ISC-TN-2007-1                                      ISC Technical Support
                                                                     ISC
                                                       September 4, 2007


            Setting up BIND to Run as a Recursive Nameserver

Copyright Notice

   Copyright (C) 2007 Internet Systems Consortium, Inc.  All Rights
   Reserved.

Abstract

   This Technical Note instructs a moderately-experienced systems
   administrator on the steps necessary to quickly set up a recursive
   (caching-only) nameserver for use on a system or trusted local
   network.

1.  Preparations

   Stop or kill off your current named process, if one is running.
   Usually, running "rndc stop" will instruct named to shut down.  If
   this doesn't work, check the error messages to determine the
   problem.  On Unix systems, you can use ps to verify that it has
   stopped running.  If the process is still running, you can use kill
   to force it to stop.

   Obtain the latest version of BIND from ftp.isc.org or one of the
   many sites that mirror it.  At the time of writing, the latest
   version is bind-9.4.1-P1.tar.gz.  You can find that via FTP at .
   If you prefer a web interface, please access it via .  When looking
   at version numbers, please note that P stands for patch, RC means
   release candidate, while b is short for beta.  Only numbered or
   patched releases are considered to be production-quality releases.

   Extract the distribution.  After you've obtained the file and moved
   it to a convenient directory with enough free space:

      tar zxf bind-9.4.1-P1.tar.gz
      cd bind-9.4.1-P1

2.  Build and Configure BIND

   Build the package by running the configure script.  Specifying a
   prefix will put the binaries and other files in a single location,
   to avoid overwriting any existing files.  After that's successful,
   build the binaries by running make.  To install the binaries and
   associated files, use "make install".  Note that while the configure
   script is designed to work in a large number of environments, it may
   still exit with an error on some systems.

Technical Support                                               [Page 1]

Recursive Nameserver Setup                                September 2007

      ./configure --prefix=/usr/local/isc
      make
      make install

   Create a configuration file for the named binary.  Create a
   /usr/local/isc/etc/named.conf that looks something like the
   following.  If you are running IPv6 on your system, please enable
   the "listen-on-v6" statement.  If you are running this system on an
   insecure connection such as an open wireless connection, please
   remove the "localnets;" entries, since leaving them in may increase
   the chance of your nameserver being used maliciously for attacks.
   However, if you are using this in a home or office environment, it
   is okay to leave that parameter in, since you probably want to offer
   name service to other local systems.

      include "/usr/local/isc/etc/rndc.key";

      controls {
          inet 127.0.0.1 allow { localhost; } keys { "rndc-key"; };
      };

      options {
          allow-query { localhost; localnets; };
          listen-on { any; };
          // uncomment this statement if your system supports IPv6.
          // listen-on-v6 { any; };
          // change this if you put cache & zone files elsewhere.
          directory "/var/named";
      };

      view "default-recursive" {
          match-clients { localhost; localnets; };
          match-destinations { localhost; localnets; };
          recursion yes;

          // actually include authoritative service for recommended zones
          // to reduce needless queries
          zone "." IN {
              type hint;
              file "named.cache";
          };
          zone "localdomain" IN {
              type master;
              file "db.localdomain";
              allow-update { none; };
          };
          zone "localhost" IN {
              type master;
              file "db.localhost";
              allow-update { none; };
          };
          zone "0.0.127.in-addr.arpa" IN {
              type master;
              file "db.rev.127";
              allow-update { none; };
          };
          zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
              type master;
              file "db.rev.0.0";
              allow-update { none; };
          };
          zone "255.in-addr.arpa" IN {
              type master;
              file "db.rev.255";
              allow-update { none; };
          };
          zone "0.in-addr.arpa" IN {
              type master;
              file "db.rev.0";
              allow-update { none; };
          };
      };

   Create the files referenced in the configuration.  Create the
   following seven files in /var/named -- or in whatever directory the
   "directory" statement in /usr/local/isc/etc/named.conf specifies.
   Note that you can verify you have the latest named.cache by
   downloading it from .  It is worthwhile to check occasionally that
   you have the latest version of named.cache: the file does not change
   frequently, but changes may occur during the next few years.

   named.cache:

      ;       This file holds the information on root name servers needed to
      ;       initialize cache of Internet domain name servers
      ;       (e.g. reference this file in the "cache  .  "
      ;       configuration file of BIND domain name servers).
      ;
      ;       This file is made available by InterNIC
      ;       under anonymous FTP as
      ;           file                /domain/named.cache
      ;           on server           FTP.INTERNIC.NET
      ;       -OR-                    RS.INTERNIC.NET
      ;
      ;       last update:    Jan 29, 2004
      ;       related version of root zone:   2004012900
      ;
      ;
      ; formerly NS.INTERNIC.NET
      ;
      .                        3600000  IN  NS    A.ROOT-SERVERS.NET.
      A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
      ;
      ; formerly NS1.ISI.EDU
      ;
      .                        3600000      NS    B.ROOT-SERVERS.NET.
      B.ROOT-SERVERS.NET.      3600000      A     192.228.79.201
      ;
      ; formerly C.PSI.NET
      ;
      .                        3600000      NS    C.ROOT-SERVERS.NET.
      C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
      ;
      ; formerly TERP.UMD.EDU
      ;
      .                        3600000      NS    D.ROOT-SERVERS.NET.
      D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
      ;
      ; formerly NS.NASA.GOV
      ;
      .                        3600000      NS    E.ROOT-SERVERS.NET.
      E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
      ;
      ; formerly NS.ISC.ORG
      ;
      .                        3600000      NS    F.ROOT-SERVERS.NET.
      F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
      ;
      ; formerly NS.NIC.DDN.MIL
      ;
      .                        3600000      NS    G.ROOT-SERVERS.NET.
      G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
      ;
      ; formerly AOS.ARL.ARMY.MIL
      ;
      .                        3600000      NS    H.ROOT-SERVERS.NET.
      H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
      ;
      ; formerly NIC.NORDU.NET
      ;
      .                        3600000      NS    I.ROOT-SERVERS.NET.
      I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
      ;
      ; operated by VeriSign, Inc.
      ;
      .                        3600000      NS    J.ROOT-SERVERS.NET.
      J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
      ;
      ; operated by RIPE NCC
      ;
      .                        3600000      NS    K.ROOT-SERVERS.NET.
      K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
      ;
      ; operated by ICANN
      ;
      .                        3600000      NS    L.ROOT-SERVERS.NET.
      L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
      ;
      ; operated by WIDE
      ;
      .                        3600000      NS    M.ROOT-SERVERS.NET.
      M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
      ; End of File

   db.localdomain:

      $TTL 86400
      @           IN SOA  localhost root (
                              1       ; serial
                              3H      ; refresh
                              15M     ; retry
                              1W      ; expiry
                              1D )    ; minimum
                  IN NS   localhost
      localhost   IN A    127.0.0.1

   db.localhost:

      $TTL 86400
      @           IN SOA  @ root (
                              1       ; serial
                              3H      ; refresh
                              15M     ; retry
                              1W      ; expiry
                              1D )    ; minimum
                  IN NS   @
                  IN A    127.0.0.1
                  IN AAAA ::1

   db.rev.127:

      $TTL 86400
      @           IN SOA  @ root (
                              1       ; serial
                              3H      ; refresh
                              15M     ; retry
                              1W      ; expiry
                              1D )    ; minimum
                  IN NS   localhost.
      1           IN PTR  localhost.

   db.rev.0.0:

      $TTL 86400
      @           IN SOA  @ root (
                              1       ; serial
                              3H      ; refresh
                              15M     ; retry
                              1W      ; expiry
                              1D )    ; minimum
                  IN NS   localhost.

   db.rev.255:

      $TTL 86400
      @           IN SOA  @ root (
                              1       ; serial
                              3H      ; refresh
                              15M     ; retry
                              1W      ; expiry
                              1D )    ; minimum
                  IN NS   localhost.

   db.rev.0:

      $TTL 86400
      @           IN SOA  @ root (
                              1       ; serial
                              3H      ; refresh
                              15M     ; retry
                              1W      ; expiry
                              1D )    ; minimum
                  IN NS   localhost.
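   Before moving on to the rndc key, it is worth checking the address
   lists that keep this resolver closed to outsiders.  The following
   Python script is an added example, not part of this Technical Note
   or of BIND: it parses a named.conf shaped like the one above (the
   embedded sample is constructed for the example) and flags
   allow-query, allow-recursion or match-clients lists that contain
   "any", or that still contain "localnets" when the host sits on an
   untrusted network as discussed above.

```python
import re

# Constructed sample modelled on the named.conf shape in this note; not a file from the note itself.
SAMPLE_CONF = """
options {
    allow-query { localhost; localnets; };   // who may ask this server anything
    listen-on { any; };
    // listen-on-v6 { any; };
    directory "/var/named";
};
view "default-recursive" {
    match-clients { localhost; localnets; };
    match-destinations { localhost; localnets; };
    recursion yes;
};
"""

# Statements whose address lists decide who can reach the recursive service.
ACL_STATEMENTS = ("allow-query", "allow-recursion", "match-clients")

def strip_comments(conf):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", conf)

def extract_acls(conf):
    """Map each ACL statement to the address lists it was given, in file order."""
    clean = strip_comments(conf)
    acls = {}
    for name in ACL_STATEMENTS:
        for m in re.finditer(r"\b%s\s*\{([^}]*)\}" % name, clean):
            elems = [e.strip() for e in m.group(1).split(";") if e.strip()]
            acls.setdefault(name, []).append(elems)
    return acls

def audit_recursive_acls(conf, untrusted_network=False):
    """Return findings for a recursive named.conf; an empty list means nothing to fix."""
    findings = []
    acls = extract_acls(conf)
    if "allow-query" not in acls:
        # BIND's default allow-query is { any; }, so a missing statement means an open resolver.
        findings.append("allow-query missing: BIND defaults to any, i.e. an open resolver")
    for name, lists in acls.items():
        for elems in lists:
            if "any" in elems:
                findings.append("%s permits any: reachable from the whole Internet" % name)
            # The note's advice for open wireless links: drop localnets from the lists.
            if untrusted_network and "localnets" in elems:
                findings.append("%s includes localnets on an untrusted network" % name)
    return findings
```

   Run audit_recursive_acls() over your own named.conf text; an empty
   result for the trusted-network case and only "localnets" findings
   for the untrusted case means the lists match this note's advice.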
   Generate a key for rndc.  In order to run rndc, which will let you
   control named over a separate channel, execute the command:

      rndc-confgen -a

   This will create /usr/local/isc/etc/rndc.key, which the named.conf
   is set up to include.  Please verify and control the permissions on
   this file, since anyone who has this key on this machine could
   control your nameserver.

3.  Operating System Configuration

   Add your nameserver to the list of resolvers.  On Unix systems, edit
   /etc/resolv.conf.  Add the following line as the first nameserver
   entry in the file:

      nameserver 127.0.0.1

   If you control this file, the entry should be permanent.  However,
   note that on some variants of Unix, networking scripts may modify
   this file.  In that case, you may wish to either alter those scripts
   or change this file each time after networking changes are made.

   If your system does not start up named by default, edit your startup
   configuration to start /usr/local/isc/sbin/named.  Replace
   references to "named" with "/usr/local/isc/sbin/named" to make sure
   that this newest version is running, rather than an older version.

   Start up named.  Check the system logfile for any messages
   reflecting a successful start.  On Unix, you can use ps to verify
   that the named process is running.  You can also use "rndc status"
   to verify that the server is running; it will also output some brief
   status messages.

Author's Address

   ISC Technical Support
   Internet Systems Consortium
   950 Charter Street
   Redwood City, CA 94063
   US

   URI:   http://www.isc.org/