Debugging bind zones and config files

While maintaining zones and config files by hand sometimes you can make typo. Nothing to worry. Let us start with basics:

named-checkconf /etc/bind/named.conf
named-checkzone domain /var/cache/bind/domain.zone.file
tail –f /var/log/message

named-checkconf /etc/bind/named.conf

named-checkzone domain /var/cache/bind/domain.zone.file

tail –f /var/log/message

First command check named.conf (if you use that one) for errors. Second check if everything is ok with given zone files for given domain. Third and last one show what bind output to log file that he didn’t like.

Common mistake is to update zones files manually while using signed dns. But there is an easy fix for that.

Running a secure DDNS service with BIND

If you lack of static ip for your home machines but would like to have static address to access them there is a simple setup to make on your primary DNS server to achieve that.

On our client side let’s generate some keys:

#replace keyname with anything
dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n HOST keyname

1 2	#replace keyname with anything dnssec-keygen -a HMAC-MD5 -b 512 -r /dev/urandom -n HOST keyname

This will results in creating Kkeyname.***.key and Kkeyname.***.private, we will need to copy key from *.private file which will look like this:

Key: pRP5FapFoJ95JEL06sv4PQ==

1	Key: pRP5FapFoJ95JEL06sv4PQ==

Now on server let us edit BIND configuration file (eg. named.conf or named.conf.local) and add:

key "keyname." {
  algorithm hmac-md5;
  secret "pRP5FapFoJ95JEL06sv4PQ==";
};

key "keyname." {

algorithm hmac-md5;

secret "pRP5FapFoJ95JEL06sv4PQ==";

};

From now on we can allow zone updates by editing zone declaration and adding allow-update:

zone "example.com" {
  type master;
  file "master/db.example.com";
  allow-update { key "keyname."; };
};

zone "example.com" {

type master;

file "master/db.example.com";

allow-update { key "keyname."; };

};

Last thing that we need to do on server i restart BIND

On client side we would need to use something capable of updating dns records (eg. nsupdate)

#!/bin/bash
# Script to update DNS zones on a remote server
# Copyright © 2005-2007 - Julien Valroff <julien@kirya.net>
# Parts of the script Copyright © 2001-2002 - Dag Wieers <dag@wieers.com>
 
KEY="/root/Kkeyname.+157+29630.private"
SERVER="ns.domain.com"
LOGFILE="/var/log/syslog"
PPP_IFACE="ppp0"
 
if [ "$PPP_LOCAL" != '' ]; then
   if [ "$PPP_IFACE" != "$PPP_IFACE" ]; then
      echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: ABORTED: Not updating dynamic IP \
        address $PPP_LOCAL (already done for $(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }'))" >>$LOGFILE 2>&1
      exit 0
   fi
   IPADDR=$PPP_LOCAL
   sleep 3
else
   IPADDR=$(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }')
fi
 
(
cat <<EOF | nsupdate -k "$KEY"
server $SERVER
zone example.com
update delete example.com. A
update add example.com. 60 A $IPADDR
update delete mail.example.com. A
update add mail.example.com. 60 A $IPADDR
send
EOF
 
  RC=$?
 
  if [ $RC != 0 ]; then
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: FAILURE: Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    (
        echo "Subject: DDNS update failed"
        echo
        echo "Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"
    ) | /usr/sbin/sendmail root
  else
    echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: SUCCESS: Updating dynamic IP $IPADDR on $SERVER succeeded"
  fi
) >>$LOGFILE 2>&1
 
exit $RC

#!/bin/bash

# Script to update DNS zones on a remote server

KEY="/root/Kkeyname.+157+29630.private"

SERVER="ns.domain.com"

LOGFILE="/var/log/syslog"

PPP_IFACE="ppp0"

if [ "$PPP_LOCAL" != '' ]; then

if [ "$PPP_IFACE" != "$PPP_IFACE" ]; then

echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: ABORTED: Not updating dynamic IP \

address $PPP_LOCAL (already done for $(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }'))" >>$LOGFILE 2>&1

exit 0

IPADDR=$PPP_LOCAL

sleep 3

else

IPADDR=$(ip addr show $PPP_IFACE | awk '/inet/ { print $2 }')

