Hey Greyfox,
Here it tells you how to install Bind 9.3.1
Install BIND by running the following commands:
sed -i -e "s/dsssl-stylesheets/&-1.79/g" configure &&
./configure --prefix=/usr --sysconfdir=/etc \
--enable-threads --with-libtool &&
makeIssue the following commands to run the complete suite of tests. First, as root, set up some test interfaces:
bin/tests/system/ifconfig.sh upNow run the test suite as an unprivileged user:
make check 2>&1 | tee check.logAgain as root, clean up the test interfaces:
bin/tests/system/ifconfig.sh downIssue the following command to check that all 145 tests ran successfully:
grep "R
ASS" check.log | wc -lFinally, install the package as the root user:
make install &&
chmod 755 /usr/lib/{lib{bind9,isc{,cc,cfg},lwres,dns}.so.*.?.?} &&
cd doc &&
install -v -d -m755 /usr/share/doc/bind-9.3.1/{arm,draft,misc,rfc} &&
install -v -m644 arm/*.html \
/usr/share/doc/bind-9.3.1/arm &&
install -v -m644 draft/*.txt \
/usr/share/doc/bind-9.3.1/draft &&
install -v -m644 rfc/* \
/usr/share/doc/bind-9.3.1/rfc &&
install -v -m644 \
misc/{dnssec,ipv6,migrat*,options,rfc-compliance,roadmap,sdb} \
/usr/share/doc/bind-9.3.1/miscCommand Explanations
sed -i -e ... configure: This command forces configure to look for the DSSSL stylesheets in the standard BLFS location.
--sysconfdir=/etc: This parameter forces BIND to look for configuration files in /etc instead of /usr/etc.
--enable-threads: This parameter enables multi-threading capability.
--with-libtool: This parameter forces the building of dynamic libraries and links the installed binaries to these libraries.
chmod 755 /usr/lib/{lib{bind9,isc{,cc,cfg},lwres,dns}.so.*.?.?}: Libtool does not set the permissions for these libraries correctly so they are fixed here.
cd doc; install ...: These commands install the additional package documentation. Optionally, omit any or all of these commands.
Configuring BIND
Config files
named.conf, root.hints, 127.0.0, rndc.conf and resolv.conf
Configuration Information
BIND will be configured to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.
Create the unprivileged user and group named:
groupadd -g 20 named &&
useradd -m -c "BIND Owner" -g named -s /bin/false -u 20 namedSet up some files, directories and devices needed by BIND:
cd /home/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /home/named/dev/null c 1 3 &&
mknod /home/named/dev/random c 1 8 &&
chmod 666 /home/named/dev/{null,random} &&
mkdir /home/named/etc/namedb/pz &&
cp /etc/localtime /home/named/etcThen, generate a key for use in the named.conf and rdnc.conf files using the rndc-confgen command:
rndc-confgen -b 512 | grep -m 1 "secret" | cut -d '"' -f 2Create the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:
cat > /home/named/etc/named.conf << "EOF"
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
algorithm hmac-md5;
secret "[Insert secret from rndc-confgen's output here]";
};
zone "." {
type hint;
file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};
// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.
logging {
category default { default_syslog; default_debug; };
category unmatched { null; };
channel default_syslog {
syslog daemon; // send to syslog's daemon
// facility
severity info; // only send priority info
// and higher
};
channel default_debug {
file "named.run"; // write to named.run in
// the working directory
// Note: stderr is used instead
// of "named.run"
// if the server is started
// with the '-f' option.
severity dynamic; // log at the server's
// current debug level
};
channel default_stderr {
stderr; // writes to stderr
severity info; // only send priority info
// and higher
};
channel null {
null; // toss anything sent to
// this channel
};
};
EOFCreate the rndc.conf file with the following commands:
cat > /etc/rndc.conf << "EOF"
key rndc_key {
algorithm "hmac-md5";
secret
"[Insert secret from rndc-confgen's output here]";
};
options {
default-server localhost;
default-key rndc_key;
};
EOFThe rndc.conf file contains information for controlling named operations with the rndc utility.
Create a zone file with the following contents:
cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@ IN SOA ns.local.domain. hostmaster.local.domain. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.local.domain.
1 PTR localhost.
EOFCreate the root.hints file with the following commands:
Note
Caution must be used to ensure there are no leading spaces in this file.
cat > /home/named/etc/namedb/root.hints << "EOF"
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
EOFThe root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. A current copy of root.hints can be obtained from
ftp://rs.internic.net/domain/named.root. Consult the BIND 9 Administrator Reference Manual for details.
Create or modify resolv.conf to use the new name server with the following commands:
Note
Replace [yourdomain.com] with your own valid domain name.
cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search [yourdomain.com]
nameserver 127.0.0.1
EOFSet permissions on the chroot jail with the following command:
chown -R named.named /home/namedBoot Script
To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the blfs-bootscripts-6.1 package.
make install-bindNow start BIND with the new boot script:
/etc/rc.d/init.d/bind startTesting BIND
Test out the new BIND 9 installation. First query the local host address with dig:
dig -x 127.0.0.1Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:
dig
www.linuxfromscratch.org &&
dig
www.linuxfromscratch.org
you might Also wanna Check out this Link, it tells you how to run BIND 9 nameserver to run in a chroot jail and as a non-root user
http://tldp.org/HOWTO/Chroot-BIND-HOWTO.html
Sources:
http://www.linuxfromscratch.org/blfs/view/6.1/server/bind.html
hope this Helps,
Jake
