From the course: LPIC-2 Linux Engineer (202-450) Cert Prep

Installing the BIND DNS server

- Do you need a name server for your network? Stay tuned to see how to install BIND on Linux.

- [Introducer] You're watching ITproTV. (techno music)

- Welcome to LPIC-2: Linux Engineer. I'm Sophie, and this is Don. And to kick us off, we're going to be talking about installing the BIND DNS server. So can you tell us a little bit more about this server?

- Absolutely. You know, we're going to learn about what is really the most common DNS server that's used on Linux, and you should be familiar with DNS by now, the Domain Name System, how we resolve names and IP addresses. Well, we need a server to do that, and the most common one is BIND. So in this episode, we're going to get a chance to see how to get it installed, do a basic configuration, and get it online. We're going to continue in the follow-up episodes with how to further configure it, set up zones, and so on. In this episode, we're focused on just getting the name server up and running.

- So I know BIND is an acronym. Could you tell us a little bit more about the BIND DNS server?

- Sure. So we're going to focus on BIND version 9, and while version 9 sounds really current, BIND is a very mature DNS server that has been around since the late 1980s. BIND 9 itself has been out for over 20 years. And the reason it's like that is DNS really hasn't changed much in 20 years. They've introduced some new security records like DNSSEC, but those are just new records. The server itself didn't have to change at all to support that. So it is incredibly stable, reliable, and mature, which means it doesn't require a lot of changes to happen. Now, BIND itself was actually developed at the University of Berkeley. It was part of BSD Unix back in the day, and BIND stands for the Berkeley Internet Name Domain, which was just kind of like their internal name for it. And now we just call it BIND. Now, it's no longer managed by Berkeley. It's actually managed by the ISC and I've got their webpage pulled up right here. The ISC is the Internet Systems Consortium and they are kind of the stewards of BIND because they wanted to basically make it where it was something that was internationally usable and not really governed by one particular country. So that's what the ISC does and they manage it. Now, we don't have to go to the ISC website to get BIND. It's typically the default that we'll find on a lot of systems, or we can at least find the packages that are available inside of the repos for whatever distro that we're using.

- And it's pretty impressive that it was released so long ago, but there haven't really been many changes, but I guess they say, if it ain't broke, don't fix it. So that does make sense. Now is BIND included with most distros?

- So it's usually in the repos, it's not normally installed by default. And in fact, we're seeing that today more than ever before. Like it used to be that yeah, some distros had it. Now, almost no distros have BIND installed by default. They're in the repos. We can install it if we want. All right, now the name of it might be a little bit different depending on what distro you're running. So it might be called bind, might be called bind9. It might be called named, or the name daemon. So it could have a different name depending on your distro, but it is typically there. And you can usually poke around in your distros to be able to find it. If you're running it by default, well, first off, I'd be curious what distro you're running, 'cause I haven't seen that in a while, but it might already be there. The main reason it's not installed by default, let me show you real quick. I'm going to bring up, I've got a standard Ubuntu server installed here, and let me just see what version I'm on. I'm on 20.04.3. So that's the newest of the long-term support models. And I did, basically, a clean install. I did change my wallpaper I guess, but it's a clean install. On this system, if I pull up my network services, so if I do like a sudo ss -natp, just to see what programs are listening on ports, I can see that I have a program listening on port 53, which is where DNS would normally run. And I can see that it's systemd-resolved. The resolve daemon, that's a part of the system daemon, well, that's being used for name resolution in systemd. Almost all Linux distros run systemd. And that means the port that BIND uses is already taken. That's why it's not installed by default, but we can get it on there if we need it.

- So how do I figure out what BIND is called for my distro?

- You know, you could check the documentation. If I'm in a hurry, I usually just poke around with a couple of common names, right? So I know named, bind, dns. Those are common names. So like here on Ubuntu, I can just search for one of those real quick. I could say sudo apt list name*, like show me any package that starts with the word "name." I only find one, Name Cheap. That's probably not what I want. So then I'll do bind* and see what comes up there. And now I'm starting to see the bind9 packages right there. And if you look, you'll find one in here that is just called bind9, that's going to be the DNS server. And if you're not sure you can do a sudo apt info bind9, and that'll show you a little bit more about that package to make sure. And I can see this one is the BIND 9 server. That's the one that I want to install.

- [Sophie] Okay. So I noticed a package here called bind9-dnsutils. So how is that different from bind9-utils?

- Okay, so there's a couple of different packages involved. And so I mentioned, let me pull my list back up. Here we go. I mentioned how the bind9 package, that's the one that I want, but there's several others that come along with it. And they each serve kind of a different purpose depending on what it is you're trying to do. So, for example, there's bind9-utils and there's bind9, here's another bind9 util, same name, bind9-dnsutils. So you can use the info command to be able to find a little more information about each of those and what they do and why they're there. But basically, the bind9-utils package, this guy right here, the bind9-utils package, that one has tools for maintaining the DNS server, right? So those are my server utilities. And then the bind9-dnsutils. Those are tools for a client. So if I'm a user trying to connect to a DNS server, there's going to be tools in there, like nslookup and dig and other utilities that we use to interface with a DNS server, versus bind9-utils. They'll have tools like rndc that let you remotely manage a domain, a DNS server. So each kind of serves a different purpose. So poke around and look at it. But the one that's called bind9, that's the one that actually has the server. And technically that's the only one we need.

- [Sophie] Okay. So does BIND start answering queries right away? Or do we have to configure it first?

- So we do have to configure it. Yeah. Installing it's pretty easy. Once it's installed, it's there, but it's not going to actually answer queries until we do three basic things. You know, we do need to start the service, I guess there's that, right? It's not going to do anything unless we start it, but we need to define the listening ports. So what ports is it going to listen to? DNS does default to port 53, but you can also do secure DNS and other things. It might need to run on a different port, as well as avoiding conflicts. We need to configure an access control list to restrict who has access to the DNS server, who can do zone transfers and things of that nature. And then lastly, miscellaneous options. There's other things that we can set like DNS forwarders, and we can get those put in place. Once we've got all that defined, then we can start up BIND, and then it's ready to rock and get in and start answering queries.

- You said the first thing we need to do to configure it is to determine our listen ports. So how do we do that?

- Right. Okay. So let's go through that process. So I haven't actually installed BIND on this system yet. So let's get it installed, which is pretty easy. We can just say sudo apt install bind9. And when I run that, it's going to look for dependencies, see how it's installing the bind9-utils package. That's the utilities for the service. So it's going to install those automatically. It's not installing the bind9-dnsutils, but I normally do want those because I can use it for troubleshooting, but I'll leave 'em off for right now. So I'll go ahead and let those install, and that's going to install the server, but like I told Sophie a moment ago, it's not actually going to do anything. It's not going to start answering queries or whatever. It's not even started yet. So now I need to go in and do a little bit of work. But before I move on, I just want to highlight right here. It created a symlink for systemd, and look at the name. Right there. named.service, pay attention to what that name is on your distro, 'cause it might be a little bit different. When we use the systemctl command to start, stop or restart BIND, that's the name we have to use. And I can see mine, even though the package was called bind9, the service is called named. So always keep an eye out for that. All right, then I want to configure my listener ports. So that's done inside of BIND's configuration. I showed using the ss command to be able to view what ports are already in use. I know port 53 is already in use on my system because of systemd-resolved. I could turn that off on a server. On a client I wouldn't want to do that, but I could also just move DNS to a different port or tie it to a particular IP address. To do that, we need to modify our configuration, and that is found in /etc/bind. So I'm going to change directory into /etc/bind and just take a look at the files that are in there. There's a lot of stuff. Some of these are important. Some of them are not. You'll see some database files, some key files. Most of these are either empty or auto-generated. So, you know, we'll deal with them in other episodes. But the one that I want is named.conf. Now that's the primary configuration file for BIND, but they don't recommend that you edit it. In other words, it's supposed to serve as kind of the default configuration. When you upgrade BIND in some scenarios, that file can get overwritten and you can lose your changes. So instead, I want to put my changes in a different file. Notice how I have named.conf.options and named.conf.local. Those are the two files that I'm going to use to put my configuration in. named.conf.local, we'll deal with in another episode, that's where we define our zones, but named.conf.options, that's the one that stores my server options. So I'm going to edit that. I'll do a sudoedit named.conf.options, and we'll go in there. On Ubuntu, this is really well documented. On other distros, it may be empty. It may just have a couple of little things in there, but basically here's where we come through, where we put the information that dictates how our server is going to function. And looking at mine, it is well documented, but there's not actually a whole lot in here on this one. So what I want to do is not documented. I want to configure my listener port. Well, I do have one listener down here at the bottom. See how it says "listen-on-v6 any"? So it's listening on any IPv6 address that I have. Well, that's good. What about IPv4? Not on the list, right? And as I scroll up, I don't really see anything in here either. So, so much for documentation. So I'm going to come in and add an extra entry in here. This whole thing is wrapped up under the options tag. So at the top, it says "options," with a curly brace. And then inside of that is where I'm going to add other things. And I'm just going to come in here, to the line right above "listen-on-v6". And I'm going to add another entry. I'm going to say "listen-on port 53", and then I'll do a curly brace and I'll specify the IP addresses that I want to listen on. So maybe I just want this one to listen on the loopback address. I could type 127.0.0.1 and leave it like that, or I could do a semicolon and add another address. I'll add the address of my server, which is 10.0.222.51. And then I'll close that curly brace and stick a semicolon on the end. Now the server knows that I also wanted to listen on this other port. Okay. Now we do have to be careful. If the listeners are defined in another spot, then this command will override what was in the other spot. If we wanted to supplement what's in the other spot, then we need to do something a little bit different, which is add a plus character before it, but in my case, I want it to replace. So it is kind of set up the way I want it. Oh, I spelled "listen" wrong. Let me fix that. So it is the way that I want it to be. That's it. Now it knows I want it to listen on those addresses, and it's going to default to port 53.

- Now that we've configured those listen ports, the next thing we talked about was an access control list. So do we configure that in the same place?

- You know, I don't normally use ACLs inside of DNS because I can use a firewall to do it, but you can create an ACL inside of here to dictate who's allowed to connect. And it's really useful when you're setting up replication. So if I have more than one DNS server, like a primary and a secondary, and I want to do zone transfers, I probably want to put an ACL in place to limit who can do a zone transfer. I don't want just anybody on the internet to be able to connect up and download my whole zone, right? I want them to at least have to know the names to be able to get in and find it. So we can add an ACL if we want. It's added right here in the options, just like we've seen. I would just add a new line and type in acl. I would give it a name. So maybe I'll call mine trusted-hosts, like that. And then I would open up a curly brace. And then from here, I could add in whatever restrictions I wanted to put. So they have a whole syntax for that. I could allow localhost, for example. I could allow all local networks if I wanted by saying "localnets". And I could put in IP addresses for individual machines that I want to be able to connect, and so on. You just kind of list them here like that. And then inside of, oh, actually I am making a big mistake here that I need to fix. I put the ACL inside of the options segment. You're actually supposed to define the ACL after the options segment. So I need to kind of move that to a different place. So I'm going to just cut that. Whoops. And I highlighted it the wrong way. So let me highlight the right way, and then I'm going to cut that and move it down here to the bottom of the screen. So I need to define the ACL outside of the options segment, because I'm going to attach the ACL in the options segment. So once I get that put in the right place, like that, then I'm going to come back up to options. And in this section here, I can add another entry that just says allow-query. And then I can specify who's allowed to connect. So I might say trusted-hosts is the name of my ACL. And I can also say allow-transfer. And here's where I'd specify my other DNS servers, if I had other ones, or I could just say none. If I don't want anybody to be able to do a transfer, I could outright block that. And now no one's allowed to do a zone transfer off my server. So each of these little entries is just kind of customizing the way the server behaves.

- [Sophie] And all of that's going to bring us to the final step, which is just miscellaneous options. And for me, it's a little vague. So what are the other options that we're probably going to need to configure?

- You might choose to set things like a default domain name. You know, if somebody does a single name lookup, that'll append a lookup zone to it, you might want to do that. You might choose to put in additional ACLs for different purposes, if you want. What are some other things? I'm trying to think of things that I normally configure on these. Recursion! If somebody does a lookup against my server, and I don't have the answer, do I want to allow going out to another server to find an answer? That's called recursion. We might want to turn that on or off. So to do that, I would just go back up into my options section here. I'm just going to add another line and I could say recursion yes. And throw in a semicolon right there. So now it'll allow recursion. I could use ACLs to restrict who could do recursion. So I could say allow-recursion and then specify the name of an ACL. So I would do my trusted-hosts again, that I've got. So I could define that. So that's an option. Forwarders, actually, forwarders is one of the only things documented. Here on my screen, up top, I've got the forwarders section. So I could open that up and add in some forwarders to use. Right now, it's got a forwarder of all zeros, which is not valid. So I need to change that to something that is valid. Maybe I want to forward to, like, Cloudflare, so I can put in their IP, or other servers, maybe Google. So if I don't know the answer, here's the servers I'm going to go out and talk to, and then, you know, get out there and get the answers that I need.

- [Sophie] Now, does BIND automatically apply all of our changes?

- It doesn't. So once we save this config file, these config files are only read when BIND starts. So I have to restart BIND to be able to go and load this file and bring it into place. So that is something to be aware of. We can edit this thing all day long. The changes won't actually do anything until we start up BIND, but it also means that you could potentially break something and not know it until you go to restart BIND, and you can end up in a bit of a headache. So we have a troubleshooting episode where we're going to take a look at how that works, but otherwise, if I want to test this out, I could just start up BIND. I'm going to run sudo systemctl. And since this is my first time starting it, I'm going to say enable --now. "enable" means I want BIND to start when my system starts. And "--now" says I want it to start right now. Otherwise, I could do systemctl start bind, well, named, and I'm going to put named.service as my unit name right there, because I saw that one. I did the install. That's what it's expecting. So sudo systemctl enable --now named.service. And, assuming I don't have any typos, which I'm pretty sure I do. I was typing kind of fast. If I don't have any typos, it'll start. Oh my goodness. I have magically somehow avoided having any typos. It fired up. Stay tuned for our troubleshooting episode, 'cause I'll show you how to check for typos even before you start it. It's a really handy thing to have. But I just got lucky on this one and it started up. Now my BIND server is ready to answer queries.

- I think I make an average of two typos per minute when I'm typing. So that's going to be a very helpful episode for me. So we've covered a lot of different configuration tasks. Are there any other tasks that we need to be worried about?

- You know, I mentioned firewalls earlier, so if you have a software firewall in place like UFW, iptables, whatever, you probably need to open up a port to allow that traffic to be able to come in. I think I am running UFW. Let me see, sudo ufw status. And yep. So I've got UFW turned on, so nobody would actually be able to query my system right now until I open that up. So I could open that up real quick by saying sudo ufw allow. I got a few different ways I could do this. There's actually a shortcut. I could just type Bind9 and it knows what Bind9 means. And so it's going to open that up. Or I could be a little more specific. I could say sudo ufw allow 53. I'm saying 53 by itself because DNS uses TCP and UDP. It uses both. So I don't want to specify a protocol here. So sudo ufw allow 53, and I can stick a comment on this so I can remember what it is. I'll say this is my BIND DNS server. I'll stick that in quotes. And let's take a look at UFW now, and now I can see I've got a couple of entries. The Bind9 shortcut is there, which would've worked. I could have left that alone, but I also have port 53 listed independently. So either way that opens it up. iptables, firewalld, they're all done a little bit different. So, you know, look to your syntax for that.

- You've definitely covered a lot of ground, given me a lot to chew on for this episode. Would you be able to kind of just wrap up what we talked about today?

- [Don] Sure. Yep. So in this episode, we did focus on getting BIND installed. We haven't actually done a query yet, so stay tuned for future episodes on that. We saw how to locate the package name, get it installed, do a basic configuration, and now have our server up and running. In the next few episodes we're going to continue to tweak that, add some lookup zones, add some other things and do some basic troubleshooting. You'll definitely want to catch it all.

- Like Don said, definitely stay tuned. We've got a lot more coming for you. Thanks so much for covering this for us. We'll see you next time. (techno music)

- [Introducer] Thank you for watching ITproTV. (techno music)
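As an added example (not the file shown on screen in the episode), this is the /etc/bind/named.conf.options that the steps above build up: IPv4 listeners, the trusted-hosts ACL, restricted queries, transfers and recursion, and real forwarders. The acl is placed before the options block because BIND requires an acl to be defined before it is referenced; the 10.0.222.0/24 range and the forwarder addresses are assumptions, the other addresses are the ones used in the episode.

```conf
// Added example: /etc/bind/named.conf.options on Ubuntu, assembled from the
// episode's steps. Not the instructor's file.

// The acl is a top-level statement and must appear BEFORE the options block
// that uses it; named rejects the config if trusted-hosts is referenced first.
acl trusted-hosts {
    localhost;         // the server itself
    localnets;         // every network the server has an interface on
    10.0.222.0/24;     // assumed LAN range for the 10.0.222.51 server
};

options {
    directory "/var/cache/bind";    // Ubuntu's default working directory

    // Listen on IPv4 loopback and the server's own address only.
    // This replaces any listen-on defined elsewhere; port 53 is the default.
    listen-on port 53 { 127.0.0.1; 10.0.222.51; };
    listen-on-v6 { any; };          // as shipped in the Ubuntu file

    // Who may query at all, and who may pull a full zone copy (AXFR).
    allow-query    { trusted-hosts; };
    allow-transfer { none; };       // list secondary servers here instead of none

    // Recursive lookups only for trusted clients, so the server is not an
    // open resolver for the whole internet.
    recursion yes;
    allow-recursion { trusted-hosts; };

    // Upstream servers for names this server is not authoritative for
    // (Ubuntu ships a placeholder of 0.0.0.0 here, which is not valid).
    forwarders {
        1.1.1.1;    // Cloudflare public resolver
        8.8.8.8;    // Google public resolver
    };

    dnssec-validation auto;         // Ubuntu default, kept as shipped
};
```

Since BIND only reads this file at startup, run sudo named-checkconf to catch syntax errors, then sudo systemctl restart named.service to load it.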