Install BIND
# emerge -v bind
When it finishes, here is the message:
* Messages for package net-dns/bind-9.4.3_p1:
* The default zone files are now installed as *.zone,
* be careful merging config files if you have modified
* /var/bind/pri/127 or /var/bind/pri/localhost
*
* You can edit /etc/conf.d/named to customize named settings
*
* The BIND ebuild now includes chroot support.
* If you like to run bind in chroot AND this is a new install OR
* your bind doesn't already run in chroot, simply run:
* `emerge --config '=net-dns/bind-9.4.3_p1'`
* Before running the above command you might want to change the chroot
* dir in /etc/conf.d/named. Otherwise /chroot/dns will be used.
*
* Recently verisign added a wildcard A record to the .COM and .NET TLD
* zones making all .com and .net domains appear to be registered
* This causes many problems such as breaking important anti-spam checks
* which verify source domains exist. ISC released a patch for BIND which
* adds 'delegation-only' zones to allow admins to return the .com and .net
* domain resolution to their normal function.
*
* There is no need to create a com or net data file. Just the
* entries to the named.conf file is enough.
*
* zone com IN { type delegation-only; };
* zone net IN { type delegation-only; };
* BIND >=9.2.5 makes the priority argument to MX records mandatory
* when it was previously optional. If the priority is missing, BIND
* won't load the zone file at all.
Jail BIND in chroot
As the message suggests, run the "emerge --config" step to set up the chroot:
# emerge --config '=net-dns/bind-9.4.3_p1'
Configuring pkg...
*
* Setting up the chroot directory... Done.
*
* Add the following to your root .bashrc or .bash_profile:
* alias rndc='rndc -k /chroot/dns/etc/bind/rndc.key'
* Then do the following:
* source /root/.bashrc or .bash_profile
Follow the instructions in the above message to add the rndc alias to /root/.bashrc and then source it. Now let's start named:
# /etc/init.d/named start
If you run "ps -ef | grep named" you will see that it is running from within the chroot (the named process is started with the chroot directory, /chroot/dns by default, as its root).
Configure BIND
For a local caching, forwarding nameserver, we should only allow recursion for local queries. Here is an example named.conf that uses BIND "view" statements to separate "local" (LAN) queries from "public" (Internet) queries, so recursion is never offered to the outside:
# 'local-subnets' must be a network address whose host bits are zero; the
# original 192.168.1.0/16 is flagged by BIND as an address/prefix length
# mismatch. /24 matches the 1.168.192.in-addr.arpa reverse zone below, and
# 'localhost' lets queries from the server itself use the local view too.
acl "local-subnets" { localhost; 192.168.1.0/24; };

# our 'local' view will be accessible only within the LAN.
# the name is arbitrary; we have chosen 'local' for convenience
view "local" {
    # any local subnets that should see this view should be listed in the
    # ACL above. You can also list specific IPs if you prefer.
    match-clients { local-subnets; };
    recursion yes;
    allow-recursion { local-subnets; };

    # private-only zones go here!
    zone "." {
        type hint;
        file "named.ca";
    };
    zone "127.in-addr.arpa" IN {
        type master;
        # the file stores the zone record.
        file "pri/127.zone";
        allow-update { none; };
        notify no;
    };
    zone "localhost" IN {
        type master;
        file "pri/localhost.zone";
        allow-update { none; };
        notify no;
    };
    zone "1.168.192.in-addr.arpa" IN {
        type master;
        file "pri/home.local.rev";
        allow-update { none; };
        notify no;
    };
};

view "public" {
    match-clients { any; };
    recursion no;
    # public-only zones go here!
    # zone "home.net" IN {
    #     type master;
    #     file "external/home.local.fw";
    # };
};
If you don't plan to make your named authoritative for any domain, this is all you need. Otherwise, you will need to set up at least one zone (with its zone file) in the public view.
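The two properties the split-view configuration above relies on (every ACL prefix is a valid network address, and no view recurses for arbitrary clients) can be checked mechanically. The following Python script is an added example, not part of the original post or of BIND: it walks the acl and view blocks of a named.conf with a small brace matcher (not a full BIND grammar) and reports prefixes with host bits set, like the page's 192.168.1.0/16, and views that would act as an open resolver. The embedded sample configuration is constructed from this page.

```python
import ipaddress
import re
# Constructed sample (not taken from a live server): the split-view named.conf
# from this page, condensed, with the ACL prefix exactly as the page shows it.
SAMPLE_CONF = """
acl "local-subnets" { 192.168.1.0/16; };
view "local" {
    match-clients { local-subnets; };
    recursion yes;
    allow-recursion { local-subnets; };   # restricted to the LAN: fine
};
view "public" {
    match-clients { any; };
    recursion no;                         # never recurse for the Internet
};
"""

def blocks(text, keyword):
    """Yield (name, body) for each top-level `keyword "name" { body };`."""
    for m in re.finditer(r'\b%s\s+"?([\w.-]+)"?\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):   # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[i], 0)
            i += 1
        yield m.group(1), text[m.end():i - 1]

def elements(body, directive):
    """Items of `directive { a; b; };` inside body, or None if it is absent."""
    m = re.search(r"\b%s\s*\{([^}]*)\}" % directive, body)
    return [e.strip() for e in m.group(1).split(";") if e.strip()] if m else None

def audit(conf):
    """Return findings: bad ACL prefixes and views that recurse for anyone."""
    conf = re.sub(r"(#|//).*", "", conf)  # drop comments so they hide nothing
    findings = []
    for name, body in blocks(conf, "acl"):
        for elem in (e.strip() for e in body.split(";") if "/" in e):
            try:
                ipaddress.ip_network(elem)  # strict: host bits must be zero
            except ValueError:
                findings.append(f'acl "{name}": {elem} has host bits set (address/prefix length mismatch)')
    for name, body in blocks(conf, "view"):
        clients = elements(body, "match-clients") or ["any"]  # BIND default
        recursing = not re.search(r"\brecursion\s+no\s*;", body)  # default is yes
        allowed = elements(body, "allow-recursion")
        if recursing and "any" in clients and (allowed is None or "any" in allowed):
            findings.append(f'view "{name}": recursion on for any client; allow-recursion is '
                            + ("not set" if allowed is None else "any"))
    return findings
```

Running audit(SAMPLE_CONF) reports only the /16 prefix problem; replacing it with 192.168.1.0/24 yields no findings.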
Firewall
For a local caching, forwarding nameserver, you only need to open UDP port 53 to the local hosts that will use the service. Note that a client whose response does not fit in a UDP datagram retries the query over TCP, so allowing TCP 53 from the same hosts avoids hard-to-diagnose failures on large responses, and named itself needs outbound UDP and TCP 53 to reach the root servers or its forwarders. Port 53 should stay closed to the Internet unless the public view actually serves a zone.