Enterprise Bind 9.4.2 Caching nameserver

Bind is the de-facto DNS server used in almost all kinds of environment all over the world.
This article is a How-To for creating a local caching name server for your network to resolve DNS hostnames faster and also to conserve your precious bandwidth.

The Domain Name System (DNS) is the crucial glue that keeps computer networks in harmony by converting human-friendly hostnames to the numerical IP addresses computers require to communicate with each other. DNS is one of the largest and most important distributed databases the world depends on by serving billions of DNS requests daily for public IP addresses. Most public DNS servers today are run by larger ISPs and commercial companies but private DNS servers can also be useful for private home networks.

Without DNS, most of the Internet comprising WWW, Email, etc will simply fail to work!
This How-To can to be used for running bind as a fast caching name server from a small network to a large corporate environment.

A caching only name server will find the answer to name queries and remember the answer the next time you need it. You can configure a caching name server to query the ROOT servers directly or use it to forward to your ISP name servers to build a very big and effective cache.

This will shorten the waiting time the next time significantly, especially if you’re on a slow connection.

Having said that, this guide can be used for both Linux based and BSD based operating systems.

As of today (17-Dec-2007), the latest stable version of Bind is 9.4.2

(1.) Create the bind UserID and Group

groupadd bind
useradd -g bind bind

(2.) Download the latest copy of Bind

mkdir -p /usr/local/src

cd /usr/local/src

wget http://ftp.isc.org/isc/bind9/9.4.2/bind-9.4.2.tar.gz

(3.) Unzip the source file

tar zxvf bind-9.4.2.tar.gz

(4.) cd bind-9.4.2

(5.) Compile bind with the following parameters:

./configure –prefix=/usr \
–sysconfdir=/etc/namedb \
–mandir=/usr/share/man \
–localstatedir=/var

(6.) make

(7.) make install

If all goes well, bind is installed and we can go to the configuration part!

(8.) create the necessary directories and files

mkdir -p /var/run/named/
touch /var/run/named/pid

mkdir -p /var/dump
touch /var/dump/named_dump.db

mkdir -p /var/stats
touch /var/stats/named.stats

mkdir -p /var/log/named/
touch /var/log/named/queries.log

chown -R bind:bind /etc/namedb
chown -R bind:bind /var/log/named
chown -R bind:bind /var/run/named
chown -R bind:bind /var/dump
chown -R bind:bind /var/stats

(9.) Generate your usable rndc.conf file using rndc-confgen with the key name “dnssecret”

with a key size of 256 bits.

rndc-confgen -a -c /etc/namedb/rndc.conf -k dnssecret -b 256

(10.) cd /etc/namedb

(11.) vi named.conf

Copy and paste the following configuration:

############# Start of /etc/namedb/named.conf ################

acl local {
127.0.0.1;
192.168.0.0/24;
172.16.0.0/24;
10.0.0.0/24;
};

options {
directory “/etc/namedb”;
pid-file “/var/run/named/pid”;
dump-file “/var/dump/named_dump.db”;
statistics-file “/var/stats/named.stats”;

listen-on { 127.0.0.1;};
listen-on { 192.168.0.1; };
listen-on { 172.16.0.1; };
listen-on { 10.0.0.1; };

#The following forwarders will only be needed if you want your cache to forward DNS #requests

to your ISP DNS servers.

forwarders {
IP.OF.ISP.DNSSERVER1;
IP.OF.ISP.DNSSERVER2;
};

query-source address * port 53;
};

key “dnssecret” {
algorithm hmac-md5;
secret “Copy and paste your dnssecret key generated by rndc-confgen”;
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { “dnssecret”; };

};

zone “.” {
type hint;
file “named.root”;
};

##We need to log the dns queries of our clients

/*
options {
statistics-file “named-stats.log”;
}
*/

logging {
channel queries_log {
file “/var/log/named/queries.log” versions 5 size 50m ;
print-severity yes;
print-time yes;
};
category queries { queries_log ; };
};

############## End of /etc/namedb/named.conf #################

(12.) Next the named.root file listing the root name servers.

dig > /etc/namedb/named.root

(13.) Add the localhost entry in /etc/resolv.conf

vi /etc/reslov.conf

search example.com
nameserver 127.0.0.1
nameserver 192.168.0.1
nameserver 172.16.0.1
nameserver 10.0.0.1

(14.) Run your newly configured Bind caching name server

/usr/sbin/named -u bind -c /etc/namedb/named.conf

(15.) Check for any syntax mistakes and possible errors in /var/log/messages and run a few

dns tests.

dig cnn.com
dig isc.org
dig mit.edu
dig squid-cache.org
dig freebsd.org

(16.) If all the hostnames resolves into IP addresses, you should see the entries in your

queries.log

tail -f /var/log/named/queries.log

You should see something like the following queries:

05-Oct-2007 13:31:35.457 info: client 127.0.0.1#51604: query: cnn.com IN A +
05-Oct-2007 13:31:40.337 info: client 127.0.0.1#56894: query: isc.org IN A +
05-Oct-2007 13:31:44.657 info: client 127.0.0.1#52537: query: mit.edu IN A +
05-Oct-2007 13:31:50.959 info: client 127.0.0.1#51148: query: squid-cache.org IN A +
05-Oct-2007 13:31:56.153 info: client 127.0.0.1#65424: query: freebsd.org IN A +

Lastly, to illustrate the effectiveness and caching capabilities of this bind server, the following graph provides the graphical details:

bind-dns-traffic

Bind DNS Queries Graph

Yellow: Successful DNS queries

Red: DNS Failures queries

bind-bandwidth-traffic

Bind Bandwidth/Traffic Utilization

Since Bind uses UDP instead of TCP to perform DNS queries, it’s traffic usage is much smaller and faster. Even though there are thousands of DNS requests per minute, international bandwidth consumed is only about 256/128 kbps

 

 

Happy DNS caching!!!

Advertisements

5 responses to “Enterprise Bind 9.4.2 Caching nameserver

  1. Hi Teklimbu,
    I am again with your articles its working till now well. But when I copy the configaration file I had to reytpe all of “” invited coma.
    Please tell me how to automatic start BIND after restart Linux Box. I am already insert this command at /etc/rc.local as /usr/sbin/named -u bind -c /etc/namedb/named.conf but its not work. Now I am starting it manualy after each restart my Linux Box.

  2. It is also ok now.
    After flow this instruction:
    ————————————————————
    “I think that you are getting this error due to SELinux being enabled in your Linux box. I guess you are running Fedora?

    So typing: “setenforce 0″ disables it until the next reboot.

    If you don’t want to disable SELinux completely, why don’t you just run SELinux in permissive mode?

    (1.) vi /etc/selinux/config

    #Set policy to permissive
    SELINUX=permissive

    This way, the SELinux settings will be saved and rebooting won’t make a difference.

    Hope it helps.”

  3. Hi Teklimbu,
    I am again with your articles its working till now well. But when I copy the configaration file I had to reytpe all of “” invited coma.
    Please tell me how to automatic start BIND after restart Linux Box. I am already insert this command at /etc/rc.local as /usr/sbin/named -u bind -c /etc/namedb/named.conf but its not work. Now I am starting it manualy after each restart my Linux Box.

  4. i am learning solaris.i need you continus guidence.hope you will help me.

  5. after CVE-2008-1447 , please stop using source port 53 directive, since it’s insecure.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s