BIND
BIND, the Berkeley Internet Name Domain, is a popular free software DNS server and one of the most widely deployed name servers on the Internet.
With BIND, users can set up an authoritative name server for their own DNS records, a caching (recursive) resolver, or a secondary (slave) server that receives its zones from a primary by zone transfer. The software supports DNSSEC, which attaches cryptographic signatures to DNS records so that validating resolvers can verify the origin and integrity of the data they receive.
Installation
BIND is provided by the net-dns/bind package. As with most packages, it is good practice to review the USE flags before emerging. Because BIND is so widely deployed, it is also a frequent target for attackers. It is wise to configure BIND securely, and that starts at build time: compile in support only for the features that will actually be used. Every feature that is left out is attack surface that cannot be exploited.
USE flags
USE flags for net-dns/bind (Berkeley Internet Name Domain - Name Server)
+caps | Use Linux capabilities library to control privilege
+dlz | Enables dynamic loaded zones, 3rd party extension
+zlib | Add support for zlib compression
berkdb | Add support for sys-libs/db (Berkeley DB for MySQL)
dnsrps | Enable the DNS Response Policy Service (DNSRPS) API, a mechanism to allow an external response policy provider
dnstap | Enables dnstap packet logging
doc | Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
doh | Enables dns-over-https
fixed-rrset | Enables fixed rrset-order option
geoip | Add geoip support for country and city lookup based on IPs
geoip2 | Enable GeoIP2 API from MaxMind
gssapi | Enable gssapi support
idn | Enable support for Internationalized Domain Names
jemalloc | Use dev-libs/jemalloc for memory management
json | Enable JSON statistics channel
ldap | Add LDAP support (Lightweight Directory Access Protocol)
lmdb | Enable LMDB support to store configuration for 'addzone' zones
mysql | Add mySQL Database support
odbc | Add ODBC Support (Open DataBase Connectivity)
postgres | Add support for the postgresql database
python | Add optional support/bindings for the Python language
selinux | !!internal use only!! Security Enhanced Linux support, this must be set by the selinux profile or breakage will occur
static-libs | Build static versions of dynamic libraries as well
test | Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
verify-sig | Verify upstream signatures on distfiles
xml | Add support for XML files
Emerge
root # emerge --ask net-dns/bind
Additional software
Bind-tools
USE flags for net-dns/bind-tools (bind tools: dig, nslookup, host, nsupdate, dnssec-keygen)
+caps | Use Linux capabilities library to control privilege
doc | Add extra documentation (API, Javadoc, etc). It is recommended to enable per package instead of globally
gssapi | Enable gssapi support
idn | Enable support for Internationalized Domain Names
libedit | Use the libedit library (replacement for readline)
readline | Enable support for libreadline, a GNU line-editing library that almost everyone wants
test | Enable dependencies and/or preparations necessary to run tests (usually controlled by FEATURES=test but can be toggled independently)
verify-sig | Verify upstream signatures on distfiles
xml | Add support for XML files
Install:
root # emerge --ask net-dns/bind-tools
Configuration
Service
OpenRC
To have BIND start automatically at system boot:
root # rc-update add named default
To start the service now:
root # rc-service named start
Most day-to-day management of a running BIND instance is done through its rndc command, although the /etc/init.d/named (OpenRC) init script also accepts the following arguments in addition to the usual start/stop/restart routines:
checkconfig - Validates the configuration file /etc/bind/named.conf for correct syntax.
checkzones - Validates the zone files for correct syntax.
reload - Reloads the configuration and zone files without restarting the named daemon itself.
For example:
root # rc-service named reload
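Reloading a configuration or zone file that does not parse can leave a zone unserved until someone notices, so the checks should run before the reload, not after. The script below is an added example, not part of the Gentoo page or of the BIND distribution: it performs the same validation as the init script's checkconfig and checkzones targets using the named-checkconf and named-checkzone tools that ship with net-dns/bind, and only then asks the running daemon to reload via rndc. The config path /etc/bind/named.conf and the /var/bind default directory are assumptions matching the stock Gentoo layout, and the zone-list parser assumes the usual style of double-quoted zone names and file paths.

```shell
#!/bin/sh
# bind-preflight.sh: validate named.conf and every zone file it references,
# then reload the running daemon. Added example, not from the Gentoo page or
# the BIND project. Paths are assumptions matching the stock Gentoo layout.

# Print one "zone<TAB>file" line per zone statement that has a file clause.
# Hint zones (root hints are not a real zone) and secondary zones (their files
# are written by zone transfer, not by hand) are skipped. Assumes the usual
# style of double-quoted zone names and file paths.
zones_from_conf() {
    awk '
        /^[ \t]*zone[ \t]+"/ {
            match($0, /"[^"]*"/)
            zone = substr($0, RSTART + 1, RLENGTH - 2)
        }
        /type[ \t]+(hint|secondary|slave)/ { zone = "" }
        zone != "" && /file[ \t]+"/ {
            match($0, /file[ \t]+"[^"]*"/)
            f = substr($0, RSTART, RLENGTH)
            sub(/^file[ \t]+"/, "", f)
            sub(/"$/, "", f)
            print zone "\t" f
            zone = ""
        }
    ' "$1"
}

# The "directory" option; relative zone file paths are resolved against it.
# Falls back to /var/bind, the value in Gentoo's stock named.conf (assumed).
named_directory() {
    dir=$(awk '/^[ \t]*directory[ \t]+"/ {
                   match($0, /"[^"]*"/)
                   print substr($0, RSTART + 1, RLENGTH - 2)
                   exit
               }' "$1")
    printf '%s\n' "${dir:-/var/bind}"
}

# Absolute path of a zone file, given the directory option and the file clause.
zone_file_path() {
    case "$2" in
        /*) printf '%s\n' "$2" ;;
        *)  printf '%s/%s\n' "$1" "$2" ;;
    esac
}

# Run named-checkconf and named-checkzone (both ship with net-dns/bind) and
# stop at the first failure, so a broken file never reaches the live daemon.
bind_preflight() {
    conf=${1:-/etc/bind/named.conf}
    named-checkconf "$conf" || return 1
    dir=$(named_directory "$conf")
    zones_from_conf "$conf" | while IFS="$(printf '\t')" read -r zone file; do
        named-checkzone -q "$zone" "$(zone_file_path "$dir" "$file")" || exit 1
    done || return 1
    rndc reload
}

# Usage: sh bind-preflight.sh run [/etc/bind/named.conf]
case "${1:-}" in
    run) bind_preflight "$2" ;;
esac
```

Run it as root with `sh bind-preflight.sh run`; the exit status is non-zero and nothing is reloaded if named-checkconf or any named-checkzone call fails. rndc needs the key configured in /etc/bind/rndc.key (or rndc.conf), which the Gentoo package sets up for the local host.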
Chroots
Systems that will run BIND in a chrooted environment should set the CHROOT variable in /etc/conf.d/named accordingly. Read the comments in that file as well; they describe how to create the chroot automatically with emerge --config.
Recipes
Easy caching DNS
Point the system's own resolver at the local BIND instance (netifrc reads this when bringing up the network):
root # echo 'dns_servers="127.0.0.1"' >> /etc/conf.d/net
As root, edit /etc/bind/named.conf and add a forwarders list inside the options { ... } block, replacing each x.x.x.x with the address of one of your Internet service provider's name servers:
forwarders {
x.x.x.x; // Your ISP NS
x.x.x.x; // Your ISP NS
4.2.2.1; // Level3 Public DNS
4.2.2.2; // Level3 Public DNS
8.8.4.4; // Google Public DNS
8.8.8.8; // Google Public DNS
};
Restart the service and confirm that the local server resolves names by querying it explicitly:
root # rc-service named restart
user $ dig @127.0.0.1 google.com
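A forwarders list alone is enough for a single host, but a BIND instance that answers recursive queries from any source address is an open resolver and will be used for DNS reflection and amplification attacks against third parties. The following named.conf is an added example, not the Gentoo default file or anything from the BIND project: it is a caching-only resolver for a small network that restricts recursion and cache access to an ACL, binds only to the interfaces it should serve, validates DNSSEC itself rather than trusting the forwarders, and hides the version string. It assumes a LAN of 192.0.2.0/24 with the server's own address 192.0.2.1 (a documentation prefix, to be replaced), and the stock Gentoo values for directory and pid-file.

```conf
// Added example: hardened caching-only resolver. Not the Gentoo stock file.
// 192.0.2.0/24 and 192.0.2.1 are assumed placeholders; replace with your LAN.
acl "trusted" {
    127.0.0.0/8;
    ::1/128;
    192.0.2.0/24;       // assumed LAN prefix
};

options {
    directory "/var/bind";              // stock Gentoo value (assumed)
    pid-file  "/run/named/named.pid";   // stock Gentoo value (assumed)

    // Listen only where clients are expected, never on every interface.
    listen-on    { 127.0.0.1; 192.0.2.1; };
    listen-on-v6 { ::1; };

    // Recursion for the trusted ACL only. Queries from anywhere else are
    // refused, which is what keeps this from being an open resolver.
    recursion yes;
    allow-query       { trusted; };
    allow-recursion   { trusted; };
    allow-query-cache { trusted; };

    // A caching server has no zones to hand out.
    allow-transfer { none; };

    // Send every query upstream and never iterate from the root ourselves.
    forwarders {
        // x.x.x.x;  add your ISP's resolvers here
        8.8.8.8;     // Google Public DNS, as in the recipe above
        8.8.4.4;
    };
    forward only;

    // Validate signed answers locally instead of trusting the forwarders.
    dnssec-validation auto;

    // Do not reveal the BIND version to CH TXT version.bind queries.
    version none;
};
```

Check the syntax with named-checkconf /etc/bind/named.conf before restarting named. After the restart, dig @127.0.0.1 example.com should return an answer with the ra (recursion available) flag set, while the same query sent from a host outside the trusted ACL should come back with status REFUSED and no answer section; if it is answered, the server is still open.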
See also
External resources
- https://bind9.readthedocs.io/en/latest/# - Official BIND Administrator Reference Manual (ARM)
- https://tldp.org/LDP/lame/LAME/linux-admin-made-easy/domain-name-server.html - The Linux Documentation Project's guide to BIND; somewhat antiquated, but perhaps a helpful reference.
- https://zytrax.com/books/dns/ - DNS for Rocket Scientists - A high quality, detailed open source guide to DNS.