Bind9 - Debian Wiki https://wiki.debian.org/Bind9

Bind9 - Debian Wiki


Translation(s): English - French

Putting a DNS server on a network allows the IP addresses of individual machines to be replaced by names. As a
result, it is even possible to associate several names with the same machine, one for each of the services it
offers. For example, www.example.com and pop.example.com could both point to the primary server where the
mail server and the business intranet reside, and the domain could be example.com. It is easy to remember
that these two services run on the same machine, whose IP address is 192.168.0.1.

Now imagine that our network administrator decides, for one reason or another, to move the mail server to
the machine 192.168.0.11. The only thing that has to change is the DNS server's configuration file. You
could instead modify the host configuration of every user, but that would be time-consuming and
inconvenient.

DNS : Domain Name System or Domain Name Server

Primary Server :

Secondary server :

Server cache :

We get internet access through an xxxbox (192.168.1.1) and two DNS servers provided by our ISP (80.10.249.2,
80.10.246.129). In fact, these two ISP servers will never be referred to in the configuration, because the
xxxbox is in charge of resolving names when the packet destination isn't known. Consequently, I treat
the xxxbox as a primary server outside our domain. The "sid" server (192.168.1.10) is connected to the
xxxbox via its primary network card. It is also connected to the LAN (192.168.0.0/24) by its secondary
network interface (192.168.0.1). It is on this machine that we are going to install the primary DNS server for
our domain example.com (RFC 2606). All the computers on the LAN are automatically assigned a single address
by the DHCP service. The DHCP service also provides the address of the primary DNS server for our domain, and
updates the host names in the zone example.com so they can be associated with an IP address.

Installation
The package bind9 will be used for installation.
# apt-get install bind9

and then if you want to also install the documentation (very useful):
# apt-get install bind9-doc

Configuration
After installation, you might want to get familiar with some of the configuration files. They are in the
directory /etc/bind/

TSIG Signature

The purpose of this signature is to authenticate transactions with BIND. Thus, the DHCP server cannot
update the example.com domain if it does not hold this key. Copy and paste an existing key:
# cd /etc/bind/
# cat rndc.key
key "rndc-key" {
algorithm hmac-md5;
secret "QJc08cnP1xkoF4a/eSZZbw==";
};

# cp rndc.key ns-example-com_rndc-key

You can generate a new key with the following options:

algorithm HMAC-MD5 - identifier 157 (required for a TSIG signature and the only algorithm supported
by BIND)

length of 512 octets (a multiple of 64, with a maximum length of 512 for the above algorithm)

name : ns-example-com_rndc-key
# dnssec-keygen -a HMAC-MD5 -b 512 -n USER ns-example-com_rndc-key
Kns-example-com_rndc-key.+157+53334

The footprint (key tag) associated with the key is 53334. We get two files, one with the extension .key and the
other with the extension .private. Replace the secret in the file ns-example-com_rndc-key with the key found in
either of these two files.
# cat Kns-example-com_rndc-key.+157+53334.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: LZ5m+L/HAmtc9rs9OU2RGstsg+Ud0TMXOT+C4rK7+YNUo3vNxKx/197o2Z80t6gA34AEaAf3F+hEodV4K+SWvA==
Bits: AAA=

# cat ns-example-com_rndc-key
key "ns-example-com_rndc-key" {
algorithm hmac-md5;
secret "LZ5m+L/HAmtc9rs9OU2RGstsg+Ud0TMXOT+C4rK7+YNUo3vNxKx/197o2Z80t6gA34AEaAf3F+hEodV4K+SWvA==";
};

The file ns-example-com_rndc-key must not be world-readable, for security reasons. It should be pulled into
the BIND configuration with an include statement, because the BIND configuration itself is world-readable.
It is also a good idea to delete the .key and .private files generated above.
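As an added example (not from the Debian wiki page), the following POSIX shell script does the key-file step above in one go and never leaves the secret world-readable, even for an instant: the file is created under umask 077, then set to mode 0640 and, when run as root on a system that has a bind group, handed to root:bind. It uses a 32-byte secret from /dev/urandom and the hmac-sha256 algorithm, which BIND 9 accepts for TSIG alongside hmac-md5; the function names, the TSIG_PROVISION switch and the default path are this example's own assumptions.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: create the TSIG key include
# file from the section above without ever leaving the secret world-readable.
# Assumptions: coreutils head/base64, a Debian-style /etc/bind path, and a
# "bind" group for the named process (only used when running as root).

# Print a random base64 secret; SIZE is the number of random bytes (default 32).
gen_tsig_secret() {
    size="${1:-32}"
    head -c "$size" /dev/urandom | base64 | tr -d '\n'
}

# write_tsig_keyfile NAME PATH [ALGORITHM] [SECRET]
# Writes the key statement that named.conf includes. The file is created
# under umask 077 so there is no window in which others can read it,
# then opened to the bind group only.
write_tsig_keyfile() {
    name="$1"; path="$2"
    algo="${3:-hmac-sha256}"   # the page uses hmac-md5; BIND 9 also accepts hmac-sha256
    secret="${4:-$(gen_tsig_secret)}"
    (
        umask 077
        rm -f "$path"          # do not inherit the mode of an older copy
        printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
            "$name" "$algo" "$secret" > "$path"
    )
    chmod 0640 "$path"
    if [ "$(id -u)" -eq 0 ] && getent group bind >/dev/null 2>&1; then
        chown root:bind "$path"
    fi
}

# Return 0 if PATH exists and has no "other read" bit set, 1 otherwise.
check_not_world_readable() {
    [ -f "$1" ] || return 1
    [ -z "$(find "$1" -prune -perm -004)" ]
}

main() {
    keyfile="${1:-/etc/bind/ns-example-com_rndc-key}"
    keyname="${2:-ns-example-com_rndc-key}"
    write_tsig_keyfile "$keyname" "$keyfile"
    check_not_world_readable "$keyfile" || { echo "$keyfile is world-readable" >&2; exit 1; }
    # Check the whole configuration when the BIND tools are installed.
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf /etc/bind/named.conf
    fi
    echo "wrote $keyfile for key $keyname"
}

# Run only when asked, e.g.:  TSIG_PROVISION=1 sh tsig-key.sh
if [ "${TSIG_PROVISION:-0}" = 1 ]; then
    main "$@"
fi
```

Run it as root with `TSIG_PROVISION=1 sh tsig-key.sh /etc/bind/ns-example-com_rndc-key ns-example-com_rndc-key`; the include line in named.conf then stays exactly as on this page. Current BIND releases also ship tsig-keygen, which prints the same kind of key statement, but it leaves the file permissions to you.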

File /etc/bind/named.conf

This file is the main configuration file for the DNS server.
// Managing acls
acl internals { 127.0.0.0/8; 192.168.0.0/24; };

// Load options
include "/etc/bind/named.conf.options";

// TSIG key used for the dynamic update
include "/etc/bind/ns-example-com_rndc-key";

// Configure the communication channel for administrative BIND9 with rndc
// By default, the key is in the rndc.key file and is used by rndc and bind9
// on the localhost
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; };
};

// prime the server with knowledge of the root servers
zone "." {
    type hint;
    file "/etc/bind/db.root";
};

include "/etc/bind/named.conf.default-zones";
include "/etc/bind/named.conf.local";

Note : with Debian Jessie the 'zone "." {...}' part is inside the file "named.conf.default-zones". You don't need
to add it in the file "named.conf".
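To check that the layout described above is actually in place, here is an added example (not part of the wiki page) in POSIX shell. It reads the include statements out of named.conf and reports the three things that break the scheme: a TSIG secret written directly into a world-readable configuration file, a key include file that is world-readable, and an include target that does not exist. It parses only the one-statement-per-line, absolute-path style shown on this page; the function names and the AUDIT_RUN switch are this example's own.

```shell
#!/bin/sh
# Added example, not from the Debian wiki page: audit a named.conf for the
# layout the page asks for. Findings: a TSIG secret written directly into a
# world-readable configuration file, a key include file that is world-readable,
# or an include target that is missing. Parses only the one-statement-per-line,
# absolute-path style shown on the page (function names and the AUDIT_RUN
# switch are this example's own).

# Print the paths named by `include "...";` statements in CONF, one per line.
list_includes() {
    sed -n 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)"[[:space:]]*;.*/\1/p' "$1"
}

# Return 0 when FILE contains a `secret "..."` statement, 1 otherwise.
has_secret() {
    [ -f "$1" ] && grep -q '^[[:space:]]*secret[[:space:]]*"' "$1"
}

# Return 0 when FILE has the "other read" bit set, 1 otherwise.
world_readable() {
    [ -n "$(find "$1" -prune -perm -004 2>/dev/null)" ]
}

# Audit CONF (default /etc/bind/named.conf). Prints one finding per line and
# returns 1 when anything was found, 0 when the layout is clean.
audit_named_conf() {
    conf="${1:-/etc/bind/named.conf}"
    if [ ! -f "$conf" ]; then
        echo "FINDING: $conf does not exist"
        return 1
    fi
    findings=$(
        # A key statement pasted into the main file exposes the secret to every local user.
        if has_secret "$conf" && world_readable "$conf"; then
            echo "FINDING: $conf holds a TSIG secret but is world-readable; move the key statement into an include file"
        fi
        list_includes "$conf" | while IFS= read -r inc; do
            if [ ! -f "$inc" ]; then
                echo "FINDING: included file $inc does not exist; named will fail to load the configuration"
            elif has_secret "$inc" && world_readable "$inc"; then
                echo "FINDING: key file $inc is world-readable; use chmod 0640 and group bind"
            fi
        done
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings"
    return 1
}

# Run directly only when asked, e.g.:  AUDIT_RUN=1 sh audit-named.sh /etc/bind/named.conf
if [ "${AUDIT_RUN:-0}" = 1 ]; then
    audit_named_conf "$@"
fi
```

The exit status makes the script usable from a configuration-management check or a cron job: a non-zero status with the findings on stdout means the key material is exposed or named will not start with this configuration.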

File /etc/bind/named.conf.default-zones

Note: as of Debian 7 "Wheezy" bind9 ships with a file containing default forward, reverse, and broadcast
zones.
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

File /etc/bind/named.conf.options

This file contains all the configuration options for the DNS server.
