Building A Debian DNS System
OK, this is the last DNS article... for a while, at least.
This article will show you how to build a complete DNS System with Debian. This includes a Master server, a Slave server, DDNS, and a bunch of DNSSEC. I'll be using BIND 9 for the server.
The Master Server
First, let's get our Master server up and running. Since BIND has been known to have its fair share of exploits, we're going to toss it in a chroot jail. I'm not going to cover that here, since Falko has written an excellent guide for it over here.
After you've got it all jailed up, get RNDC working. RNDC is a little command-line utility for controlling BIND. To use it, copy the contents of /etc/bind/rndc.key into /etc/bind/named.conf. Restart BIND and you're good to go. Now you can use RNDC to interface with BIND instead of working with BIND directly. For more information on RNDC commands, see here.
Next it's time to create the zone file. For this example, I'm going to use the fictional TLD hemingway. No reason really -- just because I can and I know for a fact it'll never conflict with a real domain name.
For organization, I've made two directories under /etc/bind/zones to store the zone files, master and slave -- for storing master and slave zone files, respectively.
Don't forget to edit /etc/bind/named.conf.options and change the directory option to "/etc/bind".
The zone file will look like this (/etc/bind/zones/master/master.hemingway):
The reverse zone for the 192.168.1.0/24 (/etc/bind/zones/192.168.1.rev) will look like this:
Now edit /etc/bind/named.conf.local with the new zones:
Reload DNS and check your logs. You shouldn't have any errors, but you never know...
Now that BIND knows what domain to host, it's time to add some hostnames to it. We'll use DDNS for that. To set up DDNS, you can follow my DDNS articles here.
To actually add the hosts with DDNS, I'm going to use my ddns.py script.
ddns.py add jake.hemingway A 192.168.1.11
The corresponding PTR records were also added, but I'm skipping that to save space.
We now have a fully functional Master DNS server resolving whatever hostnames we give it.
The Slave Server
The Slave will pull zone transfers from the Master. Since those zone transfers go over the network in plaintext, we're going to want to secure them.
In both the master and slave /etc/bind/named.conf.options files, add the following:
Using the dnssec-keygen command described here, create a key. Add the MD5 hash to a new key statement in both /etc/bind/named.conf files:
On the master, add the following server statement to /etc/bind/named.conf:
On the slave, do the reverse:
On the master, add the following to the zone blocks in /etc/bind/named.conf.local:
The zone block on the Slave should look like this:
Finally, make sure both servers have their clocks synced. Zone transfers won't take place if they aren't.
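The key, server and zone statements described above, collected into one added example for both servers (this is not the original article's configuration). The key name, the secret placeholder, and the master (192.168.1.2) and slave (192.168.1.3) addresses are assumptions; the article uses an MD5 key, while this example assumes hmac-sha256, which BIND 9 also supports for TSIG.

```conf
// /etc/bind/named.conf on BOTH servers (assumed key name; paste the secret
// that dnssec-keygen produced in place of the placeholder)
key "hemingway-xfer" {
    algorithm hmac-sha256;    // article uses hmac-md5; sha256 is also supported
    secret "REPLACE-WITH-BASE64-SECRET-FROM-DNSSEC-KEYGEN";
};

// /etc/bind/named.conf.options on BOTH servers: refuse transfers by default,
// so only zones that explicitly allow the key can be pulled
options {
    directory "/etc/bind";
    allow-transfer { none; };
};

// Master only, /etc/bind/named.conf: sign traffic to the slave with the key
server 192.168.1.3 {
    keys { "hemingway-xfer"; };
};

// Master only, /etc/bind/named.conf.local: transfers require the key
zone "hemingway" {
    type master;
    file "/etc/bind/zones/master/master.hemingway";
    allow-transfer { key "hemingway-xfer"; };
    notify yes;
};

// Slave only, /etc/bind/named.conf: the reverse of the master's statement
server 192.168.1.2 {
    keys { "hemingway-xfer"; };
};

// Slave only, /etc/bind/named.conf.local: pull the zone from the master
zone "hemingway" {
    type slave;
    file "/etc/bind/zones/slave/slave.hemingway";
    masters { 192.168.1.2; };
    allow-transfer { none; };
};
```

To confirm the restriction works, an unsigned `dig @192.168.1.2 hemingway AXFR` from the slave should be refused and logged by the master, while `dig -y hmac-sha256:hemingway-xfer:<secret> @192.168.1.2 hemingway AXFR` should succeed.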
Once you're done, start up the slave server. You should now have a brand new file in /etc/bind/zones/slave/ from the zone transfer. If you don't, check your logs -- BIND is very verbose about errors.
That's all there is to it! It's a lot of work and I really breezed through it, but this should get you up and running. For reference and further information, please read my DDNS articles here and refer to the wonderful book Pro DNS and BIND (not a marketing plug -- it's really a good book!).