Last active
October 19, 2023 20:54
-
-
Save shr00mie/740bd9ae89d04dd6d8f076c7793346a3 to your computer and use it in GitHub Desktop.
BIND9 slave for AD DNS master
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| # | |
| ## -------------------------------=[ Info ]=--------------------------------- ## | |
| # | |
| # Inspired by and adapted from: | |
| # /u/rootwyrm | |
| # https://www.reddit.com/r/homelab/comments/3zqg2y/using_bind_linux_as_a_backup_dns_server_to_a/ | |
| # | |
| # Successfully tested on: | |
| # - ESXi 6.7 -> Ubuntu Server 18.04 | |
| # - Raspberry Pi 2 -> Raspbian Stretch Lite | |
| # | |
| ## -=[ Author ]=------------------------------------------------------------- ## | |
| # | |
| # shr00mie | |
| # 01.14.2019 | |
| # v0.1 | |
| # | |
| ## -=[ Use Case ]=----------------------------------------------------------- ## | |
| # | |
| # Deploy and config bind9 slave for AD DNS master. | |
| # | |
| ## -=[ Notes ]=-------------------------------------------------------------- ## | |
| # | |
| # Minimum bind9 versions (based on functional domain level): | |
| # - Server 2k8(r2) = 9.6 | |
| # - Server 2k12(r2) = 9.9 | |
| # | |
| ## -=[ Prep ]=--------------------------------------------------------------- ## | |
| # | |
| # Create (A) entry for bind9 slave on AD DNS master | |
| # | |
| # AD DNS Prep: | |
| # - DNS Snap-in | |
| # - View -> Advanced (Enabled) | |
| # - DNS Server (Right Click) -> Properties | |
| # - [Advanced] | |
| # - Enable bind secondaries (Enabled) | |
| # - Enable netmask ordering (Enabled) | |
| # - Enable DNSSEC validation for remote responses | |
| # - Name Checking: Muiltibyte (UTF8) or All Names | |
| # - Load zone data on startup: From Active Directory and registry | |
| # - Enable automatic scavenging (set optimal interval for your use case) | |
| # - * Root Hints MUST BE UPDATED MANUALLY (You can use the "Resolve" to do this.) | |
| # - Forward Lookup Zones | |
| # - domain.com -> Properties | |
| # - [General] | |
| # - Dynamic Updates: Secure Only | |
| # - [Zone Transfers] | |
| # - Allow Zone Transfers (Enabled) | |
| # - Only to servers listed on the Name Servers tab | |
| # - <Apply> | |
| # - [Name Servers] | |
| # - <Add> | |
| # - Enter FQDN of bind9 slave | |
| # - <OK> | |
| # - _msdcs.domain.com | |
| # - same as above | |
| # - Reverse Lookup Zones | |
| # - X.X.X.in-addr.arpa -> Properties (repeat for all reverse lookup zones) | |
| # - same steps as for forward lookup zones | |
| # - [Security] | |
| # - Everyone -> Read (Enabled) | |
| # | |
| ## -=[ Breakdown ]=---------------------------------------------------------- ## | |
| # | |
| # 1. Update system | |
| # 2. Install bind9 | |
| # 3. Cleanup | |
| # 4. Edit /etc/default/bind9. Attach bind to IPv4 | |
| # 5. Backup /etc/bind/named.conf.options | |
| # 6. Create /var/cache/bind/zones folder and set permissions | |
| # 7. Config /etc/bind/named.conf.options | |
| # 8. Append reverse lookup zones to /etc/bind/named.conf.options | |
| # 9. Restart bind9 | |
| # | |
| ## -=[ To-Do ]=-------------------------------------------------------------- ## | |
| # | |
| # 1. Change DNS var to array and mod script to account for array iteration. | |
| # 2. Separate out acl, options, zones, and logging into separate files | |
| # | |
| ## ----------------------------=[ Functions ]=------------------------------- ## | |
| # | |
| # Usage: status "Status Text" | |
| function status() { | |
| GREEN='\033[00;32m' | |
| RESTORE='\033[0m' | |
| echo -e "\n...${GREEN}$1${RESTORE}..." | |
| } | |
| function add_reverse_zone(){ | |
| cat << EOF | sudo tee -a /etc/bind/named.conf.options > /dev/null | |
