http://www.microsoft.com/technet/security/advisory/2607712.mspx

Before you continue with creating your own solution to removign DigiNotar, review this recent update from Microsoft for an out-of-band update: http://support.microsoft.com/kb/2607712.

The code below will remove certificates containing the word “DigiNotar” in the SubjectName field. The code iterates all certificates in the following stores, in this order, using nearly identical blocks of code:

1. REMOVES *DigiNotar* in the Intermediate certificates store for Current User
2. REMOVES *DigiNotar*in the Intermediate certificates store on Local Machine
3. REMOVES *DigiNotar*in the Trusted “Root” certificate store for Current User
4. REMOVES *DigiNotar*in the Trusted “Root” certificate store on Local Machine

The code removes certificates from both the current user and local machine. Obviously, the local machine will require administrative permissions and the current user will need to be ran on every user. For deployment, you would need to run for each user in their context on every system and once for each system for the root certificate. If you are only concerned with the root certificate, then remove the blocks of code that reference current user.

As with all of my blog articles, there is no warranty or guarantee from the sample provided below. The security of your environment is your responsibility. If the code does not work or causes other issues in your environment, it is your responsibility. You should thorough test prior to release to a production environment.

Removing DigiNotar certificates .NET Framework 2.0 code example:

Imports System
Imports System.Security.Cryptography
Imports System.Security.Cryptography.X509Certificates
Imports System.IO

Module Module1
Dim certsRemoved As Boolean = False
Dim myExitCode As Integer = 0
‘exit code table
’0 = cert removed
’1 = nothing removed
’2 = error

Sub Main()
Console.WriteLine(“devtrends.com — September 2, 2011″)
Console.WriteLine(“Removes DigiNotar* from the Root and CertificateAuthority (Intermediate) certificate store.”)
Console.WriteLine(“”)

’1. REMOVES DigiNotar in the Intermediate certificates store for Current User
Try
‘open a connection to the X509 local certificate store.
Dim store As X509Store = New X509Store(X509Certificates.StoreName.CertificateAuthority, StoreLocation.CurrentUser)
store.Open(OpenFlags.ReadWrite)

‘loop through and find the cert we want to work with
For Each cert As X509Certificate2 In store.Certificates
‘Console.WriteLine(cert.SubjectName.Name)
If (cert.SubjectName.Name.Contains(“DigiNotar”)) Then
Console.WriteLine(“User Intermediate Removed: ” & cert.SubjectName.Name)
store.Remove(cert)
certsRemoved = True
End If
Next

‘close the store object
store.Close()

‘did we remove anything?
If certsRemoved Then
myExitCode = 0
Else
myExitCode = 1
Console.WriteLine(“User Intermediate: DigiNotar not found. Nothing removed.”)
End If
Catch ex As Exception
Console.WriteLine(“User Intermediate Error: ” & ex.Message)
myExitCode = 2
End Try

’2. REMOVES DigiNotar in the Intermediate certificates store on Local Machine
Try
‘open a connection to the X509 local certificate store.
Dim store As X509Store = New X509Store(X509Certificates.StoreName.CertificateAuthority, StoreLocation.LocalMachine)
store.Open(OpenFlags.ReadWrite)

‘loop through and find the cert we want to work with
For Each cert As X509Certificate2 In store.Certificates
‘Console.WriteLine(cert.SubjectName.Name)
If (cert.SubjectName.Name.Contains(“DigiNotar”)) Then
Console.WriteLine(“Local Machine Intermediate Removed: ” & cert.SubjectName.Name)
store.Remove(cert)
certsRemoved = True
End If
Next

‘close the store object
store.Close()

‘did we remove anything?
If certsRemoved Then
myExitCode = 0
Else
myExitCode = 1
Console.WriteLine(“Local Machine Intermediate: DigiNotar not found. Nothing removed.”)
End If
Catch ex As Exception
Console.WriteLine(“Local Machine Intermediate Error: ” & ex.Message)
myExitCode = 2
End Try

