This shows you the differences between two versions of the page.
build:dns [2010/08/01 13:41] 99.100.133.164 Use sudo. |
build:dns [2012/12/10 22:41] (current) |
Line 1: | Line 1: | ||
====== DNS ====== | ====== DNS ====== | ||
- | We are running a caching name server on the server, bound to the loopback interface only. | + | We run a caching name server on all our servers. This speeds up name lookups, and reduces network load to external name servers a bit. |
- | We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits. | + | On some servers, we also serve DNS for several domains to the outside world. We use BuddyNS as our secondary servers; they use AXFR to transfer changes to our domains. |
+ | |||
+ | We decided to use BIND 9, as it is popular and well supported. BIND 9 was completely rewritten with security in mind, and so it seems to have a lot fewer security issues than BIND 4 and BIND 8 did. We decided to put BIND into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits that do turn up. | ||
- | Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page. | ||
===== Installation ===== | ===== Installation ===== | ||
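Review bot: the claim in the new third paragraph that the chroot "will protect us from most BIND and DNS exploits that do turn up" overstates what it does. A chroot plus `-u bind` limits what a compromised named can reach on the filesystem; it does nothing against cache poisoning, zone-transfer leakage, amplification abuse or denial of service, which are the classes that actually recur against resolvers. Suggest wording it as containment of a code-execution bug rather than protection from exploits in general. Separately, the removed sentence linking to the domains page was the only pointer to where the zones themselves (named.conf.local, zone files) are documented; now that the intro says some servers are authoritative for several domains and transfer them to BuddyNS, keep a link to wherever that zone configuration lives.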
Line 12: | Line 13: | ||
<code bash> | <code bash> | ||
- | sudo apt-get install -y bind9 bind9-host dnsutils bind9-doc | + | sudo apt-get install bind9 bind9utils bind9-doc dnsutils |
</code> | </code> | ||
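Review bot: dropping bind9-host is fine, since dnsutils pulls in a host utility, but the hunk should say why bind9utils was added: it provides named-checkconf and named-checkzone, which are the right answer to the "forgetting a semi-colon" troubleshooting in the Startup section. Worth adding a validation step once the chroot is in place, e.g. `sudo named-checkconf -t /var/lib/bind/chroot /etc/bind/named.conf`, so the config is checked against the chroot paths before named is restarted.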
Line 21: | Line 22: | ||
</code> | </code> | ||
- | Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it: | + | Next build out ''/var/lib/bind/chroot'' to contain enough so that bind9 can run chrooted within it: |
<code bash> | <code bash> | ||
- | sudo mkdir -p /var/lib/named | + | sudo mkdir -p /var/lib/bind/chroot/{etc,dev,var/cache/bind,var/run/named} |
- | sudo mkdir -p /var/lib/named/etc /var/lib/named/dev | + | sudo mknod /var/lib/bind/chroot/dev/null c 1 3 |
- | sudo mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind | + | sudo mknod /var/lib/bind/chroot/dev/random c 1 8 |
- | sudo chown -R bind:bind /var/lib/named/var/* | + | sudo chmod 660 /var/lib/bind/chroot/dev/{null,random} |
- | sudo mknod /var/lib/named/dev/random c 1 8 | + | sudo chmod 775 /var/lib/bind/chroot/var/{cache/bind,run/named} |
- | sudo mknod /var/lib/named/dev/null c 1 3 | + | sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev} |
- | sudo chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random | + | sudo rm -rf /var/run/named /var/cache/bind |
- | sudo ln -sf /var/lib/named/var/run/bind /var/run/bind | + | sudo ln -s /var/lib/bind/chroot/var/run/named /var/run/named |
- | sudo ln -sf /var/lib/named/var/cache/bind /var/cache/bind | + | sudo ln -s /var/lib/bind/chroot/var/cache/bind /var/cache/bind |
</code> | </code> | ||
+ | |||
===== Configuration ===== | ===== Configuration ===== | ||
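Review bot: `sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev}` gives the named user write access to its own configuration, which undoes part of what the chroot buys: a compromised named could rewrite named.conf, rndc.key or the zone files it serves. Keep the chroot's etc tree root-owned and group-readable as Debian ships it (root:bind, with rndc.key at 0640) and chown only the directories named must write, i.e. var/cache/bind and var/run/named; slave or dynamic zones can get their own bind-writable directory. Two smaller points: with `random-device` left at BIND's default of /dev/random, the `c 1 8` node may block named when the kernel entropy pool is low, which is common on a VPS, so consider `c 1 9` (/dev/urandom) or setting random-device explicitly; and the `ln -s ... /var/run/named` symlink will not survive a reboot on releases where /var/run is a tmpfs, so check after the first reboot that named still finds its pid directory.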
Line 41: | Line 43: | ||
<code bash> | <code bash> | ||
sudo mv /etc/bind /etc/bind.dist | sudo mv /etc/bind /etc/bind.dist | ||
- | sudo cp -a /etc/bind.dist /var/lib/named/etc/bind | + | sudo cp -a /etc/bind.dist /var/lib/bind/chroot/etc/bind |
- | sudo ln -s /var/lib/named/etc/bind /etc/bind | + | sudo ln -s /var/lib/bind/chroot/etc/bind /etc/bind |
</code> | </code> | ||
- | Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named: | + | Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/bind9/chroot: |
<code bash> | <code bash> | ||
- | sudo sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9 | + | sudo sed -i -e 's|OPTIONS="-u bind"|OPTIONS="-u bind -t /var/lib/bind/chroot"|' /etc/default/bind9 |
</code> | </code> | ||
- | Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders commented out, in case we decide to use them at a later date. | + | Edit ''/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include names for a few backup forwarders, in case we decide to use them at a later date. |
<file> | <file> | ||
+ | acl loopback {127.0.0.1;}; # The "localhost" ACL is pre-defined, but includes all interfaces. | ||
+ | acl external_subnet {192.168.210.0/24;}; | ||
+ | acl buddyns {173.244.206.26; 88.198.106.11; 74.117.59.111;}; # Allow AXFR to these addresses for BuddyNS to provide secondary/authoritative DNS for us. | ||
+ | acl opendns {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers. | ||
+ | acl verizon_dns {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers. | ||
+ | |||
options { | options { | ||
- | directory "/var/cache/bind"; | + | directory "/var/cache/bind"; |
- | listen-on {127.0.0.1;}; # only act as a DNS cache for localhost | + | listen-on {loopback; external_subnet;}; # Listen on loopback interface (for DNS caching), plus any interface on our external subnet (for queries and transfers). |
- | forwarders {209.20.72.4; 209.20.72.5;}; # SliceHost DNS servers | + | forwarders {208.67.220.220; 208.67.222.222;}; # Forward queries here, unless we're authoritative. (Cannot use named ACLs here.) |
- | #forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers | + | allow-transfer {buddyns; localhost;}; # Allow AXFRs to BuddyNS (so they can mirror us), and all local interfaces (for testing). |
- | #forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers | + | auth-nxdomain no; # Conform to RFC1035. |
- | auth-nxdomain no; # conform to RFC1035 | + | version none; # Don't publicize our version number. |
}; | }; | ||
</file> | </file> | ||
+ | |||
+ | For caching-only servers, remove the ''external_subnet'' from ''listen-on'', and remove the ''allow-transfer'' line. | ||
+ | |||
===== Logging ===== | ===== Logging ===== | ||
- | To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket in a '-a' option. This is set in the SYSLOGD parameter in the ''/etc/init.d/sysklogd'' file: | + | To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. |
+ | |||
+ | Since Debian 5+ uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket: | ||
<code bash> | <code bash> | ||
- | sudo sed -i -e 's:^SYSLOGD=""$:SYSLOGD="-a /var/lib/named/dev/log":' /etc/default/syslogd | + | sudo sh -c 'echo "\$AddUnixListenSocket /var/lib/bind/chroot/dev/log" > /etc/rsyslog.d/bind9.conf' |
</code> | </code> | ||
Line 75: | Line 88: | ||
<code bash> | <code bash> | ||
- | sudo /etc/init.d/sysklogd restart | + | sudo /etc/init.d/rsyslog restart |
</code> | </code> | ||
+ | |||
===== Startup ===== | ===== Startup ===== | ||
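Review bot: after the restart, verify the socket actually appeared with `ls -l /var/lib/bind/chroot/dev/log` before moving on to Startup; and if the chroot directory is ever recreated, rsyslog has to be restarted again, since the socket lives inside it.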
Line 88: | Line 102: | ||
If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file. | If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file. | ||
- | ==== Daily Restart ==== | ||
- | |||
- | On our VPS system, we've got very limited memory, so it's a good idea to restart BIND every week to decrease the memory it uses. So we'll do that as a daily cron task: | ||
- | |||
- | <code bash> | ||
- | sudo sh -c 'cat > /etc/cron.weekly/restart-bind' <<EOF | ||
- | #!/bin/sh | ||
- | /etc/init.d/bind9 reload >/dev/null | ||
- | EOF | ||
- | sudo chmod +x /etc/cron.weekly/restart-bind | ||
- | </code> | ||
===== Client Configuration ===== | ===== Client Configuration ===== | ||
- | Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation. | + | Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other name servers just as documentation. |
- | <file> | + | <code bash> |
- | domain boochtek.com | + | DOMAIN=$(hostname -d) |
+ | sudo sh -c 'cat > /etc/resolv.conf' <<EOF | ||
+ | domain $DOMAIN | ||
nameserver 127.0.0.1 | nameserver 127.0.0.1 | ||
- | #nameserver 205.242.92.2 # ns1.primary.net | ||
- | #nameserver 205.242.176.103 # ns2.primary.net | ||
#nameserver 208.67.220.220 # OpenDNS public DNS server | #nameserver 208.67.220.220 # OpenDNS public DNS server | ||
#nameserver 208.67.222 .222 # OpenDNS public DNS server | #nameserver 208.67.222 .222 # OpenDNS public DNS server | ||
- | #nameserver 209.20.72.4 # SliceHost | + | EOF |
- | #nameserver 209.20.72.5 # SliceHost | + | </code> |
- | </file> | + | |
We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up. | We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up. | ||
<code bash> | <code bash> | ||
- | sudo sed -i -e 's/^.*dns-.*//' /etc/network/interfaces | + | sudo sed -i /etc/network/interfaces -e '/^.*dns-.*/d' |
</code> | </code> | ||
+ | |||
===== Testing ===== | ===== Testing ===== | ||
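Review bot: removing the "Daily Restart" block is right (it was headed daily, installed weekly, and ran `reload` rather than a restart, which does not free cache memory anyway); if memory on the VPS is still the concern, `max-cache-size` in the options block bounds the cache without restarts. In the resolv.conf hunk, `hostname -d` prints nothing when the host has no domain part, which would leave a bare `domain` line in the generated file; guard it or drop the line. The sed change from blanking to deleting `dns-*` lines is an improvement; `/dns-/d` does the same job as `/^.*dns-.*/d`. The context line `208.67.222 .222` has a stray space in the second OpenDNS address, which the hunk carries over unchanged.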
Line 129: | Line 132: | ||
Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon. | Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon. | ||
- | Run ''rndc status'' to check the status of the server. | + | Run ''sudo rndc status'' to check the status of the server. |
+ | |||
+ | Run ''sudo rndc stats'' and then read ''/var/cache/bind/named.stats'' to get server stats, including number of successful and failed DNS lookups. | ||
- | Run ''rndc stats'' and then read ''/var/lib/named/var/cache/bind/named.stats'' to get server stats, including number of successful and failed DNS lookups. | ||
===== Notes ===== | ===== Notes ===== | ||
- | |||
- | These settings are for hosting at SliceHost. Our forwarders will need to be changed if we change hosting/ISPs. | ||
The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services. | The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services. | ||
The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use. | The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use. | ||
+ | |||
===== TODO ===== | ===== TODO ===== | ||
- | If we move the servers, we need to change the forwarders in ''/var/lib/named/etc/bind/named.conf.options'' to the upstream ISP's DNS servers, or use some of the public DNS servers. | + | We should probably hit the root servers instead of forwarding to OpenDNS. Or forward to the DNS servers provided by our ISP. |
===== Credits ===== | ===== Credits ===== | ||
- | Much of this is based on the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]]. | + | Details using BIND under chroot is available on the [[http://wiki.debian.org/Bind9#Bind_Chroot | Debian Wiki page on BIND]], as well as the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]] on HowtoForge. |
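Review bot: the TODO could say what dropping `forwarders` means in practice: Debian's named.conf.default-zones already carries the root hint zone (`/etc/bind/db.root`), so removing the forwarders line is enough to make named recurse from the roots, which also ends the dependence on the OpenDNS NXDOMAIN redirection described under Notes. In Testing, the path change to `/var/cache/bind/named.stats` works only because of the symlink into the chroot set up earlier, and `rndc` run outside the chroot likewise depends on `/etc/bind` being a symlink into it so both sides read the same rndc.key; worth stating both. A recursion check from a host outside the listening subnet would round out the tests.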