(

cat <<EOF | nsupdate -k "$KEY"

server $SERVER

zone example.com

update delete example.com. A

update add example.com. 60 A $IPADDR

update delete mail.example.com. A

update add mail.example.com. 60 A $IPADDR

send

EOF

RC=$?

if [ $RC != 0 ]; then

echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: FAILURE: Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"

(

echo "Subject: DDNS update failed"

echo

echo "Updating dynamic IP $IPADDR on $SERVER failed (RC=$RC)"

) | /usr/sbin/sendmail root

else

echo "$(LANG=C date +'%b %e %X') $(hostname) ddupdate[$$]: SUCCESS: Updating dynamic IP $IPADDR on $SERVER succeeded"

) >>$LOGFILE 2>&1

exit $RC

Fixing BIND’s journal out of sync with zone error

When BIND stop to work and throw error like this:

zone example.com/IN: journal rollforward failed: journal out of sync with zone
zone example.com/IN: not loaded due to errors.

1 2	zone example.com/IN: journal rollforward failed: journal out of sync with zone zone example.com/IN: not loaded due to errors.

The simplest and fastest fix is by removing that journal file for zone

rm /var/cache/bind/zones/example.com.jnl

1	rm /var/cache/bind/zones/example.com.jnl

and then restart bind

service bind9 restart
# or
systemctl restart bind9

service bind9 restart

# or

systemctl restart bind9

Linux – Hide Bind version

If we would like to hide version of our bind server and make it harder for bot to sniff what version you use (assuming you always update 😉 ) you can make it by editing file: /etc/bind/named.conf.options:

#lets add this into 'options {'
version "unknown";
#or use other text in brackets

#lets add this into 'options {'

version "unknown";

#or use other text in brackets

Restart service:

service bind9 restart

1	service bind9 restart

Use dig to check that version you use now:

dig @example.com -c CH -t txt version.bind

1	dig @example.com -c CH -t txt version.bind

Linux – Own DNS server (bind9)

The second most important service for internet use is DNS server.

In my opinion www server (Apache/NginX) is most important part but DNS is just after it ;-). DNS service use very useful when we are managing your own domain.

Here is the simplest setup for own service:

apt-get install bind9
#config file
vim /etc/bind/named.conf.local
### named.conf.local ###
acl slaves {
        ip.adres.secondary.dns;
};

zone "example.com" {
        type master;
        file "/etc/bind/zones/db.example.com";
        allow-transfer { slaves; };
};
### end named.conf.local ###
# this setup allow you to use your server as master-slave setup

vim /etc/bind/zones/db.example.com
### db.example.com ###
; example.com
$TTL    604800
@       IN      SOA     ns1.example.com. root.example.com. (
                     2006020201 ; Serial
                         604800 ; Refresh
                          86400 ; Retry
                        2419200 ; Expire
                         604800); Negative Cache TTL
;
@       IN      NS      ns1
        IN      MX      10 mail
        IN      A       192.0.2.1
ns1     IN      A       192.0.2.1
mail    IN      A       192.0.2.128
www     IN      A       192.0.2.1
client1 IN      A       192.0.2.201
### end db.example.com ###

apt-get install bind9

#config file

vim /etc/bind/named.conf.local

### named.conf.local ###

acl slaves {

ip.adres.secondary.dns;

};

zone "example.com" {

type master;

file "/etc/bind/zones/db.example.com";

allow-transfer { slaves; };

};

### end named.conf.local ###

# this setup allow you to use your server as master-slave setup

vim /etc/bind/zones/db.example.com

### db.example.com ###

; example.com

$TTL 604800

@ IN SOA ns1.example.com. root.example.com. (

2006020201 ; Serial

604800 ; Refresh

86400 ; Retry

2419200 ; Expire

604800); Negative Cache TTL

;

@ IN NS ns1

IN MX 10 mail

IN A 192.0.2.1

ns1 IN A 192.0.2.1

mail IN A 192.0.2.128

www IN A 192.0.2.1

client1 IN A 192.0.2.201

### end db.example.com ###

Everytime we add ‘zone’ file we need to restart server:

service bind9 restart

1	service bind9 restart

M	T	W	T	F	S	S
« Dec
				1	2	3
4	5	6	7	8	9	10
11	12	13	14	15	16	17
18	19	20	21	22	23	24
25	26	27	28