| zone "$1.in-addr.arpa" { | |
| type slave; | |
| masters { $AD_Server_IP; }; | |
| file "$Zone_DB_Root.$1.in-addr.arpa"; | |
| allow-transfer { dns_master; }; | |
| allow-notify { dns_master; }; | |
| }; | |
| EOF | |
| } | |
| # | |
| ## ----------------------------=[ Variables ]=------------------------------- ## | |
| # IP of AD DNS server | |
| AD_Server_IP="x.x.x.x" | |
| # IP of bind9 server | |
| BIND_Server_IP="x.x.x.x" | |
| # CIDR mask for LAN for allowed query acl | |
| LAN_Supernet="x.x.0.0/16" | |
| # Forwarder | |
| PiHole="x.x.x.x" | |
| Domain_Name="domain.com" | |
| # Array of reverse LANs (4.1.10) | |
| Reverse_Subnets=("x.x.x" "x.x.x" "x.x.x" "x.x.x") | |
| # Root path for zone dbs | |
| Zone_DB_Root="/var/cache/bind/zones/db" | |
| ## ---------------------------=[ Script Start ]=----------------------------- ## | |
| status "Updating system and installing bind9" | |
| sudo apt update && sudo apt upgrade -y | |
| sudo apt install bind9 bind9utils bind9-doc -y | |
| sudo apt autoclean && sudo apt autoremove -y | |
| status "Editing /etc/default/bind9 to bind to IPv4" | |
| sudo sed -i.back "s/OPTIONS=\"-u bind\"/OPTIONS=\"-u bind -4\"/" /etc/default/bind9 | |
| status "Backing up named.conf.options" | |
| sudo cp /etc/bind/named.conf.options /etc/bind/named.conf.options.back | |
| status "Creating Zones folder" | |
| sudo mkdir /var/cache/bind/zones | |
| sudo mkdir /var/cache/bind/log | |
| sudo chown -R bind:bind /var/cache/bind | |
| status "Configuring bind9 options" | |
| cat << EOF | sudo tee /etc/bind/named.conf.options > /dev/null | |
| acl "lan" { | |
| $LAN_Supernet; | |
| }; | |
| acl "dns_master" { | |
| $AD_Server_IP; | |
| }; | |
| options { | |
| directory "/var/cache/bind"; | |
| check-names master warn; | |
| allow-notify { localhost; dns_master; }; | |
| allow-transfer { localhost; dns_master; }; | |
| edns-udp-size 4096; | |
| max-udp-size 4096; | |
| dnssec-enable yes; | |
| dnssec-validation yes; | |
| allow-query { lan; }; | |
| forwarders { $PiHole; }; | |
| }; | |
| zone "$Domain_Name" { | |
| type slave; | |
| masters { $AD_Server_IP; }; | |
| file "$Zone_DB_Root.$Domain_Name"; | |
| allow-transfer { dns_master; }; | |
| allow-notify { dns_master; }; | |
| }; | |
| zone "_msdcs.$Domain_Name" { | |
| type slave; | |
| masters { $AD_Server_IP; }; | |
| file "$Zone_DB_Root._msdcs.$Domain_Name"; | |
| allow-transfer { dns_master; }; | |
| allow-notify { dns_master; }; | |
| }; | |
| EOF | |
| status "Appending reverse lookup zones" | |
| for sub in ${Reverse_Subnets[@]} | |
| do | |
| status "Appending ${sub}.in-addr.arpa" | |
| add_reverse_zone ${sub} | |
| done | |
| status "Appending logging configuration" | |
| cat << EOF | sudo tee -a /etc/bind/named.conf.options > /dev/null | |
| logging { | |
| channel update_debug { | |
| file "/var/cache/bind/log/update_debug.log" versions 3 size 100k; | |
| severity debug; | |
| print-severity yes; | |
| print-time yes; | |
| }; | |
| channel security_info { | |
| file "/var/cache/bind/log/security_info.log" versions 1 size 100k; | |
| severity info; | |
| print-severity yes; | |
| print-time yes; | |
| }; | |
| channel bind_log { | |
| file "/var/cache/bind/log/bind.log" versions 3 size 1m; | |
| severity info; | |
| print-category yes; | |
| print-severity yes; | |
| print-time yes; | |
| }; | |
| category default { bind_log; }; | |
| category lame-servers { null; }; | |
| category update { update_debug; }; | |
| category update-security { update_debug; }; | |
| category security { security_info; }; | |
| }; | |
| EOF | |
| status "Restarting bind9" | |
| sudo systemctl restart bind9 |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment