Solaris 11: Install Bind Server


Today I am going to document the process of installing BIND on Solaris 11.  I am using a Solaris 11.1 zone for this task, though nothing here is specific to zones, and it should work on previous versions of Solaris 11.  I have done this quite a few times and it is not a very intuitive process.  As of the time of this writing the version of BIND in IPS is 9.6.3.7.2 (9.6-ESV-R7-P2).

Install BIND

Using IPS we can install the BIND package.

# pkg install pkg://solaris/network/dns/bind

Create Required Directories

We will need a few directories to have a functional name server.

# mkdir -p /var/named/master

Create Group to Run BIND

We don’t want to run the service as root, so we will need to create a dedicated group.  Disregard the warning; it is only because the gid is below 100.

# groupadd -g 98 named
UX: groupadd: WARNING: gid 98 is reserved.

Create User to Run BIND

We will also create a dedicated user to run the software.  Disregard the warning; it is only because the uid is below 100.

# useradd -g named -d /var/named -u 98 named
UX: useradd: WARNING: uid 98 is reserved.

Set Directory Ownership

Ownership of the working directory will need to be changed as well so the new user and group can use it.

# chown -R named:named /var/named

Modify Start User

Here we set the dns/server service (full FMRI: svc:/network/dns/server) to start as the named user we created earlier.

# svccfg -s dns/server:default setprop start/user=named

Modify Start Group

Here we set the same service to start with the named group we created earlier.

# svccfg -s dns/server:default setprop start/group=named

Build Basic Configuration

Solaris 11 doesn’t come with a sample configuration, so we need to start from scratch.  To test our previous steps we will simply set up a caching, forward-only DNS server.  Keep in mind you will need to add your own networks to allow-query or name resolution itself will not work; that same list is also what stops this forwarding resolver from answering queries from the whole Internet, so keep it limited to your own networks.

# cat /etc/named.conf
options {
  directory "/var/named";
  version "unknown";
  pid-file "/var/named/named.pid";
  forwarders { 8.8.8.8; 8.8.4.4; };
  forward only;
  allow-transfer { none; };
  // only these client networks may query (and therefore recurse through) this server
  allow-query { 192.168.1.0/24; 192.168.2.0/24; };
};

zone "localhost" {
  type master;
  file "localhost.db";
  allow-update { none; };
};

zone "0.0.127.in-addr.arpa" {
  type master;
  file "localhost.rev.db";
  allow-update { none; };
};

Build Localhost Zone

# cat /var/named/localhost.db

$TTL 3h
@ IN SOA ns01.yourdomain.local. hostmaster.yourdomain.net. (
    2014061201 ; serial
    12h        ; refresh
    15m        ; retry
    3w         ; expire
    3h         ; minimum (negative caching TTL)
    )

; lines below start with whitespace so they inherit the "@" owner
    IN NS ns01.yourdomain.local.
    IN NS ns02.yourdomain.local.
    IN NS ns03.yourdomain.local.

@   IN NS @
    IN A  127.0.0.1

Build Localhost Reverse Zone

# cat /var/named/localhost.rev.db

$TTL 3h
@ IN SOA ns01.yourdomain.local. hostmaster.yourdomain.net. (
    2014061201 ; serial
    12h        ; refresh
    15m        ; retry
    3w         ; expire
    3h         ; minimum (negative caching TTL)
    )

    IN NS ns01.yourdomain.local.
    IN NS ns02.yourdomain.local.
    IN NS ns03.yourdomain.local.

1   IN PTR localhost.

Add BIND Authorization

This allows the named user to administer the dns/server service.

# usermod -A solaris.smf.manage.bind named

Refresh Service Configuration

This makes the service re-read its configuration from the SMF repository and pick up the user and group changes we made earlier.

# svcadm refresh dns/server

Start DNS Server

Now we are done and ready to validate.  Let's start the service.

# svcadm enable dns/server

Check the Service

If the following command produces no output, no service is in a problem state and BIND has started properly.

# svcs -x

To confirm with actual output we can use the following command.

# svcs dns/server
STATE STIME FMRI
online 18:58:31 svc:/network/dns/server:default

But let's assume for a second that we have a problem; this is what you will see.

# svcs -x
svc:/network/dns/server:default (BIND DNS server)
State: maintenance since June 14, 2014 06:57:34 PM CDT
Reason: Start method failed repeatedly, last exited with status 1.
See: http://support.oracle.com/msg/SMF-8000-KS
See: named(1M)
See: /var/svc/log/network-dns-server:default.log
Impact: This service is not running.

Now we have two things to check: the SMF service log, /var/svc/log/network-dns-server:default.log, and /var/adm/messages.  Usually tailing the service log and grepping for named in the messages file will reveal the problem.  A common problem I have had is forgetting to set the ownership properly, or forgetting to refresh the service after the user and group are updated.  The latter is visible by checking which user is running the named process.  Once the problem is fixed, you can clear the maintenance state with the following.

# svcadm clear dns/server
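A post-install check script, added here as an example that is not part of the original post, that verifies the outcome of the steps above: the service is online, named runs as the named user rather than root, named.conf and both zone files pass BIND's own checkers, and the zone files avoid two master-file pitfalls (a record line without leading whitespace, which turns the class keyword into the owner name, and an NS record pointing at an IP address).  The Solaris paths, the svcs and ps -ef output layouts and the --run flag are assumptions.

```shell
#!/bin/sh
# Post-install checks for the BIND setup above (added example, not from the
# original post).  Check functions take command output or a file path so they
# can be exercised on constructed samples; run_all gathers live data on a
# Solaris 11 host.  Paths, output formats and the --run flag are assumptions.

# Succeed only if an svcs(1) line shows the dns/server instance online.
svc_is_online() {
    printf '%s\n' "$1" |
        awk '$1 == "online" && $3 ~ /dns\/server/ { ok = 1 } END { exit ok ? 0 : 1 }'
}

# Print the UID of the first ps -ef line whose command is named.  Empty means
# not running; "root" means start/user was not applied (refresh forgotten).
named_run_user() {
    printf '%s\n' "$1" |
        awk '{ for (i = 8; i <= NF; i++) if ($i ~ /(^|\/)named$/) { print $1; exit } }'
}

# Print zone-file lines that start with a class or type keyword in column 0.
# A line must begin with whitespace to inherit the previous owner; "IN NS x"
# at column 0 makes "IN" the owner, so the record silently lands on IN.<zone>
# and named-checkzone accepts it.
zone_owner_bugs() {
    awk '/^(IN|CH|HS|A|AAAA|NS|PTR|MX|CNAME|TXT)[ \t]/ { print FILENAME ":" FNR ": " $0 }' "$1"
}

# Print NS records whose target is an IPv4 literal; NS data must be a host name.
ns_with_ip_target() {
    awk 'toupper($0) ~ /[ \t]NS[ \t]/ && $NF ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ { print FILENAME ":" FNR ": " $0 }' "$1"
}

# Live checks; BIND's own named-checkconf/named-checkzone do the syntax pass.
run_all() {
    svc_is_online "$(svcs dns/server 2>/dev/null)" || echo "WARN: dns/server is not online"
    user=$(named_run_user "$(ps -ef)")
    [ "$user" = named ] || echo "WARN: named runs as '${user:-not running}', expected 'named'"
    named-checkconf /etc/named.conf || echo "WARN: /etc/named.conf has errors"
    for z in localhost:/var/named/localhost.db 0.0.127.in-addr.arpa:/var/named/localhost.rev.db; do
        named-checkzone -q "${z%%:*}" "${z#*:}" || echo "WARN: zone ${z%%:*} failed to load"
        zone_owner_bugs "${z#*:}"
        ns_with_ip_target "${z#*:}"
    done
}

if [ "${1:-}" = --run ]; then run_all; fi
```

Run it as `sh bindcheck.sh --run` on the server after `svcadm enable dns/server`; any WARN line or listed zone-file line is something to fix before clearing the service.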