This shows you the differences between two versions of the page.
Old revision: build:dns [2005/11/26 13:58] 10.42.69.100
New revision: build:dns [2015/02/27 01:08] SLUUG Administration [Installation] Added warning that this is obsolete.
Line 1: | Line 1: | ||
====== DNS ====== | ====== DNS ====== | ||
- | We are running a caching name server on the server, bound to the loopback interface only. | + | We are running a caching name server on the server, bound to the loopback interface only. Public nameservers use BuddyNS, for which are using: |
- | ===== Bind 9 Caching Name Server ===== | + | <code rootshell> |
+ | ;; NS (nameserver) records -- we're using BuddyNS as our primary DNS provider | ||
+ | @ IN NS b.ns.buddyns.com. | ||
+ | @ IN NS c.ns.buddyns.com. | ||
+ | @ IN NS d.ns.buddyns.com. | ||
+ | @ IN NS e.ns.buddyns.com. | ||
+ | </code> | ||
+ | |||
+ | Zone files are maintained in: | ||
+ | |||
+ | <code rootshell> | ||
+ | /etc/named/zones | ||
+ | </code> | ||
+ | |||
+ | If a change is made, be sure to update the serial in the zone file, then "rndc" to reload named. | ||
+ | |||
+ | We decided to use BIND 9, as it is well supported now. (Note that the default in Debian 5.0 is BIND 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits. | ||
+ | |||
+ | Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page. | ||
- | We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will also protect us from most bind and DNS exploits. | + | ===== Installation ===== |
- | ==== Installation ==== | + | **Everything from here to the end probably only applies to the old bud server and doesn't apply now that bud had been replaced by by amber running a different Linux configuration.** |
- | First, we install the required packages: | + | First, install the required packages: |
- | <code> | + | <code rootshell> |
- | apt-get install bind9 dnsutils bind9-doc libisccc0 libisccfg0 | + | apt-get install -y bind9 bind9-host dnsutils bind9-doc |
</code> | </code> | ||
- | Next we build out /var/lib/named to contain enough so that bind9 can run chrooted within it: | + | Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done: |
- | <code> | + | <code rootshell> |
+ | /etc/init.d/bind9 stop | ||
+ | </code> | ||
+ | |||
+ | Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it: | ||
+ | <code rootshell> | ||
mkdir -p /var/lib/named | mkdir -p /var/lib/named | ||
mkdir -p /var/lib/named/etc /var/lib/named/dev | mkdir -p /var/lib/named/etc /var/lib/named/dev | ||
mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind | mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind | ||
- | chown bind:bind /var/lib/named/var/run/bind/run | ||
chown -R bind:bind /var/lib/named/var/* | chown -R bind:bind /var/lib/named/var/* | ||
mknod /var/lib/named/dev/random c 1 8 | mknod /var/lib/named/dev/random c 1 8 | ||
mknod /var/lib/named/dev/null c 1 3 | mknod /var/lib/named/dev/null c 1 3 | ||
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random | chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random | ||
+ | ln -sf /var/lib/named/var/run/bind /var/run/bind | ||
+ | ln -sf /var/lib/named/var/cache/bind /var/cache/bind | ||
</code> | </code> | ||
+ | ===== Configuration ===== | ||
- | ==== Configuration ==== | + | Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location: |
- | + | <code rootshell> | |
- | Next we copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location: | + | mv /etc/bind /etc/bind.dist |
- | <code> | + | cp -a /etc/bind.dist /var/lib/named/etc/bind |
- | mv /etc/bind /var/lib/named/etc/bind | + | |
ln -s /var/lib/named/etc/bind /etc/bind | ln -s /var/lib/named/etc/bind /etc/bind | ||
</code> | </code> | ||
- | Next we edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named: | + | Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named: |
- | <code> | + | <code rootshell> |
- | OPTIONS="-u bind -t /var/lib/named" | + | sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9 |
</code> | </code> | ||
- | Edit /var/lib/named/etc/bind/named.conf.options and tell it which interfaces to listen on, and who to forward requests | + | Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders commented out, in case we decide to use them at a later date. |
