DNS

We are running a caching name server on the server, bound to the loopback interface only.

We decided to use BIND 9, as it is well supported now. (Note that Debian's default is BIND 8 if you just ask for "bind".) We also decided to run it in a chroot jail, which is simple to set up and well documented, and which confines most BIND and DNS exploits to the jail instead of the whole system.

Installation

First, install the required packages:

sudo apt-get install -y bind9 bind9-host dnsutils bind9-doc

Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done:

sudo /etc/init.d/bind9 stop

Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it:

sudo mkdir -p /var/lib/named
sudo mkdir -p /var/lib/named/etc /var/lib/named/dev
sudo mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind
sudo chown -R bind:bind /var/lib/named/var/*
sudo mknod /var/lib/named/dev/random c 1 8
sudo mknod /var/lib/named/dev/null c 1 3
sudo chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
sudo ln -sf /var/lib/named/var/run/bind /var/run/bind
sudo ln -sf /var/lib/named/var/cache/bind /var/cache/bind

Configuration

Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location:

sudo mv /etc/bind /etc/bind.dist
sudo cp -a /etc/bind.dist /var/lib/named/etc/bind
sudo ln -s /var/lib/named/etc/bind /etc/bind

Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named:

sudo sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9

Edit /var/lib/named/etc/bind/named.conf.options to tell it which interfaces to listen on, and which servers to forward requests to when we don't have the answer cached. We also include a few backup forwarders, commented out, in case we decide to use them at a later date.

options {
	directory "/var/cache/bind";
	listen-on {127.0.0.1;}; # only act as a DNS cache for localhost
	forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers
	#forwarders {209.20.72.4; 209.20.72.5;}; # SliceHost DNS servers
	#forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers
	auth-nxdomain no; # conform to RFC1035
};
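As an added example, not from the original page or the Bind-Chroot-Howto, here is a small POSIX sh audit script that reads a named.conf.options in the layout above and confirms that listen-on contains only loopback addresses, then reports which forwarders are really active (commented-out lines are ignored). The sample config written by make_sample is constructed for the check; the function names are ours. It assumes the single-line `listen-on { ... };` form used above, without a port clause, and IPv4 addresses.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: audit a named.conf.options
# file to confirm the cache only listens on loopback and to list which
# forwarders are actually active (commented-out ones are ignored).
# Assumes the one-directive-per-line layout used above, a plain
# "listen-on { ... };" (no "port" clause) and IPv4 addresses.

# strip_comments FILE: remove '#' and '//' comments so disabled directives are ignored
strip_comments() {
    sed -e 's/#.*$//' -e 's,//.*$,,' "$1"
}

# directive_values FILE NAME: print the ';'-separated values inside "NAME { ... }", one per line
directive_values() {
    strip_comments "$1" \
        | sed -n "s/.*$2[[:space:]]*{\([^}]*\)}.*/\1/p" \
        | tr ';' '\n' | tr -d ' \t' | sed '/^$/d'
}

# active_forwarders FILE: addresses in the uncommented forwarders directive
active_forwarders() {
    directive_values "$1" forwarders
}

# listen_addrs FILE: addresses in listen-on (listen-on-v6 does not match this pattern)
listen_addrs() {
    directive_values "$1" listen-on
}

# audit_named_options FILE: return 0 if every listen-on address is loopback;
# otherwise report each exposed address and return 1. Also reports the forwarder count.
audit_named_options() {
    file=$1
    rc=0
    listen=$(listen_addrs "$file")
    if [ -z "$listen" ]; then
        echo "WARN: no listen-on directive; named would listen on every interface"
        rc=1
    fi
    for a in $listen; do
        case "$a" in
            127.0.0.1|localhost) ;;
            *) echo "FAIL: listen-on exposes the cache on $a"; rc=1 ;;
        esac
    done
    n=$(active_forwarders "$file" | wc -l | tr -d ' ')
    echo "INFO: $n active forwarder(s): $(active_forwarders "$file" | tr '\n' ' ')"
    return $rc
}

# make_sample FILE MODE: write a constructed named.conf.options ("good" listens on
# loopback only, "bad" listens on every interface) for trying out the audit
make_sample() {
    if [ "$2" = good ]; then listen='127.0.0.1;'; else listen='any;'; fi
    cat > "$1" <<EOF
options {
    directory "/var/cache/bind";
    listen-on {$listen}; # only act as a DNS cache for localhost
    forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers
    #forwarders {209.20.72.4; 209.20.72.5;}; # SliceHost DNS servers
    auth-nxdomain no; # conform to RFC1035
};
EOF
}

# Usage: sh audit-named.sh /var/lib/named/etc/bind/named.conf.options
if [ $# -gt 0 ]; then audit_named_options "$1"; fi
```

Run it after each config change, and pair it with `named-checkconf -t /var/lib/named /etc/bind/named.conf`, which catches the missing-semicolon syntax errors before you start the daemon. The listen-on of 127.0.0.1 is what keeps this from being an open resolver; adding `allow-query { localhost; };` and `allow-recursion { localhost; };` to the options block is a second guard in case listen-on is ever widened.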

Logging

To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it.

Since Debian 5 uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket:

sudo sh -c 'echo "\$AddUnixListenSocket /var/lib/named/dev/log" > /etc/rsyslog.d/bind9.conf'

Then restart the logging daemon:

sudo /etc/init.d/rsyslog restart

Startup

Start the named server:

sudo /etc/init.d/bind9 start

If startup fails, tail /var/log/syslog to look for errors. The most likely error is a missing semicolon somewhere in the config file.

Daily Restart

On our VPS system, we've got very limited memory, so it's a good idea to restart BIND every week to decrease the memory it uses. So we'll do that as a weekly cron task:

sudo sh -c 'cat > /etc/cron.weekly/restart-bind' <<EOF
#!/bin/sh
# A full restart is needed to free the cache memory; "reload" only re-reads the config and keeps the cache.
/etc/init.d/bind9 restart >/dev/null
EOF
sudo chmod +x /etc/cron.weekly/restart-bind

Client Configuration

Edit /etc/resolv.conf to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation.

domain boochtek.com
nameserver 127.0.0.1
#nameserver 205.242.92.2 # ns1.primary.net
#nameserver 205.242.176.103 # ns2.primary.net
#nameserver 208.67.220.220 # OpenDNS public DNS server
#nameserver 208.67.222.222 # OpenDNS public DNS server
#nameserver 209.20.72.4 # SliceHost
#nameserver 209.20.72.5 # SliceHost

We also need to delete any dns-* lines from /etc/network/interfaces, as they cause /etc/resolv.conf to be updated when the interface comes up.

sudo sed -i -e 's/^.*dns-.*//' /etc/network/interfaces

Testing

Run nslookup and/or dig to resolve some DNS names. Make sure you get answers back from 127.0.0.1.

Run some client programs to make sure they are resolving host names properly.

Check /var/log/daemon.log and /var/log/syslog for startup/shutdown info from the bind9 daemon.

Run rndc status to check the status of the server.

Run rndc stats and then read /var/lib/named/var/cache/bind/named.stats to get server stats, including number of successful and failed DNS lookups.
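The answers-from-127.0.0.1 check above can be scripted. The following is an added example, not part of the original page: it parses the `;; SERVER:`, status and flags lines that dig prints and fails if the answer did not come from the local cache, did not succeed, or was served without recursion; a named_chroot_dir helper reads /proc/<pid>/root to confirm the running named really is jailed in /var/lib/named. The dig output embedded in write_sample is constructed for offline checking (www.example.com and 192.0.2.10 are documentation values); all function names are ours.

```shell
#!/bin/sh
# Added example, not part of the original wiki page: check a dig response to
# confirm the answer came from the local cache (127.0.0.1), succeeded, and that
# the server offered recursion. The sample response below is constructed; the
# name www.example.com and address 192.0.2.10 are documentation values.

# dig_server FILE: address that answered, from the ";; SERVER: 127.0.0.1#53(127.0.0.1)" line
dig_server() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' "$1"
}

# dig_status FILE: response code from the ";; ->>HEADER<<-" line (NOERROR, NXDOMAIN, SERVFAIL, ...)
dig_status() {
    sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' "$1"
}

# dig_has_flag FILE FLAG: true if FLAG (e.g. ra = recursion available) is set in the flags line
dig_has_flag() {
    sed -n 's/^;; flags: \([^;]*\);.*/\1/p' "$1" | tr ' ' '\n' | grep -qx "$2"
}

# check_local_cache FILE: 0 if the response came from 127.0.0.1 with NOERROR and
# recursion available; otherwise prints what was wrong and returns 1
check_local_cache() {
    rc=0
    server=$(dig_server "$1")
    [ "$server" = 127.0.0.1 ] || { echo "answered by ${server:-unknown}, not the local cache"; rc=1; }
    status=$(dig_status "$1")
    [ "$status" = NOERROR ] || { echo "status ${status:-missing}"; rc=1; }
    dig_has_flag "$1" ra || { echo "server did not offer recursion (no ra flag)"; rc=1; }
    return $rc
}

# write_sample FILE: constructed dig output in the shape the real tool prints
write_sample() {
    cat > "$1" <<'EOF'
; <<>> DiG 9.x <<>> www.example.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.example.com.		IN	A

;; ANSWER SECTION:
www.example.com.	3600	IN	A	192.0.2.10

;; Query time: 12 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Thu Aug 12 10:00:00 2010
;; MSG SIZE  rcvd: 49
EOF
}

# check_live NAME: run dig against whatever /etc/resolv.conf points at and check the response
check_live() {
    out=$(mktemp)
    dig "$1" > "$out"
    check_local_cache "$out"
    rc=$?
    rm -f "$out"
    return $rc
}

# named_chroot_dir: root directory of the running named, read from /proc;
# should print /var/lib/named when the -t option in /etc/default/bind9 took effect
named_chroot_dir() {
    sudo readlink "/proc/$(pidof named)/root"
}

# Usage: sh check-dns.sh www.example.com
if [ $# -gt 0 ]; then check_live "$1"; fi
```

Run check_live twice for the same name: the second `;; Query time:` should drop to near zero, which is the cache working. If the SERVER line shows anything but 127.0.0.1, a dns-* line in /etc/network/interfaces has probably rewritten /etc/resolv.conf again.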

Notes

These settings are for hosting at SliceHost. Our forwarders will need to be changed if we change hosting/ISPs.

The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services.

The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use.

TODO

If we move the servers, we need to change the forwarders in /var/lib/named/etc/bind/named.conf.options to the upstream ISP's DNS servers, or use some of the public DNS servers.

Credits

Much of this is based on the Bind-Chroot-Howto for Debian.

build/dns.1281477704.txt.gz · Last modified: 2012/12/10 22:41 (external edit)