FreeBSDwiki - User contributions [en]

BIND, managing

2007-09-30T00:58:07Z

71.170.114.32: say "serial"

By far the easiest way to manage BIND is via [[webmin]], where its all GUI click and drop-down menus (see image below). But you should at the very least know how to manage it via command line for systems that you cannot set up [[webmin]] on for whatever reason or for those times when webmin fails.

To add records to a zone, you'll need to find that zone's file, edit it to include the record, '''increase your SOA serial number''' and reload your server with
rndc reload

If your server is a slave and you want it to retransfer the records from the master:
rndc retransfer

To check the status of your server:
rndc status

For example:

number of zones: 1077
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 1/0/1000
tcp clients: 0/100
server is up and running

To stop your server:
rndc stop

To flush the DNS cache:
rndc flush

BIND can be a pain to manage properly, and not without reason there are thousands of pages on how to do it written.

* [[http://www.bind9.net/manuals BIND9.net Manuals]]
* bind-users FAQ
* [[http://www.reedmedia.net/books/bind-dns BIND 9 DNS Administration Reference Book]]
* [[http://www.netwidget.net/books/apress/dns/ Pro DNS and BIND]]

And here's a screenshot of Webmin's "Bind 9 Dynamic Server" module (which you'll have to install seperately from the webmin.com site; the basic webmin BIND module doesn't do views very well and was designed for BIND 8):

http://images.penismightier.com/userfiles/Dave/bind9webmin.PNG

[[BIND]]

[[BIND (installing)]]

[[BIND (configuring)]]

[[BIND (securing)]]

[[Category:Configuring FreeBSD]]
[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, managing

2007-09-30T00:55:40Z

71.170.114.32: add URL for a resource; this wiki makes this tough

By far the easiest way to manage BIND is via [[webmin]], where its all GUI click and drop-down menus (see image below). But you should at the very least know how to manage it via command line for systems that you cannot set up [[webmin]] on for whatever reason or for those times when webmin fails.

To add records to a zone, you'll need to find that zone's file, edit it to include the record, '''increase your SOA number''' and reload your server with
rndc reload

If your server is a slave and you want it to retransfer the records from the master:
rndc retransfer

To check the status of your server:
rndc status

For example:

number of zones: 1077
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 1/0/1000
tcp clients: 0/100
server is up and running

To stop your server:
rndc stop

To flush the DNS cache:
rndc flush

BIND can be a pain to manage properly, and not without reason there are thousands of pages on how to do it written.

* [[http://www.bind9.net/manuals BIND9.net Manuals]]
* bind-users FAQ
* [[http://www.reedmedia.net/books/bind-dns BIND 9 DNS Administration Reference Book]]
* [[http://www.netwidget.net/books/apress/dns/ Pro DNS and BIND]]

And here's a screenshot of Webmin's "Bind 9 Dynamic Server" module (which you'll have to install seperately from the webmin.com site; the basic webmin BIND module doesn't do views very well and was designed for BIND 8):

http://images.penismightier.com/userfiles/Dave/bind9webmin.PNG

[[BIND]]

[[BIND (installing)]]

[[BIND (configuring)]]

[[BIND (securing)]]

[[Category:Configuring FreeBSD]]
[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, managing

2007-09-30T00:53:45Z

71.170.114.32: add two more external resources

By far the easiest way to manage BIND is via [[webmin]], where its all GUI click and drop-down menus (see image below). But you should at the very least know how to manage it via command line for systems that you cannot set up [[webmin]] on for whatever reason or for those times when webmin fails.

To add records to a zone, you'll need to find that zone's file, edit it to include the record, '''increase your SOA number''' and reload your server with
rndc reload

If your server is a slave and you want it to retransfer the records from the master:
rndc retransfer

To check the status of your server:
rndc status

For example:

number of zones: 1077
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 1/0/1000
tcp clients: 0/100
server is up and running

To stop your server:
rndc stop

To flush the DNS cache:
rndc flush

BIND can be a pain to manage properly, and not without reason there are thousands of pages on how to do it written.

