2002-08-23 09:03:18 +08:00
|
|
|
<sect2>
|
|
|
|
|
<title>Configuring BIND</title>
|
|
|
|
|
<para>We will configure BIND to run in a chroot jail as an unprivileged
|
|
|
|
|
user(named). This configuration is more secure in that a DNS
|
|
|
|
|
compromise can only affect a few files in the named user's $HOME
|
|
|
|
|
directory </para>
|
|
|
|
|
|
|
|
|
|
<para>First we set up some files and directories needed by
|
|
|
|
|
BIND:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
groupadd -g 200 named &&
|
|
|
|
|
useradd -m -g named -u 200 -s /bin/false named &&
|
|
|
|
|
cd /home/named &&
|
|
|
|
|
mkdir -p dev etc/namedb/slave var/run &&
|
|
|
|
|
mknod /home/named/dev/null c 1 3 &&
|
|
|
|
|
mknod /home/named/dev/random c 1 8 &&
|
|
|
|
|
chmod 666 /home/named/dev/{null,random} &&
|
|
|
|
|
mkdir /home/named/etc/namedb/pz &&
|
|
|
|
|
cp /etc/localtime /home/named/etc
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<sect3><title>Config files</title>
|
|
|
|
|
<para><userinput>named.conf, root.hints, 127.0.0, rndc.conf
|
|
|
|
|
</userinput></para>
|
|
|
|
|
|
|
|
|
|
<para>Create the named.conf file with the following commands:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
cat > /home/named/etc/named.conf << "EOF"
|
|
|
|
|
options {
|
|
|
|
|
directory "/etc/namedb";
|
|
|
|
|
pid-file "/var/run/named.pid";
|
|
|
|
|
statistics-file "/var/run/named.stats";
|
|
|
|
|
|
|
|
|
|
};
|
|
|
|
|
controls {
|
|
|
|
|
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
|
|
|
|
|
};
|
|
|
|
|
key "rndc_key" {
|
|
|
|
|
algorithm hmac-md5;
|
|
|
|
|
secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
|
|
|
|
};
|
|
|
|
|
zone "." {
|
|
|
|
|
type hint;
|
|
|
|
|
file "root.hints";
|
|
|
|
|
};
|
|
|
|
|
zone "0.0.127.in-addr.arpa" {
|
|
|
|
|
type master;
|
|
|
|
|
file "pz/127.0.0";
|
|
|
|
|
};
|
|
|
|
|
EOF
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
<para>Create a zone file with the following contents: </para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"
|
|
|
|
|
$TTL 3D
|
|
|
|
|
@ IN SOA ns.local.domain. hostmaster.local.domain. (
|
|
|
|
|
1 ; Serial
|
|
|
|
|
8H ; Refresh
|
|
|
|
|
2H ; Retry
|
|
|
|
|
4W ; Expire
|
|
|
|
|
1D) ; Minimum TTL
|
|
|
|
|
NS ns.local.domain.
|
|
|
|
|
1 PTR localhost.
|
|
|
|
|
EOF
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<para>Create the root.hints file with the following commands: </para>
|
|
|
|
|
<note><para>Caution must be used to insure no leading spaces in this
|
|
|
|
|
file.</para></note>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
cat > /home/named/etc/namedb/root.hints << "EOF"
|
|
|
|
|
. 6D IN NS A.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS B.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS C.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS D.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS E.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS F.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS G.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS H.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS I.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS J.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS K.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS L.ROOT-SERVERS.NET.
|
|
|
|
|
. 6D IN NS M.ROOT-SERVERS.NET.
