Private BIND-9 server for Slackware
07 February 2021

In the past, when I used to run my own small LAN, I used DNRD, which allowed me to provide DNS lookup for the private machines and acted as a DNS proxy for general DNS lookups. While there is a fork with IPv6 support, neither it nor DNRD in general seems to be properly maintained these days, so I decided to look elsewhere for alternatives. This guide is for BIND, which is included as standard with Slackware and, although a bit heavyweight, fulfils the following requirements:
- Provide IPv4 & IPv6 DNS lookup for the top-level domain .lan
- Provide reverse-DNS lookup for the 192.168.0.0/16 IPv4 range
- Provide reverse-DNS lookup for the fc01::/64 IPv6 range
- Forwarding of all other lookups
Setting up BIND
This guide is basically a condensed-down version of Digital Ocean's Private DNS Server guide, keeping only the bare-bones details and modified to account for differences that Slackware 14.2 has compared to Ubuntu.

RNDC configuration
The first thing to do, if it does not already exist, is to generate rndc.conf using the following command:

rndc-confgen > /etc/rndc.conf
After doing this the resulting /etc/rndc.conf will be similar to the following snippet. Pay close attention to the secret parameter, as this will have to match the one in the BIND configuration. It is a shared HMAC key: anyone who can read it can control the server through rndc, so the file should be owned by root and not be world-readable.

# Start of rndc.conf
key "rndc-key" {
	algorithm hmac-sha256;
	secret "vK5PHduSJ+QWLae/oHaoM40o9CtjC0DEIYB/TsdXUEg=";
};

options {
	default-key "rndc-key";
	default-server 127.0.0.1;
	default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# 	algorithm hmac-sha256;
# 	secret "vK5PHduSJ+QWLae/oHaoM40o9CtjC0DEIYB/TsdXUEg=";
# };
# 
# controls {
# 	inet 127.0.0.1 port 953
# 		allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
For testing purposes the above snippet could just be cut'n'pasted, but for production use a config with a unique secret should be generated, since the secret printed here is now public.

BIND configuration
The BIND configuration file, for some reason I forget, is named /etc/named.conf and it should contain the following.

acl "allowed-clients" {
	192.168.0.0/16;
};

options {
	directory "/etc/named";
	recursion yes;
	allow-recursion { allowed-clients; };
	allow-transfer { none; };
	forwarders { 192.168.1.254; };
	dnssec-validation no;
	max-cache-size 2m;
};

zone "lan" {
	type master;
	file "lan.zone";
	allow-transfer { none; };
	allow-query { 192.168.0.0/16; };
};

zone "168.192.in-addr.arpa" {
	type master;
	file "168.192.zone";
	allow-transfer { none; };
	allow-query { 192.168.0.0/16; };
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa" {
	type master;
	file "fc01.zone";
	allow-transfer { none; };
	allow-query { 192.168.0.0/16; };
};

key "rndc-key" {
	algorithm hmac-sha256;
	secret "+gvGYUKOUGY2oblNZGYz+3qYKXPYY+48TH/DXStYmm8=";
};

controls {
	inet 127.0.0.1 port 953
		allow { 127.0.0.1; } keys { "rndc-key"; };
};
Some points to note before copying this configuration:

- Caching is set to pretty much the minimum allowed value, as caching is not an end goal of this configuration.
- DNSSEC validation has been disabled as enabling it is beyond the scope of this article. This means answers relayed from the forwarders are accepted as-is, without any signature check.
- The sub-directory for the zone files is /etc/named/ rather than the default of /var/named/.
- The forwarders sub-directive needs to use either your ISP's DNS server(s) or some third-party ones such as Google's 8.8.8.8.
- The allowed-clients ACL and the per-zone allow-query lists only contain the IPv4 range, so queries arriving from the fc01::/64 IPv6 range will be refused. Add fc01::/64 to both if machines are going to send their queries over IPv6.
- The last two directives (key and controls) should match the commented-out part of the RNDC configuration generated previously. The secret shown here differs from the rndc.conf snippet above; in a real deployment the two must be identical or rndc will be unable to authenticate.
DNS zone record

This is where things get interesting, as it is where machines on the LAN get their names. These zone records go in lan.zone, which must match the filename given in the BIND configuration. The top-level domain .lan refers to the private LAN, and for this example there are two machines: waypoint.lan, which is going to be the DNS server, and wilderness.lan, which is a workstation of mine. The first two fields of the SOA record are the primary name server and the contact mailbox (root@lan); both are written fully qualified with a trailing dot, because a name without one has the zone origin appended to it.

lan.zone

$TTL 86400
@               IN SOA  waypoint.lan. root.lan. (
                        4           ; Serial
                        28800       ; Refresh
                        14400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Minimum
                IN NS   waypoint.lan.
waypoint.lan.   IN A    192.168.1.16
                IN AAAA fc01::16
wilderness.lan. IN A    192.168.1.14
                IN AAAA fc01::14
Every time this zone file is changed the Serial field should be incremented; it is how a secondary server decides whether its copy of the zone is stale.

Note that when a name has both A (IPv4) and AAAA (IPv6) records, most resolvers prefer the AAAA answer, which may break things where IPv6 connectivity is incomplete. As a result it is sometimes recommended to give IPv4 and IPv6 different names.
Reverse lookup for IPv4

Reverse DNS allows dotted IP addresses to be converted back into domain names, which is more or less implemented by reversing the order of the octets, sticking .in-addr.arpa on the end, and then doing a PTR lookup on the resulting name. In this case reverse lookups for the 192.168.0.0/16 subnet are specified in /etc/named/168.192.zone with the following (the owner names are relative to the zone origin 168.192.in-addr.arpa., so 14.1 is 192.168.1.14):

$TTL 86400
@       IN SOA  waypoint.lan. root.lan. (
                4           ; Serial
                28800       ; Refresh
                14400       ; Retry
                2419200     ; Expire
                604800 )    ; Minimum
        IN NS   waypoint.lan.
14.1    IN PTR  wilderness.lan.
16.1    IN PTR  waypoint.lan.
Reverse lookup for IPv6

For IPv6, reverse lookups are much the same as for IPv4 except that they use .ip6.arpa and each hexadecimal nibble (rather than each octet) becomes a label, so a full address is 32 labels long. The zone records for these lookups are in /etc/named/fc01.zone, which contains the following:

$TTL 86400
@       IN SOA  waypoint.lan. root.lan. (
                4           ; Serial
                28800       ; Refresh
                14400       ; Retry
                2419200     ; Expire
                604800 )    ; Minimum
        IN NS   waypoint.lan.
$ORIGIN 0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa.
6.1     PTR     waypoint.lan.
4.1     PTR     wilderness.lan.

The $ORIGIN directive is short-hand that avoids the need to write out entire IPv6 addresses in reversed-nibble notation: any name after it that lacks a trailing dot has that origin appended. The long-hand alternative, relative to the zone's own origin of 0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa., is to use:

6.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR waypoint.lan.
4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0 IN PTR wilderness.lan.

Or even longer-hand:

6.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa. IN PTR waypoint.lan.
4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa. IN PTR wilderness.lan.

The latter, fully qualified form is required if you want to mix $ORIGIN and fully spelled-out IPv6 addresses, because once $ORIGIN has been changed every relative name is appended to the new origin rather than to the zone's.
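Reversing 32 nibbles by hand is error-prone, so here is an added example (not part of the original article) in POSIX shell plus awk that derives the owner names used in the two reverse zones above from plain addresses. ip4_rev produces the in-addr.arpa name, ip6_expand normalises an IPv6 address to 32 hex nibbles (expanding "::" and leading zeros, and rejecting malformed input), ip6_rev produces the full ip6.arpa name, and ip6_rev_rel produces the shorter name used under a $ORIGIN, given the number of prefix bits that origin covers (64 for the zone itself, 120 for the $ORIGIN line in fc01.zone above). The function names are my own.

```shell
#!/bin/sh
# Added example: derive reverse-zone owner names from plain addresses.
# Function names are my own; nothing here is BIND tooling.

# ip4_rev A.B.C.D -> D.C.B.A.in-addr.arpa.
ip4_rev() {
    printf '%s\n' "$1" |
        awk -F. 'NF != 4 { exit 1 }
                 { printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# ip6_expand ADDR -> 32 lowercase hex nibbles with "::" and leading zeros expanded.
# Fails (non-zero status) on malformed input, e.g. more than one "::" or a bad group.
ip6_expand() {
    printf '%s\n' "$1" | awk '
        function pad(g) {
            if (g !~ /^[0-9A-Fa-f]+$/ || length(g) > 4) exit 1
            while (length(g) < 4) g = "0" g
            return g
        }
        {
            n = split($1, side, "::")
            if (n > 2) exit 1
            nl = split(side[1], left, ":")
            nr = (n == 2) ? split(side[2], right, ":") : 0
            fill = 8 - nl - nr                      # groups hidden by "::"
            if ((n == 1 && nl != 8) || (n == 2 && fill < 1)) exit 1
            out = ""
            for (i = 1; i <= nl; i++) out = out pad(left[i])
            for (i = 1; i <= fill && n == 2; i++) out = out "0000"
            for (i = 1; i <= nr; i++) out = out pad(right[i])
            print tolower(out)
        }'
}

# ip6_rev_rel ADDR PREFIXLEN -> owner name relative to the reverse zone of
# the first PREFIXLEN bits (a multiple of 4), i.e. the form used under $ORIGIN.
ip6_rev_rel() {
    hex=$(ip6_expand "$1") || return 1
    printf '%s %s\n' "$hex" "$2" | awk '{
        host = substr($1, $2 / 4 + 1)           # nibbles after the prefix
        out = ""
        for (i = length(host); i >= 1; i--)
            out = out substr(host, i, 1) (i > 1 ? "." : "")
        print out
    }'
}

# ip6_rev ADDR -> the fully qualified ip6.arpa name.
ip6_rev() {
    rel=$(ip6_rev_rel "$1" 0) || return 1
    printf '%s.ip6.arpa.\n' "$rel"
}

# "sh thisfile demo" prints the names for the two hosts in the article.
case "${1:-}" in
    demo)
        for a in 192.168.1.16 192.168.1.14; do ip4_rev "$a"; done
        for a in fc01::16 fc01::14; do
            printf '%s  full: %s  under /64: %s\n' \
                "$a" "$(ip6_rev "$a")" "$(ip6_rev_rel "$a" 64)"
        done ;;
esac
```

Because ip6_expand refuses anything that is not exactly eight groups after expansion, a typo such as a second "::" fails loudly instead of producing a plausible-looking but wrong PTR name.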
Starting BIND

To enable starting of BIND on system boot, the relevant startup script needs to be set to executable:

chmod 755 /etc/rc.d/rc.bind
And finally, to manually start BIND itself:
/etc/rc.d/rc.bind start
Various useful commands

These are various commands that will be useful in checking that things are working as intended.

Check configuration files

These commands check BIND's configuration files. named-checkconf is silent on success; named-checkzone reports the serial it loaded followed by OK, and anything else is a problem that needs attention.

named-checkconf
named-checkzone 168.192.in-addr.arpa /etc/named/168.192.zone
named-checkzone 0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa /etc/named/fc01.zone
named-checkzone lan /etc/named/lan.zone
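The two steps most easily forgotten when editing a zone are bumping the Serial (mentioned in the zone record section above) and running named-checkzone before reloading, so the following is an added example that is not from the original article: a small POSIX shell script that increments the number on the "; Serial" line of a zone file written in the style used above, validates the result with named-checkzone and only then asks named to reload that one zone. The function names and the constructed sample zone in demo are my own; the zone names and file layout follow this article.

```shell
#!/bin/sh
# Added example: safe zone update for the layout used in this article.
# Function names are assumptions for illustration, not BIND's own tooling.

# get_serial FILE: print the number on the line carrying the "; Serial" comment.
get_serial() {
    awk '/; *Serial/ { match($0, /[0-9]+/); print substr($0, RSTART, RLENGTH); exit }' "$1"
}

# bump_serial FILE: increment that number in place and print the new value.
bump_serial() {
    file=$1
    tmp="$file.new.$$"
    awk '
        !done && /; *Serial/ {
            match($0, /[0-9]+/)
            n = substr($0, RSTART, RLENGTH) + 1
            $0 = substr($0, 1, RSTART - 1) n substr($0, RSTART + RLENGTH)
            done = 1
        }
        { print }
    ' "$file" > "$tmp" || { rm -f "$tmp"; return 1; }
    mv "$tmp" "$file" || return 1
    get_serial "$file"
}

# deploy_zone ZONE FILE: refuse to touch the running server unless
# named-checkzone accepts the file; then reload only that zone.
deploy_zone() {
    zone=$1
    file=$2
    if ! command -v named-checkzone >/dev/null 2>&1; then
        echo "named-checkzone not found; not reloading $zone" >&2
        return 2
    fi
    named-checkzone "$zone" "$file" || return 1
    rndc reload "$zone"
}

# update_zone ZONE FILE: the whole procedure in one call, e.g.
#   update_zone lan /etc/named/lan.zone
update_zone() {
    bump_serial "$2" >/dev/null || return 1
    deploy_zone "$1" "$2"
}

# demo: run against a constructed copy of lan.zone in a temporary directory
# so the script can be tried without touching /etc/named.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/lan.zone" <<'EOF'
$TTL 86400
@               IN SOA  waypoint.lan. root.lan. (
                        4           ; Serial
                        28800       ; Refresh
                        14400       ; Retry
                        2419200     ; Expire
                        604800 )    ; Minimum
                IN NS   waypoint.lan.
waypoint.lan.   IN A    192.168.1.16
EOF
    echo "serial before: $(get_serial "$dir/lan.zone")"
    echo "serial after:  $(bump_serial "$dir/lan.zone")"
    deploy_zone lan "$dir/lan.zone" || echo "not reloaded (status $?)"
    rm -rf "$dir"
}

case "${1:-}" in demo) demo ;; esac
```

The write goes through a temporary file and mv so a failed awk run never leaves a half-written zone behind, and rndc reload is only reached after named-checkzone has returned success, which keeps a typo in the file from taking the zone down.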
Clear the DNS cache

rndc flush
Check forward lookup

$ nslookup wilderness.lan
Server:		192.168.1.16
Address:	192.168.1.16#53

Name:	wilderness.lan
Address: 192.168.1.14
Name:	wilderness.lan
Address: fc01::14
Check reverse DNS

$ host 192.168.1.14
14.1.168.192.in-addr.arpa domain name pointer wilderness.lan.
$ host fc01::14
4.1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.1.0.c.f.ip6.arpa domain name pointer wilderness.lan.