Install Bind as an authoritative DNS server
Prerequisites
- A fixed IP address
Vocabulary
- Primary Name Server
- The primary name server is the source of the data. This is the one that you use to change the data.
- Secondary Name Server
- Secondary name servers are used for redundancy and load balancing. They hold a complete copy of the data from the primary server and can answer the same queries.
- Zone
- A DNS zone is a portion of the DNS space. For example, if you look at [[1]], you see 3 zones: one for . (the root), one for .org and one for .example.org. Each zone contains the records for the part of the DNS space it controls. For example, the last zone will contain the records for www.example.org.
Install
# apt install bind9
Configure
Limit Information Disclosure
The version string is useful to an attacker searching for known vulnerabilities in your server. Let's make their life more difficult by hiding it.
Note that this is not an excuse to run old vulnerable software. The goal is only to slow down attackers when a new exploit is published, so that you have enough time to update before getting pwned.
To prevent this information from being returned, edit the file /etc/bind/named.conf.options and add the version and hostname lines:
options {
    version none;
    hostname none;
};
Response Rate Limiting (RRL)
DNS servers can be abused to perform DoS attacks on other, innocent victims. This causes several problems for you:
- the attacker wastes your bandwidth while attacking other servers
- the victim sees you as the source of the attack, so you may end up on blacklists, which will be a problem for you
- you make DoS attacks easier for the attackers and contribute to the problem
For more details, read the quick introduction to response rate limiting from ISC (the authors of BIND).
Rate limiting renders such attacks ineffective while still answering legitimate queries. To enable it, add the rate-limit block to the file /etc/bind/named.conf.options:
options {
    rate-limit {
        responses-per-second 10;
        exempt-clients { 127.0.0.1; ::1; };
    };
};
Listen on public IP
By default, Bind will only reply to queries from localhost. To use it as an authoritative server, you must make it listen on a public IP. Once again the file to modify is /etc/bind/named.conf.options
options {
    listen-on { any; };
    listen-on-v6 { any; };
    allow-recursion { 127.0.0.1; ::1; };
};
The 3 options to modify are (these should already be there in the file):
listen-on
: List of IPv4 addresses to listen on. any; means all. Otherwise you can list IPs: listen-on { 203.0.113.23; 127.0.0.1; };
listen-on-v6
: Same as above for IPv6 addresses.
allow-recursion
: IPs to which the server will reply to recursive queries (when it needs to contact other servers to get the response). This must never contain any public IP.
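The three settings above (version and hostname hiding, the rate-limit block, and a loopback-only allow-recursion) are easy to get subtly wrong, for example by leaving a public range in allow-recursion. The following Python script is an added example, not part of this page or of BIND: it reads a named.conf.options file with a deliberately small parser for the syntax shown above and reports which of the three hardening points are missing. All function names (audit_options, is_internal, parse_block) and the two embedded sample configurations are constructed for this example, and the list of ranges treated as "internal" is the example's own assumption, not a BIND default.

```python
import ipaddress
import re

# Ranges from which recursion may reasonably be allowed on an authoritative
# server: loopback, RFC 1918, IPv6 ULA and link-local. Anything else found in
# allow-recursion is reported. This list is this example's assumption.
INTERNAL_RANGES = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "::1/128", "10.0.0.0/8", "172.16.0.0/12",
    "192.168.0.0/16", "fc00::/7", "fe80::/10")]


def strip_comments(text):
    """Remove /* */, // and # comments (the three forms named.conf accepts)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def tokenize(text):
    """Split into words plus the structural characters { } ;"""
    return re.findall(r"[{};]|[^\s{};]+", strip_comments(text))


def parse_block(tokens, pos=0):
    """Parse until a closing '}'. A plain statement maps name -> [args];
    a statement with a body maps name -> ([args], nested dict)."""
    block, stmt = {}, []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == "}":
            return block, pos + 1
        if tok == "{":
            inner, pos = parse_block(tokens, pos + 1)
            block[stmt[0] if stmt else "?"] = (stmt[1:], inner)
            stmt = []
        elif tok == ";":
            if stmt:
                block[stmt[0]] = stmt[1:]
            stmt = []
            pos += 1
        else:
            stmt.append(tok)
            pos += 1
    return block, pos


def is_internal(entry):
    """True for loopback/private addresses and the localhost/none keywords."""
    try:
        net = ipaddress.ip_network(entry.lstrip("!"), strict=False)
    except ValueError:
        return entry in ("localhost", "none")
    return any(net.subnet_of(r) for r in INTERNAL_RANGES if r.version == net.version)


def audit_options(text):
    """Return a list of findings; an empty list means all three checks pass."""
    top, _ = parse_block(tokenize(text))
    if not isinstance(top.get("options"), tuple):
        return ["no options { } block found"]
    opts = top["options"][1]
    findings = []
    for key in ("version", "hostname"):
        if opts.get(key) != ["none"]:
            findings.append(f"{key} is not 'none': a CHAOS TXT query would disclose it")
    rl = opts.get("rate-limit")
    if not isinstance(rl, tuple):
        findings.append("no rate-limit block: response rate limiting is off")
    elif not (rl[1].get("responses-per-second") or [""])[0].isdigit():
        findings.append("rate-limit has no numeric responses-per-second")
    ar = opts.get("allow-recursion")
    if not isinstance(ar, tuple):
        findings.append("allow-recursion is not set explicitly")
    else:
        for entry in ar[1]:
            if not is_internal(entry):
                findings.append(f"allow-recursion contains {entry!r}: open to public clients")
    return findings


# Constructed sample: the hardened configuration assembled from this page.
HARDENED = """
options {
    version none;
    hostname none;
    rate-limit {
        responses-per-second 10;
        exempt-clients { 127.0.0.1; ::1; };
    };
    listen-on { any; };
    listen-on-v6 { any; };
    allow-recursion { 127.0.0.1; ::1; };
};
"""

# Constructed sample: leaks version and hostname, no RRL, recurses for anyone.
OPEN_RESOLVER = """
options {
    listen-on { any; };
    allow-recursion { any; };  // recurses for the whole Internet
};
"""

if __name__ == "__main__":
    import sys
    path = sys.argv[1] if len(sys.argv) > 1 else "/etc/bind/named.conf.options"
    for finding in audit_options(open(path).read()) or ["ok: all three checks pass"]:
        print(finding)
```

Run it as python3 audit_named_options.py /etc/bind/named.conf.options (the file name is arbitrary); an empty report means all three checks pass. The script only reads the file, so after editing, rndc reload and a dig CHAOS-class TXT query for version.bind against the server remain the authoritative check that nothing is disclosed.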
Firewall
Bind will listen on port 53, on both TCP and UDP. Assuming that you configured nftables as described, you can edit the file /etc/nftables/main_config.conf and add
# Bind
add element inet main tcp_port_in { 53 }
add element inet main udp_port_in { 53 }
and activate it using
$ sudo /etc/nftables/reload_main.conf
Reload Configuration
Bind9 can be told to reload its configuration using
$ sudo rndc reload
Warning: This command works asynchronously. It is recommended to verify that everything went fine using
$ sudo systemctl status bind9.service
● bind9.service - BIND Domain Name Server
Loaded: loaded (/lib/systemd/system/bind9.service; enabled)
Drop-In: /run/systemd/generator/bind9.service.d
└─50-insserv.conf-$named.conf
Active: active (running) since Mon 2016-08-08 19:30:41 UTC; 1 weeks 5 days ago
Docs: man:named(8)
Process: 6086 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
Main PID: 6091 (named)
CGroup: /system.slice/bind9.service
└─6091 /usr/sbin/named -f -u bind
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): reconfiguring zone keys
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): next key event: 21-Aug-2016 10:10:12.300
Aug 21 09:10:12 server.example.org named[6091]: reloading zones succeeded
Aug 21 09:10:12 server.example.org named[6091]: all zones loaded
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (unsigned): loaded serial 2016082100
Aug 21 09:10:12 server.example.org named[6091]: running
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): serial 2016082100 (unsigned 2016082100)
Aug 21 09:10:12 server.example.org named[6091]: zone example.org/IN (signed): sending notifies (serial 2016082100)
Aug 21 09:10:12 server.example.org named[6091]: client 203.0.113.199#38278 (example.org): transfer of 'example.org/IN': IXFR started
Aug 21 09:10:12 server.example.org named[6091]: client 203.0.113.199#38278 (example.org): transfer of 'example.org/IN': IXFR ended
This will show you the last lines of the log. If anything went wrong, it should appear in red.
Test for open recursion
Open recursive DNS servers are really BAD. You can test your server at http://openresolver.com.
Adding a domain
Warning: This page is a work in progress and is not completed. Important information might be missing or wrong.
Let's add a domain example.org to our server.
Secondary Name Server
To ensure the resilience of the services hosted on your domain, you must use one or several secondary name servers. The criteria for choosing a secondary name server are:
- Geographic location: This is important for the speed of your DNS queries. Servers far away mean slow DNS responses and will slow down your whole product.
- IPv6: This is becoming more and more important. Make sure your DNS server supports it.
- DNSSEC: If you care about security and plan to enable DNSSEC, you need to make sure that your secondary server supports it as well.
- Support for Notify: With this feature the primary DNS server notifies the secondary when something changes, which speeds up change propagation.
If you are hosting your primary name server on a server that you are renting, there is a good chance that your provider offers a free secondary name server. Otherwise, search for secondary name servers online. There are several free or paid options available.
Zone File
First create a file /etc/bind/master/example.org
$ORIGIN example.org.
$TTL 1d ; Time a cache will keep responses
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
;; Zone ;;
;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
@       SOA ns1 hostmaster (
            2016121200 ; serial
            12h        ; refresh: how often a secondary checks the primary for a new serial
            15m        ; retry: delay before a secondary retries after a failed zone transfer
            4w         ; expire: how long a secondary keeps the data if it cannot contact the primary
            1h         ; negative caching TTL: how long a cache keeps negative responses (NXDOMAIN)
        )
@       NS   ns1
@       NS   ns2
ns1     A    198.51.100.42
        AAAA 2001:db8:57:12::1
ns2     A    203.0.113.42
        AAAA 2001:db8:af9b:d72e::1
- $ORIGIN: Default suffix appended to the names below. E.g. ns1 will be read as ns1.example.org. Note that the trailing dot is important: names that end with a dot are absolute and do not get the origin appended.
- $TTL: Default Time To Live for entries, i.e. the amount of time a cache will keep a response.
- @: This represents the root of the zone. Its value is replaced by the value of $ORIGIN.
- A line that starts with whitespace has no owner name of its own: it belongs to the same name as the previous record (this is how the AAAA lines above attach to ns1 and ns2).
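To make the $ORIGIN, $TTL and @ rules above concrete, here is an added example in Python (not part of this page or of BIND) that reads the zone file from this section and applies those rules: it expands @ and relative names, joins the multi-line SOA, attaches owner-less lines (the AAAA records above) to the previous owner, checks that every in-zone name server has an address record, and computes the next YYYYMMDDnn serial, the serial form used above. All function names are this example's own; the zone text is the one from this page with the SOA comments shortened, and the small second zone in the checks is constructed.

```python
import re

# The zone file from this page (example.org), embedded here as the sample input.
ZONE_TEXT = """\
$ORIGIN example.org.
$TTL 1d ; Time a cache will keep responses
@       SOA ns1 hostmaster (
            2016121200 ; serial
            12h        ; refresh
            15m        ; retry
            4w         ; expire
            1h         ; negative caching TTL
        )
@       NS   ns1
@       NS   ns2
ns1     A    198.51.100.42
        AAAA 2001:db8:57:12::1
ns2     A    203.0.113.42
        AAAA 2001:db8:af9b:d72e::1
"""

TTL_RE = re.compile(r"^(\d+)([smhdw]?)$", re.I)
UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}


def parse_ttl(token):
    """'1d' -> 86400 seconds; None when the token is not a TTL."""
    m = TTL_RE.match(token)
    return int(m.group(1)) * UNITS[m.group(2).lower()] if m else None


def logical_lines(text):
    """Drop ';' comments and join entries that span several lines inside ( )."""
    buf, depth = [], 0  # simplification: ';' inside quoted TXT data is not handled
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf).replace("(", " ").replace(")", " ")
            buf = []


def absolute(name, origin):
    """$ORIGIN rules: '@' is the origin; names without a trailing dot get it appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text):
    """Return records as (owner, ttl, type, rdata) with all names made absolute."""
    origin = default_ttl = last_owner = None
    records = []
    for line in logical_lines(text):
        fields = line.split()
        if fields[0] == "$ORIGIN":
            origin = fields[1]
            continue
        if fields[0] == "$TTL":
            default_ttl = parse_ttl(fields[1])
            continue
        # A line starting with whitespace has no owner: it belongs to the previous one.
        owner = last_owner if line[0] in " \t" else absolute(fields.pop(0), origin)
        ttl = default_ttl
        if parse_ttl(fields[0]) is not None:  # optional per-record TTL
            ttl = parse_ttl(fields.pop(0))
        if fields[0].upper() == "IN":  # optional class
            fields.pop(0)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):
            rdata = [absolute(rdata[0], origin)]
        elif rtype == "SOA":  # primary name server and hostmaster mailbox are names too
            rdata = [absolute(rdata[0], origin), absolute(rdata[1], origin)] + rdata[2:]
        records.append((owner, ttl, rtype, rdata))
        last_owner = owner
    return records


def lookup(records, name, rtype):
    return [rdata for owner, _, t, rdata in records if owner == name and t == rtype]


def soa_serial(records):
    return int(next(rdata for _, _, t, rdata in records if t == "SOA")[2])


def missing_glue(records):
    """In-zone NS targets that have no A/AAAA record in the zone itself."""
    origin = next(owner for owner, _, t, _ in records if t == "SOA")
    with_addr = {owner for owner, _, t, _ in records if t in ("A", "AAAA")}
    return sorted({r[0] for _, _, t, r in records
                   if t == "NS" and r[0].endswith("." + origin) and r[0] not in with_addr})


def bump_serial(current, today):
    """Next YYYYMMDDnn serial: today's first number, or current+1 on a same-day edit."""
    candidate = today * 100
    return candidate if candidate > current else current + 1


if __name__ == "__main__":
    recs = parse_zone(ZONE_TEXT)
    print("serial", soa_serial(recs), "-> next", bump_serial(soa_serial(recs), 20161213))
    print("missing glue:", missing_glue(recs) or "none")
    for owner, ttl, rtype, rdata in recs:
        print(f"{owner:22} {ttl!s:>6} {rtype:5} {' '.join(rdata)}")
```

Editing the zone without raising the serial is the classic mistake: secondaries compare serials and will not transfer a zone whose serial has not grown, so a helper like bump_serial belongs in whatever script edits the file. The parser deliberately covers only the syntax used here (no quoted TXT data, no $INCLUDE); named-checkzone, shipped with BIND, remains the real validator.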
DDNS
Dynamic DNS allows you to change the entries in your name server in real time. It is often used to maintain records for hosts with dynamic IP.
Create Subzone
Warning: This page is a work in progress and is not completed. Important information might be missing or wrong.
Configure Zone
zone "dyn.example.org" {
type master;
file "/etc/bind/master/dyn.example.org";
update-policy {
grant local-ddns name home.dyn.example.org A;
};
};