BIND

From Gentoo Wiki

BIND, or the Berkeley Internet Name Daemon, is a popular free software DNS server, and also one of the most frequently used name servers on the Internet.

With BIND, users can set up a name server to manage their own DNS records, to cache DNS, or to act as a slave DNS server. The software supports DNSSEC, which adds cryptographic signatures to DNS records so that the integrity and ownership of the records can be authenticated natively.

Installation

BIND is offered through the net-dns/bind package. As with most packages, it is good practice to check the USE flags before emerging. Since BIND is popular name server software, it is also a popular target for hackers and malicious groups. It is wise to configure BIND securely, which includes building in support only for features that will actually be used. If a feature will not be used, reduce the attack surface by disabling it.

USE flags

USE flags for net-dns/bind (BIND - Berkeley Internet Name Domain - Name Server)

Flag          Description                                                                                          Scope
dlz           Enables dynamic loaded zones, 3rd party extension                                                    local
dnsrps        Enable the DNS Response Policy Service (DNSRPS) API, a mechanism to allow an external response policy provider  local
dnstap        Enables dnstap packet logging                                                                        local
fixed-rrset   Enables fixed rrset-order option                                                                     local
gost          Enables gost OpenSSL engine support                                                                  local
gssapi        Enable gssapi support                                                                                local
idn           Enable support for Internationalized Domain Names                                                    global
json          Enable JSON statistics channel                                                                       local
ldap          Add LDAP support (Lightweight Directory Access Protocol)                                             global
libidn2       Enables IDN support using net-dns/libidn2 rather than using net-dns/idnkit                           local
lmdb          Enable LMDB support to store configuration for 'addzone' zones                                       local
mysql         Add mySQL Database support                                                                           global
python        Add optional support/bindings for the Python language                                                global
rpz           Enable response policy rewriting (rpz)                                                               local
static-libs   Build static versions of dynamic libraries as well                                                   global
urandom       Use /dev/urandom instead of /dev/random                                                              local

Emerge

root #emerge --ask net-dns/bind

Additional software

Bind-tools

USE flags for net-dns/bind-tools (bind tools: dig, nslookup, host, nsupdate, dnssec-keygen)

Flag          Description                                                                                          Scope
gost          Enables gost OpenSSL engine support                                                                  local
gssapi        Enable gssapi support                                                                                local
idn           Enable support for Internationalized Domain Names                                                    global
libedit       Use the libedit library (replacement for readline)                                                   global
libidn2       Enables IDN support using net-dns/libidn2 rather than using net-dns/idnkit                           local
readline      Enable support for libreadline, a GNU line-editing library that almost everyone wants                global
urandom       Use /dev/urandom instead of /dev/random                                                              local

Install:

root #emerge --ask net-dns/bind-tools

Configuration

Service

OpenRC

To have BIND start automatically at system boot:

root #rc-update add named default

To start the service now:

root #rc-service named start

Most management of BIND is done through its rndc command, although the /etc/init.d/named (OpenRC) init script can also be passed the following arguments, in addition to the typical start/stop/restart routines:

checkconfig
Validates the configuration file /etc/bind/named.conf for correct syntax.
checkzones
Validates the zone files for correct syntax.
reload
Reloads the zone files without restarting the named daemon itself.

For example:

root #rc-service named reload

Chroots

Systems that will be using BIND in a chrooted environment should set the CHROOT variable in /etc/conf.d/named accordingly. Check the comments in that file as well, as they explain how to create the chrooted environment automatically using emerge --config.

Recipes

Easy caching DNS

root #echo 'dns_servers="127.0.0.1"' >> /etc/conf.d/net

As root, edit /etc/bind/named.conf and add an internet service provider's DNS servers where the x.x.x.x placeholders are. The forwarders block belongs inside the options { ... } block of the file.

FILE /etc/bind/named.conf
	forwarders {
		x.x.x.x;	// Your ISP NS
		x.x.x.x;	// Your ISP NS
		4.2.2.1;	// Level3 Public DNS
		4.2.2.2;	// Level3 Public DNS
		8.8.4.4;	// Google Open DNS
		8.8.8.8;	// Google Open DNS
	};

Restart the service and confirm that lookups resolve:

root #rc-service named restart
user $dig google.com
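A fuller options block for the caching recipe above, as an added example that is not the wiki's own file: it keeps the forwarders but also restricts which clients may query and recurse, so the cache does not become an open resolver that anyone on the Internet can use. The "trusted" ACL, the LAN addresses and the directory path are assumptions; keep whatever your existing named.conf already sets for directory.

```conf
// Hardened caching-only resolver (added example, not the wiki's own file).
// The ACL ranges, LAN address and directory path are assumptions; adjust them.

acl "trusted" {
	127.0.0.0/8;
	::1/128;
	192.168.1.0/24;		// constructed example LAN, replace with yours
};

options {
	directory "/var/bind";		// assumed; keep the value your file already uses

	// Only answer on loopback and the LAN interface, not on every address
	listen-on { 127.0.0.1; 192.168.1.1; };	// 192.168.1.1 is a constructed LAN address
	listen-on-v6 { ::1; };

	// A caching resolver must recurse, but only for trusted clients.
	// Recursion open to the whole Internet is what makes a resolver abusable.
	recursion yes;
	allow-query { trusted; };
	allow-recursion { trusted; };
	allow-query-cache { trusted; };

	// Hand every lookup to the upstream resolvers listed here;
	// "forward only" means named never walks the tree from the root itself.
	forward only;
	forwarders {
		x.x.x.x;		// Your ISP NS (placeholder, as in the recipe above)
		8.8.8.8;		// Google Open DNS
		8.8.4.4;		// Google Open DNS
	};

	// Validate DNSSEC signatures using the built-in trust anchor
	dnssec-validation auto;

	// Do not reveal the exact BIND version to version.bind queries
	version "none";
};
```

Run rc-service named checkconfig after editing so a syntax error is caught before the restart, and verify from a host outside the trusted ranges that queries are refused.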
