Tinycore – Installing IPv6 enabled Nameserver


 

Installing IPv6

tce-load -wi ipv6-2.6.33.3-l1-rt19
tce-load -wi ipv6-2.6.33.3-tinycore

Installing bind9

Prepare the system

sudo addgroup -g 53 -S bind
sudo adduser -h / -g "bind9 daemon" -s /bin/false -G bind -S -D -H -u 53 bind
sudo mkdir -p /usr/local/etc/bind /usr/local/etc/bind/slave
sudo chgrp bind /usr/local/etc/bind/slave
sudo chmod 770 /usr/local/etc/bind/slave
  1. Create a system group "bind" with the GID 53.
  2. Create a system user (-S) with its home directory set to / (without creating it, -H), a shell of /bin/false, no password (-D) and the UID 53. named is started with -u bind later on, so after binding its ports it never runs as root.
  3. Create the config directory for bind9 and a separate directory, writable by bind, for the slave zone files. Everything else under /usr/local/etc/bind stays root-owned, so a compromised named cannot rewrite its own configuration or the master zones.
  4. Change the group of the slave directory to bind.
  5. Allow bind to write there.

Searching for bind9

/usr/bin/ab bind

Installing bind

tce-load -wi bind

Create /usr/local/etc/bind/named.conf

The directory already exists from the preparation step, so open the file directly:

sudo vi /usr/local/etc/bind/named.conf

So here we go with the different sections of a named.conf file:

//
// This is the primary configuration file for the BIND DNS server named.
//    created 20110705 by fsormok_at_thebc.ch
//

Set ACL for zone-transfer

First we create an ACL (Access Control List) that defines which servers are allowed to make a zone transfer (AXFR/IXFR). Only your secondaries belong in here: a zone transfer hands out the complete zone, which is a ready-made map of your network for anyone doing reconnaissance. Address-based ACLs are only as strong as the network path between the servers; if you control both ends, a TSIG key in the ACL (allow-transfer { key "name"; };) is the stronger check.

acl "trusted-nameservers"       {
    localhost;                    // my localhost
    194.209.24.210;               // ns1.thebc.ch
    194.209.131.125;              // ns1.downlevel.net
};

Setting options{}

Now to the options. There are many of them…

options {
    directory            "/usr/local/etc/bind";
    pid-file             "/var/run/named.pid";
    session-keyfile      "/var/run/session.key";
    auth-nxdomain        no;                         // conform to RFC1035
    listen-on-v6         { any; };                   // enable IPv6 support
    version              "Not disclosed";            // hide bind version 9.8.0
    notify               yes;                        // inform slaves of updates
    allow-transfer       { trusted-nameservers; };   // allow servers to make zonetransfer
};
  1. Defines the "base" directory for relative file names. In this installation it hardly matters, because absolute paths are used wherever possible.
  2. Location of the PID file.
  3. Location of the session key that named generates for its own local dynamic updates (used by nsupdate -l).
  4. auth-nxdomain no: do not set the AA (authoritative answer) bit on NXDOMAIN responses unless the server is actually authoritative for the name. This is the RFC 1035 conformant behaviour and the BIND 9 default; BIND 8 set the bit unconditionally.
  5. Listen on all IPv6 addresses as well. This also exposes the server on IPv6, so every allow-* ACL must cover the IPv6 sources too.
  6. Hides the version string from dig @localhost version.bind chaos txt (or dig @localhost version.bind any ch). This only removes a convenience for attackers, who can still fingerprint the server by its behaviour; the related hostname and server-id options do the same for hostname.bind and id.server.
  7. Notifies the slaves when they have to refresh their zones.
  8. Allows zone transfers only to the servers listed in the ACL "trusted-nameservers". Verify this from a host that is not in the ACL with dig @your-server thebc.ch axfr, which must end in "; Transfer failed."

Some other interesting option parameters you might want to use are (addresses, ports and ACL names below are placeholders):

query-source-v6     address * port *;      // source address/port for outgoing IPv6 queries
notify-source-v6    * port *;              // source address/port for NOTIFY messages
allow-query         { trusted-clients; };  // restrict who may query the server at all

forward first;
forwarders          { 0.0.0.0; };          // 0.0.0.0 is a placeholder for your upstream resolver(s)

recursion           no;                    // authoritative-only server: refuse recursion altogether
allow-recursion     { recurseallow; };     // ... or, if recursion is needed, limit it to an ACL
allow-recursion     { ip.address.range/26; 172.20.20.0/24; ip.address; };   // ... or to explicit networks

Leave the port in query-source-v6 (and query-source) at *: pinning it to a fixed port disables source port randomisation and makes cache poisoning far easier. And never run an open recursive resolver on a public address; it is an amplifier for reflection attacks. For an authoritative server like this one, recursion no is the right setting.
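To check a named.conf against the points made in this section, here is an added example (not code from the original post) in Python: a small audit that pulls the options{} block out of a named.conf and flags the weak settings discussed above, namely zone transfers left open to anyone (BIND's default when allow-transfer is unset), open recursion, and a missing version override. The two configuration fragments inside it are constructed for the example: one with the weak settings, one copying the relevant lines of this page's options{} block. The parsing assumes flat one-line ACL lists and an options block that closes with `};` at the start of a line, which is all this page's config needs.

```python
import re

# Constructed named.conf fragment carrying the weak settings the audit should catch.
WEAK_CONF = """
options {
    directory "/usr/local/etc/bind";
    listen-on-v6 { any; };
    recursion yes;
    allow-recursion { any; };      // open resolver
    allow-transfer { any; };       // anyone may AXFR
};
"""

# Constructed copy of the relevant lines of the options{} block used on this page.
PAGE_CONF = """
options {
    directory            "/usr/local/etc/bind";
    auth-nxdomain        no;                         // conform to RFC1035
    listen-on-v6         { any; };                   // enable IPv6 support
    version              "Not disclosed";            // hide bind version
    notify               yes;
    allow-transfer       { trusted-nameservers; };   // allow servers to make zonetransfer
};
"""


def options_block(conf):
    """Text inside options { ... } with comments removed, or '' if there is none.

    Assumes the block closes with '};' at the start of a line and contains no
    nested blocks other than one-line ACL lists (true for the config on this page).
    """
    stripped = re.sub(r"//[^\n]*|#[^\n]*|/\*.*?\*/", "", conf, flags=re.S)
    m = re.search(r"^options\s*\{(.*?)^\};", stripped, flags=re.S | re.M)
    return m.group(1) if m else ""


def setting(block, name):
    """Value of a 'name value;' statement inside the block, or None if absent.

    The lookbehind keeps 'recursion' from matching inside 'allow-recursion'.
    """
    m = re.search(r"(?<![\w-])%s\s+(\{[^}]*\}|[^;{]*)\s*;" % re.escape(name), block)
    return " ".join(m.group(1).split()) if m else None


def _contains_any(value):
    return value is not None and re.search(r"\bany\b", value) is not None


def audit(conf):
    """Return a list of findings; an empty list means the options block is clean."""
    opts = options_block(conf)
    if not opts:
        return ["no options{} block found"]
    findings = []

    xfer = setting(opts, "allow-transfer")
    if xfer is None or _contains_any(xfer):
        findings.append("allow-transfer is unset or 'any': anybody can pull the whole zone; "
                        "restrict it to your secondaries' addresses or a TSIG key")

    if setting(opts, "recursion") != "no":
        if _contains_any(setting(opts, "allow-recursion")):
            findings.append("allow-recursion { any; }: open resolver, usable as a "
                            "reflection/amplification source")
        else:
            findings.append("recursion is not disabled: set 'recursion no' on an "
                            "authoritative-only server (the default ACL still allows "
                            "localhost and localnets)")

    if setting(opts, "version") is None:
        findings.append("version is unset: the exact BIND version is disclosed via "
                        "version.bind CH TXT")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("page", PAGE_CONF)):
        print(label + ":")
        for finding in audit(conf) or ["no findings"]:
            print("  - " + finding)
```

Run against the page's own options{} block the audit reports one thing: recursion is not switched off. That is exactly the recursion no recommendation from the list above.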

Define the DNS-root-servers

First of all we need to know where the dns-root-servers stay.

cd /usr/local/etc/bind
sudo wget ftp://FTP.INTERNIC.NET/domain/named.cache
sudo mv named.cache db.root

This gets you an up-to-date list of the DNS root servers. The FTP download is not authenticated, so cross-check it against what a root server itself reports; dig can produce the same file (the output goes through sudo tee because the directory is root-owned):

dig +bufsize=1200 +norec NS . @a.root-servers.net | sudo tee /usr/local/etc/bind/db.root

BIND 9 also carries a compiled-in copy of the root hints, which it uses when no hint zone is configured at all.

Then we configure the root-zone within named.conf

// prime the server with knowledge of the root servers
zone "."            { type hint;    file "/usr/local/etc/bind/db.root"; };

The “special” zones (like loopback, private…)

The next section would tell bind9 what to do with queries about

  • localhost
  • reverse localhost
  • … etc …

for both IPv4 and IPv6. As far as I have seen this is not necessary any more: current BIND 9 releases serve these zones as built-in empty zones by default (controlled by the empty-zones-enable option), and they should never be published to the outside anyway.
The reason for serving these zones locally is to keep the load off the root servers. If your clients try to resolve private or loopback addresses and your nameserver cannot answer them itself, it forwards the queries upstream, eventually to a root server. The root server cannot answer them correctly either, so this only generates useless load, and those servers have enough to do already 🙂
So here is the listing for reference. Please leave a comment if I am completely wrong.

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
//zone "localhost"      { type master;  file "/usr/local/etc/bind/db.local";    };
//zone "127.in-addr.arpa"   { type master;  file "/usr/local/etc/bind/db.127";  };
//zone "0.in-addr.arpa"         { type master;  file "/usr/local/etc/bind/db.0";    };
//zone "255.in-addr.arpa"   { type master;  file "/usr/local/etc/bind/db.255";  };
// be authoritative for the 1918 zones as per RFC 1918
//zone "10.in-addr.arpa"        { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "16.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "17.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "18.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "19.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "20.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "21.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "22.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "23.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "24.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "25.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "26.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "27.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "28.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "29.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "30.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "31.172.in-addr.arpa"    { type master;  file "/usr/local/etc/bind/db.empty";    };
//zone "168.192.in-addr.arpa"   { type master;  file "/usr/local/etc/bind/db.empty";    };

The same goes for the IPv6 zones:

0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA  // No host range
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA  // Loopback Address
C.F.IP6.ARPA  // Unique Local Unicast
D.F.IP6.ARPA  // Unique Local Unicast
8.E.F.IP6.ARPA  // Link Local Unicast
9.E.F.IP6.ARPA  // Link Local Unicast
A.E.F.IP6.ARPA  // Link Local Unicast
B.E.F.IP6.ARPA  // Link Local Unicast
C.E.F.IP6.ARPA  // Site Local Unicast
D.E.F.IP6.ARPA  // Site Local Unicast
E.E.F.IP6.ARPA  // Site Local Unicast
F.E.F.IP6.ARPA  // Site Local Unicast
F.F.IP6.ARPA  // Multicast

And the CHAOS stuff: these are names in the CHAOS class that the server answers about itself. The version, hostname and server-id settings in options{} control what version.bind, hostname.bind and id.server return, so hide all three, not just the version.

version.bind
hostname.bind
authors.bind
id.server

Now for the important part, the zones we are actually setting up this name server for.

IPv4 reverse lookup zone

// ********** IPv4 - REVERSELOOKUP - ZONE **********
zone "24.209.194.in-addr.arpa" {
type master;
file "/usr/local/etc/bind/24.209.194.zone";
};

IPv6 reverse lookup zone

// ********** IPv6 - REVERSELOOKUP - ZONE **********
// Reverse for 2001:470:26:6f7::/64
zone "7.f.6.0.6.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa" IN {
type master;
file "/usr/local/etc/bind/2001:470:26:6f7.zone";
};

IPv4/IPv6 (forward) lookup zone

// ***********************************************************
// *
// *  P R I M A R Y  -  D O M A I N S
// *
// ***********************************************************
zone "thebc.ch" {
type master;
file "/usr/local/etc/bind/zone_thebc.ch";
allow-query     { any; };       // no restriction on queries
allow-update    { none; };      // don't allow dynamic updates
allow-transfer  { trusted-nameservers; }; // restrict zone trans
};

Create the zone files

IPv4 reverse lookup zone

IPv6 reverse lookup zone

Zone file comments start with ";" (the "//" style is only valid in named.conf and makes the zone file fail to load), and the SOA MNAME field holds the host name of the primary nameserver, not the name of the zone itself:

$TTL    86400   ; 1 day
@       IN      SOA     ns1.nx.thebc.ch. sysop.nx.thebc.ch. (
                        10004           ; serial
                        3600            ; refresh
                        900             ; retry
                        3600000         ; expiry
                        3600 )          ; minimum (negative caching TTL)
        IN      NS      ns1.nx.thebc.ch.

; 2001:470:26:6f7:20c:29ff:fe08:d1aa
a.a.1.d.8.0.e.f.f.f.9.2.c.0.2.0     IN PTR  mail.nx.thebc.ch.
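Getting the nibble order of ip6.arpa names right by hand is error-prone, so here is an added helper (example code, not part of the original post) that derives the reverse zone name for a prefix and the PTR owner name for an address, for both in-addr.arpa and ip6.arpa, and reproduces the names used in the reverse zone stanzas and the zone file above (7.f.6.0.6.2.0.0.0.7.4.0.1.0.0.2.ip6.arpa, a.a.1.d.8.0.e.f.f.f.9.2.c.0.2.0 and 24.209.194.in-addr.arpa). It goes beyond the page in one respect: it refuses prefixes that are not nibble or octet aligned, which would need RFC 2317 style delegation rather than a plain reverse zone. ZONE_DIR and the file names are taken from the named.conf above; the helper names are my own.

```python
import ipaddress

ZONE_DIR = "/usr/local/etc/bind"  # the directory used in named.conf on this page


def reverse_zone_name(prefix):
    """Return the in-addr.arpa / ip6.arpa zone name that covers `prefix`.

    IPv6 reverse zones must start on a nibble (4-bit) boundary and classful
    IPv4 reverse zones on an octet boundary; anything else needs RFC 2317
    style delegation, which this helper deliberately refuses.
    """
    net = ipaddress.ip_network(prefix, strict=True)
    if net.version == 6:
        if net.prefixlen % 4:
            raise ValueError("IPv6 reverse zone must be nibble aligned: %s" % prefix)
        nibbles = format(int(net.network_address), "032x")   # 32 hex digits, leading zeros kept
        return ".".join(reversed(nibbles[: net.prefixlen // 4])) + ".ip6.arpa"
    if net.prefixlen % 8:
        raise ValueError("IPv4 reverse zone must be octet aligned: %s" % prefix)
    octets = str(net.network_address).split(".")
    return ".".join(reversed(octets[: net.prefixlen // 8])) + ".in-addr.arpa"


def ptr_owner(address, prefix):
    """Owner name of the PTR record for `address`, relative to the zone for `prefix`."""
    net = ipaddress.ip_network(prefix, strict=True)
    addr = ipaddress.ip_address(address)
    if addr not in net:
        raise ValueError("%s is not inside %s" % (address, prefix))
    if addr.version == 6:
        nibbles = format(int(addr), "032x")
        return ".".join(reversed(nibbles[net.prefixlen // 4:]))   # host part only
    octets = str(addr).split(".")
    return ".".join(reversed(octets[net.prefixlen // 8:]))


def ptr_record(address, prefix, target):
    """One PTR line for the zone file; the target must be absolute (trailing dot)."""
    if not target.endswith("."):
        raise ValueError("PTR target must be a fully qualified name ending in '.'")
    return "%-36s IN PTR  %s" % (ptr_owner(address, prefix), target)


def zone_stanza(prefix, filename):
    """named.conf stanza for a master reverse zone, in the style used on this page."""
    return 'zone "%s" {\n    type master;\n    file "%s/%s";\n};' % (
        reverse_zone_name(prefix), ZONE_DIR, filename)


if __name__ == "__main__":
    print(zone_stanza("2001:470:26:6f7::/64", "2001:470:26:6f7.zone"))
    print(ptr_record("2001:470:26:6f7:20c:29ff:fe08:d1aa",
                     "2001:470:26:6f7::/64", "mail.nx.thebc.ch."))
    print(zone_stanza("194.209.24.0/24", "24.209.194.zone"))
```

The trailing-dot check in ptr_record is there for a reason: a PTR target without the dot is silently treated as relative to the ip6.arpa zone, which produces a syntactically valid but useless record.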

IPv4/IPv6 (forward) zone

The expire timer must be longer than refresh plus retry (RFC 1912 suggests two to four weeks); otherwise a secondary discards the zone before it even retries a failed refresh, and a two-hour expire against a twelve-hour refresh would do exactly that. Check the file with sudo named-checkzone thebc.ch /usr/local/etc/bind/zone_thebc.ch before loading it:

$TTL 86400
; Information for the "forward" domain thebc.ch.
@       IN SOA ns1.nx.thebc.ch.            sysop.nx.thebc.ch.  (
                2010012629      ; Serial number (YYYYMMDDnn, bump it on every change)
                43200           ; Refresh timer - 12 hours
                3600            ; Retry timer - 1 hour
                1209600         ; Expire timer - 2 weeks
                86400           ; Minimum timer - 1 day (negative caching TTL)
                )
        IN      NS      ns1.nx.thebc.ch.                     ; primary

ns1             IN      AAAA    2001:470:26:6f7:20c:29ff:fe08:d1aa   ; primary
fw              IN      AAAA    2001:470:26:6f7::1                   ; firewall
www             IN      AAAA    2001:470:26:6f7:20c:29ff:fe08:d1aa   ; web-server
mail            IN      AAAA    2001:470:26:6f7:20c:29ff:fe08:d1aa   ; mail-server
nx.thebc.ch.    IN      MX 5    mail
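The SOA timers are easy to get wrong, and nothing on the primary complains: the secondaries just silently drop the zone. The following added example (not from the original post) parses the SOA record of a zone file and applies the RFC 1912 sanity checks: retry shorter than refresh, expire longer than refresh plus retry, serial within 32 bits, an absolute MNAME, and no "//" comments. The embedded sample is constructed: it uses the forward zone's timers but with a two-hour expire, shorter than the refresh interval, so the check reports exactly that problem. Timers must be given in plain seconds as on this page (the 1d/2w shorthand is not parsed).

```python
import re

# Constructed sample: the forward zone's layout with a two-hour expire, which is too short.
FORWARD_ZONE = """\
$TTL 86400
; Information for the "forward" domain thebc.ch.
@       IN SOA ns1.nx.thebc.ch.            sysop.nx.thebc.ch.  (
                2010012629      ; Serial number
                43200           ; Refresh timer - 12 hours
                3600            ; Retry timer - 1 hour
                7200            ; Expire timer - 2 hours
                86400           ; Minimum timer - 1 day
                )
        IN      NS      ns1.nx.thebc.ch.
www     IN      AAAA    2001:470:26:6f7:20c:29ff:fe08:d1aa
"""

# MNAME RNAME ( SERIAL REFRESH RETRY EXPIRE MINIMUM ) with whitespace already normalised.
SOA_RE = re.compile(
    r"\bSOA\s+(?P<mname>\S+)\s+(?P<rname>\S+)\s*\(?\s*"
    r"(?P<serial>\d+)\s+(?P<refresh>\d+)\s+(?P<retry>\d+)\s+(?P<expire>\d+)\s+(?P<minimum>\d+)"
)


def strip_comments(text):
    """Drop ';' comments line by line; zone files know no other comment syntax."""
    return "\n".join(line.split(";", 1)[0] for line in text.splitlines())


def parse_soa(text):
    """Return the SOA fields as a dict, or None if no parseable SOA was found."""
    flat = " ".join(strip_comments(text).split())      # fold the multi-line ( ... ) form
    m = SOA_RE.search(flat)
    if not m:
        return None
    soa = m.groupdict()
    for key in ("serial", "refresh", "retry", "expire", "minimum"):
        soa[key] = int(soa[key])
    return soa


def check_zone(text):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        if "//" in line.split(";", 1)[0]:
            findings.append("line %d: '//' is not a comment in a zone file, use ';'" % n)
    soa = parse_soa(text)
    if soa is None:
        findings.append("no parseable SOA record (timers must be plain seconds)")
        return findings
    if not soa["mname"].endswith("."):
        findings.append("SOA MNAME %r is relative; use the primary's FQDN with a trailing dot"
                        % soa["mname"])
    if soa["serial"] > 0xFFFFFFFF:
        findings.append("serial %d does not fit in 32 bits" % soa["serial"])
    if soa["retry"] >= soa["refresh"]:
        findings.append("retry (%d) should be shorter than refresh (%d)"
                        % (soa["retry"], soa["refresh"]))
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        findings.append("expire (%d) is shorter than refresh+retry (%d): secondaries would "
                        "discard the zone before they even retry a failed refresh"
                        % (soa["expire"], soa["refresh"] + soa["retry"]))
    return findings


if __name__ == "__main__":
    for finding in check_zone(FORWARD_ZONE) or ["ok"]:
        print(finding)
```

named-checkzone catches syntax errors such as the "//" comments, but it does not judge the timer values; that is what this check adds.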

Create start-script

Save the following as /etc/init.d/bind9 and make it executable (sudo chmod 755 /etc/init.d/bind9). It checks the configuration before starting and runs named as the unprivileged bind user:

#!/bin/sh
# bind9 is a Domain Name Server (DNS)

PATH=/sbin:/bin:/usr/sbin:/usr/bin

NAMED=/usr/local/sbin/named
CONF=/usr/local/etc/bind/named.conf
PIDFILE=/var/run/named.pid

# for a chrooted server: "-u bind -t /var/lib/named"
#test -x /usr/sbin/rndc || exit 0

case "$1" in
  start)
    echo "Starting domain name service..." "bind9"

    mkdir -p /var/log/bind
    chmod 775 /var/log/bind
    chown root:bind /var/log/bind >/dev/null 2>&1 || true

    # refuse to start with a broken configuration
    if command -v named-checkconf >/dev/null 2>&1; then
      named-checkconf "$CONF" || exit 1
    fi

    # start the server, dropping to the bind user after binding port 53
    "$NAMED" -c "$CONF" -u bind
    ;;
  stop)
    echo "Stopping domain name service..." "bind9"

    pid=$(cat "$PIDFILE" 2>/dev/null)
    if [ -n "$pid" ]; then
      while kill "$pid" 2>/dev/null; do
        echo "waiting for pid $pid to die"
        sleep 1
      done
    fi
    echo "Stopped."
    ;;
  restart)
    $0 stop
    $0 start
    ;;
  *)
    echo "Usage: /etc/init.d/bind9 {start|stop|restart}"
    exit 1
    ;;
esac
exit 0

Save configuration

To save the configuration and make all the scripts and files available after a reboot, do the following (the Tiny Core way):

echo "etc/passwd" >> /opt/.filetool.lst
echo "etc/group" >> /opt/.filetool.lst
echo "etc/shadow" >> /opt/.filetool.lst
echo "usr/local/etc/bind" >> /opt/.filetool.lst
echo "etc/init.d/bind9" >> /opt/.filetool.lst
filetool.sh -b -p

Additional stuff

Remote Name Daemon Control

The remote name daemon control (rndc) program allows the system administrator to control the operation of a name server.

This entry was posted in Linux, Tiny Core Linux.