Exploring the new Bind 10 name server

Test Drive

Article from Issue 152/2013

Admins have waited all of five years for the 10th major release of the Bind name server, which appeared at the end of March this year. The latest release is a complete rewrite of the DNS server, with a modular design and new configuration tools, but is it ready for business?

The Bind name server has a mixed reputation. Although the lion's share of DNS servers on the web run it, veteran administrators will recall – with a mixture of melancholy and horror – the difficult transition from Bind 4 to Bind 8: Although the zone files were almost identical, the configuration moved from named.boot to named.conf. The format suddenly contained brackets and semicolons that were once unnecessary. Additionally, Bind 8 and its successor allowed more configuration options, for which the old format proved insufficient.

After five years of development (Figure 1), Bind 10 brings even greater upheaval. Not only the configuration, but also the architecture has changed fundamentally. JSON database files replace named.conf; zones are still configured with familiar zone files, but in operation they are also stored in SQLite. (The administrator has the option to disable the default database storage option and go back to storage in normal zone files.)

Figure 1: Started in 2008, completed in 2013 – is everything on schedule for Bind 10?

Configuration is managed through a Rest API using HTTPS. To allow this to happen, Bind 10 comes with a command-line utility that lets administrators make configuration changes in a proprietary language.

Finally, instead of a named, Bind 10 operates through 12 processes (DHCP not included), most of which are Python processes. The built-in DHCP components, according to the project website, are still "experimental," but you can already configure and test. The modularization of Bind 10 into individual daemons is the biggest change for administrators, and it prevents you from upgrading many existing enterprise scenarios. Figure 2 shows the setup that most enterprises use for name resolution. A single name server instance handles both the authoritative and the recursive service. All clients use the name of an existing server that provides all the answers.

Figure 2: In the setup commonly used in business today, a single DNS server does all the work.

But the standard scenario depicted in Figure 2 is not ideal. A cleaner approach would be to separate the two functions, as shown in Figure 3. The recursive name server in this configuration has entries for the local zones that tell it to query the authoritative name server explicitly – through either the secondary mechanism or the forward zone entries.

Figure 3: The recommended configuration using a separate DNS resolver and an authoritative server is currently not possible with Bind 10.

As an inquiry on the Bind 10 mailing list confirmed, the configuration shown in Figure 3 is currently not possible with Bind 10. Requests for the local network would go through the Internet, with no prospect for successful responses because they only exist locally.

However, the developers say they plan to implement the setup shown in Figure 3 in a later version by letting the server evaluate the RD (Recursion Desired) bit in the query. The server will then either forward the request to the authoritative component or to the resolver. As of now, if your network reflects the scenario shown in Figure 3, you can't use Bind 10.


Bind 10 is still quite new, with no official packages, let alone repositories, when this issue went to press. The Linux Magazine test team had to build the complete application from source [1]. Shortly before the editorial deadline, packages for Bind 10 appeared on the openSUSE Build Service, which allowed for easy installation with just one click [2].

On the Gentoo installation used for the test, we needed to install the boost, botan, log4cplus, and sqlite3 packages before building Bind; Python version 3.1 or later is also required. The DHCP component requires MySQL, but you can do without it for simple tests. After installing the packages, quickly compile using:

w ./configure && make && make install

If you want to run the DHCP server with a MySQL back end, you need the --with-dhcp-mysql option.

After installing Bind 10, you first need an administrative account for the configuration interface. To set it up, run b10-cmdctl-usermgr; this utility prompts you for a username and password, which it then adds to the cmdctl-accounts.csv file in $INSTALLDIR/etc/bind10. The program is still very rudimentary and only allows you to add users; it has no other functions. Incidentally, the utility names all start with b10.

Before you set out to configure the name server, you need to decide on the mode in which you will be running it: recursive or authoritative (i.e., as the master for your own zones). Unlike the previous versions, modularization in Bind 10 leads to only one component accepting connections on one IP address. Things are different for a host with multiple IPs.


To start the name server, run the INSTALLDIR/sbin/bind10 wrapper script, which, in turn, starts b10-init, which is located in the libexec directory of the installation. b10-init launches the configured components. When you first start Bind 10, all the log messages are routed to the console. In a second shell on the same machine, you then launch bindctl from the INSTALLDIR/bin directory. This command-line front end for the Restful API is used to configure Bind 10.

By default, the server accepts requests on localhost port 8080 and accepts only secure SSL connections. A self-signed certificate is installed with Bind 10, but you can replace it if necessary. When a connection is opened for the first time, bindctl queries the username and password; they are sent to ~/.bind10/default_user.csv for reuse – but in plaintext.

