10.7. BIND

BIND 9 is the official DNS server solution in PNS. BIND under PNS always runs in a chrooted environment, so its configuration file(s) are stored under the /var/chroot/bind9/etc/bind/ directory.

BIND 9 introduced the notion of split-DNS installations where basic access control can be applied to DNS Zone records. That is, for each record in the DNS database file you can specify whether outside resolvers can query those records ("public" records in DNS terminology) or they are only available to internal resolver clients ("private" records).

Choosing a split-DNS setup is optional. If you do choose it, there are two configuration files:

  • named.conf, and

  • named.conf.shared.

The named.conf.shared file hosts information that is intended to be public, that is, accessible to outside resolvers.
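The following is an added example of how the two files can fit together; it is not the configuration shipped with PNS. It uses BIND 9 views, the mechanism that lets the same zone name be served from different zone files depending on who is asking. The internal network 10.0.0.0/8, the zone example.com, the zone file names and the directory statement are all assumptions; only the file names named.conf and named.conf.shared come from this section. Because named is chrooted, paths inside the configuration are relative to the chroot, so "/etc/bind/" here means /var/chroot/bind9/etc/bind/ on the firewall.

```conf
// ---- named.conf (example layout, not the PNS default) ----
acl "internal" {
  10.0.0.0/8;       // assumed internal client network; adjust to your site
  127.0.0.1;
};

options {
  directory "/var/cache/bind";     // assumed working directory
  recursion no;                    // default for every view unless overridden
  allow-transfer { none; };        // no zone transfers unless a zone allows them
  version "not available";         // do not advertise the BIND version string
};

// Internal clients: may recurse and see the private record set.
// The private zone file carries the full record set (public names included),
// because a client that matches this view never reaches the external view.
view "internal" {
  match-clients { internal; };
  recursion yes;
  allow-recursion { internal; };

  zone "example.com" {
    type master;
    file "/etc/bind/db.example.com.private";
  };
};

// Everyone else: authoritative answers for the public data only, no recursion.
view "external" {
  match-clients { any; };
  recursion no;
  include "/etc/bind/named.conf.shared";
};

// ---- named.conf.shared (public zone data only) ----
zone "example.com" {
  type master;
  file "/etc/bind/db.example.com.public";
};
```

Once views are used, every zone statement must live inside a view, which is why named.conf.shared is included from the external view rather than at top level; including it in the internal view as well would define example.com twice in one view and named would refuse to start. Validate the result inside the chroot with named-checkconf -t /var/chroot/bind9 /etc/bind/named.conf before restarting the service.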

Tip

Setting up a split-DNS configuration only makes sense if the firewall is going to be an authoritative nameserver for one or more domains. If it is only used as a forward-only server, split-DNS is not necessary.

In forward-only configurations, only the named.conf file is used. Being a forward-only server, the nameserver under PNS does not perform recursive name resolution on the Internet for the internal clients, but instead it forwards queries as-is to the nameserver(s) configured as its forwarder(s).

This is probably the simplest functional named configuration possible, as only a single entry has to be edited in the configuration file.

forwarders {
  10.20.30.40; // IP address of the forwarder nameserver
};
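The forwarders entry above is the only line the section requires, but a forwarders statement on its own means "forward first": if the forwarder does not answer, named falls back to resolving recursively on the Internet itself, which is exactly what a forward-only setup is meant to avoid. The following added example (not the PNS default configuration) shows a complete options block that pins the behaviour to forward-only and restricts who may use the resolver; the internal network 10.0.0.0/8, the listening address 10.0.0.1 and the directory statement are assumptions, and 10.20.30.40 is the example address from this section.

```conf
acl "internal" {
  10.0.0.0/8;                    // assumed internal client network
  127.0.0.1;
};

options {
  directory "/var/cache/bind";   // assumed working directory
  forward only;                  // never resolve on the Internet ourselves
  forwarders {
    10.20.30.40;                 // upstream forwarder (example address)
  };
  recursion yes;                 // internal clients need forwarded (recursive) answers
  allow-query { internal; };     // answer nobody outside the internal network
  allow-recursion { internal; };
  allow-transfer { none; };      // nothing to transfer on a forward-only server
  listen-on { 10.0.0.1; 127.0.0.1; };  // assumed inside interface only
};
```

With allow-query and allow-recursion limited to the internal ACL the firewall cannot be used as an open resolver from the outside, even if the listen-on list is later widened. Check the file with named-checkconf -t /var/chroot/bind9 /etc/bind/named.conf, then confirm from an internal host that a lookup is answered and from an external address that it is refused.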

You can use BIND 9 as a slave nameserver. In this setup, you do not maintain zone information on the firewall; instead you pull zone database records from an authoritative master nameserver through the zone transfer process. This setup provides fault tolerance, since if the master nameserver fails, the slave still contains a more or less up-to-date copy of the zone database.
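The following added example (not part of this section or of the PNS defaults) shows both sides of such a setup: the slave zone stanza for the firewall and the matching allow-transfer rule on the master, with the transfer authenticated by a TSIG key so that only the intended peer can pull the zone. The zone example.com, the master address 192.0.2.10 (a documentation address used as a placeholder), the key name xfer-key and the slave file path are assumptions; the base64 secret is a constructed placeholder and must be replaced with the output of tsig-keygen on a real system.

```conf
// ---- on the PNS firewall (slave) ----
// Shared secret for authenticating zone transfers. Generate a real one with
// tsig-keygen; the value below is only a syntactically valid placeholder.
key "xfer-key" {
  algorithm hmac-sha256;
  secret "cGxhY2Vob2xkZXI=";
};

// Sign every message sent to the master with the key above.
server 192.0.2.10 {
  keys { "xfer-key"; };
};

zone "example.com" {
  type slave;
  masters { 192.0.2.10; };
  file "/var/cache/bind/db.example.com.slave";  // local copy kept across restarts
  allow-transfer { none; };        // do not re-serve the zone to third parties
  allow-notify { 192.0.2.10; };    // accept NOTIFY only from the master
};

// ---- on the master nameserver (for reference) ----
// The same key block must be present there; then transfers are limited to
// peers that present it, rather than to an IP address that could be spoofed.
zone "example.com" {
  type master;
  file "/etc/bind/db.example.com";
  allow-transfer { key "xfer-key"; };
  notify yes;
};
```

The file statement on the slave matters for the fault-tolerance point made above: without it the slave holds the zone only in memory and has nothing to answer from after a restart while the master is down. After a successful transfer the slave file appears in the chroot, and the zone's serial can be compared on both servers with a SOA query to confirm the copy is current.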

The daemon running the BIND service is called named (hence the name of the configuration file), but the configuration directory is still called bind, after the name of the original Berkeley Unix implementation of the service. The startup script for the service is also called /etc/init.d/bind9.

For further information on BIND, see Chapter 9, Native services, and the references listed in Appendix C, Further readings.