Copyright (C) 2007 Internet Systems Consortium, Inc. All Rights Reserved.
This Technical Note instructs a moderately experienced systems administrator on the steps necessary to quickly set up a recursive (caching-only) nameserver for use on a single system or a trusted local network.
Stop or kill off your current named process, if one is running. Usually, running "rndc stop" will instruct named to shut down. If this doesn't work, check for any error messages to determine the problem. On Unix systems, you can use ps to verify that it has stopped running. If the process is still running, you can use kill to force it to stop.
Obtain the latest version of BIND from ftp.isc.org or one of the many sites that mirror it. At the time of writing, the latest version is bind-9.4.1-P1.tar.gz. You can find that via FTP at ftp://ftp.isc.org/isc/bind9/9.4.1-P1/bind-9.4.1-P1.tar.gz . If you prefer a web interface, please access it via http://www.isc.org/index.pl?/sw/bind/view/?release=9.4.1-P1#DOWNLOADS . When looking at version numbers, please note that P stands for patch, RC means release candidate, while b is short for beta. Only numbered or patched releases are considered to be production-quality releases.
Extract the distribution. After you've obtained the file and moved it to a convenient directory with enough free space:
tar zxf bind-9.4.1-P1.tar.gz
cd bind-9.4.1-P1
Build the package by running the configure script. Specifying a prefix will put the binaries and other files in a single location, to avoid overwriting any existing files. After that's successful, build the binaries and such by running make. To install the binaries and associated files, use "make install".
Note that while the configure script is designed to work in a large number of environments, it may still exit with an error on some systems; if so, resolve the reported problem before continuing.
./configure --prefix=/usr/local/isc
make
make install
Create a configuration file for the named binary. Make a /usr/local/isc/etc/named.conf that looks something like the following. If you are running IPv6 on your system, please enable the "listen-on-v6" statement.
If you are running this system on an insecure connection such as an open wireless network, please remove the "localnets;" entries: they allow every host on your directly connected networks to use the nameserver, which increases the chance of it being abused for attacks. However, if you are using this in a home or office environment, it is okay to leave that parameter in, since you probably want to offer name service to other local systems.
include "/usr/local/isc/etc/rndc.key";

controls {
    inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
};

options {
    allow-query { localhost; localnets; };
    listen-on { any; };
    // uncomment this statement if your system supports IPv6.
    // listen-on-v6 { any; };
    // change this if you put cache & zone files elsewhere.
    directory "/var/named";
};

view "default-recursive" {
    match-clients { localhost; localnets; };
    match-destinations { localhost; localnets; };
    recursion yes;

    // actually include authoritative service for recommended zones
    // to reduce needless queries
    zone "." IN {
        type hint;
        file "named.cache";
    };
    zone "localdomain" IN {
        type master;
        file "db.localdomain";
        allow-update { none; };
    };
    zone "localhost" IN {
        type master;
        file "db.localhost";
        allow-update { none; };
    };
    zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "db.rev.127";
        allow-update { none; };
    };
    zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.\
0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "db.rev.0.0";
        allow-update { none; };
    };
    zone "255.in-addr.arpa" IN {
        type master;
        file "db.rev.255";
        allow-update { none; };
    };
    zone "0.in-addr.arpa" IN {
        type master;
        file "db.rev.0";
        allow-update { none; };
    };
};
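As an added example (not part of the Technical Note and not ISC code), a small Python audit of the access-control lists in a named.conf like the one above. It answers the question the caveat raises: does this configuration serve only the host itself, the directly connected networks ("localnets"), or anyone at all? The three configuration samples are constructed; "allow-recursion" is a real BIND statement included so the check also covers configurations that use it.

```python
import re

# Constructed samples (not from the Technical Note): one that serves only the host
# itself, the home/office variant with "localnets;" left in, and an accidental "any;".
LOCALHOST_ONLY_CONF = """
options {
    allow-query { localhost; };
    listen-on { any; };   // listening on all interfaces is fine while the ACLs stay tight
};
view "default-recursive" {
    match-clients { localhost; };
    match-destinations { localhost; };
    recursion yes;
    zone "localhost" IN { type master; file "db.localhost"; allow-update { none; }; };
};
"""
LOCALNETS_CONF = LOCALHOST_ONLY_CONF.replace("{ localhost; }", "{ localhost; localnets; }")
OPEN_CONF = LOCALHOST_ONLY_CONF.replace("allow-query { localhost; }", "allow-query { any; }")

# Statements that decide which clients this server will answer or recurse for.
ACL_STATEMENTS = ("allow-query", "allow-recursion", "match-clients", "match-destinations")
LOCAL_ONLY = {"localhost", "127.0.0.1", "::1", "none"}
WIDE_OPEN = {"any", "0.0.0.0/0", "::/0", "0/0"}


def strip_comments(text):
    """Drop /* */, // and # comments so a commented-out ACL is not counted."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def acl_lists(conf):
    """Map each access-control statement to the elements of its address match list."""
    pattern = r"\b(%s)\s*\{([^}]*)\}" % "|".join(ACL_STATEMENTS)
    return {stmt: [e.strip().strip('"') for e in body.split(";") if e.strip()]
            for stmt, body in re.findall(pattern, strip_comments(conf))}


def exposure(conf):
    """Widest audience any ACL admits: 'localhost', 'localnets' or 'open'."""
    level = "localhost"
    for elems in acl_lists(conf).values():
        for e in elems:
            if e.startswith("!") or e in LOCAL_ONLY:   # negations only narrow a list
                continue
            if e in WIDE_OPEN:
                return "open"
            level = "localnets"   # "localnets" itself or an explicit local prefix
    return level
```

Note that "listen-on { any; }" is deliberately not counted: it controls which interfaces named binds to, while the statements above control who is answered.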
Create the files referenced in the configuration. Create the following seven files in /var/named, or in whatever location the "directory" statement in /usr/local/isc/etc/named.conf specifies. Note that you can verify you have the latest named.cache by downloading it from ftp://ftp.internic.net/domain/named.cache . It's worthwhile to verify occasionally that you have the latest version of the named.cache. This file does not change frequently, but changes may occur during the next few years.
named.cache:

;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC
;       under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;       -OR-                    RS.INTERNIC.NET
;
;       last update:    Jan 29, 2004
;       related version of root zone:   2004012900
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; operated by ICANN
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

db.localdomain:

$TTL 86400
@       IN      SOA     localhost root (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN      NS      localhost
localhost       IN      A       127.0.0.1

db.localhost:

$TTL 86400
@       IN      SOA     @ root (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN      NS      @
        IN      A       127.0.0.1
        IN      AAAA    ::1

db.rev.127:

$TTL 86400
@       IN      SOA     @ root (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN      NS      localhost.
1       IN      PTR     localhost.

db.rev.0.0:

$TTL 86400
@       IN      SOA     @ root (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN      NS      localhost.

db.rev.255:

$TTL 86400
@       IN      SOA     @ root (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN      NS      localhost.

db.rev.0:

$TTL 86400
@       IN      SOA     @ root (
                        1       ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        IN      NS      localhost.
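As an added example (not part of the Technical Note and not ISC code), a Python check for a freshly downloaded named.cache: it parses records in the master-file format shown above, rejects any address that is not syntactically valid, and reports root server names that have no address record (named cannot prime from them) as well as address records that no longer belong to a listed root server. The sample hints text is constructed and deliberately incomplete.

```python
import ipaddress

# Constructed excerpt in the named.cache format shown above, with C's address
# record deliberately omitted to show what the check catches.
HINTS_SAMPLE = """\
;       This file holds the information on root name servers needed to
;       initialize cache of Internet domain name servers
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
; End of File
"""


def parse_hints(text):
    """Return (names the root delegates to, {name: [addresses]}) from a hints file."""
    ns_names, addresses = set(), {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0].strip()          # ';' starts a master-file comment
        if not line:
            continue
        fields = line.split()
        if "IN" in fields:                           # the class field is optional
            fields.remove("IN")
        if len(fields) != 4:
            raise ValueError("line %d: expected owner, TTL, type, rdata" % lineno)
        owner, _ttl, rtype, rdata = fields
        if rtype == "NS" and owner == ".":
            ns_names.add(rdata.upper())              # DNS names compare case-insensitively
        elif rtype in ("A", "AAAA"):
            ipaddress.ip_address(rdata)              # a corrupted address breaks priming; fail early
            addresses.setdefault(owner.upper(), []).append(rdata)
    return ns_names, addresses


def check_hints(text):
    """Summarise the hints: how many root servers, and which records are inconsistent."""
    ns_names, addresses = parse_hints(text)
    return {
        "servers": len(ns_names),
        "missing_address": sorted(ns_names - set(addresses)),
        "orphan_address": sorted(set(addresses) - ns_names),
    }
```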
Generate a key for rndc. In order to run rndc, which will let you control named over a separate channel, execute the command:
rndc-confgen -a
This will create /usr/local/isc/etc/rndc.key, which the named.conf is set up to include. Please verify and control the permissions on this file, since anyone who can read this key on this machine could control your nameserver.
Add your nameserver to the list of resolvers. On Unix systems, edit /etc/resolv.conf. Add the following line as the first nameserver entry in the file:
nameserver 127.0.0.1
If you control this file, the entry should be permanent. However, note that on some variants of Unix, networking scripts may modify this file. In that case, you may wish to either alter those scripts or change this file each time after networking changes are made.
If your system does not start up named by default, edit your startup configuration to start /usr/local/isc/sbin/named. Replace references to "named" with "/usr/local/isc/sbin/named" to make sure that this newest version is running, rather than running an older version.
Start up named. Check the system logfile for any messages reflecting a successful start. On Unix, you can use ps to verify that the named process is running. You can also use "rndc status" to verify that the server is running. It will also output some brief status messages.
ISC Technical Support
Internet Systems Consortium
950 Charter Street
Redwood City, CA 94063
US
URI: http://www.isc.org/