Differences

This shows you the differences between two versions of the page.

build:dns [2010/03/03 15:10]
99.100.133.164 old revision restored
build:dns [2010/08/10 17:02] (current)
Craig Buchek Cron task is weekly, not daily.
Line 5: Line 5:
We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits. We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits.
-Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page.+
===== Installation ===== ===== Installation =====
First, install the required packages: First, install the required packages:
-<code rootshell+ 
-apt-get install -y bind9 bind9-host dnsutils bind9-doc+<code bash
 +sudo apt-get install -y bind9 bind9-host dnsutils bind9-doc
</code> </code>
Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done: Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done:
-<code rootshell+ 
-/etc/init.d/bind9 stop+<code bash
 +sudo /etc/init.d/bind9 stop
</code> </code>
Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it: Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it:
-<code rootshell> 
-mkdir -p /var/lib/named 
-mkdir -p /var/lib/named/etc /var/lib/named/dev 
-mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind 
-chown -R bind:bind /var/lib/named/var/* 
-mknod /var/lib/named/dev/random c 1 8 
-mknod /var/lib/named/dev/null c 1 3 
-chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random 
-ln -sf /var/lib/named/var/run/bind /var/run/bind 
-ln -sf /var/lib/named/var/cache/bind /var/cache/bind 
-</code> 
 +<code bash>
 +sudo mkdir -p /var/lib/named
 +sudo mkdir -p /var/lib/named/etc /var/lib/named/dev
 +sudo mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind
 +sudo chown -R bind:bind /var/lib/named/var/*
 +sudo mknod /var/lib/named/dev/random c 1 8
 +sudo mknod /var/lib/named/dev/null c 1 3
 +sudo chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
 +sudo ln -sf /var/lib/named/var/run/bind /var/run/bind
 +sudo ln -sf /var/lib/named/var/cache/bind /var/cache/bind
 +</code>
===== Configuration ===== ===== Configuration =====
Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location: Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location:
-<code rootshell+ 
-mv /etc/bind /etc/bind.dist +<code bash
-cp -a /etc/bind.dist /var/lib/named/etc/bind +sudo mv /etc/bind /etc/bind.dist 
-ln -s /var/lib/named/etc/bind /etc/bind+sudo cp -a /etc/bind.dist /var/lib/named/etc/bind 
 +sudo ln -s /var/lib/named/etc/bind /etc/bind
</code> </code>
Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named: Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named:
-<code rootshell+ 
-sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9+<code bash
 +sudo sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9
</code> </code>
Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders commented out, in case we decide to use them at a later date. Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders commented out, in case we decide to use them at a later date.
 +
<file> <file>
options { options {
directory "/var/cache/bind"; directory "/var/cache/bind";
listen-on {127.0.0.1;}; # only act as a DNS cache for localhost listen-on {127.0.0.1;}; # only act as a DNS cache for localhost
- forwarders {209.20.72.4; 209.20.72.5;}; # SliceHost DNS servers + forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers 
- #forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers+ #forwarders {209.20.72.4; 209.20.72.5;}; # SliceHost DNS servers
#forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers #forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers
auth-nxdomain no; # conform to RFC1035 auth-nxdomain no; # conform to RFC1035
}; };
</file> </file>
- 
===== Logging ===== ===== Logging =====
-To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket in a '-a' option. This is set in the SYSLOGD parameter in the ''/etc/init.d/sysklogd'' file+To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it.  
-<code rootshell+ 
-sed -i -e 's:^SYSLOGD=""$:SYSLOGD="-a /var/lib/named/dev/log":' /etc/default/syslogd+Since Debian 5 uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket: 
 + 
 +<code bash
 +sudo sh -c 'echo "\$AddUnixListenSocket /var/lib/named/dev/log" > /etc/rsyslog.d/bind9.conf'
</code> </code>
Then restart the logging daemon: Then restart the logging daemon:
-<code rootshell+ 
-/etc/init.d/sysklogd restart+<code bash
 +sudo /etc/init.d/rsyslog restart
</code> </code>
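Review bot: the `sed` on `/etc/default/bind9` (the `OPTIONS=` line in this hunk) only takes effect if the file contains exactly `OPTIONS="-u bind"`; if the string differs, the substitution silently does nothing and named starts outside the jail without any error. A check after it, e.g. `grep -q -- '-t /var/lib/named' /etc/default/bind9 || echo 'chroot option not set'`, would catch that. Two smaller points: the `named.conf.options` block relies solely on `listen-on {127.0.0.1;};` to keep the cache private, so an explicit `allow-recursion { 127.0.0.1; };` would keep it a closed resolver even if `listen-on` is later widened; and the rsyslog line writes with `>`, so it overwrites any existing `/etc/rsyslog.d/bind9.conf`, which is fine on a fresh install but worth stating.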
Line 73: Line 81:
Start the named server: Start the named server:
-<code rootshell+ 
-/etc/init.d/bind9 start+<code bash
 +sudo /etc/init.d/bind9 start
</code> </code>
If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file. If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file.
-==== Daily Restart ====+==== Weekly Restart ====
-On our VPS system, we've got very limited memory, so it's a good idea to restart BIND every week to decrease the memory it uses. So we'll do that as a daily cron task:+On our VPS system, we've got very limited memory, so it's a good idea to restart BIND every week to decrease the memory it uses. So we'll do that as a weekly cron task:
<code bash> <code bash>
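Review bot: the heading and prose now say weekly, but this hunk shows no change to the cron entry itself (the `<code bash>` block is cut off at the hunk boundary), so a reviewer cannot confirm the job actually moved from a daily to a weekly schedule; the commit message says "Cron task is weekly, not daily", so please confirm the crontab line or the cron directory it lives in matches the new text. It is also worth stating that a restart empties BIND's cache, so the first lookups after each weekly restart all go to the forwarders.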
Line 94: Line 103:
Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation. Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation.
 +
<file> <file>
domain boochtek.com domain boochtek.com
Line 106: Line 116:
We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up. We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up.
-<code rootshell+ 
-sed -i -e 's/^.*dns-.*//' /etc/network/interfaces+<code bash
 +sudo sed -i -e 's/^.*dns-.*//' /etc/network/interfaces
</code> </code>
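Review bot: the `sed` expression `s/^.*dns-.*//` matches any line that contains `dns-` anywhere and empties it rather than deleting it, so it leaves blank lines behind and would also blank an unrelated line such as a comment mentioning `dns-`. A delete command anchored on the option keyword, e.g. `sed -i -e '/^[[:space:]]*dns-/d' /etc/network/interfaces`, removes only the `dns-*` option lines the text describes.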
 
build/dns.1267650611.txt.gz · Last modified: 2010/03/03 15:10 by 99.100.133.164
 