Differences

This shows you the differences between two versions of the page.

--- build:dns [2010/08/01 13:41]
99.100.133.164 Use sudo.
+++ build:dns [2012/12/10 22:41] (current)
@@ Line 1: / Line 1: @@
 ====== DNS ======
-We are running a caching name server on the server, bound to the loopback interface only.
+We run a caching name server on all our servers. This speeds up name lookups, and reduces network load to external name servers a bit.
-We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits.
+On some servers, we also serve DNS for several domains to the outside world. We use BuddyNS as our secondary servers; they use AXFR to transfer changes to our domains.
+We decided to use BIND 9, as it is popular and well supported. BIND 9 was completely rewritten with security in mind, and so it seems to have a lot fewer security issues than BIND 4 and BIND 8 did. We decided to put BIND into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits that do turn up.
-Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page.
 ===== Installation =====
@@ Line 12: / Line 13: @@
 <code bash>
-sudo apt-get install -y bind9 bind9-host dnsutils bind9-doc
+sudo apt-get install bind9 bind9utils bind9-doc dnsutils
 </code>
@@ Line 21: / Line 22: @@
 </code>
-Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it:
+Next build out ''/var/lib/bind/chroot'' to contain enough so that bind9 can run chrooted within it:
 <code bash>
-sudo mkdir -p /var/lib/named
+sudo mkdir -p /var/lib/bind/chroot/{etc,dev,var/cache/bind,var/run/named}
-sudo mkdir -p /var/lib/named/etc /var/lib/named/dev
+sudo mknod /var/lib/bind/chroot/dev/null c 1 3
-sudo mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind
+sudo mknod /var/lib/bind/chroot/dev/random c 1 8
-sudo chown -R bind:bind /var/lib/named/var/*
+sudo chmod 660 /var/lib/bind/chroot/dev/{null,random}
-sudo mknod /var/lib/named/dev/random c 1 8
+sudo chmod 775 /var/lib/bind/chroot/var/{cache/bind,run/named}
-sudo mknod /var/lib/named/dev/null c 1 3
+sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev}
-sudo chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
+sudo rm -rf /var/run/named /var/cache/bind
-sudo ln -sf /var/lib/named/var/run/bind /var/run/bind
+sudo ln -s /var/lib/bind/chroot/var/run/named /var/run/named
-sudo ln -sf /var/lib/named/var/cache/bind /var/cache/bind
+sudo ln -s /var/lib/bind/chroot/var/cache/bind /var/cache/bind
 </code>
 ===== Configuration =====
@@ Line 41: / Line 43: @@
 <code bash>
 sudo mv /etc/bind /etc/bind.dist
-sudo cp -a /etc/bind.dist /var/lib/named/etc/bind
+sudo cp -a /etc/bind.dist /var/lib/bind/chroot/etc/bind
-sudo ln -s /var/lib/named/etc/bind /etc/bind
+sudo ln -s /var/lib/bind/chroot/etc/bind /etc/bind
 </code>
-Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named:
+Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/bind9/chroot:
 <code bash>
-sudo sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9
+sudo sed -i -e 's|OPTIONS="-u bind"|OPTIONS="-u bind -t /var/lib/bind/chroot"|' /etc/default/bind9
 </code>
-Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders commented out, in case we decide to use them at a later date.
+Edit ''/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include names for a few backup forwarders, in case we decide to use them at a later date.
 <file>
+acl loopback        {127.0.0.1;};                   # The "localhost" ACL is pre-defined, but includes all interfaces.
+acl external_subnet {192.168.210.0/24;};
+acl buddyns         {173.244.206.26; 88.198.106.11; 74.117.59.111;};            # Allow AXFR to these addresses for BuddyNS to provide secondary/authoritative DNS for us.
+acl opendns         {208.67.220.220; 208.67.222.222;};                          # OpenDNS public DNS servers.
+acl verizon_dns     {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;};    # Verizon public DNS servers.
 options {
-	directory "/var/cache/bind";
+    directory "/var/cache/bind";
-	listen-on {127.0.0.1;}; # only act as a DNS cache for localhost
+    listen-on {loopback; external_subnet;};         # Listen on loopback interface (for DNS caching), plus any interface on our external subnet (for queries and transfers).
