It is possible to install BIND on Ubuntu simply with apt-get install bind9. But sometimes the geek inside our soul wants to torture itself by doing the installation from source. Bear in mind that a source build gets no security updates from Ubuntu: you have to watch ISC's advisories and rebuild yourself.
This tutorial is based on Ubuntu 14.04.2 LTS and BIND 9.10.2. If you are using a different version, you will need to adjust some names in this tutorial, or it might not work at all, because, you know, it is different.
I divide the process into five steps:
- Download & verify the BIND source file
- Installation
- Configuration
- Testing
- Other things?
Download & Verify BIND source file
I download the latest BIND source tarball and its verification file. The source files and the verification file (.asc) can be obtained here. Neither downloading nor verifying needs root, so there is no reason for sudo in this step.

wget ftp://ftp.isc.org/isc/bind9/9.10.2/bind-9.10.2.tar.gz
wget ftp://ftp.isc.org/isc/bind9/9.10.2/bind-9.10.2.tar.gz.sha512.asc
The .sha512.asc file is a detached PGP signature over the tarball made with SHA-512 as the digest; ISC offers several signature files, and SHA-512 is the strongest digest among them. The tarball was signed with ISC's private key, and we verify the signature with the corresponding public key. This is public-key cryptography; if it is new to you, read the Wikipedia articles on it and on GPG first, and the next steps will be clearer.
Let's verify the tarball against the provided .asc file:

gpg --verify bind-9.10.2.tar.gz.sha512.asc bind-9.10.2.tar.gz

(If you pass only the signature file, gpg asks for the name of the data file; it means the tarball you just downloaded, bind-9.10.2.tar.gz.) The output will be similar to this.
gpg: Signature made Wed Feb 25 13:35:48 2015 CET using RSA key ID 911A4C02
gpg: Can't check signature: public key not found
Do you see the RSA key ID 911A4C02? That is the ID of the key that made the signature. We cannot verify it yet because we do not have the public key, so we fetch it from a keyserver. Keep in mind what this does and does not establish: a short key ID is just the low 32 bits of the fingerprint, anyone can generate a key with a chosen short ID in minutes, and the ID in the signature is picked by whoever produced the signature. Fetching by key ID only gets you a candidate key; the real check is comparing the full fingerprint, shown later, with the one ISC publishes.

gpg --keyserver pgp.mit.edu --recv-keys 911A4C02
The output will look like the following:
gpg: requesting key 911A4C02 from hkp server pgp.mit.edu
gpg: /home/ardho/.gnupg/trustdb.gpg: trustdb created
gpg: key 911A4C02: public key "Internet Systems Consortium, Inc. (Signing key, 2015-2016) <codesign@isc.org>" imported
gpg: no ultimately trusted keys found
gpg: Total number processed: 1
gpg:               imported: 1  (RSA: 1)
Then re-run the gpg command from before. The result must look like this; if it does not, something is wrong, so go back to the beginning and check each step again.

gpg: Signature made Wed Feb 25 13:35:48 2015 CET using RSA key ID 911A4C02
gpg: Good signature from "Internet Systems Consortium, Inc. (Signing key, 2015-2016) <codesign@isc.org>"
gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: ADBE 9446 286C 7949 05F1 E075 6FA6 EBC9 911A 4C02

"Good signature" means the tarball is intact and was signed by the key whose primary fingerprint is ADBE 9446 286C 7949 05F1 E075 6FA6 EBC9 911A 4C02. The WARNING is gpg telling you it has no reason to believe that key belongs to ISC: it came from a keyserver, looked up by short ID, and nobody you trust has certified it. Close that gap yourself by comparing the fingerprint, all forty hex digits, with the one ISC publishes on its website. Only when they match are you sure you have the correct source file; an attacker who can tamper with your download can just as easily sign it with a key of their own that carries the same short ID.
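As an added example, not part of the original post: the same check done in a script, the way you would put it into a build pipeline. Instead of reading the human-oriented output, it parses gpg's machine-readable --status-fd lines and accepts the tarball only if the VALIDSIG line names the pinned fingerprint, so the key ID and the "not certified" warning no longer matter. The fingerprint pinned here is the one from the output above; whether that is really ISC's key is still something you confirm once, out of band. The sample status lines embedded for testing are constructed by me to match that output.

```sh
#!/bin/sh
# Added example, not from the original post: verify the tarball's detached
# signature and pin the signing key's fingerprint rather than trusting whatever
# key a keyserver returned for a 32-bit key ID.
set -eu

# Fingerprint printed by gpg in the tutorial; confirm it against ISC's published key.
EXPECTED_FPR="ADBE 9446 286C 7949 05F1 E075 6FA6 EBC9 911A 4C02"

# Normalise a fingerprint: strip spaces, upper-case hex.
norm_fpr() {
    printf '%s' "$1" | tr -d ' ' | tr 'abcdef' 'ABCDEF'
}

# Read "[GNUPG:] ..." status lines on stdin. Succeed only if a VALIDSIG line
# (emitted solely for a cryptographically valid signature) names the expected
# key, either as the signing (sub)key (field 3) or as the primary key (last
# field). GOODSIG alone is not enough: it carries only the 64-bit key ID.
check_validsig() {
    want=$(norm_fpr "$1")
    ok=1
    while IFS= read -r line; do
        case $line in
            "[GNUPG:] VALIDSIG "*)
                set -- $line
                sig_fpr=$3
                eval "primary_fpr=\${$#}"
                if [ "$sig_fpr" = "$want" ] || [ "$primary_fpr" = "$want" ]; then
                    ok=0
                fi
                ;;
        esac
    done
    return $ok
}

# For real use: exit 0 only when the signature is valid AND made by the pinned key.
verify_tarball() {
    gpg --status-fd 1 --verify "$1" "$2" 2>/dev/null | check_validsig "$EXPECTED_FPR"
}

# Constructed sample of what gpg --status-fd prints for the tutorial's good
# signature (hash-algo 10 is SHA-512, hence the .sha512.asc file name).
SAMPLE_GOOD='[GNUPG:] NEWSIG
[GNUPG:] SIG_ID 5eV6xk0Zb3WxJ6s6RFhGJxhcmjo 2015-02-25 1424867748
[GNUPG:] GOODSIG 6FA6EBC9911A4C02 Internet Systems Consortium, Inc. (Signing key, 2015-2016) <codesign@isc.org>
[GNUPG:] VALIDSIG ADBE9446286C794905F1E0756FA6EBC9911A4C02 2015-02-25 1424867748 0 4 0 1 10 00 ADBE9446286C794905F1E0756FA6EBC9911A4C02
[GNUPG:] TRUST_UNDEFINED 0 pgp'

# Constructed sample for a signature that does not verify at all.
SAMPLE_BAD='[GNUPG:] NEWSIG
[GNUPG:] BADSIG 6FA6EBC9911A4C02 Internet Systems Consortium, Inc. (Signing key, 2015-2016) <codesign@isc.org>'

# Run the check against a sample instead of a live gpg.
sample_check() {
    printf '%s\n' "$1" | check_validsig "$2"
}
```

Usage on a real download is verify_tarball bind-9.10.2.tar.gz.sha512.asc bind-9.10.2.tar.gz; a key with a colliding short ID but a different fingerprint fails the check even though gpg would print "Good signature" for it.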
Installation
All the dependencies must be installed first.
sudo apt-get install build-essential libssl-dev -y
Then we extract the source file.
tar xzvf bind-9.10.2.tar.gz
Then go to the extracted directory:
cd bind-9.10.2
I configure it to use /etc/bind as the configuration directory. If you leave --sysconfdir out, the autoconf default applies, which is /usr/local/etc (the default prefix is /usr/local), and named would look for named.conf there. Only the install step needs root; configure and make run as a normal user:

./configure --sysconfdir=/etc/bind
make
sudo make install
Configuration
For a bare-bones configuration we have to create four files: the root hints file (named.root), the localhost zone (localhost.zone), the reverse localhost zone (localhost.reverse.zone), and the main configuration file (named.conf).
The content of the root hints file can be obtained here. The following commands download named.root into the configuration directory:

cd /etc/bind
sudo wget http://www.internic.net/domain/named.root
For the localhost zone and its reverse, I create two separate files. One thing to watch in zone files: a name without a trailing dot is relative to $ORIGIN, so inside the reverse zone a bare localhost would silently become localhost.0.0.127.in-addr.arpa. Names that are meant to be absolute end with a dot.

Here is localhost.zone, the forward zone that defines the name localhost:

$TTL 86400
$ORIGIN localhost.
; @ stands for the origin, so this SOA describes localhost. itself
@       1D IN SOA   @ root (
                    2002022401  ; serial
                    3H          ; refresh
                    15M         ; retry
                    1W          ; expire
                    3H )        ; negative cache TTL
        1D IN NS    @
        1D IN A     127.0.0.1

And this is localhost.reverse.zone, the reverse zone that maps 127.0.0.1 back to localhost:

$TTL 86400
$ORIGIN 0.0.127.in-addr.arpa.
@       IN SOA  localhost. root.localhost. (
                1           ; serial
                360000      ; refresh every 100 hours
                3600        ; retry after 1 hour
                3600000     ; expire after 1000 hours
                3600 )      ; negative cache is 1 hour
        IN NS   localhost.
1       IN PTR  localhost.

Then the main configuration file, named.conf:

// Define an access list to limit recursion later
acl localnet { 127.0.0.1/32; };

// Working directory and limit recursion
options {
    directory "/etc/bind";
    allow-recursion { localnet; };
};

// Caching only DNS server: root hints
zone "." {
    type hint;
    file "named.root";
};

// Where the localhost hostname is defined
zone "localhost" IN {
    type master;
    file "localhost.zone";
    allow-update { none; };
};

// Reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "localhost.reverse.zone";
    notify no;
};
These four files kick-start BIND in a really basic configuration: a caching name server whose recursion is limited to the localnet ACL, that is, to queries from 127.0.0.1. Be aware of what it does not restrict: with no listen-on and no allow-query, named binds every interface and still answers non-recursive queries (the localhost zones; cached data is protected because in BIND 9.10 allow-query-cache follows allow-recursion) from any address, and allow-transfer defaults to any. On a machine with a public address, either restrict listen-on, allow-query and allow-transfer in the options block or keep port 53 firewalled.
You can check Wikipedia to learn more about the types of DNS servers, and head here for more configuration examples.
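As an added example that is not part of the original tutorial: a small shell script that writes the tutorial's options block and a hardened variant to a path you name, and audits either for the settings a caching resolver on a reachable host should pin down (listen-on, allow-query, allow-recursion, allow-transfer). The audit is sed/grep based and assumes one setting per line, as in these files; it is not a named.conf parser. The option names and defaults are BIND 9.10's; the version string and the file names are my choices.

```sh
#!/bin/sh
# Added example, not from the original post: the tutorial's named.conf options
# next to a hardened version, plus a line-oriented audit of either.
set -eu

# The tutorial's options block, as-is (zones omitted, they are not the point here).
write_page_conf() {
    cat > "$1" <<'EOF'
// Define an access list to limit recursion later
acl localnet { 127.0.0.1/32; };
// Working directory and limit recursion
options {
    directory "/etc/bind";
    allow-recursion { localnet; };
};
EOF
}

# Same server, with the defaults that expose it pinned down explicitly.
write_hardened_conf() {
    cat > "$1" <<'EOF'
acl localnet { 127.0.0.1/32; };
options {
    directory "/etc/bind";
    listen-on { 127.0.0.1; };      // default: every IPv4 interface
    listen-on-v6 { none; };        // nothing on IPv6 either
    allow-query { localnet; };     // default: any
    allow-recursion { localnet; };
    allow-transfer { none; };      // default: any (AXFR of the localhost zones to anyone)
    version "not disclosed";       // default: the real version string
};
EOF
}

# Does the comment-stripped config text $1 contain pattern $2?
conf_has() {
    printf '%s\n' "$1" | grep -q "$2"
}

# Print one line per finding for the named.conf at $1; exit 0 only if none.
audit_named_conf() {
    # strip // and # comments, then blank lines
    body=$(sed -e 's|//.*||' -e 's|#.*||' "$1" | sed '/^[[:space:]]*$/d')
    rc=0
    conf_has "$body" 'listen-on' || { echo "no listen-on: named binds every interface"; rc=1; }
    conf_has "$body" 'allow-query' || { echo "no allow-query: default is any"; rc=1; }
    if conf_has "$body" 'allow-recursion[[:space:]]*{[[:space:]]*any'; then
        echo "allow-recursion any: open resolver, usable for amplification"; rc=1
    elif ! conf_has "$body" 'allow-recursion'; then
        echo "no allow-recursion: default is localnets and localhost, make it explicit"; rc=1
    fi
    conf_has "$body" 'allow-transfer' || { echo "no allow-transfer: default is any"; rc=1; }
    return $rc
}
```

Run audit_named_conf /etc/bind/named.conf after each change; on the tutorial's file it reports three findings, on the hardened one none. The hardened block drops nothing the tutorial relies on, it only states the defaults the tutorial was leaving implicit.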
At this point the BIND daemon, which is called named, can be started, and you can choose to stop here. Note that run like this it daemonizes and keeps running as root; on anything but a throwaway box, create an unprivileged account and start it with named -u <user> so it drops privileges after binding port 53 (the log directory created later must then be writable by that user). To start it:

sudo named

You will see nothing, but rest assured, it is working. If you really want to be sure, run it in the foreground with the logs on the console:

sudo named -g
Next, I am going to test whether the named.conf file is correctly written, add logging, and set up rndc to control the running daemon.
Testing
To check whether named.conf is correctly written, I use named-checkconf:

named-checkconf named.conf

If it prints nothing, the file is correct; otherwise go back to the previous steps and fix what it complains about. named-checkconf -z named.conf goes further and also loads every zone the file references, so it catches mistakes in the zone files too. Once named is running, dig @127.0.0.1 localhost A should answer 127.0.0.1 and dig @127.0.0.1 -x 127.0.0.1 should answer localhost.
Other Things?
To make my life easier, I also configure logging. I want the logs in a separate file, so I add the following lines to named.conf.

logging {
    channel simple_log {
        // log file of at most 5 MB, keeping the last 3 rotated files; change the path as you like
        file "/var/log/bind/bindlog.log" versions 3 size 5m;
        severity debug 2;       // logging level; debug is very chatty, info is enough for day-to-day use
        print-time yes;         // write the date and time
        print-severity yes;     // write the severity level
        print-category yes;     // write the category
    };
    category default { simple_log; };
};

The channel points at a directory that does not exist yet, so first things first. Create it, and if named runs as an unprivileged user, give that user ownership so it can write there:

sudo mkdir /var/log/bind
Then, to control the running service (status, reload, stop), we need rndc. rndc talks to named over a control channel on 127.0.0.1 port 953 and authenticates with a shared secret (a TSIG key), so both sides must know the same key. I create the key and the configuration by running:

sudo rndc-confgen

It returns the following (the secret is shown as a placeholder here):

# Start of rndc.conf
key "rndc-key" {
	algorithm hmac-md5;
	secret "HereWillBeTheSecret";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf


# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-md5;
# 	secret "HereWillBeTheSecret";
# };
#
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

The key it generates uses hmac-md5, which named still accepts but is a weak choice; named also accepts hmac-sha256 rndc keys, so change the algorithm line on both sides and generate a 32-byte base64 secret yourself if your rndc-confgen has no option to pick the algorithm.
I copy the part between # Start of rndc.conf and # End of rndc.conf into a new file, rndc.conf, in /etc/bind/. Then I append the rest (everything between # Use with the following... and # End of named.conf, with the leading hashes removed) to named.conf. Both files now contain the secret, and anyone who can read it can stop or reconfigure named from localhost, so make sure neither file is world-readable (mode 640, owned by root and the group named runs as, is enough).
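As an added example, not from the original post: instead of pasting the hmac-md5 secret into named.conf, this script generates a 256-bit hmac-sha256 secret itself, keeps it in one restricted file, and has both named.conf and rndc.conf pull it in with an include statement. Key name, port and address match rndc-confgen's defaults above; the directory is a parameter so it can be tried in a scratch directory before pointing it at /etc/bind, and the --apply flag is my own convention, not part of BIND.

```sh
#!/bin/sh
# Added example, not from the original post. Generates an rndc key with
# hmac-sha256, stores it in one restricted file and references it from both
# sides via "include", instead of copying an hmac-md5 secret into named.conf.
# Assumes the tutorial's layout: config in /etc/bind, control channel on
# 127.0.0.1:953, key name "rndc-key" (all rndc-confgen defaults).
set -eu

# Write $1/rndc.key with a fresh 32-byte secret (44 base64 characters).
# The file is created under umask 077 so the secret is never world-readable,
# then widened to 0640 so the group named runs as can read it.
write_rndc_key() {
    dir=$1
    secret=$(head -c 32 /dev/urandom | base64 | tr -d '\n')
    (
        umask 077
        printf 'key "rndc-key" {\n\talgorithm hmac-sha256;\n\tsecret "%s";\n};\n' \
            "$secret" > "$dir/rndc.key"
    )
    chmod 0640 "$dir/rndc.key"
}

# Fragment for named.conf (add: include "/etc/bind/rndc-controls.conf";):
# pull in the key and open the control channel on loopback only.
write_controls_fragment() {
    dir=$1
    cat > "$dir/rndc-controls.conf" <<EOF
include "$dir/rndc.key";

controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF
}

# rndc.conf for the client side, sharing the same key file.
write_rndc_conf() {
    dir=$1
    cat > "$dir/rndc.conf" <<EOF
include "$dir/rndc.key";

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
EOF
}

# Extract the secret string from a key file (used to sanity-check the result).
rndc_key_secret() {
    sed -n 's/.*secret "\([^"]*\)".*/\1/p' "$1"
}

# Permission string of a file as ls shows it, e.g. -rw-r-----.
file_mode() {
    ls -l "$1" | cut -c1-10
}

# Touch the real configuration directory only when explicitly asked.
if [ "${1:-}" = "--apply" ]; then
    write_rndc_key /etc/bind
    write_controls_fragment /etc/bind
    write_rndc_conf /etc/bind
    echo 'now add: include "/etc/bind/rndc-controls.conf"; to /etc/bind/named.conf and restart named'
fi
```

After applying, named-checkconf /etc/bind/named.conf confirms the include resolves, and rndc status works exactly as before; the only file holding the secret is rndc.key, so that is the one whose ownership and mode you need to watch.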
Start named and check its status through rndc:

sudo named
sudo rndc status

If rndc reports that the server is up and running, you are set!