build:dns (last modified 2012/12/10 22:41)
====== DNS ======

We run a caching name server on all our servers. This speeds up name lookups, and reduces network load to external name servers a bit.

On some servers, we also serve DNS for several domains to the outside world. We use BuddyNS as our secondary servers; they use AXFR to transfer changes to our domains.

We decided to use BIND 9, as it is popular and well supported. BIND 9 was completely rewritten with security in mind, and so it seems to have a lot fewer security issues than BIND 4 and BIND 8 did. We decided to put BIND into a chroot jail, as it's pretty simple to do and well-documented. This should protect us from most of the BIND and DNS exploits that do turn up.


===== Installation =====

First, install the required packages:

<code bash>
sudo apt-get install bind9 bind9utils bind9-doc dnsutils
</code>

Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done:

<code bash>
sudo /etc/init.d/bind9 stop
</code>

Next, build out ''/var/lib/bind/chroot'' to contain enough for bind9 to run chrooted within it:

<code bash>
sudo mkdir -p /var/lib/bind/chroot/{etc,dev,var/cache/bind,var/run/named}
# named needs /dev/null and /dev/random inside the jail; create them as device nodes
sudo mknod /var/lib/bind/chroot/dev/null c 1 3
sudo mknod /var/lib/bind/chroot/dev/random c 1 8
sudo chmod 660 /var/lib/bind/chroot/dev/{null,random}
sudo chmod 775 /var/lib/bind/chroot/var/{cache/bind,run/named}
sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev}
# Replace the stock runtime directories with links into the jail
sudo rm -rf /var/run/named /var/cache/bind
sudo ln -s /var/lib/bind/chroot/var/run/named /var/run/named
sudo ln -s /var/lib/bind/chroot/var/cache/bind /var/cache/bind
</code>


===== Configuration =====

Copy the configuration into the chroot directory, and link back to the original location, so we can keep updating the configuration from the usual config-file path:

<code bash>
sudo mv /etc/bind /etc/bind.dist
sudo cp -a /etc/bind.dist /var/lib/bind/chroot/etc/bind
sudo ln -s /var/lib/bind/chroot/etc/bind /etc/bind
</code>

Next, edit ''/etc/default/bind9'' to tell it to start up chrooted to ''/var/lib/bind/chroot'' (the ''-t'' option):

<code bash>
sudo sed -i -e 's|OPTIONS="-u bind"|OPTIONS="-u bind -t /var/lib/bind/chroot"|' /etc/default/bind9
</code>

Edit ''/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include names for a few backup forwarders, in case we decide to use them at a later date.

<file>
acl loopback        {127.0.0.1;};                   # The "localhost" ACL is pre-defined, but includes all interfaces.
acl external_subnet {192.168.210.0/24;};
acl buddyns         {173.244.206.26; 88.198.106.11; 74.117.59.111;};            # Allow AXFR to these addresses for BuddyNS to provide secondary/authoritative DNS for us.
acl opendns         {208.67.220.220; 208.67.222.222;};                          # OpenDNS public DNS servers.
acl verizon_dns     {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;};    # Verizon public DNS servers.

options {
    directory "/var/cache/bind";
    listen-on {loopback; external_subnet;};         # Listen on the loopback interface (for DNS caching), plus any interface on our external subnet (for queries and transfers).
    forwarders {208.67.220.220; 208.67.222.222;};   # Forward queries here, unless we're authoritative. (Cannot use named ACLs here.)
    allow-transfer {buddyns; localhost;};           # Allow AXFRs to BuddyNS (so they can mirror us), and all local interfaces (for testing).
    auth-nxdomain no;                               # Conform to RFC 1035.
    version none;                                   # Don't publicize our version number.
};
</file>

For caching-only servers, remove ''external_subnet'' from ''listen-on'', and remove the ''allow-transfer'' line.


===== Logging =====

To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it.

Since Debian 5+ uses rsyslog, we simply had to find the config option that makes it listen on an additional UNIX socket:

<code bash>
sudo sh -c 'echo "\$AddUnixListenSocket /var/lib/bind/chroot/dev/log" > /etc/rsyslog.d/bind9.conf'
</code>

Then restart the logging daemon:

<code bash>
sudo /etc/init.d/rsyslog restart
</code>
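Before starting named it is worth verifying the jail. This is an added Python check, not part of the original page: it walks the layout built in the Installation, Configuration and Logging steps above (directories, the two device nodes and their ownership, the rsyslog socket, and the three symlinks). Paths and the ''bind'' user come from the page; the ''links'' and ''user'' parameters are there only so the check can be pointed at another root.

```python
"""Check the BIND chroot layout from the steps above (added example, not from the page)."""
import os
import pwd
import stat

JAIL = "/var/lib/bind/chroot"
# Host path -> path inside the jail that the page's ln -s commands point it at.
LINKS = {"/var/run/named": "var/run/named",
         "/var/cache/bind": "var/cache/bind",
         "/etc/bind": "etc/bind"}
# Device nodes the page creates with mknod: name -> (major, minor).
DEVICES = {"dev/null": (1, 3), "dev/random": (1, 8)}


def check_jail(jail=JAIL, links=LINKS, user="bind"):
    """Return a list of problems (empty when the jail matches the page's layout)."""
    problems, uid = [], None
    if user is not None:  # user=None skips the ownership checks (useful when testing)
        try:
            uid = pwd.getpwnam(user).pw_uid
        except KeyError:
            problems.append(f"user {user!r} does not exist")
    for d in ("etc", "dev", "var/cache/bind", "var/run/named"):
        if not os.path.isdir(os.path.join(jail, d)):
            problems.append(f"{d}: directory missing")
    for name, (major, minor) in DEVICES.items():
        try:
            st = os.lstat(os.path.join(jail, name))
        except FileNotFoundError:
            problems.append(f"{name}: missing (mknod not run?)")
            continue
        if not stat.S_ISCHR(st.st_mode):
            problems.append(f"{name}: not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            problems.append(f"{name}: wrong device number")
        if uid is not None and st.st_uid != uid:
            problems.append(f"{name}: not owned by {user}")
    # rsyslog's $AddUnixListenSocket must have created a socket here, or named logs nothing.
    log = os.path.join(jail, "dev/log")
    if not (os.path.exists(log) and stat.S_ISSOCK(os.stat(log).st_mode)):
        problems.append("dev/log: no syslog socket (rsyslog listener not active?)")
    for host_path, inside in links.items():
        target = os.path.join(jail, inside)
        if not os.path.islink(host_path) or os.path.realpath(host_path) != os.path.realpath(target):
            problems.append(f"{host_path}: should be a symlink to {target}")
    return problems
```

Run ''check_jail()'' as root on the server after the rsyslog restart; an empty list means the layout matches the page.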
 + 

===== Startup =====

Start the named server:

<code bash>
sudo /etc/init.d/bind9 start
</code>

If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is a forgotten semi-colon somewhere in the config file.


===== Client Configuration =====

Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other name servers, commented out, purely as documentation.

<code bash>
DOMAIN=$(hostname -d)
sudo sh -c 'cat > /etc/resolv.conf' <<EOF
domain $DOMAIN
nameserver 127.0.0.1
#nameserver 208.67.220.220 # OpenDNS public DNS server
#nameserver 208.67.222.222 # OpenDNS public DNS server
EOF
</code>

We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be rewritten when the interface comes up.

<code bash>
sudo sed -i /etc/network/interfaces -e '/^.*dns-.*/d'
</code>


===== Testing =====

Run ''nslookup'' and/or ''dig'' to resolve some DNS names. Make sure the answers come back from 127.0.0.1.

Run some client programs to make sure they are resolving host names properly.

Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon.

Run ''sudo rndc status'' to check the status of the server.

Run ''sudo rndc stats'' and then read ''/var/cache/bind/named.stats'' to get server stats, including the number of successful and failed DNS lookups.
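As an added example (not from the original page), here is a small Python parser for that ''named.stats'' file, pulling out the successful, NXDOMAIN and SERVFAIL counts so the failure share can be tracked over time. The embedded dump is a constructed sample in the layout of a BIND 9 statistics dump; the counts are made up.

```python
"""Summarise the named.stats dump that ''rndc stats'' writes (added example, not from the page)."""
import re
from collections import defaultdict

# Constructed sample in the layout of a BIND 9 statistics dump; the counts are made up.
SAMPLE = """\
+++ Statistics Dump +++ (1355177900)
++ Incoming Queries ++
                  90 A
++ Name Server Statistics ++
                 100 queries resulted in successful answer
                  15 queries resulted in NXDOMAIN
                   5 queries resulted in SERVFAIL
++ Resolver Statistics ++
[Common]
[View: default]
                   2 query timeouts
--- Statistics Dump --- (1355177900)
"""

SECTION = re.compile(r"^\+\+ (.+?) \+\+$")
COUNTER = re.compile(r"^\s*(\d+) (.+?)\s*$")


def parse_named_stats(text):
    """Return {section: {counter name: value}} for one statistics dump."""
    stats, section = defaultdict(dict), None
    for line in text.splitlines():
        if line.startswith(("+++", "---", "[")):  # dump markers and [Common]/[View: ...] sub-headers
            continue
        m = SECTION.match(line)
        if m:
            section = m.group(1)
            continue
        m = COUNTER.match(line)
        if m and section is not None:
            stats[section][m.group(2)] = int(m.group(1))
    return dict(stats)


def lookup_summary(stats):
    """Successful/NXDOMAIN/SERVFAIL counts; a rising SERVFAIL share usually means failing forwarders."""
    ns = stats.get("Name Server Statistics", {})
    ok = ns.get("queries resulted in successful answer", 0)
    nxdomain = ns.get("queries resulted in NXDOMAIN", 0)
    servfail = ns.get("queries resulted in SERVFAIL", 0)
    total = ok + nxdomain + servfail
    return {"ok": ok, "nxdomain": nxdomain, "servfail": servfail,
            "servfail_ratio": servfail / total if total else 0.0}
```

On a live server, read ''/var/cache/bind/named.stats'' after ''rndc stats'' and pass its contents to ''parse_named_stats'' in place of ''SAMPLE''.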
 + 
 + 
===== Notes =====

The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services.

The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS servers that anyone can use.


===== TODO =====

We should probably query the root servers directly instead of forwarding to OpenDNS, or forward to the DNS servers provided by our ISP.


===== Credits =====

Details on running BIND under chroot are available on the [[http://wiki.debian.org/Bind9#Bind_Chroot | Debian Wiki page on BIND]], as well as in the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]] on HowtoForge.