Zaera Technologies

HOWTOs :: Domain Name Server (DNS)

Last modified on Friday March 4 2005 @ 11:33:29

The purpose of this howto is to set up a name server (aka DNS) for a domain you own, instead of using the ones of your domain name provider. This howto is meant to be a stripped-down version of the original hosted at http://langfeldt.net/DNS-HOWTO/ and http://www.tldp.org/HOWTO/DNS-HOWTO.html, in order to provide a step-by-step procedure on the Gentoo distribution. The reader is not expected to understand the intricate workings of the DNS in order to do what is described here; for clarification of any of the topics covered here, please refer to the original HOWTO.

Installing necessary packages

Start by logging in as root and syncing your system to make sure that we'll install the freshest packages:

    emerge sync

Now, install the 'bind' package:

    emerge bind

When it completes, it's time to configure your DNS to support the local host.

Getting your DNS up and running

For starters, you need to make sure that the /etc/bind/named.conf looks like this:

options {
	directory "/var/bind";

	// uncomment the following lines to turn on DNS forwarding,
	// and change the forwarding ip address(es) :
  
	forward first;
	forwarders {
		123.123.123.123;
		123.123.123.123;
	};
  
	listen-on-v6 { none; };
	listen-on { 127.0.0.1; };
	listen-on { 10.10.50.2; };

	// to allow only specific hosts to use the DNS server:
	//allow-query {
	//	127.0.0.1;
	//};

	// if you have problems and are behind a firewall:
	// query-source address * port 53;
	pid-file "/var/run/named/named.pid";
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "localhost" IN {
	type master;
	file "pri/localhost.zone";
	allow-update { none; };
	notify no;
};

zone "127.in-addr.arpa" IN {
	type master;
	file "pri/127.zone";
	allow-update { none; };
	notify no;
};

Please notice that the 'forwarders' and 'listen-on' sections are modified. You'll need to insert your ISP's name servers' IP addresses in 'forwarders', and your own external IP address in the second 'listen-on'.
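The 'allow-query' block that is commented out above is the setting that decides who may use this server once it listens on your external address; without it, BIND answers and recurses for any address that can reach port 53. As an added example (not from the original HOWTO, and assuming the 10.10.50.0/24 network used throughout this page), here is the same options block with queries, recursion and zone transfers restricted to the local host and the local network:

```conf
options {
	directory "/var/bind";

	forward first;
	forwarders {
		123.123.123.123;	// replace with your ISP's name servers
	};

	listen-on-v6 { none; };
	listen-on { 127.0.0.1; 10.10.50.2; };

	// only the local host and the local network (assumed 10.10.50.0/24)
	// may ask this server questions or have it recurse on their behalf
	allow-query { 127.0.0.1; 10.10.50.0/24; };
	allow-recursion { 127.0.0.1; 10.10.50.0/24; };

	// full zone copies (AXFR) only for checks run on the server itself
	allow-transfer { 127.0.0.1; };

	pid-file "/var/run/named/named.pid";
};
```

'allow-transfer' is limited to 127.0.0.1 rather than set to 'none' so that the 'dig your.domain axfr' check later in this howto keeps working from the server itself.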

Next, you'll need to make sure your /var/bind/named.ca looks like this:

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  "
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC 
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;
;       last update:    Nov 5, 2002
;       related version of root zone:   2002110501
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc. 
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129 
;
; operated by IANA
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in Japan, operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

This is the default configuration, so you shouldn't have to worry too much.

Your /etc/resolv.conf should look like this:

search your.domain
nameserver 127.0.0.1

Where you need to replace 'your.domain' with the domain you own.

Make sure your /etc/bind/rndc.conf file looks like this:

key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};

If you want to know why this file looks different from the original presented in the official DNS HOWTO, please read the note at the end of this page.

Now, we need to configure your DNS to handle reverse lookups. Reverse lookups are lookups on an IP address instead of a domain name. First, we need to look at the /etc/bind/named.conf again, and examine the following entry:

zone "127.in-addr.arpa" IN {
	type master;
	file "pri/127.zone";
	allow-update { none; };
	notify no;
};

The interesting part here is the file named in the 'file' line, pri/127.zone. This file resides in /var/bind/pri/ and should look like this:

$ORIGIN 127.in-addr.arpa.
$TTL 1W
@			1D IN SOA	ns.your.domain. hostmaster.your.domain. (
					2002081601	; serial
					3H		; refresh
					15M		; retry
					1W		; expiry
					1D )		; minimum

			1D IN NS	ns.your.domain.
*			1D IN PTR	hostname.

Here, you need to modify the your.domain and hostname parts to match your domain (e.g. myprivatedomain.com).

Please note the dots ('.') at the end of the domain names. THESE ARE ESSENTIAL FOR THE CORRECT FUNCTION OF THE DNS. DO NOT REMOVE THEM!

We should now be ready to go. Start your DNS by typing the following command:

    /etc/init.d/named start

Take a look at the system log file, and make sure that it looks something like this:

May 26 16:16:53 libertalias named[9056]: starting BIND 9.2.2 -u named -n 1
May 26 16:16:53 libertalias named[9056]: using 1 CPU
May 26 16:16:53 libertalias named[9059]: loading configuration from '/etc/bind/named.conf'
May 26 16:16:53 libertalias named[9059]: listening on IPv4 interface lo, 127.0.0.1#53
May 26 16:16:53 libertalias named[9059]: command channel listening on 127.0.0.1#953
May 26 16:16:53 libertalias named[9059]: zone 127.in-addr.arpa/IN: loaded serial 2002081601
May 26 16:16:53 libertalias named[9059]: zone localhost/IN: loaded serial 2002081601
May 26 16:16:53 libertalias named[9059]: running

Now, do a 'dig' on your localhost (the '-x' means reverse lookup):

    dig -x 127.0.0.1

The response should look something like this:

$ dig -x 127.0.0.1
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 30944
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;1.0.0.127.in-addr.arpa.                IN      PTR

;; ANSWER SECTION:
1.0.0.127.in-addr.arpa. 259200  IN      PTR     hostname.

;; AUTHORITY SECTION:
0.0.127.in-addr.arpa.   259200  IN      NS      ns.your.domain.

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Dec 23 03:02:39 2001
;; MSG SIZE  rcvd: 91

Here, the names 'hostname.' and 'ns.your.domain.' should match whatever you set in the 127.zone file. If this looks good, your DNS is now serving the correct localhost (127.0.0.1) information. The next step is to install the name server entries for your domain.

Adding your own domain

First off, we need to add a new zone information in your /etc/bind/named.conf file.

zone "your.domain" IN {
    type master;
    notify no;
    file "pri/yourdomain.zone";
};

Again, replace 'your.domain' and 'yourdomain.zone' with your domain information, and create a file under /var/bind/pri/ called yourdomain.zone (naturally you should call this file whatever matches your domain name) and populate it like this:

$TTL 3D
@       IN      SOA     ns.your.domain. hostmaster.your.domain. (
                        199802151       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D)             ; minimum, seconds
;
                NS      ns              ; Inet Address of name server
                MX      10      mail    ; Primary Mail Exchanger

localhost       A       127.0.0.1

gw              A       10.10.50.1
                MX      10 mail
                TXT     "Gateway/Router"
mygateway       CNAME   gw              ; this is an alias for the gateway


ns              A       10.10.50.2
                MX      10 mail
                TXT     "Name server"

www             A       10.10.50.3
                MX      10 mail
                TXT     "HTTPD"

mail            A       10.10.50.4
                MX      10 mail
                TXT     "MTA server"
webmail         CNAME   ns              ; alias for the mail server


;EOF

First, you must replace your.domain with your actual domain name. Next, you must replace the IP addresses used here (10.10.50.1 through 10.10.50.4) with your own IP addresses.

The most important aspect here, however, is that an MX, CNAME or SOA record should never refer to a CNAME record; they should only refer to something with an A record. In other words, your SOA field cannot refer to a CNAME field.

The following example config is therefore erroneous :

$TTL 3D
@       IN      SOA     ns.your.domain. hostmaster.your.domain. (
                        199802151       ; serial, todays date + todays serial #
                        8H              ; refresh, seconds
                        2H              ; retry, seconds
                        4W              ; expire, seconds
                        1D)             ; minimum, seconds
;
                NS      ns              ; Inet Address of name server
                MX      10      mail    ; Primary Mail Exchanger

localhost       A       127.0.0.1

myfirsthost     A       10.10.50.1
                MX      10 mail
                TXT     "name server"
ns              CNAME   myfirsthost     ; erroneous alias for the name server

Read more about this issue in the Original DNS HOWTO.
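BIND itself will tell you about this mistake only when it loads the zone, so it helps to have a check you can run on the file beforehand. The following is an added example (not from the original HOWTO and not BIND's own tooling): a small parser for the zone-file subset used on this page ($TTL, $ORIGIN, '@', blank-owner continuation lines, ';' comments and the parenthesised SOA) and a check that reports every SOA, NS or MX record whose target is a CNAME in the same zone. NS is included because that is exactly what the erroneous example above breaks. The sample zones embedded at the bottom are constructed copies of the erroneous example and of its corrected form; the function names are this example's own.

```python
"""Zone-file check: flag SOA, NS and MX records whose target is a CNAME."""
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, List[str]]          # (owner, type, rdata)
RECORD_TYPES = {"A", "AAAA", "CNAME", "NS", "MX", "SOA", "PTR", "TXT"}


def _strip_comment(line: str) -> str:
    """Drop a ';' comment, but keep ';' that sits inside quoted TXT data."""
    out, in_quotes = [], False
    for ch in line:
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == ";" and not in_quotes:
            break
        out.append(ch)
    return "".join(out)


def _logical_lines(text: str):
    """Yield one record per item, joining the lines inside '( ... )' (the SOA)."""
    buf: List[str] = []
    depth = 0
    for raw in text.splitlines():
        line = _strip_comment(raw)
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield "\n".join(buf)          # first line keeps its leading blanks
            buf, depth = [], 0


def _qualify(name: str, origin: str) -> str:
    """Make a relative name absolute, as BIND does with the current $ORIGIN."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text: str, origin: str) -> List[Record]:
    """Parse zone text; owner and target names come back fully qualified."""
    origin = origin.lower() if origin.endswith(".") else origin.lower() + "."
    records: List[Record] = []
    owner = origin
    for logical in _logical_lines(text):
        tokens = logical.replace("(", " ").replace(")", " ").split()
        if not tokens or tokens[0] == "$TTL":
            continue
        if tokens[0] == "$ORIGIN":
            origin = tokens[1].lower()
            continue
        if not logical[0].isspace():          # explicit owner on this line
            owner = _qualify(tokens[0], origin)
            tokens = tokens[1:]
        while tokens and tokens[0] not in RECORD_TYPES:   # skip TTL / class
            tokens = tokens[1:]
        if not tokens:
            continue
        rtype, rdata = tokens[0], tokens[1:]
        # Qualify the rdata fields that name another host.
        if rtype in ("NS", "CNAME", "PTR", "SOA"):
            rdata[0] = _qualify(rdata[0], origin)
        elif rtype == "MX":
            rdata[1] = _qualify(rdata[1], origin)
        records.append((owner, rtype, rdata))
    return records


def check_cname_targets(records: List[Record]) -> List[str]:
    """Return one message per SOA/NS/MX record that points at a CNAME."""
    types_by_name: Dict[str, Set[str]] = {}
    for owner, rtype, _ in records:
        types_by_name.setdefault(owner, set()).add(rtype)
    problems = []
    for owner, rtype, rdata in records:
        if rtype in ("NS", "SOA"):
            target = rdata[0]
        elif rtype == "MX":
            target = rdata[1]
        else:
            continue
        if "CNAME" in types_by_name.get(target, set()):
            problems.append(f"{owner} {rtype} -> {target}: target is a CNAME, "
                            "it needs an A record")
    return problems


# Constructed sample: the erroneous zone from this howto (ns is a CNAME).
BAD_ZONE = """\
$TTL 3D
@       IN      SOA     ns.your.domain. hostmaster.your.domain. (
                        199802151       ; serial
                        8H              ; refresh
                        2H              ; retry
                        4W              ; expire
                        1D)             ; minimum
                NS      ns
                MX      10      mail
localhost       A       127.0.0.1
myfirsthost     A       10.10.50.1
                MX      10 mail
                TXT     "name server; not a CNAME target"
ns              CNAME   myfirsthost
"""
# The corrected form: ns carries the A record itself.
GOOD_ZONE = BAD_ZONE.replace("CNAME   myfirsthost", "A       10.10.50.1")

if __name__ == "__main__":
    for label, zone in (("bad", BAD_ZONE), ("good", GOOD_ZONE)):
        print(label, check_cname_targets(parse_zone(zone, "your.domain")) or "OK")
```

Run against the erroneous zone it reports both the SOA and the NS record pointing at the CNAME 'ns.your.domain.'; against the corrected zone it reports nothing. It only flags targets that are CNAMEs inside the zone being checked, so a target that lives in another zone (or that is simply missing) is not reported.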

Now, restart your DNS by typing the following command :

    /etc/init.d/named restart

Do a 'dig' or 'host' to check your new zone config by issuing the following command:

    dig your.domain axfr

If this looks ok, we need to configure the reverse lookup for your IP addresses.

Reverse lookup for your domain

Now, we need to configure your DNS to handle reverse lookups for your domain. We've already done this for your localhost, so it's almost the same procedure. Remember, reverse lookups are lookups on an IP address instead of a domain name.

We need to look at the /etc/bind/named.conf again, and add the following entry:

zone "50.10.10.in-addr.arpa" {
    type master;
    notify no;
    file "pri/50.10.10.zone";
};

Again, you need to change the network part (50.10.10) in the zone name and file name to the corresponding network address of your own network. NOTE: the network address should be in the reverse order. This is a standard that should be followed.

Create a file under /var/bind/pri/ called 50.10.10.zone (naturally you should call this file whatever matches your domain network range) and populate it like this:

$TTL 3D
@       IN      SOA     ns.your.domain. hostmaster.your.domain. (
                        199802151   ; Serial, todays date + todays serial
                        8H          ; Refresh
                        2H          ; Retry
                        4W          ; Expire
                        1D)         ; Minimum TTL
                NS      ns.your.domain.

1               PTR     gw.your.domain.
2               PTR     ns.your.domain.
3               PTR     www.your.domain.
4               PTR     mail.your.domain.

;EOF
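The reverse-order rule above and the one-PTR-per-address layout of the file are easy to get wrong by hand, so here is an added example (not part of the original HOWTO) that derives the zone name and the PTR owner labels from the network prefix and builds the reverse zone from the hosts of the forward zone. It assumes the 10.10.50.0/24 network and the 'your.domain' name used throughout this page, and handles the two edge cases a hand-written file tends to trip over: a host outside the network (localhost) is skipped, and two hosts on one address are rejected because an address should carry a single PTR.

```python
"""Build a reverse (in-addr.arpa) zone from forward A records (added example)."""
import ipaddress
from typing import Dict, List, Tuple


def reverse_zone_name(network: str) -> str:
    """'10.10.50.0/24' -> '50.10.10.in-addr.arpa' (octet-aligned IPv4 prefixes)."""
    net = ipaddress.ip_network(network, strict=True)
    if net.version != 4 or net.prefixlen % 8:
        raise ValueError("only IPv4 networks with a /8, /16 or /24 prefix are supported")
    octets = str(net.network_address).split(".")
    prefix_octets = octets[: net.prefixlen // 8]
    # The prefix octets are written backwards, most specific first.
    return ".".join(reversed(prefix_octets)) + ".in-addr.arpa"


def ptr_label(address: str, network: str) -> str:
    """Owner label of the PTR relative to the zone: '10.10.50.1' -> '1'."""
    net = ipaddress.ip_network(network, strict=True)
    ip = ipaddress.ip_address(address)
    if net.version != 4 or ip not in net:
        raise ValueError(f"{address} is not inside the IPv4 network {network}")
    octets = str(ip).split(".")
    # The host octets, also reversed, form the label inside the reverse zone.
    return ".".join(reversed(octets[net.prefixlen // 8:]))


def ptr_records(network: str, hosts: Dict[str, str], domain: str) -> List[Tuple[str, str]]:
    """(label, fqdn) pairs for every host inside the network, sorted by address."""
    net = ipaddress.ip_network(network, strict=True)
    seen: Dict[str, str] = {}                 # address -> host name
    for name, address in hosts.items():
        if ipaddress.ip_address(address) not in net:
            continue                          # e.g. localhost 127.0.0.1
        if address in seen:
            raise ValueError(f"{address} already maps to {seen[address]}")
        seen[address] = name
    ordered = sorted(seen.items(), key=lambda kv: int(ipaddress.ip_address(kv[0])))
    return [(ptr_label(addr, network), f"{name}.{domain}.") for addr, name in ordered]


def build_reverse_zone(network: str, domain: str, hosts: Dict[str, str], serial: int) -> str:
    """Render the zone file in the layout used on this page."""
    lines = [
        "$TTL 3D",
        f"@       IN      SOA     ns.{domain}. hostmaster.{domain}. (",
        f"                        {serial}   ; Serial",
        "                        8H          ; Refresh",
        "                        2H          ; Retry",
        "                        4W          ; Expire",
        "                        1D)         ; Minimum TTL",
        f"                NS      ns.{domain}.",
        "",
    ]
    lines += [f"{label:<16}PTR     {fqdn}" for label, fqdn in ptr_records(network, hosts, domain)]
    return "\n".join(lines) + "\n"


# Constructed sample: the hosts of the forward zone in this howto.
HOSTS = {"gw": "10.10.50.1", "ns": "10.10.50.2", "www": "10.10.50.3",
         "mail": "10.10.50.4", "localhost": "127.0.0.1"}

if __name__ == "__main__":
    print(f'zone "{reverse_zone_name("10.10.50.0/24")}" {{ ... }}')
    print(build_reverse_zone("10.10.50.0/24", "your.domain", HOSTS, 199802151))
```

The zone name comes back without a trailing dot because that is how it is written in named.conf; the PTR targets carry the trailing dot because they are absolute names inside the zone file, which is also why the NS line uses 'ns.your.domain.' rather than a relative 'ns' (a relative name would expand to ns.50.10.10.in-addr.arpa).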

Now, restart your DNS by typing the following command :

    /etc/init.d/named restart

Do a 'dig' or 'host' to check your new zone config by issuing the following command:

    dig -x 10.10.50.1

If this looks ok, you now have a DNS running! Congratulations! If you encountered some problems, please refer to the official DNS HOWTO (sect. 5).

The next step is to secure your DNS. Please refer to the official DNS HOWTO (sect. 5.4).


notes

According to the official DNS HOWTO, the /etc/bind/rndc.conf file should look like this:

key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
    default-server localhost;
    default-key    rndc_key;
};

but I got an error in the /var/log/messages file that looked like this:

May 26 16:11:57 libertalias named[8926]: starting BIND 9.2.2 -u named -n 1
May 26 16:11:57 libertalias named[8926]: using 1 CPU
May 26 16:11:57 libertalias named[8928]: loading configuration from '/etc/bind/named.conf'
May 26 16:11:57 libertalias named[8928]: listening on IPv4 interface lo, 127.0.0.1#53
May 26 16:11:57 libertalias named[8928]: /etc/bind/rndc.key:6: unknown option 'options'
May 26 16:11:57 libertalias named[8928]: couldn't add command channel 127.0.0.1#953: failure
May 26 16:11:57 libertalias named[8928]: zone 127.in-addr.arpa/IN: loaded serial 2002081601
May 26 16:11:57 libertalias named[8928]: zone localhost/IN: loaded serial 2002081601
May 26 16:11:57 libertalias named[8928]: running

When I removed the options field, it started OK:

May 26 16:16:53 libertalias named[9056]: starting BIND 9.2.2 -u named -n 1
May 26 16:16:53 libertalias named[9056]: using 1 CPU
May 26 16:16:53 libertalias named[9059]: loading configuration from '/etc/bind/named.conf'
May 26 16:16:53 libertalias named[9059]: listening on IPv4 interface lo, 127.0.0.1#53
May 26 16:16:53 libertalias named[9059]: command channel listening on 127.0.0.1#953
May 26 16:16:53 libertalias named[9059]: zone 127.in-addr.arpa/IN: loaded serial 2002081601
May 26 16:16:53 libertalias named[9059]: zone localhost/IN: loaded serial 2002081601
May 26 16:16:53 libertalias named[9059]: running