radin/my-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added bind9 docs

Browse Source
This commit is contained in:
radinpirouz
2026-04-21 23:09:34 +03:30
parent fa6bb1557d
commit 457faf1989
3 changed files with 526 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

233
Security-Networking/BIND9-DNS/01-Installtion.md Normal file
View File

@@ -0,0 +1,233 @@
# BIND9 DNS Forwarder Configuration Guide
## 1. Installing BIND9
```bash
sudo apt install bind9
```
### Explanation
BIND9 (Berkeley Internet Name Domain) is one of the most widely used DNS servers. In this setup, it will act as a **DNS forwarder**, meaning it forwards DNS queries to upstream servers instead of resolving them recursively from root servers.
---
## 2. Configuration Overview
The configuration snippet defines how BIND9 behaves as a DNS server. It is typically located in:
```
/etc/bind/named.conf.options
```
---
## 3. Detailed Configuration Breakdown
### Global Options Block
```conf
options {
directory "/var/cache/bind";
```
* `directory`: Specifies where BIND stores cache and zone files.
* `/var/cache/bind`: Default working directory for cached DNS data.
---
### Forwarders
```conf
forwarders {
192.168.1.10;
8.8.8.8;
1.1.1.1;
};
```
* Defines upstream DNS servers to which queries are forwarded.
* `192.168.1.10`: Likely an internal DNS server (e.g., corporate or local network).
* `8.8.8.8`: Public DNS server provided by Google.
* `1.1.1.1`: Public DNS server provided by Cloudflare.
**Behavior:**
* Queries that BIND cannot resolve locally are sent to these servers.
---
### DNSSEC Validation
```conf
dnssec-validation no;
```
* Disables DNSSEC (DNS Security Extensions) validation.
* DNSSEC ensures DNS responses are authentic and not tampered with.
**Why disable it?**
* Simplicity in lab or internal environments.
* Avoid issues if upstream servers or zones are misconfigured.
**Production note:**
* It is generally recommended to enable DNSSEC in secure environments.
---
### Listening Interfaces
```conf
#listen-on { any; };
# listen-on-v6 { any; };
listen-on port 53 { 127.0.0.1; };
listen-on-v6 { none; };
```
* `listen-on port 53 { 127.0.0.1; };`
* BIND listens only on the loopback interface (localhost).
* This means only the local machine can query this DNS server.
* `listen-on-v6 { none; };`
* Disables IPv6 listening.
* Commented lines:
* `#listen-on { any; };` would allow all IPv4 interfaces.
* `#listen-on-v6 { any; };` would enable IPv6 support.
**Implication:**
* This configuration is suitable for a **local DNS resolver**, not a network-wide DNS server.
---
### Forwarding Mode
```conf
forward only;
```
* Forces BIND to **only use forwarders**.
* It will not attempt full recursive resolution if forwarders fail.
**Behavior:**
* If all forwarders fail → DNS resolution fails.
---
### Query Access Control
```conf
allow-query { any; };
```
* Allows any client to query the DNS server.
**Note:**
* Safe here because the server only listens on `127.0.0.1`.
---
### Recursion Settings
```conf
recursion yes;
allow-recursion { any; };
```
* `recursion yes;`
* Enables recursive DNS resolution (required for a caching resolver).
* `allow-recursion { any; };`
* Allows all clients to use recursion.
**Important:**
* In public-facing servers, unrestricted recursion can lead to abuse (e.g., DNS amplification attacks).
* In this case, it is safe due to localhost restriction.
---
## 4. Summary of Behavior
This configuration sets up BIND9 as:
* A **local DNS forwarder**
* Listening only on **localhost (127.0.0.1)**
* Forwarding queries to:
* Internal DNS: `192.168.1.10`
* Public DNS: `8.8.8.8`, `1.1.1.1`
* Performing recursion via forwarders only
* Not using DNSSEC validation
* Not exposed to external clients
---
## 5. Typical Use Cases
* Local development environments
* Caching DNS resolver for a single machine
* Forwarding DNS queries inside containers or VMs
* Acting as a DNS proxy for internal services
---
## 6. Recommendations for Production
* Enable DNSSEC validation:
```conf
dnssec-validation auto;
```
* Restrict recursion:
```conf
allow-recursion { trusted_network; };
```
* Bind to specific internal interfaces instead of localhost if needed:
```conf
listen-on { 192.168.1.0/24; };
```
* Implement logging for observability
---
## 7. Restarting the Service
After making changes:
```bash
sudo systemctl restart bind9
```
To check status:
```bash
sudo systemctl status bind9
```
---
## 8. Testing DNS Resolution
```bash
dig google.com @127.0.0.1
```
* Confirms that the local BIND server is resolving queries correctly via forwarders.