-	forwarders {209.20.72.4; 209.20.72.5;}; # SliceHost DNS servers
+    forwarders {208.67.220.220; 208.67.222.222;};   # Forward queries here, unless we're authoritative. (Cannot use named ACLs here.)
-	#forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers
+    allow-transfer {buddyns; localhost;};           # Allow AXFRs to BuddyNS (so they can mirror us), and all local interfaces (for testing).
-	#forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers
+    auth-nxdomain no;                               # Conform to RFC1035.
-	auth-nxdomain no; # conform to RFC1035
+    version none;                                   # Don't publicize our version number.
 };
 </file>
+For caching-only servers, remove the ''external_subnet'' from ''listen-on'', and remove the ''allow-transfer'' line.
 ===== Logging =====
-To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket in a '-a' option. This is set in the SYSLOGD parameter in the ''/etc/init.d/sysklogd'' file:
+To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it.
+Since Debian 5+ uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket:
 <code bash>
-sudo sed -i -e 's:^SYSLOGD=""$:SYSLOGD="-a /var/lib/named/dev/log":' /etc/default/syslogd
+sudo sh -c 'echo "\$AddUnixListenSocket /var/lib/bind/chroot/dev/log" > /etc/rsyslog.d/bind9.conf'
 </code>
@@ Line 75: / Line 88: @@
 <code bash>
-sudo /etc/init.d/sysklogd restart
+sudo /etc/init.d/rsyslog restart
 </code>
 ===== Startup =====
@@ Line 88: / Line 102: @@
 If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file.
-==== Daily Restart ====
-On our VPS system, we've got very limited memory, so it's a good idea to restart BIND every week to decrease the memory it uses. So we'll do that as a daily cron task:
-<code bash>
-sudo sh -c 'cat > /etc/cron.weekly/restart-bind' <<EOF
-#!/bin/sh
-/etc/init.d/bind9 reload >/dev/null
-EOF
-sudo chmod +x /etc/cron.weekly/restart-bind
-</code>
 ===== Client Configuration =====
-Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation.
+Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other name servers just as documentation.
-<file>
+<code bash>
-domain boochtek.com
+DOMAIN=$(hostname -d)
+sudo sh -c 'cat > /etc/resolv.conf' <<EOF
+domain $DOMAIN
 nameserver 127.0.0.1
-#nameserver 205.242.92.2 # ns1.primary.net
-#nameserver 205.242.176.103 # ns2.primary.net
 #nameserver 208.67.220.220 # OpenDNS public DNS server
 #nameserver 208.67.222 .222 # OpenDNS public DNS server
-#nameserver 209.20.72.4 # SliceHost
+EOF
-#nameserver 209.20.72.5 # SliceHost
+</code>
-</file>
 We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up.
 <code bash>
-sudo sed -i -e 's/^.*dns-.*//' /etc/network/interfaces
+sudo sed -i /etc/network/interfaces -e '/^.*dns-.*/d'
 </code>
 ===== Testing =====
@@ Line 129: / Line 132: @@
 Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon.
-Run ''rndc status'' to check the status of the server.
+Run ''sudo rndc status'' to check the status of the server.
+Run ''sudo rndc stats'' and then read ''/var/cache/bind/named.stats'' to get server stats, including number of successful and failed DNS lookups.
-Run ''rndc stats'' and then read ''/var/lib/named/var/cache/bind/named.stats'' to get server stats, including number of successful and failed DNS lookups.
 ===== Notes =====
-These settings are for hosting at SliceHost. Our forwarders will need to be changed if we change hosting/ISPs.
 The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services.
 The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use.
 ===== TODO =====
-If we move the servers, we need to change the forwarders in ''/var/lib/named/etc/bind/named.conf.options'' to the upstream ISP's DNS servers, or use some of the public DNS servers.
+We should probably hit the root servers instead of forwarding to OpenDNS. Or forward to the DNS servers provided by our ISP.
 ===== Credits =====
-Much of this is based on the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]].
+Details using BIND under chroot is available on the [[http://wiki.debian.org/Bind9#Bind_Chroot | Debian Wiki page on BIND]], as well as the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]] on HowtoForge.

BoochTek Wiki

User Tools

Site Tools

Differences

Page Tools