’3. REMOVES DigiNotar in the Trusted “Root” certificate store for Current User
Try
‘open a connection to the X509 local certificate store.
Dim store As X509Store = New X509Store(X509Certificates.StoreName.Root, StoreLocation.CurrentUser)
store.Open(OpenFlags.ReadWrite)

‘loop through and find the cert we want to work with
For Each cert As X509Certificate2 In store.Certificates
If (cert.SubjectName.Name.Contains(“DigiNotar”)) Then
Console.WriteLine(“User Root Removed: ” & cert.SubjectName.Name)
store.Remove(cert)
certsRemoved = True
End If
Next
‘close the store object

store.Close()
‘did we remove anything?
If certsRemoved Then
myExitCode = 0
Else
myExitCode = 1
Console.WriteLine(“User Root: DigiNotar not found. Nothing removed.”)
End If
Catch ex As Exception
Console.WriteLine(“User Root Error: ” & ex.Message)
myExitCode = 2
End Try

’4. REMOVES DigiNotar in the Trusted “Root” certificate store on Local Machine
Try
‘open a connection to the X509 local certificate store.
Dim store As X509Store = New X509Store(X509Certificates.StoreName.Root, StoreLocation.LocalMachine)
store.Open(OpenFlags.ReadWrite)

‘loop through and find the cert we want to work with
For Each cert As X509Certificate2 In store.Certificates
If (cert.SubjectName.Name.Contains(“DigiNotar”)) Then
Console.WriteLine(“Local Machine Root Removed: ” & cert.SubjectName.Name)
store.Remove(cert)
certsRemoved = True
End If
Next

‘close the store object
store.Close()

‘did we remove anything?
If certsRemoved Then
myExitCode = 0
Else
myExitCode = 1
Console.WriteLine(“Local Machine Root: DigiNotar not found. Nothing removed.”)
End If
Catch ex As Exception
Console.WriteLine(“Local Machine Root Error: ” & ex.Message)
myExitCode = 2
End Try

‘exit with specific exit code
Console.WriteLine(“”)
Console.WriteLine(“Exit code: (” & myExitCode & “)”)
Environment.Exit(myExitCode)
End Sub

End Module

Ensuring Streaming Capability

The first step is to ensure that we have the appropriate application for playing our music on hold stream. Because we will be using an MP3 stream, we will want to use mpg123. Unfortunately, the mpg123 application is not included in the Elastix distribution, so, let’s install it. We will also need to install other components/applications associated with mpg123:

Let’s start by downloading the RPM package for mpg123:

[root@server /]# cd /usr/src
[root@server /usr/src]# wget “ftp://ftp.sunet.se/pub/os/Linux/RPMForge/dag/redhat/el3/en/i386/RPMS.dag/mpg123-1.6.2-1.el3.rf.i386.rpm”

Next, well install the required applications to make mpg123 work (if you don’t want to explicitly run these, skip to installing the rpm and install the required application as you are requested):

[root@server /usr/src]# yum install audiofile
[root@server /usr/src]# yum install glibc
[root@server /usr/src]# yum install libtool-ltdl
[root@server /usr/src]# yum install esound

Finally, lets install mpg123:

[root@server /usr/src]# rpm -ivh mpg123-1.6.2-1.el3.rf.i386.rpm

Acquiring a Stream

The second step in configuring streaming music on hold is finding the stream you want to use. For this example, I will use a Digitally Imported stream named Chillout Dreams.

Because of the way that Firefox handles downloads, I’m going to demonstrate accessing the stream file using Firefox:

1. Open Firefox and browse to www.di.fm
2. Using the mouse, hover over the DI menu “Listen Now!”, then hover over “Chillout Dreams”, then hover over “MP3 Streams”, and finally click on “96k Cable/DSL”.
   
3. Once the download has completed, right click on listen.pls and then click on “Open Containing Folder”.
   
4. Using your favorite text editor, mine is UltraEdit, open listen.pls and select the http:// stream for file1 and copy to your clipboard.
   

