HOW TO: Install BIND DNS 9.2 with RNDC Controls

Dymas


I recently got BIND 9.2 compiled and running with RNDC controls under MAC OS X 10.1.3

Since BIND 9.2 uses the new RNDC controls instead of sending HUP signals to named or using ndc, I have written this HOW TO just for BIND 9.2. Please note that the instructions in sections 3 and 4 WILL NOT work with previous versions of BIND (like 8.2). There are plenty of HOW TO's on the net if you need help with those versions.

Please also take note that I wrote this HOW TO to configure BIND to be a master server for a domain. I use this to host my own domain for testing stuff with Apache.

Oh and last thing, make sure you can use "sudo" or you won't get very far in this HOW TO

This whole install and config will take you a long time so block off some time before trying it out

The following HOW TO is split into six sections:

Section 1 - Configure, compile, and install

Section 2 - Creating zone data files

Section 3 - Creating the named conf file

Section 4 - Creating the RNDC config file and generating keys

Section 5 - Starting and controlling the BIND server

Section 6 - Making the BIND server start automatically on system startup

--> Commands are shown in blue
--> Code is shown in red and in quotes
--> Names of files are shown in green
 
------------
SECTION 1 - Configure, compile and install BIND 9.2
------------

1 - Get the software. You can download BIND 9.2.0 from here:

get BIND 9.2 here

2 - unpack the file and move the folder to your root drive

3 - open a terminal window and change directory to the folder.

Type the following:

[localhost:~] baptiste% cd /bind-9.2.0/

4 - Now we start installing the program. First we have to configure the
installer. This step will take some time, you'll see a bunch of
"checking ...." and "creating ...." in the terminal window.

Type the following:

[localhost:/bind-9.2.0] baptiste% sudo ./configure

5 - Now you actually compile the program. *This will take several mins
(up to 30mins)* Your terminal window will spit out many many lines of
text here. Just wait for 15mins or so.

Type the following:

[localhost:/bind-9.2.0] baptiste% sudo make

6 - Now we install the compiled program.

Type the following:

[localhost:/bind-9.2.0] baptiste% sudo make install

7 - All done! Move on to the next section. If you get any error codes
post them and I'll try and help you out.
 
------------
SECTION 2 - Creating Zone data files
------------

1 - Before you can actually start using BIND you have to configure it
with some zone files for it to load.

2 - open a terminal window and create a folder for your zone files

Type the following:

[localhost:/bind-9.2.0] baptiste% sudo mkdir /var/named

Now go to your new folder:

[localhost:/bind-9.2.0] baptiste% cd /var/named

3 - Now let's create some zone files. Your server needs the following files:

Root hints data file: root.hints (sometimes called db.cache)
Loopback address file: db.127.0.0
Forward lookup zone data for your domain: db.mydomain.com (change this to whatever domain name you want to use)
Reverse lookup zone data for your network: db.192.168.1 (change this to match your local subnet)

* If you want a caching-only server you will need to follow this HOW TO
to make the proper zone files:
caching only HOW TO

* If you have no clue what a zone file is, or want to change the names around, check these links:
---> I'll find some good ones soon! <---

4 - Let's create the db.mydomain.com file first:

[localhost:/var/named] baptiste% sudo pico db.mydomain.com

copy the following code:

$TTL 3h

@       IN SOA me.mydomain.com. admin.mydomain.com. (
                1       ; Serial
                3h      ; Refresh after 3 hours
                1h      ; Retry after 1 hour
                1w      ; Expire after 1 week
                1h )    ; Negative caching TTL of 1 hour

;
; Name Servers (the leading whitespace means the owner is still @)
;
        IN NS me.mydomain.com.

;
; Host records
;
localhost       IN A 127.0.0.1
me              IN A 192.168.1.50

;
; CNAME Aliases
;
mp3             IN CNAME me
webtest         IN CNAME me

then press control-o to save it, and control-x to exit pico

5 - Now let's do the reverse lookup file:

[localhost:/var/named] baptiste% sudo pico db.192.168.1

copy the following code:

$TTL 3h

@       IN SOA me.mydomain.com. admin.mydomain.com. (
                1       ; Serial
                3h      ; Refresh after 3 hours
                1h      ; Retry after 1 hour
                1w      ; Expire after 1 week
                1h )    ; Negative caching TTL of 1 hour

;
; Name Servers (the leading whitespace means the owner is still @)
;
        IN NS me.mydomain.com.

;
; PTR records (the owner is the last octet of the address, here 192.168.1.50)
;
50      IN PTR me.mydomain.com.


then press control-o to save it, and control-x to exit pico

6 - Okay now we have to make the loopback address reverse lookup file:

[localhost:/var/named] baptiste% sudo pico db.127.0.0

copy the following code:

$TTL 3h

@       IN SOA me.mydomain.com. admin.mydomain.com. (
                1       ; Serial
                3h      ; Refresh after 3 hours
                1h      ; Retry after 1 hour
                1w      ; Expire after 1 week
                1h )    ; Negative caching TTL of 1 hour

;
; Name Servers (the leading whitespace means the owner is still @)
;
        IN NS me.mydomain.com.

;
; PTR records
;
1       IN PTR localhost.

then press control-o to save it, and control-x to exit pico

7 - Almost there! Last file is the ROOT server hints file. We can get this
file online with a few simple steps. So make sure you are connected to
the internet!

You can use the "dig" command to get one. Running dig with no arguments lists the root servers; then ask one of them for the file. You can replace "@e.root-servers.net" with any server from that list.

[localhost:/var/named] baptiste% dig

[localhost:/var/named] baptiste% dig @e.root-servers.net . ns > root.hints

8 - Wheeh! Okay great that's all the zone files we need. Let's move on to the main config file in the next section.
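As an added sanity check (example code, not part of the original HOW TO): a small Python parser for the zone-file syntax used above, run over constructed copies of the forward and reverse files, that reports every host in the 192.168.1 subnet whose A record has no matching PTR in db.192.168.1. The zone texts are constructed for the example, and the parser only covers the constructs these files use ($TTL, ";" comments, blank-owner lines and a parenthesised SOA).

```python
# Constructed copies of the forward and reverse zone files from this HOW TO.
FORWARD_ZONE = """$TTL 3h
@ IN SOA me.mydomain.com. admin.mydomain.com. (
        1  ; Serial
        3h ; Refresh
        1h ; Retry
        1w ; Expire
        1h ) ; Negative caching TTL
        IN NS me.mydomain.com.
localhost IN A 127.0.0.1
me IN A 192.168.1.50
mp3 IN CNAME me
"""
REVERSE_ZONE = """$TTL 3h
@ IN SOA me.mydomain.com. admin.mydomain.com. ( 1 3h 1h 1w 1h )
        IN NS me.mydomain.com.
50 IN PTR me.mydomain.com.
"""

def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples with owners expanded to FQDNs.
    Handles ';' comments, $TTL, blank-owner lines and a multi-line SOA."""
    records, owner, depth, buf = [], origin, 0, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip() or line.startswith("$"):
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth > 0:                                # still inside SOA parens
            continue
        joined, buf = " ".join(buf), []
        toks = joined.replace("(", " ").replace(")", " ").split()
        if not joined[0].isspace():                  # column 0: a new owner name
            name = toks.pop(0)
            owner = origin if name == "@" else name if name.endswith(".") else name + "." + origin
        if toks[0] == "IN":
            toks.pop(0)
        records.append((owner, toks[0], " ".join(toks[1:])))
    return records

def missing_ptrs(forward, reverse, subnet="192.168.1.", rev_origin="1.168.192.in-addr.arpa."):
    """Every A record inside the subnet needs a matching PTR in the reverse zone."""
    ptrs = {(o, r) for o, t, r in reverse if t == "PTR"}
    return [(o, r) for o, t, r in forward
            if t == "A" and r.startswith(subnet)
            and (r[len(subnet):] + "." + rev_origin, o) not in ptrs]
```

An empty list means the two files agree; each tuple returned names a host you still have to add to the reverse file before bumping its serial.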
 
------------
SECTION 3 - Creating the named conf file
------------

Now we have to write a config file. This is the file BIND uses to figure out what it needs to do and what
files/zones to load.

1 - The file is usually stored in the /etc/ directory.

Type the following:

[localhost:/var/named] baptiste% cd /etc/

2 - Now let's create the file.

Type the following:

[localhost:/etc] baptiste% sudo pico named.conf

copy the following code:

// BIND 9.2 configuration file

//
// Server options
//

options {
    directory "/var/named";
    check-names master ignore;
    pid-file "bind-dns.pid";
};

//
// This calls the rndc key
//

include "/etc/rndc.key";

//
// This controls access to rndc and loads keys
//

controls {
    inet 127.0.0.1 allow { any; } keys { rndc.key; };
};

//
// Forward-lookup Zone Files
//

zone "mydomain.com" IN {
    type master;
    file "db.mydomain.com";
};

//
// REV-lookup Zone Files
//

zone "1.168.192.in-addr.arpa" IN {
    type master;
    file "db.192.168.1";
};

//
// Hints and Local-host rev zone files
//

zone "." IN {
    type hint;
    file "root.hints";
};

zone "0.0.127.in-addr.arpa" IN {
    type master;
    file "db.127.0.0";
};

then press control-o to save it, and control-x to exit pico

3 - A few notes about this file. The way BIND 9.2 works is that it needs to have a matching secret password in both
the named.conf file and another file called the rndc.conf file. You'll notice there is no secret password in the
code above. Instead we are going to use an "include" command to reference the secret password in another file.
I have it set up like this for security reasons. It's a little different than some of the HOW TO's on the
internet.

4 - That's it! Pretty simple huh? Well now it's just getting fun, let's move on to the next section where we'll
learn how to make a RNDC key for controlling our BIND server and how to create the RNDC conf file.
 
------------
SECTION 4 - Creating the RNDC config file and generating keys
------------

1 - First thing to do is create a RNDC config file. It's usually stored in the same place as the named.conf file.

Type the following:

[localhost:/etc] baptiste% sudo pico rndc.conf

copy the following code:

options {
    default-server localhost;
    default-key "rndc.key";
};

server localhost {
    key rndc.key;
};

key "rndc.key" {
    algorithm "hmac-md5";
    secret "XXXXXXXXXXXXXXXXX";
};

then press control-o to save it, and control-x to exit pico

2 - Now we have to generate a secret password to use. This will replace the "XXXXXXXXXXXXXXXXX" stuff in the file above.

In the next command you can replace the -b 56 with a higher number like -b 256 if you want. This is the length of the key in bits.

Type the following:

[localhost:/etc] baptiste% sudo dnssec-keygen -a hmac-md5 -b 56 -n HOST rndc.key

It will tell you to start typing. So mash away at the keyboard in a VERY RANDOM fashion. Stop when it tells you to. Please note the name it prints after you stop typing and the command finishes running.

3 - Cool! Now we have generated a secret password in "hash" form. This means it's all garbled text, which is good. Now
let's open the file and copy the new secret password.

Copy the name the last command (dnssec-keygen) gave you and add ".private" to the end of it.

Type the following:

[localhost:/etc] baptiste% sudo pico Krndc.key.+157+58439.private

You should see this:

Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: tTXEB9RskQ==

do control-x to exit pico

4 - Excellent! Now we have to put this garbled text stuff in two places. The first place is in your rndc.conf file and the second is in a new file that we'll call rndc.key

Type the following:

[localhost:/etc] baptiste% sudo pico rndc.conf

Scroll down to the secret "XXXXXXXXXXXXXXXXX" and replace "XXXXXXXXXXXXXXXXX" with the garbled text you got from Krndc.key.+157+58439.private

then press control-o to save it, and control-x to exit pico

5 - Almost done, I promise! As I said in the last section, we used an "include" command in the named.conf file to read the secret password out of a separate file instead of putting it directly in named.conf. I know it adds a few steps, but I think it's worth it security wise. So now we have to create that separate file, called rndc.key.

Type the following:

[localhost:/etc] baptiste% sudo pico rndc.key

copy the following code:

key "rndc.key" {
    algorithm "hmac-md5";
    secret "XXXXXXXXXXXXXXXXX";
};

Again replace the "XXXXXXXXXXXXXXXXX" with the garbled text you got from Krndc.key.+157+58439.private

then press control-o to save it, and control-x to exit pico
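The copy-and-paste in steps 3 to 5 is where most rndc setups go wrong, so here is an added Python helper (example code, not from the HOW TO or from BIND) that pulls the Key: line out of a constructed copy of the .private file, renders the key stanza that must appear identically in rndc.conf and /etc/rndc.key, and checks that the two files agree before named is started. PRIVATE_FILE is constructed; new_secret() is an assumed alternative to the keyboard-mashing step, sized at the 256 bits the text suggests, and write_key_file() creates the key file readable by its owner only.

```python
import base64, os, re, secrets

# Constructed stand-in for the Krndc.key.+157+58439.private file shown above
# (made-up 7-byte value, the size the -b 56 option in the text produces).
PRIVATE_FILE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: tTXEB9RskQ==
"""

def extract_secret(private_text):
    """Pull the base64 secret out of a dnssec-keygen .private file."""
    for line in private_text.splitlines():
        if line.startswith("Key:"):
            secret = line.split(":", 1)[1].strip()
            base64.b64decode(secret, validate=True)  # reject a mangled copy early
            return secret
    raise ValueError("no Key: line found")

def new_secret(bits=256):
    """Alternative to the keyboard-mashing step: an OS-random key of `bits` bits."""
    return base64.b64encode(secrets.token_bytes(bits // 8)).decode()

def key_stanza(secret, name="rndc.key"):
    """The key {} block that must appear verbatim in both rndc.conf and /etc/rndc.key."""
    return f'key "{name}" {{\n    algorithm "hmac-md5";\n    secret "{secret}";\n}};\n'

def rndc_conf(secret):
    """rndc.conf as laid out in step 1, with the secret filled in."""
    return ('options { default-server localhost; default-key "rndc.key"; };\n'
            'server localhost { key rndc.key; };\n' + key_stanza(secret))

def secrets_match(rndc_conf_text, rndc_key_text):
    """What named and rndc effectively check: the same key name with the same
    secret in both files, otherwise every rndc command is refused."""
    pat = re.compile(r'key\s+"([^"]+)"\s*\{[^}]*secret\s+"([^"]+)"', re.S)
    return pat.findall(rndc_conf_text) == pat.findall(rndc_key_text)

def write_key_file(path, secret):
    """Write the rndc.key file readable by its owner only: the secret is the
    only thing protecting the control channel named listens on."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(key_stanza(secret))
    return path
```

Run secrets_match() over the real /etc/rndc.conf and /etc/rndc.key whenever rndc reports a refused connection; a mismatched name or secret between the two files is the usual cause.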

6 - Okay good job! Now we're done with RNDC and the secret password generation. Let's move on to the next section and start the server!
 
------------
SECTION 5 - Starting and controlling the BIND server
------------

1 - In the last four sections we got our BIND server installed and created a whole bunch of files. Now we are finally ready to put all our
hard work to the test and watch this thing work. First we need to start the server and see if anything is broken. I recommend opening up
the "console.app" to watch for any error messages.

In Finder open the "Applications" folder, then the "Utilities" sub-folder.
Locate the "Console" icon and double-click it.

This will open the "console.log". Scroll all the way down to the end of it.

2 - Back in your terminal window type the following:

[localhost:/etc] baptiste% sudo named

3 - Watch the console window for anything mentioning named. If everything went okay you should get these two lines:

Mar 16 19:03:46 localhost named[5414]: entropy.c:279: unexpected error:
Mar 16 19:03:46 localhost named[5414]: fcntl(10, F_SETFL, 4): Operation not supported by device

This is normal and a documented bug of BSD; it will not affect the operation of your BIND 9.2 server.

4 - Now we're rocking. Let's test it out!

Type the following:

[localhost:/etc] baptiste% rndc status

You should get something like:

number of zones: 5
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running

5 - If we want to reload the server we can type:

[localhost:/etc] baptiste% rndc reload

6 - Other noteworthy commands:

[localhost:/etc] baptiste% rndc flush

this will clear the resolver cache

[localhost:/etc] baptiste% rndc stats

this will write the statistics for your server to a file. You can find the stats
file in /var/named/named.stats

[localhost:/etc] baptiste% rndc halt

stop the DNS server. Use "sudo named" to start it back up

7 - That's about it. RNDC is pretty cool and you can use it to control all your BIND 9.2 servers via telnet.

8 - Now what? Well nothing! It works! If you want your shiny new BIND server to start up when your mac boots, read the next section on how to add it to your StartupItems.
 
------------
SECTION 6 - Making the BIND server start automatically on system startup
------------

1 - So you got your BIND server all setup and everything is running fine. Now let's get this puppy to startup every
time you boot your mac. We are going to create a new StartupItem script to accomplish this. It's pretty simple and
if you've gotten this far why stop now?! :)

2 - First we need to see if you have a StartupItems folder.

open Finder and open the "Library" folder. Check to see if you have a folder called "StartupItems"

3 - If you already have the folder skip to step #4. If not read on! Open a terminal window.

Type the following:

[localhost:/etc] baptiste% sudo mkdir /Library/StartupItems/

4 - Now we create a folder to put the startup script in.

Type the following:

[localhost:/etc] baptiste% sudo mkdir /Library/StartupItems/BIND

5 - Now let's go to the new folder and create two new files.

[localhost:/etc] baptiste% cd /Library/StartupItems/BIND

6 - The first file is the actual script.

Type the following:

[localhost:/Library/StartupItems/BIND] baptiste% sudo pico BIND

copy the following code:

#!/bin/sh

##
# Start DNS server (BIND/named)
##

. /etc/rc.common

if [ "${BIND:=-NO-}" = "-YES-" ]; then

    ConsoleMessage "Starting BIND DNS"

    /usr/local/sbin/named

fi

then press control-o to save it, and control-x to exit pico

7 - Now we have to make it executable since it's a script. Very important or it won't work!

Type the following:

[localhost:/Library/StartupItems/BIND] baptiste% sudo chmod +x BIND

8 - Okay now last file.

Type the following:

[localhost:/Library/StartupItems/BIND] baptiste% sudo pico StartupParameters.plist

copy the following code:

{
    Description = "BIND domain name server";
    Provides = ("DNS");
    Requires = ("Disks", "Resolver", "Desktop DB", "Input Managers");
    OrderPreference = "None";
    Messages =
    {
        start = "Starting BIND DNS server...";
        stop = "Stopping BIND DNS server...";
    };
}

then press control-o to save it, and control-x to exit pico

9 - Cool. We're almost done. One last step. We have to edit the hostconfig file. OS X looks in the file to see
what scripts it should run. The file is stored in /etc

Type the following:

[localhost:/Library/StartupItems/BIND] baptiste% cd /etc

Now edit the file:

[localhost:/etc] baptiste% sudo pico hostconfig

add this line to the end of the file:

BIND=-YES-

then press control-o to save it, and control-x to exit pico

10 - That's it! Go ahead and reboot. Once you log back into OS X you can check to see if BIND is running:

Type the following:

[localhost:~] baptiste% top -ln

and scroll through the list to find a process called named

Or you can type the following:

[localhost:~] baptiste% rndc status


Congrats! :D No more sections...you have survived this HOW TO!
 