step 4: configure bind

First of all you need to find your named.conf (the BIND configuration file).

There is a tool called "locate" on your system that is useful to find files, but every time you add or delete a file you need to update locate's file database first. To do so type:

# updatedb

now use the following command to find the named.conf file:

# locate named.conf

the default location with the bind-chroot package (Red Hat / CentOS) is /var/named/chroot/etc/named.conf; without the chroot package it is /etc/named.conf. The rest of this page assumes the chroot layout.

If you need help or want to know which options are available, type:

# man named.conf

to quit / get back to the command line prompt, type:

q

to avoid losing the original file we make a copy of it before editing, using the "cp" (= copy) command:

# cp /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.conf.original

update the file database again with "updatedb", then type "locate named.conf" a second time: you will now see at least two files, the named.conf.original we keep as a backup and the named.conf we are going to modify.

edit the named.conf file

now we use "vi", a text editor, to edit named.conf:

# vi /var/named/chroot/etc/named.conf

the vi editor is easy enough to use for this:

press the "i" key to go into insert mode, then change the following lines

- first change the line "listen-on port 53" so that named only binds to the addresses of the "trusted" ACL (it is defined further down in the file and contains localhost and the server's own IP):

listen-on port 53 { trusted; };

- now edit the line "allow-query" and set it to "any", so that everybody on the internet can ask for the records of your zones:

allow-query { any; };

"any" is right for an authoritative server, but it must not turn the machine into an open resolver: keep recursion restricted to "trusted" (the allow-query-cache and allow-recursion options, see the complete file below), otherwise anybody can use your server for recursive lookups and for DNS amplification attacks against third parties.

- now add a zone for your domain name and a reverse zone for your IP address:

you need to add two zones to your named.conf, one for your domain and a reverse DNS zone for the network your IP belongs to. Let's say your domain is example.com and your server IP is 111.222.333.444 (a placeholder used throughout this page, octets above 255 are not valid, always replace it with your real address), then you would add the following entries:


	zone "333.222.111.in-addr.arpa" {
		type master;
		file "333.222.111.in-addr.arpa";
	};

	zone "example.com" {
		type master;
		file "example.com.hosts";
	};

If your IP is 111.222.333.444 (a.b.c.d), the reverse zone is named after the first three octets in reverse order, c.b.a.in-addr.arpa, here 333.222.111.in-addr.arpa, and the zone file gets the same name. You can only serve this reverse zone if your hoster has delegated it (or the part covering your address) to your nameservers; if it has not, ask the hoster to create the PTR record for you instead. In the complete file below you will also find the IP 555.666.777.888, replace it by the IP of your secondary server.

to find your server's IP address, type

# ifconfig

search for a line with the term "inet addr", that's the server IP (on newer systems ifconfig has been replaced by "ip addr show", where the line starts with "inet"). Replace 111.222.333.444 by your own IP and example.com by your domain.

then if you finished editing the file, press the escape key to exit from the edit mode

type :x! to save the file and exit from vi

type :q! to exit without saving

Your final file might look like this:


//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

// Set up an ACL named "bogusnets" that will block addresses which should
// never be the source of a legitimate query: RFC 1918 private space
// (commonly used in spoofing attacks), the TEST-NET block, multicast and
// 0.0.0.0/8. The 1.0.0.0/8 and 2.0.0.0/8 entries of the older Red Hat
// sample are left out on purpose: both have been allocated as ordinary
// public space (APNIC and RIPE NCC) since 2009/2010 and must not be
// blackholed. Do not use this ACL at all if your own server or clients
// sit behind NAT in RFC 1918 space.
acl bogusnets {
    0.0.0.0/8;
    192.0.2.0/24;
    224.0.0.0/3;
    10.0.0.0/8;
    172.16.0.0/12;
    192.168.0.0/16;
};

// IP addresses I trust: localhost and the server's own address
// (111.222.333.444 is a placeholder, put your real address here)
acl "trusted" {
        localhost;
        111.222.333.444;
};

// IP of the secondary nameserver (placeholder, replace it)
acl "secondary" {
        555.666.777.888;
};

options {
	listen-on port 53 { trusted; };
	listen-on-v6 port 53 { ::1; };
	directory 	"/var/named";
	dump-file 	"/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
	// everybody may ask for the records of our zones ...
	allow-query { any; };
	// ... but only trusted hosts may use the cache or recurse through
	// this server, otherwise it would be an open resolver
	allow-query-cache { trusted; };
	allow-recursion { trusted; };
	// zone transfers only to the secondary
	allow-transfer          { secondary; };
	blackhole               { bogusnets; };
	recursion yes;

	dnssec-enable yes;
	dnssec-validation yes;
	// DLV (dnssec-lookaside) and the ISC DLV key are obsolete: ISC shut
	// the DLV registry down in 2017 and newer BIND releases (9.16 and
	// later) no longer accept the option. Keep the two DLV lines only on
	// the old BIND version this tutorial was written for, drop them otherwise.
	dnssec-lookaside auto;

	/* Path to ISC DLV key */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "333.222.111.in-addr.arpa" {
        type master;
        file "333.222.111.in-addr.arpa";
        allow-update { none; };
};

zone "example.com" {
        type master;
        file "example.com.hosts";
        // no dynamic updates: the secondary receives the zone through a
        // zone transfer (allow-transfer above) and never needs update
        // rights; besides, an allow-update list based on IP addresses can
        // be spoofed over UDP, only TSIG-signed updates would be safe
        allow-update { none; };
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

create a reverse dns zone file and at least one dns zone for a host on your server

now we need to create the two zone files we referenced in named.conf, a reverse DNS file and a forward zone file for every domain (vhost) you want to host later. They go into /var/named/chroot/var/named, which is what directory "/var/named" in named.conf means from inside the chroot (a file name without a path in a zone statement is looked up there):

# vi /var/named/chroot/var/named/333.222.111.in-addr.arpa

press the "i" key to insert content then paste the following content into the previously created file:


$TTL 38400
@ IN SOA ns1.example.com. root.example.com. (
                        2012121201      ; serial
                        14400           ; refresh
                        3600            ; retry
                        604800          ; expire
                        38400 )         ; negative caching TTL
        NS      ns1.example.com.
        NS      my_secondary.dns-server.com.
444     PTR     example.com.

Lines without an owner name (the two NS records) inherit the owner of the previous record, "@", i.e. the zone itself. The owner of the PTR record is the last octet of your IP (444 for 111.222.333.444); the first three octets are already part of the zone name.

- The number 2012121201 on the third line is the serial number. It has to be increased after every change to this file, because secondary servers only fetch the zone again when the serial is higher than the one they already hold. The usual format is yyyymmddNN: year 2012, month 12, day 12, followed by a two-digit counter you increment if you edit the file several times on the same day, here 01.

- The $TTL value (38400 seconds, 10 hours and 40 minutes) is the default time-to-live of the records in this file: a machine that has cached one of your records must ask your server again once that time has passed.

- The other numbers in the SOA record are:

14400 is the refresh time: secondary nameservers wait this long before asking the primary whether the zone's serial has changed.

3600 is the retry time: if the primary did not answer a refresh request, the secondary waits this long before trying again.

604800 is the expire time: if the secondary has not been able to reach the primary for this long, it stops answering authoritatively for the zone.

38400 is the minimum TTL: in BIND 4 and 8 this was the default TTL of the zone's records; since BIND 9 (RFC 2308) it only defines how long resolvers may cache negative answers ("no such name"), and BIND resolvers cap that at 3 hours by default (max-ncache-ttl).

- if you want more information about the SOA record and all those numbers, read the BIND Administrator Reference Manual (the official manual).

now the forward zone file for your domain:

# vi /var/named/chroot/var/named/example.com.hosts

press the "i" key to insert content, then paste the following content into the newly created file:


$TTL 38400
example.com.    IN      SOA     ns1.example.com.  root.example.com. (
                        2012121201      ; serial
                        14400           ; refresh
                        3600            ; retry
                        604800          ; expire
                        38400 )         ; negative caching TTL
example.com.    IN      NS      ns1.example.com.
example.com.    IN      NS      my_secondary.dns-server.com.
example.com.    IN      MX  10  mail.example.com.
ns1             IN      A       111.222.333.444
www             IN      A       111.222.333.444
@               IN      A       111.222.333.444
mail            IN      A       111.222.333.444
static          IN      A       111.222.333.444
cdn             IN      CNAME   sub_domain.cndhost.com.

- my_secondary.dns-server.com is the hostname (not a URL) of your secondary DNS server; it is only a placeholder, a real hostname may not contain an underscore.

- the "static" and "cdn" lines are sub-domains, just like www and mail: the mail sub-domain is the name of the mailserver, www is for your website, static and cdn are two sub-domains I use; replace them by whatever you want, remove them or add more. The cdn sub-domain has no local vhost on my server, it is a CNAME (alias) pointing at a sub-domain of my CDN host, where a copy of my static files is hosted.

- don't forget the trailing dots after fully qualified names such as ns1.example.com. (they are required: without the dot BIND appends the zone name and you end up with ns1.example.com.example.com).

if you created the files somewhere else (for example directly in /var/named), copy them to /var/named/chroot/var/named: named only sees what is inside the chroot

change the owner of named.conf and of the zone files to root:named with the chown command, so that the named user can read them (the Red Hat package ships them with mode 640) but a compromised named process cannot rewrite its own configuration:

# chown root:named /var/named/chroot/etc/named.conf /var/named/chroot/var/named/example.com.hosts /var/named/chroot/var/named/333.222.111.in-addr.arpa

to check if the main configuration is OK before restarting the server (-t tells named-checkconf where the chroot is, the path after it is relative to the chroot; add -z to also test-load every zone the file references):

# named-checkconf -t /var/named/chroot /etc/named.conf

check if the zone files are OK (the first argument is the zone name; repeat the command for the reverse zone with 333.222.111.in-addr.arpa and its file; the output ends with "OK" when the file loads):

# named-checkzone example.com /var/named/chroot/var/named/example.com.hosts

after you made all those changes you should restart your nameserver software:

# service named restart

to check if bind is running, type:

# ps -Af | grep 'named'

if you find a line in the output that lists the user "named" together with its process id (PID), named is running

if your DNS server doesn't work, check the log file for errors; named reports its start-up and every zone it loaded or failed to load there:

# tail -f /var/log/messages | grep named

to test your DNS Server you can use one of following online DNS Tools: intodns.com or dnscheck.iis.se/

to check if the domain is correctly defined you can also type this on the command line (replace example.com with your domain and 111.222.333.444 with the IP of your nameserver):

# host example.com 111.222.333.444

you should get an answer similar to this:


Using domain server:
Name: 111.222.333.444
Address: 111.222.333.444#53
Aliases:
example.com has address 111.222.333.444
example.com mail is handled by 10 mail.example.com.

if you get the error message "connection timed out; no servers could be reached", your firewall is probably blocking the DNS port. DNS uses port 53 over UDP for normal queries and over TCP for zone transfers and for answers too large for a UDP packet, so both have to be open. You can check from another machine with nmap; note that a plain "nmap host" only scans TCP ports, the -sU option adds a UDP scan (it needs root):

# nmap -sT -sU -p 53 111.222.333.444

if you find lines similar to these in the output, port 53 is reachable (for UDP nmap may report "open|filtered" when the server did not answer the probe, query it with host or dig to be sure):

53/tcp  open  domain
53/udp  open  domain
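The checks above tell you that the server answers, but not whether it answers the right way. The following script is an added example of mine (not from the original page) that uses dig from the bind-utils package against the server: it verifies that the answer for your own zone carries the "aa" (authoritative answer) flag, that a query for a name you are not authoritative for is refused rather than recursed (the open-resolver check that goes with allow-query { any; }), and that port 53 also works over TCP. The server address 203.0.113.10 and the foreign name www.iana.org in the usage line are placeholders; the three SAMPLE_ variables are constructed dig headers so the parsing can be tried without a server.

```shell
#!/bin/sh
# check_ns.sh: checks to run once named is up. Added example, not from the
# original page. The live part needs `dig` (bind-utils) and network access
# and takes: server address, one of your own domains, and a name your
# server is NOT authoritative for. The parsing functions only look at dig's
# header lines, so they can also be fed captured output.

# does the ";; flags:" line of a dig answer carry flag $2 (aa, ra, ...)?
has_flag() {
    printf '%s\n' "$1" | grep -q "^;; flags:[^;]* $2[ ;]"
}

# status (NOERROR, REFUSED, NXDOMAIN, ...) and number of answer records
status_of() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}
answer_count() {
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'
}

# "open" when the server fetched a foreign name for us (recursion available
# and an answer came back), "closed" when it refused or only referred us on.
recursion_verdict() {
    if has_flag "$1" ra && [ "$(status_of "$1")" = NOERROR ] &&
       [ "$(answer_count "$1")" -gt 0 ] 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# constructed samples of dig header output, one per situation (not captured
# from a real server)
SAMPLE_OPEN=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_REFUSED=';; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 4243
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_AUTH=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4244
;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3'

# $1 = server, $2 = own domain, $3 = foreign name (e.g. www.iana.org)
live_checks() {
    own=$(dig @"$1" +norecurse "$2" SOA)
    if has_flag "$own" aa; then
        echo "authoritative answer for $2: yes"
    else
        echo "authoritative answer for $2: NO (status $(status_of "$own"))"
    fi
    # recursion desired is set by default, so this asks the server to recurse
    foreign=$(dig @"$1" "$3" A)
    echo "open resolver: $(recursion_verdict "$foreign")"
    # zone transfers and large answers need TCP 53 as well as UDP 53
    tcp=$(dig @"$1" +tcp +norecurse "$2" SOA)
    echo "answers over TCP: $(status_of "$tcp")"
}

# usage: sh check_ns.sh 203.0.113.10 example.com www.iana.org
if [ $# -eq 3 ]; then
    live_checks "$@"
fi
```

With the named.conf from this page the foreign query should come back without the "ra" flag (REFUSED on current BIND, or a referral with no answer on older versions), which the script reports as "closed"; "open" means allow-recursion or allow-query-cache is wider than "trusted" and has to be fixed before the server goes live.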

Now go to the website of your domain registrar (the hoster where you bought the domain) and set the nameservers of your domain to ns1.example.com and your secondary. Because ns1.example.com lies inside the domain it serves, the registrar also needs its IP address (a "glue record"), otherwise resolvers have no way to find your server.

Add a second domain to your DNS server

Adding another domain will be a lot easier if you have already followed the previous steps.

First find your named.conf and edit it.

# vi /var/named/chroot/etc/named.conf

You will have to add another zone for your new domain (press the [i] key to enter edit mode in vi):


zone "example2.com" {
        type master;
        file "example2.com.hosts";
        allow-update { none; };
};

After adding those few lines save the file (to save press [escape] to leave the edit mode then type ":x!" to save the edit).

Now we have to create a new hosts file, for our new domain. Open the folder where your other hosts files are (in my case it is /var/named/chroot/var/named)

# cd /var/named/chroot/var/named

Make a copy of your previously created example.com.hosts file:

# cp example.com.hosts example2.com.hosts

Now edit the example2.com.hosts file, replace example.com with example2.com everywhere and set a fresh serial (the date of the edit followed by 01):


$TTL 38400
example2.com.   IN      SOA     ns1.example2.com.  root.example2.com. (
                        2014020201      ; serial
                        14400           ; refresh
                        3600            ; retry
                        604800          ; expire
                        38400 )         ; negative caching TTL
example2.com.   IN      NS      ns1.example2.com.
example2.com.   IN      NS      my_secondary.dns-server.com.
example2.com.   IN      MX  10  mail.example2.com.
ns1             IN      A       111.222.333.444
www             IN      A       111.222.333.444
@               IN      A       111.222.333.444
mail            IN      A       111.222.333.444
static          IN      A       111.222.333.444
cdn             IN      CNAME   sub_domain.cndhost.com.

That's it. Check the new file with named-checkconf and named-checkzone as above, fix the owner and permissions like for the first zone file, then reload your nameserver and you are done:

# service named reload