* [[http://www.bind9.net/manuals BIND9.net Manuals]]
* bind-users FAQ
* [[http://www.reedmedia.net/books/bind-dns BIND 9 DNS Administration Reference Book]]
* Pro DNS and BIND

And here's a screenshot of Webmin's "Bind 9 Dynamic Server" module (which you'll have to install seperately from the webmin.com site; the basic webmin BIND module doesn't do views very well and was designed for BIND 8):

http://images.penismightier.com/userfiles/Dave/bind9webmin.PNG

[[BIND]]

[[BIND (installing)]]

[[BIND (configuring)]]

[[BIND (securing)]]

[[Category:Configuring FreeBSD]]
[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, managing

2007-09-30T00:51:55Z

71.170.114.32: added resourc ein last commit, now add URL

By far the easiest way to manage BIND is via [[webmin]], where its all GUI click and drop-down menus (see image below). But you should at the very least know how to manage it via command line for systems that you cannot set up [[webmin]] on for whatever reason or for those times when webmin fails.

To add records to a zone, you'll need to find that zone's file, edit it to include the record, '''increase your SOA number''' and reload your server with
rndc reload

If your server is a slave and you want it to retransfer the records from the master:
rndc retransfer

To check the status of your server:
rndc status

For example:

number of zones: 1077
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 1/0/1000
tcp clients: 0/100
server is up and running

To stop your server:
rndc stop

To flush the DNS cache:
rndc flush

BIND can be a pain to manage properly, and not without reason there are thousands of pages on how to do it written.

* [[http://www.bind9.net/manuals BIND9.net Manuals]]
* [[http://www.reedmedia.net/books/bind-dns BIND 9 DNS Administration Reference Book]]

And here's a screenshot of Webmin's "Bind 9 Dynamic Server" module (which you'll have to install seperately from the webmin.com site; the basic webmin BIND module doesn't do views very well and was designed for BIND 8):

http://images.penismightier.com/userfiles/Dave/bind9webmin.PNG

[[BIND]]

[[BIND (installing)]]

[[BIND (configuring)]]

[[BIND (securing)]]

[[Category:Configuring FreeBSD]]
[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, managing

2007-09-30T00:50:35Z

71.170.114.32: add resources bullet for resources and grammar fix

By far the easiest way to manage BIND is via [[webmin]], where its all GUI click and drop-down menus (see image below). But you should at the very least know how to manage it via command line for systems that you cannot set up [[webmin]] on for whatever reason or for those times when webmin fails.

To add records to a zone, you'll need to find that zone's file, edit it to include the record, '''increase your SOA number''' and reload your server with
rndc reload

If your server is a slave and you want it to retransfer the records from the master:
rndc retransfer

To check the status of your server:
rndc status

For example:

number of zones: 1077
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 1/0/1000
tcp clients: 0/100
server is up and running

To stop your server:
rndc stop

To flush the DNS cache:
rndc flush

BIND can be a pain to manage properly, and not without reason there are thousands of pages on how to do it written.

* [[http://www.bind9.net/manuals BIND9.net Manuals]]

BIND 9 DNS Administration Reference Book

And here's a screenshot of Webmin's "Bind 9 Dynamic Server" module (which you'll have to install seperately from the webmin.com site; the basic webmin BIND module doesn't do views very well and was designed for BIND 8):

http://images.penismightier.com/userfiles/Dave/bind9webmin.PNG

[[BIND]]

[[BIND (installing)]]

[[BIND (configuring)]]

[[BIND (securing)]]

[[Category:Configuring FreeBSD]]
[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, managing

2007-09-30T00:48:36Z

71.170.114.32: add "rndc status" example

By far the easiest way to manage BIND is via [[webmin]], where its all GUI click and drop-down menus (see image below). But you should at the very least know how to manage it via command line for systems that you cannot set up [[webmin]] on for whatever reason or for those times when webmin fails.

