BIND

From Gentoo Wiki

BIND, or the Berkeley Internet Name Daemon, is a popular free software DNS server, and also one of the most frequently used name servers on the Internet.

With BIND, users are able to set up a name server for managing their own DNS records, for caching DNS, or acting as a slave DNS server. The software supports DNSSEC which provides cryptographic signatures on the DNS records as a means to natively authenticate the integrity and ownership of the records.

Installation

BIND is offered through the net-dns/bind package. As with most packages, it is good practice to check the USE flags before emerging. Since BIND is a popular name server, it is also a popular target for attackers. It is wise to configure BIND securely, which includes building in support only for features that will actually be used. If a feature will not be used, reduce the attack surface by disabling it.

USE flags

USE flags for net-dns/bind Berkeley Internet Name Domain - Name Server

berkdb Add support for sys-libs/db (Berkeley DB for MySQL)
caps Use Linux capabilities library to control privilege
dlz Enables dynamic loaded zones, 3rd party extension
dnsrps Enable the DNS Response Policy Service (DNSRPS) API, a mechanism to allow an external response policy provider
dnstap Enables dnstap packet logging
doc Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
fixed-rrset Enables fixed rrset-order option
geoip Add geoip support for country and city lookup based on IPs
gssapi Enable gssapi support
json Enable JSON statistics channel
ldap Add LDAP support (Lightweight Directory Access Protocol)
libressl Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)
lmdb Enable LMDB support to store configuration for 'addzone' zones
mysql Add mySQL Database support
odbc Add ODBC Support (Open DataBase Connectivity)
postgres Add support for the postgresql database
python Add optional support/bindings for the Python language
selinux !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
static-libs Build static versions of dynamic libraries as well
urandom Use /dev/urandom instead of /dev/random
xml Add support for XML files
zlib Add support for zlib (de)compression

Emerge

root #emerge --ask net-dns/bind

Additional software

Bind-tools

USE flags for bind-tools:

USE flags for net-dns/bind-tools bind tools: dig, nslookup, host, nsupdate, dnssec-keygen

caps Use Linux capabilities library to control privilege
doc Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
gssapi Enable gssapi support
idn Enable support for Internationalized Domain Names
ipv6 Add support for IP version 6
libedit Use the libedit library (replacement for readline)
libressl Use dev-libs/libressl instead of dev-libs/openssl when applicable (see also the ssl useflag)
readline Enable support for libreadline, a GNU line-editing library that almost everyone wants
xml Add support for XML files

Install:

root #emerge --ask net-dns/bind-tools

Configuration

Service

OpenRC

To have BIND start automatically at system boot:

root #rc-update add named default

To start the service now:

root #rc-service named start

Most management of BIND is done through its rndc command, although the /etc/init.d/named (OpenRC) init script can be passed the following arguments in addition to the usual start/stop/restart routines:

checkconfig
	Validates the configuration file /etc/bind/named.conf for correct syntax.
checkzones
	Validates the zone files for correct syntax.
reload
	Reloads the zone files without restarting the named daemon itself.

For example:

root #rc-service named reload

Chroots

Systems that will run BIND in a chrooted environment should set the CHROOT variable in /etc/conf.d/named accordingly. Check the comments in that file as well, as they explain how to create the chrooted environment automatically using emerge --config.

Recipes

Easy caching DNS

root #echo 'dns_servers="127.0.0.1"' >> /etc/conf.d/net

As root, edit /etc/bind/named.conf and add the internet service provider's DNS servers where the x.x.x.x placeholders are.

FILE /etc/bind/named.conf
forwarders {
	x.x.x.x;	// Your ISP NS
	x.x.x.x;	// Your ISP NS
	4.2.2.1;	// Level3 Public DNS
	4.2.2.2;	// Level3 Public DNS
	8.8.4.4;	// Google Open DNS
	8.8.8.8;	// Google Open DNS
};

root #rc-service named restart

user $dig google.com
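The recipe above turns named into a forwarding resolver for the local machine, so the configuration should also make sure nobody else can use it. The following is an added example, not part of the Gentoo wiki page or of BIND itself: a small audit that strips named.conf comments, locates the options block (named.conf requires forwarders to sit inside options or a zone statement, an assumption the constructed samples follow) and reports when recursion is enabled without an explicit allow-recursion ACL or when listen-on is unset. The hardened sample adds listen-on and allow-recursion limited to loopback, which is the usual setting for a caching resolver that only serves 127.0.0.1.

```python
import re

# Constructed sample: the wiki's forwarders recipe placed inside options{}.
RECIPE = """
options {
    directory "/var/bind";
    recursion yes;
    forwarders {
        4.2.2.1;        // Level3 Public DNS
        8.8.8.8;        // Google Open DNS
    };
};
"""

# Constructed sample: the same resolver restricted to the local host.
HARDENED = """
options {
    directory "/var/bind";
    listen-on { 127.0.0.1; };
    listen-on-v6 { ::1; };
    recursion yes;
    allow-query { 127.0.0.1; ::1; };
    allow-recursion { 127.0.0.1; ::1; };
    forwarders { 4.2.2.1; 8.8.8.8; };
};
"""

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def options_block(text):
    """Return the body of the options { ... } statement, or '' if absent."""
    m = re.search(r"\boptions\s*\{", text)
    if not m:
        return ""
    depth, start, i = 1, m.end(), m.end()
    while i < len(text) and depth:
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[start:i - 1] if depth == 0 else ""

def setting(body, name):
    """Value of a top-level `name value;` or `name { ... };` substatement, or None."""
    pat = r"(?<![\w-])" + re.escape(name) + r"\s+([^;{]*|\{[^}]*\})\s*;"
    m = re.search(pat, body)
    return m.group(1).strip() if m else None

def acl_members(value):
    """Split an address-match list like `{ 127.0.0.1; ::1; }` into its entries."""
    return [v.strip() for v in value.strip("{} \n").split(";") if v.strip()]

def audit(conf):
    """Return findings for a caching/forwarding resolver; an empty list means clean."""
    body = options_block(strip_comments(conf))
    if not body:
        return ["no options block: forwarders outside options{} is a syntax error"]
    findings = []
    if (setting(body, "recursion") or "yes").lower() == "yes":
        allow = setting(body, "allow-recursion")
        if allow is None:
            findings.append("recursion enabled without an explicit allow-recursion ACL")
        elif "any" in acl_members(allow):
            findings.append("allow-recursion includes any: open resolver")
    if setting(body, "listen-on") is None:
        findings.append("listen-on unset: named listens on every IPv4 interface")
    return findings
```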

See also

External resources