This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
build:dns [2010/08/01 10:40] 81.200.144.110 QrLjLQtjEeqpkOyaqA |
build:dns [2012/12/10 22:41] (current) |
||
---|---|---|---|
Line 1: | Line 1: | ||
- | http://www.viagra-advice.com order viagra online 2680 http://www.buyphenterminenow.net/ cheap phentermine 08775 http://www.treatanxietydisorder.net/ xanax 9606 http://www.buyxanaxnow.net/ xanax %-[ http://www.prozacsearch.com/ generic prozac %-[[ | + | ====== DNS ====== |
+ | |||
+ | We run a caching name server on all our servers. This speeds up name lookups, and reduces network load to external name servers a bit. | ||
+ | |||
+ | On some servers, we also serve DNS for several domains to the outside world. We use BuddyNS as our secondary servers; they use AXFR to transfer changes to our domains. | ||
+ | |||
+ | We decided to use BIND 9, as it is popular and well supported. BIND 9 was completely rewritten with security in mind, and so it seems to have a lot fewer security issues than BIND 4 and BIND 8 did. We decided to put BIND into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits that do turn up. | ||
+ | |||
+ | |||
+ | ===== Installation ===== | ||
+ | |||
+ | First, install the required packages: | ||
+ | |||
+ | <code bash> | ||
+ | sudo apt-get install bind9 bind9utils bind9-doc dnsutils | ||
+ | </code> | ||
+ | |||
+ | Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done: | ||
+ | |||
+ | <code bash> | ||
+ | sudo /etc/init.d/bind9 stop | ||
+ | </code> | ||
+ | |||
+ | Next build out ''/var/lib/bind/chroot'' to contain enough so that bind9 can run chrooted within it: | ||
+ | |||
+ | <code bash> | ||
+ | sudo mkdir -p /var/lib/bind/chroot/{etc,dev,var/cache/bind,var/run/named} | ||
+ | sudo mknod /var/lib/bind/chroot/dev/null c 1 3 | ||
+ | sudo mknod /var/lib/bind/chroot/dev/random c 1 8 | ||
+ | sudo chmod 660 /var/lib/bind/chroot/dev/{null,random} | ||
+ | sudo chmod 775 /var/lib/bind/chroot/var/{cache/bind,run/named} | ||
+ | sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev} | ||
+ | sudo rm -rf /var/run/named /var/cache/bind | ||
+ | sudo ln -s /var/lib/bind/chroot/var/run/named /var/run/named | ||
+ | sudo ln -s /var/lib/bind/chroot/var/cache/bind /var/cache/bind | ||
+ | </code> | ||
+ | |||
+ | |||
+ | ===== Configuration ===== | ||
+ | |||
+ | Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location: | ||
+ | |||
+ | <code bash> | ||
+ | sudo mv /etc/bind /etc/bind.dist | ||
+ | sudo cp -a /etc/bind.dist /var/lib/bind/chroot/etc/bind | ||
+ | sudo ln -s /var/lib/bind/chroot/etc/bind /etc/bind | ||
+ | </code> | ||
+ | |||
+ | Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/bind9/chroot: | ||
+ | |||
+ | <code bash> | ||
+ | sudo sed -i -e 's|OPTIONS="-u bind"|OPTIONS="-u bind -t /var/lib/bind/chroot"|' /etc/default/bind9 | ||
+ | </code> | ||
+ | |||
+ | Edit ''/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include names for a few backup forwarders, in case we decide to use them at a later date. | ||
+ | |||
+ | <file> | ||
+ | acl loopback {127.0.0.1;}; # The "localhost" ACL is pre-defined, but includes all interfaces. | ||
+ | acl external_subnet {192.168.210.0/24;}; | ||
+ | acl buddyns {173.244.206.26; 88.198.106.11; 74.117.59.111;}; # Allow AXFR to these addresses for BuddyNS to provide secondary/authoritative DNS for us. | ||
+ | acl opendns {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers. | ||
+ | acl verizon_dns {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers. | ||
