Introducción
A continuación se muestra el contenido del conjunto de ficheros de configuración que necesita BIND9 para ofrecer las funciones de DNS local sobre una zona de dominios de primer nivel «.dev» y en una red local 192.168.1.0/24, suponiendo que la dirección IP del servidor DNS es 192.168.1.10.
Todos los ficheros se sitúan en la ruta /etc/bind.
named.conf:
// Primary configuration file for the BIND DNS server (named).
//
// Read /usr/share/doc/bind9/README.Debian.gz for the layout of BIND
// configuration files on Debian *BEFORE* customising this file.
//
// Zones do not belong here: add them in /etc/bind/named.conf.local.
// The three includes are listed in this order: global options first, then
// the site's own zones (dev and its reverse zone), then the distribution's
// default zones (root hints, localhost, broadcast).
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";
named.conf.options:
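// Clients this server is meant to serve: the LAN 192.168.1.0/24 plus
// loopback. The server itself is 192.168.1.10. One named ACL keeps the
// cache and recursion policies below identical instead of repeating the
// address list in each statement.
acl "lan-clients" { 127.0.0.0/8; ::1; 192.168.1.0/24; };

options {
    // all relative paths use this directory as a base
    directory "/var/cache/bind";

    // If there is a firewall between you and nameservers you want
    // to talk to, you may need to fix the firewall to allow multiple
    // ports to talk. See http://www.kb.cert.org/vuls/id/800113
    //
    // If your ISP provided one or more IP addresses for stable
    // nameservers, you probably want to use them as forwarders
    // (uncomment and edit the block below). With no forwarder,
    // the root servers are used.
    //forwarders {
    //    192.168.1.1;
    //};

    // If BIND logs error messages about the root key being expired,
    // you will need to update your keys. See https://www.isc.org/bind-keys
    dnssec-validation auto;

    auth-nxdomain no;    # conform to RFC1035

    // Listen on every interface, IPv4 and IPv6. To listen only on certain
    // interfaces list them instead, e.g. listen-on { 127.0.0.1; 192.168.1.10; };
    listen-on { any; };
    listen-on-v6 { any; };

    // Only LAN and loopback clients may read the cache or request recursion.
    // allow-recursion is written out explicitly rather than left for BIND to
    // derive from allow-query-cache, so the open-resolver guard is visible
    // here. Authoritative answers for the local zones stay available to any
    // client that reaches the listener (allow-query is left at its default).
    allow-query-cache { "lan-clients"; };
    allow-recursion { "lan-clients"; };

    // No secondary servers exist, so refuse zone transfers (AXFR/IXFR)
    // globally; a zone's own allow-transfer overrides this where a
    // secondary is later added.
    allow-transfer { none; };

    // Hide the real version string (answer to version.bind CH TXT queries)
    // so the software release is not trivially fingerprinted.
    version "not currently available";

    // Left at defaults; documented here for future tuning:
    // recursion no;               // authoritative-only mode; this server also resolves for the LAN, so recursion stays on
    // dnssec-enable no;           // zone not signed - yes by default since BIND 9.5
    // minimal-responses yes;      // optional - improved performance
    // additional-from-auth no;    // optional - improved performance
    // additional-from-cache no;   // optional - minimal performance change
};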
// ----------------------- Logging -----------------------
// log to /var/log/bind/bind9_info.log all events from info UP in severity (no debug)
// uses 3 files in rotation; swaps files when the size reaches 250K
// failure messages up to this point are in (syslog) /var/log/messages
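logging {
    // Persistent operational log: info and above, 3 rotated files of 250K.
    channel custom_log {
        file "/var/log/bind/bind9_info.log" versions 3 size 250k;
        severity info;
        print-time yes;
        print-category yes;
    };

    // Verbose per-category log, 2 rotated files of 50m.
    // NOTE(review): no "severity" statement is set on this channel, so
    // despite its name it records at BIND's default severity, not debug
    // detail; add "severity debug;" (and run named with -d) if that is
    // actually wanted.
    channel "debug" {
        file "/var/log/bind/bind-dbg.log" versions 2 size 50m;
        print-time yes;
        print-category yes;
    };

    // Every category not listed explicitly below.
    category default { custom_log; };

    // Security-relevant categories go to BOTH files. Listing them only
    // under "debug" would divert ACL denials, refused transfers and
    // rejected updates away from the persistent info log into a file
    // that rotates away after 2 x 50m.
    category "security" { custom_log; "debug"; };
    category "update"   { custom_log; "debug"; };
    category "xfer-in"  { custom_log; "debug"; };
    category "xfer-out" { custom_log; "debug"; };

    // Verbose categories: debug file only. "queries" records every client
    // query (source address and name) - useful for detection, but it is
    // personal data and grows quickly; keep the retention in mind.
    category "general"      { "debug"; };
    category "database"     { "debug"; };
    category "config"       { "debug"; };
    category "resolver"     { "debug"; };
    category "notify"       { "debug"; };
    category "client"       { "debug"; };
    category "unmatched"    { "debug"; };
    category "network"      { "debug"; };
    category "queries"      { "debug"; };
    category "dispatch"     { "debug"; };
    category "dnssec"       { "debug"; };
    category "lame-servers" { "debug"; };
};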
named.conf.local:
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
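// Forward zone for the internal "dev" top-level name, data in db.dev.
// NOTE(review): "dev" has since become a public ICANN TLD and browsers
// preload it for HSTS, so this zone shadows real *.dev names and plain
// http://host.dev URLs are upgraded to https by the browser. A reserved
// name (e.g. "test", "example" or "home.arpa") avoids the collision;
// confirm before relying on "dev".
zone "dev" {
    type master;
    file "/etc/bind/db.dev";
    // No secondaries are configured, so refuse zone transfers outright;
    // depending on the BIND version the default otherwise permits AXFR to
    // any client, exposing the whole zone.
    // allow-transfer { 10.0.0.1; }; // Slave server for the domain
    allow-transfer { none; };
    allow-update { none; }; // Don't allow dynamic updates from other hosts
};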
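// Reverse zone for 192.168.1.0/24 (PTR records), data in db.1.168.192.
zone "1.168.192.in-addr.arpa" {
    type master;
    file "/etc/bind/db.1.168.192";
    // Same policy as the "dev" zone: no transfers, no dynamic updates.
    allow-transfer { none; };
    allow-update { none; };
};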
named.conf.default-zones:
// prime the server with knowledge of the root servers
zone "." {
    // "hint" means this server is not authoritative for the root; the
    // file only tells it where the root servers are so lookups for
    // everything else can start there.
    type hint;
    // Root hints as shipped by the distribution. The upstream copy is
    // maintained by InterNIC at ftp://ftp.internic.net/domain/named.root
    file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
    // "master": this server holds the zone itself and never asks
    // anyone else about "localhost".
    type master;
    file "/etc/bind/db.local";
};
// Reverse zone for the loopback network 127.0.0.0/8.
zone "127.in-addr.arpa" {
    type master;
    file "/etc/bind/db.127";
};
// Reverse zone for 0.0.0.0/8 (the "this network" broadcast range).
zone "0.in-addr.arpa" {
    type master;
    file "/etc/bind/db.0";
};
// Reverse zone for 255.0.0.0/8 (the limited-broadcast range).
zone "255.in-addr.arpa" {
    type master;
    file "/etc/bind/db.255";
};
db.dev:
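;
; BIND data file for the "dev" local TLD (zone "dev"), served by 192.168.1.10
;
; Bump the Serial every time this file changes, even with no secondaries
; configured, so a later secondary or a cache comparing SOAs sees the change.
;
$ORIGIN dev.
$TTL    604800
@       IN      SOA     ns.dev. root.localhost. (
                              4         ; Serial (incremented: apex AAAA removed)
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.dev.
@       IN      A       192.168.1.10
; No AAAA record at the apex on purpose: "@ IN AAAA ::1" (the line the Debian
; db.local template uses for localhost) would make dual-stack clients resolve
; "dev" to their own loopback while the A record points at the server. If the
; server has a routable IPv6 address, add "@ IN AAAA <SERVER_IPV6>" (placeholder).
ns      IN      A       192.168.1.10
otro    IN      A       192.168.1.100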
db.1.168.192:
;;
;; db.1.168.192 - reverse lookup zone for 192.168.1.0/24 (1.168.192.in-addr.arpa)
;; There is no $ORIGIN line: owner names such as "10" are relative to the
;; zone name given in named.conf.local.
;;
$TTL    2D
@       IN      SOA     ns.dev. root.localhost. (
                              3         ; Serial
                         604800         ; Refresh
                          86400         ; Retry
                        2419200         ; Expire
                         604800 )       ; Negative Cache TTL
;
@       IN      NS      ns.dev.
; last octet of the address -> host name
10      IN      PTR     ns.dev.         ; The nameserver, 192.168.1.10
100     IN      PTR     otro.dev.
Referencias:
http://blog.philippklaus.de/2011/04/get-your-own-dns-server-up-and-running-with-bind9-on-ubuntu-or-debian/
http://www.server-world.info/en/note?os=Debian_6.0&p=dns
http://www.cameratim.com/computing/linux/using-bind-as-a-local-dns-server
http://www.zytrax.com/books/dns/ch8/aaaa.html