BIND

From Gentoo Wiki

BIND, or the Berkeley Internet Name Domain, is a popular free software DNS server, and also one of the most frequently used name servers on the Internet.

With BIND, users can set up a name server to manage their own DNS records, act as a caching resolver, or act as a slave DNS server. The software natively supports DNSSEC, which provides cryptographic signatures on DNS records as a means to authenticate the integrity and ownership of those records.

Installing BIND

BIND is offered through the net-dns/bind package. Please check the USE flags before installing. As BIND is a popular name server, it is also a popular target for hackers and malicious groups, so it is wise to configure BIND securely, which includes building in support only for those features you are actually planning to use.

Use Flags

USE flags for net-dns/bind (BIND - Berkeley Internet Name Domain - Name Server)

  • berkdb (global): Add support for sys-libs/db (Berkeley DB for MySQL)
  • caps (global): Use Linux capabilities library to control privilege
  • dlz (local): Enables dynamically loaded zones, 3rd party extension
  • doc (global): Add extra documentation (API, Javadoc, etc.). It is recommended to enable per package instead of globally
  • fetchlimit (local): Recursive fetch limits for DoS attack mitigation
  • filter-aaaa (local): Enable filtering of AAAA records over IPv4
  • fixed-rrset (local): Enables fixed rrset-order option
  • geoip (global): Add GeoIP support for country and city lookup based on IPs
  • gost (local): Enables GOST OpenSSL engine support
  • gssapi (local): Enable GSSAPI support
  • idn (global): Enable support for Internationalized Domain Names
  • ipv6 (global): Add support for IP version 6
  • json (local): Enable JSON statistics channel
  • ldap (global): Add LDAP support (Lightweight Directory Access Protocol)
  • libressl (global): Use dev-libs/libressl as SSL provider (might need ssl USE flag); packages should not depend on this USE flag
  • mysql (global): Add MySQL database support
  • nslint (local): Build and install the nslint util
  • odbc (global): Add ODBC support (Open DataBase Connectivity)
  • postgres (global): Add support for the PostgreSQL database
  • python (global): Add optional support/bindings for the Python language
  • rpz (local): Enable response policy rewriting (rpz)
  • seccomp (global): Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs
  • selinux (global): !!internal use only!! Security Enhanced Linux support; this must be set by the selinux profile or breakage will occur
  • sit (local): Source Identity Token support (sit)
  • ssl (global): Add support for Secure Socket Layer connections
  • static-libs (global): Build static versions of dynamic libraries as well
  • threads (global): Add threads support for various packages. Usually pthreads
  • urandom (local): Use /dev/urandom instead of /dev/random
  • xml (global): Add support for XML files

Emerge

root #emerge --ask net-dns/bind

Add the named service to the default runlevel so that BIND starts automatically at boot:

root #rc-update add named default

If you are planning on using BIND in a chrooted environment, edit /etc/conf.d/named and set the CHROOT variable accordingly. Check the comments as well, as they provide information on automatically creating the chrooted environment using emerge --config.

Managing BIND

Most management of BIND is done through its rndc command, although the /etc/init.d/named init script can be used as well. In addition to the default start/stop/restart routines, the init script also offers the following functionality:

  • checkconfig validates the configuration file /etc/bind/named.conf for correct syntax
  • checkzones validates the zone files for correct syntax
  • reload reloads the zone files without restarting the named daemon itself
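The checkconfig, checkzones and reload steps above are usually run in that order, so that a typo never reaches the running daemon. The script below, an added example and not part of the wiki page or the Gentoo init script, chains them: it runs named-checkconf with -z (which parses named.conf and loads every zone it references, covering both checks in one pass), honours a CHROOT set in /etc/conf.d/named by passing it as -t, and only then calls rndc reload. The NAMED_CHECKCONF and RNDC variables, the chroot_dir helper and the safe-reload.sh script name are my own conventions, not BIND's; they default to the real binaries and exist only so the tools can be swapped for a dry run.

```shell
#!/bin/sh
# Added example: validate named.conf and all zones before reloading named.
# Assumes net-dns/bind is installed (named-checkconf, rndc on PATH) and that
# /etc/conf.d/named may carry a CHROOT= assignment, as on Gentoo.
# NAMED_CHECKCONF and RNDC are override hooks (assumption of this example).

NAMED_CHECKCONF=${NAMED_CHECKCONF:-named-checkconf}
RNDC=${RNDC:-rndc}

# chroot_dir [CONF_D_FILE]: print the CHROOT value from the init config,
# or nothing when unset. Only a CHROOT= line is read; the file is not sourced,
# so a damaged conf.d file cannot execute anything here.
chroot_dir() {
    conf=${1:-/etc/conf.d/named}
    [ -r "$conf" ] || return 0
    sed -n "s/^[[:space:]]*CHROOT=[\"']*\([^\"'#]*\).*/\1/p" "$conf" | tail -n 1
}

# check_config NAMED_CONF [CHROOT]
# -z makes named-checkconf load every zone file the config references, so a
# bad zone fails the check just like a bad named.conf does. With a chroot,
# NAMED_CONF is the path as seen from inside the chroot (as named uses it).
check_config() {
    conf=$1
    root=$2
    if [ -n "$root" ]; then
        "$NAMED_CHECKCONF" -t "$root" -z "$conf"
    else
        "$NAMED_CHECKCONF" -z "$conf"
    fi
}

# safe_reload [NAMED_CONF] [CHROOT]
# Exit status: 0 reloaded, 1 validation failed (running config untouched),
# 2 validation passed but rndc reload itself failed.
safe_reload() {
    conf=${1:-/etc/bind/named.conf}
    root=$2
    if ! check_config "$conf" "$root"; then
        echo "safe_reload: $conf failed validation; not reloading" >&2
        return 1
    fi
    "$RNDC" reload || return 2
}

# Stand-alone use: save as safe-reload.sh and run it as root, optionally
# with the named.conf path as first argument.
if [ "${0##*/}" = "safe-reload.sh" ]; then
    safe_reload "${1:-/etc/bind/named.conf}" "$(chroot_dir)"
fi
```

Because named-checkconf is a separate process with no access to the running cache, a failed check costs nothing: the daemon keeps serving the last good configuration until the file is fixed and the script is run again.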

Bind-tools

Use flags

USE flags for net-dns/bind-tools (bind tools: dig, nslookup, host, nsupdate, dnssec-keygen)

  • doc (global): Add extra documentation (API, Javadoc, etc.). It is recommended to enable per package instead of globally
  • gost (local): Enables GOST OpenSSL engine support
  • gssapi (local): Enable GSSAPI support
  • idn (global): Enable support for Internationalized Domain Names
  • ipv6 (global): Add support for IP version 6
  • libressl (global): Use dev-libs/libressl as SSL provider (might need ssl USE flag); packages should not depend on this USE flag
  • readline (global): Enable support for libreadline, a GNU line-editing library that almost everyone wants
  • seccomp (global): Enable seccomp (secure computing mode) to perform system call filtering at runtime to increase security of programs
  • ssl (global): Add support for Secure Socket Layer connections
  • urandom (local): Use /dev/urandom instead of /dev/random
  • xml (global): Add support for XML files

Emerge Bind-tools

root #emerge --ask net-dns/bind-tools

Recipes

Easy Caching DNS

Point the system resolver at the local name server:

root #echo 'dns_servers="127.0.0.1"' >> /etc/conf.d/net

As root, edit /etc/bind/named.conf and add your ISP's DNS servers where the x.x.x.x placeholders are. The forwarders statement goes inside the options block:

FILE /etc/bind/named.conf
options {
	// ... other options ...
	forwarders {
		x.x.x.x;	// Your ISP NS
		x.x.x.x;	// Your ISP NS
		4.2.2.1;	// Level3 Public DNS
		4.2.2.2;	// Level3 Public DNS
		8.8.4.4;	// Google Public DNS
		8.8.8.8;	// Google Public DNS
	};
	// ... other options ...
};

Then restart named and verify that lookups succeed:

root #rc-service named restart
user $dig google.com
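The recipe above only chooses where queries are forwarded; it says nothing about who may ask. A caching server that recurses for anyone on the Internet is an open resolver, which is abused for reflection and amplification traffic and exposes your cache to poisoning attempts from arbitrary clients. The options block below is an added example, not the wiki's or Gentoo's default configuration: it keeps the forwarders from the recipe and adds the listen and allow-* statements that confine the service to local clients. The "trusted" ACL name, the 192.168.1.0/24 network and the 192.168.1.1 interface address are placeholders for your own LAN; x.x.x.x are your ISP's servers as in the recipe.

```conf
// Added example (not the wiki's configuration): a caching forwarder that
// answers only local clients. "trusted", 192.168.1.0/24 and 192.168.1.1
// are placeholders; replace them with your own network and address.
acl "trusted" {
	127.0.0.1;
	::1;
	192.168.1.0/24;		// example LAN
};

options {
	directory "/var/bind";

	// Bind only to loopback and the LAN interface, never to all addresses.
	listen-on { 127.0.0.1; 192.168.1.1; };	// 192.168.1.1: this host's LAN address (example)
	listen-on-v6 { ::1; };

	// Recursion, and therefore the cache, is for local clients only.
	// Anyone outside the ACL is refused, which is what prevents the host
	// from acting as an open resolver.
	recursion yes;
	allow-query { trusted; };
	allow-recursion { trusted; };
	allow-query-cache { trusted; };
	allow-transfer { none; };	// a pure cache has no zones to hand out

	// Send every query upstream; do not fall back to the root servers.
	forward only;
	forwarders {
		x.x.x.x;	// Your ISP NS
		x.x.x.x;	// Your ISP NS
		4.2.2.1;	// Level3 Public DNS
		4.2.2.2;	// Level3 Public DNS
		8.8.4.4;	// Google Public DNS
		8.8.8.8;	// Google Public DNS
	};

	// Check DNSSEC signatures on the answers that get cached.
	dnssec-validation auto;

	// Do not report the exact BIND version to CHAOS-class queries.
	version none;
};
```

After rc-service named restart, a query from the server itself (dig @127.0.0.1 google.com) should return an answer, while the same query from a host outside the trusted ACL should be refused (status REFUSED in dig's output). Note that with forward only, name resolution stops working whenever all listed forwarders are unreachable, so list at least two.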

Other resources