
ftp://ftp.isc.org/isc/bind9/9.1.1/bind-9.1.1.tar.gz

In general terms, DNS is a very simple service that takes names like
www.yahoo.com and matches them to the machines that serve up the web
pages using dotted quad numbers along the lines of 212.19.67.5  Your ISP
provides this service for you using BIND.  If you have a single machine
connected to the Internet and wish to share that connection, running
BIND on the machine that shares the connection makes things faster and
easier.  From a security point of view, IP addresses like 192.168.0.n
and 10.n.n.n are non-routable. What this means is that your machines on
the LAN are much much safer if you use these addresses.  If you don't,
sooner or later, someting like ShareSniffer will find a shared folder or
service inside your firewall and
cause mischief.


------------------------------------------------
1) Installation of bind

To make the installation FHS compliant, we will install Bind into
/usr/local with its configuration files in /etc/bind.  This has the
advantage that if you want to back up all the configuration documents
for you system, you need only back up the /etc/ directory.

$ tar zxvf bind-9.1.3.tar.gz
$ cd bind-9.1.3
$ ./configure --prefix=/usr/local --sysconfdir=/etc/bind &&
$ make &&
$ make install &&
$ mkdir -p /etc/bind

The following configuration files are very simple. It allows you to have
a DNS server for your local network and allows you to use the DNS
server of your ISP when you're connected to internet.  For security
reasons, the service is only proided to machines that are on your local
network.

On this example,
  network address : 192.168.0.0
  domain name : zerezo.org
  machine host name : zarba
  machine ip : 192.168.0.51
  
---------------------------------------------------
2) The main configuration file: /etc/bind/named.conf

// Begin of file

// The IP Addresses we wish to provide DNS services for
// Bad idea to let just anyone start playing with this service.
// acl means Access Control List, zerezo.org is the family LAN
acl zerezo.org { 192.168.0.0/24; 127.0.0.0/24; };

// General options
options {
	auth-nxdomain yes;
	directory "/usr/local/sbin";
	forward first;
	forwarders {
		212.47.227.206;  //DNS of your ISP here
		212.47.227.207;
	};
};

// How to log
logging {
	channel warning
	{ 
		file "/var/log/dns_warnings" versions 3 size 100k;
		severity warning;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel general_dns
	{
		file "/var/log/dns_logs" versions 3 size 100k;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	}; 
	category default { warning; } ;
	category queries { general_dns; } ;
}; 

// zone for access to Internet
zone "." {
	type hint;
	file "/etc/bind/named.ca";
};

// zone for access to localhost
zone "0.0.127.in-addr.arpa" {
	type master; 
	file "/etc/bind/named.local";
};

// zone for access to your domain
zone "zerezo.org" in {
	type master;
	notify no;
	file "/etc/bind/zerezo.org";
};

// zone for access to your domain using ip
zone "0.168.192.in-addr.arpa" in {
	type master;
	notify no;
	file "/etc/bind/db.192.168.0";
};

// End of file


------------------------------------
3) Configuration files for each zone

There is a configuration file of each zone defined in named.conf.
These files are in /etc/bind. You have to create this directory.
	
	a) /etc/bind/named.ca

This file is used when you are connected to Internet.
The up to date version can be downloaded from ftp://ftp.rs.internic.net
where it is called named.root

If you do download it, remember to rename it named.ca when you put 
it in /etc/bind

// Begin of file
;       This file holds the details on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC registration services
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.RS.INTERNIC.NET
;       -OR- under Gopher at    RS.INTERNIC.NET
;           under menu          InterNIC Registration Services (NSI)
;              submenu          InterNIC Registration Archives
;           file                named.root
;
;       last update:    Aug 22, 1997
;       related version of root zone:   1997082200
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; temporarily housed at ISI (IANA)
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in Japan, operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33

// End of File


	b) /etc/bind/named.local
	
You must have an alias postmaster that points to the user root
or another one.
	
// Begin of file
$TTL    604800
@	IN	SOA	zarba.zerezo.org. postmaster.zarba.zerezo.org. (
			1999112002 ;
			28800 ;
			14400 ;
			604800 ;
			86400 );
		NS	zarba.zerezo.org.
1	PTR	localhost. ;
// End of file


	c) /etc/bind/zerezo.org
	
// Begin of file
$TTL    604800
@	IN	SOA	zarba.zerezo.org. postmaster.zarba.zerezo.org. (
			1999112002 ;  serial number
			28800 ;       rafraichissement
			14400 ;       nouvel essais
			604800 ;      expiration
			86400 );      temps de vie minimum

// NS = name server
@	IN	NS	zarba
@	IN	NS	zarba.zerezo.org.

