installing-bind-dns-server-with-multi-view-on-debian-jessie_en [2017/09/05 12:18] (current)

====== Installing Bind DNS Server with Multi-View on Debian Jessie ======

Configuring a Bind DNS server on Debian Jessie with multi-view support for the same domain, and replicating the zones to a slave server.

**Issue:** When replication starts, the zones with the same name are overwritten by the last one replicated (internal or external).

How to solve it: inside each view we force which address the master talks to, and each view on the slave is bound to its own IP address. Example: the internal view uses 192.168.25.111, so when the master needs to replicate to the internal view it sends the zone to 192.168.25.111, and when it needs to replicate to the external view it sends it to 192.168.25.112.

  - Internal View IP address on the Slave Server: 192.168.25.111
  - External View IP address on the Slave Server: 192.168.25.112
  - IP address of the Master Server: 192.168.25.110
  - Client Networks: 10.0.0.0/23, 10.100.0.0/24, 10.101.0.0/24, 10.200.0.0/24, 172.16.0.0/24, 192.168.25.0/24

Make sure that your system is already configured properly and run the following script: [[https://github.com/douglasqsantos/easy-debian|Easy-Debian]]. My environment works with that script, so if you have had some issue with a package please google it and fix it yourself.

Let's start configuring the Master server.

===== Configuring the Bind DNS Server Master =====

Let's install the bind packages.

<sxh bash>
aptitude update
aptitude install bind9 dnsutils -y
</sxh>

Let's stop the Bind DNS service before we start configuring it.

<sxh bash>
systemctl stop bind9
</sxh>

Now we need to create the chroot environment in which the Bind DNS server will run.
<sxh bash>
mkdir -p /var/lib/named/etc/bind/zones/{disabled,external,internal}
mkdir -p /var/lib/named/dev
mkdir -p /var/lib/named/var/log
mkdir -p /var/lib/named/var/cache/bind/{disabled,dynamic,master,slave}
mkdir -p /var/lib/named/var/run/bind/run
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
mknod /var/lib/named/dev/zero c 1 5
</sxh>

Now let's fix the permissions.
<sxh bash>
chmod 666 /var/lib/named/dev/{null,random,zero}
chown -R bind:bind /var/lib/named/var/*
</sxh>

Now we need to move the default configuration directory into the chroot, create a symlink at the usual path so it is easier to reach, and fix the permissions.
<sxh bash>
mv /etc/bind/* /var/lib/named/etc/bind/
rm -rf /etc/bind
ln -sf /var/lib/named/etc/bind /etc/bind
cp /etc/localtime /var/lib/named/etc
chown -R bind:bind /var/lib/named/etc/bind
chown -R root:bind /var/lib/named/var/cache/bind/dynamic
chmod -R 775 /var/lib/named/var/cache/bind/dynamic
</sxh>

Now we need to tell the Bind DNS server where its home directory is, so let's configure it.

Let's copy the systemd unit file.
<sxh bash>
cp /lib/systemd/system/bind9.service /etc/systemd/system
</sxh>

Why copy the file instead of changing the default one? If the package is updated, /lib/systemd/system/bind9.service will be overwritten and we would lose the configuration. The -t option in ExecStart is what makes named chroot into /var/lib/named, and -u drops it to the bind user.
<sxh apache>
vim /etc/systemd/system/bind9.service
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target

[Service]
ExecStart=/usr/sbin/named -f -u bind -t /var/lib/named
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target
</sxh>

Now we need to configure /etc/resolv.conf to use the current server as DNS server.
<sxh bash>
vim /etc/resolv.conf
nameserver 127.0.0.1
</sxh>

Now we need to configure /etc/bind/named.conf.options with the options we need; feel free to change what you want. Note that recursion is turned off globally here and is only enabled later inside the internal view, so the server does not act as an open resolver for the outside.

<sxh bash>
vim /etc/bind/named.conf.options
#/etc/bind/named.conf.options
acl "internal_hosts" {
   127.0.0.1/32;
   10.0.0.0/23;
   10.100.0.0/24;
   10.101.0.0/24;
   10.200.0.0/24;
   172.16.0.0/24;
   192.168.25.0/24;
};

acl "internal_slave" {
   192.168.25.111;
};

acl "external_slave" {
   192.168.25.112;
};

options {
   directory "/var/cache/bind";
   managed-keys-directory "/var/cache/bind/dynamic";
   auth-nxdomain no;
   listen-on-v6 { any; };
   listen-on { 127.0.0.1/32; 192.168.25.0/24; };
   forwarders { 8.8.8.8; 8.8.4.4; };
   allow-query { any; };
   recursion no;
   version "Nao Disponivel";
   dnssec-enable no;
   dnssec-validation no;
   dnssec-lookaside auto;
   empty-zones-enable yes;
};

include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};

#LOGS
logging {
   channel xfer-log {
      file "/var/log/named.log";
      print-category yes;
      print-severity yes;
      print-time yes;
      severity info;
   };
   category xfer-in { xfer-log; };
   category xfer-out { xfer-log; };
   category notify { xfer-log; };

   channel update-debug {
      file "/var/log/named-update-debug.log";
      severity debug 3;
      print-category yes;
      print-severity yes;
      print-time yes;
   };
   channel security-info {
      file "/var/log/named-auth-info.log";
      severity info;
      print-category yes;
      print-severity yes;
      print-time yes;
   };
   category update { update-debug; };
   category security { security-info; };
};

include "/etc/bind/bind.keys";
</sxh>

Now let's change /etc/bind/named.conf to include the files that will be used by the Bind DNS server.
<sxh bash>
vim /etc/bind/named.conf
#/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/named.conf.external-zones";
</sxh>

Now we need to configure the internal zones file /etc/bind/named.conf.internal-zones. Make sure you added your client networks to internal_hosts in named.conf.options. The order of the entries matters: match-clients is evaluated top-down and the first element that covers the client decides, so !external_slave must come before internal_hosts, otherwise the external slave (192.168.25.112, which sits inside 192.168.25.0/24) would be served the internal zone.
<sxh bash>
vim /etc/bind/named.conf.internal-zones
#/etc/bind/named.conf.internal-zones

view "internal" {

# Setting up which clients can use this view
match-clients {
  !external_slave;
  internal_hosts;
};

# As we allow the internal network to use this view
# we need to enable recursion to resolve other domains besides ours
recursion yes;

# Setting up which servers are allowed to transfer the zones of this view
allow-transfer {
   internal_slave;
};

# Which servers, besides the masters, may send NOTIFY messages for slave zones in this view
allow-notify {
   internal_slave;
};

# The following lines include the files about the internal zones;
# they are divided by function
include "/etc/bind/zones/internal/named.conf.internal.master-zones";
include "/etc/bind/zones/internal/named.conf.internal.slave-zones";
include "/etc/bind/zones/internal/named.conf.internal.forward-zones";

};
</sxh>

Now let's configure the External View in /etc/bind/named.conf.external-zones.
<sxh bash>
vim /etc/bind/named.conf.external-zones
#/etc/bind/named.conf.external-zones

view "external" {

# Setting up which clients can use this view
match-clients {
  external_slave;
  !internal_hosts;
  any;
};

# The clients of this view cannot use this server to resolve recursive queries.
recursion no;

# Setting up which servers are allowed to transfer the zones of this view
allow-transfer {
   external_slave;
};

# Which servers, besides the masters, may send NOTIFY messages for slave zones in this view
allow-notify {
   external_slave;
};

# The following lines include the files about the external zones
include "/etc/bind/zones/external/named.conf.external.master-zones";
include "/etc/bind/zones/external/named.conf.external.slave-zones";
include "/etc/bind/zones/external/named.conf.external.forward-zones";
};
</sxh>
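To see why the order of the match-clients entries matters, here is an added example (not from the page) that replays BIND's first-match rule over the ACLs and the two views above for both slave addresses, with and without the external_slave entries; the VIEWS_BEFORE list and the function names are this example's own constructions.

```python
import ipaddress

# ACLs as defined in the master's named.conf.options on this page.
ACLS = {
    "internal_hosts": [
        "127.0.0.1/32", "10.0.0.0/23", "10.100.0.0/24", "10.101.0.0/24",
        "10.200.0.0/24", "172.16.0.0/24", "192.168.25.0/24",
    ],
    "internal_slave": ["192.168.25.111"],
    "external_slave": ["192.168.25.112"],
}

# match-clients of the two views, in the order named.conf includes them:
# the first view whose match-clients accepts the client answers it.
VIEWS_FIXED = [
    ("internal", ["!external_slave", "internal_hosts"]),
    ("external", ["external_slave", "!internal_hosts", "any"]),
]

# Constructed for this example: the same views without the slave entries.
# Both slave addresses live inside 192.168.25.0/24, so both would be
# answered by the internal view and both slave copies would hold internal data.
VIEWS_BEFORE = [
    ("internal", ["internal_hosts"]),
    ("external", ["!internal_hosts", "any"]),
]


def element_covers(element, addr, acls):
    """Does this element cover the address, ignoring any leading '!'?"""
    name = element.lstrip("!")
    if name == "any":
        return True
    if name == "none":
        return False
    if name in acls:
        # Nested ACL. The page's ACLs contain only positive prefixes, so a
        # nested list covers the address when any of its entries does.
        return any(element_covers(e, addr, acls) for e in acls[name])
    return addr in ipaddress.ip_network(name, strict=False)


def list_matches(elements, addr, acls):
    """BIND address-match-list rule: the first element that covers the
    address decides. A plain element means 'match', a negated one means
    'no match'; if nothing covers the address the list does not match."""
    for element in elements:
        if element_covers(element, addr, acls):
            return not element.startswith("!")
    return False


def select_view(views, client, acls=ACLS):
    """Return the first view whose match-clients accepts the client, or None."""
    addr = ipaddress.ip_address(client)
    for name, match_clients in views:
        if list_matches(match_clients, addr, acls):
            return name
    return None


def slave_views(views):
    """Which view each slave address reaches on the master. The slave sets
    transfer-source to 192.168.25.111 (internal) or 192.168.25.112 (external),
    so these are exactly the two source addresses the master sees."""
    return {ip: select_view(views, ip) for ip in ("192.168.25.111", "192.168.25.112")}


if __name__ == "__main__":
    print("before:", slave_views(VIEWS_BEFORE))  # both slaves land in 'internal'
    print("fixed: ", slave_views(VIEWS_FIXED))   # .111 internal, .112 external
    for client in ("10.0.0.5", "127.0.0.1", "8.8.8.8"):
        print(client, "->", select_view(VIEWS_FIXED, client))
```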

Now let's create and configure the master internal zones configuration file.
<sxh bash>
vim /etc/bind/zones/internal/named.conf.internal.master-zones
#/etc/bind/zones/internal/named.conf.internal.master-zones
zone "." {
   type hint;
   file "/etc/bind/db.root";
};

zone "localhost" {
   type master;
   file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
   type master;
   file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
   type master;
   file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
   type master;
   file "/etc/bind/db.255";
};

zone "douglasqsantos.com.br" {
   type master;
   file "master/db.douglasqsantos.com.br-internal";
};
</sxh>

Now let's create and configure the slave internal zones configuration file. Here I will configure another domain only to show that a master DNS server can also be a slave for another domain; if you don't want this configuration, leave only the line starting with #.
<sxh bash>
vim /etc/bind/zones/internal/named.conf.internal.slave-zones
#/etc/bind/zones/internal/named.conf.internal.slave-zones
zone "douglasqsantos.lan" {
   type slave;
   masters { 172.32.0.120; };
   transfer-source 172.32.0.122;
   file "slave/db.douglasqsantos.lan-internal";
};
</sxh>

Now let's create and configure the master external zones configuration file.
<sxh bash>
vim /etc/bind/zones/external/named.conf.external.master-zones
#/etc/bind/zones/external/named.conf.external.master-zones
zone "douglasqsantos.com.br" {
   type master;
   file "master/db.douglasqsantos.com.br-external";
};
</sxh>

Sometimes, after a merger of companies, we cannot replicate the whole structure, so instead we forward the requests for a specific domain to a DNS server that we know is authoritative for that zone. Usually this kind of configuration works over a VPN or another kind of direct connection.
<sxh bash>
vim /etc/bind/zones/internal/named.conf.internal.forward-zones
#/etc/bind/zones/internal/named.conf.internal.forward-zones
zone "douglas.wiki.br" {
   type forward;
   forwarders { 172.32.0.120; 172.32.0.122; };
};
</sxh>

With this configuration, when the server needs to know about the zone douglas.wiki.br it forwards the request to the authoritative DNS server for that domain, in our case 172.32.0.120, or to the second one, 172.32.0.122, if the first is not responding.

So far we do not have any external zone whose requests we want to forward directly, but we could, as we did in the last configuration file; this kind of configuration is used when we have a lot of traffic to the same domain and do not want to rely on the cache, or for some other reason.
<sxh bash>
vim /etc/bind/zones/external/named.conf.external.forward-zones
#/etc/bind/zones/external/named.conf.external.forward-zones
</sxh>

We do not have any external slave zone yet either, but since the file is included from the view configuration it needs to exist and must have some content, such as a comment, as we do below.
<sxh bash>
vim /etc/bind/zones/external/named.conf.external.slave-zones
#/etc/bind/zones/external/named.conf.external.slave-zones
</sxh>

After configuring the zone configuration files we need to create the zone database files that store the information about the zones, such as the records and their addresses. Owner names written without a trailing dot are relative to the zone origin, so names that already contain the domain must end with a dot.

Let's create the internal database file of douglasqsantos.com.br, /var/lib/named/var/cache/bind/master/db.douglasqsantos.com.br-internal
<sxh dns>
vim /var/lib/named/var/cache/bind/master/db.douglasqsantos.com.br-internal
$TTL 86400
@   IN  SOA dns.douglasqsantos.com.br. root.dns.douglasqsantos.com.br. (
            2016011901  ; Serial
            3600        ; Refresh
            1800        ; Retry
            1209600     ; Expire
            3600 )      ; Minimum

;
@                           IN  NS   douglasqsantos.com.br.
douglasqsantos.com.br.      IN  TXT  "v=spf1 a mx ip4:192.168.25.0/24 -all"
douglasqsantos.com.br.      IN  SPF  "v=spf1 a mx ip4:192.168.25.0/24 -all"
mail.douglasqsantos.com.br. IN  TXT  "v=spf1 a -all"
mail.douglasqsantos.com.br. IN  SPF  "v=spf1 a -all"

@                           IN  NS   ns1.douglasqsantos.com.br.
@                           IN  NS   ns2.douglasqsantos.com.br.
@                           IN  MX   0 mail.douglasqsantos.com.br.

;NAME SERVERS
@               IN      A    192.168.25.94
ns1             IN      A    192.168.25.110
ns2             IN      A    192.168.25.111
dns             IN      A    192.168.25.110

;MAIL SERVERS
mail            IN      A    192.168.25.242
imap            IN      CNAME mail
pop             IN      CNAME mail
smtp            IN      CNAME mail
webmail         IN      CNAME mail

;WEB SERVERS
www             IN      A    192.168.25.94
ftp             IN      CNAME www
mailadmin       IN      CNAME www
</sxh>

Let's create the external database file of douglasqsantos.com.br, /var/lib/named/var/cache/bind/master/db.douglasqsantos.com.br-external
<sxh dns>
vim /var/lib/named/var/cache/bind/master/db.douglasqsantos.com.br-external
$TTL 86400
@   IN  SOA dns.douglasqsantos.com.br. root.dns.douglasqsantos.com.br. (
            2016011901  ; Serial
            3600        ; Refresh
            1800        ; Retry
            1209600     ; Expire
            3600 )      ; Minimum

;
@                           IN  NS   douglasqsantos.com.br.
douglasqsantos.com.br.      IN  TXT  "v=spf1 a mx ip4:200.200.200.0/28 -all"
douglasqsantos.com.br.      IN  SPF  "v=spf1 a mx ip4:200.200.200.0/28 -all"
mail.douglasqsantos.com.br. IN  TXT  "v=spf1 a -all"
mail.douglasqsantos.com.br. IN  SPF  "v=spf1 a -all"

@                           IN  NS   ns1.douglasqsantos.com.br.
@                           IN  NS   ns2.douglasqsantos.com.br.
@                           IN  MX   0 mail.douglasqsantos.com.br.

;NAME SERVERS
@               IN      A    200.200.200.25
ns1             IN      A    200.200.200.25
ns2             IN      A    200.200.200.27
dns             IN      A    200.200.200.25

;MAIL SERVERS
mail            IN      A    200.200.200.25
imap            IN      CNAME mail
pop             IN      CNAME mail
smtp            IN      CNAME mail
webmail         IN      CNAME mail

;WEB SERVERS
www             IN      A    200.200.200.27
ftp             IN      CNAME www
mailadmin       IN      CNAME www
</sxh>
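As an added example (not part of the page), a small lint for the zone-file style used above, run over abbreviated constructed copies of the two databases: it flags an owner that already contains the zone name but lacks the trailing dot (named would qualify it a second time), NS/MX/CNAME targets without an address record, private addresses in the external file, and lists the names the two views deliberately answer differently. The function names are this example's own.

```python
import ipaddress
import re
import shlex

ORIGIN = "douglasqsantos.com.br."

# Abbreviated, constructed copies of the page's two zone databases. The
# internal one writes "mail.douglasqsantos.com.br" without a trailing dot.
INTERNAL_ZONE = """
$TTL 86400
@ IN SOA dns.douglasqsantos.com.br. root.dns.douglasqsantos.com.br. (
        2016011901 ; Serial
        3600 1800 1209600 3600 )
@    IN NS  ns1.douglasqsantos.com.br.
@    IN NS  ns2.douglasqsantos.com.br.
@    IN MX  0 mail.douglasqsantos.com.br.
mail.douglasqsantos.com.br IN TXT "v=spf1 a -all"
ns1  IN A   192.168.25.110
ns2  IN A   192.168.25.111
mail IN A   192.168.25.242
www  IN A   192.168.25.94
ftp  IN CNAME www
"""
EXTERNAL_ZONE = """
@ IN SOA dns.douglasqsantos.com.br. root.dns.douglasqsantos.com.br. ( 2016011901 3600 1800 1209600 3600 )
@    IN NS  ns1.douglasqsantos.com.br.
@    IN NS  ns2.douglasqsantos.com.br.
@    IN MX  0 mail.douglasqsantos.com.br.
ns1  IN A   200.200.200.25
ns2  IN A   200.200.200.27
mail IN A   200.200.200.25
www  IN A   200.200.200.27
ftp  IN CNAME www
"""


def _logical_lines(text):
    """Drop ';' comments (the page's TXT data has none) and join a parenthesised SOA onto one line."""
    out, buf = [], []
    for raw in text.splitlines():
        line = re.sub(r";.*", "", raw).strip()
        if line:
            buf.append(line)
            joined = " ".join(buf)
            if joined.count("(") <= joined.count(")"):
                out.append(joined.replace("(", " ").replace(")", " "))
                buf = []
    return out


def _fqdn(name, origin):
    # '@' is the origin; a name without a trailing dot gets the origin appended.
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin=ORIGIN):
    """Return (soa_serial, [(owner, type, rdata_fields)]) with owners fully qualified."""
    serial, records = None, []
    for line in _logical_lines(text):
        if line.startswith("$"):          # $TTL is not needed for these checks
            continue
        fields = shlex.split(line)        # keeps quoted TXT data as one field
        owner, rest = _fqdn(fields[0], origin), fields[1:]
        if rest[0].isdigit():             # optional per-record TTL
            rest = rest[1:]
        if rest[0].upper() == "IN":       # optional class
            rest = rest[1:]
        if rest[0].upper() == "SOA":
            serial = int(rest[3])
        records.append((owner, rest[0].upper(), rest[1:]))
    return serial, records


def lint_zone(records, origin=ORIGIN, public_view=False):
    """Checks worth running before bumping the serial and reloading named."""
    problems = []
    doubled = origin.rstrip(".") + "." + origin
    named = {o for o, t, _ in records if t in ("A", "AAAA", "CNAME")}
    for owner, rtype, rdata in records:
        if owner.endswith(doubled):
            problems.append(f"{rtype} owner {owner} is qualified twice (missing trailing dot)")
        if rtype in ("NS", "MX", "CNAME"):
            target = _fqdn(rdata[-1], origin)
            if target.endswith("." + origin) and target not in named:
                problems.append(f"{rtype} at {owner} points to {target}, which has no address record")
        if public_view and rtype == "A" and ipaddress.ip_address(rdata[0]).is_private:
            problems.append(f"external view publishes private address {rdata[0]} for {owner}")
    return problems


def split_horizon_diff(internal, external):
    """Names whose A records differ between the views: the intended split, to be reviewed."""
    def a_map(records):
        return {o: {r[0] for oo, t, r in records if (oo, t) == (o, "A")}
                for o, t, _ in records if t == "A"}
    i, e = a_map(internal), a_map(external)
    return {n: (sorted(i.get(n, ())), sorted(e.get(n, ())))
            for n in sorted(set(i) | set(e)) if i.get(n) != e.get(n)}
```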

Now we can start the Bind DNS server and check whether everything is working properly.
<sxh bash>
systemctl daemon-reload
systemctl start bind9
</sxh>

Now let's check if the service is working. The process line confirms named is running as the bind user inside the chroot (-u bind -t /var/lib/named).
<sxh bash>
systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/etc/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Tue 2016-01-19 17:25:47 BRST; 1min 5s ago
     Docs: man:named(8)
  Process: 1967 ExecStop=/usr/sbin/rndc stop (code=exited, status=0/SUCCESS)
 Main PID: 1972 (named)
   CGroup: /system.slice/bind9.service
           └─1972 /usr/sbin/named -f -u bind -t /var/lib/named

Jan 19 17:25:47 dns1 named[1972]: managed-keys-zone/internal: loaded serial 3
Jan 19 17:25:47 dns1 named[1972]: managed-keys-zone/external: loaded serial 3
Jan 19 17:25:47 dns1 named[1972]: zone 0.in-addr.arpa/IN/internal: loaded serial 1
Jan 19 17:25:47 dns1 named[1972]: zone 127.in-addr.arpa/IN/internal: loaded serial 1
Jan 19 17:25:47 dns1 named[1972]: zone douglasqsantos.com.br/IN/internal: loaded serial 2016011901
Jan 19 17:25:47 dns1 named[1972]: zone localhost/IN/internal: loaded serial 2
Jan 19 17:25:47 dns1 named[1972]: zone 255.in-addr.arpa/IN/internal: loaded serial 1
Jan 19 17:25:47 dns1 named[1972]: zone douglasqsantos.com.br/IN/external: loaded serial 2016011901
Jan 19 17:25:47 dns1 named[1972]: all zones loaded
Jan 19 17:25:47 dns1 named[1972]: running
</sxh>

As we can see, all zones are loaded and the service is running, so let's run some queries to make sure that everything is working.

Let's check www.douglasqsantos.com.br
<sxh bash>
nslookup www.douglasqsantos.com.br
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   www.douglasqsantos.com.br
Address: 192.168.25.94
</sxh>

Now let's check ns1.douglasqsantos.com.br
<sxh bash>
nslookup ns1.douglasqsantos.com.br
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ns1.douglasqsantos.com.br
Address: 192.168.25.110
</sxh>

Now let's check that the server answers recursive queries. Querying from 127.0.0.1 puts us in the internal view, the only one with recursion enabled.
<sxh bash>
nslookup www.terra.com.br
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
www.terra.com.br  canonical name = web-portal-cdn.terra.com.br.
Name: web-portal-cdn.terra.com.br
Address: 200.192.176.65
</sxh>

Now let's configure logrotate to take care of the Bind DNS server log files.
<sxh bash>
vim /etc/logrotate.d/named
/var/lib/named/var/log/*.log {
  weekly
  missingok
  rotate 7
  postrotate
    /bin/systemctl reload bind9 > /dev/null
  endscript
  compress
  notifempty
}
</sxh>

===== Configuring the Bind DNS Server Slave =====

Let's install the bind packages.
<sxh bash>
aptitude update
aptitude install bind9 dnsutils -y
</sxh>

Let's stop the Bind DNS service before we start configuring it.
<sxh bash>
systemctl stop bind9
</sxh>

Now we need to create the chroot environment in which the Bind DNS server will run.
<sxh bash>
mkdir -p /var/lib/named/etc/bind/zones/{disabled,external,internal}
mkdir -p /var/lib/named/dev
mkdir -p /var/lib/named/var/log
mkdir -p /var/lib/named/var/cache/bind/{disabled,dynamic,master,slave}
mkdir -p /var/lib/named/var/run/bind/run
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
mknod /var/lib/named/dev/zero c 1 5
</sxh>

Now let's fix the permissions.
<sxh bash>
chmod 666 /var/lib/named/dev/{null,random,zero}
chown -R bind:bind /var/lib/named/var/*
</sxh>

Now we need to move the default configuration directory into the chroot, create a symlink at the usual path so it is easier to reach, and fix the permissions.
<sxh bash>
mv /etc/bind/* /var/lib/named/etc/bind/
rm -rf /etc/bind
ln -sf /var/lib/named/etc/bind /etc/bind
cp /etc/localtime /var/lib/named/etc
chown -R bind:bind /var/lib/named/etc/bind
chown -R root:bind /var/lib/named/var/cache/bind/dynamic
chmod -R 775 /var/lib/named/var/cache/bind/dynamic
</sxh>

Now we need to tell the Bind DNS server where its home directory is, so let's configure it.

Let's copy the systemd unit file.
<sxh bash>
cp /lib/systemd/system/bind9.service /etc/systemd/system
</sxh>

Why copy the file instead of changing the default one? If the package is updated, /lib/systemd/system/bind9.service will be overwritten and we would lose the configuration.
<sxh apache>
vim /etc/systemd/system/bind9.service
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target

[Service]
ExecStart=/usr/sbin/named -f -u bind -t /var/lib/named
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target
</sxh>

Now we need to configure /etc/resolv.conf to use the current server as DNS server.
<sxh bash>
vim /etc/resolv.conf
nameserver 127.0.0.1
</sxh>

Now we need to configure /etc/bind/named.conf.options with the options we need; feel free to change what you want.
<sxh bash>
vim /etc/bind/named.conf.options
#/etc/bind/named.conf.options
acl "internal_hosts" {
   127.0.0.1/32;
   10.0.0.0/23;
   10.100.0.0/24;
   10.101.0.0/24;
   10.200.0.0/24;
   172.16.0.0/24;
   192.168.25.0/24;
};

acl "dns_master" {
   192.168.25.110;
};

options {
   directory "/var/cache/bind";
   managed-keys-directory "/var/cache/bind/dynamic";
   auth-nxdomain no;
   listen-on-v6 { any; };
   listen-on { 127.0.0.1/32; 192.168.25.0/24; };
   forwarders { 8.8.8.8; 8.8.4.4; };
   allow-query { any; };
   recursion no;
   version "Nao Disponivel";
   dnssec-enable no;
   dnssec-validation no;
   dnssec-lookaside auto;
   empty-zones-enable yes;
};

include "/etc/bind/rndc.key";
controls {
   inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { rndc-key; };
};

#LOGS
logging {
   channel xfer-log {
      file "/var/log/named.log";
      print-category yes;
      print-severity yes;
      print-time yes;
      severity info;
   };
   category xfer-in { xfer-log; };
   category xfer-out { xfer-log; };
   category notify { xfer-log; };

   channel update-debug {
      file "/var/log/named-update-debug.log";
      severity debug 3;
      print-category yes;
      print-severity yes;
      print-time yes;
   };
   channel security-info {
      file "/var/log/named-auth-info.log";
      severity info;
      print-category yes;
      print-severity yes;
      print-time yes;
   };
   category update { update-debug; };
   category security { security-info; };
};

include "/etc/bind/bind.keys";
</sxh>

Now let's change /etc/bind/named.conf to include the files that will be used by the Bind DNS server.
<sxh bash>
vim /etc/bind/named.conf
#/etc/bind/named.conf
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.internal-zones";
include "/etc/bind/named.conf.external-zones";
</sxh>

Now we need to configure the internal zones file /etc/bind/named.conf.internal-zones. Make sure you added your client networks to internal_hosts in named.conf.options.
<sxh bash>
vim /etc/bind/named.conf.internal-zones
#/etc/bind/named.conf.internal-zones
view "internal" {

# Setting up which clients can use this view
match-clients {
   internal_hosts;
};

# As we allow the internal network to use this view
# we need to enable recursion to resolve other domains besides ours
recursion yes;

# Nobody is allowed to transfer zones from the slave
allow-transfer {
   none;
};

# Which servers may send NOTIFY messages for the slave zones in this view
allow-notify {
   dns_master;
};

# The following lines include the files about the internal zones;
# they are divided by function
include "/etc/bind/zones/internal/named.conf.internal.master-zones";
include "/etc/bind/zones/internal/named.conf.internal.slave-zones";
include "/etc/bind/zones/internal/named.conf.internal.forward-zones";

};
</sxh>

Now let's configure the External View configuration file /etc/bind/named.conf.external-zones
<sxh bash>
vim /etc/bind/named.conf.external-zones
#/etc/bind/named.conf.external-zones

view "external" {

# Setting up which clients can use this view
match-clients {
   !internal_hosts;
   any;
};

# The clients of this view cannot use this server to resolve recursive queries.
recursion no;

# Nobody is allowed to transfer zones from the slave
allow-transfer {
   none;
};

# Which servers may send NOTIFY messages for the slave zones in this view
allow-notify {
   dns_master;
};

# The following lines include the files about the external zones
include "/etc/bind/zones/external/named.conf.external.master-zones";
include "/etc/bind/zones/external/named.conf.external.slave-zones";
include "/etc/bind/zones/external/named.conf.external.forward-zones";

};
</sxh>

Now let's create and configure the master internal zones configuration file.
<sxh bash>
vim /etc/bind/zones/internal/named.conf.internal.master-zones
#/etc/bind/zones/internal/named.conf.internal.master-zones
zone "." {
   type hint;
   file "/etc/bind/db.root";
};

zone "localhost" {
   type master;
   file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
   type master;
   file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
   type master;
   file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
   type master;
   file "/etc/bind/db.255";
};
</sxh>

Now let's create and configure the slave internal zones configuration file. The transfer-source is the local address this view uses when it asks the master for the zone, which is what makes the master's match-clients put the request in the matching view.
<sxh bash>
vim /etc/bind/zones/internal/named.conf.internal.slave-zones
#/etc/bind/zones/internal/named.conf.internal.slave-zones
zone "douglasqsantos.com.br" {
   type slave;
   masters { 192.168.25.110; }; # IP address of the master DNS server
   transfer-source 192.168.25.111; # local address used to request the transfer, matched to the master's internal view
   file "slave/db.douglasqsantos.com.br-internal";
};
</sxh>

Now let's create and configure the slave external zones configuration file.
<sxh bash>
vim /etc/bind/zones/external/named.conf.external.slave-zones
#/etc/bind/zones/external/named.conf.external.slave-zones
zone "douglasqsantos.com.br" {
   type slave;
   masters { 192.168.25.110; }; # IP address of the master DNS server
   transfer-source 192.168.25.112; # local address used to request the transfer, matched to the master's external view
   file "slave/db.douglasqsantos.com.br-external";
};
</sxh>

Now we need to create some files containing only a comment, so that we do not get any warnings or errors; those files can be used in the future.

Forward zones configuration file for the internal view.
<sxh bash>
vim /etc/bind/zones/internal/named.conf.internal.forward-zones
#/etc/bind/zones/internal/named.conf.internal.forward-zones
</sxh>

Forward zones configuration file for the external view.
<sxh bash>
vim /etc/bind/zones/external/named.conf.external.forward-zones
#/etc/bind/zones/external/named.conf.external.forward-zones
</sxh>

Master zones configuration file for the external view.
<sxh bash>
vim /etc/bind/zones/external/named.conf.external.master-zones
#/etc/bind/zones/external/named.conf.external.master-zones
</sxh>

Now we can start the Bind DNS server and check whether everything is working properly.
<sxh bash>
systemctl daemon-reload
systemctl start bind9
</sxh>

Now let's check if the service is working. The last four log lines show each view pulling its own copy of douglasqsantos.com.br from the master.
<sxh bash>
systemctl status bind9
● bind9.service - BIND Domain Name Server
   Loaded: loaded (/etc/systemd/system/bind9.service; enabled)
  Drop-In: /run/systemd/generator/bind9.service.d
           └─50-insserv.conf-$named.conf
   Active: active (running) since Tue 2016-01-19 18:01:37 BRST; 3s ago
     Docs: man:named(8)
 Main PID: 1611 (named)
   CGroup: /system.slice/bind9.service
           └─1611 /usr/sbin/named -f -u bind -t /var/lib/named

Jan 19 18:01:37 dns2 named[1611]: zone 0.in-addr.arpa/IN/internal: loaded serial 1
Jan 19 18:01:37 dns2 named[1611]: zone 255.in-addr.arpa/IN/internal: loaded serial 1
Jan 19 18:01:37 dns2 named[1611]: zone localhost/IN/internal: loaded serial 2
Jan 19 18:01:37 dns2 named[1611]: zone 127.in-addr.arpa/IN/internal: loaded serial 1
Jan 19 18:01:37 dns2 named[1611]: all zones loaded
Jan 19 18:01:37 dns2 named[1611]: running
Jan 19 18:01:37 dns2 named[1611]: zone douglasqsantos.com.br/IN/internal: Transfer started.
Jan 19 18:01:37 dns2 named[1611]: zone douglasqsantos.com.br/IN/internal: transferred serial 2016011901
Jan 19 18:01:38 dns2 named[1611]: zone douglasqsantos.com.br/IN/external: Transfer started.
Jan 19 18:01:38 dns2 named[1611]: zone douglasqsantos.com.br/IN/external: transferred serial 2016011901
</sxh>

As we can see, all zones are loaded and the service is running, so let's run some queries to make sure that everything is working.

Let's check www.douglasqsantos.com.br
<sxh bash>
nslookup www.douglasqsantos.com.br
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   www.douglasqsantos.com.br
Address: 192.168.25.94
</sxh>

Now let's check ns1.douglasqsantos.com.br
<sxh bash>
nslookup ns1.douglasqsantos.com.br
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ns1.douglasqsantos.com.br
Address: 192.168.25.110
</sxh>

Now let's check that the server answers recursive queries.
<sxh bash>
nslookup www.terra.com.br
Server:   127.0.0.1
Address:  127.0.0.1#53

Non-authoritative answer:
www.terra.com.br  canonical name = web-portal-cdn.terra.com.br.
Name: web-portal-cdn.terra.com.br
Address: 200.192.176.65
</sxh>

Now let's configure logrotate to take care of the Bind DNS server log files.
<sxh bash>
vim /etc/logrotate.d/named
/var/lib/named/var/log/*.log {
  weekly
  missingok
  rotate 7
  postrotate
    /bin/systemctl reload bind9 > /dev/null
  endscript
  compress
  notifempty
}
</sxh>
