BIND/NAMED DNS Help


BIND (or 'named', which is what the BIND daemon is called on FreeBSD as elsewhere) is a bit more difficult to set up than the other 'must have' systems for a Domain Controller, and it is one of the most important to get right: without properly functioning DNS, the machines on your network cannot find one another by name.

The following is a 'short list' of the things that need to be accomplished using the sample files, plus some additional information. The first step, of course, is to install the latest version of BIND on your computer. Older FreeBSD releases install 'named' as part of the 'base' system, so it is only a matter of enabling it; FreeBSD 10 and later moved BIND out of base, so there (as on Linux) you install it from the package system, for example the 'dns/bind9*' ports or an 'RPM'. After that, do each of these steps in the order given.

  1. Determine the IP address range you will be using for your network. Typically you will choose a 'private' IP address range, such as 192.168.1/24. You should have a thorough grasp of subnets and IP addressing on a network before proceeding with this.
    The notation '192.168.1/24' refers to the subnet 192.168.1.0 with a mask of 255.255.255.0 (i.e. 24 bits). The examples here will use this subnet. You should change the values within the sample files to match your subnet.
  2. Determine the name of the domain you will be creating with your domain controller. Typically it will be something like 'WORKGROUP.local', which is what the sample files here use to represent the domain. It is worth pointing out that 'WORKGROUP.local', rather than 'WORKGROUP', is necessary because DNS is a global naming system, and a bare single-label name is not a proper DNS domain. Like private IP addresses, '.local' has been used as a private naming system that will not resolve outside of your private network. (Caveat: RFC 6762 reserves '.local' for Multicast DNS, so hosts running mDNS, such as macOS and most Linux desktops, may never send '.local' queries to your BIND server at all. For a new network, prefer a subdomain of a domain you own, such as 'ad.example.com', or 'home.arpa', which RFC 8375 reserves for exactly this purpose; the sample files work unchanged with any such name.)
    (Sometimes people use their company's public domain, such as 'example.com', as the name of their internal network instead of 'WORKGROUP.local'. This practice, although not illegal, is full of problems: the internal server and the public servers are then both 'authoritative' for the same name and give different answers to the same question, and a client has no way of telling which one is right. Only one server can truly be 'authoritative'. So please do not do this with YOUR network, unless you own the domain and are prepared to run a proper split-horizon setup in which the internal server answers for the name inside the network and the public servers answer outside it. A private name avoids the problem entirely.)
  3. Create the following directories for your 'bind' implementation (this assumes that your bind database and 'named.conf' (or 'bind.conf') will exist in '/etc/namedb'; your system may be different):
    1. /etc/namedb/m/
    2. /etc/namedb/s/
    3. /etc/namedb/examples/
    The 'm' and 's' directories should be 'chown bind:wheel' and 'chmod 755', so that the 'bind' user that named runs as can write there. The 'examples' directory is optional, and provided as a place where you can store the ORIGINAL versions of the various files. This is a good idea because, once it is running, BIND rewrites any zone file that accepts dynamic updates (and keeps a '.jnl' journal file beside it)!
    (Please note that this example does NOT cover 'chroot' on your BIND implementation. If you want to 'chroot' the process, you should study the documentation on what the changes need to be, and create the directories in the appropriate location. The actual changes you need to make are relatively minor, however, so the extra security makes it well worth doing)
  4. Copy the appropriate files from the examples into their proper location. The 'RDNS' files will have to be given names appropriate to your subnet. If you have more than one subnet, you will need more than one RDNS file and multiple zone entries for them.
  5. Verify the contents of the '/etc/resolv.conf' file. It should contain 2 lines, similar to the following:

        domain WORKGROUP.local
        nameserver 192.168.1.1

    The first line must be modified to match your actual domain (rather than 'WORKGROUP.local'). The second line must be the IP address of the DNS server (typically the first IP address in the subnet for your network, as shown; you must run your DNS server on this IP address). If you would rather point the server at itself with 'nameserver 127.0.0.1', as the comment in the sample 'named.conf' suggests, make sure the 'listen-on' option in 'named.conf' includes 127.0.0.1 as well, or those queries will go unanswered.
  6. Check the configuration, then restart the DNS server. With BIND 9, 'named-checkconf /etc/namedb/named.conf' and 'named-checkzone WORKGROUP.local /etc/namedb/m/WORKGROUP.local' catch syntax errors before named refuses to start. To restart, you can reboot the computer, or use whatever method your system recommends: older FreeBSD releases shipped a 'named.restart' script, current ones use 'service named restart', and once named is running 'rndc reload' re-reads the configuration and zones without restarting the daemon.

Once your DNS system is running, you should verify that everything works by using 'nslookup' or, better, 'dig'. The easiest way is simply to invoke 'nslookup' from the console. With 'dig' you can ask the server directly for both directions, for example 'dig @192.168.1.1 FreeBSDServer.WORKGROUP.local A' for the forward lookup and 'dig @192.168.1.1 -x 192.168.1.1' for the reverse one; the answer section of each should show the records from your zone files, a status of 'SERVFAIL' usually means the zone file did not load, and 'REFUSED' points at the access-control settings.

The Files

The contents of the various files are shown here. You can 'clip' the text out of the html text and paste it into the appropriately named file, modifying the text as needed for your operating system, machine name, domain name, and network settings.
NOTE:  The 'named.root' file (aka 'root hints') was not included here. It should be installed automatically when you install BIND on your system. If you need an updated 'root hints' file, you should obtain one from InterNIC at 'https://www.internic.net/domain/named.root' (or, where FTP is still available, 'ftp://ftp.internic.net/domain/named.root').

named.conf (or bind.conf)

The 'named.conf' (or bind.conf) file is the main configuration file and resides in the 'bind database' directory (typically '/etc/namedb' or '/etc/bindb' or similar). This example uses an IP address of 192.168.1.1 for the DNS server, a server name of 'FreeBSDServer', and a domain of 'WORKGROUP.local'. You will need to change these to match your own network. Also, 'directory' is one of the global options, so you should make certain that it is properly assigned as well.

// MUST CHANGE ITEMS
// a) the IP address 192.168.1.1
// b) the IP addresses in the 'forwarders' section.  If this server
//    will not connect to the internet, comment that section out
//    (and 'forward first' with it, which has no meaning without forwarders)
// c) the name of the RDNS files (depends upon the subnets)
// d) the name of the server and domain (FreeBSDServer and WORKGROUP.local)
// e) the correct database directory '/etc/namedb' (if yours differs)

options {
        // 127.0.0.1 is listed as well so that 'nameserver 127.0.0.1' in the
        // server's own /etc/resolv.conf (see the comment above the zones)
        // actually reaches named.
        listen-on { 127.0.0.1; 192.168.1.1; };
        version "why are you looking here";
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
// things I have added
        hostname "FreeBSDServer.WORKGROUP.local";
        notify yes;

        forward first; // the default once 'forwarders' is set
        fetch-glue no; // BIND 8 only: BIND 9 treats this option as obsolete
                       // (a warning at best, a configuration error in newer
                       // versions), so remove it there

// If you've got a DNS server around at your upstream provider, enter
// its IP address here, and enable the line below.  This will make you
// benefit from its cache, thus reduce overall DNS traffic in the Internet.

        forwarders {
                x.x.x.x;  // your ISP's DNS server goes here
                x.x.x.x;  // your ISP's backup DNS server goes here
        };

        /*
         * If there is a firewall between you and nameservers you want
         * to talk to, you might be tempted to uncomment the query-source
         * directive below so that every query leaves from port 53.
         * Previous versions of BIND always asked questions using port 53,
         * BIND 8.1 uses an unprivileged port by default, and current BIND 9
         * picks a fresh random port for each query.  Leave it commented
         * out: a fixed source port removes that randomisation, which is
         * one of the main defences against cache poisoning.  Let the UDP
         * replies through the firewall instead.
         */
        // query-source address * port 53;

        /*
         * If running in a sandbox, you may have to specify a different
         * location for the dumpfile.
         */
        // dump-file "s/named_dump.db";

// SORT LIST

        sortlist { { localhost; localnets; };
                   { localnets; };
        };
};


// ZONES (there is no secondary in this setup: every zone here is a master)

// If you enable a local name server, don't forget to enter 127.0.0.1
// first in your /etc/resolv.conf so this server will be queried.
// Also, make sure to enable it in /etc/rc.conf.

zone "." {
        type hint;
        file "named.root";
};

zone "WORKGROUP.local" {
        type master;
        // Address-based ACLs are weak for updates: a UDP packet with a
        // forged 192.168.x.x source address is enough to rewrite this zone.
        // Prefer 'allow-update { key "name"; };' with a TSIG key shared
        // with the DHCP server, or at least narrow this to its address.
        allow-update { 192.168.0.0/16; };
        // A zone transfer lists every host; allow it only for real
        // secondaries, or use 'none' if there are none.
        allow-transfer { 192.168.0.0/16; };
        notify yes;
        file "m/WORKGROUP.local";
};

zone "localhost"  {
        type master;
        file "m/named.localhost";
        allow-transfer { localhost; };
        notify no;
};


// reverse zones

zone "0.0.127.IN-ADDR.ARPA" {
        type master;
        file "m/localhost.rev";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "m/1.168.192.in-addr.arpa";
        allow-update { 192.168.1.0/24; };   // same caveat as the forward zone
        allow-transfer { 192.168.1.0/24; };
};

// RFC 3152 (now RFC 3596)
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" {
        type master;
        file "m/localhost-v6.rev";
};

// RFC 1886 -- deprecated (RFC 4159); only very old resolvers still ask for it
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.INT" {
        type master;
        file "m/localhost-v6.rev";
};

Getting this 'right' is the hardest part of setting up your DNS. So I hope to help you out by providing you something that 'works'.
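The weak settings called out in the comments above are easy to miss by eye. As an added example, not code from the page's author, here is a small POSIX shell audit that strips named.conf comments and flags a pinned query-source port, an address-based allow-update, a missing allow-recursion and a listen-on without 127.0.0.1. It runs the check on a constructed copy of the page's settings and on a hardened version that uses a TSIG key for updates; the key name "ddns-key" and its placeholder secret are assumptions, not anything from the page.

```shell
#!/bin/sh
# Added example, not code from the original page: audit a named.conf for the
# weak settings discussed above, using only POSIX sh, awk and grep so that it
# runs offline.  Both configurations are constructed for this example; the key
# name "ddns-key" and its placeholder secret are hypothetical.

# Constructed sample 1: the page's settings reduced to the options that matter
# here, with the 'query-source' line uncommented as the firewall comment invites.
WEAK_CONF='
options {
        listen-on { 192.168.1.1; };
        query-source address * port 53;   // fixed source port
};
zone "WORKGROUP.local" {
        type master;
        allow-update { 192.168.0.0/16; };    # anyone on 192.168/16 may rewrite the zone
        allow-transfer { 192.168.0.0/16; };
        file "m/WORKGROUP.local";
};
'

# Constructed sample 2: the same server hardened.  Generate the real key with
# "tsig-keygen ddns-key" and hand it only to the DHCP server that sends updates.
HARDENED_CONF='
key "ddns-key" {
        algorithm hmac-sha256;
        secret "REPLACE-WITH-OUTPUT-OF-tsig-keygen";  /* hypothetical placeholder */
};
options {
        listen-on { 127.0.0.1; 192.168.1.1; };
        allow-query { localhost; localnets; };
        allow-recursion { localhost; localnets; };
        version "none";
};
zone "WORKGROUP.local" {
        type master;
        allow-update { key "ddns-key"; };
        allow-transfer { none; };
        file "m/WORKGROUP.local";
};
'

# Strip //, # and /* */ comments (all three are legal in named.conf) so that
# a commented-out directive is not reported as if it were active.
strip_comments() {
    awk '
    { line = $0; out = ""
      while (length(line) > 0) {
        if (inblock) {                                  # still inside /* ... */
          i = index(line, "*/")
          if (i == 0) { line = ""; break }
          line = substr(line, i + 2); inblock = 0; continue
        }
        b = index(line, "/*"); c = index(line, "//"); h = index(line, "#")
        first = 0; kind = ""                            # earliest comment start wins
        if (b > 0) { first = b; kind = "block" }
        if (c > 0 && (first == 0 || c < first)) { first = c; kind = "line" }
        if (h > 0 && (first == 0 || h < first)) { first = h; kind = "line" }
        if (first == 0) { out = out line; break }
        out = out substr(line, 1, first - 1)
        if (kind == "line") break
        line = substr(line, first + 2); inblock = 1
      }
      print out }'
}

# Read named.conf text on stdin, print one FINDING per weak setting and return
# the number of findings (0 = nothing flagged).  Assumes one directive per line.
audit_named_conf() {
    conf=$(strip_comments)
    n=0
    has() { printf '%s\n' "$conf" | grep -Eq "$1"; }
    if has 'query-source[^;]*port[[:space:]]+53([^0-9]|$)'; then
        echo "FINDING: query-source pinned to port 53; this removes source-port randomisation, a main defence against cache poisoning"
        n=$((n + 1))
    fi
    if has 'allow-update[[:space:]]*\{[^}]*(any|[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+)'; then
        echo "FINDING: allow-update by source address, which a UDP packet can forge; use a TSIG key"
        n=$((n + 1))
    fi
    if ! has 'allow-recursion'; then
        echo "FINDING: allow-recursion not set; BIND before 9.4 then recurses for anyone who can reach it"
        n=$((n + 1))
    fi
    if has 'listen-on[[:space:]]*\{' && ! has 'listen-on[[:space:]]*\{[^}]*127\.0\.0\.1'; then
        echo "FINDING: listen-on omits 127.0.0.1, so 'nameserver 127.0.0.1' in /etc/resolv.conf gets no answer"
        n=$((n + 1))
    fi
    return $n
}

# Same check, printing the count instead of returning it (handy under set -e).
finding_count() {
    n=0
    audit_named_conf >/dev/null || n=$?
    echo "$n"
}

echo "== constructed weak config =="
printf '%s\n' "$WEAK_CONF" | audit_named_conf || echo "-> $? finding(s)"
echo "== constructed hardened config =="
printf '%s\n' "$HARDENED_CONF" | audit_named_conf && echo "-> clean"
```

To run it against your own file: 'audit_named_conf < /etc/namedb/named.conf'. It complements rather than replaces 'named-checkconf', which checks syntax but says nothing about what a setting permits. 'tsig-keygen ddns-key' prints a ready-made key block that can be appended to named.conf; the DHCP server then has to sign its updates with the same key (ISC dhcpd takes it in 'key' and 'zone' statements in dhcpd.conf).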



m/named.localhost

This file is the 'master' zone file for localhost, and is typically already installed in the database as part of the BIND installation. You should copy it to the 'm' directory or change the reference to it in 'named.conf'. The 'm' directory is preferable, as it is intended to always be writable by the BIND daemon, in case it is running as 'other than root'. It is also a standard way of setting things up, where 'm' has master zone files, and 's' has slave zone files.
This file (and others in the 'm' directory) should be 'chmod 444' and 'chown bind:wheel'.

$ORIGIN localhost.
$TTL 6h
@   IN  SOA localhost. postmaster.localhost. (
            1   ; serial
            3600    ; refresh
            1800    ; retry
            604800  ; expiration
            3600 )  ; minimum
    IN  NS  localhost.
    IN  A       127.0.0.1


m/WORKGROUP.local

This is your 'primary zone file' for WORKGROUP.local (change to your domain). The entry 'root.FreeBSDServer.WORKGROUP.local' is the SOA contact field, DNS notation for the e-mail address 'root@FreeBSDServer.WORKGROUP.local' (the first dot stands in for the '@'), and can be changed appropriately. You should modify 'WORKGROUP.local', the machine and alias names, and the IP addresses to match your network. These addresses are 'fixed'. Dynamic updates will happen when DHCP and Samba 3 are working together with BIND and notifying it of changes to the zones. Whenever you edit the file by hand, increase the serial number, or secondaries will not transfer the change; and on a zone that accepts dynamic updates, run 'rndc freeze WORKGROUP.local' before editing and 'rndc thaw WORKGROUP.local' afterwards, or named will overwrite your edits from its journal.
This file (like others in the 'm' directory) should be 'chmod 444' and 'chown bind:wheel'.

$TTL 3600

WORKGROUP.local. IN SOA FreeBSDServer.WORKGROUP.local. root.FreeBSDServer.WORKGROUP.local. (
                        2004081707      ; Serial YYYYMMDDnn
                        10800           ; Refresh
                        3600            ; Retry
                        604800          ; Expire
                        86400 )         ; Minimum TTL

; DNS Servers
@       IN NS           FreeBSDServer.WORKGROUP.local.

; Machine Names
localhost       IN A    127.0.0.1
FreeBSDServer   IN A    192.168.1.1
; mail server (use this if you have a mail server running)
mail            IN A    192.168.1.1
@               IN A    192.168.1.1

; Aliases (use this if you have a web server here, www.WORKGROUP.local)
www             IN CNAME        @

; MX Record (use this if you have a mail server running)
@               IN MX   10      mail.WORKGROUP.local.


m/localhost.rev - reverse lookups for 'localhost'

As it says in the comments, the file can be automatically generated using the 'make-localhost' script. If you have this script in your BIND implementation, you should go ahead and run it to generate the file, and then copy it to the 'm' directory. Otherwise, you can use the example here. You must edit it to reflect the correct server name and domain name.
This file (like others in the 'm' directory) should be 'chmod 444' and 'chown bind:wheel'.

; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

$TTL    3600

@       IN      SOA     FreeBSDServer.WORKGROUP.local. root.FreeBSDServer.WORKGROUP.local.  (
                                2004081701      ; Serial YYYYMMDDnn
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      FreeBSDServer.WORKGROUP.local.
1       IN      PTR     localhost.WORKGROUP.local.


m/localhost-v6.rev - IPv6 reverse lookups for 'localhost'

Similar to 'localhost.rev', the 'localhost-v6.rev' file handles the reverse lookups for localhost via IPV6. It should also be updated to reflect the correct domain name and server name.
This file (like others in the 'm' directory) should be 'chmod 444' and 'chown bind:wheel'.

; This file is automatically edited by the `make-localhost' script in
; the /etc/namedb directory.
;

$TTL    3600

@       IN      SOA     FreeBSDServer.WORKGROUP.local. root.FreeBSDServer.WORKGROUP.local.  (
                                2004081701      ; Serial YYYYMMDDnn
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      FreeBSDServer.WORKGROUP.local.
        IN      PTR     localhost.WORKGROUP.local.


m/1.168.192.in-addr.arpa - reverse DNS lookups

This is the 'RDNS' lookup zone file, which should contain an entry for each IP address that is mentioned in 'm/WORKGROUP.local' and belongs to the subnet '192.168.1/24'. You will notice that the zone name corresponds to the 'reversed' number order of the IP address range, with the final octet left off. Entries for each of the 'final numbers' are placed in this file, initially with the 'fixed' values and later by the dynamic updates that DHCP sends. As with the other files, you should modify it to reflect the correct domain name, server name, and IP address for the server. The '1' entry refers (in this case) to the IP address '192.168.1.1'.
This file (like others in the 'm' directory) should be 'chmod 444' and 'chown bind:wheel'.

$TTL    3600

@       IN      SOA     FreeBSDServer.WORKGROUP.local. root.FreeBSDServer.WORKGROUP.local.  (
                                2004081701      ; Serial YYYYMMDDnn
                                3600    ; Refresh
                                900     ; Retry
                                3600000 ; Expire
                                3600 )  ; Minimum
        IN      NS      FreeBSDServer.WORKGROUP.local.
1       IN      PTR     FreeBSDServer.WORKGROUP.local.
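A mismatch between the forward and reverse files is the most common way this set-up ends up half working: forward lookups succeed, 'dig -x' returns nothing, and anything that relies on reverse lookups fails. As an added example that is not from the original page, the following POSIX shell script parses the A records from the forward zone file and the PTR records from the reverse file and reports addresses in the subnet that lack a PTR, as well as PTRs whose target has no A record at that address. The zone contents are constructed from the page's samples; the hosts 'ws01' and 'printer' are hypothetical additions so that the check has something to report.

```shell
#!/bin/sh
# Added example, not code from the original page: cross-check the A records of
# a forward zone file against the PTR records of its in-addr.arpa file, which
# is the consistency the text above asks for.  POSIX sh and awk only.  The zone
# files are constructed from the page's samples; 'ws01' and 'printer' are
# hypothetical hosts added so that both kinds of mismatch show up.

FWD_ZONE='$TTL 3600
WORKGROUP.local. IN SOA FreeBSDServer.WORKGROUP.local. root.FreeBSDServer.WORKGROUP.local. (
                        2004081707      ; Serial YYYYMMDDnn
                        10800 3600 604800 86400 )
@               IN NS   FreeBSDServer.WORKGROUP.local.
localhost       IN A    127.0.0.1
FreeBSDServer   IN A    192.168.1.1
mail            IN A    192.168.1.1
@               IN A    192.168.1.1
ws01            IN A    192.168.1.20    ; constructed: has no PTR below
www             IN CNAME        @
@               IN MX   10      mail.WORKGROUP.local.'

REV_ZONE='$TTL    3600
@       IN      SOA     FreeBSDServer.WORKGROUP.local. root.FreeBSDServer.WORKGROUP.local.  (
                                2004081701 3600 900 3600000 3600 )
        IN      NS      FreeBSDServer.WORKGROUP.local.
1       IN      PTR     FreeBSDServer.WORKGROUP.local.
30      IN      PTR     printer.WORKGROUP.local.     ; constructed: no A record above'

# forward_a_records ORIGIN < zonefile  ->  one "ip fqdn" line per A record.
# Handles $ORIGIN, '@', relative owner names and owner inheritance (a line
# that starts with whitespace belongs to the previous owner).
forward_a_records() {
    awk -v origin="$1" '
    /^[ \t]*;/      { next }                      # comment line
    $1 == "$ORIGIN" { origin = $2; next }
    $1 ~ /^\$/      { next }                      # $TTL and other directives
    { sub(/;.*$/, "")                             # trailing comment
      if (NF == 0) next
      if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 }
      for (i = 1; i < NF; i++) if ($i == "A") {
        name = owner
        if (name == "@") name = origin
        else if (name !~ /\.$/) name = name "." origin
        print $(i + 1), name
      }
    }'
}

# reverse_ptr_records ZONE < zonefile  ->  one "ip fqdn" line per PTR record,
# for a /24 zone such as 1.168.192.in-addr.arpa. (owner = last octet).
reverse_ptr_records() {
    awk -v zone="$1" '
    BEGIN { split(zone, z, "."); prefix = z[3] "." z[2] "." z[1] "." }
    /^[ \t]*;/ { next }
    $1 ~ /^\$/ { next }
    { sub(/;.*$/, "")
      if (NF == 0) next
      if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 }
      for (i = 1; i < NF; i++) if ($i == "PTR" && owner ~ /^[0-9]+$/)
        print prefix owner, $(i + 1)
    }'
}

# check_reverse_consistency FWDFILE FWD_ORIGIN REVFILE REV_ZONE PREFIX
# Prints A records inside PREFIX that have no PTR and PTRs whose target has no
# A record at that address; returns the number of problems (0 = consistent).
check_reverse_consistency() {
    t=$(mktemp -d) || return 99
    forward_a_records "$2" < "$1" | awk -v p="$5" 'index($1, p) == 1' | sort -u > "$t/fwd"
    reverse_ptr_records "$4" < "$3" | sort -u > "$t/rev"
    cut -d' ' -f1 "$t/fwd" | sort -u > "$t/fwd_ips"
    cut -d' ' -f1 "$t/rev" | sort -u > "$t/rev_ips"
    comm -23 "$t/fwd_ips" "$t/rev_ips" | sed 's/^/no PTR for address with an A record: /'
    comm -13 "$t/fwd" "$t/rev"         | sed 's/^/PTR without a matching A record: /'
    problems=$(( $(comm -23 "$t/fwd_ips" "$t/rev_ips" | wc -l) + $(comm -13 "$t/fwd" "$t/rev" | wc -l) ))
    rm -rf "$t"
    return "$problems"
}

# Write the constructed zones to a scratch directory and run the check.
ZONEDIR=$(mktemp -d)
trap 'rm -rf "$ZONEDIR"' EXIT
printf '%s\n' "$FWD_ZONE" > "$ZONEDIR/WORKGROUP.local"
printf '%s\n' "$REV_ZONE" > "$ZONEDIR/1.168.192.in-addr.arpa"
check_reverse_consistency "$ZONEDIR/WORKGROUP.local" WORKGROUP.local. \
    "$ZONEDIR/1.168.192.in-addr.arpa" 1.168.192.in-addr.arpa. 192.168.1. \
    && echo "forward and reverse zones agree" || echo "-> $? problem(s) found"
```

Point the last call at '/etc/namedb/m/WORKGROUP.local' and '/etc/namedb/m/1.168.192.in-addr.arpa' to check a real pair. The script assumes a /24 reverse zone, one record per line and the layout of the page's files; 'named-checkzone' remains the authority on whether each file parses at all, and on a live server 'dig -x' against named gives the same answer from the loaded zone rather than the file.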


©2004-13 by Stewart~Frazier Tools, Inc. - all rights reserved
Last Update: 6/23/2013