Module 5 - PowerPoint PPT Presentation

Module 5 BIND Configuration – PowerPoint PPT presentation

Slides: 29
Provided by: RonAi150
1
Module 5
BIND Configuration
2
BIND Configuration
  • named.conf controls operational features
  • Located - Linux
    • /etc/named.conf
    • /etc/bind/named.conf
  • Located - BSD
    • /usr/local/etc/named.conf
  • Located - Windows
    • systemroot\system32\dns\etc\named.conf

3
BIND named.conf
  • Contains 3 types of info
    • Comments
    • Clauses - collections of statements
    • Statements - individual statements within clauses
  • Include - in-situ inclusion from separate files
    (used for admin/security)

4
BIND named.conf
/* C-style comment format needs opening and closing markers
   but allows multiple lines or */
/* single lines */
/* or */ zone /* in-line comment does not terminate line */ in some zone statements
// C-style comments have single line format, no closing required
...some statement // comment ends this line
# SHELL/PERL-style comments have single lines, no closing required
some statement # comment ends this line
5
BIND named.conf Clauses
  • ACL - Access Control Lists
  • Controls - remote access (rndc)
  • Logging - controls logging features
  • Options - global options
  • View - allows separate configurations in same server
  • Zone - defines the zones that are supported
  • Key - used for security data (typically included)

6
BIND - Statements
  • Over 120 statements available
  • Many valid in one or more clauses
  • Some valid in only single clauses
  • Pro DNS and BIND classifies them
    • Transfer
    • Query
    • Operations
    • Security

7
BIND Typical named.conf
// change log
// 1. changed by M.E. on 24th January
acl "name" {...};  // acl clauses if present generally come first
                   // to avoid forward references
key "name" {...};  // key clauses if present must appear
                   // before being referenced
logging {...};     // requires at least a file
                   // statement unless using syslog
                   // order not important with BIND 9
options {...};
// other statements (as required)
// zones statements including 'required' zones
zone {....};
8
BIND View named.conf
options {
  // global options
};
// other statements as required
view "first" {
  // view specific statements (options)
  // view specific zone clauses
  // including required zones
  zone {.....};
  zone {.....};
}; // end of view "first"
view "second" {
  // view specific statements (options)
  // view specific zone clauses
  // including required zones
  zone {.....};
  zone {.....};
}; // end of view "second"
9
BIND View Clause
  • Each view clause is matched to incoming queries using
    • match-clients
    • match-destinations
    • match-recursive-only
  • View clause order is important
    • Tested in order in which views are defined
    • Unmatched fall through to next view clause

10
BIND View Clause Use
  • Mixed Local/public IPs
    • External public hosts
    • Internal local hosts
  • Mixed services
    • Internal caching
    • External Authoritative
  • Split horizons
    • different IPs to different sources

11
BIND match-clients
match-clients { address_match_element; ... };
match-clients { 10.2.3.0/8; 172.16.30.0/16; !192.168.0.0/16; };
12
BIND match-destinations
match-destinations { address_match_element; ... };
match-destinations { 192.168.0.3; };
13
BIND match-recursive-only
match-recursive-only ( yes | no );
match-recursive-only yes;
14
BIND Match combined
// named.conf fragment
view "recursive-external" {
  match-clients { !10.2.3.4/24; };
  match-recursive-only yes;
  // other view statements
  zone "example.com" in {
    ....
  };
};
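The first-match rule behind match-clients (slide 11) and the in-order view selection with fall-through (slides 9 and 14), worked as an added Python example; this is not code from the slides or from BIND itself. The evaluator, the view selector, the constructed VIEWS list and the LOCALNETS prefixes are this example's own assumptions. It goes one step past the slides in showing that a list made only of a negated element, like slide 14's { !10.2.3.4/24; }, accepts nobody, and that "everyone except" is written by adding any after the negation.

```python
import ipaddress
from typing import List, Optional, Tuple

# Assumed for this example: the prefixes 'localnets' would expand to on this
# server (BIND derives them from its interfaces; these are constructed values).
LOCALNETS = [ipaddress.ip_network("192.168.2.0/24"),
             ipaddress.ip_network("127.0.0.0/8")]

def parse_match_list(text: str) -> List[Tuple[bool, str]]:
    """'{ !10.2.3.0/24; "localnets"; }' -> [(True, '10.2.3.0/24'), (False, 'localnets')]."""
    elems = []
    for raw in text.strip().strip("{}").split(";"):
        raw = raw.strip()
        negated = raw.startswith("!")
        elem = raw.lstrip("!").strip().strip('"')
        if elem:
            elems.append((negated, elem))
    return elems

def element_matches(elem: str, addr) -> bool:
    """Test one address_match_element against one client address."""
    if elem == "any":
        return True
    if elem == "none":
        return False
    if elem == "localhost":
        return addr.is_loopback
    if elem == "localnets":
        return any(addr in net for net in LOCALNETS)
    # strict=False: slide 14 writes 10.2.3.4/24 with host bits set; mask them off
    return addr in ipaddress.ip_network(elem, strict=False)

def match_list_accepts(text: str, client_ip: str) -> bool:
    """BIND first-match rule: the first element that matches decides the result,
    a negated element rejects, and an address matching no element is rejected."""
    addr = ipaddress.ip_address(client_ip)
    for negated, elem in parse_match_list(text):
        if element_matches(elem, addr):
            return not negated
    return False

def select_view(views: List[dict], client_ip: str, dest_ip: str, recursive: bool) -> Optional[str]:
    """Views are tested in definition order (slide 9): the first one whose
    match-clients, match-destinations and match-recursive-only all accept the
    query wins; a query matching no view gets none (BIND refuses the query).
    Absent match-clients / match-destinations default to { any; }."""
    for view in views:
        if not match_list_accepts(view.get("match-clients", "{ any; }"), client_ip):
            continue
        if not match_list_accepts(view.get("match-destinations", "{ any; }"), dest_ip):
            continue
        if view.get("match-recursive-only", False) and not recursive:
            continue
        return view["name"]
    return None

# Constructed view order in the spirit of slides 8 and 14 (not the slides' files).
# Slide 14's list { !10.2.3.4/24; } on its own accepts nobody: with only a
# negated element nothing ever matches positively, so 'any' is appended here.
VIEWS = [
    {"name": "internal", "match-clients": "{ 192.168.2.0/24; localhost; }"},
    {"name": "recursive-external",
     "match-clients": "{ !10.2.3.4/24; any; }",
     "match-recursive-only": True},
]

if __name__ == "__main__":
    print(match_list_accepts("{ !10.2.3.4/24; }", "8.8.8.8"))          # False
    print(match_list_accepts("{ !10.2.3.4/24; any; }", "8.8.8.8"))     # True
    for client, rd in (("192.168.2.10", False), ("203.0.113.9", True),
                       ("203.0.113.9", False), ("10.2.3.77", True)):
        print(client, "RD" if rd else "no-RD", "->",
              select_view(VIEWS, client, "192.0.2.53", rd))
```

The order of VIEWS matters exactly as slide 9 says: a loopback or 192.168.2.0/24 client is claimed by "internal" before "recursive-external" is ever consulted, and an external client sending a non-recursive query falls through both views and gets none.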

15
BIND Logging
  • defaults logs to syslog or MS Events
  • logging clause is very powerful (complex!)
    • Single or multiple files (channels)
    • type of output (category)
    • severity of message

16
BIND Logging Clause
logging {
  channel channel_name {
    ( file path_name versions ( number | unlimited ) size size_spec
      | syslog syslog_facility
      | stderr
      | null );
    severity ( critical | error | warning | notice | info | debug level | dynamic );
    print-category yes | no;
    print-severity yes | no;
    print-time yes | no;
  };
  category category_name {
    channel_name; channel_name; ...
  };
  ...
};
17
BIND Logging Example
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation swaps files when size reaches 250K
// failure messages up to this point are in (syslog) /var/log/messages
logging {
  channel example_log {
    file "/var/log/named/example.log" versions 3 size 250k;
    severity info;
  };
  category default {
    example_log;
  };
};
18
BIND zone Clause
  • Defines the zones to be supported
    • Authoritative zones
    • Root-server zone (hints)
  • Special zones
    • Loopback address (forward/reverse)
    • Local IPs (RFC 1918 - reverse map)
    • IPv4/IPv6 as required

19
BIND Required zones
  • Caching DNS
    • Root-servers (hints)
    • Loopback (forward/reverse)
    • Local IPs (IPv4/IPv6)
  • Authoritative DNS
    • Zones supported
    • Loopback (forward/reverse)

20
BIND caching zones
// required zone for recursive queries
zone "." {
  type hint;
  file "root.servers";
};
// required local host domain
zone "localhost" in {
  type master;
  file "master.localhost";
  allow-update { none; };
};
// localhost reverse map
zone "0.0.127.IN-ADDR.ARPA" in {
  type master;
  file "localhost.rev";
};
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
zone "254.168.192.IN-ADDR.ARPA" in {
  type master;
  file "view/192.168.254.rev.internal";
};
21
BIND Authoritative zones
// required zone for authoritative queries
zone "example.com" {
  type master;
  // private zone files including local hosts
  file "master.example.com";
  allow-update { none; };
};
// required local host domain
zone "localhost" in {
  type master;
  file "master.localhost";
  allow-update { none; };
};
// localhost reverse map
zone "0.0.127.IN-ADDR.ARPA" in {
  type master;
  file "localhost.rev";
  allow-update { none; };
};
22
BIND Close Resolver
  • Open Caching DNS (Resolver)
    • can be used in DDoS
    • Defaults to recursion yes
  • Closed Caching DNS (Resolver)
    • Limit IPs allowed to access
    • use allow-recursion { x.x.x.x; };
    • From BIND 9.4 if no limits defaults to
      allow-query-cache { localnets; localhost; };
    • Implicit is not good

23
BIND - OPEN Resolvers
24
BIND Closed Resolver
Authoritative only - inhibit all recursion
  recursion no;
Any Resolver (caching) function
  recursion yes; // default!
  // use an appropriate local address scope statement
  // to limit recursion requests to local users
  allow-recursion { 192.168.2.0/24; }; // change IPs as required
  // OR if the DNS server's IPs and netmasks cover the whole local network you can use
  allow-recursion { "localnets"; };
  // OR if a personal system hard limits on reading
  listen-on { 127.0.0.1; };  // or listen-on { localhost; };
  listen-on-v6 { ::1; };     // OR listen-on-v6 { localhost; };
  // OR
  allow-recursion { "localhost"; };
25
Quick Quiz
  • BIND's configuration file name?
  • One path to this file on Linux?
  • Name two types of clauses?
  • What is the view clause used for?
  • One BIND statement used to control view clauses?
  • Is the hints file necessary for an Authoritative
    only DNS?
  • Why do you need a reverse map for RFC 1918 IPs?

26
Configure BIND9 on PC
  • Check IP address (command prompt > ipconfig)
  • From directory module-5-config copy
    • named.conf.win-cache
    • root.servers
    • master.localhost
    • localhost.rev
    to c:\windows\sysWOW64\dns\etc
  • rename named.conf.win-cache to named.conf
  • Stop MS DNS client - Start ISC BIND service
  • http://zytrax.com/books/dns/ch5/win2k.html

27
Configure BIND9 on *nix
  • Check IP address (command prompt > ifconfig)
  • From directory module-5-config copy
    • named.conf.unix-cache
    • root.servers
    • master.localhost
    • localhost.rev
    • 192.168.192.rev
    to /etc or /usr/local/etc as appropriate
  • edit named.conf.unix-cache as required
  • rename named.conf.unix-cache to named.conf
  • Start BIND9 (service named start)
  • http://zytrax.com/books/dns/ch5

28
Exercise BIND Configuration
  • Save zone file master.example.com as
    master.example.net
  • Change all necessary names
  • Add second MX server (lower priority) using
    mail1.example.net
  • Address record for mail1.example.net (IP
    192.168.2.0)
  • Add zone example.net to named.conf