+ | |||
+ | options { | ||
+ | directory "/var/cache/bind"; | ||
+ | listen-on {loopback; external_subnet;}; # Listen on loopback interface (for DNS caching), plus any interface on our external subnet (for queries and transfers). | ||
+ | forwarders {208.67.220.220; 208.67.222.222;}; # Forward queries here, unless we're authoritative. (Cannot use named ACLs here.) | ||
+ | allow-transfer {buddyns; localhost;}; # Allow AXFRs to BuddyNS (so they can mirror us), and all local interfaces (for testing). | ||
+ | auth-nxdomain no; # Conform to RFC1035. | ||
+ | version none; # Don't publicize our version number. | ||
+ | }; | ||
+ | </file> | ||
+ | |||
+ | For caching-only servers, remove the ''external_subnet'' from ''listen-on'', and remove the ''allow-transfer'' line. | ||
+ | |||
+ | |||
+ | ===== Logging ===== | ||
+ | |||
+ | To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. | ||
+ | |||
+ | Since Debian 5+ uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket: | ||
+ | |||
+ | <code bash> | ||
+ | sudo sh -c 'echo "\$AddUnixListenSocket /var/lib/bind/chroot/dev/log" > /etc/rsyslog.d/bind9.conf' | ||
+ | </code> | ||
+ | |||
+ | Then restart the logging daemon: | ||
+ | |||
+ | <code bash> | ||
+ | sudo /etc/init.d/rsyslog restart | ||
+ | </code> | ||
+ | |||
+ | |||
+ | ===== Startup ===== | ||
+ | |||
+ | Start the named server: | ||
+ | |||
+ | <code bash> | ||
+ | sudo /etc/init.d/bind9 start | ||
+ | </code> | ||
+ | |||
+ | If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file. | ||
+ | |||
+ | |||
+ | ===== Client Configuration ===== | ||
+ | |||
+ | Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other name servers just as documentation. | ||
+ | |||
+ | <code bash> | ||
+ | DOMAIN=$(hostname -d) | ||
+ | sudo sh -c 'cat > /etc/resolv.conf' <<EOF | ||
+ | domain $DOMAIN | ||
+ | nameserver 127.0.0.1 | ||
+ | #nameserver 208.67.220.220 # OpenDNS public DNS server | ||
+ | #nameserver 208.67.222 .222 # OpenDNS public DNS server | ||
+ | EOF | ||
+ | </code> | ||
+ | |||
+ | We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up. | ||
+ | |||
+ | <code bash> | ||
+ | sudo sed -i /etc/network/interfaces -e '/^.*dns-.*/d' | ||
+ | </code> | ||
+ | |||
+ | |||
+ | ===== Testing ===== | ||
+ | |||
+ | Run ''nslookup'' and/or ''dig'' to resolve some DNS names. Make sure you get answers back from 127.0.0.1. | ||
+ | |||
+ | Run some client programs to make sure they are resolving host names properly. | ||
+ | |||
+ | Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon. | ||
+ | |||
+ | Run ''sudo rndc status'' to check the status of the server. | ||
+ | |||
+ | Run ''sudo rndc stats'' and then read ''/var/cache/bind/named.stats'' to get server stats, including number of successful and failed DNS lookups. | ||
+ | |||
+ | |||
+ | ===== Notes ===== | ||
+ | |||
+ | The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services. | ||
+ | |||
+ | The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use. | ||
+ | |||
+ | |||
+ | ===== TODO ===== | ||
+ | |||
+ | We should probably hit the root servers instead of forwarding to OpenDNS. Or forward to the DNS servers provided by our ISP. | ||
+ | |||
+ | |||
+ | ===== Credits ===== | ||
+ | |||
+ | Details using BIND under chroot is available on the [[http://wiki.debian.org/Bind9#Bind_Chroot | Debian Wiki page on BIND]], as well as the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]] on HowtoForge. |