From 457faf19895b550dd6a6b450849879db44bf06c5 Mon Sep 17 00:00:00 2001 From: radinpirouz Date: Tue, 21 Apr 2026 23:09:34 +0330 Subject: [PATCH] Added bind9 docs --- .../BIND9-DNS/01-Installtion.md | 233 ++++++++++++++ Security-Networking/BIND9-DNS/02-Zones.md | 293 ++++++++++++++++++ Security-Networking/BIND9-DNS/main.md | 32 -- 3 files changed, 526 insertions(+), 32 deletions(-) create mode 100644 Security-Networking/BIND9-DNS/01-Installtion.md create mode 100644 Security-Networking/BIND9-DNS/02-Zones.md delete mode 100644 Security-Networking/BIND9-DNS/main.md diff --git a/Security-Networking/BIND9-DNS/01-Installtion.md b/Security-Networking/BIND9-DNS/01-Installtion.md new file mode 100644 index 0000000..31f6425 --- /dev/null +++ b/Security-Networking/BIND9-DNS/01-Installtion.md @@ -0,0 +1,233 @@ +# BIND9 DNS Forwarder Configuration Guide + +## 1. Installing BIND9 + +```bash +sudo apt install bind9 +``` + +### Explanation + +BIND9 (Berkeley Internet Name Domain) is one of the most widely used DNS servers. In this setup, it will act as a **DNS forwarder**, meaning it forwards DNS queries to upstream servers instead of resolving them recursively from root servers. + +--- + +## 2. Configuration Overview + +The configuration snippet defines how BIND9 behaves as a DNS server. It is typically located in: + +``` +/etc/bind/named.conf.options +``` + +--- + +## 3. Detailed Configuration Breakdown + +### Global Options Block + +```conf +options { + directory "/var/cache/bind"; +``` + +* `directory`: Specifies where BIND stores cache and zone files. +* `/var/cache/bind`: Default working directory for cached DNS data. + +--- + +### Forwarders + +```conf + forwarders { + 192.168.1.10; + 8.8.8.8; + 1.1.1.1; + }; +``` + +* Defines upstream DNS servers to which queries are forwarded. +* `192.168.1.10`: Likely an internal DNS server (e.g., corporate or local network). +* `8.8.8.8`: Public DNS server provided by Google. +* `1.1.1.1`: Public DNS server provided by Cloudflare. + +**Behavior:** + +* Queries that BIND cannot resolve locally are sent to these servers. + +--- + +### DNSSEC Validation + +```conf + dnssec-validation no; +``` + +* Disables DNSSEC (DNS Security Extensions) validation. +* DNSSEC ensures DNS responses are authentic and not tampered with. + +**Why disable it?** + +* Simplicity in lab or internal environments. +* Avoid issues if upstream servers or zones are misconfigured. + +**Production note:** + +* It is generally recommended to enable DNSSEC in secure environments. + +--- + +### Listening Interfaces + +```conf + #listen-on { any; }; + # listen-on-v6 { any; }; + + listen-on port 53 { 127.0.0.1; }; + listen-on-v6 { none; }; +``` + +* `listen-on port 53 { 127.0.0.1; };` + + * BIND listens only on the loopback interface (localhost). + * This means only the local machine can query this DNS server. + +* `listen-on-v6 { none; };` + + * Disables IPv6 listening. + +* Commented lines: + + * `#listen-on { any; };` would allow all IPv4 interfaces. + * `#listen-on-v6 { any; };` would enable IPv6 support. + +**Implication:** + +* This configuration is suitable for a **local DNS resolver**, not a network-wide DNS server. + +--- + +### Forwarding Mode + +```conf + forward only; +``` + +* Forces BIND to **only use forwarders**. +* It will not attempt full recursive resolution if forwarders fail. + +**Behavior:** + +* If all forwarders fail → DNS resolution fails. + +--- + +### Query Access Control + +```conf + allow-query { any; }; +``` + +* Allows any client to query the DNS server. + +**Note:** + +* Safe here because the server only listens on `127.0.0.1`. + +--- + +### Recursion Settings + +```conf + recursion yes; + allow-recursion { any; }; +``` + +* `recursion yes;` + + * Enables recursive DNS resolution (required for a caching resolver). + +* `allow-recursion { any; };` + + * Allows all clients to use recursion. + +**Important:** + +* In public-facing servers, unrestricted recursion can lead to abuse (e.g., DNS amplification attacks). +* In this case, it is safe due to localhost restriction. + +--- + +## 4. Summary of Behavior + +This configuration sets up BIND9 as: + +* A **local DNS forwarder** +* Listening only on **localhost (127.0.0.1)** +* Forwarding queries to: + + * Internal DNS: `192.168.1.10` + * Public DNS: `8.8.8.8`, `1.1.1.1` +* Performing recursion via forwarders only +* Not using DNSSEC validation +* Not exposed to external clients + +--- + +## 5. Typical Use Cases + +* Local development environments +* Caching DNS resolver for a single machine +* Forwarding DNS queries inside containers or VMs +* Acting as a DNS proxy for internal services + +--- + +## 6. Recommendations for Production + +* Enable DNSSEC validation: + + ```conf + dnssec-validation auto; + ``` + +* Restrict recursion: + + ```conf + allow-recursion { trusted_network; }; + ``` + +* Bind to specific internal interfaces instead of localhost if needed: + + ```conf + listen-on { 192.168.1.0/24; }; + ``` + +* Implement logging for observability + +--- + +## 7. Restarting the Service + +After making changes: + +```bash +sudo systemctl restart bind9 +``` + +To check status: + +```bash +sudo systemctl status bind9 +``` + +--- + +## 8. Testing DNS Resolution + +```bash +dig google.com @127.0.0.1 +``` + +* Confirms that the local BIND server is resolving queries correctly via forwarders. + diff --git a/Security-Networking/BIND9-DNS/02-Zones.md b/Security-Networking/BIND9-DNS/02-Zones.md new file mode 100644 index 0000000..24b2eb5 --- /dev/null +++ b/Security-Networking/BIND9-DNS/02-Zones.md @@ -0,0 +1,293 @@ +# BIND9 Zone File and SOA Configuration Guide + +## 1. What is a Zone File + +A **zone file** defines DNS records for a specific domain. It maps domain names to IP addresses and other resources. + +In this example, we are configuring a zone for: + +``` +test.com +``` + +--- + +## 2. SOA (Start of Authority) Record + +### Example + +```conf id="soa-example" +$TTL 120 + +@ IN SOA test.com. admin.test.com ( + 1; + 86400; + 7200; + 57600; + 3600); +``` + +### Explanation + +#### `$TTL 120` + +* Default Time To Live for all records in this zone. +* Value is in seconds (120 seconds = 2 minutes). +* Controls how long DNS responses are cached. + +--- + +### SOA Record Structure + +``` +@ IN SOA ( + + + + + +) +``` + +#### Fields Breakdown + +* `@` + + * Refers to the root of the zone (`test.com`). + +* `IN` + + * Internet class (standard for DNS). + +* `SOA` + + * Start of Authority record. Defines the authoritative source for the zone. + +--- + +### SOA Parameters + +* **Primary Nameserver** + + ``` + test.com. + ``` + + * The authoritative DNS server for this zone. + * Must be a fully qualified domain name (FQDN). + +* **Admin Email** + + ``` + admin.test.com + ``` + + * Represents `admin@test.com`. + * The `@` is replaced with a dot in DNS format. + +--- + +### Timing Parameters + +* **Serial** + + ``` + 1; + ``` + + * Version number of the zone. + * Must be incremented on every change. + * Secondary DNS servers use this to detect updates. + +* **Refresh (86400 seconds = 24 hours)** + + * How often secondary servers check for updates. + +* **Retry (7200 seconds = 2 hours)** + + * Retry interval if refresh fails. + +* **Expire (57600 seconds = 16 hours)** + + * Time after which secondary servers discard the zone if they cannot reach the primary. + +* **Minimum TTL (3600 seconds = 1 hour)** + + * Default negative caching time (NXDOMAIN responses). + +--- + +## 3. DNS Records in the Zone + +### Example Zone File + +```conf id="zone-file" +@ IN NS test.com. + +@ IN A 10.10.30.1 + +www IN CNAME docs.test.com +docs IN A 10.10.20.1 +``` + +--- + +### NS Record + +```conf id="ns-record" +@ IN NS test.com. +``` + +* Defines the authoritative nameserver for the domain. +* `test.com.