Configuring Elastix

Now that you have a stream URL ready for use, open your Elastix web interface and click on the PBX tab.

1. Under PBX configuration, on the left side of the screen, click on the “Music on Hold” link from the Internal Options & Configuration section.
2. Now click on the “Add Streaming Category” on the right side of the screen.
3. In the Category Name field, enter whatever you wish, “DI-Chillout-Dreams”?
4. In the Application field, enter the following, then paste the stream URL at the end of the application string (replacing [streamURL] of course):

/usr/bin/mpg123 -q -s –mono -r 8000 -f 8192 -b 0 [streamURL]

Now that you have the Music on Hold defined, we need to configure your inbound and outbound routes to use the music on hold:

1. Click on the “Outbound Routes” and then click on your route(s), then in the drop down list for “Music on Hold?”, choose your new music on hold category.
2. Click on the “Inbound Routes” and then click on your route(s), then in the drop down list for “Music on Hold?”, choose your new music on hold category.

On the Back End

When  you created the music on hold category/application, the Asterisk file modified is /etc/asterisk/musiconhold_additional.conf, which is included in the base music on hold file /etc/asterisk/musiconhold.conf.

If you open the conf file in a text editor, you’ll notice the category/application that you added earlier.

-Aaron

As you may know, to make a Linux server replace a Windows file server you’ll need a common file sharing protocol between both server and client. Well, SAMBA is the answer. In reality I think that SAMBA is the only answer.

Installing SAMBA

To be honest, I just rebuilt my Linux machine this month and have already forgotten whether SAMBA came preinstalled on Ubuntu Server 9.10 or not. Even if it is already install, it doesn’t hurt to try installing it again:

aaron@server:/# sudo apt-get install samba

Among other files, the three files you will use the most in configuring SAMBA are the config file, /etc/samba/smb.conf, and the init script for the daemon, /etc/init.d/samba, and the SAMBA password tool, /usr/bin/smbpasswd.

Configuring Users and Groups for SAMBA

The first step is creating the users and groups that will be accessing the SAMBA share. In this example, we will use local Linux accounts and groups, then activate the user account in SAMBA. The group will be used to assign permissions to the directory in the Linux file system.

Because my set up is small, I have only a few accounts and one group that I use for SAMBA shares. The group has all SAMBA users in it and is named “dtusers”. Let’s work with my configuration as the example.

First, if you dare, switch to the root account (or best practice is to use sudo for every command):

root@server:/# sudo su

To create a new system group, use the following:

root@server:/# groupadd -r dtusers

Now that we have the group created, we should create some users as well. As we create the users, we will assign the group we just created as a supplemental group.

root@server:/# useradd -G dtusers -p P@ssW0rd aaron

Use the above command as many times as needed for your users. “aaron” is the username, by the way. Additional thought, “P@ssW0rd” is not a secure password, and even though SAMBA is configured to synchronize passwords (see “unix password sync” setting in the smb.conf file), we want to ensure a password is set prior to SAMBA configuration.

Finally, we need to enable these accounts using the SAMBA smbpasswd password tool.

root@server:/# smbpasswd -a aaron

When you are prompted for a password, use the same password as you did when you created the user. Use the above command as many times as needed for your users.

Configuring Directories for SAMBA Sharing

The next step is figuring out which directories you want to share through SAMBA. In my case, I created all of my shares under /datastore/. For the example, lets copy my configuration.

Create the /datastore/ root directory. Then create a directory named aaron, a directory named music, a directory named pictures and a directory named downloads.

root@server:/# mkdir /datastore
root@server:/# cd /datastore
root@server:/datastore# mkdir aaron
root@server:/datastore# mkdir music
root@server:/datastore# mkdir pictures
root@server:/datastore# mkdir downloads

Now that we have our directories created, we need to ensure owners and  permissions are set correctly for each of the directories.

