Private BIND-9 server for Slackware

07 February 2021
In the past, when I used to run my own small LAN, I used DNRD, which provided DNS lookup for the private machines and acted as a DNS proxy for general DNS lookups. While there is a fork with IPv6 support, neither it nor DNRD in general seems to be properly maintained these days, so I decided to look elsewhere for alternatives. This guide is for BIND, which is included as standard with Slackware and, although a bit heavyweight, fulfils the following requirements:

Setting up BIND

This guide is basically a condensed down version of Digital Ocean's Private DNS Server, keeping only the bare-bones details, and modified to account for differences that Slackware 14.2 has compared to Ubuntu.

RNDC configuration

The first thing to do, if it does not already exist, is to generate rndc.conf using the following command:

rndc-confgen > /etc/rndc.conf

After doing this the resulting /etc/rndc.conf will be similar to the following snippet. Pay close attention to the secret parameter, as it must match the one in the BIND configuration.

# Start of rndc.conf
key "rndc-key" {
    algorithm hmac-sha256;
    secret "vK5PHduSJ+QWLae/oHaoM40o9CtjC0DEIYB/TsdXUEg=";
};

options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#     algorithm hmac-sha256;
#     secret "vK5PHduSJ+QWLae/oHaoM40o9CtjC0DEIYB/TsdXUEg=";
# };
#
# controls {
#     inet 127.0.0.1 port 953
#         allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

For testing purposes the above snippet could just be cut and pasted, but for production use a config with a unique secret should be generated.

BIND configuration

The BIND configuration file, for a reason I forget, is named /etc/named.conf and it should contain the following.

acl "allowed-clients" {
    192.168.0.0/16;
};

options {
    directory "/etc/named";
    recursion yes;
    allow-recursion { allowed-clients; };   // only LAN clients may use this server as a resolver
    allow-transfer { none; };
    forwarders { 192.168.1.254; };          // upstream resolver for everything outside the private zones
    dnssec-validation no;
    max-cache-size 2m;
};

zone "lan" {
    type master;
    file "lan.zone";
    allow-transfer { none; };
    allow-query { 192.168.0.0/16; };
};

zone "168.192.in-addr.arpa" {
    type master;
    file "168.192.zone";
    allow-transfer { none; };
    allow-query { 192.168.0.0/16; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa" {
    type master;
    file "fc01.zone";
    allow-transfer { none; };
    allow-query { 192.168.0.0/16; };
};

key "rndc-key" {
    algorithm hmac-sha256;
    secret "+gvGYUKOUGY2oblNZGYz+3qYKXPYY+48TH/DXStYmm8=";   // must match the secret in /etc/rndc.conf
};

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

Some points to note before copying this configuration:

DNS zone record

This is where things get interesting, as it is where machines on the LAN get their names. These zone records go in lan.zone, which must match the filename given in the BIND configuration. The top-level domain .lan refers to the private LAN, and for this example there are two machines: waypoint.lan, which is going to be the DNS server, and wilderness.lan, which is a workstation of mine. The contents of lan.zone:

$TTL 86400
; trailing dots keep the SOA names absolute so they are not suffixed with the zone origin
@               IN  SOA   lan. root.lan. (
                          4          ; Serial
                          28800      ; Refresh
                          14400      ; Retry
                          2419200    ; Expire
                          604800 )   ; Minimum
                IN  NS    waypoint.lan.
waypoint.lan.   IN  A     192.168.1.16
                IN  AAAA  fc01::16
wilderness.lan. IN  A     192.168.1.14
                IN  AAAA  fc01::14

Every time this zone file is changed the Serial field should be incremented. Note that when a name has both A (IPv4) and AAAA (IPv6) records, clients generally prefer the latter, which may sometimes break things. As a result it is sometimes recommended to give IPv4 and IPv6 different sub-domains.

Reverse lookup for IPv4

Reverse DNS allows dotted IP addresses to be converted back into domain names, which is more or less implemented by reversing the order of the octets, sticking .in-addr.arpa on the end, and then doing a lookup on the resulting name. In this case reverse lookups for the 192.168.0.0/16 subnet are specified in /etc/named/168.192.zone with the following:

$TTL 86400
; trailing dots keep the SOA names absolute so they are not suffixed with the zone origin
@       IN  SOA  lan. root.lan. (
                 4          ; Serial
                 28800      ; Refresh
                 14400      ; Retry
                 2419200    ; Expire
                 604800 )   ; Minimum
        IN  NS   waypoint.lan.
14.1    IN  PTR  wilderness.lan.
16.1    IN  PTR  waypoint.lan.

Reverse lookup for IPv6

For IPv6, reverse lookups are much the same as for IPv4 except that they use .ip6.arpa, and the zone records for these lookups are in /etc/named/fc01.zone, which contains the following:

$TTL 86400
; trailing dots keep the SOA names absolute so they are not suffixed with the zone origin
@       IN  SOA  lan. root.lan. (
                 4          ; Serial
                 28800      ; Refresh
                 14400      ; Retry
                 2419200    ; Expire
                 604800 )   ; Minimum
        IN  NS   waypoint.lan.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa.
6.1     PTR  waypoint.lan.
4.1     PTR  wilderness.lan.

The $ORIGIN directive is shorthand that avoids the need to write out entire IPv6 addresses in dotted notation. The long-hand alternative is to use:

6.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  waypoint.lan.
4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0  IN  PTR  wilderness.lan.

Or even longer-hand:

6.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa.  IN  PTR  waypoint.lan.
4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa.  IN  PTR  wilderness.lan.

The latter is required if you want to mix $ORIGIN and fully spelled-out IPv6 addresses.
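The octet and nibble reversal described in the IPv4 and IPv6 reverse-lookup sections, and the shortening of owner names relative to a zone origin or $ORIGIN, are easy to get wrong by hand. This added example (not code from the article) builds the reverse names for the two hosts above, derives the owner label relative to any of the three origins used on this page, and cross-checks against Python's ipaddress module; the FORWARD table is constructed from the article's lan.zone records.

```python
import ipaddress

# Constructed from the A/AAAA records in lan.zone above.
FORWARD = {
    "waypoint.lan.": ["192.168.1.16", "fc01::16"],
    "wilderness.lan.": ["192.168.1.14", "fc01::14"],
}

def reverse_name(addr: str) -> str:
    """Build the in-addr.arpa / ip6.arpa name by hand: IPv4 reverses the
    octets, IPv6 expands to all 32 hex nibbles and reverses them."""
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        return ".".join(str(ip).split(".")[::-1]) + ".in-addr.arpa"
    nibbles = ip.exploded.replace(":", "")  # 32 hex digits, leading zeros kept
    return ".".join(reversed(nibbles)) + ".ip6.arpa"

def relative_owner(full: str, origin: str) -> str:
    """Owner label relative to a zone origin or $ORIGIN, i.e. the first
    column of a PTR record; raises if the name is outside that origin."""
    full, origin = full.rstrip("."), origin.rstrip(".")
    if full == origin:
        return "@"
    suffix = "." + origin
    if not full.endswith(suffix):
        raise ValueError(f"{full} is not inside {origin}")
    return full[: -len(suffix)]

def ptr_records(origin: str):
    """PTR lines for every forward address that falls inside `origin`."""
    lines = []
    for host, addrs in FORWARD.items():
        for addr in addrs:
            try:
                owner = relative_owner(reverse_name(addr), origin)
            except ValueError:
                continue  # belongs to a different reverse zone
            lines.append(f"{owner} IN PTR {host}")
    return lines

def matches_stdlib(addr: str) -> bool:
    """Cross-check the hand-built name with ipaddress's reverse_pointer."""
    return reverse_name(addr) == ipaddress.ip_address(addr).reverse_pointer

if __name__ == "__main__":
    for zone in ("168.192.in-addr.arpa", "0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa"):
        print(f"; zone {zone}")
        print("\n".join(ptr_records(zone)))
```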

Starting BIND

To start BIND automatically on system boot, the relevant startup script needs to be set executable:

chmod 755 /etc/rc.d/rc.bind

And finally, to manually start BIND itself:

/etc/rc.d/rc.bind start

Various useful commands

These are various commands that will be useful in checking that things are working as intended.

Check configuration files

These commands check BIND's configuration files and should only give output if there are problems that need attention.

named-checkconf
named-checkzone 168.192.in-addr.arpa /etc/named/168.192.zone
named-checkzone 0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa /etc/named/fc01.zone
named-checkzone lan /etc/named/lan.zone

Clear the DNS cache

rndc flush

Check forward lookup

$ nslookup wilderness.lan
Server:         192.168.1.16
Address:        192.168.1.16#53

Name:   wilderness.lan
Address: 192.168.1.14
Name:   wilderness.lan
Address: fc01::14

Check reverse DNS

$ host 192.168.1.14
14.1.168.192.in-addr.arpa domain name pointer wilderness.lan.
$ host fc01::14
4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa domain name pointer wilderness.lan.