
Ubuntu DNS Server Guide - BIND Master Server Setup

In a previous post I walked you through the installation of BIND9 (Berkeley Internet Name Daemon Version 9) on Ubuntu (currently Hardy Heron 8.04) and configuring the installation to function as a caching name server on your local area network (LAN). Caching DNS records on a local server will hopefully boost your network's performance. That is great, but you probably want your private DNS server to actually help manage the machines on your LAN by maintaining host records and serving those records. Here I show you how to set up a BIND master server to do just that.

Makeup of A Fictional Domain

Here we will consider the set up of a fictional domain named mydomain.lan on a restricted network (i.e., a LAN located behind a firewall) using the 192.168.1.0 subnet. The domain will have 4 hosts with the following addresses, names, and roles.

IP Address         hostname     role                alias
192.168.1.99       john         DNS/mail server
192.168.1.50       paul         web server          www
192.168.1.51       george       workstation
192.168.1.52       ringo        workstation

Note that the web server is configured with the alias www (a CNAME record pointing at paul) so that one can navigate to it using www.mydomain.lan in addition to paul and paul.mydomain.lan. Of course your domain will vary in makeup and function from the one considered here, but you should be able to modify the following configuration to suit your needs.



Configure Zones on BIND

Ubuntu installs BIND with a configuration file /etc/bind/named.conf that suits most home office and small business needs and does not need to be modified. Instead you will create your local DNS "zone" by editing /etc/bind/named.conf.local, which is included by named.conf. Open this file with a text editor of your choice (I use vi here).

sudo vi /etc/bind/named.conf.local

Ignore the commented areas and add a zone definition for your domain to this file.

zone "mydomain.lan" IN {
    type master;
    file "/etc/bind/zones/mydomain.lan.db";
};

Add a reverse DNS zone definition as well. This will allow the server to map IP addresses to domain names.

zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.1.168.192.in-addr.arpa";
};

Create DNS Records

The zone definitions in the previous section refer to files that will contain details about our network mapping. The mydomain.lan.db file will contain records of the hostname-to-IP address mappings of your domain. The rev.1.168.192.in-addr.arpa file will contain “reverse” IP address-to-hostname records. Make a directory to hold these files and open mydomain.lan.db.

sudo mkdir /etc/bind/zones
sudo vi /etc/bind/zones/mydomain.lan.db

For the fictitious domain considered here mydomain.lan.db is edited to look like the following.

; Use semicolons to add comments.
; Host-to-IP Address DNS Pointers for mydomain.lan
; Note: The extra "." at the end of fully qualified names is important.
; $TTL sets the default time-to-live for records that do not carry their own
; (BIND 9 warns if it is missing and falls back to the SOA minimum).
$TTL 1D
; The following parameters set when DNS records will expire, etc.
; Importantly, the serial number must always be incremented after every edit;
; secondary servers only transfer the zone when it increases. A good format
; to use is YYYYMMDDI where the I index is in case you make more than one
; change in the same day.
mydomain.lan. IN SOA john.mydomain.lan. hostmaster.mydomain.lan. (
    200709131 ; serial
    8H ; refresh
    4H ; retry
    4W ; expire
    1D ; minimum
)
; NS indicates that john is the name server on mydomain.lan
; MX indicates that john is (also) the mail server on mydomain.lan
mydomain.lan. IN NS john.mydomain.lan.
mydomain.lan. IN MX 10 john.mydomain.lan.
; Set an alias (CNAME) www that points at paul
www IN CNAME paul.mydomain.lan.
; Set the address for localhost.mydomain.lan
localhost    IN A 127.0.0.1
; Set the hostnames in alphabetical order
george       IN A 192.168.1.51
john         IN A 192.168.1.99
paul         IN A 192.168.1.50
ringo        IN A 192.168.1.52

After creating the reverse DNS record file

sudo vi /etc/bind/zones/rev.1.168.192.in-addr.arpa

it is edited to look like the following.

; IP Address-to-Host DNS Pointers for 192.168.1.0 subnet
$TTL 1D
@ IN SOA john.mydomain.lan. hostmaster.mydomain.lan. (
    200709131 ; serial
    8H ; refresh
    4H ; retry
    4W ; expire
    1D ; minimum
)
; define the authoritative name server. The leading @ stands for the zone
; origin (1.168.192.in-addr.arpa.); without it (or leading whitespace) BIND
; reads "IN" as the host name and the NS record is not recognized.
@         IN NS john.mydomain.lan.
; our hosts, in numeric order
50        IN PTR paul.mydomain.lan.
51        IN PTR george.mydomain.lan.
52        IN PTR ringo.mydomain.lan.
99        IN PTR john.mydomain.lan.

Of course, your DNS records will look different from those above, but hopefully by using these configurations as templates you can customize the files to your domain. To bring your authoritative DNS server up, restart BIND.

sudo /etc/init.d/bind9 restart

Test your DNS server by typing dig mydomain.lan at the command prompt. All of the hosts on your local network should appear under AUTHORITY SECTION in the output of this command. If you believe that something can be added to this guide to improve it, please do not hesitate to leave relevant comments below.
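Before restarting it pays to cross-check the two zone files against each other. The following Python script is an added example written for this page, not part of the guide or of BIND; parse_zone and audit are names chosen here, and the embedded zone text is a constructed copy of the records above. It flags the mistakes noted on this page: an NS line whose "IN" becomes the owner name when the leading @ or space is missing, a target name without its trailing dot, a name server with no A record, and a host with no matching PTR.

```python
# Constructed copies of the guide's two zone files, used here as sample input.
FORWARD = """\
mydomain.lan. IN SOA john.mydomain.lan. hostmaster.mydomain.lan. (
    200709131 8H 4H 4W 1D )  ; serial refresh retry expire minimum
mydomain.lan. IN NS john.mydomain.lan.
www IN CNAME paul.mydomain.lan.
george IN A 192.168.1.51
john IN A 192.168.1.99
paul IN A 192.168.1.50
ringo IN A 192.168.1.52
"""
REVERSE = """\
@ IN SOA john.mydomain.lan. hostmaster.mydomain.lan. ( 200709131 8H 4H 4W 1D )
@ IN NS john.mydomain.lan.
50 IN PTR paul.mydomain.lan.
51 IN PTR george.mydomain.lan.
52 IN PTR ringo.mydomain.lan.
99 IN PTR john.mydomain.lan.
"""

def parse_zone(text, origin):
    """(owner, type, rdata) triples; handles ';' comments, '( )' spans, $ directives, owner inheritance."""
    records, owner, buf = [], None, ""
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() or line.startswith("$"):
            continue
        buf = f"{buf} {line}" if buf else line
        if buf.count("(") > buf.count(")"):
            continue  # SOA fields continue on the next line
        fields = buf.replace("(", " ").replace(")", " ").split()
        if not buf[0].isspace():  # a blank owner field repeats the previous owner
            owner = fields.pop(0)
        owner = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        if fields[0] == "IN":
            fields.pop(0)
        records.append((owner, fields[0], fields[1:]))
        buf = ""
    return records
def audit(forward, reverse, origin, rev_origin):
    """Flag the mistakes this guide and its comments warn about."""
    fwd, rev, bad = parse_zone(forward, origin), parse_zone(reverse, rev_origin), []
    a = {o: r[0] for o, t, r in fwd if t == "A"}
    ptr = {o: r[0] for o, t, r in rev if t == "PTR"}
    for o, t, r in fwd + rev:
        if o.startswith("IN."):  # 'IN NS ...' written with no '@' or leading space
            bad.append(f"{t} line: 'IN' was parsed as the owner name")
        elif t in ("NS", "MX", "CNAME", "PTR") and not r[-1].endswith("."):
            bad.append(f"{o} {t} {r[-1]}: missing trailing dot, origin gets appended")
        elif t == "NS" and r[0].endswith(origin) and r[0] not in a:
            bad.append(f"NS {r[0]}: no A record for the name server")
    for name, ip in a.items():  # each host address needs a matching PTR
        arpa = ".".join(reversed(ip.split("."))) + ".in-addr.arpa."
        if ptr.get(arpa) != name:
            bad.append(f"{name} A {ip}: no matching PTR in {rev_origin}")
    return bad
```

On the server itself, named-checkconf and named-checkzone mydomain.lan /etc/bind/zones/mydomain.lan.db give BIND's own verdict on the syntax before you restart it.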


Update, Oct. 24, 2007: Ubuntu 7.10 has been released and is receiving great reviews.

Update, May 5, 2008: Updated for Ubuntu 8.04 Hardy Heron.





Viewing 23 Comments

    But if we don't have a static IP for our DNS setting, and we are using dyndns.com,
    then how do we have to solve it?
    I can't help it but even this isn't working. I have tried multiple how-tos on BIND. But for some reason I just can't get my configured DNS to resolve anything.

    I have noticed however that when I dig mydomain. I don't get an "ANSWER SECTION".
    It does cache the website, because when I dig another site the query time is 0.

    OK, anybody any ideas?
    I have been working for 2 days without sleep...
    Hi, I'm Jhon. I can't set up my server because I don't know how to set up the Ubuntu server. Can you help me please?
    Thanks a lot! My installation of bind9 worked out of the box with your guide. A home DNS may not be the most necessary thing in life but it's pretty neat. -Arto
    I've been following your tutorials, from setting up LAMP to configuring a DNS caching nameserver, and everything has gone great so far. This tutorial (DNS server guide, BIND master server setup), however, has me scratching my head.

    In the first section, making up a fictional domain, where did you get all those IP addresses for the hosts? Are they static IP addresses assigned to the other machines? If they are, is it necessary to set a static IP on all machines on the network? How would I go about setting it up where only the server has a static IP and the other machines still use DHCP-assigned IP addresses?

    Thank you, great work, I love Ubuntu
    Thanks for your EXTENSIVE help with this [inexplicably complex] subject. I just wanted to highlight the fact that I spent a long time finding out that you MUST have a SPACE before the "IN NS john.mydomain.lan." entry in the Reverse DNS config file (in your example: "/etc/bind/zones/rev.1.168.192.in-addr.arpa").
    Without that space in there, it doesn't recognize the NS entry, and it all goes to .... at that point. Thanks again for this great summary.

    Don
    FYI, cutting and pasting from the web page to your own config files will give you "smart quotes" instead of the literal quote created from shift+comma. This will prevent BIND from starting; just something to be aware of. :)

    Thanks again for the succinct how-tos.
    @bayu - Thanks for the note on listing all registered domains on the local DNS server
    Hi Sam,

    Thanks for your previous answer.

    Another note/question:
    In the last paragraph on checking DNS, you said that "dig mydomain.lan" will show all of the hosts in the AUTHORITY SECTION.
    I think the authority section only shows the "authoritative name server" of the "mydomain.lan" domain, thus NOT all of the hosts on our local network (registered on our local DNS).

    If we want to show all the hosts registered on the mydomain.lan local DNS server, we can use the command: host -l mydomain.lan.

    CMIIW.

    Thanks,
    [bayu]
    @bayu - I would use the hostmaster.mydomain.lan version of this line. I am not sure why someone would use root instead.
    Hi,

    On the two lines below:
    ===
    mydomain.lan. IN SOA john.mydomain.lan. hostmaster.mydomain.lan.

    mydomain.lan. IN SOA john.mydomain.lan. root.mydomain.lan.
    ===

    What is the difference between "hostmaster.mydomain.lan" and "root.mydomain.lan", which some tutorials put there?
    Should the "root" hostname be there (exist on the network)?

    Thanks,
    @Zinv - I don't think I understand your predicament completely but as I was reading your comment I thought that perhaps you can get requests to your other two domain names (with unique IP addresses on your VPN) to be forwarded to your primary domain via a php redirect or using your .htaccess file. This may be easier than trying to configure your own DNS server.
    I've been looking all over the place for a tut/guide that can help me with resolving multiple domain names to my server. I have a few names registered with godaddy. My VPS provider gives me 3 IP addresses. I initially set up only one IP that my webserver would be listening on. I've successfully forwarded my primary domain over to the server and can access it. BTW, the name servers I supplied godaddy were the two from my VPS provider.

    I'm stuck when it comes to forwarding my other domain names to my server. I figured I'd have to set up my own DNS server on the box using my 3rd IP. I've gone through all the similar guides but haven't had any luck. BIND is installed correctly with no errors, but my issue is how I go about having my names point to my new DNS server. I went to godaddy and tried to supply the IP (the 3rd IP) of my new DNS server but for some reason it didn't like taking the standard IP convention. It likes NS1.xxx.com, NS2.xxx.com, etc.

    I've created separate zones for the other domains, but for some reason they're not resolving. When I dig I get a response, but I also see SERVFAIL.

    Any ideas on where to start my troubleshooting will be appreciated. Thanks.
    Thank you, you help the world by your knowledge.
    @Daniel - Yikes, I am afraid I can't give you a good answer. The best I can do is point you to this page, which has extensive BIND9 DNS server manuals. Good Luck.
    What do I need to do if I have the DNS server on a different subnet than the clients?

    Daniel
    @Wilfried van Hulzen - The first thing that comes to mind is that maybe your primary DNS server in your /etc/resolv.conf file is not configured correctly. It may be pointing to some other DNS server than the one you just set up. I believe host and nslookup will work from the terminal (because they are BIND commands) even if your DNS server is not configured correctly in your network configuration files. However, the DNS server has to be specified in /etc/resolv.conf in order for a web browser to find www.hostname.local. If this doesn't work, write back and I will think about this some more.
    @Lloyd Strickler - I've given your comment some time and I am clueless. Sorry I can't be more useful. I'll think about it later and see if I can figure out your troubles.
    In switching from another distribution to Ubuntu I have a strange DNS problem. I have 2 systems, one stable, configured years ago, based on Slackware, and a fresh system replacing a broken (also Slackware configured) system. For the new one I decided on Ubuntu. I configured bind as I had before, basically mirroring existing DNS configs. All matches your description above, except of course for names. I use a local domain name eregion.local (localnet) with an A-record host 'osgiliath' and a 'www' CNAME alias for that host.

    Bind seems fine with this: 'host' and 'nslookup' both give proper responses to queries.

    Now the strange part: when I try to ping www.eregion.local I get unknown host. When I point lynx or firefox to this host, they take some time trying names and I end up on some site on the public internet, www.eregion.local.com, that happens to exist with a close match in name. The equivalent config on the old Slackware system works properly as I would expect.

    What can cause this?
    Thanks for the articles.

    I was not able to get this one to work though, I probably screwed something up. Please help me figure out where I went wrong.

    named.conf file minus the rndc-key section
    // This is the primary configuration file for the BIND DNS server named.
    //
    // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
    // structure of BIND configuration files in Debian, *BEFORE* you customize
    // this configuration file.
    //
    // If you are just adding zones, please do that in /etc/bind/named.conf.local

    include "/etc/bind/named.conf.options";

    // prime the server with knowledge of the root servers
    zone "." {
    type hint;
    file "/etc/bind/db.root";
    };

    // be authoritative for the localhost forward and reverse zones, and for
    // broadcast zones as per RFC 1912

    zone "localhost" {
    type master;
    file "/etc/bind/db.local";
    };

    zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
    };

    zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
    };

    zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
    };

    // zone "com" { type delegation-only; };
    // zone "net" { type delegation-only; };

    // From the release notes:
    // Because many of our users are uncomfortable receiving undelegated answers
    // from root or top level domains, other than a few for whom that behaviour
    // has been trusted and expected for quite some length of time, we have now
    // introduced the "root-delegations-only" feature which applies delegation-only
    // logic to all top level domains, and to the root domain. An exception list
    // should be specified, including "MUSEUM" and "DE", and any other top level
    // domains from whom undelegated responses are expected and trusted.
    // root-delegation-only exclude { "DE"; "MUSEUM"; };

    include "/etc/bind/named.conf.local";
    server 68.105.29.12 {
    };
    server 68.105.28.12 {
    };
    server 68.105.28.11 {
    };

    named.conf.options file
    options {
    directory "/etc/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you might need to uncomment the query-source
    // directive below. Previous versions of BIND always asked
    // questions using port 53, but BIND 8.1 and later use an unprivileged
    // port by default.

    // query-source address * port 53;

    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders.
    // Uncomment the following block, and insert the addresses replacing
    // the all-0's placeholder.

    forwarders {
    192.168.1.1;
    68.105.28.12;
    68.105.28.11;
    68.105.29.12;
    };

    auth-nxdomain no; # conform to RFC1035
    listen-on-v6 { any; };
    };

    named.conf.local file
    //
    // Do any local configuration here
    //

    // Consider adding the 1918 zones here, if they are not used in your
    // organization
    //include "/etc/bind/zones.rfc1918";
    zone "teststr.lan" IN {
    type master;
    file "/etc/bind/zones/teststr.lan.db";
    };

    zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/zones/rev.1.168.192.in-addr.arpa";
    };

    teststr.lan.db file
    ; Use semicolons to add comments.
    ; Host-to-IP Address DNS Pointers for mydomain.lan
    ; Note: The extra “.” at the end of addresses are important.
    ; The following parameters set when DNS records will expire, etc.
    ; Importantly, the serial number must always be iterated upward to prevent
    ; undesirable consequences. A good format to use is YYYYMMDDI where
    ; the I index is in case you make more that one change in the same day.
    teststr.lan. IN SOA ubuntusvr.teststr.lan. hostmaster.teststr.lan. (
    200801026
    8H
    4H
    4W
    1D )
    ; NS indicates that john is the name server on mydomain.lan
    ; MX indicates that john is (also) the mail server on mydomain.lan
    teststr.lan. IN NS ubuntusvr.teststr.lan.
    teststr.lan. IN MX 10 ubuntusvr.teststr.lan.
    ; Set an alias (canonical name) for ubuntusvr
    www IN CNAME ubuntusvr.teststr.lan.
    ; Set the address for localhost.teststr.lan
    localhost.teststr.lan. IN A 127.0.0.1
    ; Set the hostnames in alphabetical order
    dlinkpr.teststr.lan. IN A 192.168.1.20
    hp2600n.teststr.lan. IN A 192.168.1.25
    mfc7820n.teststr.lan. IN A 192.168.1.26
    router.teststr.lan. IN A 192.168.1.1
    strap.teststr.lan. IN A 192.168.1.245
    ubuntusvr.teststr.lan. IN A 192.168.1.109

    rev.1.168.192.in-addr.arpa file
    ; IP Address-to-Host DNS Pointers for 192.168.1.0 subnet
    @ IN SOA ubuntusvr.teststr.lan. hostmaster.teststr.lan. (
    200801024
    8H
    4H
    4W
    1D )
    ; define the authoritative name server
    IN NS ubuntusvr.teststr.lan.
    ; our hosts, in numeric order
    20.1.168.192.in-addr.arpa. IN PTR dlinkpr.teststr.lan.
    25.1.168.192.in-addr.arpa. IN PTR hp2600n.teststr.lan.
    26.1.168.192.in-addr.arpa. IN PTR mfc7820n.teststr.lan.
    1.1.168.192.in-addr.arpa. IN PTR router.teststr.lan.
    245.1.168.192.in-addr.arpa. IN PTR strap.teststr.lan.
    109.1.168.192.in-addr.arpa. IN PTR ubuntusvr.teststr.lan.

    I have looked at this manually and with WebMin but I can't find the problem. None of the following work:
    dig ubuntusvr
    dig ubuntusvr.teststr.lan
    dig router.teststr.lan

    the return data is like:

    dad@ubuntusvr:~$ dig teststr.lan

    ; <<>> DiG 9.4.1-P1 <<>> teststr.lan
    ;; global options: printcmd
    ;; Got answer:
    ;; ->>HEADER
    @Alan - Thanks for the feedback, I corrected the typo you mentioned.
    Thanks for the article. The only problem I had was with the mydomain.lan.db file. Line 5 has a colon instead of a semi-colon, so you get this error when you start BIND: unknown RR type 'Importantly'. Once I changed this everything was fine.
 

© Copyright Zaphu 2007. All rights reserved.
