build:dns

Differences

This shows you the differences between two versions of the page.

build:dns [2010/12/29 14:38]
Craig Buchek No longer need to restart BIND every week, as we have enough RAM.
build:dns [2012/12/10 22:41] (current)
Line 1: Line 1:
 ====== DNS ====== ====== DNS ======
  
-We are running ​a caching name server on the serverbound to the loopback interface only.+We run a caching name server on all our servers. This speeds up name lookupsand reduces network load to external name servers a bit.
  
-We decided ​to use bind 9, as it is well supported now(Note that Debian'​s default is bind 8, if you just say "​bind"​.) ​We also decided to put it into a chroot jail, as it's pretty simple ​to do and well-documented. This will protect us from most bind and DNS exploits.+On some servers, we also serve DNS for several domains ​to the outside world. We use BuddyNS ​as our secondary servers; they use AXFR to transfer changes to our domains
  
 +We decided to use BIND 9, as it is popular and well supported. BIND 9 was completely rewritten with security in mind, and so it seems to have a lot fewer security issues than BIND 4 and BIND 8 did. We decided to put BIND into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits that do turn up.
  
  
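Review bot: "This will protect us from most BIND and DNS exploits that do turn up" overstates what the chroot gives us. A chroot (together with the `-u bind` option set later in /etc/default/bind9) only limits what a compromised named process can reach on the filesystem; it does nothing against cache poisoning, denial of service or reflection/amplification abuse, which make up most BIND advisories. Suggest: "This limits the damage if named itself is ever compromised." The comparison with BIND 4 and BIND 8 is also unsupported as written; BIND 9 has had a steady stream of its own advisories, and the stronger reason to avoid BIND 8 is simply that it has been unmaintained since 2007. Finally, the new first two paragraphs describe one daemon acting as both the recursive cache for our hosts and the public authoritative server for our zones; that combination needs recursion explicitly restricted to local clients, which the options block further down does not yet do, so the requirement belongs here in the overview.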
Line 12: Line 13:
  
 <code bash> <code bash>
-sudo apt-get install ​-y bind9 bind9-host dnsutils ​bind9-doc+sudo apt-get install bind9 bind9utils ​bind9-doc dnsutils
 </​code>​ </​code>​
  
Line 21: Line 22:
 </​code>​ </​code>​
  
-Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it:+Next build out ''​/var/lib/bind/​chroot'' ​to contain enough so that bind9 can run chrooted within it:
  
 <code bash> <code bash>
-sudo mkdir -p /​var/​lib/​named +sudo mkdir -p /var/lib/​bind/​chroot/​{etc,​dev,​var/​cache/​bind,​var/​run/named} 
-sudo mkdir -p /var/lib/named/etc /var/lib/named/dev +sudo mknod /var/lib/bind/chroot/​dev/​null c 1 3 
-sudo mkdir -p /var/lib/named/var/run/bind/​run ​/var/lib/named/​var/​cache/​bind +sudo mknod /var/lib/bind/chroot/dev/random c 1 8 
-sudo chown -R bind:bind /var/lib/named/var/* +sudo chmod 660 /var/lib/bind/chroot/dev/{null,​random} 
-sudo mknod /​var/​lib/​named/​dev/random c 1 8 +sudo chmod 775 /var/lib/bind/chroot/var/{cache/bind,run/named} 
-sudo mknod /var/lib/named/dev/null c 1 3 +sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev} 
-sudo chmod 666 /var/lib/named/​dev/​null /​var/​lib/​named/​dev/​random +sudo rm -rf /var/run/named /var/cache/bind 
-sudo ln -sf /var/lib/named/var/run/bind /var/run/bind +sudo ln -/var/lib/bind/chroot/var/run/named /var/run/named 
-sudo ln -sf /var/lib/named/​var/​cache/​bind /​var/​cache/​bind+sudo ln -/var/lib/bind/chroot/​var/​cache/​bind /​var/​cache/​bind
 </​code>​ </​code>​
 +
 +
 ===== Configuration ===== ===== Configuration =====
  
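Review bot: `sudo chown -R bind:bind /var/lib/bind/chroot/{etc,var/*,dev}` gives the bind user ownership of the jail's etc/ tree, and the next hunk symlinks /etc/bind into it, so a compromised named could rewrite its own named.conf, zone files and rndc.key. Least privilege here is to leave etc/ and dev/ owned by root (readable by bind) and chown only var/cache/bind and var/run/named, the two directories named actually has to write to. Second, `sudo rm -rf /var/run/named /var/cache/bind` is destructive and runs before anything is copied out; if bind9 has already run once, whatever it left in /var/cache/bind is gone. Copy the existing contents into the jail first, e.g. `sudo cp -a /var/cache/bind/. /var/lib/bind/chroot/var/cache/bind/`, then remove the old directory. Third, the two `ln -` lines as rendered have lost their `-s`; they must read `ln -s /var/lib/bind/chroot/var/run/named /var/run/named` (and likewise for the cache), since `ln` without `-s` cannot link a directory. Minor: named's default entropy source is /dev/random, which can block on a headless VM at startup; adding a /dev/urandom node (`mknod ... c 1 9`) alongside it gives a non-blocking option should `random-device` ever be changed.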
Line 40: Line 43:
 <code bash> <code bash>
 sudo mv /etc/bind /​etc/​bind.dist sudo mv /etc/bind /​etc/​bind.dist
-sudo cp -a /​etc/​bind.dist /var/lib/named/etc/bind +sudo cp -a /​etc/​bind.dist /var/lib/bind/chroot/etc/bind 
-sudo ln -s /var/lib/named/etc/bind /etc/bind+sudo ln -s /var/lib/bind/chroot/etc/bind /etc/bind
 </​code>​ </​code>​
  
-Next edit /​etc/​default/​bind9 to tell it to start up chrooted to /var/lib/named:+Next edit /​etc/​default/​bind9 to tell it to start up chrooted to /var/lib/bind9/​chroot:
  
 <code bash> <code bash>
-sudo sed -i -e 's:OPTIONS="​-u bind":OPTIONS="​-u bind -t /var/lib/named":' /​etc/​default/​bind9+sudo sed -i -e 's|OPTIONS="​-u bind"|OPTIONS="​-u bind -t /var/lib/bind/chroot"|' /​etc/​default/​bind9
 </​code>​ </​code>​
  
-Edit ''​/​var/​lib/​named/​etc/​bind/​named.conf.options''​ and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders ​commented out, in case we decide to use them at a later date.+Edit ''/​etc/​bind/​named.conf.options''​ and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include ​names for a few backup forwarders, in case we decide to use them at a later date.
  
 <​file>​ <​file>​
 +acl loopback ​       {127.0.0.1;​}; ​                  # The "​localhost"​ ACL is pre-defined,​ but includes all interfaces.
 +acl external_subnet {192.168.210.0/​24;​};​
 +acl buddyns ​        ​{173.244.206.26;​ 88.198.106.11;​ 74.117.59.111;​}; ​           # Allow AXFR to these addresses for BuddyNS to provide secondary/​authoritative DNS for us.
 +acl opendns ​        ​{208.67.220.220;​ 208.67.222.222;​}; ​                         # OpenDNS public DNS servers.
 +acl verizon_dns ​    ​{4.2.2.1;​ 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;​}; ​   # Verizon public DNS servers. ​
 +
 options { options {
- directory "/​var/​cache/​bind";​ +    ​directory "/​var/​cache/​bind";​ 
- listen-on {127.0.0.1;}; # only act as a DNS cache for localhost +    listen-on {loopback; external_subnet;};         ​Listen on loopback interface (for DNS caching), plus any interface on our external subnet (for queries and transfers). 
- forwarders {208.67.220.220;​ 208.67.222.222;​};​ # OpenDNS public DNS servers +    forwarders {208.67.220.220;​ 208.67.222.222;​}; ​  ​Forward queries here, unless we're authoritative(Cannot use named ACLs here.) 
- #​forwarders {209.20.72.4; 209.20.72.5;​};​ # SliceHost DNS servers +    ​allow-transfer ​{buddynslocalhost;};           ​Allow AXFRs to BuddyNS (so they can mirror us), and all local interfaces (for testing). 
- #​forwarders ​{4.2.2.14.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers +    auth-nxdomain no;                               ​Conform ​to RFC1035
- auth-nxdomain no; # conform ​to RFC1035+    version none;                                   # Don't publicize our version number.
 }; };
 </​file>​ </​file>​
 +
 +For caching-only servers, remove the ''​external_subnet''​ from ''​listen-on'',​ and remove the ''​allow-transfer''​ line.
 +
 +
 ===== Logging ===== ===== Logging =====
  
 To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it.  To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. 
  
-Since Debian 5 uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket:+Since Debian 5uses rsyslog, we simply had to find the config option that would listen on an additional UNIX socket:
  
 <code bash> <code bash>
-sudo sh -c 'echo "​\$AddUnixListenSocket /var/lib/named/​dev/​log"​ > /​etc/​rsyslog.d/​bind9.conf'​+sudo sh -c 'echo "​\$AddUnixListenSocket /var/lib/bind/chroot/​dev/​log"​ > /​etc/​rsyslog.d/​bind9.conf'​
 </​code>​ </​code>​
  
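Review bot: the options block listens on `external_subnet` but sets no `allow-recursion` (or `allow-query-cache`), so whether the externally reachable listener answers recursive queries for strangers is left to BIND's built-in default (localnets and localhost), and 192.168.210.0/24 is almost certainly a localnet. Since the same daemon is the public authoritative server for our zones, add an explicit `allow-recursion { loopback; };` (widened to whichever hosts really need the cache) next to `allow-transfer`; toward the outside world the server should answer only for zones it is authoritative for. Related: the block shown has no `listen-on-v6`; if the `listen-on-v6 { any; };` line from Debian's shipped named.conf.options survives the copy from /etc/bind.dist, the interface restriction applies only to IPv4, so set `listen-on-v6 { none; };` (or the v6 equivalents of loopback and the external subnet) explicitly. On `allow-transfer { buddyns; localhost; }`: source-address filtering is acceptable for AXFR over TCP, but the BuddyNS addresses are hard-coded and transfers will silently break if they change; TSIG-signed transfers, if the secondary supports them, are the more robust control. Two text nits in this hunk: the sentence says "chrooted to /var/lib/bind9/chroot" while the sed command and the rest of the page use /var/lib/bind/chroot, and "Debian 5uses" is missing a space.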
Line 77: Line 90:
 sudo /​etc/​init.d/​rsyslog restart sudo /​etc/​init.d/​rsyslog restart
 </​code>​ </​code>​
 +
  
 ===== Startup ===== ===== Startup =====
Line 91: Line 105:
 ===== Client Configuration ===== ===== Client Configuration =====
  
-Edit ''/​etc/​resolv.conf''​ to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation.+Edit ''/​etc/​resolv.conf''​ to tell clients to use localhost to resolve DNS names. Again, we include a few other name servers just as documentation.
  
-<file+<code bash
-domain boochtek.com+DOMAIN=$(hostname -d) 
 +sudo sh -c 'cat > /etc/resolv.conf' <<​EOF 
 +domain $DOMAIN
 nameserver 127.0.0.1 nameserver 127.0.0.1
-#nameserver 205.242.92.2 # ns1.primary.net 
-#nameserver 205.242.176.103 # ns2.primary.net 
 #nameserver 208.67.220.220 # OpenDNS public DNS server #nameserver 208.67.220.220 # OpenDNS public DNS server
 #nameserver 208.67.222 .222 # OpenDNS public DNS server #nameserver 208.67.222 .222 # OpenDNS public DNS server
-#nameserver 209.20.72.4 # SliceHost +EOF 
-#nameserver 209.20.72.5 # SliceHost +</code>
-</file>+
  
 We also need to delete any dns-* lines from ''/​etc/​network/​interfaces'',​ as they cause ''/​etc/​resolv.conf''​ to be updated when the interface comes up. We also need to delete any dns-* lines from ''/​etc/​network/​interfaces'',​ as they cause ''/​etc/​resolv.conf''​ to be updated when the interface comes up.
  
 <code bash> <code bash>
-sudo sed -i -e 's/^.*dns-.*//' ​/​etc/​network/​interfaces+sudo sed -i /​etc/​network/​interfaces ​-e '/​^.*dns-.*/​d'
 </​code>​ </​code>​
 +
  
 ===== Testing ===== ===== Testing =====
Line 118: Line 132:
 Check ''/​var/​log/​daemon.log''​ and ''/​var/​log/​syslog''​ for startup/​shutdown info from the bind9 daemon. Check ''/​var/​log/​daemon.log''​ and ''/​var/​log/​syslog''​ for startup/​shutdown info from the bind9 daemon.
  
-Run ''​rndc status''​ to check the status of the server.+Run ''​sudo rndc status''​ to check the status of the server
 + 
 +Run ''​sudo rndc stats''​ and then read ''/​var/​cache/​bind/​named.stats''​ to get server stats, including number of successful and failed DNS lookups.
  
-Run ''​rndc stats''​ and then read ''/​var/​lib/​named/​var/​cache/​bind/​named.stats''​ to get server stats, including number of successful and failed DNS lookups. 
  
 ===== Notes ===== ===== Notes =====
- 
-These settings are for hosting at SliceHost. Our forwarders will need to be changed if we change hosting/​ISPs. 
  
 The OpenDNS servers are publicly available for anyone to use. It probably doesn'​t make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services. The OpenDNS servers are publicly available for anyone to use. It probably doesn'​t make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services.
  
 The 4.2.2.x addresses are supposedly Verizon'​s publicly-available DNS server that anyone can use. The 4.2.2.x addresses are supposedly Verizon'​s publicly-available DNS server that anyone can use.
 +
  
 ===== TODO ===== ===== TODO =====
  
-If we move the servers, we need to change the forwarders in ''/​var/​lib/​named/​etc/​bind/​named.conf.options'' ​to the upstream ISP's DNS servers, or use some of the public ​DNS servers.+We should probably hit the root servers ​instead of forwarding ​to OpenDNSOr forward ​to the DNS servers ​provided by our ISP. 
  
 ===== Credits ===== ===== Credits =====
  
-Much of this is based on the [[http://​www.howtoforge.com/​howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]].+Details using BIND under chroot ​is available ​on the [[http://​wiki.debian.org/​Bind9#​Bind_Chroot | Debian Wiki page on BIND]], as well as the [[http://​www.howtoforge.com/​howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]] ​on HowtoForge. 
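Review bot: the context line `#nameserver 208.67.222 .222 # OpenDNS public DNS server` carries a stray space inside the address (present on both sides of this change), so it is silently ignored if anyone uncomments it; it should be `208.67.222.222`. The new `sed -i /etc/network/interfaces -e '/^.*dns-.*/d'` deletes every line containing `dns-` anywhere, comments included; `/^[[:space:]]*dns-/d` matches only the option lines. Also, on hosts that have the resolvconf package installed, /etc/resolv.conf is regenerated at boot regardless of those lines, so this step should say to check for that package as well. In the TODO, moving from forwarders to the root servers turns this into a full recursive resolver, which makes the missing `allow-recursion` restriction in the options block more important, not less. Under the new `sudo rndc stats`, the path /var/cache/bind/named.stats only works because of the symlink into the jail created in the setup step; a half-sentence saying so would stop a reader who skipped the chroot step from looking under /var/lib/bind/chroot.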
build/dns.txt · Last modified: 2012/12/10 22:41 (external edit)