![Page 1: Module 5 BIND Configuration. named.conf – controls operational features Located - Linux: /etc/named.conf /etc/bind/named.conf Located- BSD: /usr/local/etc/named.conf](https://reader035.vdocuments.net/reader035/viewer/2022062802/56649eac5503460f94bb2b02/html5/thumbnails/1.jpg)
Module 5
BIND Configuration
BIND Configuration
named.conf controls the server's operational features.
Located - Linux: /etc/named.conf or /etc/bind/named.conf (distribution dependent)
Located - BSD: /usr/local/etc/named.conf
Located - Windows: %systemroot%\system32\dns\etc\named.conf
BIND named.conf
Contains three types of information:
- Comments
- Clauses - collections of statements
- Statements - individual statements within clauses
- Include - in-situ inclusion of a separate file (used for administration and security, e.g. keeping a TSIG key in a file that only named can read while named.conf itself stays readable)
BIND – named.conf
/* C-style comment format needs opening and closing markers
** but allows multiple lines or */
/* single lines or */
zone /* in-line comment does not terminate line */ in {
    some zone statements
};
// C++-style comments have single line format, no closing required
...some statement;  // comment ends this line
# SHELL/PERL-style comments have single lines, no closing required
some statement;  # comment ends this line
BIND – named.conf Clauses
- acl - Access Control Lists (named address match lists reused elsewhere)
- controls - remote access to the server (rndc)
- logging - controls logging features
- options - global options
- view - allows separate configurations in the same server
- zone - defines the zones that are supported
- key - defines a shared (TSIG) key used for security; typically kept in a separate file and pulled in with include
BIND - Statements
- Over 120 statements available
- Many are valid in more than one clause (for example in both options and view)
- Some are valid in only a single clause
- Pro DNS and BIND classifies them as: Transfer, Query, Operations, Security
BIND – Typical named.conf
// change log
// 1. changed by M.E. on 24th January
acl "name" {
    ...  // acl clauses if present generally come first
         // to avoid forward references
};
key "name" {
    ...  // key clauses if present must appear
         // before being referenced
};
logging {
    // requires at least a file
    // statement unless using syslog
    // order not important with BIND 9
};
options {
    // other statements (as required)
};
// zone statements including 'required' zones
zone {
    ....
};
BIND – View named.conf
options {
    // global options
    // other statements as required
};
view "first" {
    // view specific statements (options)
    // view specific zone clauses
    // including required zones
    zone { };
    .....
    zone { };
};  // end of view "first"
view "second" {
    // view specific statements (options)
    // view specific zone clauses
    // including required zones
    zone { };
    zone { };
};  // end of view "second"
A statement inside a view overrides the same statement in the global options clause for that view only. Once any view is defined, every zone clause must sit inside a view; named will not start with a zone left at the top level.
BIND – View Clause
Each view clause is matched against incoming queries using:
- match-clients (source address of the query; default any)
- match-destinations (local address the query arrived on; default any)
- match-recursive-only (only queries with the RD bit set; default no)
View clause order is important:
- Views are tested in the order in which they are defined
- The first view whose three match statements all succeed handles the query; unmatched queries fall through to the next view clause
- A query that matches no view at all is refused (REFUSED), not answered from some default
BIND – View Clause Use
- Mixed local/public IPs: an external view for public hosts, an internal view for local hosts
- Mixed services: internal caching (recursive) view, external authoritative view
- Split horizon: different IPs for the same name returned to different sources
BIND – match-clients
match-clients { address_match_element; ... };
match-clients { 10.0.0.0/8; 172.16.0.0/16; !192.168.0.0/16; };
Host bits in a prefix must be zero (10.0.0.0/8, not 10.2.3.0/8); named-checkconf reports an address/prefix length mismatch otherwise. Elements are tested in order and the first match decides, so a negated element only has effect when it precedes a broader positive element, and a list containing nothing but negated elements matches nobody.
BIND – match-destinations
match-destinations { address_match_element; ... };
match-destinations { 192.168.0.3; };
Matches on the local address the query arrived at, so one server with several addresses can present a different view on each address.
BIND – match-recursive-only
match-recursive-only ( yes | no );
match-recursive-only yes;
Only queries with the recursion-desired (RD) bit set match the view; iterative queries fall through to the next view.
BIND – Match combined
// named.conf fragment
view "recursive-external" {
    // exclude one local subnet, accept everybody else.
    // a list with only negated elements matches nobody,
    // so the trailing "any" is required
    match-clients { !10.2.3.0/24; any; };
    match-recursive-only yes;
    // other view statements
    zone "example.com" in {
        ....
    };
};
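The view-selection rules above (first matching view wins, address lists evaluated first-match, a list of only negated elements matches nobody, no matching view means REFUSED) can be checked without a running named. The following simulator is an added example, not code from the slides or from ISC; the interface addresses it uses for the built-in localhost and localnets ACLs are constructed, and it models only plain prefixes and the built-in ACL names, not nested lists or TSIG key elements.

```python
"""Simulate how BIND 9 picks a view for a query.

Added example: models the slide's semantics (first matching view wins, address
lists are first-match, a query matching no view is refused). Interface
addresses below are constructed for the built-in localhost/localnets ACLs.
"""
import ipaddress
from dataclasses import dataclass, field

# BIND's "localhost" ACL is every address on the host's interfaces (not only
# 127.0.0.1); "localnets" is every network the host has an interface on.
HOST_ADDRS = [ipaddress.ip_address(a) for a in ("127.0.0.1", "192.168.2.1", "203.0.113.10")]
HOST_NETS = [ipaddress.ip_network(n) for n in ("127.0.0.0/8", "192.168.2.0/24", "203.0.113.0/24")]


def parse_prefix(text):
    """Strict parse, like named: host bits must be zero, so '10.2.3.0/8'
    raises ValueError (named-checkconf: address/prefix length mismatch)."""
    return ipaddress.ip_network(text, strict=True)


def element_matches(element, addr):
    """One address_match_element (already stripped of any leading '!')."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element == "localhost":
        return addr in HOST_ADDRS
    if element == "localnets":
        return any(addr in net for net in HOST_NETS)
    return addr in parse_prefix(element)


def acl_matches(acl, addr):
    """BIND address_match_list semantics: elements are tested in order and the
    first element that matches decides; a negated element that matches means
    'no match'; a list in which nothing matches also means 'no match'."""
    addr = ipaddress.ip_address(addr)
    for element in acl:
        negated = element.startswith("!")
        if element_matches(element.lstrip("!").strip(), addr):
            return not negated
    return False


@dataclass
class View:
    name: str
    match_clients: list = field(default_factory=lambda: ["any"])       # default any
    match_destinations: list = field(default_factory=lambda: ["any"])  # default any
    match_recursive_only: bool = False                                 # default no


def select_view(views, client, destination, rd):
    """Name of the first view all three match statements accept, or
    'REFUSED': named refuses a query that matches no view."""
    for view in views:
        if not acl_matches(view.match_clients, client):
            continue
        if not acl_matches(view.match_destinations, destination):
            continue
        if view.match_recursive_only and not rd:
            continue
        return view.name
    return "REFUSED"


# The fragment as originally written: a list with only a negated element matches nobody.
AS_WRITTEN = [View("recursive-external", match_clients=["!10.2.3.0/24"], match_recursive_only=True)]

# Corrected: an internal view first, then exclude one subnet and accept everyone else.
CORRECTED = [
    View("internal", match_clients=["192.168.2.0/24"]),
    View("recursive-external", match_clients=["!10.2.3.0/24", "any"], match_recursive_only=True),
]

if __name__ == "__main__":
    for views, label in ((AS_WRITTEN, "as written"), (CORRECTED, "corrected")):
        for client, rd in (("203.0.113.5", True), ("203.0.113.5", False), ("10.2.3.4", True), ("192.168.2.7", False)):
            chosen = select_view(views, client, "203.0.113.10", rd)
            print(f"{label:10} client={client:13} rd={rd!s:5} -> {chosen}")
```

Run it and every query against the as-written view comes back REFUSED; against the corrected list, the external recursive client lands in recursive-external, the same client without RD set is refused, and the excluded 10.2.3.0/24 host is refused even with RD set.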
BIND Logging
- By default named logs to syslog (daemon facility) or the Windows event log
- The logging clause is very powerful (and complex!)
- channel: where output goes (single or multiple files, syslog, stderr or null)
- category: which type of messages goes to which channel(s)
- severity: the least important message a channel will accept
BIND Logging Clause
logging {
    [ channel channel_name {
        ( file path_name [ versions ( number | unlimited ) ] [ size size_spec ]
          | syslog syslog_facility
          | stderr
          | null );
        [ severity ( critical | error | warning | notice | info | debug [ level ] | dynamic ); ]
        [ print-category yes | no; ]
        [ print-severity yes | no; ]
        [ print-time yes | no; ]
    }; ]
    [ category category_name {
        channel_name; [ channel_name; ... ]
    }; ]
    ...
};
BIND Logging Example
// log to /var/log/named/example.log all events from info UP in severity (no debug)
// uses 3 files in rotation, swaps files when size reaches 250K
// failure messages up to this point are in (syslog) /var/log/messages
logging {
    channel example_log {
        file "/var/log/named/example.log" versions 3 size 250k;
        severity info;
    };
    category default { example_log; };
};
A file channel does not stamp lines by default: set print-time yes (and print-category yes / print-severity yes) on the channel, otherwise the file holds bare messages that are hard to correlate during an incident.
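With print-time, print-category and print-severity enabled, each line a file channel writes looks like `13-Jun-2022 10:15:02.410 security: info: <message>`. The script below is an added example, not from the slides or from ISC: it parses that format, applies the channel's severity threshold the way `severity info;` does, and pulls out the `query (cache) ... denied` messages that appear in the security category once recursion is restricted to local clients. The sample lines are constructed in named's format with documentation-range addresses.

```python
"""Parse lines from a BIND file channel (print-time/category/severity on),
apply a channel severity threshold, and count refused cache queries per client.

Added example, not ISC code; SAMPLE_LOG is constructed.
"""
import re
from collections import Counter

# BIND severities, most to least important; "severity info" keeps info and
# everything above it and drops debug.
SEVERITIES = ["critical", "error", "warning", "notice", "info", "debug"]

LINE_RE = re.compile(
    r"^(?P<time>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) "
    r"(?P<category>[\w-]+): "
    r"(?P<severity>critical|error|warning|notice|info|debug)(?: (?P<level>\d+))?: "
    r"(?P<message>.*)$"
)

# "client @0x... 203.0.113.5#4711 (example.com): query (cache) 'example.com/A/IN' denied"
# (the @0x... client pointer is present in BIND 9.11 and later)
DENIED_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9A-Fa-f.:]+)#\d+ \((?P<qname>[^)]*)\): "
    r"query \(cache\) '(?P<query>[^']+)' denied"
)

SAMPLE_LOG = """\
13-Jun-2022 10:15:02.123 general: info: zone example.com/IN: loaded serial 2022061301
13-Jun-2022 10:15:02.410 security: info: client @0x7f8a5c0b8e90 203.0.113.5#4711 (example.com): query (cache) 'example.com/A/IN' denied
13-Jun-2022 10:15:03.001 security: info: client @0x7f8a5c0b8e90 203.0.113.5#4712 (isc.org): query (cache) 'isc.org/ANY/IN' denied
13-Jun-2022 10:15:04.777 security: info: client @0x7f8a5c0c1230 198.51.100.9#53011 (example.net): query (cache) 'example.net/MX/IN' denied
13-Jun-2022 10:15:05.000 database: debug 3: dns_adb: adb 0x7f8a5c0d0010: shutting down
13-Jun-2022 10:15:06.500 general: warning: checkhints: b.root-servers.net/A (199.9.14.201) missing from hints
"""


def parse_line(line):
    """Split one log line into its fields; None if it is not in the expected format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["level"] = int(rec["level"]) if rec["level"] else None
    return rec


def channel_accepts(channel_severity, message_severity):
    """True if a channel configured with 'severity <channel_severity>' keeps a
    message of <message_severity> (lower index = more important)."""
    return SEVERITIES.index(message_severity) <= SEVERITIES.index(channel_severity)


def filter_for_channel(lines, channel_severity):
    """The subset of lines a channel with the given severity would record."""
    kept = []
    for line in lines:
        rec = parse_line(line)
        if rec and channel_accepts(channel_severity, rec["severity"]):
            kept.append(line)
    return kept


def denied_recursion_by_client(lines):
    """Count refused cache queries per source address: after the resolver is
    closed, these are the clients (or spoofed sources) still trying to recurse."""
    counts = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["category"] != "security":
            continue
        m = DENIED_RE.search(rec["message"])
        if m:
            counts[m.group("client")] += 1
    return counts


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print(f"{len(filter_for_channel(lines, 'info'))} of {len(lines)} lines pass 'severity info'")
    for client, n in denied_recursion_by_client(lines).most_common():
        print(f"{client:15} {n} denied recursive queries")
```

A spike in denied counts from a single address right after you close the resolver is normal (clients that were using you as an open resolver); a spike from many spoofed addresses is the reflection traffic the next slides warn about.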
BIND – zone Clause
Defines the zones to be supported:
- Authoritative zones
- Root-server zone (hints)
- Special zones:
  - Loopback address (forward and reverse)
  - Local IPs (RFC 1918 reverse map)
  - IPv4/IPv6 as required
BIND – Required zones
Caching DNS:
- Root-servers (hints)
- Loopback (forward/reverse)
- Local IPs (IPv4/IPv6 reverse maps)
Authoritative DNS:
- Zones supported
- Loopback (forward/reverse)
An authoritative-only server (recursion no) never has to find the root, so it needs no hints zone.
BIND – caching zones
// required zone for recursive queries
zone "." {
    type hint;
    file "root.servers";
};
// required local host domain
zone "localhost" in {
    type master;
    file "master.localhost";
    allow-update { none; };
};
// localhost reverse map
zone "0.0.127.IN-ADDR.ARPA" in {
    type master;
    file "localhost.rev";
};
// reverse map for local address at example.com
// uses 192.168.254.0 for illustration
zone "254.168.192.IN-ADDR.ARPA" in {
    type master;
    file "view/192.168.254.rev.internal";
};
Current BIND 9 releases carry compiled-in root hints and, unless empty-zones-enable is turned off, serve 127.in-addr.arpa and the RFC 1918 reverse ranges as built-in empty zones (NXDOMAIN for everything) when you do not define them; a zone you define yourself, with real PTR records, is what answers instead. Newer releases also accept type primary as a synonym for type master.
BIND – Authoritative zones
// required zone for authoritative queries
zone "example.com" {
    type master;
    // private zone files including local hosts
    file "master.example.com";
    allow-update { none; };
};
// required local host domain
zone "localhost" in {
    type master;
    file "master.localhost";
    allow-update { none; };
};
// localhost reverse map
zone "0.0.127.IN-ADDR.ARPA" in {
    type master;
    file "localhost.rev";
    allow-update { none; };
};
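The reverse-map zones above follow a mechanical rule: reverse the address labels that fall inside the prefix and append in-addr.arpa (or, per nibble, ip6.arpa). The script below, an added example rather than code from the slides or from ISC, derives the zone apex for any octet- or nibble-aligned prefix, emits the zone clause in the form the slides use, and lists the full set of RFC 1918 reverse zones a caching server should answer locally rather than leak to the root servers. The zone file names it prints are an assumed convention.

```python
"""Derive in-addr.arpa / ip6.arpa zone names and the matching zone clauses.

Added example, not ISC code; the file naming convention is assumed.
"""
import ipaddress


def reverse_zone_name(cidr):
    """Zone apex for a prefix on an octet (IPv4) or nibble (IPv6) boundary:
    192.168.254.0/24 -> 254.168.192.in-addr.arpa, 2001:db8::/32 -> 8.b.d.0.1.0.0.2.ip6.arpa.
    A prefix such as 172.16.0.0/12 is not one zone: it needs sixteen /16 zones,
    and prefixes longer than /24 need RFC 2317 style delegation instead."""
    net = ipaddress.ip_network(cidr, strict=True)   # host bits must be zero
    bits_per_label = 8 if net.version == 4 else 4
    total_labels = 4 if net.version == 4 else 32
    if net.prefixlen % bits_per_label:
        raise ValueError(f"{cidr}: prefix length is not a multiple of {bits_per_label}")
    # reverse_pointer gives the full per-address name; keep only the labels the prefix covers
    labels = net.network_address.reverse_pointer.split(".")
    keep = net.prefixlen // bits_per_label
    return ".".join(labels[total_labels - keep:])


def zone_clause(cidr, zone_file):
    """named.conf zone clause for a reverse map, in the form used on the slides."""
    return (
        f'zone "{reverse_zone_name(cidr)}" in {{\n'
        f'    type master;\n'
        f'    file "{zone_file}";\n'
        f'    allow-update {{ none; }};\n'
        f'}};'
    )


def rfc1918_reverse_zones():
    """Every reverse zone covering RFC 1918 space: 10/8, 172.16/12 (as 16 x /16), 192.168/16."""
    zones = [reverse_zone_name("10.0.0.0/8")]
    zones += [reverse_zone_name(f"172.{second}.0.0/16") for second in range(16, 32)]
    zones.append(reverse_zone_name("192.168.0.0/16"))
    return zones


if __name__ == "__main__":
    print(zone_clause("192.168.254.0/24", "192.168.254.rev"))
    print(zone_clause("2001:db8::/32", "2001.db8.rev"))
    for name in rfc1918_reverse_zones():
        print(name)
```

This is also the answer to the quiz question on RFC 1918 reverse maps: nobody on the Internet is authoritative for private space, so without a local zone every PTR lookup for a 192.168.x.y address leaves your network as a query to the root (or AS112) servers and comes back NXDOMAIN after a round trip.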
BIND – Close the Resolver
Open caching DNS (resolver):
- Answers recursive queries from anyone on the Internet, so it can be abused as a reflector/amplifier in DDoS attacks
- BIND defaults to recursion yes;
Closed caching DNS (resolver):
- Limit the IPs allowed to recurse: allow-recursion { x.x.x.x; };
- From BIND 9.4, if no limits are set, allow-recursion and allow-query-cache default to { localnets; localhost; }
- That default is only used when none of the three is set: an unset allow-recursion falls back to allow-query-cache, then to allow-query, so allow-query { any; } on a server that is still recursive quietly reopens it
Do not rely on the implicit default: state recursion and allow-recursion explicitly.
BIND - OPEN Resolvers
BIND Closed Resolver
# Authoritative only
# inhibit all recursion
recursion no;

# Any resolver (caching) function
recursion yes;   // default!
# use an appropriate local address scope statement
# to limit recursion requests to local users
allow-recursion { 192.168.2.0/24; };   // change IPs as required

# OR if the DNS server's IPs and netmasks cover the whole
# local network you can use:
allow-recursion { localnets; };

# OR on a personal system, hard-limit the addresses named listens on
listen-on { 127.0.0.1; };
listen-on-v6 { ::1; };
# OR
allow-recursion { localhost; };
# note: the built-in localhost ACL is every address on the host's
# interfaces, not just the loopback address, so listen-on { localhost; }
# still listens on all interfaces; use 127.0.0.1 and ::1 explicitly
# when the intent is loopback only
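Whether a configuration is actually closed depends on the inheritance chain described on the previous slide (allow-recursion, else allow-query-cache, else allow-query, else the built-in localnets/localhost), which is easy to get wrong by hand. The audit script below is an added example, not code from the slides or from ISC: it extracts the global options clause from a named.conf text, works out which statement ends up governing recursion, and flags the server as open when recursion is on and that list admits everyone. The three configurations are constructed; the parser handles one level of braces, so nested address lists and per-view overrides are out of its scope.

```python
"""Audit the options clause of a named.conf for an open resolver.

Added example, not ISC code. Models named's defaults: recursion yes, and an
unset allow-recursion derived from allow-query-cache, then allow-query, then
the built-in { localnets; localhost; }. Sample configurations are constructed.
"""
import re

COMMENT_RE = re.compile(r"/\*.*?\*/|//[^\n]*|#[^\n]*", re.S)
STMT_RE = re.compile(r"([\w-]+)\s+(?:port\s+\d+\s+)?(\{[^}]*\}|[^;{]+);")
ACL_CHAIN = ("allow-recursion", "allow-query-cache", "allow-query")
OPEN_ELEMENTS = {"any", "0.0.0.0/0", "::/0", "0/0"}


def options_block(text):
    """Body of the global options clause, brace-matched, comments removed."""
    text = COMMENT_RE.sub("", text)
    start = re.search(r"\boptions\s*\{", text)
    if not start:
        return ""
    depth, i = 1, start.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start.end():i - 1]


def parse_options(text):
    """Map each statement in options {} to a string or, for address lists, a list."""
    opts = {}
    for name, value in STMT_RE.findall(options_block(text)):
        value = value.strip()
        if value.startswith("{"):
            opts[name] = [v.strip().strip('"') for v in value[1:-1].split(";") if v.strip()]
        else:
            opts[name] = value.strip('"')
    return opts


def audit(text):
    """Work out who may recurse through this server and whether that is 'everyone'."""
    opts = parse_options(text)
    recursion = opts.get("recursion", "yes")                  # named's default
    source = next((k for k in ACL_CHAIN if k in opts), "built-in default")
    acl = opts[source] if source in opts else ["localnets", "localhost"]
    positive = [e for e in acl if not e.startswith("!")]       # negated entries never widen access
    is_open = recursion == "yes" and any(e in OPEN_ELEMENTS for e in positive)
    return {"recursion": recursion, "source": source, "acl": acl, "open": is_open}


# Constructed: authoritative server whose admin widened allow-query and never turned recursion off.
OPEN_CONF = """
options {
    directory "/var/named";
    allow-query { any; };   // inherited by allow-recursion: open resolver
};
zone "example.com" in { type master; file "master.example.com"; };
"""

# Constructed: caching server closed to the LAN, every limit stated explicitly.
CLOSED_CONF = """
options {
    directory "/var/named";
    recursion yes;
    allow-recursion { 192.168.2.0/24; localhost; };
    allow-query-cache { 192.168.2.0/24; localhost; };
    listen-on { 192.168.2.1; 127.0.0.1; };
};
"""

# Constructed: authoritative only, world-queryable but never recursive.
AUTH_ONLY_CONF = 'options { recursion no; allow-query { any; }; };'

if __name__ == "__main__":
    for label, conf in (("open", OPEN_CONF), ("closed", CLOSED_CONF), ("auth-only", AUTH_ONLY_CONF)):
        r = audit(conf)
        print(f"{label:10} recursion={r['recursion']:3} recursers={r['acl']} (from {r['source']}) OPEN={r['open']}")
```

Treat the script as a first pass over a config you are reviewing, then confirm with named-checkconf -p (which prints the configuration as named understood it) and an external recursion probe from a host outside your networks.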
Quick Quiz
- BIND's configuration file name?
- One path to this file on Linux?
- Name two types of clauses?
- What is the view clause used for?
- One BIND statement used to control view clauses?
- Is the hints file necessary for an authoritative-only DNS?
- Why do you need a reverse map for RFC 1918 IPs?
Configure BIND9 on PC
- Check IP address (command prompt -> ipconfig)
- From directory module-5-config copy
    named.conf.win-cache
    root.servers
    master.localhost
    localhost.rev
  to c:\windows\sysWOW64\dns\etc
- Rename named.conf.win-cache to named.conf
- Check the syntax before starting: named-checkconf named.conf
- Stop the MS DNS client, then start the ISC BIND service
http://zytrax.com/books/dns/ch5/win2k.html
Configure BIND9 on *nix
- Check IP address (command prompt -> ifconfig, or ip addr on current Linux)
- From directory module-5-config copy
    named.conf.unix-cache
    root.servers
    master.localhost
    localhost.rev
    192.168.192.rev
  to /etc or /usr/local/etc as appropriate
- Edit named.conf.unix-cache as required
- Rename named.conf.unix-cache to named.conf
- Check the syntax before starting: named-checkconf named.conf
- Start BIND9 (service named start, or systemctl start named on systemd systems)
http://zytrax.com/books/dns/ch5
Exercise – BIND Configuration
- Save zone file master.example.com as master.example.net
- Change all necessary names
- Add a second MX server with lower priority (a higher MX preference value than the existing one) using mail1.example.net
- Add an address record for mail1.example.net (IP 192.168.2.0)
- Add zone example.net to named.conf
- Check your work: named-checkzone example.net master.example.net, then named-checkconf