` must resolve to an IP (via an A record). + +--- + +### A Record + +```conf id="a-record-root" +@ IN A 10.10.30.1 +``` + +* Maps `test.com` → `10.10.30.1`. + +--- + +### CNAME Record + +```conf id="cname-record" +www IN CNAME docs.test.com +``` + +* `www.test.com` becomes an alias of `docs.test.com`. +* DNS queries for `www` will resolve to the IP of `docs`. + +--- + +### Additional A Record + +```conf id="a-record-docs" +docs IN A 10.10.20.1 +``` + +* Maps `docs.test.com` → `10.10.20.1`. + +--- + +## 4. The Trailing Dot in DNS + +### Example + +``` +test.com. +``` + +### Explanation + +* The trailing dot (`.`) indicates a **fully qualified domain name (FQDN)**. +* Without the dot, BIND appends the current zone name. + +#### Example Behavior + +* `docs.test.com` (no dot) + → interpreted as `docs.test.com.test.com` + +* `docs.test.com.` (with dot) + → interpreted correctly as `docs.test.com` + +**Rule:** + +* Always use a trailing dot for absolute domain names in zone files. + +--- + +## 5. Zone Configuration in BIND + +### File: `/etc/bind/named.conf.local` + +```conf id="named-conf-local" +zone 'test.com' IN { + type master; + file "/etc/bind/zones/test.com.zone"; +}; +``` + +### Explanation + +* `zone 'test.com'` + + * Declares the domain being managed. + +* `type master` + + * This server is the authoritative source for the zone. + +* `file` + + * Path to the zone file. + +--- + +## 6. Validating the Zone File + +```bash id="check-zone" +named-checkzone test.com /etc/bind/zones/test.com.zone +``` + +### Purpose + +* Validates syntax and logic of the zone file. +* Detects: + + * Missing dots + * Invalid records + * Formatting errors + +--- + +## 7. Applying Configuration Changes + +### Reconfigure BIND + +```bash id="rndc-reconfig" +rndc reconfig +``` + +* Reloads BIND configuration files. +* Detects new or modified zones. + +--- + +### Reload Specific Zone + +```bash id="rndc-reload" +rndc reload test.com +``` + +* Reloads only the `test.com` zone. +* Faster and more efficient than restarting the entire service. + +--- + +## 8. Key Operational Notes + +* Always increment the **serial number** after modifying the zone. +* Use `named-checkzone` before applying changes. +* Prefer `rndc reload` over full service restart for production systems. +* Ensure proper file permissions for `/etc/bind/zones/`. + +--- + +## 9. Summary + +This setup defines: + +* A **master DNS zone** for `test.com` +* Authoritative records: + + * Root domain (`test.com`) + * `docs.test.com` + * Alias `www.test.com` +* Proper SOA configuration for synchronization +* DNS validation and reload workflow using BIND tools + diff --git a/Security-Networking/BIND9-DNS/main.md b/Security-Networking/BIND9-DNS/main.md deleted file mode 100644 index f74c892..0000000 --- a/Security-Networking/BIND9-DNS/main.md +++ /dev/null @@ -1,32 +0,0 @@ -```bash -sudo apt install bind9 -``` - - - -```conf -options { - directory "/var/cache/bind"; - - forwarders { - 192.168.1.10; - 8.8.8.8; - 1.1.1.1; - }; - - - dnssec-validation no; - - #listen-on { any; }; - # listen-on-v6 { any; }; - - listen-on port 53 { 127.0.0.1; }; - listen-on-v6 { none; }; - forward only; - allow-query { any; }; - recursion yes; - allow-recursion { any; }; -}; - - -``` \ No newline at end of file