Building A Debian DNS System
Version 1.0
Author: Joe Topjian <joe [at] adminspotting [dot] net>
OK, this is the last DNS article... for a while, at least.
This article will show you how to build a complete DNS System with Debian. This includes a Master server, a Slave server, DDNS, and a bunch of DNSSEC. I'll be using BIND 9 for the server.
The Master Server
First let's get our Master server up and running. Since BIND has been known to have its fair share of exploits, we're going to toss it in a chroot jail. I'm not going to cover that since Falko has written an excellent guide for that over here.
After you've got it all jailed up, get RNDC working. RNDC is a little command line utility to control BIND. To use it, copy the contents of /etc/bind/rndc.key to /etc/bind/named.conf. Restart BIND and you're good to go. Now you can use RNDC to interface with BIND instead of working with BIND directly. For more information on RNDC commands, see here.
Next it's time to create the zone file. For this example, I'm going to use the fictional TLD hemingway. No reason really -- just because I can and I know for a fact it'll never conflict with a real domain name.
For organization, I've made two directories to store the zone files, a master and slave -- for storing master and slave zone files, respectively.
/etc/bind/zones/master
/etc/bind/zones/slave
Don't forget to edit /etc/bind/named.conf.options and change the directory option to "/etc/bind".
The zone file will look like this (/etc/bind/zones/master/master.hemingway):
$ORIGIN hemingway
The reverse zone for the 192.168.1.0/24 (/etc/bind/zones/192.168.1.rev) will look like this:
$TTL 1d ;
Now edit /etc/bind/named.conf.local with the new zones:
zone "hemingway" {
    type master;
    file "/etc/bind/zones/master/master.hemingway";
};
zone "1.168.192.IN-ADDR.ARPA" {
    type master;
    file "/etc/bind/zones/192.168.1.rev";
};
Reload DNS and check your logs. You shouldn't have any errors, but you never know...
rndc reload
Now that BIND knows what domain to host, it's time to add some hostnames to it. We'll use DDNS for that. To set up DDNS, you can follow my DDNS articles here.
To actually add the hosts with DDNS, I'm going to use my ddns.py script.
ddns.py add jake.hemingway A 192.168.1.11
ddns.py add bill.hemingway A 192.168.1.12
ddns.py add robert.hemingway A 192.168.1.13
ddns.py add brett.hemingway A 192.168.1.14
The corresponding PTR files were also added, but I'm skipping that to save space.
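The forward/reverse pairing just described, as an added example that is not the author's ddns.py: it builds the input for BIND's nsupdate tool for one host, adds the matching PTR in the reverse zone, and refuses names or addresses that fall outside the two zones from this article so a typo cannot update the wrong zone. The server address, TTL and key file path are assumptions; the host list is the article's.

```python
"""Add a host's A record and its PTR with nsupdate, as the article does with ddns.py.

Added example, not the author's ddns.py: it builds the nsupdate input for the
forward and reverse zones from the article and refuses names or addresses
that fall outside those zones. SERVER, TTL and KEYFILE are assumptions.
"""
import ipaddress
import subprocess

FORWARD_ZONE = "hemingway"
REVERSE_ZONE = "1.168.192.in-addr.arpa"   # the article's reverse zone for 192.168.1.0/24
SERVER = "127.0.0.1"                      # assumption: nsupdate talks to the local master
TTL = 86400                               # assumption: one day, matching $TTL 1d
KEYFILE = "/etc/bind/rndc.key"            # assumption: TSIG key file the zone allows updates from

# Constructed sample data: the four hosts the article adds with ddns.py.
HOSTS = {
    "jake.hemingway": "192.168.1.11",
    "bill.hemingway": "192.168.1.12",
    "robert.hemingway": "192.168.1.13",
    "brett.hemingway": "192.168.1.14",
}


def in_zone(name: str, zone: str) -> bool:
    """True when `name` is the zone apex or a name below it (case-insensitive)."""
    n = name.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return n == z or n.endswith("." + z)


def reverse_name(ip: str) -> str:
    """Owner name of the PTR record for an IPv4 address, without trailing dot."""
    return ipaddress.IPv4Address(ip).reverse_pointer


def nsupdate_batch(hostname: str, ip: str) -> str:
    """Return nsupdate commands that (re)create the A and PTR records for one host.

    Each zone gets its own `send` because nsupdate sends one update per zone.
    """
    if not in_zone(hostname, FORWARD_ZONE):
        raise ValueError(f"{hostname} is outside zone {FORWARD_ZONE}")
    ptr = reverse_name(ip)
    if not in_zone(ptr, REVERSE_ZONE):
        raise ValueError(f"{ip} is outside reverse zone {REVERSE_ZONE}")
    fqdn = hostname.rstrip(".") + "."
    lines = [
        f"server {SERVER}",
        f"zone {FORWARD_ZONE}.",
        f"update delete {fqdn} A",              # drop a stale address first
        f"update add {fqdn} {TTL} A {ip}",
        "send",
        f"zone {REVERSE_ZONE}.",
        f"update delete {ptr}. PTR",
        f"update add {ptr}. {TTL} PTR {fqdn}",
        "send",
    ]
    return "\n".join(lines) + "\n"


def apply_update(hostname: str, ip: str) -> int:
    """Pipe the batch into nsupdate, signed with the key in KEYFILE; returns its exit code."""
    proc = subprocess.run(["nsupdate", "-k", KEYFILE],
                          input=nsupdate_batch(hostname, ip), text=True)
    return proc.returncode


if __name__ == "__main__":
    for host, addr in HOSTS.items():
        print(nsupdate_batch(host, addr))
```

Run it as-is to see the batches it would send; call apply_update() on a box where nsupdate and the key file exist. The delete-before-add keeps a host that changes address from ending up with two A records.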
We now have a fully functional Master DNS server resolving whatever hostnames we give it.
The Slave Server
Now that the Master server is set up, it's time to move on to the Slave. On another box, set up a Jailed BIND installation just like the Master.
The Slave will pull zone transfers from the Master. Since those zone transfers go over the network in plaintext, we're going to want to secure them.
In both the master and slave /etc/bind/named.conf.options file, add the following:
dnssec-enable yes;
Using the dnssec-keygen command described here, create a key. Add the MD5 hash to a new key statement in both /etc/bind/named.conf files:
key "TRANSFER" {
    algorithm hmac-md5;
    secret "MD5-KEY-FROM-DNSSEC-KEYGEN";
};
On the master, add the following server statement to /etc/bind/named.conf:
server IP-OF-SLAVE {
    keys { TRANSFER; };
};
On the slave, do the reverse:
server IP-OF-MASTER {
    keys { TRANSFER; };
};
On the master, add the following to the zone blocks in /etc/bind/named.conf.local:
allow-transfer { key TRANSFER; };
The zone block on the Slave should look like this:
zone hemingway {
Finally, make sure both servers have their clocks synced. Zone transfers won't take place if they are not.
Once you're done, start up the slave server. You should now have a brand new file in /etc/bind/zones/slave/ from the zone transfer. If you don't, check your logs -- they're very verbose with errors.
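The key, server and zone statements from the steps above, put together as an added example that is not part of the article. It generates a shared secret, writes out the matching master and slave fragments, and then checks the two sides for the mistakes that make a signed transfer fail: a key missing or different on the slave, a secret that is not valid base64 or is shorter than the algorithm's block, and an allow-transfer that names a key never defined. The key name TRANSFER and the /etc/bind paths follow the article; the server addresses and the slave file name are constructed, and the default algorithm is hmac-sha256 rather than the HMAC-MD5 key the article's dnssec-keygen command produces. Keep in mind that TSIG authenticates the transfer with the shared secret; it does not encrypt the zone data on the wire.

```python
"""Generate a TSIG key and check that the master and slave BIND statements agree.

Added example, not part of the article. The key name TRANSFER and the
/etc/bind paths follow the article; the server addresses and slave file name
are constructed, and the default algorithm is hmac-sha256 rather than the
HMAC-MD5 key that the article's dnssec-keygen command produces.
"""
import base64
import re
import secrets

MASTER_IP = "192.168.1.2"    # constructed
SLAVE_IP = "192.168.1.3"     # constructed
KEY_BITS = {"hmac-md5": 128, "hmac-sha256": 256}   # native secret length per algorithm


def make_secret(algorithm: str = "hmac-sha256") -> str:
    """Random base64 secret of the algorithm's native length (what tsig-keygen prints)."""
    return base64.b64encode(secrets.token_bytes(KEY_BITS[algorithm] // 8)).decode()


def key_statement(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """The key block that must be identical in both named.conf files."""
    return f'key "{name}" {{\n    algorithm {algorithm};\n    secret "{secret}";\n}};\n'


def master_config(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """Master side: shared key, signed session with the slave, and a zone that
    only hands out transfers signed with that key."""
    return (key_statement(name, secret, algorithm)
            + f"server {SLAVE_IP} {{ keys {{ {name}; }}; }};\n"
            + 'zone "hemingway" {\n    type master;\n'
              '    file "/etc/bind/zones/master/master.hemingway";\n'
              f"    allow-transfer {{ key {name}; }};\n}};\n")


def slave_config(name: str, secret: str, algorithm: str = "hmac-sha256") -> str:
    """Slave side: same key, signed session with the master, slave zone (file name assumed)."""
    return (key_statement(name, secret, algorithm)
            + f"server {MASTER_IP} {{ keys {{ {name}; }}; }};\n"
            + 'zone "hemingway" {\n    type slave;\n'
              f"    masters {{ {MASTER_IP}; }};\n"
              '    file "/etc/bind/zones/slave/hemingway";\n};\n')


KEY_RE = re.compile(r'key\s+"?([\w.-]+)"?\s*\{\s*algorithm\s+([\w-]+)\s*;'
                    r'\s*secret\s+"([^"]*)"\s*;\s*\}\s*;')


def parse_keys(conf: str) -> dict:
    """Map key name -> (algorithm, secret) for every key statement in a config."""
    return {m.group(1): (m.group(2).lower(), m.group(3)) for m in KEY_RE.finditer(conf)}


def check_pair(master_conf: str, slave_conf: str) -> list:
    """Return the mistakes that make a TSIG-signed transfer fail."""
    problems = []
    master_keys, slave_keys = parse_keys(master_conf), parse_keys(slave_conf)
    for name, (alg, secret) in master_keys.items():
        if name not in slave_keys:
            problems.append(f"key {name} missing on slave")
        elif slave_keys[name] != (alg, secret):
            problems.append(f"key {name} differs on slave")
        try:
            raw = base64.b64decode(secret, validate=True)
        except ValueError:          # binascii.Error is a ValueError subclass
            problems.append(f"key {name}: secret is not valid base64")
            continue
        bits = KEY_BITS.get(alg, 128)
        if len(raw) * 8 < bits:
            problems.append(f"key {name}: secret is only {len(raw) * 8} bits, {alg} needs {bits}")
    # allow-transfer must reference a key that this file actually defines
    for ref in re.findall(r"allow-transfer\s*\{\s*key\s+([\w.-]+)\s*;", master_conf):
        if ref not in master_keys:
            problems.append(f"allow-transfer names undefined key {ref}")
    return problems


if __name__ == "__main__":
    secret = make_secret()
    print(master_config("TRANSFER", secret))
    print(slave_config("TRANSFER", secret))
    print("problems:", check_pair(master_config("TRANSFER", secret),
                                  slave_config("TRANSFER", secret)))
```

Paste the two printed fragments into the respective named.conf files; if check_pair() reports anything, fix that before chasing the transfer in the logs, since a key mismatch shows up there only as a BADKEY/BADSIG refusal.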
Ending
That's all there is to it! It's a lot of work and I really breezed through it, but this should get you up and running. For reference and further information, please read my DDNS articles here and refer to the wonderful book Pro DNS and BIND (not a marketing plug -- it's really a good book!).