First, we need to change the user and group owners. I recommend root as the main user for any “shared” directories:

root@server:/datastore# chown aaron:dtusers aaron
root@server:/datastore# chown root:dtusers music
root@server:/datastore# chown root:dtusers pictures
root@server:/datastore# chown root:dtusers downloads

Last, we need to change the permissions. I recommend 775 (see Unix Permissions at the bottom of this article for more info on 775) for any of the “shared” directories and 750 or 700 for the user specific directories.

root@server:/datastore# chmod 700 aaron
root@server:/datastore# chmod 775 music
root@server:/datastore# chmod 775 pictures
root@server:/datastore# chmod 775 downloads

Now, have a look at your directories to make sure they have the appropriate permissions:

Configuring SAMBA

The final step in configuring SAMBA is, well, configuring SAMBA. The SAMBA configuration file, smb.conf, that comes with the SAMBA install is rather large. We’ll go through it and change only some of the settings and add some of our own.

Using your favorite text editor (mine is actually vi, but if you are new to Linux, you’ll like nano better) and open the SAMBA configuration file:

root@server:/# vi /etc/samba/smb.conf

Scroll through the configuration file and review the various options. Once you have looked around, start changing variables. First if you have a DNS domain defined, I would change the following:

workgroup = dt.local

Next, scroll to the bottom of the configuration file and add your SAMBA share definitions. In this example, I have also configured a “create mask” which forces certain permission types for all new files, “directory mask” which forces certain permission types for all new directories, and “force group” to ensure the group is always my dtusers group:

[aaron]
path = /datastore/aaron
valid users = aaron
writable = yes
browseable = yes
read only = no
create mask = 0700
directory mask = 0700
guest ok = no
force group = dtusers

[music]
path = /datastore/music
valid users = @dtusers
writable = yes
browseable = yes
read only = no
create mask = 0775
directory mask = 0775
guest ok = no
force group = dtusers

[pictures]
path = /datastore/pictures
valid users = @dtusers
writable = yes
browseable = yes
read only = no
create mask = 0775
directory mask = 0775
guest ok = no
force group = dtusers

[downloads]
path = /datastore/downloads
valid users = @dtusers
writable = yes
browseable = yes
read only = no
create mask = 0775
directory mask = 0775
guest ok = no
force group = dtusers

You’ll notice that the [aaron] share contains “valid users” of only aaron, while the other “shared” shares contain “valid users” of @dtusers. The @ sign defines a group. If you have more than one group or users, separate them with a space.

Save the configuration file and then restart the SAMBA service:

root@server:/# /etc/init.d/samba restart

Using SAMBA

Now that you have SAMBA configured with some shares, give it a whirl from your Windows machine. If the user that you sign into on your Windows machine is the same, with the same password, as the Linux/SAMBA user you will not be prompted to authenticate.

Click Start > Run and then type in the UNC path to your Linux server. If you have a DNS host (A) record for your server it could be \\server\share_name, otherwise just use the IP address, \\192.168.0.1\share_name.

That’s it. Enjoy Linux!

Unix Permissions

764 defines the permissions for User (the 7)/Group (the 6)/Everyone (the 4). As another example, if you wanted only the User to have full permissions, assign 700, which is User (the 7)/Group (the 0)/Everyone (the 0).

The number represents the collective of permission types: 4 is Read, 2 is Write, 1 is Execute. So a 7 would be 4 + 2 + 1, which means that when assigned to the User, it will have all three permission types, or full control. A zero means no permission types, and therefore no permissions.

Links

http://www.samba.org/
http://support.quickbooks.intuit.com/support/Articles/HOW12300

-Aaron

http://linuxbites.wordpress.com/2010/03/26/configure-iscsi-in-centos-45-rehl-45/

-Aaron

GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}

-or- if you feel like being different:

DevilMode.{ED7BA470-8E54-465E-825C-99712043E01C}

http://www.microsoftnow.com/2010/01/windows-7-godmode-not-really.html

-Aaron

Microsoft DreamSpark

While looking around for Microsoft Visual Basic 2008 Express Edition, I came across a site at Microsoft.com that states its sole purpose is: “It’s about giving students Microsoft professional tools at no charge.”

