
Configure Bind as an Authoritative-Only DNS Server on Ubuntu 14.04

Introduction

DNS, or the Domain Name System, is often a difficult component to get right when learning how to configure websites and servers. While most people will probably opt to use the DNS servers provided by their hosting company or their domain registrar, there are some advantages to creating your own DNS servers.

In this guide, we will discuss how to install and configure the Bind9 DNS server as authoritative-only DNS servers on Ubuntu 14.04 machines. We will set up two Bind servers for our domain in a master-slave configuration.

Prerequisites and Goals

To complete this guide, you will first need to be familiar with some common DNS terminology. Check out this guide to learn about the concepts we will be implementing below.

You will also need at least two servers. One will be for the "master" DNS server where the zone files for our domain will originate, and one will be the "slave" server which will receive the zone data through transfers and be available in the event that the other server goes down. This avoids the danger of having a single point of failure for your DNS servers.

Unlike caching or forwarding DNS servers or a multi-purpose DNS server, authoritative-only servers only respond to iterative queries for the zones that they are authoritative for. This means that if the server does not know the answer, it will just tell the client (usually some kind of resolving DNS server) that it does not know the answer and give a reference to a server that may know more.

Authoritative-only DNS servers are often a good configuration for high performance because they do not have the overhead of resolving recursive queries from clients. They only care about the zones that they are designed to serve.

For the purposes of this guide, we will actually be referencing three servers: the two name servers mentioned above, plus a web server that we want to configure as a host within our zone.

We will use the dummy domain instance.com for this guide. You should replace it with the domain that you are configuring. These are the details of the machines we will be configuring:

Purpose              DNS FQDN             IP address
Master name server   ns1.instance.com.    192.0.2.1
Slave name server    ns2.instance.com.    192.0.2.2
Web server           www.instance.com.    192.0.2.3

After completing this guide, you should have two authoritative-only name servers configured for your domain zones. The names in the middle column of the table above can be used to reach your various hosts. Using this configuration, a recursive DNS server will be able to return data about the domain to clients.

Setting the Hostname on the Name Servers

Before we get into the configuration of our name servers, we must ensure that our hostname is configured properly on both our master and slave DNS server.

Start by examining the /etc/hosts file. Open the file with sudo privileges in your text editor:

sudo nano /etc/hosts

We need to configure this so that it correctly identifies each server's hostname and FQDN. For the master name server, the file will look something like this initially:

127.0.0.1       localhost
127.0.1.1       ns1 ns1
. . .

We should modify the second line to reference our specific host and domain combination and point this to our public, static IP address. We can then add the unqualified name as an alias at the end. For the master server in this example, you would change the second line to this:

127.0.0.1       localhost
192.0.2.1       ns1.instance.com ns1
. . .

Save and close the file when you are finished.

We should also modify the /etc/hostname file to contain our unqualified hostname:

sudo nano /etc/hostname

ns1

We can then read this value into the currently running system by typing:

sudo hostname -F /etc/hostname

We want to complete the same procedure on our slave server.

Begin with the /etc/hosts file:

sudo nano /etc/hosts

127.0.0.1       localhost
192.0.2.2       ns2.instance.com ns2

Save and close the file when you are finished.

Then, modify the /etc/hostname file. Remember to only use the actual host (just ns2 in our example) for this file:

sudo nano /etc/hostname

ns2

Again, read the file to modify the running system:

sudo hostname -F /etc/hostname

Your servers should now have their host definitions set correctly.

Install Bind on Both Name Servers

On each of your name servers, you can now install Bind, the DNS server that we will be using.

The Bind software is available within Ubuntu's default repositories, so we just need to update our local package index and install the software using apt. We will also include the documentation and some common utilities:

sudo apt-get update
sudo apt-get install bind9 bind9utils bind9-doc

Run this installation command on your master and slave DNS servers to acquire the appropriate files.

Configure the Master Bind Server

Now that we have the app installed, we can start by configuring our DNS server on the master server.

Configuring the Options File

The first file that we will configure to get started is the named.conf.options file.

The Bind DNS server is also known as named. The main configuration file is located at /etc/bind/named.conf. This file calls on the other files that we will actually be configuring.

Open the options file with sudo privileges in your editor:

sudo nano /etc/bind/named.conf.options

Below, most of the commented lines have been stripped out for brevity, but in general the file should look like this after installation:

options {
        directory "/var/cache/bind";

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

The main option that we need to configure in this file is recursion. Since we are attempting to set up an authoritative-only server, we do not want to enable recursion on this server. We can turn this off within the options block.

We are also going to default to not allowing transfers. We will override this in individual zone specifications later:

options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

When you are finished, save and close the file.

Configuring the Local File

The next step that we need to take is to specify the zones that we wish this server to control. A zone is any portion of the domain that is delegated for management to a name server and that has not been sub-delegated to other servers.

We are configuring the instance.com domain and we are not going to be sub-delegating responsibility for any section of the domain to other servers. So the zone will cover our whole domain.

To configure our zones, we need to open the /etc/bind/named.conf.local file with sudo privileges:

sudo nano /etc/bind/named.conf.local

This file will initially be empty besides comments. There are other zones that our server knows about for general management, but these are specified in the named.conf.default-zones file.

To start off, we need to configure the forward zone for our instance.com domain. Forward zones are the conventional name-to-IP resolution that most of us think of when we discuss DNS. We create a configuration block that defines the domain zone we wish to configure:

zone "instance.com" {
};

Inside of this block, we add the management information about this zone. We specify the relationship of this DNS server to the zone. This is "master" in this case since we are configuring this machine as the master name server for all of our zones. We also point Bind to the file that holds the actual resource records that define the zone.

We are going to keep our master zone files in a directory called zones within the Bind configuration directory. We will call our file db.instance.com to borrow convention from the other zone files in the Bind directory. Our block will look like this now:

zone "instance.com" {
    type master;
    file "/etc/bind/zones/db.instance.com";
};

We want to allow this zone to be transferred to our slave server, so we need to add a line like this:

zone "instance.com" {
    type master;
    file "/etc/bind/zones/db.instance.com";
    allow-transfer { 192.0.2.2; };
};

Next, we are going to define the reverse zone for our domain.

A Bit About Reverse Zones

If the organization that gave you your IP addresses did not give you a network range and delegate responsibility for that range to you, then your reverse zone file will not be referenced and will be handled by the organization itself.

With hosting providers, the reverse mapping is usually taken care of by the company itself. For example, with F(x) data cloud, reverse mappings for your servers will be automatically created if you use the machine's FQDN as the server name in the control panel. For example, the reverse mappings for this tutorial could be created by naming the servers like this:

[Image: F(x) data cloud auto reverse DNS mapping]

In cases like these, since you have not been allocated a block of addresses to administer, you should use this strategy. The strategy outlined below is covered for completeness and to make it applicable if you have been delegated control over larger groups of contiguous addresses.

Reverse zones are used to connect an IP address back to a domain name. However, the domain name system was designed for the forward mappings originally, so some thought is needed to adapt this to allow for reverse mappings.

The pieces of information that you need to keep in mind to understand reverse mappings are:

  • In a domain, the most specific portion of the address is on the left. For an IP address, the most specific portion is on the right.
  • The most specific part of a domain specification is either a subdomain or a host name. This is defined in the zone file for the domain.
  • Each subdomain can, in turn, contain more subdomains or hosts.

All reverse zone mappings are defined under the special domain in-addr.arpa, which is controlled by the Internet Assigned Numbers Authority (IANA). Under this domain, a tree exists that uses subdomains to map out each of the octets in an IP address. To make sure that the specificity of the IP address mirrors that of normal domains, the octets of the IP address are actually reversed.

So our master DNS server, with an IP address of 192.0.2.1, would be flipped to read as 1.2.0.192. When we add this host specification as a hierarchy existing under the in-addr.arpa domain, the specific host can be referenced as 1.2.0.192.in-addr.arpa.

Since we define individual hosts (like the leading "1" here) within the zone file itself when using DNS, the zone we would be configuring would be 2.0.192.in-addr.arpa. If our network provider has given us a /24 block of addresses, say 192.0.2.0/24, they would have delegated this in-addr.arpa portion to us.

Now that you know how to select the reverse zone name, the actual definition is exactly the same as the forward zone. Below the instance.com zone definition, make a reverse zone for the network you have been given. Again, this is probably only necessary if you were delegated control over a block of addresses:

zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.0.2";
};

We have chosen to name the file db.192.0.2. This is specific about what the zone configures and is more readable than the reverse notation.
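Added example, not from the original guide: a few POSIX sh helpers that derive in-addr.arpa names the way this section describes, generalised from the /24 case to any delegation that falls on an octet boundary (/8, /16, /24). All function names are this example's own, and the hosts at the end are the tutorial's constructed sample.

```shell
#!/bin/sh
# in-addr.arpa naming helpers (added example; function names are our own).
# Handles the three delegations that fall on octet boundaries: /8, /16, /24.
# Anything smaller needs RFC 2317-style delegation and is rejected.

# octets A.B.C.D -> "A B C D"; fails unless there are four octets in 0-255.
# Call it as $(octets ...) so the IFS change stays inside the subshell.
octets() {
    IFS=.; set -- $1
    [ $# -eq 4 ] || return 1
    for o; do
        case $o in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    echo "$1 $2 $3 $4"
}

# reverse_zone NETWORK/PREFIX -> the zone name for named.conf.local,
# e.g. 192.0.2.0/24 -> 2.0.192.in-addr.arpa
reverse_zone() {
    net=${1%/*}; prefix=${1#*/}
    o=$(octets "$net") || { echo "reverse_zone: bad network '$1'" >&2; return 1; }
    set -- $o
    case $prefix in
        8)  hostpart="$2$3$4"; zone="$1.in-addr.arpa" ;;
        16) hostpart="$3$4";   zone="$2.$1.in-addr.arpa" ;;
        24) hostpart="$4";     zone="$3.$2.$1.in-addr.arpa" ;;
        *)  echo "reverse_zone: /$prefix is not on an octet boundary" >&2; return 1 ;;
    esac
    # A network address has all host octets zero: 192.0.2.0, not 192.0.2.5.
    case $hostpart in
        *[!0]*) echo "reverse_zone: $net is not the network address of a /$prefix" >&2; return 1 ;;
    esac
    echo "$zone"
}

# ptr_fqdn IP -> the fully reversed name, e.g. 192.0.2.1 -> 1.2.0.192.in-addr.arpa
ptr_fqdn() {
    o=$(octets "$1") || { echo "ptr_fqdn: bad address '$1'" >&2; return 1; }
    set -- $o
    echo "$4.$3.$2.$1.in-addr.arpa"
}

# ptr_owner IP NETWORK/PREFIX -> the relative owner name written in that zone's
# file: 192.0.2.1 in 192.0.2.0/24 -> 1, in 192.0.0.0/16 -> 1.2.
# Fails when the address lies outside the delegated block.
ptr_owner() {
    fqdn=$(ptr_fqdn "$1") || return 1
    zone=$(reverse_zone "$2") || return 1
    case $fqdn in
        *".$zone") echo "${fqdn%".$zone"}" ;;
        *) echo "ptr_owner: $1 is not inside $2" >&2; return 1 ;;
    esac
}

# ptr_records NETWORK/PREFIX IP=FQDN... -> PTR lines in the layout used on this page
ptr_records() {
    cidr=$1; shift
    for pair in "$@"; do
        owner=$(ptr_owner "${pair%%=*}" "$cidr") || return 1
        printf '%-8sIN      PTR     %s\n' "$owner" "${pair#*=}"
    done
}

# Constructed sample: the tutorial's /24 and its three hosts.
reverse_zone 192.0.2.0/24
ptr_records 192.0.2.0/24 192.0.2.1=ns1.instance.com. \
    192.0.2.2=ns2.instance.com. 192.0.2.3=www.instance.com.
```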

Save and close the file when you are finished.

Create the Forward Zone File

We have told Bind about our forward and reverse zones now, but we have not yet created the files that will define these zones.

If you recall, we specified the file locations as being within a directory called zones. We need to create this directory:

sudo mkdir /etc/bind/zones

Now, we can use some of the pre-existing zone files in the Bind directory as templates for the zone files we want to create. For the forward zone, the db.local file will be close to what we need. Copy that file into the zones directory with the name used in the named.conf.local file:

sudo cp /etc/bind/db.local /etc/bind/zones/db.instance.com

While we are doing this, we can copy a template for the reverse zone as well. We will use the db.127 file, since it's a close match for what we need:

sudo cp /etc/bind/db.127 /etc/bind/zones/db.192.0.2

Now, open the forward zone file with sudo privileges in your text editor:

sudo nano /etc/bind/zones/db.instance.com

The file will look like this:

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              2         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1

The first thing we need to do is modify the SOA (start of authority) record that starts with the first @ symbol and continues until the closing parenthesis.

We need to replace the localhost. with the FQDN of this machine. This part of the record is used to define the name server that will respond authoritatively for the zone being defined. This will be the machine we are configuring now, ns1.instance.com. in our case (notice the trailing dot. This is essential for our entry to register correctly!).

We also want to change the next item, which is actually a specially formatted email address with the @ replaced by a dot. We want our emails to go to an administrator of the domain, so the conventional email is admin@instance.com. We would translate this so it looks like admin.instance.com.:

@       IN      SOA     ns1.instance.com. admin.instance.com. (

The next item we need to edit is the serial number. The value of the serial number is how Bind tells if it needs to send updated information to the slave server.

Note: Failing to increment the serial number is one of the most common mistakes that leads to issues with zone updates. Each time you make an edit, you must bump the serial number.

One common practice is to use a convention for incrementing the number. One approach is to use the date in YYYYMMDD format along with a revision number for the day appended onto the end. So the first revision made on June 05, 2014 could have a serial number of 2014060501 and a change made later that day could have a serial number of 2014060502. The value can be a 10 digit number.

It is worth adopting a convention for ease of use, but to keep things simple for our demonstration, we will just set ours to 5 for now:

@       IN      SOA     ns1.instance.com. admin.instance.com. (
                              5         ; Serial
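Added example, not from the original guide: POSIX sh helpers that apply the YYYYMMDDnn convention above to a zone file and refuse the two mistakes that break transfers (a serial that does not grow, and a 100th same-day revision). Function names are this example's own; it assumes the layout shown on this page, with the serial on its own line inside the SOA parentheses.

```shell
#!/bin/sh
# Zone serial helpers (added example; function names are our own).

# bump_serial CURRENT [TODAY]: print the serial for an edit made TODAY (YYYYMMDD,
# default: current UTC date). A serial from an earlier date, or a plain counter
# such as 5, restarts at TODAY01; a same-day serial gets its revision incremented.
bump_serial() {
    cur=$1; today=${2:-$(date -u +%Y%m%d)}
    case $cur in
        ''|*[!0-9]*) echo "bump_serial: '$cur' is not a number" >&2; return 1 ;;
        "$today"[0-9][0-9])
            rev=${cur#"$today"}; rev=$(( ${rev#0} + 1 ))
            [ "$rev" -le 99 ] || { echo "bump_serial: 99 revisions used on $today" >&2; return 1; }
            new=$(printf '%s%02d' "$today" "$rev") ;;
        *)  new="${today}01" ;;
    esac
    # Slaves only transfer when the serial grows (RFC 1982 serial arithmetic), so
    # never hand back a value that is not larger than the current one.
    [ "$new" -gt "$cur" ] || { echo "bump_serial: $cur already >= $new (clock skew?)" >&2; return 1; }
    echo "$new"
}

# zone_serial FILE: print the SOA serial, i.e. the third field after the SOA
# keyword once comments and parentheses are ignored.
zone_serial() {
    awk '{ sub(/;.*/, "") }
         { for (i = 1; i <= NF; i++) {
               if ($i == "(" || $i == ")") continue
               if (insoa) { if (++k == 3) { print $i; exit } }
               else if ($i == "SOA") insoa = 1 } }' "$1"
}

# set_zone_serial FILE NEW: rewrite the serial in place, keeping spacing and
# comments. Refuses a value that does not increase the serial, and a file whose
# serial shares its line with other fields.
set_zone_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || { echo "set_zone_serial: no SOA record in $1" >&2; return 1; }
    [ "$2" -gt "$old" ] || { echo "set_zone_serial: $2 is not larger than $old" >&2; return 1; }
    awk -v new="$2" '
        { code = $0; sub(/;.*/, "", code); n = split(code, t, /[ \t]+/); cnt = 0
          for (i = 1; i <= n; i++) {
              if (t[i] == "" || t[i] == "(" || t[i] == ")") continue
              cnt++
              if (done) continue
              if (insoa) { if (++k == 3) hit = done = 1 }
              else if (t[i] == "SOA") insoa = 1 }
          if (hit) {
              if (cnt != 1) { print "serial is not on its own line" > "/dev/stderr"; exit 2 }
              sub(/[0-9]+/, new); hit = 0 }     # the only field on this line is the serial
          print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1" || { rm -f "$1.tmp"; return 1; }
}

# write_sample_zone FILE: constructed copy of the SOA block from above (serial 5).
write_sample_zone() {
    cat > "$1" <<'EOF'
$TTL    604800
@       IN      SOA     ns1.instance.com. admin.instance.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
@       IN      NS      ns1.instance.com.
EOF
}

# Demo on a scratch copy: 5 becomes today's first revision.
f=$(mktemp) && write_sample_zone "$f"
set_zone_serial "$f" "$(bump_serial "$(zone_serial "$f")")"
echo "serial is now $(zone_serial "$f")"; rm -f "$f"
```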

Next, we can get rid of the last three lines in the file (the records at the bottom that start with @) as we will be making our own.

The first thing we want to establish after the SOA record are the name servers for our zone. We specify the domain and then our two name servers that are authoritative for the zone, by name. Since these name servers will be hosts within the domain itself, it will look a bit self-referential.

For our guide, it will look like this. Again, pay attention to the ending dots!:

; Name servers
instance.com.    IN      NS      ns1.instance.com.
instance.com.    IN      NS      ns2.instance.com.

Since the purpose of a zone file is mainly to map host names and services to specific addresses, we are not done yet. Any software reading this zone file is going to want to know where the ns1 and ns2 servers are in order to access the authoritative zones.

So next, we need to create the A records that will associate these name server names with the actual IP addresses of our name servers:

; A records for name servers
ns1             IN      A       192.0.2.1
ns2             IN      A       192.0.2.2

Now that we have the A records to successfully resolve our name servers to their correct IP addresses, we can add any additional records. Remember, we have a web server on one of our hosts that we want to use to serve our site. We will point requests for the general domain (instance.com in our case) to this host, as well as requests for the www host. It will look like this:

; Other A records
@               IN      A       192.0.2.3
www             IN      A       192.0.2.3

You can add any additional hosts that you need to define by creating more A records. Reference our DNS basics guide to get familiar with some of your options for creating additional records.

When you are finished, your file should look something like this:

$TTL    604800
@       IN      SOA     ns1.instance.com. admin.instance.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

; Name servers
instance.com.    IN      NS      ns1.instance.com.
instance.com.    IN      NS      ns2.instance.com.

; A records for name servers
ns1             IN      A       192.0.2.1
ns2             IN      A       192.0.2.2

; Other A records
@               IN      A       192.0.2.3
www             IN      A       192.0.2.3

Save and close the file when you are finished.

Create the Reverse Zone File

Now, we have the forward zone configured, but we need to set up the reverse zone file that we specified in our configuration file. We already created the file at the beginning of the last section.

Open the file in your text editor with sudo privileges:

sudo nano /etc/bind/zones/db.192.0.2

The file should look like this:

$TTL    604800
@       IN      SOA     localhost. root.localhost. (
                              1         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      localhost.
1.0.0   IN      PTR     localhost.

We will go through much of the same procedure as we did with the forward zone. First, modify the domain name, the admin email, and the serial number to match exactly what you had in the last file (the serial number can be different, but should be incremented):

@       IN      SOA     ns1.instance.com. admin.instance.com. (
                              5         ; Serial

Again, remove the lines under the closing parenthesis of the SOA record. We will be taking the last octet of each IP address in our network range and mapping it back to that host's FQDN using a PTR record. Each IP address should only have a single PTR record to avoid problems in some software, so you must select the one host name you wish to reverse map to.

For example, if you have a mail server set up, you probably want to set up the reverse mapping to the mail name, since many systems use the reverse mapping to validate addresses.

First, we need to set our name servers again:

; Name servers
        IN      NS      ns1.instance.com.
        IN      NS      ns2.instance.com.

Next, you will use the last octet of the IP address you are referring to and point that back to the fully qualified domain name you want to return. For our example, we will use this:

; PTR Records
1       IN      PTR      ns1.instance.com.
2       IN      PTR      ns2.instance.com.
3       IN      PTR      www.instance.com.

When you are finished, the file should look something like this:

$TTL    604800
@       IN      SOA     ns1.instance.com. admin.instance.com. (
                              5         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;

; Name servers
        IN      NS      ns1.instance.com.
        IN      NS      ns2.instance.com.

; PTR records
1       IN      PTR      ns1.instance.com.
2       IN      PTR      ns2.instance.com.
3       IN      PTR      www.instance.com.

Save and close the file when you are finished.

Testing the Files and Restarting the Service

The configuration for the master server is now complete, but we still need to implement our changes.

Before we restart our service, we should test all of our configuration files to make sure that they're configured correctly. We have some tools that can check the syntax of each of our files.

First, we can check the named.conf.local and named.conf.options files by using the named-checkconf command. Since both of these files are sourced by the skeleton named.conf file, it will test the syntax of the files we modified.

sudo named-checkconf

If this returns without any messages, it means that the named.conf.local and named.conf.options files are syntactically valid.

Next, you can check your individual zone files by passing the domain that the zone handles and the zone file location to the named-checkzone command. So for our guide, you could check the forward zone file by typing:

sudo named-checkzone instance.com /etc/bind/zones/db.instance.com

If your file has no problems, it should tell you that it loaded the correct serial number and give the "OK" message:

zone instance.com/IN: loaded serial 5
OK

If you run into any other messages, it means that you have a problem with your zone file. Usually, the message is quite descriptive about which portion is invalid.

You can check the reverse zone by passing the in-addr.arpa address and the file name. For our demonstration, we would type this:

sudo named-checkzone 2.0.192.in-addr.arpa /etc/bind/zones/db.192.0.2

Again, this should give you a similar message about loading the correct serial number:

zone 2.0.192.in-addr.arpa/IN: loaded serial 5
OK

If all of your files are checking out, you can restart your Bind service:

sudo service bind9 restart

You should check the logs by typing:

sudo tail -f /var/log/syslog

Keep an eye on this log to make sure that there are no errors.
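Added example, not from the original guide: a small pre-restart check that runs the two Bind tools above over every master zone listed in named.conf.local, so a typo in one zone file is caught before the service is restarted. master_zones, check_zones and write_sample_conf are this example's own names; it assumes one directive per line inside each zone block, as in the configuration on this page.

```shell
#!/bin/sh
# Pre-restart zone check (added example; function names are our own,
# named-checkconf and named-checkzone are the Bind tools used above).

# master_zones CONF: print "ZONE FILE" for every zone block of type master.
# Slave zones are skipped: their files only exist after a successful transfer.
master_zones() {
    awk '
        /^[ \t]*zone[ \t]+"/ { z = $0; sub(/^[^"]*"/, "", z); sub(/".*/, "", z); t = f = "" }
        /^[ \t]*type[ \t]+/  { t = $2; sub(/;.*/, "", t) }
        /^[ \t]*file[ \t]+"/ { f = $0; sub(/^[^"]*"/, "", f); sub(/".*/, "", f) }
        /^[ \t]*};/ && z != "" { if (t == "master" && f != "") print z, f; z = "" }
    ' "$1"
}

# check_zones [CONF]: named-checkconf, then named-checkzone for each master zone.
# Non-zero on the first problem, so it can gate the restart:
#     check_zones && sudo service bind9 restart
check_zones() {
    conf=${1:-/etc/bind/named.conf.local}
    named-checkconf || return 1
    master_zones "$conf" | while read -r zone file; do
        # a relative file name is resolved against the options "directory"
        case $file in /*) ;; *) file="/var/cache/bind/$file" ;; esac
        named-checkzone "$zone" "$file" || exit 1   # exits the pipeline subshell
    done
}

# write_sample_conf FILE: constructed named.conf.local with the two master zones
# from this page plus a slave zone that must be skipped.
write_sample_conf() {
    cat > "$1" <<'EOF'
zone "instance.com" {
    type master;
    file "/etc/bind/zones/db.instance.com";
    allow-transfer { 192.0.2.2; };
};
zone "2.0.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/db.192.0.2";
};
zone "other.test" {
    type slave;
    file "db.other.test";
    masters { 192.0.2.1; };
};
EOF
}

# Demo: list what check_zones would test, without needing Bind installed.
c=$(mktemp) && write_sample_conf "$c" && master_zones "$c"; rm -f "$c"
```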

Configure the Slave Bind Server

Now that we have the master server configured, we can go ahead and get the slave server set up. This will be significantly simpler than the master server.

Configuring the Options File

Again, we will begin with the named.conf.options file. Open it with sudo privileges in your text editor:

sudo nano /etc/bind/named.conf.options

We will make the same exact modifications to this file that we made to our master server's file:

options {
        directory "/var/cache/bind";
        recursion no;
        allow-transfer { none; };

        dnssec-validation auto;

        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
};

Save and close the file when you are finished.

Configuring the Local Configuration File

Next, we will configure the named.conf.local file on the slave server. Open it with sudo privileges in your text editor:

sudo nano /etc/bind/named.conf.local

Here, we will create each of our zone specifications like we did on our master server. However, the type and some of the parameters will be different.

First, we will work on the forward zone. Start it off the same way that you did in the master file:

zone "instance.com" {
};

This time, we are going to set the type to slave since this server is acting as a slave for this zone. This simply means that it receives its zone files through transfer rather than from a file on the local system. Additionally, we are just going to specify the relative name instead of the full path to the zone file.

The reason for this is that, for slave zones, Bind stores the files in /var/cache/bind. Bind is already configured to look in this directory location, so we do not need to specify the path.

For our forward zone, these details will look like this:

zone "instance.com" {
    type slave;
    file "db.instance.com";
};

Finally, instead of the allow-transfer directive, we will specify the master servers, by IP address, that this server will accept zone transfers from. This is done in a directive called masters:

zone "instance.com" {
    type slave;
    file "db.instance.com";
    masters { 192.0.2.1; };
};

This completes our forward zone specification. We can use this same specific format to take care of our reverse zone specification:

zone "2.0.192.in-addr.arpa" {
    type slave;
    file "db.192.0.2";
    masters { 192.0.2.1; };
};

When you are finished, you can save and close the file.

Testing the Files and Restarting the Service

We do not actually have to do any of the zone file creation on the slave machine because, as we mentioned before, this server will receive the zone files from the master server. So we are ready to test.

Again, we should check the configuration file syntax. Since we don't have any zone files to check, we only need to use the named-checkconf tool:

sudo named-checkconf

If this returns without any errors, it means that the files you modified have no syntax errors.

If this is the case, you can restart your Bind service:

sudo service bind9 restart

Check the logs on both the master and slave server using:

sudo tail -f /var/log/syslog

You should see some entries that indicate that the zone files have been transferred correctly.

Delegate Authority to your Name Servers

Your authoritative-only name servers should now be completely configured. However, you still need to delegate authority for your domain to your name servers.

To do this, you will have to go to the website where you bought your domain name. The interface and perhaps the terminology will be different depending on the domain name registrar that you used.

In your domain settings, look for an option that will allow you to specify the name servers you wish to use. Since our name servers are within our domain, this is a special case.

Instead of the registrar simply delegating authority for the zone through the use of NS records, it will need to create a glue record. A glue record is an A record that specifies the IP address for the name servers after it specifies the name servers that it is delegating authority to.

Usually, the delegation only lists the name servers that will handle the authority of the domain, but when the name servers are within the domain itself, an A record is needed for the name servers in the parent zone. If this didn't happen, DNS resolvers would get stuck in a loop because they would never be able to find the IP address of the domain's name servers to follow the delegation path.

So you need to find a portion of your domain registrar's control panel that allows you to specify name servers and their IP addresses.

As an example, the registrar NameCheap has two different name server sections.

There is a section called "Nameserver Registration" that allows you to specify the IP addresses for name servers within your domain:

[Image: NameCheap register name servers]

Inside, you will be able to input the IP addresses of the name servers that exist within the domain:

[Image: NameCheap internal name server]

This will create the A records that serve as the glue records you need in the parent zone file.

After you've done this, you should be able to change the active name servers to your domain's servers. In NameCheap, this is done using the "Domain Name Server Setup" menu option:

[Image: NameCheap domain name setup]

Here, you can tell it to use the name servers you added as the authoritative servers for your site:

[Image: NameCheap use name servers]

The changes might take a while to propagate, but you should see the data from your name servers being used within the next 24-48 hours for most registrars.

Conclusion

You should now have two authoritative-only DNS servers configured to serve your domains. These can be used to store zone information for additional domains as you acquire more.

Configuring and managing your own DNS servers gives you the most control over how the DNS records are handled. You can make changes and be sure that all relevant pieces of DNS data are up-to-date at the source. While other DNS solutions may make this process easier, it is important to know that you have options and to understand what is happening in more packaged solutions.

Reference: digitalocean