To add records to a zone, you'll need to find that zone's file, edit it to include the record, '''increase your SOA number''' and reload your server with
rndc reload

If your server is a slave and you want it to retransfer the records from the master:
rndc retransfer

To check the status of your server:
rndc status

For example:

number of zones: 1077
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 1/0/1000
tcp clients: 0/100
server is up and running

To stop your server:
rndc stop

To flush the DNS cache:
rndc flush

BIND can be a pain to manage properly, and not without reason are there thousands of pages on how to do it written.

[[http://www.bind9.net/manuals BIND9.net Manuals]]

And here's a screenshot of Webmin's "Bind 9 Dynamic Server" module (which you'll have to install seperately from the webmin.com site; the basic webmin BIND module doesn't do views very well and was designed for BIND 8):

http://images.penismightier.com/userfiles/Dave/bind9webmin.PNG

[[BIND]]

[[BIND (installing)]]

[[BIND (configuring)]]

[[BIND (securing)]]

[[Category:Configuring FreeBSD]]
[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, managing

2007-09-30T00:31:32Z

71.170.114.32: it's means "it is"

By far the easiest way to manage BIND is via [[webmin]], where its all GUI click and drop-down menus (see image below). But you should at the very least know how to manage it via command line for systems that you cannot set up [[webmin]] on for whatever reason or for those times when webmin fails.

To add records to a zone, you'll need to find that zone's file, edit it to include the record, '''increase your SOA number''' and reload your server with
rndc reload

If your server is a slave and you want it to retransfer the records from the master:
rndc retransfer

To check the status of your server:
rndc status

To stop your server:
rndc stop

To flush the DNS cache:
rndc flush

BIND can be a pain to manage properly, and not without reason are there thousands of pages on how to do it written.

[[http://www.bind9.net/manuals BIND9.net Manuals]]

And here's a screenshot of Webmin's "Bind 9 Dynamic Server" module (which you'll have to install seperately from the webmin.com site; the basic webmin BIND module doesn't do views very well and was designed for BIND 8):

http://images.penismightier.com/userfiles/Dave/bind9webmin.PNG

[[BIND]]

[[BIND (installing)]]

[[BIND (configuring)]]

[[BIND (securing)]]

[[Category:Configuring FreeBSD]]
[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, installing

2007-09-30T00:29:43Z

71.170.114.32: add to Related Links

The most common versions of BIND are 9 and 8, although you will occasionally see a BIND version 4 server around, they're not very common -- which is a good thing, since DNS bugs and vulnerabilities are Bad News and older versions of BIND were plagued with both.

BIND in FreeBSD is part of the base system -- it's already there and waiting for you. If you ''must'' install it yourself, you can do it from ports, but remember to use
# make -DWITH_PORT_REPLACES_BASE_BIND9 install clean
to overwrite the base installation.

Installing BIND is fairly straightforward; the latest version is 9.3.4-P1 and it's in ports:
# cd /usr/ports/dns/bind9
# make install clean
and you're pretty much done.

==Wait, I thought you said we were done==

Well, you're done if you want a standard install. If you want a really secure DNS server, you're probably going to want to install BIND in a [[chroot]] [[jail]]. It's a pain, but it means that even if your server gets compromised, the rest of the box isn't at risk.

When making a program live inside a jail, the important thing to remember is that everything that the program will need to access will need to live inside the same directories that are inside the jail environment. BIND needs to have some kind of randomness, so you'll need to put a copy of /dev/random inside the jail, as well as all the DNS config files and zone files etc are all in the same jail dir.

So the easy way to do it is to specify the directory that you want to build BIND into using the --prefix=/path/to/chroot/dir and --with-randomdev=/path/to/chroot/dir/dev/random

Rememer the [[chroot]] into your jail's ''chroot'' directory before you start BIND, and if you have any problems, it's likely because you are missing files in your jail that are necessary for your installation to run; [[ldd]] will help you find any missing libraries.

==Logging from within the [[chroot]] [[jail]]==
You may be interested in keeping logs of queries made to BIND, zone transfers, etc. This is easy enough using BIND's logging directive. However, because you've likely installed BIND within a chroot jail, you'll have just a few extra hoops to jump through to get logging to work correctly from within the chroot environment.

