https://wiki.samba.org/index.php/Setting_up_a_BIND_DNS_Server
Introduction
If you are planning to set up a Samba Active Directory (AD) domain controller (DC) using the BIND9_DLZ back end, you have to install and configure the BIND DNS server first.
The following describes how to set up a basic BIND installation that you can use as the Samba AD DC back end.
| If you are changing from the internal DNS server to a BIND9 DNS server, you will also need to read Changing_the_DNS_Back_End_of_a_Samba_AD_DC. |
Installing BIND
For a list of supported BIND versions, see Configuring the BIND9_DLZ module.
| You cannot run BIND in a changed root environment (chroot), because the BIND9_DLZ module must be able to access the Samba Active Directory (AD) database files directly. |
Package Installation
Installing BIND using the packages provided with your distribution is the recommended way. Select this installation mode for an easy installation and to automatically receive updates when they become available. For details on how to install packages, see the distribution's package manager documentation.
Make sure that your package provider compiled BIND using the following options:
- --with-gssapi=yes or --with-gssapi=/usr (or similar) for secure dynamic DNS updates using Kerberos
- --with-dlopen for dynamically loadable zones (DLZ)
| Later versions of BIND 9.9.x have the --with-dlopen option built in, so it is not shown by the following command. This happened around BIND 9.9.4. |
To list the build options:
# named -V
BIND 9.x.y built with ... '--with-dlopen=yes' '--with-gssapi=yes' ...
Compiling and Installing BIND
Use this installation mode if you are an advanced user and know how to compile software.
Downloading the Sources
Download a supported BIND version from https://www.isc.org/software/bind.
Compiling BIND
- Pass at least the following parameters to the configure command:
# ./configure --with-gssapi=/usr/include/gssapi --with-dlopen=yes
- Add further parameters, if required.
- To build and install, run:
# make
# make install
Adding a User and Group for BIND
For security reasons, do not run BIND as root user.
To create a named group using GID 25:
# groupadd -g 25 named
To create a named account with UID 25, primary group named, home directory /var/named/, and without a valid shell:
# useradd -u 25 -g named -d /var/named -M -s /sbin/nologin named
For details, see the useradd (8) and groupadd (8) man pages.
Configuring BIND
Setting up a named.conf file
To locate the directory from which BIND reads the named.conf file:
# named -V
BIND 9.x.y built with ... '--sysconfdir=/etc' ...
In the previous example, BIND reads the configuration from the /etc/named.conf file.
The following is a basic configuration file:
# Global Configuration Options
options {
    auth-nxdomain yes;
    directory "/var/named";
    notify no;
    empty-zones-enable no;

    # IP addresses and network ranges allowed to query the DNS server:
    allow-query {
        127.0.0.1;
        10.99.1.0/24;
    };

    # IP addresses and network ranges allowed to run recursive queries:
    # (Zones not served by this DNS server)
    allow-recursion {
        127.0.0.1;
        10.1.1.0/24;
    };

    # Forward queries that can not be answered from own zones
    # to these DNS servers:
    forwarders {
        8.8.8.8;
        8.8.4.4;
    };

    # Disable zone transfers
    allow-transfer {
        none;
    };
};

# Root Servers
# (Required for recursive DNS queries)
zone "." {
    type hint;
    file "named.root";
};

# localhost zone
zone "localhost" {
    type master;
    file "master/localhost.zone";
};

# 127.0.0. zone.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "master/0.0.127.zone";
};
For details about the used parameters and options, see the named.conf (5) man page.
The previous example does not contain the BIND9_DLZ configuration required for setting up a Samba AD DNS server. For details on how to set up the module, see BIND9_DLZ DNS Back End.
| You must not add the AD domain forward or reverse zones to the named.conf file; these zones are stored dynamically in AD. |
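As an added check (example code, not part of the Samba wiki page), the following Python script reads the allow-query, allow-recursion and allow-transfer statements from an options block like the one above and reports settings that would turn the server into an open resolver or let anyone dump zone data over AXFR. It understands only the flat "name { item; item; };" form used in this configuration, embeds a constructed copy of it, and needs no BIND binary, so it runs on any host.

```python
"""Audit the allow-* ACLs of a BIND named.conf options block (added example)."""
import ipaddress
import re

# Constructed copy of the options block from this page, for offline testing.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    # IP addresses and network ranges allowed to query the DNS server:
    allow-query { 127.0.0.1; 10.99.1.0/24; };
    allow-recursion { 127.0.0.1; 10.1.1.0/24; };
    forwarders { 8.8.8.8; 8.8.4.4; };
    allow-transfer { none; };
};
"""

# Only the simple "name { item; item; };" form used in the page's configuration.
ACL_RE = re.compile(r"(allow-query|allow-recursion|allow-transfer)\s*\{([^}]*)\}")


def parse_acls(conf):
    """Return {statement: [items]} for each allow-* ACL, ignoring comments."""
    text = re.sub(r"(#|//).*", "", conf)
    return {name: [i.strip() for i in body.split(";") if i.strip()]
            for name, body in ACL_RE.findall(text)}


def is_public_or_any(item):
    """True if an ACL item is the 'any' keyword or a non-private network."""
    if item == "any":
        return True
    try:
        net = ipaddress.ip_network(item, strict=False)
    except ValueError:
        return False  # 'none', 'localhost', 'localnets' or a named acl
    return not (net.is_private or net.is_loopback)


def audit_acls(conf):
    """Return findings for the options block; an empty list means it looks sane."""
    acls = parse_acls(conf)
    findings = []
    if any(is_public_or_any(i) for i in acls.get("allow-recursion", [])):
        findings.append("allow-recursion permits public clients: open resolver")
    if acls.get("allow-transfer") != ["none"]:
        findings.append("allow-transfer is not 'none': zones can be fetched by AXFR")
    if "allow-query" not in acls:
        findings.append("allow-query is missing: the server answers any client")
    return findings
```

Run audit_acls() on the contents of your real named.conf after editing it; the page's configuration produces no findings, while replacing the allow-recursion list with "any" produces an open-resolver finding.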
Downloading the DNS Root Servers List
- Download the latest list of the DNS root servers to the /var/named/named.root file:
# wget -q -O /var/named/named.root http://www.internic.net/zones/named.root
- Enable the BIND user to read the root servers list:
# chown root:named /var/named/named.root
# chmod 640 /var/named/named.root
| Optionally, set up a Cron job to automatically update the file. |
Creating the localhost Zone File
- Create the localhost forward zone in the /var/named/master/localhost.zone file:
$TTL 3D
$ORIGIN localhost.
@       1D IN SOA @ root (
                2013050101 ; serial
                8H         ; refresh
                2H         ; retry
                4W         ; expiry
                1D         ; minimum
                )
@       IN NS   @
@       IN A    127.0.0.1
- Enable the BIND user to read the zone file:
# chown named:named /var/named/master/localhost.zone
# chmod 640 /var/named/master/localhost.zone
Creating the 0.0.127.in-addr.arpa Zone File
- Create the 0.0.127.in-addr.arpa reverse zone in the /var/named/master/0.0.127.zone file:
$TTL 3D
@       IN SOA  localhost. root.localhost. (
                2013050101 ; Serial
                8H         ; Refresh
                2H         ; Retry
                4W         ; Expire
                1D         ; Minimum TTL
                )
@       IN NS   localhost.
1       IN PTR  localhost.
- Enable the BIND user to read the zone file:
# chown named:named /var/named/master/0.0.127.zone
# chmod 640 /var/named/master/0.0.127.zone
Starting the Daemon
To start the BIND daemon as the named user, run:
# named -u named
Alternatively, use your operating system tools, such as systemctl or service, to start the daemon. See your distribution's documentation for details.
| Enable the daemon to start automatically when the system boots. For details, see your distribution's documentation. |
Testing Your Zones
The following examples query the DNS service on the local machine (127.0.0.1):
To test the localhost forward zone:
# host -t A localhost 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

localhost has address 127.0.0.1
To test the 0.0.127.in-addr.arpa reverse zone:
# host -t PTR 127.0.0.1 127.0.0.1
Using domain server:
Name: 127.0.0.1
Address: 127.0.0.1#53
Aliases:

1.0.0.127.in-addr.arpa domain name pointer localhost.
Configuring the BIND9_DLZ module
For details, see BIND9_DLZ DNS Back End.