Differences

This shows you the differences between two versions of the page.

--- build:dns [2005/07/30 16:05]
206.197.251.61 Updated with full chroot info (jmuse/CMB)
+++ build:dns [2015/02/27 01:08] (current)
SLUUG Administration [Installation] Added warning that this is obsolete.
@@ Line 1: / Line 1: @@
-===== Bind9 caching name server =====
+====== DNS ======
-We are running a caching name server on the server, chroot'ed to /var/lib/named, running as user "bind", and bound to the loopback interface only. This was installed via:
+We are running a caching name server on the server, bound to the loopback interface only. Public nameservers use BuddyNS, for which are using:
-  # apt-get install bind9 dnsutils bind9-doc
+<code rootshell>
-  # mkdir -p /var/lib/named /var/lib/named/etc /var/lib/named/var/cache/bind /var/lib/dev
+;; NS (nameserver) records -- we're using BuddyNS as our primary DNS provider
-  # mkdir -p /var/lib/named/var/run/bind/run
+@           IN  NS      b.ns.buddyns.com.
-  # cp -a /etc/bind /var/lib/named/etc/
+@           IN  NS      c.ns.buddyns.com.
-  # mknod /var/lib/named/dev/random c 1 8
+@           IN  NS      d.ns.buddyns.com.
-  # chown bind:bind /var/lib/named/var/run/bind/run
+@           IN  NS      e.ns.buddyns.com.
-  # /etc/init.d/bind9 start
+</code>
-Edit /etc/default/bind9:
+Zone files are maintained in:
-  OPTIONS="-u bind -t /var/lib/named"
-Edit /var/lib/named/etc/bind/named.conf.options and add the following:
+<code rootshell>
-  listen-on {127.0.0.1;};
+/etc/named/zones
-  forwarders {24.217.0.3;};
+</code>
-TODO: Our forwarder will need to change to whoever our upstream ISP is. This is Charter.
+If a change is made, be sure to update the serial in the zone file, then "rndc" to reload named.
-Edit /etc/resolv.conf:
+We decided to use BIND 9, as it is well supported now. (Note that the default in Debian 5.0 is BIND 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits.
-  domain sluug.info
-  nameserver 127.0.0.1
-TODO: Change the domain to sluug.org when appropriate.
+Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page.
-This shouldn't require any further configuration, as we only need caching DNS to support the mail server. If it does, named options are set in /etc/default/bind9.
+===== Installation =====
-==== Old Server Info ====
+**Everything from here to the end probably only applies to the old bud server and doesn't apply now that bud had been replaced by by amber running a different Linux configuration.**
-Unfortunately, I had previously run "apt-get install bind", not realizing that the default was Bind8. I think I've removed all traces of Bind8 - "apt-get remove bind" didn't take everything with it, such as the startup script.
+First, install the required packages:
+<code rootshell>
+apt-get install -y bind9 bind9-host dnsutils bind9-doc
+</code>
+Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done:
+<code rootshell>
+/etc/init.d/bind9 stop
+</code>
+Next build out /var/lib/named to contain enough so that bind9 can run chrooted within it:
+<code rootshell>
+mkdir -p /var/lib/named
+mkdir -p /var/lib/named/etc /var/lib/named/dev
+mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind
+chown -R bind:bind /var/lib/named/var/*
+mknod /var/lib/named/dev/random c 1 8
+mknod /var/lib/named/dev/null c 1 3
+chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
+ln -sf /var/lib/named/var/run/bind /var/run/bind
+ln -sf /var/lib/named/var/cache/bind /var/cache/bind
+</code>
+===== Configuration =====
+Copy the configuration into the chroot directory, and link back to the original locations, so we can update the configuration from the original config-file location:
+<code rootshell>
+mv /etc/bind /etc/bind.dist
+cp -a /etc/bind.dist /var/lib/named/etc/bind
+ln -s /var/lib/named/etc/bind /etc/bind
+</code>
+Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named:
+<code rootshell>
+sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9
+</code>
+Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders commented out, in case we decide to use them at a later date.
+<file>
+options {
+	directory "/var/cache/bind";
+	listen-on {127.0.0.1;}; # only act as a DNS cache for localhost
+	forwarders {205.242.92.2; 205.242.176.103;}; # ns1.primary.net, ns2.primary.net
+	#forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers
+	#forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers
+	auth-nxdomain no; # conform to RFC1035
+};
+</file>
+===== Logging =====
+To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket in a '-a' option. This is set in the SYSLOGD parameter in the ''/etc/init.d/sysklogd'' file:
+<code rootshell>
+sed -i -e 's:^SYSLOGD=""$:SYSLOGD="-a /var/lib/named/dev/log":' /etc/default/syslogd
+</code>
+Then restart the logging daemon:
+<code rootshell>
+/etc/init.d/sysklogd restart
+</code>
+===== Startup =====
+Start the named server:
+<code rootshell>
+/etc/init.d/bind9 start
+</code>
+If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file.
+===== Client Configuration =====
+Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation.
+<file>
+domain sluug.org
+nameserver 127.0.0.1
+#nameserver 205.242.92.2 # ns1.primary.net
+#nameserver 205.242.176.103 # ns2.primary.net
+#nameserver 208.67.220.220 # OpenDNS public DNS server
+#nameserver 208.67.222 .222 # OpenDNS public DNS server
+</file>
+We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up.
+<code rootshell>
+sed -i -e 's/^.*dns-.*//' /etc/network/interfaces
+</code>
+===== Testing =====
+Run ''nslookup'' and/or ''dig'' to resolve some DNS names. Make sure you get answers back from 127.0.0.1.
+Run some client programs to make sure they are resolving host names properly.
+Check ''/var/log/daemon.log'' and ''/var/log/syslog'' for startup/shutdown info from the bind9 daemon.
+Run ''rndc status'' to check the status of the server.
+Run ''rndc stats'' and then read ''/var/lib/named/var/cache/bind/named.stats'' to get server stats, including number of successful and failed DNS lookups.
+===== Notes =====
+These settings are for our hosting at Primary Networks. Our forwarders will need to be changed if we change hosting/ISPs.
+The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services.
+The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use.
+===== TODO =====
+If we move the servers, we need to change the forwarders in ''/var/lib/named/etc/bind/named.conf.options'' to the upstream ISP's DNS servers, or use some of the public DNS servers.
+===== Credits =====
+Much of this is based on the [[http://www.howtoforge.com/howto_bind_chroot_debian | Bind-Chroot-Howto for Debian]].
+===== Comments =====

SLUUG Wiki

User Tools

Site Tools

Differences

Page Tools