build:dns [2010/08/01 13:37]
99.100.133.164 old revision restored
build:dns [2012/12/10 22:41] (current)
Line 1: Line 1:
 ====== DNS ====== ====== DNS ======
  
-We are running ​a caching name server on the serverbound to the loopback interface only.+We run a caching name server on all our servers. This speeds up name lookupsand reduces network load to external name servers a bit.
  
-We decided to use bind 9, as it is well supported ​now(Note that Debian'​s default is bind 8if you just say "​bind"​.We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits.+On some servers, we also serve DNS for several domains to the outside world. We use BuddyNS as our secondary servers; they use AXFR to transfer changes to our domains.  
 + 
 +We decided to use BIND 9, as it is popular and well supported. ​BIND 9 was completely rewritten with security in mindand so it seems to have a lot fewer security issues than BIND 4 and BIND 8 did. We decided to put BIND into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits ​that do turn up.
  
-Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page. 
  
 ===== Installation ===== ===== Installation =====
  
 First, install the required packages: First, install the required packages:
-<​code ​rootshell+ 
-apt-get install ​-y bind9 bind9-host dnsutils ​bind9-doc+<​code ​bash
 +sudo apt-get install bind9 bind9utils ​bind9-doc dnsutils
 </​code>​ </​code>​
  
 Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done: Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done:
-<​code ​rootshell+ 
-/​etc/​init.d/​bind9 stop+<​code ​bash
 +sudo /​etc/​init.d/​bind9 stop
 </​code>​ </​code>​
  
-Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it: +Next build out ''​/var/lib/bind/​chroot'' ​to contain enough so that bind9 can run chrooted within it: 
-<​code ​rootshell+ 
-mkdir -p /​var/​lib/​named +<​code ​bash
-mkdir -p /var/lib/named/etc /var/lib/named/dev +sudo mkdir -p /var/lib/​bind/​chroot/​{etc,​dev,​var/​cache/​bind,​var/​run/named} 
-mkdir -p /var/lib/named/var/run/bind/​run ​/var/lib/named/​var/​cache/​bind +sudo mknod /var/lib/bind/chroot/​dev/​null c 1 3 
-chown -R bind:bind /var/lib/named/var/* +sudo mknod /var/lib/bind/chroot/dev/random c 1 8 
-mknod /​var/​lib/​named/​dev/random c 1 8 +sudo chmod 660 /var/lib/bind/chroot/dev/{null,​random} 
-mknod /var/lib/named/dev/null c 1 3 +sudo chmod 775 /var/lib/bind/chroot/var/{cache/bind,run/named} 
-chmod 666 /var/lib/named/​dev/​null /​var/​lib/​named/​dev/​random +sudo chown -R bind:bind /var/lib/bind/chroot/​{etc,​var/*,dev} 
-ln -sf /var/lib/named/var/run/bind /var/run/bind +sudo rm -rf /var/run/named /var/cache/bind 
-ln -sf /var/lib/named/​var/​cache/​bind /​var/​cache/​bind+sudo ln -/var/lib/bind/chroot/var/run/named /var/run/named 
 +sudo ln -/var/lib/bind/chroot/​var/​cache/​bind /​var/​cache/​bind
 </​code>​ </​code>​
 +
  
 ===== Configuration ===== ===== Configuration =====
  
 Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location: Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location:
-<​code ​rootshell+ 
-mv /etc/bind /​etc/​bind.dist +<​code ​bash
-cp -a /​etc/​bind.dist /var/lib/named/etc/bind +sudo mv /etc/bind /​etc/​bind.dist 
-ln -s /var/lib/named/etc/bind /etc/bind+sudo cp -a /​etc/​bind.dist /var/lib/bind/chroot/etc/bind 
 +sudo ln -s /var/lib/bind/chroot/etc/bind /etc/bind
 </​code>​ </​code>​
  
-Next edit /​etc/​default/​bind9 to tell it to start up chrooted to /var/lib/named+Next edit /​etc/​default/​bind9 to tell it to start up chrooted to /var/lib/bind9/​chroot: 
-<​code ​rootshell+ 
-sed -i -e 's:OPTIONS="​-u bind":OPTIONS="​-u bind -t /var/lib/named":' /​etc/​default/​bind9+<​code ​bash
 +sudo sed -i -e 's|OPTIONS="​-u bind"|OPTIONS="​-u bind -t /var/lib/bind/chroot"|' /​etc/​default/​bind9
 </​code>​ </​code>​
  
-Edit ''​/​var/​lib/​named/​etc/​bind/​named.conf.options''​ and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders ​commented out, in case we decide to use them at a later date.+Edit ''/​etc/​bind/​named.conf.options''​ and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include ​names for a few backup forwarders, in case we decide to use them at a later date. 
 <​file>​ <​file>​
 +acl loopback ​       {127.0.0.1;​}; ​                  # The "​localhost"​ ACL is pre-defined,​ but includes all interfaces.
 +acl external_subnet {192.168.210.0/​24;​};​
 +acl buddyns ​        ​{173.244.206.26;​ 88.198.106.11;​ 74.117.59.111;​}; ​           # Allow AXFR to these addresses for BuddyNS to provide secondary/​authoritative DNS for us.
 +acl opendns ​        ​{208.67.220.220;​ 208.67.222.222;​}; ​                         # OpenDNS public DNS servers.
 +acl verizon_dns ​    ​{4.2.2.1;​ 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;​}; ​   # Verizon public DNS servers. ​
 +
 options { options {
- directory "/​var/​cache/​bind";​ +    ​directory "/​var/​cache/​bind";​ 
- listen-on {127.0.0.1;}; # only act as a DNS cache for localhost +    listen-on {loopback; external_subnet;};         ​Listen on loopback interface (for DNS caching), plus any interface on our external subnet (for queries and transfers)
- forwarders {209.20.72.4; 209.20.72.5;​};​ # SliceHost DNS servers +    forwarders {208.67.220.220;​ 208.67.222.222;​}; ​  ​Forward queries here, unless we're authoritative. (Cannot use named ACLs here.) 
- #forwarders {208.67.220.220;​ 208.67.222.222;​};​ # OpenDNS public DNS servers +    ​allow-transfer ​{buddynslocalhost;};           ​Allow AXFRs to BuddyNS (so they can mirror us), and all local interfaces (for testing). 
- #​forwarders ​{4.2.2.14.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers +    auth-nxdomain no;                               ​Conform ​to RFC1035
- auth-nxdomain no; # conform ​to RFC1035+    version none;                                   # Don't publicize our version number.
 }; };
 </​file>​ </​file>​
 +
 +For caching-only servers, remove the ''​external_subnet''​ from ''​listen-on'',​ and remove the ''​allow-transfer''​ line.
 +
  
 ===== Logging ===== ===== Logging =====
  
-To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket ​in a '​-a'​ option. This is set in the SYSLOGD parameter in the ''/​etc/​init.d/​sysklogd''​ file+To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it.  
-<​code ​rootshell+ 
-sed -i -e 's:​^SYSLOGD="​"$:​SYSLOGD="​-a ​/var/lib/named/​dev/​log"​:' ​/etc/default/syslogd+Since Debian 5+ uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket: 
 + 
 +<​code ​bash
 +sudo sh -'echo "\$AddUnixListenSocket ​/var/lib/bind/chroot/​dev/​log" ​/etc/rsyslog.d/bind9.conf'​
 </​code>​ </​code>​
  
 Then restart the logging daemon: Then restart the logging daemon:
-<​code ​rootshell+ 
-/​etc/​init.d/​sysklogd ​restart+<​code ​bash
 +sudo /​etc/​init.d/​rsyslog ​restart
 </​code>​ </​code>​
 +
  
 ===== Startup ===== ===== Startup =====
  
 Start the named server: Start the named server:
-<​code ​rootshell+ 
-/​etc/​init.d/​bind9 start+<​code ​bash
 +sudo /​etc/​init.d/​bind9 start
 </​code>​ </​code>​
  
 If startup fails, tail the ''/​var/​log/​syslog''​ file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file. If startup fails, tail the ''/​var/​log/​syslog''​ file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file.
  
-==== Daily Restart ==== 
  
-On our VPS system, we've got very limited memory, so it's a good idea to restart BIND every week to decrease the memory it usesSo we'll do that as daily cron task:+===== Client Configuration ===== 
 + 
 +Edit ''/​etc/​resolv.conf''​ to tell clients ​to use localhost to resolve DNS namesAgain, ​we include ​few other name servers just as documentation.
  
 <code bash> <code bash>
-sudo sh -c 'cat > /etc/cron.weekly/​restart-bind' <<EOF +DOMAIN=$(hostname -d) 
-#!/bin/sh +sudo sh -c 'cat > /etc/resolv.conf' <<​EOF 
-/​etc/​init.d/​bind9 reload >/​dev/​null +domain ​$DOMAIN
-EOF +
-sudo chmod +x /​etc/​cron.weekly/​restart-bind +
-</​code>​ +
- +
-===== Client Configuration ===== +
- +
-Edit ''/​etc/​resolv.conf''​ to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation. +
-<​file>​ +
-domain ​boochtek.com+
 nameserver 127.0.0.1 nameserver 127.0.0.1
-#nameserver 205.242.92.2 # ns1.primary.net 
-#nameserver 205.242.176.103 # ns2.primary.net 
 #nameserver 208.67.220.220 # OpenDNS public DNS server #nameserver 208.67.220.220 # OpenDNS public DNS server
 #nameserver 208.67.222 .222 # OpenDNS public DNS server #nameserver 208.67.222 .222 # OpenDNS public DNS server
-#nameserver 209.20.72.4 # SliceHost +EOF 
-#nameserver 209.20.72.5 # SliceHost +</code>
-</file>+
  
 We also need to delete any dns-* lines from ''/​etc/​network/​interfaces'',​ as they cause ''/​etc/​resolv.conf''​ to be updated when the interface comes up. We also need to delete any dns-* lines from ''/​etc/​network/​interfaces'',​ as they cause ''/​etc/​resolv.conf''​ to be updated when the interface comes up.
-<​code ​rootshell+ 
-sed -i -e 's/^.*dns-.*//' ​/​etc/​network/​interfaces+<​code ​bash
 +sudo sed -i /​etc/​network/​interfaces ​-e '/​^.*dns-.*/​d'
 </​code>​ </​code>​
 +
  
 ===== Testing ===== ===== Testing =====
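Review bot: the new `listen-on {loopback; external_subnet;};` in named.conf.options puts the resolver on a second interface without any matching `allow-query` or `allow-recursion` statement, so with `forwarders` configured and recursion left at the BIND default the server will recurse for any source address that can reach that interface; add `allow-recursion { loopback; external_subnet; };` (and `allow-query-cache` with the same ACL) beside `allow-transfer`, and for the caching-only variant described below the block restrict both to `loopback`. Two smaller points in the same hunk: `sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev}` hands the configuration directory to the unprivileged `bind` user, which lets a compromised named rewrite its own named.conf and undercuts the protection the chroot is meant to give, so leave `etc` root-owned with group-readable files; and the prose above the sed says the jail is `/var/lib/bind9/chroot` while every command uses `/var/lib/bind/chroot`. The resolv.conf heredoc also carries over the pre-existing `208.67.222 .222` line, whose stray space makes it an invalid address.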
Line 118: Line 132:
 Check ''/​var/​log/​daemon.log''​ and ''/​var/​log/​syslog''​ for startup/​shutdown info from the bind9 daemon. Check ''/​var/​log/​daemon.log''​ and ''/​var/​log/​syslog''​ for startup/​shutdown info from the bind9 daemon.
  
-Run ''​rndc status''​ to check the status of the server.+Run ''​sudo rndc status''​ to check the status of the server
 + 
 +Run ''​sudo rndc stats''​ and then read ''/​var/​cache/​bind/​named.stats''​ to get server stats, including number of successful and failed DNS lookups.
  
-Run ''​rndc stats''​ and then read ''/​var/​lib/​named/​var/​cache/​bind/​named.stats''​ to get server stats, including number of successful and failed DNS lookups. 
  
 ===== Notes ===== ===== Notes =====
- 
-These settings are for hosting at SliceHost. Our forwarders will need to be changed if we change hosting/​ISPs. 
  
 The OpenDNS servers are publicly available for anyone to use. It probably doesn'​t make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services. The OpenDNS servers are publicly available for anyone to use. It probably doesn'​t make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services.
  
 The 4.2.2.x addresses are supposedly Verizon'​s publicly-available DNS server that anyone can use. The 4.2.2.x addresses are supposedly Verizon'​s publicly-available DNS server that anyone can use.
 +
  
 ===== TODO ===== ===== TODO =====
  
-If we move the servers, we need to change the forwarders in ''/​var/​lib/​named/​etc/​bind/​named.conf.options'' ​to the upstream ISP's DNS servers, or use some of the public ​DNS servers.+We should probably hit the root servers ​instead of forwarding ​to OpenDNSOr forward ​to the DNS servers ​provided by our ISP. 
  
 ===== Credits ===== ===== Credits =====
  
-Much of this is based on the [[http://​www.howtoforge.com/​howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]].+Details using BIND under chroot ​is available ​on the [[http://​wiki.debian.org/​Bind9#​Bind_Chroot | Debian Wiki page on BIND]], as well as the [[http://​www.howtoforge.com/​howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]] ​on HowtoForge. 
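Review bot: the Testing section still has no check that the chroot actually took effect after the `/etc/default/bind9` change, since `rndc status` only shows that the server is up; add a step that inspects the running process (for example `ps -o args -C named` should show `-t /var/lib/bind/chroot`, or `sudo readlink /proc/$(pidof named)/root` should print the jail path) and a negative-lookup test such as `dig @127.0.0.1 nonexistent.example.` expecting NXDOMAIN, because the Notes paragraph says OpenDNS substitutes its own servers for unknown names while the options block in this revision forwards to them, as the TODO acknowledges. Style point on the Credits line: "Details using BIND under chroot is available on" should read "Details on using BIND under chroot are available on".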
build/dns.1280687847.txt.gz · Last modified: 2012/12/10 22:41 (external edit)