Wow. I’ve been a student for many years, taking one class here and there at local community colleges and have never heard of this offering.

If you have a TechNet subscription, then some of these products are already available to you, such as the Server Operating Systems; however, even my TechNet (standard for $199/yr) doesn’t provide tools like Microsoft Visual Studio 2010 Professional or Microsoft Robotics Developer Studio 2008 R3 or even Microsoft Windows Embedded Standard 7!!

So sign up if you have a student email address at your college/university and start programming in Visual Studio 2010 Professional!

As a final benefit, you get a free Microsoft exam voucher. That alone is worth the sign up.

-Aaron

This article is not to argument security threats, but instead to show you how to configure an NTP server on Ubuntu Server 9.10. Once you have the NTP Server functioning, you may configure devices that understand NTP to get time from your new NTP Server. Let’s get started.

Install NTP Server

Remember that installing packages in Linux will require elevated privileges, so make sure you sudo first.

1. root@server:/# apt-get install ntp

Configure the NTP Server

Next we will configure the NTP server to use a NTP pool and to allow access for your network to do NTP queries to this server.

1. root@server:/# vi /etc/ntp.conf

Locate the following section in the conf file:

# You do need to talk to an NTP server or two (or three).
server ntp.ubuntu.com

Change that to be this instead (servers from pool.ntp.org):

# You do need to talk to an NTP server or two (or three).
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server 3.pool.ntp.org

Next locate the “restrict” statements and add the following new line (replace with your subnet):

restrict 192.168.0.0 mask 255.255.255.0 nomodify notrap

Set Time on Server

This is an important step, as you will not be able to synchronize your NTP Server with the NTP pool time if the time is off by too many minutes.

Make sure the NTP Server is stopped, as the following command will require the same port:

1. root@server:/# /etc/init.d/ntp stop

Set the system time:

2. root@server:/# ntpdate pool.ntp.org

Start the NTP Server.

3. root@server:/# /etc/init.d/ntp start

Check the NTP Server Status

In order for your clients to be able to successfully query time from your new NTP Server, your NTP Server must be synchronized with the specified Internet NTP servers. After you have started the NTP Server, this may take 10 minutes for synchronization.

To check the status, use:

1. root@server:/# ntpq -pn

If you server is not synchronized yet, and assuming your configured the servers as explained above, you should see something similar to the following:

Once it is synchronized, it will display something similar to the following:

Notice the * and + symbols next to the IP addresses, the one with the * is the server that your computer is synchronized with.

Note: If you try to synchronize a Windows device with the NTP Server before it is synchronized with the Internet, you will probably receive an error similar to: “An error occurred while Windows was synchronizing with 192.168.0.10. The time sample was rejected because: The peer’s stratum is less than the host’s stratum.”

For this example we will use atftp daemon, which is apparently the best solution for Linux at the time of this article.

Install atftpd

Obviously the installation requires root access, so make sure that you sudo.

1. root@server:/# apt-get install atftpd

Configure atftpd

1. root@server:/# vi /etc/default/atftpd

We are going to change USE_INETD to false and then if you feel like it, remove some of the options. Be sure to add the option “–daemon”, as shown below:

USE_INETD=false
OPTIONS=”–tftpd-timeout 300 –retry-timeout 5 –maxthread 100 –verbose=5 –daemon /var/lib/tftpboot/”

If you do not add the –daemon option, then atftpd daemon will not start when you restart with /etc/init.d/atftpd restart. Instead it will display the atftpd options, as though you ran the binary file from /usr/sbin/atftpd.

If you are interested in learning about the options, be sure to read the atftpd man page.

2. root@server:/# /etc/init.d/atftpd restart

This command will restart the deamon with the new settings.

