DNS

We run a caching name server on the server itself, bound to the loopback interface only, so that only local processes can query it.

We decided to use BIND 9, as it is well supported now. (Note that Debian's default is BIND 8 if you just say "bind".) We also decided to run it in a chroot jail, as an unprivileged user, since this is simple to do and well documented. The jail and the unprivileged user limit what an attacker who exploits a bug in named can reach: nothing outside /var/lib/named, and no root privileges. They do not protect against protocol-level attacks such as cache poisoning, and they are no substitute for keeping the bind9 package patched.

Note that this document does not cover the DNS servers that serve the SLUUG.ORG domain itself; that is documented on a separate page.

Installation

First, install the required packages:

apt-get install bind9 dnsutils bind9-doc libisccc0 libisccfg0

Next build out /var/lib/named with enough of a filesystem tree (configuration, device nodes, run and cache directories) for bind9 to run chrooted inside it:

mkdir -p /var/lib/named
mkdir -p /var/lib/named/etc /var/lib/named/dev
mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind
chown bind:bind /var/lib/named/var/run/bind/run
chown -R bind:bind /var/lib/named/var/*
mknod /var/lib/named/dev/random c 1 8
mknod /var/lib/named/dev/null c 1 3
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
ln -s /var/lib/named/var/run/bind /var/run/
ln -s /var/lib/named/var/cache/bind /var/cache/

Configuration

Move the configuration into the chroot and symlink the original location to it, so the configuration can still be edited at the usual /etc/bind path:

mv /etc/bind /etc/bind.dist
cp -a /etc/bind.dist /var/lib/named/etc/bind
ln -s /var/lib/named/etc/bind /etc/

Next edit /etc/default/bind9 so that named starts as the unprivileged bind user and chroots to /var/lib/named:

OPTIONS="-u bind -t /var/lib/named"

Edit /var/lib/named/etc/bind/named.conf.options and, inside the options { } block, tell named which interface to listen on and where to forward queries it cannot answer from its cache:

listen-on {127.0.0.1;};

forwarders {205.242.92.2; 205.202.176.103; 4.2.2.1;};
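
The two directives above are the minimum. The script below is an added example, not from the original page or from the Debian bind9 packages: it generates a complete, hardened named.conf.options for this loopback-only resolver (no IPv6 listener, queries and recursion restricted to localhost, forward-only so named never walks the root servers itself, version string hidden) and syntax-checks the result. The function names, the "install" argument and the use of named-checkconf for validation are this script's own choices; the forwarder addresses are the ones above.

```shell
#!/bin/sh
# Added example (not from the original page or from the Debian bind9 packages):
# generate a hardened named.conf.options for the loopback-only caching resolver.
# The function names, the "install" argument and the use of named-checkconf for
# validation are this script's own choices; the forwarder addresses are the page's.
set -eu

# Write the options file to $1, forwarding to the space-separated resolver list in $2.
write_named_options() {
    out="$1"
    fwd_list=""
    for ip in $2; do
        fwd_list="$fwd_list $ip;"
    done
    cat > "$out" <<EOF
options {
    directory "/var/cache/bind";     // path as seen from inside the chroot

    // Loopback only, and no IPv6 listener: a resolver reachable from outside
    // is an open recursive resolver that anyone can abuse.
    listen-on port 53 { 127.0.0.1; };
    listen-on-v6 { none; };

    // Defence in depth: even if a listener is ever opened on another
    // interface, refuse queries and recursion from anything but this host.
    allow-query { localhost; };
    allow-recursion { localhost; };
    allow-transfer { none; };

    // Upstream resolvers. "forward only" means named never falls back to
    // walking the root servers itself, so it fails closed when they are down.
    forwarders {${fwd_list} };
    forward only;

    // Do not answer version.bind queries with the exact build.
    version "not disclosed";
};
EOF
}

# Validate the generated file: with named-checkconf when bind9 is installed,
# otherwise by confirming the hardening directives are present.
check_named_options() {
    f="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$f"
    else
        grep -q 'listen-on-v6 { none; };' "$f" &&
        grep -q 'allow-recursion { localhost; };' "$f" &&
        grep -q 'forward only;' "$f"
    fi
}

# Usage: sh named-options.sh install
# Writes the file into the chroot; the /etc/bind symlink makes it visible outside too.
if [ "${1:-}" = "install" ]; then
    target=/var/lib/named/etc/bind/named.conf.options
    write_named_options "$target" "205.242.92.2 205.202.176.103 4.2.2.1"
    check_named_options "$target"
fi
```

After writing the file, reload named (rndc reload, or restart the bind9 init script) for the new options to take effect. If you prefer named to fall back to iterative resolution when the forwarders are unreachable, change forward only to forward first; the trade-off is that a forwarder outage then turns into unexpected direct traffic to the root servers rather than a visible failure.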

Logging

named inside the jail cannot reach the system's /dev/log socket, so the syslog daemon has to open a second socket inside the jail. sysklogd does this with the '-a' option, which on this system is set in the SYSLOGD parameter of the /etc/init.d/sysklogd file:

SYSLOGD="-a /var/lib/named/dev/log"

Then restart the logging daemon:

/etc/init.d/sysklogd restart

Startup

Start the named server:

/etc/init.d/bind9 start

Client Configuration

Edit /etc/resolv.conf to tell clients to use localhost to resolve DNS names:

domain sluug.info
nameserver 127.0.0.1

Testing

Run nslookup and/or dig to resolve some DNS names, and confirm that the answers come from 127.0.0.1 (dig reports this in its SERVER: line).

Run some client programs to make sure they are resolving host names properly.

Check /var/log/daemon.log and /var/log/syslog for startup/shutdown info from the bind9 daemon.

Run rndc status to check the status of the server. rndc runs outside the jail and finds its key through the /etc/bind symlink created above.

Run rndc stats and then read /var/lib/named/var/cache/bind/named.stats to get server stats, including number of successful and failed DNS lookups.
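
The checks above can be scripted. The script below is an added example, not part of the original page: it verifies that the jail built under Installation has the device nodes, syslog socket and cache directory it needs, that port 53 is bound only on loopback, that named is running as the bind user with its root inside /var/lib/named, and that a lookup through 127.0.0.1 succeeds. Function names, the "check" argument and the use of ss, pgrep and dig are this script's own choices; the paths are the ones used on this page.

```shell
#!/bin/sh
# Added example, not part of the original page: post-install checks for the
# chrooted resolver. Function names, the "check" argument and the use of
# ss/pgrep/dig are this script's own choices; the paths match the page.
set -eu

CHROOT="${CHROOT:-/var/lib/named}"

# The jail must hold the two device nodes with the expected major:minor numbers
# (random 1:8, null 1:3), the syslog socket syslogd creates with -a, and the
# cache directory. Prints what is missing and returns 1, so a half-built jail
# is caught before named is started.
check_chroot_layout() {
    root="$1"; bad=0
    for spec in "dev/random 8" "dev/null 3"; do
        node="$root/${spec%% *}"; minor="${spec##* }"
        if [ ! -c "$node" ]; then
            echo "missing character device $node"; bad=1; continue
        fi
        # stat prints major and minor in hex; both nodes are on major 1
        [ "$(stat -c '%t:%T' "$node")" = "1:$minor" ] ||
            { echo "$node has the wrong device numbers"; bad=1; }
    done
    [ -S "$root/dev/log" ] || { echo "missing syslog socket $root/dev/log"; bad=1; }
    [ -d "$root/var/cache/bind" ] || { echo "missing $root/var/cache/bind"; bad=1; }
    return $bad
}

# Read "ss -lntu" output on stdin and fail if anything serves port 53 on an
# address other than loopback (an exposed port 53 would be an open resolver).
dns_listeners_loopback_only() {
    awk '
        $5 ~ /:53$/ {
            addr = $5; sub(/:53$/, "", addr)
            if (addr != "127.0.0.1" && addr != "[::1]") {
                print "port 53 exposed on " addr; bad = 1
            }
        }
        END { exit bad ? 1 : 0 }'
}

# named must run as the bind user with its root inside the jail.
# (/proc/<pid>/root is only readable by root, which is how this is meant to run.)
check_named_process() {
    pid=$(pgrep -xo named) || { echo "named is not running"; return 1; }
    user=$(ps -o user= -p "$pid")
    root=$(readlink "/proc/$pid/root" 2>/dev/null || echo unknown)
    [ "$user" = "bind" ] || { echo "named runs as $user, not bind"; return 1; }
    [ "$root" = "$CHROOT" ] || { echo "named root is $root, not $CHROOT"; return 1; }
}

# A lookup through 127.0.0.1 must succeed, and dig's SERVER line must show
# that the answer really came from the local resolver.
check_resolution() {
    dig +time=3 +tries=1 @127.0.0.1 www.sluug.org A |
        awk '/status: NOERROR/ { ok++ } /SERVER: 127.0.0.1#53/ { ok++ }
             END { exit ok == 2 ? 0 : 1 }'
}

# Usage: sh check-resolver.sh check   (run as root on the server)
if [ "${1:-}" = "check" ]; then
    check_chroot_layout "$CHROOT"
    ss -lntu | dns_listeners_loopback_only
    check_named_process
    check_resolution
    echo "all checks passed"
fi
```

Because the script is run with set -e, the first failing check stops it with a message naming the problem; the listener check in particular is worth re-running after any change to named.conf.options, since a stray listen-on or listen-on-v6 line is how a loopback-only resolver quietly becomes an open one.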

Notes

These settings are for our hosting at Primary Networks. Our forwarders will need to be changed if we change hosting/ISPs.

The 4.2.2.1 address is a Level 3 resolver that has historically answered queries from anyone, but we have no agreement with them for the service. Note also that every forwarder we list sees every name this server looks up.

TODO

Change the domain to sluug.org when appropriate, in the /etc/resolv.conf file.

When we move, change forwarders in /var/lib/named/etc/bind/named.conf.options to upstream ISP's DNS servers.

Credits

Much of this is based on the Bind-Chroot-Howto for Debian.

build/dns.1137467292.txt.gz · Last modified: 2007/05/31 11:59 (external edit)