|
|
|
|
|
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
|
|
|
|
|
B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107
|
|
|
|
|
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
|
|
|
|
|
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
|
|
|
|
|
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
|
|
|
|
|
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
|
|
|
|
|
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
|
|
|
|
|
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
|
|
|
|
|
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
|
2002-11-27 23:43:53 +08:00
|
|
|
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
|
2002-08-23 09:03:18 +08:00
|
|
|
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
|
|
|
|
|
L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12
|
|
|
|
|
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
|
|
|
|
|
EOF
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<para>Create the rndc.conf with the following commands:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
cat > /etc/rndc.conf << "EOF"
|
|
|
|
|
key rndc_key {
|
|
|
|
|
algorithm "hmac-md5";
|
|
|
|
|
secret
|
|
|
|
|
"c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
|
|
|
|
|
};
|
|
|
|
|
options {
|
|
|
|
|
default-server localhost;
|
|
|
|
|
default-key rndc_key;
|
|
|
|
|
};
|
|
|
|
|
EOF
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<para>Create or modify resolv.conf to use the new nameserver with the
|
|
|
|
|
following commands: </para>
|
|
|
|
|
<note><para>Replace yourdomain.com with your own valid domain
|
|
|
|
|
name.</para></note>
|
|
|
|
|
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
cp /etc/resolv.conf /etc/resolv.conf.bak
|
|
|
|
|
cat > /etc/resolv.conf << "EOF"
|
|
|
|
|
search yourdomain.com
|
|
|
|
|
nameserver 127.0.0.1
|
|
|
|
|
EOF
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<para>Set permissions on the chroot jail with the following
|
|
|
|
|
command:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
chown -R named.named /home/named
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<para>Create the BIND boot script:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
cat > /etc/rc.d/init.d/bind << "EOF"
|
|
|
|
|
#!/bin/bash
|
|
|
|
|
# Begin $rc_base/init.d/bind
|
|
|
|
|
# Based on sysklogd script from LFS-3.1 and earlier.
|
|
|
|
|
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
|
|
|
|
|
source /etc/sysconfig/rc
|
|
|
|
|
source $rc_functions
|
|
|
|
|
case "$1" in
|
|
|
|
|
start)
|
|
|
|
|
echo "Starting named..."
|
|
|
|
|
loadproc /usr/sbin/named -u named -t /home/named -c \
|
|
|
|
|
/etc/named.conf
|
|
|
|
|
;;
|
|
|
|
|
stop)
|
|
|
|
|
echo "Stopping named..."
|
|
|
|
|
killproc /usr/sbin/named
|
|
|
|
|
;;
|
|
|
|
|
restart)
|
|
|
|
|
$0 stop
|
|
|
|
|
sleep 1
|
|
|
|
|
$0 start
|
|
|
|
|
;;
|
|
|
|
|
reload)
|
|
|
|
|
echo "Reloading named..."
|
|
|
|
|
/usr/sbin/rndc -c /etc/rndc.conf reload
|
|
|
|
|
;;
|
|
|
|
|
|
|
|
|
|
status)
|
|
|
|
|
statusproc /usr/sbin/named
|
|
|
|
|
;;
|
|
|
|
|
*)
|
|
|
|
|
echo "Usage: $0 {start|stop|restart|status}"
|
|
|
|
|
exit 1
|
|
|
|
|
;;
|
|
|
|
|
esac
|
|
|
|
|
# End $rc_base/init.d/bind
|
|
|
|
|
EOF
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<para>Add the run level symlinks:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
chmod 754 /etc/rc.d/init.d/bind &&
|
2002-10-07 01:38:20 +08:00
|
|
|
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind &&
|
|
|
|
|
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind &&
|
|
|
|
|
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K49bind &&
|
|
|
|
|
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind &&
|
|
|
|
|
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind &&
|
|
|
|
|
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind &&
|
|
|
|
|
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind
|
2002-08-23 09:03:18 +08:00
|
|
|
</userinput></screen></para>
|
|
|
|
|
|
|
|
|
|
<para>Now start BIND with the new boot script: </para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
/etc/rc.d/init.d/bind start
|
|
|
|
|
</userinput></screen></para></sect3>
|
|
|
|
|
|
|
|
|
|
<sect3><title>Testing BIND</title>
|
|
|
|
|
<para>Test out the new BIND 9 installation. First query the local
|
|
|
|
|
host address with dig:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
dig -x 127.0.0.1
|
|
|
|
|
</userinput></screen></para>
|
|
|
|
|
<para>Now try an external name lookup, taking note of the speed
|
|
|
|
|
difference in repeated lookups due to the caching. Run the dig
|
|
|
|
|
command twice on the same address:</para>
|
|
|
|
|
<para><screen><userinput>
|
|
|
|
|
dig beyond.linuxfromscratch.org &&
|
|
|
|
|
dig beyond.linuxfromscratch.org
|
|
|
|
|
</userinput></screen>
|
|
|
|
|
You can see almost instantaneous results with the named caching
|
|
|
|
|
lookups. Consult bind-&bind-version;/doc/arm/Bv9ARM.html, the BIND
|
|
|
|
|
Administrator Reference Manual for further configuration options.
|
|
|
|
|
</para></sect3>
|
|
|
|
|
</sect2>
|
|
|
|
|
|
