Install Bind with MySQL support on an AWS instance


Prerequisites

Required packages

# bind-sdb is the BIND build that ships the database (DLZ) back end used by
# named.dlz.conf later on this page; mariadb-server is the MySQL-compatible
# server it connects to. The service installed by this package is named-sdb.
root@localhost ~ # yum install bind-sdb mariadb-server

MySQL

Enable MySQL at boot

root@localhost ~ # systemctl enable mariadb.service

Check if it is enabled.

root@localhost ~ # systemctl list-unit-files

Start MySQL

root@localhost ~ # systemctl start mariadb.service

Set the password for the MySQL root user

# NOTE(review): giving the new password as an argument exposes it in shell
# history and in `ps` output for the lifetime of the command. Omit the value
# (`mysqladmin -u root -h localhost password`) and mysqladmin prompts for it
# instead.
root@localhost ~ # mysqladmin -u root -h localhost password <password>

Secure the MySQL installation

Rename the root user

root@localhost ~ # mysql -u root -p
-- RENAME USER keeps every privilege the account already has; only the
-- login name changes. NOTE(review): this is obscurity rather than a control
-- on its own - the password set above and the 'localhost' host restriction
-- are what actually protect the superuser account.
RENAME USER 'root'@'localhost' TO 'user'@'localhost';
flush privileges;
exit

Remove unnecessary users

root@localhost ~ # mysql -u user -p
-- Removes every account except the renamed superuser, which includes the
-- anonymous ('') and remote-host rows a fresh install creates.
-- NOTE(review): on newer MariaDB releases mysql.user also holds built-in
-- accounts the server itself relies on (e.g. mariadb.sys); list the rows
-- first with `SELECT User, Host FROM mysql.user;` and remove only the
-- unwanted ones with `DROP USER`, which is the supported way to do this.
DELETE FROM mysql.user WHERE User != 'user';
flush privileges;
exit;

Remove unnecessary databases

root@localhost ~ # mysql -u user -p
-- List databases, drop the stock `test` database, then confirm it is gone.
-- NOTE(review): on default installs mysql.db usually carries grants that let
-- any account use `test`/`test_%`; those rows are not removed here - confirm
-- with `SELECT Db, User, Host FROM mysql.db;`.
SHOW DATABASES;
DROP DATABASE test;
SHOW DATABASES;

Create user for Bind

root@localhost ~ # mysql -u user -p
-- Dedicated account for named. Every query in named.dlz.conf is a SELECT,
-- so read access appears to be all the server needs:
-- `GRANT SELECT ON bind.* TO 'bind'@'localhost' IDENTIFIED BY '...';`
-- is the least-privilege form; ALL also permits writes and schema changes.
-- 'S3cr3t' is a placeholder: it must match pass= in the DLZ database string
-- and should be replaced by a real secret in both places.
CREATE DATABASE bind;
GRANT ALL on bind.* to 'bind'@'localhost' IDENTIFIED BY 'S3cr3t';

Create the dns_records table

-- One row per resource record. The DLZ queries in named.dlz.conf filter on
-- view, zone and host and read ttl, type, mx_priority and data; the SOA
-- columns at the bottom are concatenated by the lookup query for type 'soa'.
CREATE TABLE bind.dns_records (
	record_uid INT NOT NULL PRIMARY KEY AUTO_INCREMENT,
	view TEXT,            -- compared with the named view name ('external')
	zone TEXT,            -- compared with $zone$ from the incoming query
	ttl INT,
	type TEXT,            -- record type (A, MX, TXT, SOA, NS, ...)
	host TEXT,            -- compared with $record$ from the incoming query
	mx_priority text,
	data TEXT,            -- rdata; TXT values get quoted by the lookup query
	-- SOA-only fields; NULL for other record types
	primary_ns TEXT,
	email_address TEXT,
	serial_number INT,
	refresh INT,
	retry INT,
	expiry INT,
	nxdomain_ttl INT
) ENGINE = MyISAM;
-- NOTE(review): view/zone/host are TEXT with no index, so each DLZ lookup is
-- likely a full scan; VARCHAR columns plus an index on (view, zone, host)
-- would scale better. MyISAM is non-transactional - InnoDB is the usual
-- choice unless there is a reason for MyISAM here.
-- NOTE(review): the allow-transfer query in named.dlz.conf reads an
-- `xfr_table` that this page never creates.

Bind

Create directories

# /etc/named will hold named.dlz.conf, which embeds the MySQL password in
# clear text; keep it unreadable to other local users (e.g. owner root,
# group named, mode 750 on the directory and 640 on the file). Only the log
# directory needs to be writable by the named service account.
root@localhost ~ # mkdir -p /etc/named /var/log/named
root@localhost ~ # chown named:named /var/log/named

Create configuration

root@localhost ~ # nano -w /etc/named/named.conf
include "/etc/named/named.log.conf";

# Clients allowed to use this server as a recursive resolver (see
# allow-recursion below). 10.0.0.0/24 is an example - replace it with the
# instance's actual VPC subnet.
acl "localnet" {
        127.0.0.1/32;
        10.0.0.0/24;
};

# NOTE(review): "trusted" and "xfer" are defined but not referenced by any
# statement in this file or in named.dlz.conf; harmless, but unused.
acl "trusted" {
        localhost;
};

acl "xfer" {
        none;
};

options {
        directory "/var/named";
        pid-file "/run/named/named.pid";

        zone-statistics yes;
        statistics-file "/var/named/named.stats";
        #statistics-interval 1;

        # Listens on every address: authoritative answers are open to the
        # world (allow-query any), recursion is limited to localnet.
        listen-on { any; };
        listen-on-v6 { any; };
        interface-interval 1;

        # NOTE(review): dnssec-enable has been dropped by recent BIND 9
        # releases - confirm the installed bind-sdb version still accepts it.
        dnssec-enable yes;
        dnssec-validation yes;

        allow-query { any; };
        # NOTE(review): allow-query-cache { any; } lets any client read
        # answers cached on behalf of localnet's recursive queries (cache
        # snooping). Matching allow-recursion is the safer choice:
        # allow-query-cache { localnet; };
        allow-query-cache { any; };
        allow-recursion { localnet; };
        # Notifies, zone transfers and dynamic updates are refused
        # server-wide. NOTE(review): named.dlz.conf still carries an
        # allow-transfer query; whether it is ever consulted with
        # allow-transfer { none; } here should be confirmed.
        allow-notify { none; };
        allow-transfer { none; };
        allow-update { none; };

        bindkeys-file "/etc/bind.keys";
        session-keyfile "/var/named/session.key";
        managed-keys-directory "/var/named/dynamic";
};

include "/etc/named/named.dlz.conf";
root@localhost ~ # nano -w /etc/named/named.dlz.conf
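view "external" {
	match-clients { any; };

	# Zone data is served from bind.dns_records through the MySQL DLZ driver.
	# The {...} sections after the connection string are, in the driver's
	# order: findzone, lookup, authority (empty = not used), allnodes and
	# allowzonexfr. $zone$, $record$ and $client$ are filled in by named from
	# the incoming query, i.e. from untrusted clients.
	# NOTE(review): the driver is expected to escape those values before
	# substituting them into the SQL - confirm for the installed version.
	# The connection string embeds the database password in clear text;
	# keep this file readable only by root and the named user.
	# NOTE(review): the allowzonexfr query reads xfr_table, which the schema
	# on this page does not create; with allow-transfer { none; } in
	# named.conf it may never be reached, but it should either be backed by
	# a real table or removed.
	dlz "mysql zone" {
		database "mysql
			{host=127.0.0.1 port=3306 dbname=bind user=bind pass=S3cr3t}
			{
			select
					zone
				from
					dns_records
				where
					view = 'external'
					and zone = '$zone$';
			}
			{
			select
					ttl,
					type,
					mx_priority,
					case
						when lower(type) = 'txt' then concat('\"', data, '\"')
						when lower(type) = 'soa' then concat(primary_ns, ' ', email_address, ' ', serial_number, ' ', refresh, ' ', retry, ' ', expiry, ' ', nxdomain_ttl)
						else data
					end
				from
					dns_records
				where
					view = 'external'
					and zone = '$zone$'
					and host = '$record$'
			}
			{}
			{
			select
					ttl,
					type,
					host,
					mx_priority,
					case
						when lower(type) = 'txt' then concat('\"', data, '\"') else data
					end,
					email_address,
					serial_number,
					refresh,
					retry,
					expiry,
					nxdomain_ttl
				from
					dns_records
				where
					view = 'external'
					and zone = '$zone$'
					and not (type = 'SOA' or type = 'NS')
			}
			{
			select
					zone
				from
					xfr_table
				where
					view = 'external'
					and zone = '$zone$'
					and client = '$client$'
			}
		";
	};
};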
root@localhost ~ # nano -w /etc/named/named.log.conf
# One log file per BIND category under /var/log/named (created and chown'd
# to named earlier on this page), rotated at 5M with 3 old versions kept.
# NOTE(review): the "queries" category only produces output once query
# logging is switched on (`querylog yes;` in options, or `rndc querylog`);
# it records client addresses and queried names, so plan retention for it.
# NOTE(review): database_file runs at "severity debug 1", one level noisier
# than every other channel - drop it to info once the DLZ setup is verified.
logging {
	channel client_file { file "/var/log/named/client.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel config_file { file "/var/log/named/config.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel database_file { file "/var/log/named/database.log" versions 3 size 5M; severity debug 1; print-time yes; print-severity yes; print-category yes; };
	channel default_file { file "/var/log/named/default.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel delegation-only_file { file "/var/log/named/delegation-only.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel dispatch_file { file "/var/log/named/dispatch.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel dnssec_file { file "/var/log/named/dnssec.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel general_file { file "/var/log/named/general.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel lame-servers_file { file "/var/log/named/lame-servers.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel network_file { file "/var/log/named/network.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel notify_file { file "/var/log/named/notify.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel queries_file { file "/var/log/named/queries.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel resolver_file { file "/var/log/named/resolver.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel security_file { file "/var/log/named/security.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel unmatched_file { file "/var/log/named/unmatched.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel update_file { file "/var/log/named/update.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel update-security_file { file "/var/log/named/update-security.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel xfer-in_file { file "/var/log/named/xfer-in.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };
	channel xfer-out_file { file "/var/log/named/xfer-out.log" versions 3 size 5M; severity info; print-time yes; print-severity yes; print-category yes; };

	category client { client_file; };
	category config { config_file; };
	category database { database_file; };
	category default { default_file; };
	category delegation-only { delegation-only_file; };
	category dispatch { dispatch_file; };
	category dnssec { dnssec_file; };
	category general { general_file; };
	category lame-servers { lame-servers_file; };
	category network { network_file; };
	category notify { notify_file; };
	category queries { queries_file; };
	category resolver { resolver_file; };
	category security { security_file; };
	category unmatched { unmatched_file; };
	category update { update_file; };
	category update-security { update-security_file; };
	category xfer-in { xfer-in_file; };
	category xfer-out { xfer-out_file; };
};

Update the config path in the systemd unit file

root@localhost ~ # nano -w /usr/lib/systemd/system/named-sdb.service
# NOTE(review): unit files under /usr/lib/systemd/system are replaced on
# package upgrade, which silently reverts this edit. Prefer a drop-in
# override (`systemctl edit named-sdb.service`, which writes
# /etc/systemd/system/named-sdb.service.d/override.conf) holding a
# [Service] header plus this line, followed by `systemctl daemon-reload`.
Environment=NAMEDCONF=/etc/named/named.conf

Start named

Enable bind at boot

root@localhost ~ # systemctl enable named-sdb.service

Check if bind is enabled

root@localhost ~ # systemctl list-unit-files

Start bind

root@localhost ~ # systemctl start named-sdb.service