After logging on to the server with the user you created, you need to create the desired component. In the first example (Listing 1), this is an authoritative name server. The first line creates an instance of an authoritative name server. Line 2 is used to tag Bind services that require special attention at start and stop time, including the resolver and the web server for the configuration.

Listing 1

Creating an Auth Server

01 dns-test ~ # /opt/bind10/bin/bindctl
02 ["login success "] login as dnsadmin
03 > config add Init/components b10-auth
04 > config set Init/components/b10-auth/special auth
05 > config set Init/components/b10-auth/kind needed
06 > config commit
07 > quit
09 Exit from bindctl
10 dns-test ~ #

The third line indicates whether the auth service is necessary for this configuration. config commit enables the changes, and you can then immediately test the name server. To query the version.bind entry, for example, use the following command:

dig @ -c CH -t TXT version.bind

Now it is time to teach the name server about the zones it needs to provide. Bind 10 can use a SQLite database or legacy zone files to manage them. Despite SQLite, you still need to use zone files.

Apart from dynamic DNS updates, changes end up in the zone file; the old zone definition is automatically overwritten when you import the new version. Although it is possible to modify the database directly using requests, this will most likely cause inconsistencies; the bind authors advised against doing this when I asked. The import program goes by the name b10-loadzone. Listing 2 shows a sample call.

Listing 2

Importing a Zone into Bind 10

01 dns-test ~ # /opt/bind10/bin/b10-loadzone 1.168.192.in-addr.arpa db.192.168.1
02 2013-03-19 21:18:47.381 INFO  [b10-loadzone.loadzone/2644] LOADZONE_SQLITE3_USING_DEFAULT_CONFIG Using default configuration with SQLite3 DB file /opt/bind10/var/bind10/zone.sqlite3
03 2013-03-19 21:18:47.483 INFO  [b10-loadzone.loadzone/2644] LOADZONE_ZONE_CREATED Zone 1.168.192.in-addr.arpa./IN does not exist in the data source, newly created
04 2013-03-19 21:18:47.566 INFO  [b10-loadzone.loadzone/2644] LOADZONE_DONE Loaded 31 RRs into zone 1.168.192.in-addr.arpa./IN in 0.08 seconds

Zone Import

Bind 10 not only imports zones but also implicitly runs the bindctl commands, which are necessary for creating the zone. The zone is then immediately enabled. Although it is possible to point to your own SQLite database using the -c option, it is probably only necessary to split the file if you are a large provider supporting many zones. If you do not want to copy the zone to the database, but prefer to go on working with traditional zone files, you need to stick with bindctl (see Listing 3).

Listing 3

Creating a Zone with Zone Files

01 config add data_sources/classes/IN
02 config set data_sources/classes/IN[1]/type MasterFiles
03 config set data_sources/classes/IN[1]/params { "bind10test.local" : "/var/bind/db-test" }
04 config set data_sources/classes/IN[1]/cache-enable true
05 config commit

In the first step, Listing 3 creates a new instance of the class IN, to which it then adds parameters. The type is MasterFiles, in contrast to sqlite3 in the standard configuration. The parameters comprise the zone and the corresponding file in JSON format. The last line finally enables the cache, which serves up the zone from main memory instead of from the disk. This step is absolutely essential for zones made up of text files.

An entry in the data_sources/classes/IN hierarchy is not created for every new IN zone, only for the MasterFiles and sqlite3 types. The SQLite database can contain multiple zones, in which the Master Files type requires a JSON entry for each pair from a zone together with the associated file, all neatly separated by commas. As with legacy versions of Bind, admins need to communicate changes in the zone file; in Bind 10, the auth loadzone example.org command reloads the example.org zone.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • DoS Attack Exploit in BIND 9

    A specially crafted dynamic update message to a DNS zone for which the server is a master can raise havoc in BIND 9. An active remote exploit is already "in wide circulation."


    Some Internet exploits target name resolution servers. DNSSEC uses cryptography to protect the name resolution service.

  • Charly's Column

    A partly overloaded DNS server can slow down all the workstations on the network. Dnsgraph is an early warning system that gives administrators a graph of critical values. Your Dnsgraph charts will help you keep your systems serving names.

  • DHCP and DNS on Rasp Pi

    The versatile Raspberry Pi can serve many roles on a home network. We'll show you how to set up the Pi to provide some important network services.

  • Security Lessons: DNS Security

    Kurt describes how to keep bad guys out of your network using a targeted filtering approach.

comments powered by Disqus

Direct Download

Read full article as PDF:

Price $2.95


njobs Europe
Njobs Netherlands Njobs Deutschland Njobs United Kingdom Njobs Italia Njobs France Njobs Espana Njobs Poland
Njobs Austria Njobs Denmark Njobs Belgium Njobs Czech Republic Njobs Mexico Njobs India Njobs Colombia