
Wednesday, November 02, 2011

Bind DNS on Windows Web Server 2008

One of the things I'm most excited about in Windows Server 2008 is the new Web-focused version of Windows called Windows Web Server 2008. It is a special, low-priced version of Windows (half the price of Standard edition and available anywhere Windows Server is sold) that is focused exclusively on Internet-based Web serving.

The 2003 version of this edition was severely limited by licensing in what you could install and do on it, and was really only a solution for the most basic of web sites. The 2008 version has had most of those limits removed and is now a much more viable alternative for hosts and companies looking for an economical Windows-based web server running IIS7. One of the most glaring oversights in this edition of Windows Web Server is the exclusion of the DNS role. I understand the argument from Microsoft that if you are running this edition of server, more than likely your hosting company will have a DNS infrastructure in place and most users can and will use that.

I counter with the fact that I like to control my own DNS name servers rather than depend on a hosting company's infrastructure that may or may not be streamlined for DNS requests. I have read in various forums that the Server team is looking into this and it may change in the future, but for now we will have to find another solution for this problem. This low-cost (free) solution is going to be installing BIND DNS on the server and configuring it to handle DNS queries.


BIND (Berkeley Internet Name Domain) is an open source implementation of the Domain Name System (DNS) protocols, distributed for free under the BSD License. It is currently maintained by the Internet Systems Consortium and is used by the majority of the DNS servers on the Internet. Download BIND 9.8.1 (the version used here), or download the current version at: http://www.isc.org/downloads

The following steps will show you how to install BIND DNS on Windows Web Server 2008:
  • Creating a User Account for BIND
BIND requires a local user with only the "Log on as a service" privilege. The installer will actually check for this, and if the user has more rights it will ask if you really want to use that ID. The default user name the BIND installer expects is named, but you can use any other name you want.

1. Open the Computer Management console.
2. Select Local Users and Groups and then right click on Users, select New User.

3. Fill in the new user information (we are going to use the following), then click Create before closing the New User window:

User name: named
Description: BIND DNS Account
Password: %password%
Confirm Password: %password%
Unselect: User must change password at next logon
Select: User cannot change password
Select: Password never expires

4. Now open the Local Security Policy MMC from the Administrative Tools Menu.

5. Expand Local Policies then select User Rights Assignment in the policy pane; scroll down and right click on Log on as a service, then left click Properties.

6. Click on Add User or Group.

7. Type in the user account you created, in our case the default named, then click Check Names to make sure you typed it correctly, then click Ok.

8. Click Ok to exit the properties box, and you should see the account listed now next to the Log on as a service policy.

That’s it for the user account for now. Later you will have to give the account you created read/write rights to the directory you install BIND into, but that will be covered in a bit.

  • Install BIND DNS on Windows Web Server 2008
1. Unzip the download and then click on BindInstall.exe to start the installation.
2. The installer will ask for the following information:
Target Directory: Your choice
Service Account Name: The account we created earlier
Service Account Password: Password used
Confirm Service Account Password: Password used
For options I am leaving the defaults; when you are done click Install.
3. When you click on Install you might get a message saying the account has too many privileges, just click on No to continue. You can go in and strip out more of the account's rights, but as an average user, the attack profile will be low.

4. After a few seconds you should see a message that states Bind installation completed successfully. Click Ok, and then click Exit on the installer.

5. We now want to go in and give the service account you created full read/write rights to the directory you installed BIND to.

You have now installed BIND on the server and set it up to run as a service. It is important to note that the installer does not copy over the help html files, so if you are going to need those you can move them to a convenient location yourself.
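The account and rights steps above can also be done from a PowerShell prompt started with "Run as Administrator". The script below is an added example written for this page, not the post's or the BIND installer's code: it creates the account with the same options as the New User dialog, grants it only "Log on as a service" through a security template (which is what the Local Security Policy console edits behind the scenes), and gives it read/write on the install directory. It assumes the account name named and the install path C:\Windows\System32\dns; change both to match your server.

```powershell
# Added example, not from the original post: BIND service account setup on Server 2008.
# Assumptions: account 'named' (the installer's default) and BIND under C:\Windows\System32\dns.
$Account  = 'named'
$BindDir  = 'C:\Windows\System32\dns'
$Password = Read-Host 'Password for the BIND service account'

# 1. Create the local user: no forced change at next logon (net user does not set it),
#    user cannot change password (/passwordchg:no), password never expires (WMI flag).
& net user $Account $Password /add /comment:"BIND DNS Account" /passwordchg:no | Out-Null
if ($LASTEXITCODE -ne 0) { throw "net user could not create $Account" }
& wmic useraccount where "name='$Account'" set PasswordExpires=false | Out-Null

# 2. Grant SeServiceLogonRight ("Log on as a service") and nothing else.
#    secedit exports the current assignments as a Unicode .inf; we append the account's
#    SID to the existing holders (or add the line if nobody held the right) and import it back.
$sid = (New-Object System.Security.Principal.NTAccount($Account)).Translate(
            [System.Security.Principal.SecurityIdentifier]).Value
$inf = Join-Path $env:TEMP 'bind-userrights.inf'
$sdb = Join-Path $env:TEMP 'bind-userrights.sdb'
& secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$lines    = [System.IO.File]::ReadAllLines($inf)
$hasRight = @($lines | Where-Object { $_ -match '^SeServiceLogonRight\s*=' }).Count -gt 0
$out = New-Object System.Collections.Generic.List[string]
foreach ($line in $lines) {
    if ($line -match '^SeServiceLogonRight\s*=' -and $line -notlike "*$sid*") {
        $line = "$line,*$sid"            # keep existing holders, add ours
    }
    $out.Add($line)
    if (-not $hasRight -and $line -eq '[Privilege Rights]') {
        $out.Add("SeServiceLogonRight = *$sid")   # right was unassigned: add it under the header
    }
}
[System.IO.File]::WriteAllLines($inf, $out.ToArray(), [System.Text.Encoding]::Unicode)
& secedit /configure /db $sdb /cfg $inf /areas USER_RIGHTS | Out-Null
Remove-Item $inf, $sdb -ErrorAction SilentlyContinue

# 3. Read/write on the install directory: Modify, inherited by subfolders (CI) and files (OI).
#    Full Control is not needed for the service to run.
& icacls $BindDir /grant "${Account}:(OI)(CI)M" /T | Out-Null
```

Run this once, before starting the BindInstall.exe installer, and give the installer the same account name and password. Because step 2 only appends the SID, it does not disturb any other accounts that already hold the right.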

  • Configure BIND DNS on Windows Web Server 2008
Every DNS zone, like www.google.com, is served by at least one authoritative name server, which contains all the DNS records for the zone. For fault tolerance most zones have more than one server that keeps all these records in case of outages. Because of this you will have two types of authoritative name server: the one that keeps the master copy of the zone is called the primary master, and the other, called a slave or secondary server, loads its data from the master server by means of zone replication. A recursive name server is most commonly the local DNS server that your operating system talks to. When you make a request on your local PC, more than likely it will go out to your ISP's caching DNS server, which will in turn make a request to the authoritative name server. One of the features of most caching servers is that they keep that answer cached for a certain amount of time to speed up later lookups.

  • Creating an Authoritative Name Server with BIND DNS
Once BIND DNS is installed you will see that it is a pretty bare install and needs to be set up via configuration files. In this demo we create an Authoritative Name Server for the domain test.com at the IP of the server, with BIND DNS installed at C:\Windows\System32\dns.
1. Start by opening a command prompt with administrative rights by clicking on the Start menu, right click Command Prompt then left click on Run as Administrator.
2. Type in the following at the command prompt hitting Enter after each line:
cd c:\windows\system32\dns\bin (or where you installed BIND)

rndc-confgen -a
rndc-confgen > C:\windows\system32\dns\etc\rndc.conf
Close the command prompt.

3. Open Explorer and go to C:\windows\system32\dns\etc and create the following directories:
  • Run
  • Zones
  • Log
Create an empty file in the log directory called named.log.

4. Download the following file: named.conf and place it in C:\windows\system32\dns\etc (or wherever you installed BIND).
If you did install BIND in a different directory, then go into named.conf and change the directory location in options to your install location.

5. You also need to modify the named.conf to change the zone to the domain you want to manage.

Our example uses test.com, but you need to change this to match your domain. You should also change the zone file name from db.test.com.txt to db.%yourdomain.com%.txt, replacing %yourdomain.com% with your domain name.

6. Open rndc.conf in notepad (in the etc folder) and copy everything below the line that says:

# Use with the following in named.conf

7. Open named.conf and paste the contents of the clipboard at the end of the file.

Remove all the # from each line and delete the first line copied in and the last line copied in so it looks like the picture below. Save and close named.conf

8. Download the following file: db.test.com.txt and place it in C:\windows\system32\dns\etc\zones

9. Rename db.test.com.txt to whatever you used in step 5, so that the file is named db.%yourdomain.com%.txt, replacing %yourdomain.com% with your domain name.

10. Open the db.test.com.txt (or whatever you renamed it) and modify the following then save the file:

Change any reference to test.com to your domain name

Change the serial line to reflect the current date in this format: YYYYMMDDRR
RR = Revision number (01 if this is the first time)

Change the IPs to the IPs that your servers are using

Now you are configured to be an Authoritative Name Server for test.com (or whatever your domain is named) with no recursive lookup.
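Steps 4 through 10 above download a named.conf and a zone file and then edit them by hand. As an added example for this page (not the post's downloadable files, and not the project's own code), the PowerShell script below writes both files for an authoritative-only server, performs steps 6 and 7 by copying the key and controls block out of rndc.conf and stripping the comment markers, and runs BIND's own named-checkconf and named-checkzone before you start the service. It assumes BIND under C:\Windows\System32\dns, the zone test.com, that the checker tools from the BIND zip are in the bin directory, and the 192.0.2.x addresses are constructed placeholders (the TEST-NET-1 documentation range) standing in for your servers.

```powershell
# Added example, not from the original post: generate and validate named.conf and the zone file.
# Assumptions: BIND under C:\Windows\System32\dns, zone test.com, 192.0.2.x = constructed placeholders.
$BindDir = 'C:\Windows\System32\dns'
$Domain  = 'test.com'
$Etc     = Join-Path $BindDir 'etc'
$EtcFwd  = $Etc -replace '\\', '/'        # forward slashes avoid any backslash handling in named.conf

# Steps 6-7: take the lines after "# Use with the following in named.conf" from rndc.conf,
# drop the leading "# " and the closing "# End of named.conf" line.
$rndcBlock = @()
$copy = $false
foreach ($line in [System.IO.File]::ReadAllLines((Join-Path $Etc 'rndc.conf'))) {
    if ($line -like '# Use with the following in named.conf*') { $copy = $true; continue }
    if ($copy -and $line -notlike '# End of named.conf*') { $rndcBlock += ($line -replace '^#\s?', '') }
}
if ($rndcBlock.Count -eq 0) { throw 'rndc.conf has no "Use with the following in named.conf" section; rerun rndc-confgen' }
$rndcText = $rndcBlock -join "`r`n"

$namedConf = @"
// named.conf written by the example script; options/directory must match the install path
options {
    directory "$EtcFwd";
    pid-file "run/named.pid";
    recursion no;                // authoritative only: never resolve on behalf of clients
    allow-transfer { none; };    // assumption: no secondary yet; list its IP here when you add one
    version "not disclosed";     // do not advertise the BIND version to version.bind queries
};

logging {
    channel main_log {
        file "log/named.log" versions 3 size 2m;
        severity info;
        print-time yes; print-category yes; print-severity yes;
    };
    category default { main_log; };
};

zone "$Domain" IN {
    type master;
    file "zones/db.$Domain.txt";
    allow-update { none; };      // no dynamic updates
};

$rndcText
"@

# Zone file: single-quoted here-string so `$TTL and `$ORIGIN are not expanded by PowerShell.
# Serial is YYYYMMDDRR as in step 10; RR = 01 for the first edit of the day.
$zoneText = @'
$TTL 86400
$ORIGIN test.com.
@       IN  SOA ns1.test.com. hostmaster.test.com. (
            __SERIAL__  ; serial, YYYYMMDDRR
            3600        ; refresh
            900         ; retry
            1209600     ; expire
            86400 )     ; negative-caching TTL
        IN  NS  ns1.test.com.
        IN  NS  ns2.test.com.
        IN  MX  10 mail.test.com.
        IN  A   192.0.2.10
ns1     IN  A   192.0.2.10
ns2     IN  A   192.0.2.11
www     IN  A   192.0.2.10
mail    IN  A   192.0.2.10
'@
$zoneText = $zoneText.Replace('test.com', $Domain).Replace('__SERIAL__', (Get-Date -Format 'yyyyMMdd') + '01')

# Write as plain ASCII: a UTF-8/UTF-16 byte-order mark at the top of either file breaks BIND's parser.
$confPath = Join-Path $Etc 'named.conf'
$zonePath = Join-Path $Etc "zones\db.$Domain.txt"
[System.IO.File]::WriteAllText($confPath, $namedConf, [System.Text.Encoding]::ASCII)
[System.IO.File]::WriteAllText($zonePath, $zoneText,  [System.Text.Encoding]::ASCII)

# Validate before touching the service; both tools exit non-zero on any error.
& (Join-Path $BindDir 'bin\named-checkconf.exe') $confPath
if ($LASTEXITCODE -ne 0) { throw 'named.conf has errors (see output above)' }
& (Join-Path $BindDir 'bin\named-checkzone.exe') $Domain $zonePath
if ($LASTEXITCODE -ne 0) { throw "zone file for $Domain has errors (see output above)" }
"named.conf and db.$Domain.txt written and validated"
```

The secret copied from rndc.conf ends up in named.conf, so both files should stay readable only by administrators and the service account given rights earlier. Every later change to the zone file needs the serial raised, or secondaries (and the reload check later in the post) will not pick it up.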
  • Open Server Firewall
If you are using a firewall for your server either software or hardware, make sure that incoming requests on UDP port 53 are open. This will make sure that your server will accept incoming queries.
  • Start the BIND DNS Service
1. Go to the Start button, then to the Administrative Tools, then left click on Services.

2. Scroll down and find ISC Bind and right click on it, then click on Start to start the service.

The BIND DNS service is now up and running and ready to accept queries. Let’s test out the service.
  • Testing BIND DNS
A very cool tool that ships with BIND DNS is called dig.

You will find it in the bin directory where you installed BIND. The tool will go out and query for a domain name and grab all the DNS records.

1. Open a command prompt and navigate to the bin directory.

2. Type in the following to get a feel for what you get back and hit Enter: dig google.com any

3. Below you will see a piece of the output:

4. Now that you know what to look for, use the test domain test.com with the dig tool by typing: dig @ test.com any (with your server's IP after the @)

5. You can see that the BIND Name Server is responding with the correct information:

We have now configured an Authoritative Name Server for the test server test.com that responds correctly to DNS requests.


  • When you make changes you will have to restart the ISC BIND Service or run the command c:\windows\system32\dns\bin\rndc reload from a command prompt or batch file.
  • One more thing, you can stop and start BIND inside the cmd.exe prompt so there's no need to close the cmd.exe prompt.
net start "ISC BIND"
net stop "ISC BIND"
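The firewall, service start, dig test and reload steps above, as one added PowerShell example for this page (not the post's or the project's code). Beyond what the post shows, it also opens TCP 53, which DNS falls back to for answers larger than 512 bytes and uses for zone transfers, and it parses dig's header lines to confirm two things a practitioner wants after the test: that the server sets the aa (authoritative answer) flag for its own zone, and that it returns no answer for a name it does not host, which is what "no recursive lookup" should look like from the outside. It assumes BIND under C:\Windows\System32\dns, the zone test.com and the service display name "ISC BIND" used in the post.

```powershell
# Added example, not from the original post: open the firewall, start the service and verify
# authoritative-only behaviour. Assumptions: BIND under C:\Windows\System32\dns, zone test.com.
$BindDir = 'C:\Windows\System32\dns'
$Domain  = 'test.com'
$Dig     = Join-Path $BindDir 'bin\dig.exe'

# Inbound DNS: UDP 53 as the post says, plus TCP 53 for large answers and zone transfers.
& netsh advfirewall firewall add rule name=BIND-DNS-UDP dir=in action=allow protocol=UDP localport=53 | Out-Null
& netsh advfirewall firewall add rule name=BIND-DNS-TCP dir=in action=allow protocol=TCP localport=53 | Out-Null

Start-Service -DisplayName 'ISC BIND'      # same as: net start "ISC BIND"

# Query the local server and pull status, flags and answer count out of the header
# comments that dig prints with +comments.
function Test-BindQuery {
    param([string]$Name, [string]$Type = 'A')
    $out = (& $Dig '@127.0.0.1' $Name $Type '+noall' '+comments' '+answer' 2>&1) -join "`n"
    $hdr = [regex]::Match($out, 'status: (?<status>\w+).*?flags: (?<flags>[^;]*);.*?ANSWER: (?<ans>\d+)', 'Singleline')
    New-Object PSObject -Property @{
        Name          = $Name
        Status        = $hdr.Groups['status'].Value
        Authoritative = (($hdr.Groups['flags'].Value -split ' ') -contains 'aa')
        Answers       = [int]('0' + $hdr.Groups['ans'].Value)
        Output        = $out
    }
}

$own   = Test-BindQuery -Name $Domain -Type 'SOA'
$other = Test-BindQuery -Name 'example.org' -Type 'A'    # a name this server does not host

if ($own.Status -eq 'NOERROR' -and $own.Authoritative -and $own.Answers -gt 0) {
    "OK: authoritative (aa) answer for $Domain"
} else {
    "FAIL: no authoritative answer for $Domain"; $own.Output
}
if (-not $other.Authoritative -and $other.Answers -eq 0) {
    "OK: recursion is off (example.org not resolved, status $($other.Status))"
} else {
    "WARNING: the server resolved a name it is not authoritative for; check 'recursion no' in named.conf"
}

# After editing the zone file: raise the serial, then reload without a service restart.
function Invoke-BindReload {
    & (Join-Path $BindDir 'bin\rndc.exe') reload
    return ($LASTEXITCODE -eq 0)
}
```

If the second check warns, the server is answering for zones it does not own, which is the condition that turns an authoritative server into an open resolver for anyone who can reach UDP 53; the fix is the recursion no setting in named.conf, followed by Invoke-BindReload.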

Source: trainsignal.com



Copyright © 2017 Xiu's Blog | All Rights Reserved.