293
Security-Networking/BIND9-DNS/02-Zones.md Normal file
View File

@@ -0,0 +1,293 @@
# BIND9 Zone File and SOA Configuration Guide
## 1. What is a Zone File
A **zone file** defines DNS records for a specific domain. It maps domain names to IP addresses and other resources.
In this example, we are configuring a zone for:
```
test.com
```
---
## 2. SOA (Start of Authority) Record
### Example
```conf id="soa-example"
$TTL 120
@ IN SOA test.com. admin.test.com (
1;
86400;
7200;
57600;
3600);
```
### Explanation
#### `$TTL 120`
* Default Time To Live for all records in this zone.
* Value is in seconds (120 seconds = 2 minutes).
* Controls how long DNS responses are cached.
---
### SOA Record Structure
```
@ IN SOA <primary-ns> <admin-email> (
<serial>
<refresh>
<retry>
<expire>
<minimum>
)
```
#### Fields Breakdown
* `@`
* Refers to the root of the zone (`test.com`).
* `IN`
* Internet class (standard for DNS).
* `SOA`
* Start of Authority record. Defines the authoritative source for the zone.
---
### SOA Parameters
* **Primary Nameserver**
```
test.com.
```
* The authoritative DNS server for this zone.
* Must be a fully qualified domain name (FQDN).
* **Admin Email**
```
admin.test.com
```
* Represents `admin@test.com`.
* The `@` is replaced with a dot in DNS format.
---
### Timing Parameters
* **Serial**
```
1;
```
* Version number of the zone.
* Must be incremented on every change.
* Secondary DNS servers use this to detect updates.
* **Refresh (86400 seconds = 24 hours)**
* How often secondary servers check for updates.
* **Retry (7200 seconds = 2 hours)**
* Retry interval if refresh fails.
* **Expire (57600 seconds = 16 hours)**
* Time after which secondary servers discard the zone if they cannot reach the primary.
* **Minimum TTL (3600 seconds = 1 hour)**
* Default negative caching time (NXDOMAIN responses).
---
## 3. DNS Records in the Zone
### Example Zone File
```conf id="zone-file"
@ IN NS test.com.
@ IN A 10.10.30.1
www IN CNAME docs.test.com
docs IN A 10.10.20.1
```
---
### NS Record
```conf id="ns-record"
@ IN NS test.com.
```
* Defines the authoritative nameserver for the domain.
* `test.com.` must resolve to an IP (via an A record).
---
### A Record
```conf id="a-record-root"
@ IN A 10.10.30.1
```
* Maps `test.com` → `10.10.30.1`.
---
### CNAME Record
```conf id="cname-record"
www IN CNAME docs.test.com
```
* `www.test.com` becomes an alias of `docs.test.com`.
* DNS queries for `www` will resolve to the IP of `docs`.
---
### Additional A Record
```conf id="a-record-docs"
docs IN A 10.10.20.1
```
* Maps `docs.test.com` → `10.10.20.1`.
---
## 4. The Trailing Dot in DNS
### Example
```
test.com.
```
### Explanation
* The trailing dot (`.`) indicates a **fully qualified domain name (FQDN)**.
* Without the dot, BIND appends the current zone name.
#### Example Behavior
* `docs.test.com` (no dot)
→ interpreted as `docs.test.com.test.com`
* `docs.test.com.` (with dot)
→ interpreted correctly as `docs.test.com`
**Rule:**
* Always use a trailing dot for absolute domain names in zone files.
---
## 5. Zone Configuration in BIND
### File: `/etc/bind/named.conf.local`
```conf id="named-conf-local"
zone 'test.com' IN {
type master;
file "/etc/bind/zones/test.com.zone";
};
```
### Explanation
* `zone 'test.com'`
* Declares the domain being managed.
* `type master`
* This server is the authoritative source for the zone.
* `file`
* Path to the zone file.
---
## 6. Validating the Zone File
```bash id="check-zone"
named-checkzone test.com /etc/bind/zones/test.com.zone
```
### Purpose
* Validates syntax and logic of the zone file.
* Detects:
* Missing dots
* Invalid records
* Formatting errors
---
## 7. Applying Configuration Changes
### Reconfigure BIND
```bash id="rndc-reconfig"
rndc reconfig
```
* Reloads BIND configuration files.
* Detects new or modified zones.
---
### Reload Specific Zone
```bash id="rndc-reload"
rndc reload test.com
```
* Reloads only the `test.com` zone.
* Faster and more efficient than restarting the entire service.
---
## 8. Key Operational Notes
* Always increment the **serial number** after modifying the zone.
* Use `named-checkzone` before applying changes.
* Prefer `rndc reload` over full service restart for production systems.
* Ensure proper file permissions for `/etc/bind/zones/`.
---
## 9. Summary
This setup defines:
* A **master DNS zone** for `test.com`
* Authoritative records:
* Root domain (`test.com`)
* `docs.test.com`
* Alias `www.test.com`
* Proper SOA configuration for synchronization
* DNS validation and reload workflow using BIND tools

32
Security-Networking/BIND9-DNS/main.md
View File

@@ -1,32 +0,0 @@
```bash
sudo apt install bind9
```
```conf
options {
directory "/var/cache/bind";
forwarders {
192.168.1.10;
8.8.8.8;
1.1.1.1;
};
dnssec-validation no;
#listen-on { any; };
# listen-on-v6 { any; };
listen-on port 53 { 127.0.0.1; };
listen-on-v6 { none; };
forward only;
allow-query { any; };
recursion yes;
allow-recursion { any; };
};
```