
The Domain Name System (DNS), among other things, translates domain names, also known as computer hostnames, into IP addresses. DNS has become an essential component of Internet use because it makes it possible to attach easy-to-remember domain names (such as www.softpedia.com) to hard-to-remember IP addresses (such as 193.226.140.167), making the Internet a lot easier to use.
BIND (Berkeley Internet Name Domain) is the most widely used DNS server, especially on Unix-like systems, and has reached version 9. Among other important features, BIND includes TSIG, DNS NOTIFY, nsupdate, rndc flush, views, multiprocessor support and IPv6. Unlike past versions of BIND (versions 4 and 8), which had a large number of serious security vulnerabilities, BIND 9 is a rewrite and provides much better security.
Downloading and Installing

You can download BIND 9.3.2 from here.

Extract it:

tar xfz bind-9.3.2.tar.gz

Build it:

cd bind-9.3.2
sed -i -e '247a #undef SO_BSDCOMPAT' lib/isc/unix/socket.c &&
./configure --prefix=/usr --sysconfdir=/etc \
    --enable-threads --with-libtool &&
make

Test it:
As root, set up some test interfaces:

bin/tests/system/ifconfig.sh up

As an unprivileged user, run the test suite:

make check 2>&1 | tee check.log

As root again, clean up the test interfaces:

bin/tests/system/ifconfig.sh down

Issue the following command to check whether all 144 tests completed successfully:

grep "R:PASS" check.log | wc -l

If no errors occurred, it's time for the next step.
Install it:

As root, issue the following command to finally install the BIND package:

make install &&
chmod 755 /usr/lib/{lib{bind9,isc{,cc,cfg},lwres,dns}.so.*.?.?} &&
cd doc &&
install -v -d -m755 /usr/share/doc/bind-9.3.2/{arm,draft,misc,rfc} &&
install -v -m644 arm/*.html /usr/share/doc/bind-9.3.2/arm &&
install -v -m644 draft/*.txt /usr/share/doc/bind-9.3.2/draft &&
install -v -m644 rfc/* /usr/share/doc/bind-9.3.2/rfc &&
install -v -m644 misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
    /usr/share/doc/bind-9.3.2/misc

The commands from 'cd doc' to the end install the additional package documentation. Optionally, you can omit any or all of them.
Configuring BIND

The files used for BIND configuration are named.conf, root.hints, 127.0.0, rndc.conf and resolv.conf.

This guide will configure BIND to run in a chroot jail as the unprivileged user named. This is a more secure configuration because, if named is compromised, the attacker is confined to the few files in the named home directory instead of the whole system.
Issue the following commands as root in order to create the unprivileged user and group named:

groupadd -g 20 named &&
useradd -c "BIND Owner" -g named -s /bin/false -u 20 named &&
install -d -m770 -o named -g named /srv/named

Set up some files, directories and devices needed by BIND:
mkdir -p /srv/named &&
cd /srv/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /srv/named/dev/null c 1 3 &&
mknod /srv/named/dev/random c 1 8 &&
chmod 666 /srv/named/dev/{null,random} &&
mkdir /srv/named/etc/namedb/pz &&
cp /etc/localtime /srv/named/etc

Next, you must generate a key for use in the named.conf and rndc.conf files with the command:

rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2

Download this named.conf file and save it as /srv/named/etc/named.conf. From this file, named will read the location of the zone files, the root name servers and the secure DNS keys. Next, download this rndc.conf file and save it as /etc/rndc.conf. The rndc.conf file contains the information needed to control named operations with the rndc utility.
Now it's time to create a zone file. You can download this file and save it under /srv/named/etc/namedb/pz/ as 127.0.0.

Create the root.hints file. Download this file and save it under /srv/named/etc/namedb/ as root.hints. You must ensure there are no leading spaces in this file.
Create or modify the /etc/resolv.conf file to use your new domain server. Add these two lines, replacing yourdomain.com with your own valid domain name:

search yourdomain.com
nameserver 127.0.0.1
Set the permissions on the chroot jail by issuing the command:

chown -R named.named /srv/named

Starting BIND

To start BIND, issue the following command, which you can add to the rc.local script so that it is started on every Linux boot (with -t, the path given to -c is relative to the jail, so the file saved as /srv/named/etc/named.conf is /etc/named.conf from named's point of view):

/usr/sbin/named -u named -t /srv/named -c /etc/named.conf

Testing BIND

Test your new BIND 9 installation. First, query the local host address with dig:
dig -x 127.0.0.1

Next, try an external name lookup, also using dig:

dig softpedia.com

Here you can see which IP addresses the softpedia.com domain is translated to, as well as its authoritative name servers.
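Beyond the two dig queries, as an added example that is not part of the original guide, here is a POSIX shell function that verifies the chroot jail built in the Configuring BIND section before named is started: the directories and files, the two device nodes, the named:named ownership, no world-writable configuration, and a root.hints file without leading spaces. The function name and its messages are my own; it assumes the /srv/named layout used throughout this guide.

```shell
#!/bin/sh
# Pre-flight check for the /srv/named chroot jail built in this guide.
# (Added example, not part of the original guide; the function name and the
# messages are my own.) Prints one line per problem found and returns the
# number of problems, so an exit status of 0 means the jail looks ready.
# Usage: check_named_jail /srv/named [user] [group]
check_named_jail() {
    jail=$1; user=${2:-named}; group=${3:-named}; problems=0
    fail() { echo "PROBLEM: $1"; problems=$((problems + 1)); }

    [ -d "$jail" ] || { fail "jail directory $jail does not exist"; return 1; }

    # Directories the guide creates under the jail
    for d in dev etc etc/namedb etc/namedb/pz etc/namedb/slave var/run; do
        [ -d "$jail/$d" ] || fail "missing directory $d"
    done

    # Files named reads at start-up (all paths are relative to the jail)
    for f in etc/named.conf etc/localtime etc/namedb/root.hints etc/namedb/pz/127.0.0; do
        [ -f "$jail/$f" ] || fail "missing file $f"
    done

    # The mknod steps must have produced real character devices, not plain files
    for dev in null random; do
        [ -c "$jail/dev/$dev" ] || fail "dev/$dev is not a character device"
    done

    # After 'chown -R named.named /srv/named' nothing should belong to anyone else
    if [ -n "$(find "$jail" ! -user "$user" -o ! -group "$group" | head -n 1)" ]; then
        fail "some files in $jail are not owned by $user:$group"
    fi

    # Configuration inside the jail must not be writable by other local users,
    # otherwise anyone on the box could point named at their own zone data
    if [ -n "$(find "$jail/etc" -type f -perm -002 2>/dev/null | head -n 1)" ]; then
        fail "world-writable file(s) under etc"
    fi

    # The guide warns that root.hints must not contain leading spaces
    if [ -f "$jail/etc/namedb/root.hints" ] \
       && grep -q '^[[:space:]]' "$jail/etc/namedb/root.hints"; then
        fail "root.hints contains lines with leading whitespace"
    fi

    return $problems
}
```

Run it as root with check_named_jail /srv/named after the chown step; the exit status is the number of problems found.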