Testing the TFTP Server

The final step, unless you think you are totally awesome or trust my articles, is to test the TFTP server to make sure that it works. You can accomplish this from a Windows machine by running a command similar to (the -i means binary trasnfer):

1. C:\tftp -i server_address put picture.gif

From a Linux machine, you can install tftp (apt-get install tftp).

Other Notes

I didn’t like the default location of /var/lib/tftpboot/ for the files to be stored. I have a directory called /datastore/ that I put all of my files into for backup purposes.

After attempting to configure atftpd to use a different location, such as changing the path specified in /etc/default/atftpd, I was unable to change to a new location. With that stated, I made a symbolic link in /datastore/ to point to /var/lib/tftpboot/, which is good enough for me.

1. root@server:/datastore# ln -s /var/lib/tftpboot/ ./tftproot

Entourage uses Outlook Web Access (OWA) to connect to the Exchange environment. This isn’t just any version of OWA, it’s a specific version, the older clunky version that you would never want to use in a production environment as a webmail solution. When you add an Exchange account to Entourage, you are required to provide an Exchange server name (obviously) which Entourage takes and creates the OWA URL for accessing the mailbox. The issue seems to be that Entourage uses a defined URL generation function that may or may not work correctly with your Exchange environment. I found this to be particularly true when trying to add shared mailboxes as a delegated mailbox into a primary account.

In my particular case, we had some shared mailboxes that would not connect correctly. After adding them to the “Users I am a delegate for” list, I could not see the Inbox, regardless of the permissions that were set. What was more interesting Some accounts it worked fine for.

So what is the fix?

Let’s start by understanding Entourage and its unique relationship with OWA. If you open a web browser and point it to http://[your exchange server]/exchange/, what do you get? On a domain joined computer you should see OWA and your mailbox. In Entourage, when you provide only the Exchange server name, Entourage builds the URL similar to the one above. This works great as you are able to view the default content, which is your mailbox.

Now, what about when you add an item to the “Users I am a delegate for” list? How does Entourage build the URL for accessing something other than the default content, which is your mailbox? Easy! Just put a unique identifier following the /exchange/ directory in the URL, http://[your exchange server]/exchange/aaron/. Wait if it were THAT easy, I wouldn’t be writing this article.

The issue is that Entourage builds a URL that may not match what is defined in the Exchange environment. Luckily, Entourage lets you type the full URL if you happen to know what it is, just in case the URL generation function screws up.

There are two ways to connect to another account using OWA:

1. http://[your exchange server]/exchange/[unique identifier ?? for your account]/
2. http://[your exchange server]/exchange/[default SMTP address]/

The reason I put two question marks in the first option is because I have yet to determine where this unique identifier is stored and what decides what it is (can someone enlighten me?). This is where the failure might occur; Entourage uses the top one by default when creating the URL, so if Entourage thinks your unique identifier is “aaron” but Exchange says its “aaron.devtrends”, then Entourage isn’t going to be able to connect to that mailbox. This is unfortunate as it complicates adding a mailbox to the “Users I am a delegate for” list. But, at least there is a solution.

The resolution is to use the second option of URL generation scripts. In the Exchange properties, you can set the Exchange server to the full path of the specific mailbox that you want to open:

http://[your exchange server]/exchange/[default SMTP address]/

http://devtrends/exchange/noemails@devtrends.com/

Replace [your exchange server] with your Exchange server name and the [default SMTP address] with the default SMTP email address of the mailbox you are trying to open. As you test this, be sure to be patient with replication if you are in a multi-site domain; this being true if you just added or changed an SMTP address. Otherwise you may see error 18597 or HTTP errors.

As a last note, I’d recommend testing the URL in Safari prior to saving it in your Entourage configuration!

Recently I migrated core functionality from my home Windows 2000 Server to a new host running ESXi 4.0 with three Ubuntu Server 9.10 VMs. If you want to see a simple diagram on my set up, view my article on Linux Backup Shell Script. One of the core functionality that I migrated was my internal DNS services. Hence the title of this article, DNS Server with Bind9.

bind9

I am impressed, once again, with Linux and the services residing within this amazing operating system. The most amazing part about Linux services is that many of them have been around as long as I have — where have I been?