- | to if we don't know the answer: | + | <file> |
- | <code> | + | options { |
- | listen-on {127.0.0.1;}; | + | directory "/var/cache/bind"; |
- | forwarders {24.217.0.3;}; | + | listen-on {127.0.0.1;}; # only act as a DNS cache for localhost |
+ | forwarders {205.242.92.2; 205.242.176.103;}; # ns1.primary.net, ns2.primary.net | ||
+ | #forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers | ||
+ | #forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers | ||
+ | auth-nxdomain no; # conform to RFC1035 | ||
+ | }; | ||
+ | </file> | ||
+ | |||
+ | ===== Logging ===== | ||
+ | |||
+ | To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket in a '-a' option. This is set in the SYSLOGD parameter in the ''/etc/init.d/sysklogd'' file: | ||
+ | <code rootshell> | ||
+ | sed -i -e 's:^SYSLOGD=""$:SYSLOGD="-a /var/lib/named/dev/log":' /etc/default/syslogd | ||
</code> | </code> | ||
- | TODO: Our forwarder will need to change to whoever our upstream ISP is. This is Charter. | + | Then restart the logging daemon: |
+ | <code rootshell> | ||
+ | /etc/init.d/sysklogd restart | ||
+ | </code> | ||
+ | |||
+ | ===== Startup ===== | ||
Start the named server: | Start the named server: | ||
- | <code> | + | <code rootshell> |
/etc/init.d/bind9 start | /etc/init.d/bind9 start | ||
</code> | </code> | ||
- | Edit /etc/resolv.conf: | + | If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file. |
- | <code> | + | |
- | domain sluug.info | + | ===== Client Configuration ===== |
+ | |||
+ | Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation. | ||
+ | <file> | ||
+ | domain sluug.org | ||
nameserver 127.0.0.1 | nameserver 127.0.0.1 | ||
+ | #nameserver 205.242.92.2 # ns1.primary.net | ||
+ | #nameserver 205.242.176.103 # ns2.primary.net | ||
+ | #nameserver 208.67.220.220 # OpenDNS public DNS server | ||
+ | #nameserver 208.67.222 .222 # OpenDNS public DNS server | ||
+ | </file> | ||
+ | |||
+ | We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up. | ||
+ | <code rootshell> | ||
+ | sed -i -e 's/^.*dns-.*//' /etc/network/interfaces | ||
</code> | </code> | ||
- | This shouldn't require any further configuration, as we only need caching DNS to support the mail server. If it does, named options are set in /etc/default/bind9. | + | ===== Testing ===== |
- | ===== TODO ===== | + | Run ''nslookup'' and/or ''dig'' to resolve some DNS names. Make sure you get answers back from 127.0.0.1. |
- | Need to re-run the entire thing again (except the apt-get install) as several changes have been made since then. | + | Run some client programs to make sure they are resolving host names properly. |
- | Change the domain to sluug.org when appropriate. | + | Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon. |
- | Make logging changes per HOWTO below. | + | Run ''rndc status'' to check the status of the server. |
- | ==== Old Server Info ==== | + | Run ''rndc stats'' and then read ''/var/lib/named/var/cache/bind/named.stats'' to get server stats, including number of successful and failed DNS lookups. |
+ | |||
+ | ===== Notes ===== | ||
+ | |||
+ | These settings are for our hosting at Primary Networks. Our forwarders will need to be changed if we change hosting/ISPs. | ||
+ | |||
+ | The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services. | ||
+ | |||
+ | The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use. | ||
+ | |||
+ | ===== TODO ===== | ||
- | Unfortunately, I had previously run "apt-get install bind", not realizing that the default was Bind8. I think I've removed all traces of Bind8 - "apt-get remove bind" didn't take everything with it, such as the startup script. (Jeff Muse) | + | If we move the servers, we need to change the forwarders in ''/var/lib/named/etc/bind/named.conf.options'' to the upstream ISP's DNS servers, or use some of the public DNS servers. |
+ | ===== Credits ===== | ||
- | ==== NOTES ==== | + | Much of this is based on the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]]. |
- | Got some of this from the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto]]. | + | ===== Comments ===== |