# Configuring BIND
|
||
|
#
|
||
|
|
||
|
Config files
|
||
|
------------
|
||
|
named.conf, root.hints, 127.0.0, rndc.conf and resolv.conf
|
||
|
Configuration Information
|
||
|
|
||
|
|
||
|
|
||
|
BIND will be configured to run in a chroot jail as an unprivileged user (named). This is more secure in that a compromise of named is confined to the jail, and to whatever the named user can write inside it — so keep that writable set as small as possible (ideally only slave zones, its working directory and the pid/statistics files, not named.conf or the libraries it loads). Note that a chroot is a containment measure, not a full sandbox: it does not by itself limit the process's network access or its reach into the kernel.
|
||
|
|
||
|
The unprivileged user and group named are already set up.
|
||
|
|
||
|
Set up some files, directories and devices needed by BIND:
|
||
|
|
||
|
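# Lay out the chroot jail under /srv/named. Everything named touches at run
# time (device nodes, timezone data, the OpenSSL engine library, its config
# and zone directories) has to exist inside the jail, because once chrooted
# named cannot see anything outside it. Run as root; the `&&` chain stops at
# the first failure.
cd /srv/named &&
mkdir -p dev etc/namedb/{slave,pz} usr/lib/engines var/run/named &&
# Character devices named opens after chrooting: /dev/null (1,3) and
# /dev/random (1,8). mknod fails if a node already exists, so this sequence
# is not re-runnable as-is.
mknod /srv/named/dev/null c 1 3 &&
mknod /srv/named/dev/random c 1 8 &&
# The nodes must be usable by the unprivileged named user.
chmod 666 /srv/named/dev/{null,random} &&
# Timezone data, so log timestamps are in local time inside the jail.
cp /etc/localtime etc &&
# NOTE(review): named writes managed-keys.bind relative to its working
# directory (the `directory` option, /etc/namedb inside the jail); confirm
# that this top-of-jail path is the one your BIND version actually uses.
touch /srv/named/managed-keys.bind &&
# OpenSSL engine library the page expects named to need inside the jail. If
# your OpenSSL build does not ship it the copy fails and the chain aborts,
# which is the intended signal rather than a silent gap in the jail.
cp /usr/lib/engines/libgost.so usr/lib/engines &&
# 64-bit library path inside the jail. The substitution is quoted so unusual
# uname output cannot break the test; on other architectures it is simply
# false and the link is skipped.
[ "$(uname -m)" = x86_64 ] && ln -sv lib usr/lib64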
|
||
|
|
||
|
The rndc.conf file contains the information the rndc utility uses to control named. Generate a key for use in named.conf and rndc.conf with the rndc-confgen command. The key is a shared secret: anyone who can read it (and reach the control channel) can reload, reconfigure or stop the server, so both files that hold it must not be world-readable:
|
||
|
|
||
|
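# Generate the rndc control key. rndc-confgen prints a complete rndc.conf
# followed by a commented-out `key`/`controls` template for named.conf. The
# key is a shared secret that grants control of named, so the file is created
# under a restrictive umask (no window where it is world-readable) and then
# explicitly locked to root, which is the user that runs rndc.
(umask 077 && rndc-confgen -r /dev/urandom -b 512 > /etc/rndc.conf) &&
chmod 600 /etc/rndc.conf &&
# Extract the commented template into named.conf: drop the lines that mention
# the conf file name, keep only the "# " lines, then strip the marker.
sed '/conf/d;/^#/!d;s:^# ::' /etc/rndc.conf > /srv/named/etc/named.conf &&
# named.conf now carries the same secret. named must be able to read it,
# nobody else: 640 here, and group ownership is set when the jail
# permissions are applied later on this page.
chmod 640 /srv/named/etc/named.conf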
|
||
|
|
||
|
Complete the named.conf file, from which named reads the location of its zone files, the root name servers and the rndc control key copied in above:
|
||
|
|
||
|
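# Append the server options, the zones and the logging configuration to the
# named.conf that already holds the rndc key/controls template. The heredoc
# delimiter is quoted so nothing inside is expanded by the shell. All paths
# are relative to the jail (/srv/named), since named is chrooted there.
cat >> /srv/named/etc/named.conf << "EOF"
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";

    // resolv.conf below points this host at 127.0.0.1, so only local
    // clients need recursion. Without this ACL named answers recursive
    // queries from anyone who can reach it, i.e. it is an open resolver
    // usable for cache poisoning attempts and amplification. Widen it
    // to { localhost; localnets; } or to a specific prefix if other
    // hosts must use this resolver.
    allow-recursion { localhost; };
};

// Root hints: where to start recursion from.
zone "." {
    type hint;
    file "root.hints";
};

// Reverse zone for the loopback network, served authoritatively.
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};

// Bind 9 now logs by default through syslog (except debug).
// These are the default logging rules.

logging {
    category default { default_syslog; default_debug; };
    category unmatched { null; };

    channel default_syslog {
        syslog daemon;      // send to syslog's daemon
                            // facility
        severity info;      // only send priority info
                            // and higher
    };

    channel default_debug {
        file "named.run";   // write to named.run in
                            // the working directory
                            // Note: stderr is used instead
                            // of "named.run"
                            // if the server is started
                            // with the '-f' option.
        severity dynamic;   // log at the server's
                            // current debug level
    };

    channel default_stderr {
        stderr;             // writes to stderr
        severity info;      // only send priority info
                            // and higher
    };

    channel null {
        null;               // toss anything sent to
                            // this channel
    };
};
EOF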
|
||
|
|
||
|
Create a zone file with the following contents:
|
||
|
|
||
|
# Reverse zone for the loopback network, so that `dig -x 127.0.0.1` is
# answered locally with "localhost.". The single-quoted delimiter keeps the
# shell from expanding anything ($TTL in particular); the zone data is
# written verbatim. The SOA name servers are placeholders, which is fine
# for a zone that is only ever served to this host.
cat > /srv/named/etc/namedb/pz/127.0.0 <<'EOF'
$TTL 3D
@ IN SOA ns.local.domain. hostmaster.local.domain. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.local.domain.
1 PTR localhost.
EOF
|
||
|
|
||
|
Create the root.hints file with the following commands:
|
||
|
[Note]
|
||
|
Note
|
||
|
|
||
|
Caution must be used to ensure there are no leading spaces in this file.
|
||
|
|
||
|
# Root hints: the names and addresses of the root name servers, used by the
# "." hint zone as the starting point for recursion. Written verbatim via a
# single-quoted heredoc. Lines must start in column 0 (see the note above);
# a leading space would be read as "same owner as the previous record".
cat > /srv/named/etc/namedb/root.hints <<'EOF'
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 192.228.79.201
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 199.7.91.13
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 199.7.83.42
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
EOF
|
||
|
|
||
|
The root.hints file is a list of root name servers. The addresses in a hand-typed copy like the one above go stale as root server addresses change, so the file must be refreshed periodically: either regenerate it with dig (for example `dig @a.root-servers.net . NS > /srv/named/etc/namedb/root.hints`, then check the result) or fetch the current named.root from InterNIC (ftp://rs.internic.net/domain/named.root, also served over HTTPS from www.internic.net). Consult the BIND 9 Administrator Reference Manual for details.
|
||
|
|
||
|
Create or modify resolv.conf to use the new name server with the following commands:
|
||
|
[Note] Replace <yourdomain.com> with your own valid domain name.
|
||
|
|
||
|
# Point this host's resolver library at the local named. The previous
# resolv.conf is kept as a backup so the change can be reverted. Replace
# <yourdomain.com> with your real search domain before running this.
cp /etc/resolv.conf /etc/resolv.conf.bak &&
printf 'search <yourdomain.com>\nnameserver 127.0.0.1\n' > /etc/resolv.conf
|
||
|
|
||
|
Set permissions on the chroot jail with the following command:
|
||
|
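# Apply least-privilege ownership inside the jail. A blanket
# `chown -R named:named /srv/named` would let a compromised named rewrite
# its own named.conf (including the rndc key in it), its zone files and the
# engine library it loads, which defeats much of the point of the jail.
# Instead the jail stays root-owned and group-readable by named, and only
# what named must write at run time belongs to the named user:
#   - its working directory (/etc/namedb in the jail), so it can create
#     named.run and managed-keys.bind there; the zone files inside it stay
#     root-owned, which is why this chown is not recursive,
#   - slave zone files, which named writes after transfers,
#   - the pid and statistics files under var/run,
#   - the managed-keys.bind created at the top of the jail above.
chown -R root:named /srv/named &&
chown named:named /srv/named/etc/namedb /srv/named/managed-keys.bind &&
chown -R named:named /srv/named/etc/namedb/slave /srv/named/var/run &&
# named.conf holds the rndc secret: readable by root and the named group only.
chmod 640 /srv/named/etc/named.conf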
|
||
|
|
||
|
Boot Script
|
||
|
Now start BIND with the new boot script:
|
||
|
# Start named via the BLFS boot script installed with the package (not shown
# on this page). For the jail to matter, the script's named invocation must
# chroot into /srv/named and drop to the named user (the -t and -u options);
# check it before relying on the confinement described above.
/etc/rc.d/init.d/bind start
|
||
|
|
||
|
Testing BIND
|
||
|
Test out the new BIND 9 installation. First query the local host address with dig:
|
||
|
|
||
|
# Reverse lookup of the loopback address; answered from the local
# 0.0.127.in-addr.arpa zone, so this checks that named is up, that
# resolv.conf now points at it, and that the zone file parsed cleanly.
dig -x 127.0.0.1
|
||
|
|
||
|
Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:
|
||
|
|
||
|
# Run the same external lookup twice: the first answer is obtained by
# recursion from the root hints, the second comes from named's cache
# (compare the "Query time" lines). The second lookup only runs if the
# first succeeded.
dig www.linuxfromscratch.org &&
dig www.linuxfromscratch.org
|
||
|
|
||
|
You can see almost instantaneous results with the named caching lookups. Consult the BIND Administrator Reference Manual located at doc/arm/Bv9ARM.html in the package source tree, for further configuration options.