Before I begin rambling too much, let’s get started on creating DNS forward and reverse zones for your local network …

First ensure you have bind9 installed by running the following command:

whereis bind

If the results is blank, such as just “bind: “, then you will need to install bind9. On Ubuntu, I would imagine the command would look like this:

sudo apt-get install bind9

Forward Zones

We need to configure your DNS forward zones, which will provide name to address resolution in your internal network. As we progress the configuration, keep in mind that your specific configuration will be slightly different than mine; adapt as needed.

For simple networks, such as mine at home, there are only a few changes that you will need to make for Forward lookup zones. The first file is /etc/bind/db.local.

/etc/bind/db.local

The changes are fairly easy because we going to use most of what is provided in the original file. Change the Start of Authority (SOA) to be the domain environment for your network. My domain is dt.local and my primary DNS server is dtsfile.dt.local. Change the SOA to reflect your choices and also change the nameserver (NS) line to be your primary DNS server.

Also, you will want to add A records for your various servers/computers on the network. For this example, I added my Asterisk server:

dtsvoip.dt.local.	IN	A	192.168.0.11

The next file to change, which we will also make changes for reverse DNS at the same time, is the /etc/bind/named.conf.default-zones file.

/etc/bind/named.conf.default-zones

The line for the primary zone, which references the /etc/bind/db.local file must state your local domain in the quotes following the zone directive:

zone “dt.local” {
  type master;
  file “/etc/bind/db.local”;
};

As we have more changes in this file, leave it open and continue to the next section.

Reverse Lookup Zones

As you probably know, a reverse lookup provides a name to an IP address. In Windows you would find the name of 192.168.0.10 by typing “nslookup 192.168.0.10” from a command prompt. If you have configured reverse DNS properly, you will see output similar to this:

C:\>nslookup 192.168.0.10
Server:  dtsfile.dt.local
Address:  192.168.0.10

Name:    dtsfile.dt.local
Address:  192.168.0.10

You may be wondering why the entry appears twice. This is because the Server and the name that I am looking up is the same server. If I were to locate my Asterisk server, it would look like this:

C:\>nslookup 192.168.0.11
Server:  dtsfile.dt.local
Address:  192.168.0.10

Name:    dtsvoip.dt.local
Address:  192.168.0.11

On with the configuration…

/etc/bind/named.conf.default-zones

If you were paying attention in the previous section you would still have that file open. Regardless, let’s add another zone to the file that represents our reverse lookup for the IP subnet in your network. In my network I use 192.168.0.0/24 which is the same as saying 192.168.0.0 with a subnet of 255.255.255.0 (192.168.0.0 to 192.168.0.255).

Immediately after the zone directive for your domain, add the following text for your reverse lookup:

zone “0.168.192.in-addr.arpa” {
  type master;
  file “/etc/bind/db.0.168.192”;
};

If you’re sharp, you’ll immediately know that the file db.0.168.192 doesn’t exist. We’ll create it next. And yes, it’s backwards; in reverse DNS lookups the IP address is reversed as part of the requirements set in the RFC and obviously for functionality pointing back to the host name of the IP. Read more: http://en.wikipedia.org/wiki/Reverse_DNS_lookup

Save changes to named.conf.default-zones.

/etc/bind/db.0.168.192

Next we’ll create a new zone db file for our newly created reverse lookup. Start by copying db.0 into a new file named db.0.168.192 (or whatever your local subnet IP address is).

cp /etc/bind/db.0 /etc/bind/db.0.168.192

Just like in your db.local file, let’s change the SOA to reflect your domain and nameserver. This includes the NS line that should already exist in the file. Now let’s add pointer (PTR) records for your servers/computers on the network. I’ll use mine for examples:

10	IN	PTR	dtsfile.dt.local
11	IN	PTR	dtsvoip.dt.local

Save changes to db.0.168.192.

