# installing bind 9.14.3



## sirmosi1986 (Jun 24, 2019)

Hi,
Recently I installed BIND 9.14.3 on FreeBSD 11.
I want to use this as a local DNS server and forward all other queries to the internet.
I've just installed BIND with the pkg command, and when I looked at /var there is no named directory for creating zones; it installed into /usr/local/etc/namedb. Is that ok?
Right now, when I set the DNS server on my Windows 8 client, it works, but not for local DNS, just for opening web pages outside my network.


----------



## SirDice (Jun 24, 2019)

sirmosi1986 said:


> I just installed bind with pkg(8) command and when I looked at /var there is no named directory for creating zone and it installed on /usr/local/etc/namedb. Is it ok ?


Yes. The /var/named/* is only created when you run BIND in a chroot configuration (it's off by default).


```
# named_chrootdir (str):            Chroot directory (or "" not to auto-chroot it)
#                                   Historically, was /var/named
# named_chroot_autoupdate (bool):   Automatically install/update chrooted
#                                   components of named.
```


----------



## sirmosi1986 (Jun 24, 2019)

SirDice said:


> Yes. The /var/named/* is only created when you run BIND in a chroot configuration (it's off by default).
> 
> 
> ```
> ...



So is it necessary to do this?
I just want to use this as a local DNS server and forward everything else to the internet.
If it's ok with the default installation, how should I make my zone files?


----------



## SirDice (Jun 24, 2019)

sirmosi1986 said:


> so is it necessary to do this ?


That's up to you to decide.


----------



## sirmosi1986 (Jun 24, 2019)

SirDice said:


> That's up to you to decide.



I just want to use this as a local DNS server and forward everything else to the internet.
If it's ok with the default installation, how should I make my zone files?


----------



## SirDice (Jun 24, 2019)

Why do you think it matters? Just create them in /usr/local/etc/namedb/{master,dynamic}.


----------



## sirmosi1986 (Jun 24, 2019)

SirDice said:


> Why do you think it matters? Just create them in /usr/local/etc/namedb/{master,dynamic}.



Because I'm new to FreeBSD and Linux too... but thanks, buddy.


----------



## tommiie (Jun 24, 2019)

May I suggest you read the BIND administrator's reference manual? It's very good documentation!


----------



## sirmosi1986 (Jun 24, 2019)

tommiie said:


> May I suggest you read the BIND administrator's reference manual? It's very good documentation!



Yeah, I read it, but it only goes up to 9.12, not 9.14.


----------



## SirDice (Jun 24, 2019)

sirmosi1986 said:


> it's till 9.12 not 9.14








BIND 9.14.0 Released (www.isc.org)
BIND 9.14.0 is our new stable branch for 2019. As of BIND 9.
				




There's no mention of any major configuration changes. No mention of doing things completely different either. So why do you think the version difference matters?


----------



## tommiie (Jun 24, 2019)

sirmosi1986 said:


> yeah i read but it's till 9.12 not 9.14


But you asked "how should I make my zone files" while the ARM explains this. There is no difference between 9.12 and 9.14 with regard to zone files.


----------



## hruodr (Jun 24, 2019)

sirmosi1986 said:


> i wanna use this as a local dns server and forward another queries to the internet.



The `unbound` that is in base does that. It listens on localhost:53. If you want to offer DNS on another, public, IP, you can install nsd.



> If it's ok with default installation how should I make my zone files?


 
Why not /etc/hosts?

Or perhaps `nsd` as forwarder to `unbound`? Never tried it.


----------



## sirmosi1986 (Jun 25, 2019)

SirDice said:


> BIND 9.14.0 Released
> 
> 
> BIND 9.14.0 is our new stable branch for 2019. As of BIND 9.
> ...



Ok, thank you so much anyway.
I read the article.


----------



## sirmosi1986 (Jun 25, 2019)

tommiie said:


> But you asked "how should I make my zone files" while the ARM explains this. There is no difference between 9.12 and 9.14 with regard to zone files.


Thanks buddy, I'll do it.


----------



## sirmosi1986 (Jun 25, 2019)

SirDice said:


> BIND 9.14.0 Released
> 
> 
> BIND 9.14.0 is our new stable branch for 2019. As of BIND 9.
> ...



I read the article up to how to set up and configure the named.conf file, but the problem is I don't know how to make the master zone file and the reverse one....
Is it needed? Because I just want to add records via my local network.


----------



## SirDice (Jun 25, 2019)

Why don't you start with something "simpler"? Setting up BIND isn't easy and requires quite a bit of knowledge of DNS. I would suggest you try local-unbound(8) first. There's no need to install anything, it comes with the OS. Another "easy" to use DNS (and DHCP) is dns/dnsmasq. It's relatively easy to set up, at least compared to BIND.


----------



## tommiie (Jun 25, 2019)

Perhaps adding entries to /etc/hosts would be a better fit for you. Or you could give dnsmasq(8) a try. I never used it but I believe it's a very simple DNS server for small (home) networks.


----------



## sirmosi1986 (Jun 25, 2019)

SirDice said:


> Why don't you start with something "simpler"? Setting up BIND isn't easy and requires quite a bit of knowledge of DNS. I would suggest you try local-unbound(8) first. There's no need to install anything, it comes with the OS. Another "easy" to use DNS (and DHCP) is dns/dnsmasq. It's relatively easy to set up, at least compared to BIND.


I get it.
I'm not a beginner in Linux or maybe DNS; I was a Microsoft admin before but work with Linux for fun or just for knowing it, and I just want to start being more useful in this area.
I found an article here and used it for creating zones.
So first I'm testing it in a virtual environment, and after that implementing it.


----------



## tommiie (Jun 25, 2019)

Excellent! That looks like a good article to get you started. When I took MCSA classes I learned about DNS and stuff, but it wasn't until I took some Linux classes (e.g. BIND) that I really learned how DNS on a protocol level works. That knowledge makes you that much better of an admin (is this a correct English sentence)? The same goes for Cisco courses. There you really learn how networking (and related protocols) work.

Welcome to Linux/BSD and enjoy the experience. You will learn more than you can imagine.


----------



## sirmosi1986 (Jun 25, 2019)

tommiie said:


> Excellent! That looks like a good article to get you started. When I took MCSA classes I learned about DNS and stuff, but it wasn't until I took some Linux classes (e.g. BIND) that I really learned how DNS on a protocol level works. That knowledge makes you that much better of an admin (is this a correct English sentence)? The same goes for Cisco courses. There you really learn how networking (and related protocols) work.
> 
> Welcome to Linux/BSD and enjoy the experience. You will learn more than you can imagine.



Thanks buddy,
I wish you the best.


----------



## sirmosi1986 (Jun 25, 2019)

tommiie said:


> Excellent! That looks like a good article to get you started. When I took MCSA classes I learned about DNS and stuff, but it wasn't until I took some Linux classes (e.g. BIND) that I really learned how DNS on a protocol level works. That knowledge makes you that much better of an admin (is this a correct English sentence)? The same goes for Cisco courses. There you really learn how networking (and related protocols) work.
> 
> Welcome to Linux/BSD and enjoy the experience. You will learn more than you can imagine.




Is it ok if I say "I have a DNS server with a hostname like a.local, and I have a zone inside my BIND server such as b.com"?
So my problem is, when I configure my forward zone files, what should I type as the SOA record?
Or can I write a nameserver in my forward zone with a different domain?


----------



## SirDice (Jun 25, 2019)

sirmosi1986 said:


> i have a dns server with hostname like a.local, and i have a zone inside my bind server such as b.com"?


Yes, they are not related or relevant.



sirmosi1986 said:


> or can i write a nameserver in my forward zone with diffrent domain?











What is the difference between Authoritative and Recursive DNS servers? (support.opendns.com)
DNS In A nutshell: DNS (the Domain Name System) is one of the most important protocols of the Internet's infrastructure. DNS allows people to connect to a website like "opendns.com", without y...


----------



## hruodr (Jun 25, 2019)

SirDice said:


> Why don't you start with something "simpler"?



I think `unbound` and nsd could be simpler than bind.

The config file /etc/unbound/unbound.conf for `unbound` may be something like:



```
server:
    ip-address: 127.0.0.1
    qname-minimisation: yes
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    ...
```



The config file /usr/local/etc/nsd/nsd.conf for nsd:



```
server:
    ip-address: your-public--IP
    do-ip6: no
    identity: domain.tld
    ...
```



And the zone file /etc/nsd/zone.domain.tld is quite typical.

If some DNS points to your `nsd` as authoritative, then unbound will also get what you make public
with `nsd`, but through the internet, not locally. All this is simple.

The question is how to get it to work locally, offline, not through the internet. I think you can make nsd listen on localhost,
but on a port other than 53, and then use the "Forward Zone Options". See `man unbound.conf`. I did
not try it. Just try and tell us.


----------



## sirmosi1986 (Jun 25, 2019)

SirDice said:


> Yes, they are not related or relevant.
> 
> 
> 
> ...



Thanks to you, I found out something good.


----------



## sirmosi1986 (Jun 25, 2019)

hruodr said:


> I think `unbound` and nsd could be simpler than bind
> 
> The config file /etc/unbound/unbound.conf for `unbound` may be something like:
> 
> ...



Dude, it's not about a simple thing; I should install a DNS server for my company and configure it to serve some records internally and to query our public IP, or maybe forward it outside.


----------



## sirmosi1986 (Jun 25, 2019)

SirDice said:


> Yes, they are not related or relevant.
> 
> 
> 
> ...


We have public DNS for our website and everything works well because it's at our hosting company, but my boss wants to run a local DNS server for the programming department, so they query everything via the DNS server instead of changing the local hosts file on every client.


----------



## SirDice (Jun 25, 2019)

sirmosi1986 said:


> I should install a DNS server for my company and configure it for using some records inside and query our public ip or maybe forward it outside


Don't get me wrong here, but you've probably bitten off more than you can chew. Your questions make it apparent that you don't know how to set this up or even where to begin. Which is fine, we all had to learn at some point. But this might not be the right time for it. Setting up BIND is quite an undertaking and can easily be done incorrectly. It's also quite easy to get a server like that abused; I'm sure your boss isn't going to like it when the internet provider kills your internet connection because your DNS server became part of a DDoS network.

For your situation start with dns/dnsmasq, it will be more than sufficient for this purpose. If you want to know how to set up BIND do so in a lab environment or your home. At least somewhere where others (and especially a company) aren't going to depend on it. Making mistakes is part of the learning process. You just can't afford them when it's a company that's on the line. So make those mistakes in a lab or on your home network. At least until you are confident enough not to fall for the most obvious ones and know how to fix those mistakes quickly.


----------



## hruodr (Jun 25, 2019)

You put your private records in /etc/hosts, your public records in a zone file, with `nsd`
configured similarly to above. For resolving DNs yourself, use `unbound` as configured automatically by
FreeBSD or similarly to above. At least you can begin in this simple way, and later try DNSSEC.

But the ISP must write some NS and glue records to link to your server:





NS Resource Record – Wikipedia (de.wikipedia.org)
				




For writing the zone file, just google a little, the wikipedia pages really help. It is not difficult.

And learn how to query a DNS server with `drill`, then you can test your zone file.


----------



## hruodr (Jun 25, 2019)

sirmosi1986 said:


> but my boss want to run local dns server for programmer department to query everything via the dns server not to change local host on every client



Then nsd will listen on a local IP, not reachable from outside and not linked from outside; then you can put
it in /etc/resolv.conf of every client, together with other nameservers.


----------



## hruodr (Jun 25, 2019)

Look at "local-zone" and "local-data" in `man unbound.conf`. It seems, you can put data in /etc/unbound/unbound.conf instead of in /etc/hosts. And unbound could listen at a local IP.

See also this thread:



[Unbound-users] Replacing /etc/hosts aliases with local-data: directive


It looks like a very simple solution to your main problem.


----------



## msplsh (Jun 26, 2019)

Here are some sample zonefiles and some portions of named.conf to set up a custom .lan TLD.  The thing is if you want to create a custom TLD, you'll be at the mercy of somebody else being able to take control over that TLD when you're not on your network.  If you use your own domain, you'll have to manage what's known as a "split horizon" DNS which is kind of difficult.  Instead of doing .lan, you could use internal.domain.com which would partition that portion of your domain and you wouldn't have the problem.

------ named.conf (Some security settings)

```
acl clients {
    10.0.0.0/8;
    192.168.0.0/16;
    localnets;
    ::1;
};

options {
    version "no";
    listen-on { 127.0.0.1; 192.168.1.1; };

    dnssec-enable yes;
    dnssec-validation yes;

    recursion yes;
    # Or you could do this
    # forwarders { 1.1.1.1; };

    # Apply the ACL above
    allow-recursion { clients; };
    allow-query { clients; };
    allow-transfer { none; };
};
```

------ named.conf (zone portion)

```
zone "168.192.IN-ADDR.ARPA" {
        type master;
        file "master/192.168.1.db";
};

zone "lan" {
        type master;
        file "master/lan.db";
};
```

------ Zonefile (lan.db)

```
$TTL 1h

@ IN SOA ns.lan. webmaster.lan. (
        2018022802 ; Serial
        2h         ; Refresh
        1h         ; Retry
        1d         ; Expire
        1h )       ; Negative caching TTL

@               IN NS           ns.lan.

ns.lan.         IN A            192.168.1.1

; Note these DON'T end in a . making the full name router.home.lan
; (';' starts a comment in a zone file; '#' would be a syntax error)
router.home     IN A            192.168.1.1
firewall.home   IN CNAME        router.home
```

----- Reverse file (192.168.1.db)

```
$TTL 1h

@ IN SOA ns.lan. webmaster.lan. (
        2014120601 ; Serial
        2h         ; Refresh
        1h         ; Retry
        1w         ; Expire
        1h )       ; Negative caching TTL

@               IN NS   ns.lan.

1.1.168.192.in-addr.arpa.       IN PTR  router.home.lan.
```
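As an added example (not code from msplsh or anyone else in the thread), here is a small Python parser that reads the two zone files above, resolves relative names against the zone origin the way named does (so `router.home` becomes `router.home.lan.`), splits the SOA into its MNAME and RNAME fields, and cross-checks the reverse zone against the forward one. It goes a little beyond the post by flagging NS/CNAME targets without an A record and PTRs that disagree with the forward A records; the function names are mine and the embedded zone text is a constructed copy of the post's files.

```python
# Constructed input: the zone files from the post above (';' starts a comment in master files).
LAN_DB = """$TTL 1h
@ IN SOA ns.lan. webmaster.lan. (
        2018022802 ;Serial
        2h 1h 1d 1h ) ;Refresh Retry Expire Negative-TTL
@ IN NS ns.lan.
ns.lan. IN A 192.168.1.1
router.home IN A 192.168.1.1
firewall.home IN CNAME router.home
"""
REV_DB = """@ IN SOA ns.lan. webmaster.lan. ( 2014120601 2h 1h 1w 1h )
1.1.168.192.in-addr.arpa. IN PTR router.home.lan.
"""
NAME_FIELDS = {"NS": 1, "CNAME": 1, "PTR": 1, "SOA": 2}  # leading rdata fields that are names

def fqdn(name, origin):
    """'@' is the origin; a name without a trailing dot is relative to it (hypothetical helper)."""
    name = name.lower()
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Parse master-file text into (owner, type, rdata) tuples with absolute names, handling
    ';' comments, $-directives, parenthesised multi-line records and inherited owners."""
    origin = origin.lower()
    records, owner, buf, first_blank = [], origin, [], False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        first_blank = line[0].isspace() if not buf else first_blank
        buf.append(line)
        joined = " ".join(buf)
        if joined.count("(") > joined.count(")"):
            continue                      # record continues on the next line
        buf = []
        tokens = joined.replace("(", " ").replace(")", " ").split()
        if tokens[0].startswith("$"):
            continue                      # $TTL / $ORIGIN carry no record
        if not first_blank:
            owner = fqdn(tokens.pop(0), origin)   # a leading blank keeps the previous owner
        if tokens[0].upper() == "IN":
            tokens.pop(0)                 # the class is optional
        rtype, rdata = tokens[0].upper(), tokens[1:]
        for i in range(NAME_FIELDS.get(rtype, 0)):
            rdata[i] = fqdn(rdata[i], origin)
        records.append((owner, rtype, rdata))
    return records

def soa_contact(records):
    """'ns.lan. webmaster.lan.' is two fields: MNAME (primary server) and RNAME (admin mailbox, first dot = '@')."""
    mname, rname = next(r for _, t, r in records if t == "SOA")[:2]
    local, domain = rname.rstrip(".").split(".", 1)
    return mname, f"{local}@{domain}"

def check_zones(fwd, rev):
    """Flag NS/CNAME targets without an A record and PTRs that disagree with the A records."""
    a = {o: r[0] for o, t, r in fwd if t == "A"}
    problems = [f"{t} target {r[0]} has no A record" for _, t, r in fwd
                if t in ("NS", "CNAME") and r[0] not in a]
    for o, t, r in rev:
        if t == "PTR":
            ip = ".".join(reversed(o[:-len(".in-addr.arpa.")].split(".")))
            if a.get(r[0]) != ip:
                problems.append(f"PTR {o} -> {r[0]} does not match an A record for {ip}")
    return problems
```

Run `check_zones(parse_zone(LAN_DB, "lan."), parse_zone(REV_DB, "168.192.IN-ADDR.ARPA."))` to get an empty list for the post's files; named-checkzone(8) from the BIND package does the authoritative version of this check.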


----------



## sirmosi1986 (Jun 26, 2019)

SirDice said:


> Don't get me wrong here but you probably bitten off more than you can chew. Your questions make it apparent that you don't know how to set this up or even where to begin. Which is fine, we all had to learn at some point. But this might not be the right time for it. Setting up BIND is quite an undertaking and can easily be done incorrectly. It's also quite easy to get a server like that abused, I'm sure your boss isn't going to like it when the internet provider kills your internet connection because your DNS server became part of a DDoS network.
> 
> For your situation start with dns/dnsmasq, it will be more than sufficient for this purpose. If you want to know how to set up BIND do so in a lab environment or your home. At least somewhere where others (and especially a company) aren't going to depend on it. Making mistakes is part of the learning process. You just can't afford them when it's a company that's on the line. So make those mistakes in a lab or on your home network. At least until you are confident enough not to fall for the most obvious ones and know how to fix those mistakes quickly.



Thanks for your advice, sir.
I decided, as all of you mentioned some other simple solutions, to try NSD.
I think it's better as an authoritative name server.


----------



## sirmosi1986 (Jun 26, 2019)

hruodr said:


> Then nsd will listen a local IP,  not reachable from outside, not linked from outside, then you can put
> it in /etc/resolv.conf of every client, together with other nameservers.



Could you tell me about some tutorial for this?


----------



## hruodr (Jun 26, 2019)

sirmosi1986 said:


> could you tell me some toturial about this ?



I do not know a tutorial. Only man pages; I mentioned Wikipedia for learning to write zone files, and drill (comes with nsd) to
test your zone file.

Just try with the configuration file I put above and test. Trial and error. It is really not difficult.


----------



## tommiie (Jun 26, 2019)

hruodr said:


> Only man pages


I would imagine nsd(8) and unbound(8) also have documentation which is a bit easier to read than the man pages. But I guess not. The official web page only lists man pages.


----------



## hruodr (Jun 27, 2019)

*sirmosi1986 asks:* could you tell me about some tutorial for this?

*Tutorial on trial and error*

After configuring /usr/local/etc/nsd/nsd.conf as above and writing your zonefile
/etc/nsd/zone.domain.tld, start nsd:

`nsd -a listened-ip@port`

Here listened-ip and port are chosen for testing purposes.

If something was wrong and it did not start, correct it and start again.

Otherwise, test whether it gives correct answers about domains in the zone file with:

`drill -p port domain @listened-ip`

And for record types other than A:

`drill -p port type domain @listened-ip`

If something is wrong, alter the zone file and reload it with

`pkill -HUP nsd`

and test again, change again, reload again, and repeat these three steps until all is OK ....

Then you can make it listen on the public IP on port 53 and ask the hoster of the domain to add NS and glue records.

*SirDice,* I don't think it is dangerous; it is just a specialized hierarchical database that can be queried through the internet.
Then PostgreSQL and MySQL could also be dangerous.


----------



## tommiie (Jun 27, 2019)

hruodr: DNS servers can be used for amplification DDoS attacks. This is a real danger. Not for losing data but for DDoS'ing companies or organizations.


----------



## SirDice (Jun 27, 2019)

hruodr said:


> I dont think it is danger, it is just a specialized hierarchical database that can be queried through internet.





https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/




hruodr said:


> Also PostgreSQL and MySQL could be then danger.


They are but for different reasons and attack surfaces. Anything and everything you put out on the internet will get attacked.


----------



## hruodr (Jun 29, 2019)

SirDice said:


> Anything and everything you put out on the internet will get attacked.



I see. Terrible.


----------



## sirmosi1986 (Jun 29, 2019)

SirDice said:


> https://www.cloudflare.com/learning/ddos/dns-amplification-ddos-attack/
> 
> 
> 
> ...



I don't want to make my server available on the internet; it's just for local use and that's all.


----------



## sirmosi1986 (Jun 29, 2019)

msplsh said:


> @ IN SOA ns.lan. webmaster.lan. (



I can't get it yet; I've got confused about the name "ns.lan.webmaster.lan". Could you tell me, is this for instance my DNS name?
lan.webmaster.lan? I haven't chosen a domain name yet, but if I try .local for example, how should it be written?


----------



## hruodr (Jun 29, 2019)

sirmosi1986 said:


> I've got confused about the name "ns.lan. webmaster.lan"



Do you see the space between ns.lan. and webmaster.lan?

The first is the primary name server and the second the email of the person managing it.

Nameservers, including this one, also go in NS records.

There is no way to avoid reading some info about zonefiles. Just begin with Wikipedia:





Zone file - Wikipedia (en.wikipedia.org)

SOA Resource Record – Wikipedia (de.wikipedia.org)

NS Resource Record – Wikipedia (de.wikipedia.org)
				




For your trial and error you can also use:





Name Server Daemon (NSD) by NLnet Labs — NSD 4.3.9 documentation (www.nlnetlabs.nl)
				




BTW, if you want to use it only locally, better try unbound, not nsd, and see my hint above on "local-zone" and
"local-data".


----------

