build:dns [2010/07/29 09:39]
217.151.52.75 zqAoYFZxUNhiFNoxXu
build:dns [2012/12/10 22:41] (current)
====== DNS ======

We run a caching name server on all our servers. This speeds up name lookups and reduces network load to external name servers a bit.

On some servers, we also serve DNS for several domains to the outside world. We use BuddyNS as our secondary servers; they use AXFR to transfer changes to our domains.

We decided to use BIND 9, as it is popular and well supported. BIND 9 was completely rewritten with security in mind, and so it seems to have had far fewer security issues than BIND 4 and BIND 8 did. We decided to put BIND into a chroot jail, as it's pretty simple to do and well documented. The jail limits what a compromised named process can reach, so it protects us from most BIND and DNS exploits that do turn up.


===== Installation =====

First, install the required packages:

<code bash>
sudo apt-get install bind9 bind9utils bind9-doc dnsutils
</code>

Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done:

<code bash>
sudo /etc/init.d/bind9 stop
</code>

Next build out ''/var/lib/bind/chroot'' to contain enough so that bind9 can run chrooted within it:

<code bash>
sudo mkdir -p /var/lib/bind/chroot/{etc,dev,var/cache/bind,var/run/named}
sudo mknod /var/lib/bind/chroot/dev/null c 1 3
sudo mknod /var/lib/bind/chroot/dev/random c 1 8
sudo chmod 660 /var/lib/bind/chroot/dev/{null,random}
sudo chmod 775 /var/lib/bind/chroot/var/{cache/bind,run/named}
sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev}
sudo rm -rf /var/run/named /var/cache/bind
sudo ln -s /var/lib/bind/chroot/var/run/named /var/run/named
sudo ln -s /var/lib/bind/chroot/var/cache/bind /var/cache/bind
</code>

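Before starting named it is worth confirming the jail really was built as above, since a missing device node or a symlink that points outside the jail silently undoes the protection. The following check is an added example (not from the wiki): it walks the layout these commands create (directories and modes, the two device nodes with major:minor 1:3 and 1:8 and mode 660, and the symlinks from /var/run/named, /var/cache/bind and, after the Configuration section, /etc/bind back into the jail); build_demo_tree() rebuilds the directory part in a scratch directory so the checks can be tried without root.

```python
import os
import stat
import tempfile

REQUIRED_DIRS = {"etc": None, "dev": None,         # layout from the page; relative path -> mode
                 "var/cache/bind": 0o775, "var/run/named": 0o775}   # (None: only existence)
REQUIRED_DEVICES = {"dev/null": (1, 3, 0o660),     # relative path -> (major, minor, mode)
                    "dev/random": (1, 8, 0o660)}
EXPECTED_LINKS = {"/var/run/named": "var/run/named",   # outside path -> target inside the jail
                  "/var/cache/bind": "var/cache/bind", "/etc/bind": "etc/bind"}

def device_ok(path, major, minor, mode):
    """True if path is a character device with the given major:minor and permission bits."""
    if not os.path.exists(path):
        return False
    st = os.lstat(path)
    return (stat.S_ISCHR(st.st_mode) and os.major(st.st_rdev) == major
            and os.minor(st.st_rdev) == minor and stat.S_IMODE(st.st_mode) == mode)

def check_chroot(root):
    """Return a list of problems in the jail's directories and device nodes (empty = ok)."""
    problems = []
    for rel, want in REQUIRED_DIRS.items():
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            problems.append(f"missing directory {path}")
        elif want is not None and stat.S_IMODE(os.stat(path).st_mode) != want:
            problems.append(f"{path} mode {stat.S_IMODE(os.stat(path).st_mode):o}, want {want:o}")
    for rel, (major, minor, mode) in REQUIRED_DEVICES.items():
        path = os.path.join(root, rel)
        if not device_ok(path, major, minor, mode):
            problems.append(f"{path} is not a char device {major}:{minor} with mode {mode:o}")
    return problems

def check_links(root, links=EXPECTED_LINKS):
    """Verify each outside path is a symlink into the jail, so edits land where named reads them."""
    return [f"{outside} does not link to {os.path.join(root, inside)}"
            for outside, inside in links.items()
            if not (os.path.islink(outside) and os.readlink(outside) == os.path.join(root, inside))]

def build_demo_tree():
    """Recreate the page's mkdir/chmod/ln steps in a scratch dir (mknod skipped: it needs root)."""
    root = tempfile.mkdtemp(prefix="bind-chroot-")
    for rel, want in REQUIRED_DIRS.items():
        os.makedirs(os.path.join(root, rel))
        if want is not None:
            os.chmod(os.path.join(root, rel), want)
    os.symlink(os.path.join(root, "var/run/named"), os.path.join(root, "run-named-link"))
    return root
```

On a real server run check_chroot("/var/lib/bind/chroot") and check_links("/var/lib/bind/chroot") as root; both return an empty list when the jail matches the commands above.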

===== Configuration =====

Copy the configuration into the chroot directory, and link back to the original location, so we can keep updating the configuration from the usual config-file path:

<code bash>
sudo mv /etc/bind /etc/bind.dist
sudo cp -a /etc/bind.dist /var/lib/bind/chroot/etc/bind
sudo ln -s /var/lib/bind/chroot/etc/bind /etc/bind
</code>

Next edit ''/etc/default/bind9'' to tell it to start up chrooted to ''/var/lib/bind/chroot'':

<code bash>
sudo sed -i -e 's|OPTIONS="-u bind"|OPTIONS="-u bind -t /var/lib/bind/chroot"|' /etc/default/bind9
</code>

Edit ''/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and whom to forward requests to if we don't have the answer cached. We also define ACLs for a few backup forwarders, in case we decide to use them at a later date.

<file>
acl loopback        {127.0.0.1;};                   # The "localhost" ACL is pre-defined, but includes all interfaces.
acl external_subnet {192.168.210.0/24;};
acl buddyns         {173.244.206.26; 88.198.106.11; 74.117.59.111;};            # Allow AXFR to these addresses for BuddyNS to provide secondary/authoritative DNS for us.
acl opendns         {208.67.220.220; 208.67.222.222;};                          # OpenDNS public DNS servers.
acl verizon_dns     {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;};    # Verizon public DNS servers.

options {
    directory "/var/cache/bind";
    listen-on {loopback; external_subnet;};         # Listen on loopback interface (for DNS caching), plus any interface on our external subnet (for queries and transfers).
    forwarders {208.67.220.220; 208.67.222.222;};   # Forward queries here, unless we're authoritative. (Cannot use named ACLs here.)
    allow-transfer {buddyns; localhost;};           # Allow AXFRs to BuddyNS (so they can mirror us), and all local interfaces (for testing).
    auth-nxdomain no;                               # Conform to RFC1035.
    version none;                                   # Don't publicize our version number.
};
</file>

For caching-only servers, remove ''external_subnet'' from ''listen-on'', and remove the ''allow-transfer'' line.

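The options above can be reviewed mechanically. The following is an added example (not from the wiki or from BIND) that parses a named.conf.options the way a reviewer reads it: it flattens the named ACLs, confirms ''version none'', checks that ''allow-transfer'' never expands to ''any'', and flags that this page's config listens on the external subnet while relying on BIND's default for ''allow-recursion'' rather than setting it explicitly. PAGE_CONFIG is a constructed copy of the file above, trimmed to the lines the audit inspects.

```python
import re

# Constructed copy of this page's named.conf.options, trimmed to the lines the audit inspects.
PAGE_CONFIG = """
acl loopback        {127.0.0.1;};
acl external_subnet {192.168.210.0/24;};
acl buddyns         {173.244.206.26; 88.198.106.11; 74.117.59.111;};
options {
    listen-on {loopback; external_subnet;};   # LAN as well as loopback
    allow-transfer {buddyns; localhost;};
    version none;
};
"""

def statements(body):  # {keyword: value} split on top-level ';'; values keep their braces
    stmts, depth, cur = {}, 0, ""
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            parts = re.split(r"\s+", cur.strip(), maxsplit=1)
            stmts[parts[0]] = parts[1] if len(parts) > 1 else ""
            cur = ""
        else:
            cur += ch
    return stmts

def members(value):  # "{a; b;}" -> ["a", "b"]
    return [m.strip() for m in value.strip().strip("{}").split(";") if m.strip()]

def expand(name, acls):  # flatten nested named ACLs down to addresses and built-ins
    return [a for m in acls[name] for a in expand(m, acls)] if name in acls else [name]

def audit(conf):  # findings for the options block; an empty list means nothing was flagged
    text = re.sub(r"(#|//).*", "", re.sub(r"/\*.*?\*/", "", conf, flags=re.S))  # drop comments
    acls = {m.group(1): members(m.group(2))
            for m in re.finditer(r"\bacl\s+(\S+)\s*(\{[^}]*\})\s*;", text)}
    opts = statements(statements(text)["options"].strip().strip("{}"))
    findings = []
    if opts.get("version", "").strip('"') != "none":
        findings.append("version not hidden: add 'version none;'")
    transfer = [a for m in members(opts.get("allow-transfer", "")) for a in expand(m, acls)]
    if not transfer:
        findings.append("allow-transfer not set: restrict zone transfers to the secondaries")
    elif "any" in transfer:
        findings.append("allow-transfer includes 'any': every host can pull the zones")
    listeners = [a for m in members(opts.get("listen-on", "{any;}")) for a in expand(m, acls)]
    if (opts.get("recursion") != "no" and "allow-recursion" not in opts
            and not set(listeners) <= {"127.0.0.1", "::1", "localhost"}):
        findings.append("allow-recursion not set while listening beyond loopback: restrict recursion")
    return findings
```

Adding ''allow-recursion {loopback; external_subnet;};'' to the options block makes audit() return an empty list for this page's configuration.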

===== Logging =====

To get logging out of the chroot jail, we need to set up a socket within the jail and have the syslog daemon listen on it.

Since Debian 5+ uses rsyslog, we simply had to find the config option that listens on an additional UNIX socket:

<code bash>
sudo sh -c 'echo "\$AddUnixListenSocket /var/lib/bind/chroot/dev/log" > /etc/rsyslog.d/bind9.conf'
</code>

Then restart the logging daemon:

<code bash>
sudo /etc/init.d/rsyslog restart
</code>


===== Startup =====

Start the named server:

<code bash>
sudo /etc/init.d/bind9 start
</code>

If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is a forgotten semicolon somewhere in the config file.


===== Client Configuration =====

Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other name servers, commented out, just as documentation.

<code bash>
DOMAIN=$(hostname -d)
sudo sh -c 'cat > /etc/resolv.conf' <<EOF
domain $DOMAIN
nameserver 127.0.0.1
#nameserver 208.67.220.220 # OpenDNS public DNS server
#nameserver 208.67.222.222 # OpenDNS public DNS server
EOF
</code>

We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be rewritten when the interface comes up.

<code bash>
sudo sed -i /etc/network/interfaces -e '/^.*dns-.*/d'
</code>


===== Testing =====

Run ''nslookup'' and/or ''dig'' to resolve some DNS names. Make sure the answers come back from 127.0.0.1.

Run some client programs to make sure they are resolving host names properly.

Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon.

Run ''sudo rndc status'' to check the status of the server.

Run ''sudo rndc stats'' and then read ''/var/cache/bind/named.stats'' to get server stats, including the number of successful and failed DNS lookups.


===== Notes =====

The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they answer queries for unknown names with the addresses of their own servers. Those servers host search pages for web access; I'm not sure what happens with other services.

The 4.2.2.x addresses are supposedly Verizon's publicly available DNS servers that anyone can use.


===== TODO =====

We should probably hit the root servers instead of forwarding to OpenDNS. Or forward to the DNS servers provided by our ISP.


===== Credits =====

Details on running BIND under chroot are available on the [[http://wiki.debian.org/Bind9#Bind_Chroot | Debian Wiki page on BIND]], as well as the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]] on HowtoForge.
  
build/dns.1280414343.txt.gz · Last modified: 2012/12/10 22:41 (external edit)