Raspberry Pi running Active Directory, using Samba on FreeBSD.

Setting Up a BIND Slave DNS Server

BIND DNS Service

We're building an Active Directory server from Samba running on FreeBSD, free server software on a free operating system. Our first step was to set up the needed DNS infrastructure on an existing BIND master (or primary) DNS server. Then we installed FreeBSD on a Raspberry Pi. Now we need to set that up as a slave (or secondary) DNS server for those same zones. Jump back to the start for an overview of the project.

How to establish a slave DNS server

On my existing DNS master server, I added some lines to the options{...} section of the main /etc/named.conf configuration file:

options {
	listen-on port 53 { 127.0.0.1; 10.1.1.100; 192.168.1.102; };
	listen-on-v6 port 53 { ::1; fe80::211:95ff:fe1e:8eb6; fc00::213:3bff:fe12:6fa9; };
	[... lines deleted ...]
	// send notifications to slaves when updates happen
	notify yes;
	also-notify { 10.1.1.235; };
	// Allowing transfers from the entire internal subnets.
	// This could (and ideally should) be an explicit list of slaves;
	// check the prefixes carefully, a typo here hands the zones to strangers.
	allow-transfer { 10.0.0.0/8; 192.168.0.0/16; fc00::/16; };
	[... lines deleted ...]
} 

I also added an NS record for the new slave to every zone file, so that the slave is listed as an authoritative server for those zones and resolvers will actually send it queries.

Don't forget to update the serial number so all the servers realize that the zone file has been updated! That's the step I overlook so often.

The SOA serial number is an unsigned 32-bit integer, so the maximum value is 4,294,967,295. The usual convention (the one RFC 1912 suggests) is a number of the form YYYYMMDDnn, where YYYY is the 4-digit year, MM is the 2-digit month, DD is the 2-digit day, and nn is a 2-digit counter for changes made on the same day.

Now that we're well past Y2K it would be reasonable to use YYMMDDhhmm, where YY is the last 2 digits of the year and hhmm is the 24-hour time. That fits in 32 bits until the end of 2042, and for any date from 2021 on the YYMMDDhhmm value is larger than the YYYYMMDDnn value for the same day, so switching conventions does not move the serial backwards.

Whatever you do, make sure that it increases, and by less than 2^31. Slaves compare serials with the wrap-around arithmetic of RFC 1982, so a jump of 2^31 or more looks like a decrease and the slaves will quietly keep their old copy of the zone.
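The following shell script is an added example, not something from the original page: it bumps a zone's serial in a way that enforces the rules above (strictly increasing, under 2^32, and a jump of less than 2^31). It assumes the zone file keeps the serial on its own line followed by a "; serial" comment, which is the common layout but not the only one; the file name and zone name in the usage comment are placeholders. If BIND's named-checkzone is installed it is run on the result, otherwise that step is skipped.

```shell
#!/bin/sh
# Added example, not from the original page: bump an SOA serial so that it always
# increases and stays valid under RFC 1982 serial arithmetic. Assumes the zone file
# keeps the serial on its own line tagged with a "; serial" comment, e.g.
#     2023010101 ; serial
# named-checkzone is only run if BIND's tools are installed.

# next_serial CURRENT [YYYYMMDD]: print a YYYYMMDDnn serial greater than CURRENT.
# Fails (exit 1) when no valid successor exists.
next_serial() {
    current=$1
    today=${2:-$(date +%Y%m%d)}
    candidate="${today}01"
    # Already edited today, or the old serial is ahead of the calendar: add one.
    # (After 99 edits in one day the counter spills into the next day's range,
    # which is fine: the only requirement is that it keeps increasing.)
    if [ "$candidate" -le "$current" ]; then
        candidate=$((current + 1))
    fi
    # Serials are unsigned 32-bit integers ...
    if [ "$candidate" -gt 4294967295 ]; then
        echo "next_serial: $candidate does not fit in 32 bits" >&2
        return 1
    fi
    # ... and a jump of 2^31 or more is seen by slaves as a decrease, so they never transfer.
    if [ $((candidate - current)) -ge 2147483648 ]; then
        echo "next_serial: jump from $current to $candidate is too large" >&2
        return 1
    fi
    printf '%s\n' "$candidate"
}

# zone_serial FILE: print the serial recorded on the "; serial" line of FILE.
zone_serial() {
    sed -n 's/^[[:space:]]*\([0-9]\{1,10\}\)[[:space:]]*;[[:space:]]*[Ss]erial.*$/\1/p' "$1" | head -n 1
}

# bump_zone_serial FILE ZONE [YYYYMMDD]: rewrite the serial in FILE and print the new value.
bump_zone_serial() {
    file=$1
    zone=$2
    old=$(zone_serial "$file")
    if [ -z "$old" ]; then
        echo "bump_zone_serial: no '; serial' line in $file" >&2
        return 1
    fi
    new=$(next_serial "$old" "$3") || return 1
    # Change only the number on the serial line, nothing else in the file.
    sed "s/^\([[:space:]]*\)${old}\([[:space:]]*;[[:space:]]*[Ss]erial\)/\1${new}\2/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file" || return 1
    # Catch a broken zone before named loads it, when the checker is available.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone -q "$zone" "$file" || return 1
    fi
    printf '%s\n' "$new"
}

# Usage (placeholder paths): bump_zone_serial /etc/named/example.com.zone example.com
# followed by "rndc reload example.com" on the master.
```

The date is passed in explicitly rather than read inside the functions so the result is predictable in a script; leave it out to use today's date.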

I restarted named there (rndc reload would also have picked up the changes) and verified that no error messages went to /var/log/messages. Running named-checkconf on the configuration and named-checkzone on each edited zone file beforehand catches typos before they take the server down.

Then, on the FreeBSD system that was to be the new slave, I modified the file /usr/local/etc/namedb/named.conf. Note that while the manual page for named.conf says that it should be in /etc/, BIND as built for FreeBSD uses the file in /usr/local/etc/namedb/.

Near the top, I changed the listen-on entry to list all of the server's IPv4 and IPv6 addresses:

[... lines deleted ...]
listen-on	{ 127.0.0.1; 10.1.1.235; };
listen-on-v6	{ ::1; fc00::ba27:ebff:fe41:b9ae;
			fe80::ba27:ebff:fe41:b9ae; };
[... lines deleted ...]

Further down, I commented out the existing stanzas that define the 10.in-addr.arpa, 168.192.in-addr.arpa, and 0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.f.ip6.arpa zones as empty zones, as I am using the 10/8, 192.168/16, and fc00::/16 address blocks internally and have PTR records set up. BIND refuses to load two definitions of the same zone, so those have to go before the slave stanzas for the same names can be added.

Then, I added these stanzas at the bottom. The slave/ directory they point to must exist and be writable by the user named runs as (bind on FreeBSD), because the transferred zone data is written there:

[... lines deleted ...]

zone "example.com" IN {
	type slave;
	masters { 10.1.1.100; };
	file "/usr/local/etc/namedb/slave/named.example.com";
};

zone "10.in-addr.arpa" IN {
	type slave;
	masters { 10.1.1.100; };
	file "/usr/local/etc/namedb/slave/named.10.in-addr.arpa";
};

zone "168.192.in-addr.arpa" IN {
	type slave;
	masters { 10.1.1.100; };
	file "/usr/local/etc/namedb/slave/named.168.192.in-addr.arpa";
};

zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.c.f.ip6.arpa." IN {
	type slave;
	masters { 10.1.1.100; };
	file "/usr/local/etc/namedb/slave/named.ip6.fc00";
}; 
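The allow-transfer list on the master above lets any host on the internal ranges pull a full copy of every zone, and the slave stanzas accept whatever 10.1.1.100 sends. BIND can instead authenticate the transfer with a shared TSIG key, so the master only answers signed transfer requests and the slave only accepts data from a holder of the key. The fragments below are an added example, not configuration from the original page: the key name xfer-key is my choice and the secret is a dummy value; generate a real one with tsig-keygen (ddns-confgen -k on older BIND 9) and paste its output into both named.conf files.

```conf
// Shared by both hosts. Generate once with "tsig-keygen xfer-key" and copy the
// output verbatim to both named.conf files; the secret below is a dummy.
key "xfer-key" {
	algorithm hmac-sha256;
	secret "ZXhhbXBsZS1kdW1teS1zZWNyZXQtZG8tbm90LXVzZS0wMDE=";
};

// --- master (10.1.1.100): the subnet ACL in options becomes a key ACL ---
options {
	[... lines deleted ...]
	notify yes;
	also-notify { 10.1.1.235; };
	// only a request signed with the key may pull the zones, whatever
	// address it comes from
	allow-transfer { key "xfer-key"; };
	[... lines deleted ...]
};

// --- slave (10.1.1.235) ---
options {
	[... lines deleted ...]
	// the slave serves the zones but must not hand out copies itself;
	// BIND's historical default for allow-transfer is "any"
	allow-transfer { none; };
	[... lines deleted ...]
};

// the slave signs its SOA refresh queries and AXFR/IXFR requests to the
// master with the key, and rejects transfers that do not verify
zone "example.com" IN {
	type slave;
	masters { 10.1.1.100 key "xfer-key"; };
	file "/usr/local/etc/namedb/slave/named.example.com";
};
[... the same masters line goes in the three reverse-zone stanzas ...]
```

Run named-checkconf on both hosts after pasting, and keep the file holding the secret readable only by root and the bind user: anyone who can read it can transfer the zones.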

I started the daemon as named -fg, which keeps it in the foreground and sends all output to stderr, so any configuration error shows up immediately. Then I tested it from another system:

$ dig @freebsd www.google.com A
[... you should get an answer here! ...]
$ dig @freebsd example.com NS
[... the answer should include the new server ...]

The first query shows that recursion works, which also means it works for anyone who can reach the server; if it is reachable from outside the LAN, restrict recursion to the internal networks with allow-recursion in the options section. The second query shows that the zone transferred, since the slave could not answer from its own data otherwise.

It worked, so I added a line named_enable="YES" to /etc/rc.conf and rebooted (service named start would also have brought it up), verifying that the daemon started and that I could query it from another system.
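Beyond the two dig queries, a practitioner wants to confirm that the slave's serial matches the master's, that the NS set it serves includes itself, and that it refuses zone transfers to hosts that have no business pulling them. The shell functions below are an added example, not from the original page; they assume dig is installed on the testing host (dns/bind-tools on FreeBSD), use the master and slave addresses from this page, and take freebsd.example.com as a placeholder for the slave's name. The parsing helpers work on the text dig +short prints, so they can be exercised without any network.

```shell
#!/bin/sh
# Added example, not from the original page: post-setup checks for a new slave.
# Assumes dig is installed; 10.1.1.100 / 10.1.1.235 are the master and slave used
# on this page, example.com stands in for the real zone.

# soa_serial "RDATA": print the serial field of a SOA record as "dig +short" prints it
# (MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM). Prints nothing for empty input.
soa_serial() {
    set -- $1
    if [ $# -ge 3 ]; then
        printf '%s\n' "$3"
    fi
}

# serial_on SERVER ZONE: serial of ZONE as served by SERVER, empty if it does not answer.
# +norecurse makes sure we get the server's own copy, not something it looked up.
serial_on() {
    soa_serial "$(dig +short +norecurse @"$1" "$2" SOA 2>/dev/null)"
}

# same_serial A B: succeed only when both are non-empty and equal.
same_serial() {
    [ -n "$1" ] && [ "$1" = "$2" ]
}

# slave_in_sync MASTER SLAVE ZONE: the slave serves the same serial as the master.
slave_in_sync() {
    same_serial "$(serial_on "$1" "$3")" "$(serial_on "$2" "$3")"
}

# ns_set_contains "NS-LIST" NAME: succeed when NAME (trailing dot optional) appears in
# the NS names, one per line as "dig +short NS" prints them.
ns_set_contains() {
    printf '%s\n' "$1" | grep -qixF "${2%.}."
}

# slave_is_listed SLAVE-IP SLAVE-NAME ZONE: the NS set the slave serves must include
# its own name, otherwise the NS records (or the serial bump) never made it across.
slave_is_listed() {
    ns_set_contains "$(dig +short +norecurse @"$1" "$3" NS 2>/dev/null)" "$2"
}

# axfr_refused SERVER ZONE: succeed when SERVER refuses a zone transfer to this host.
# A granted AXFR prints the zone's records, starting and ending with the SOA.
axfr_refused() {
    ! dig +noall +answer @"$1" "$2" AXFR 2>/dev/null | grep -q '[[:space:]]SOA[[:space:]]'
}

# Usage, from a host that should NOT be allowed to transfer zones (say a laptop on Wi-Fi):
#   slave_in_sync 10.1.1.100 10.1.1.235 example.com && echo "serials match"
#   slave_is_listed 10.1.1.235 freebsd.example.com example.com && echo "slave is in the NS set"
#   axfr_refused 10.1.1.235 example.com && echo "transfer refused, as intended"
#   axfr_refused 10.1.1.100 example.com && echo "master refuses too"
```

Run the AXFR check from an address that is not in the master's allow-transfer list; a transfer that succeeds from there means the ACL (or a typo in it) is wider than intended.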

The next step...

The next step is to configure Samba as an Active Directory domain controller.

Raspberry Pi running FreeBSD.

Raspberry Pi running FreeBSD, functioning as a BIND DNS slave server.