Chapter 5. Bind on Win2k and NT 4.0

WinNT 4.0 and Win2k Installation

We decided that it was time to try out BIND 9 on our aging NT 4.0 desktops and a Win2000 server that we keep around for some light relief. We primarily wanted to use dig consistently across all our systems so that we could forget nslookup; this seemed like the ideal way to do it and to provide some local DNS cache services on all our remaining NT 4.0 desktops as well. We had a couple of problems, mostly due to BIND's normal paucity of documentation. Still, it's good to see that some things in life don't change.

Note: As of BIND 9.3.2, NT 4.0 is no longer supported by ISC BIND releases. That's the bad news; the good news is that Windows XP and Server 2003 are now supported. So you can read about the NT 4.0 installation just as you would a history book - stuff that happened in the past - or skip to the Windows 2000 install if you subscribe to the theory that 'history is bunk'.

Install on NT 4.0

We took a low risk approach to set up a simple caching DNS server and defaulted everything. This was what we did:

  1. We downloaded Bind 9.3.0.zip from the ISC site and unzipped it into a temporary location. So far so good.

  2. We found the readme1st.txt file in the temporary install directory and took the 15 seconds required to read this copious document. The most interesting thing at this point is that Bind9 is going to run as an NT service and that it appears it will require a unique NT account, password and special permissions. Very un-Windows-like.

  3. From here on out we are logged in as a local administrator on the NT 4.0 PC.

  4. We added a new user account called named (the default assumed by the BIND install) using Start->programs->administrative tools->user manager. We entered a password and set the user can't change password and password never expires options. Otherwise it's a normal account so far - but it requires NT service logon capabilities, so we have a little more work to do. We subsequently installed BIND 9 on Windows 2000 and discovered that the install process will create the required named account automatically, so you can bypass this step.

  5. In User Manager select User Rights from the Policies menu, check Show Advanced User Rights, then find and select the log on as a service right and click the Add button.

  6. Select the local PC if you are working in a domain and, because by default it only shows groups, click Show Users, then select the named account and click the Add button on this window to assign log on as a service to the named account. We did not remove any rights, so we suspected the BIND install would object during the install because the readme1st.txt file suggests that if there are any more permissions than the one required (log on as a service) it will send you a little message. If you are allergic to messages and have a couple of minutes to spare you can remove the excess rights. We didn't - we love chatty messages and were quite looking forward to it! Kill all the User Manager windows and we're done with this phase. Again, as we subsequently discovered, the install process automatically creates the relevant account with the correct permissions.

  7. Back to our temporary directory and double click the BindInstall.exe and up pops this screen:

    Bind9 Install screen

    We just added the password for the named account and noted in passing that the default install directory is c:\Winnt\system32\dns (or %SystemRoot%\system32\dns in Windows terms) and clicked the Install button. The install appeared to run like a dream. And yes, we got our little message about too many permissions. It was the highlight of the install. Note: We did not check the box labelled Start BIND Service after Install; we have some more stuff to do before we run the service.

  8. We set up a directory called c:\Winnt\system32\dns\etc\named and then created three sub-directories called run, zones and log. You can do this anywhere but we were a little suspicious of Bind9's ability to figure out Windows paths so we did it this way.

    We placed our master.localhost, localhost.rev and root.servers files in the zones sub-directory and the named.conf file below into the %SystemRoot%\system32\dns\etc directory.

    // generated by ME
    // CACHING NAME SERVER for NT 4.0
    // 1. dec 2004
    //	a. changed directory statement to windows format
    //	b. changed location of log file to named\log\named.log
    //	c. changed location of all zone files to named\zones
    //	d. added pid-file directive in named\run\named.pid
    options {
    	directory "C:\Winnt\system32\dns\etc";
    	// version added for security otherwise may be able to exploit known weaknesses
    	version "not currently available";
    	pid-file "named\run\named.pid";
    	recursion yes;
    };

    // log to named\log\named.log events from info UP in severity (no debug)
    // defaults to use 3 files in rotation
    // failure messages up to this point are in the event log
    logging {
    	channel my_log {
    		file "named\log\named.log" versions 3 size 250k;
    		severity info;
    	};
    	category default {
    		my_log;
    	};
    };

    zone "." {
    	type hint;
    	file "named\zones\root.servers";
    };

    zone "localhost" in {
    	type master;
    	file "named\zones\master.localhost";
    	allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" in {
    	type master;
    	file "named\zones\localhost.rev";
    	allow-update { none; };
    };

  9. We used windows explorer to give the account named full control over the directory c:\Winnt\system32\dns with the inherit property set so all lower directories pick up the same permissions. The install process does not set permissions - as we subsequently discovered on Windows 2000 - so this step is essential.

  10. We are lazy and forgetful so decided to add the BIND9 bin directory (%SystemRoot%\system32\dns\bin) to the Windows path, since we are going to use dig for sure on a regular basis and in a couple of days we will have forgotten where it is - scrub that idea - in a couple of hours we will have forgotten where it is. So Start->settings->control panel->system and check the Environment tab. Find and click the Path and add the following (or wherever your BIND9 bin directory is):

    ;%SystemRoot%\system32\dns\bin
    

    Click Set and exit. Note: the separator on Windows is a semi-colon, not a colon as in the *nix world. Cost us 10 minutes with a magnifying glass to fix that one.

  11. Time to start the service. Start->settings->control panel->services. Select ISC BIND and try to start it. It failed for us with a login error, so we re-entered the password (using User Manager) and tried again, and it worked. The standard install is set for automatic start, so we re-booted the PC and checked with Task Manager that named.exe had started. It had.

  12. Finally we opened a DOS box and tried a dig command. It seemed to run a bit slowly but we got our results. And yes, we had already forgotten where we installed BIND. Thank goodness we set the path variable.

We have not used the service frequently but we were pleasantly surprised at how easy it was to install. Task Manager shows about 380K of memory usage, which is by no means excessive. If you want consistency of DNS across a mixed Windows and *nix environment, using BIND is the only way to do it.

Win2k Installation

This section describes installation of BIND 9.3.0 on Windows 2000 server.

Having setup BIND on NT 4.0 we decided to install BIND on a server - again as a simple caching server. This was what we did:

  1. We downloaded Bind 9.3.0.zip from the ISC site and unzipped it into a temporary location. So far so good.

  2. We found the readme1st.txt file in the temporary install directory and took the 15 seconds required to read this copious document. The most interesting thing at this point is that Bind9 is going to run as an NT service and that it appears it will require a unique NT account, password and special permissions. The install process creates the required account, but we manually set the account up under NT 4.0, entirely due to a misplaced mistrust in BIND's install process and because the documentation did not tell us it would do so.

  3. In our temporary directory we double clicked BindInstall.exe and up pops this screen:

    Bind9 Install screen

    The password entry is optional - you can leave it blank or not as you choose - we left it blank (but see NT 4.0). We noted in passing that the default install directory is c:\Winnt\system32\dns (or %SystemRoot%\system32\dns in Windows terms) and clicked the Install button. The install appeared to run like a dream. We did not check the box labelled Start BIND Service after Install; we have some more stuff to do before we run the service.

  4. We set up a directory called c:\Winnt\system32\dns\etc\named and then created three sub-directories called run, zones and log. You can do this anywhere but we were a little suspicious of Bind9's ability to figure out Windows paths so we did it this way.

    We placed our master.localhost, localhost.rev and root.servers files in the zones sub-directory and the named.conf file below into the %SystemRoot%\system32\dns\etc directory.

    // generated by ME
    // CACHING NAME SERVER for NT 4.0
    // 1. dec 2004
    //	a. changed directory statement to windows format
    //	b. changed location of log file to named\log\named.log
    //	c. changed location of all zone files to named\zones
    //	d. added pid-file directive in named\run\named.pid
    options {
    	directory "C:\Winnt\system32\dns\etc";
    	// version added for security otherwise may be able to exploit known weaknesses
    	version "not currently available";
    	pid-file "named\run\named.pid";
    	recursion yes;
    };

    // log to named\log\named.log events from info UP in severity (no debug)
    // defaults to use 3 files in rotation
    // failure messages up to this point are in the event log
    logging {
    	channel my_log {
    		file "named\log\named.log" versions 3 size 250k;
    		severity info;
    	};
    	category default {
    		my_log;
    	};
    };

    zone "." {
    	type hint;
    	file "named\zones\root.servers";
    };

    zone "localhost" in {
    	type master;
    	file "named\zones\master.localhost";
    	allow-update { none; };
    };

    zone "0.0.127.in-addr.arpa" in {
    	type master;
    	file "named\zones\localhost.rev";
    	allow-update { none; };
    };

  5. We used Windows Explorer to give the account named everything except full control over the directory c:\Winnt\system32\dns, with the inherit property set so that all lower directories pick up the same permissions. This is essential to avoid permission errors when you start the BIND service.

  6. Select the BIND install directory (this shows the default, %SystemRoot%\system32\dns) in Windows Explorer:

    Bind9 directory permissions

    Right click, select Properties, then Permissions, and find and select the named account and click Add:

    Bind9 directory permissions

    Add all permissions except full control and leave the inherit check box set (the default):

    Bind9 directory permissions

  7. We are lazy and forgetful so decided to add the BIND9 bin directory (%SystemRoot%\system32\dns\bin) to the Windows path, since we are going to use dig for sure on a regular basis and in a couple of days we will have forgotten where it is - scrub that idea - in a couple of hours we will have forgotten where it is. So Start->settings->control panel->system:

    Bind9 path variable

    Click Environment Variables from the Advanced tab:

    Bind9 directory permissions

    Find and double click the Path line and add the following (or wherever your BIND9 bin directory is located):

    Bind9 directory permissions

    Click OK and exit. Note: the separator on Windows is a semi-colon, not a colon as in the *nix world. Cost us 10 minutes with a magnifying glass to fix that one.

  8. Time to start the BIND service. This is a server, so the standard Windows DNS service is active by default. First we have to disable it using Computer Management; expand Services and Applications, then double click Services and find DNS Server:

    Bind9 Services

    Double click DNS Server, disable the service, then click Stop and then OK:

    Bind9 Services

    Find and double click ISC BIND:

    Bind9 Services

    Double click ISC BIND and click Start (the service is set to Automatic by default, which means it will load on start-up):

    Bind9 Services

    Any errors will be logged under Applications in the Event Log.

  9. Finally we opened a DOS box (Start->run->cmd) and tried a dig command:

    dig @192.168.2.2 example.com any
    

    It seemed to run a bit slowly but we got our results. And yes, we had already forgotten where we installed BIND. Thank goodness we set the path variable.

    Note: The @192.168.2.2 is required to force use of the local service irrespective of the TCP/IP configuration.

  10. We changed the DNS settings to use the local DNS service (Start->Control Panel->Network and Dial-up Connections->select Local LAN->Properties->find and double click Internet Protocol (TCP/IP)) and re-booted the PC. We used Task Manager to check that the ISC BIND service started up (it loads as named.exe):

    Bind9 Services
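The named.conf above (the same file is used in the NT 4.0 section) depends on the etc\named\run, zones and log sub-directories existing and on the named account being able to reach the zone files; get either wrong and the service fails with nothing more than an Event Log entry. As an added example, not from the page or from ISC, here is a small Python linter that parses a named.conf with the same structure, resolves the backslash paths against the directory statement and reports what is missing. It also flags the two security-relevant settings the page touches on: the version string, and recursion yes with no allow-recursion or allow-query ACL, which is a general BIND caveat (an Internet-reachable host with that setting is an open resolver) rather than something the page states. The config text, the directory layout and the finding codes are constructed for this example; the parser handles only the `{ } ;` statement form used in the file, not every BIND grammar feature.

```python
import os
import re
import tempfile

# Constructed copy of the page's caching named.conf: same statements, comments and indentation dropped.
CACHING_CONF = r'''
options {
    directory "C:\Winnt\system32\dns\etc";
    version "not currently available";
    pid-file "named\run\named.pid";
    recursion yes;
};
logging {
    channel my_log { file "named\log\named.log" versions 3 size 250k; severity info; };
    category default { my_log; };
};
zone "." { type hint; file "named\zones\root.servers"; };
zone "localhost" in { type master; file "named\zones\master.localhost"; allow-update { none; }; };
zone "0.0.127.in-addr.arpa" in { type master; file "named\zones\localhost.rev"; allow-update { none; }; };
'''

def tokenize(text):
    """Split named.conf text into quoted strings, words, braces and semicolons; comments are removed."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    text = re.sub(r"(//|#)[^\n]*", " ", text)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};"]+', text)

def parse_block(tokens, i=0):
    """Parse statements up to a closing '}' into (words, sub_block) pairs; sub_block is None for a plain statement."""
    stmts = []
    while i < len(tokens) and tokens[i] != "}":
        words, sub = [], None
        while i < len(tokens) and tokens[i] not in ("{", ";"):
            words.append(tokens[i].strip('"'))
            i += 1
        if i < len(tokens) and tokens[i] == "{":
            sub, i = parse_block(tokens, i + 1)
            i += 1  # step over the '}'
        if i < len(tokens) and tokens[i] == ";":
            i += 1
        stmts.append((words, sub))
    return stmts, i

def find(stmts, keyword):
    """Return (words, sub_block) of the first statement starting with keyword, or (None, None)."""
    for words, sub in stmts or []:
        if words and words[0] == keyword:
            return words, sub
    return None, None

def host_path(base, conf_path):
    """Resolve a named.conf path (Windows backslashes, relative to 'directory') to a path on this host."""
    if re.match(r"^([A-Za-z]:)?[\\/]", conf_path):
        return conf_path  # absolute path: named uses it as given
    return os.path.join(base, *re.split(r"[\\/]", conf_path))

def create_layout(base):
    """Create the run, zones and log sub-directories under the etc directory (step 8 on NT 4.0, step 4 on Win2k)."""
    for d in ("run", "zones", "log"):
        os.makedirs(os.path.join(base, "named", d), exist_ok=True)

def check_config(text, base):
    """Lint the config against the on-disk tree rooted at base; returns a list of (code, detail) findings."""
    stmts, _ = parse_block(tokenize(text))
    findings = []
    _, options = find(stmts, "options")
    if not find(options, "version")[0]:
        findings.append(("no-version", "named would answer version.bind with its real version"))
    rec, _ = find(options, "recursion")
    if rec and rec[1] == "yes" and not (find(options, "allow-recursion")[0] or find(options, "allow-query")[0]):
        # general BIND caveat (not from the page): unrestricted recursion on a reachable host is an open resolver
        findings.append(("unrestricted-recursion", "recursion yes without allow-recursion or allow-query"))
    pid, _ = find(options, "pid-file")
    if pid and not os.path.isdir(os.path.dirname(host_path(base, pid[1]))):
        findings.append(("missing-dir", pid[1]))
    _, logging = find(stmts, "logging")
    for words, sub in logging or []:
        f = find(sub, "file")[0] if words and words[0] == "channel" else None
        if f and not os.path.isdir(os.path.dirname(host_path(base, f[1]))):
            findings.append(("missing-dir", f[1]))
    for words, sub in stmts:
        if not words or words[0] != "zone":
            continue
        ztype, zfile = find(sub, "type")[0], find(sub, "file")[0]
        if zfile and not os.path.isfile(host_path(base, zfile[1])):
            findings.append(("missing-file", f"{words[1]}: {zfile[1]}"))
        if ztype and ztype[1] == "master" and not find(sub, "allow-update")[0]:
            findings.append(("no-allow-update", words[1]))
    return findings

def demo():
    """Check an empty directory, then check again after creating the layout and placeholder zone files."""
    base = tempfile.mkdtemp()  # stands in for %SystemRoot%\system32\dns\etc
    before = check_config(CACHING_CONF, base)
    create_layout(base)
    for name in ("root.servers", "master.localhost", "localhost.rev"):
        open(os.path.join(base, "named", "zones", name), "w").close()  # empty stand-ins for the real zone files
    return before, check_config(CACHING_CONF, base)

if __name__ == "__main__":
    for stage, findings in zip(("before layout", "after layout"), demo()):
        print(stage, findings)
```

Run against an empty directory the first pass reports the two missing directories (pid-file and log) and the three missing zone files; after create_layout and the zone files are in place only the recursion advisory remains, which is expected for a caching server on a private LAN.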

We were pleasantly surprised at how easy it was to install. If you want consistency of DNS for maintenance and other purposes across a mixed Windows and *nix environment, using BIND is the only way to do it. As a serious side benefit you get dig and the other tools as a bonus.
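The dig command in step 9 of the Win2k install (dig @192.168.2.2 example.com any) is a single UDP datagram to port 53 and a parsed reply; the @server part is what makes it test the new service rather than whatever the TCP/IP settings point at. As an added example, not from the page or from ISC, here is a minimal Python client that builds the same query, sends it to a server you name, and decodes the header flags and answer section, so you can check that the local BIND answers (RA set, NOERROR) before pointing the machine's DNS settings at it. The reply embedded in sample_response() is constructed for the example, not captured from a server; QTYPES and the function names are this example's own.

```python
import socket
import struct

# Record type numbers used by the query builder; "ANY" is what the page's dig command asks for.
QTYPES = {"A": 1, "NS": 2, "CNAME": 5, "SOA": 6, "MX": 15, "TXT": 16, "AAAA": 28, "ANY": 255}

def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split(".") if l)
    return out + b"\x00"

def build_query(name, qtype, txid=0x1234):
    """Standard query, RD set, one question in class IN: the datagram dig sends for 'dig name <type>'."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def read_name(msg, off):
    """Decode a possibly compressed name at off; returns (name, offset just past it in the original stream)."""
    labels, end = [], None
    while True:
        ln = msg[off]
        if (ln & 0xC0) == 0xC0:  # compression pointer into an earlier name
            if end is None:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if ln == 0:
            break
        labels.append(msg[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels) + ".", end if end is not None else off

def parse_response(msg):
    """Parse the header, skip the question section and decode the answer records."""
    txid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = read_name(msg, off)
        off += 4  # qtype + qclass
    answers = []
    for _ in range(an):
        name, off = read_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            value = ".".join(str(b) for b in msg[off:off + 4])
        elif rtype in (2, 5):  # NS and CNAME rdata is a name, which may itself be compressed
            value = read_name(msg, off)[0]
        else:
            value = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, rtype, ttl, value))
    return {"id": txid, "rcode": flags & 0xF, "aa": bool(flags & 0x0400),
            "ra": bool(flags & 0x0080), "answers": answers}

def query(server, name, qtype=1, timeout=3.0):
    """Send the query to server:53 over UDP and parse the reply, like 'dig @server name <type>'."""
    q = build_query(name, qtype)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        data, _ = s.recvfrom(4096)
    resp = parse_response(data)
    if resp["id"] != 0x1234:
        raise ValueError("reply id does not match the query")
    return resp

def sample_response():
    """Constructed reply (not captured from a server): NOERROR, RA set, one A record whose owner is a pointer to the question name."""
    header = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    question = encode_name("example.com") + struct.pack("!HH", 1, 1)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return header + question + answer

if __name__ == "__main__":
    print(parse_response(sample_response()))
    # live equivalent of the page's command: query("192.168.2.2", "example.com", QTYPES["ANY"])
```

A reply with ra False means the server you reached does not offer recursion, which on this setup would point at the Windows DNS Server service still answering on port 53 rather than BIND; a mismatched transaction id or a timeout means the query never reached a listening named at all.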

Pro DNS and BIND by Ron Aitchison
