Building A Debian DNS System

Want to support HowtoForge? Become a subscriber!
Submitted by joe (Contact Author) (Forums) on Tue, 2005-11-01 12:03. :: BIND | DNS

Building A Debian DNS System

Version 1.0
Author: Joe Topjian <joe [at] adminspotting [dot] net>
Last edited 11/01/2005

OK, this is the last DNS article... for a while, at least.

This article will show you how to build a complete DNS System with Debian. This includes a Master server, a Slave server, DDNS, and a bunch of DNSSEC. I'll be using BIND 9 for the server.

The Master Server

First lets get our Master server up and running. Since BIND has been known to have it's fair share of exploits, we're going to toss it in a chroot jail. I'm not going to cover that since Falko has written an excellent guide for that over here.

After you've got it all jailed up, get RNDC working. RNDC is a little command line utility to control BIND. To use it, copy the contents of /etc/bind/rndc.key to /etc/bind/named.conf. Restart BIND and you're good to go. Now you can use RNDC to interface with BIND instead of working with BIND directly. For more information on RNDC commands, see here.

Next it's time to create the zone file. For this example, I'm going to use the fictional TLD hemingway. No reason really -- just because I can and I know for a fact it'll never conflict with a real domain name.

For organization, I've made two directories to store the zone files, a master and slave -- for storing master and slave zone files, respectively.


Don't forget to edit /etc/bind/named.conf.options and change the directory option to "/etc/bind".

The zone file will look like this (/etc/bind/zones/master/master.hemingway):

$ORIGIN hemingway
$TTL 1d
@ IN SOA ns1 hostmaster (
2005103008 ; serial
NS hemingway.

The reverse zone for the (/etc/bind/zones/192.168.1.rev) will look like this:

$TTL 1d ;
@ IN SOA ns1.hemingway. hostmaster.hemingway. (

IN NS ns1.hemingway.
IN NS ns2.hemingway.

Now edit /etc/bind/named.conf.local with the new zones:

zone "hemingway" {
type master;
file "zones/master/master.hemingway";

zone "1.168.192.IN-ADDR.ARPA" {
type master;
file "zones/192.168.1.rev";

Reload DNS and check your logs. You shouldn't have any errors, but you never know...

rndc reload

Now that BIND knows what domain to host, it's time to add some hostnames to it. We'll use DDNS for that. To set up DDNS, you can follow my DDNS articles here.

To actually add the hosts with DDNS, I'm going to use my script. add jake.hemingway A add bill.hemingway A add robert.hemingway A add brett.hemingway A

The corresponding PTR files were also added, but I'm skipping that to save space.

We now have a fully functional Master DNS server resolving whatever hostnames we give it.

The Slave Server

Now that the Master server is set up, it's time to move on to the Slave. On another box, set up a Jailed BIND installation just like the Master.

The Slave will pull zone transfers from the Master. Since those zone transfers go over the network in plaintext, we're going to want to secure them.

In both the master and slave /etc/bind/named.conf.options file, add the following

dnssec-enable yes;

Using the dnssec-keygen command described here, create a key. Add the MD5 hash to a new key statement in both /etc/bind/named.conf files:

key "TRANSFER" {
algorithm hmac-md5;
secret "jXc2Lreaw4QHHTb/MjiHAw==";

On the master, add the following server statement to /etc/bind/named.conf:

server IP-OF-SLAVE {
keys { TRANSFER; };

On the slave, do the reverse:

server IP-OF-MASTER {
keys { TRANSFER; };

On the master, add the following to the zone blocks in /etc/bind/named.conf.local:

allow-transfer { key TRANSFER; };

The zone block on the Slave should look like this:

zone hemingway {
type slave;
file "zones/slave/slave.hemingway";
masters { IP-OF-MASTER; };
allow-notify { IP-OF-MASTER; };

Finally, make sure both servers have their clocks sync'd. Zone transfers won't take place if they are not.

Once you're done, start up the slave server. You should now have a brand new file in /etc/bind/zones/slave/ from the zone transfer. If you don't, check your logs -- they're very verbose with errors.


That's all there is to it! It's a lot of work and I really breezed through it, but this should get you up and running. For reference and further information, please read my DDNS articles here and refer to the wonderful book Pro DNS and BIND (not a marketing plug -- it's really a good book!).

Please do not use the comment function to ask for help! If you need help, please use our forum.
Comments will be published after administrator approval.
Submitted by Anonymous (not registered) on Thu, 2005-11-03 00:40.

Instead of copying the contents of /etc/rndc.key to /etc/bind/named.conf, one could also just enter the following to the last line of named.conf:

include "/etc/rndc.key";
Submitted by Anonymous (not registered) on Tue, 2006-06-27 05:15.


 include "/etc/bind/rndc.key";

elSpike out.

Submitted by tagammeer (registered user) on Sat, 2005-11-05 18:51.
doh! You're absolutely right.