radin/my-docs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added bind9 docs

Browse Source
This commit is contained in:
radinpirouz
2026-04-21 23:09:34 +03:30
parent fa6bb1557d
commit 457faf1989
3 changed files with 526 additions and 32 deletions
Download Patch File Download Diff File Expand all files Collapse all files

233
Security-Networking/BIND9-DNS/01-Installtion.md Normal file
View File

@@ -0,0 +1,233 @@
# BIND9 DNS Forwarder Configuration Guide
## 1. Installing BIND9
```bash
sudo apt install bind9
```
### Explanation
BIND9 (Berkeley Internet Name Domain) is one of the most widely used DNS servers. In this setup, it will act as a **DNS forwarder**, meaning it forwards DNS queries to upstream servers instead of resolving them recursively from root servers.
---
## 2. Configuration Overview
The configuration snippet defines how BIND9 behaves as a DNS server. It is typically located in:
```
/etc/bind/named.conf.options
```
---
## 3. Detailed Configuration Breakdown
### Global Options Block
```conf
options {
directory "/var/cache/bind";
```
* `directory`: Specifies where BIND stores cache and zone files.
* `/var/cache/bind`: Default working directory for cached DNS data.
---
### Forwarders
```conf
forwarders {
192.168.1.10;
8.8.8.8;
1.1.1.1;
};
```
* Defines upstream DNS servers to which queries are forwarded.
* `192.168.1.10`: Likely an internal DNS server (e.g., corporate or local network).
* `8.8.8.8`: Public DNS server provided by Google.
* `1.1.1.1`: Public DNS server provided by Cloudflare.
**Behavior:**
* Queries that BIND cannot resolve locally are sent to these servers.
---
### DNSSEC Validation
```conf
dnssec-validation no;
```
* Disables DNSSEC (DNS Security Extensions) validation.
* DNSSEC ensures DNS responses are authentic and not tampered with.
**Why disable it?**
* Simplicity in lab or internal environments.
* Avoid issues if upstream servers or zones are misconfigured.
**Production note:**
* It is generally recommended to enable DNSSEC in secure environments.
---
### Listening Interfaces
```conf
#listen-on { any; };
# listen-on-v6 { any; };
listen-on port 53 { 127.0.0.1; };
listen-on-v6 { none; };
```
* `listen-on port 53 { 127.0.0.1; };`
* BIND listens only on the loopback interface (localhost).
* This means only the local machine can query this DNS server.
* `listen-on-v6 { none; };`
* Disables IPv6 listening.
* Commented lines:
* `#listen-on { any; };` would allow all IPv4 interfaces.
* `#listen-on-v6 { any; };` would enable IPv6 support.
**Implication:**
* This configuration is suitable for a **local DNS resolver**, not a network-wide DNS server.
---
### Forwarding Mode
```conf
forward only;
```
* Forces BIND to **only use forwarders**.
* It will not attempt full recursive resolution if forwarders fail.
**Behavior:**
* If all forwarders fail → DNS resolution fails.
---
### Query Access Control
```conf
allow-query { any; };
```
* Allows any client to query the DNS server.
**Note:**
* Safe here because the server only listens on `127.0.0.1`.
---
### Recursion Settings
```conf
recursion yes;
allow-recursion { any; };
```
* `recursion yes;`
* Enables recursive DNS resolution (required for a caching resolver).
* `allow-recursion { any; };`
* Allows all clients to use recursion.
**Important:**
* In public-facing servers, unrestricted recursion can lead to abuse (e.g., DNS amplification attacks).
* In this case, it is safe due to localhost restriction.
---
## 4. Summary of Behavior
This configuration sets up BIND9 as:
* A **local DNS forwarder**
* Listening only on **localhost (127.0.0.1)**
* Forwarding queries to:
* Internal DNS: `192.168.1.10`
* Public DNS: `8.8.8.8`, `1.1.1.1`
* Performing recursion via forwarders only
* Not using DNSSEC validation
* Not exposed to external clients
---
## 5. Typical Use Cases
* Local development environments
* Caching DNS resolver for a single machine
* Forwarding DNS queries inside containers or VMs
* Acting as a DNS proxy for internal services
---
## 6. Recommendations for Production
* Enable DNSSEC validation:
```conf
dnssec-validation auto;
```
* Restrict recursion:
```conf
allow-recursion { trusted_network; };
```
* Bind to specific internal interfaces instead of localhost if needed:
```conf
listen-on { 192.168.1.0/24; };
```
* Implement logging for observability
---
## 7. Restarting the Service
After making changes:
```bash
sudo systemctl restart bind9
```
To check status:
```bash
sudo systemctl status bind9
```
---
## 8. Testing DNS Resolution
```bash
dig google.com @127.0.0.1
```
* Confirms that the local BIND server is resolving queries correctly via forwarders.