// MX = mail server, the number is the priority
@	IN	MX	10 zarba
@	IN	MX	20 zarba.zerezo.org.

// local DNS server
@	IN A	127.0.0.1
@	IN A	192.168.0.51

// IP server
localhost	IN A	127.0.0.1
zarba		IN A	192.168.0.51

// IP of others machines of the network
karine	IN A	192.168.0.52
yaf	IN A	192.168.0.7

// aliases
www	IN CNAME	zarba
ftp	IN CNAME	zarba
mail	IN CNAME	zarba

// End of file


	d) /etc/bind/db.192.168.0

// Begin of file
$TTL    604800
@	IN	SOA	zarba.zerezo.org. postmaster.zarba.zerezo.org. (
			1999112002 ; numero de serie
			28800 ;	     rafraichissement
			14400 ;	     nouvel essais
			604800 ;     expiration
			86400 );    temps de vie

// nameserver
	IN	NS	zarba.zerezo.org.

// IP Reverses adresses
1	IN	PTR	zarba.zerezo.org.
2	IN	PTR	karine.zerezo.org.
3	IN	PTR	yaf.zerezo.org.

// End of file
	

------------------------
4) rndc configuration

rndc is used to administrate bind. It development is not
finished but I prefer to put it in this hint rather than
the obsolete nslookup utility.
	
	a) Creation of a key

You have to get a key so rndc can communicate with bind :
dnssec-keygen -a hmac-md5 -b 128 -n user rndc
	
It will create you two files. Get the value of the key in the .key one.


	b) /etc/bind/rdnc.conf

Create the file and edit the key please.

// Begin of file
options {
        default-server  localhost;
        default-key     rndc_key;
};

server localhost {
        key     rndc_key;
};

key rndc_key {
        algorithm hmac-md5;
        secret "Xd3zz2FgxvkML4V/BlVG8Q==";
};
// End of file


	c) Edit again /etc/bind/named.conf and add the following lines :
	
key rndc_key {
        algorithm       hmac-md5;
        secret		
"Xd3zz2FgxvkML4V/BlVG8Q==";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};


--------------------
5) /etc/init.d/named

	a) Here is the boot script

#!/bin/sh
# Begin /etc/init.d/
#
# Include the functions declared in the /etc/init.d/functions file
#

source /etc/init.d/functions

case "$1" in
        start)
                echo -n "Starting DNS server..."
                loadproc /usr/sbin/named
                ;;

        stop)
                echo -n "Stopping DNS server..."
                /usr/sbin/rndc stop
                evaluate_retval
                ;;

        reload)
                echo -n "Reloading DNS server..."
                /usr/sbin/rndc reload
		            evaluate_retval
                ;;

        restart)
                $0 stop
                /usr/sbin/sleep 1
                $0 start
                ;;

        status)
                /usr/sbin/rndc status
		            evalute_retval
                ;;

        *)
                echo "Usage: $0 {start|stop|reload|restart|status}"
                exit 1
        ;;

esac

# End /etc/init.d/


	b) Create the links
	
	cd /etc/rc0.d
	ln -s ../init.d/named K600named
  cd /etc/rc1.d
	ln -s ../init.d/named K600named
	cd /etc/rc6.d
	ln -s ../init.d/named K600named
	cd /etc/rc3.d
	ln -s ../init.d/named S300named
	cd /etc/rc5.d
	ln -s ../init.d/named S300named


--------------------------
6) Edit /etc/resolv.conf so it use your DNS server

search zerezo.org
nameserver 127.0.0.1
nameserver 192.168.0.51


--------------------------
6) Test your configuration

Some tests :
	dig -x 127.0.0.1
	
	if you have a ftp server :
		ftp ftp.zerezo.org
		ftp zarba.zerezo.org
		
	if you have apache, launch your browser and use as url :
	  http://www.zerezo.org
	  http://zarba.zerezo.org
		
	If problems, look at the logs /var/log/dns* and
/var/log/daemon.log
	