First, you need to tell syslogd, the syslog daemon, that it should listen for logging messages inside the jail, since BIND cannot send its logging messages outside the jail. To do this add
syslogd_flags=-ss -l /var/named/var/log
to your /etc/rc.conf file.

Second, tell BIND where to place its log files. If you chose the default installation of BIND9, BIND was installed to /var/named and that is where it is chrooted. Conveniently enough, there is a directory /var/named/var/log where it seems obvious to place your log files. So, in BIND9's named.conf file (/etc/namedb/named.conf) you might use a logging directive such as:
logging {
queries_file {
channel queries_file { file "/var/log/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
};
category queries { queries_file; };
};

Finally, you may forget that BIND's log files are located in the chroot jail. Therefore, you may wish to place a soft link in /var/log to the directory where your log files are located. For example:
cd /var/log
ln -s /var/named/var/log named

==Related Links==

[[BIND]]

[[BIND (configuring)]]

[[BIND (managing)]]

[[BIND (securing)]]

[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]

BIND, installing

2007-09-30T00:28:17Z

71.170.114.32: update bind version in ports (maybe shouldn't have the version in this wiki?)

The most common versions of BIND are 9 and 8, although you will occasionally see a BIND version 4 server around, they're not very common -- which is a good thing, since DNS bugs and vulnerabilities are Bad News and older versions of BIND were plagued with both.

BIND in FreeBSD is part of the base system -- it's already there and waiting for you. If you ''must'' install it yourself, you can do it from ports, but remember to use
# make -DWITH_PORT_REPLACES_BASE_BIND9 install clean
to overwrite the base installation.

Installing BIND is fairly straightforward; the latest version is 9.3.4-P1 and it's in ports:
# cd /usr/ports/dns/bind9
# make install clean
and you're pretty much done.

==Wait, I thought you said we were done==

Well, you're done if you want a standard install. If you want a really secure DNS server, you're probably going to want to install BIND in a [[chroot]] [[jail]]. It's a pain, but it means that even if your server gets compromised, the rest of the box isn't at risk.

When making a program live inside a jail, the important thing to remember is that everything that the program will need to access will need to live inside the same directories that are inside the jail environment. BIND needs to have some kind of randomness, so you'll need to put a copy of /dev/random inside the jail, as well as all the DNS config files and zone files etc are all in the same jail dir.

So the easy way to do it is to specify the directory that you want to build BIND into using the --prefix=/path/to/chroot/dir and --with-randomdev=/path/to/chroot/dir/dev/random

Rememer the [[chroot]] into your jail's ''chroot'' directory before you start BIND, and if you have any problems, it's likely because you are missing files in your jail that are necessary for your installation to run; [[ldd]] will help you find any missing libraries.

==Logging from within the [[chroot]] [[jail]]==
You may be interested in keeping logs of queries made to BIND, zone transfers, etc. This is easy enough using BIND's logging directive. However, because you've likely installed BIND within a chroot jail, you'll have just a few extra hoops to jump through to get logging to work correctly from within the chroot environment.

First, you need to tell syslogd, the syslog daemon, that it should listen for logging messages inside the jail, since BIND cannot send its logging messages outside the jail. To do this add
syslogd_flags=-ss -l /var/named/var/log
to your /etc/rc.conf file.

Second, tell BIND where to place its log files. If you chose the default installation of BIND9, BIND was installed to /var/named and that is where it is chrooted. Conveniently enough, there is a directory /var/named/var/log where it seems obvious to place your log files. So, in BIND9's named.conf file (/etc/namedb/named.conf) you might use a logging directive such as:
logging {
queries_file {
channel queries_file { file "/var/log/queries.log" versions 3 size 5m; severity dynamic; print-time yes; };
};
category queries { queries_file; };
};

Finally, you may forget that BIND's log files are located in the chroot jail. Therefore, you may wish to place a soft link in /var/log to the directory where your log files are located. For example:
cd /var/log
ln -s /var/named/var/log named

==Related Links==

[[BIND (configuring)]]

[[BIND (managing)]]

[[BIND (securing)]]

[[Category:Ports and Packages]]
[[Category:Common Tasks]]
[[Category:DNS]]