Forwarders

The last section, assuming you want to use this DNS server as your primary DNS on all computers, is to set up a forwarder for all names that are not a part of your network. You will need to edit /etc/bind/named.conf.options.

/etc/bind/named.conf.options

The change is really simple, uncomment the forwarders directive and modify the IP address within to be your local router or your ISP DNS servers. Mine is similar to the following:

forwarders {
  192.168.0.1;
};

Local Name Resolution

The final step is to change your /etc/resolv.conf file to point your DNS server and to set the domain and search realm. This is what mine looks like:

domain dt.local
search dt.local
nameserver 192.168.0.1

Restart the bind9 daemon

After making all of these changes, the final is to restart the bind9 daemon. Oh, one other step is to change your computers to use this DNS server as the primary.

Configuration Files Examples

/etc/bind directory listing

/etc/bind# ls -la
drwxr-sr-x   2 root bind  4096 2010-08-01 17:52 .
drwxr-xr-x 141 root root 12288 2010-08-01 17:54 ..
-rw-r--r--   1 root root   237 2009-08-19 15:00 db.0
-rw-r--r--   1 root root   271 2009-08-19 15:00 db.127
-rw-r--r--   1 root bind   295 2010-08-01 17:22 db.0.168.192
-rw-r--r--   1 root root   237 2009-08-19 15:00 db.255
-rw-r--r--   1 root root   353 2009-08-19 15:00 db.empty
-rw-r--r--   1 root root   316 2010-08-01 17:14 db.local
-rw-r--r--   1 root root  2940 2009-08-19 15:00 db.root
-rw-r--r--   1 root bind   463 2009-08-19 15:00 named.conf
-rw-r--r--   1 root bind   573 2010-08-01 16:50 named.conf.default-zones
-rw-r--r--   1 root bind   165 2009-08-19 15:00 named.conf.local
-rw-r--r--   1 root bind   570 2010-07-16 11:58 named.conf.options
-rw-r-----   1 bind bind    77 2010-01-30 11:50 rndc.key
-rw-r--r--   1 root root  1317 2009-08-19 15:00 zones.rfc1918

./db.0.168.192

;
; BIND reverse data file for broadcast zone
;
$TTL    604800
@       IN      SOA     dt.local. dtsfile.dt.local. (
        1         ; Serial
   604800         ; Refresh
    86400         ; Retry
  2419200         ; Expire
   604800 )       ; Negative Cache TTL
;
@       IN      NS      dt.local.
10     IN      PTR     dtsfile.dt.local.
11     IN      PTR     dtsvoip.dt.local.

./db.local

;
; BIND data file for local loopback interface
;
$TTL    604800
@       IN      SOA     dt.local. dtsfile.dt.local. (
        2         ; Serial
   604800         ; Refresh
    86400         ; Retry
  2419200         ; Expire
   604800 )       ; Negative Cache TTL
;
@       IN      NS      dtsfile.dt.local.
@       IN      A       127.0.0.1
@       IN      AAAA    ::1
dtsvoip.dt.local.       IN      A       192.168.0.11

./named.conf.default-zones

// prime the server with knowledge of the root servers
zone "." {
  type hint;
  file "/etc/bind/db.root";
};

// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912

zone "dt.local" {
  type master;
  file "/etc/bind/db.local";
};

zone "0.168.192.in-addr.arpa" {
  type master;
  file "/etc/bind/db.0.168.192";
};

zone "127.in-addr.arpa" {
  type master;
  file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
  type master;
  file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
  type master;
  file "/etc/bind/db.255";
};

./named.conf.options

options {
directory "/var/cache/bind";

// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk.  See http://www.kb.cert.org/vuls/id/800113

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Uncomment the following block, and insert the addresses replacing
// the all-0's placeholder.

forwarders {
  192.168.0.1;
};

auth-nxdomain no;    # conform to RFC1035
  listen-on-v6 { any; };
};

/etc/resolv.conf

domain dt.local
search dt.local
nameserver 192.168.0.1