This shows you the differences between two versions of the page.
Both sides previous revision Previous revision Next revision | Previous revision | ||
build:dns [2006/01/16 21:08] 70.230.174.183 Changed forwarders for move to Primary Networks. (CMB) |
build:dns [2015/02/27 01:08] (current) SLUUG Administration [Installation] Added warning that this is obsolete. |
||
---|---|---|---|
Line 1: | Line 1: | ||
====== DNS ====== | ====== DNS ====== | ||
- | We are running a caching name server on the server, bound to the loopback interface only. | + | We are running a caching name server on the server, bound to the loopback interface only. Public nameservers use BuddyNS, for which are using: |
- | We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most bind and DNS exploits. | + | <code rootshell> |
+ | ;; NS (nameserver) records -- we're using BuddyNS as our primary DNS provider | ||
+ | @ IN NS b.ns.buddyns.com. | ||
+ | @ IN NS c.ns.buddyns.com. | ||
+ | @ IN NS d.ns.buddyns.com. | ||
+ | @ IN NS e.ns.buddyns.com. | ||
+ | </code> | ||
+ | |||
+ | Zone files are maintained in: | ||
+ | |||
+ | <code rootshell> | ||
+ | /etc/named/zones | ||
+ | </code> | ||
+ | |||
+ | If a change is made, be sure to update the serial in the zone file, then "rndc" to reload named. | ||
+ | |||
+ | We decided to use BIND 9, as it is well supported now. (Note that the default in Debian 5.0 is BIND 8, if you just say "bind".) We also decided to put it into a chroot jail, as it's pretty simple to do and well-documented. This will protect us from most BIND and DNS exploits. | ||
Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page. | Note that we do not cover in this document the DNS services that maintain the SLUUG.ORG domain name. The [[domains | domain name info]] is documented on a separate page. | ||
===== Installation ===== | ===== Installation ===== | ||
+ | |||
+ | **Everything from here to the end probably only applies to the old bud server and doesn't apply now that bud had been replaced by by amber running a different Linux configuration.** | ||
First, install the required packages: | First, install the required packages: | ||
<code rootshell> | <code rootshell> | ||
- | apt-get install bind9 dnsutils bind9-doc libisccc0 libisccfg0 | + | apt-get install -y bind9 bind9-host dnsutils bind9-doc |
+ | </code> | ||
+ | |||
+ | Debian automatically starts the daemon, but we're going to change a lot of its config, so we should stop the daemon until we're done: | ||
+ | <code rootshell> | ||
+ | /etc/init.d/bind9 stop | ||
</code> | </code> | ||
Line 19: | Line 42: | ||
mkdir -p /var/lib/named/etc /var/lib/named/dev | mkdir -p /var/lib/named/etc /var/lib/named/dev | ||
mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind | mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind | ||
- | chown bind:bind /var/lib/named/var/run/bind/run | ||
chown -R bind:bind /var/lib/named/var/* | chown -R bind:bind /var/lib/named/var/* | ||
mknod /var/lib/named/dev/random c 1 8 | mknod /var/lib/named/dev/random c 1 8 | ||
mknod /var/lib/named/dev/null c 1 3 | mknod /var/lib/named/dev/null c 1 3 | ||
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random | chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random | ||
- | ln -s /var/lib/named/var/run/bind /var/run/ | + | ln -sf /var/lib/named/var/run/bind /var/run/bind |
- | ln -s /var/lib/named/var/cache/bind /var/cache/ | + | ln -sf /var/lib/named/var/cache/bind /var/cache/bind |
</code> | </code> | ||
- | |||
===== Configuration ===== | ===== Configuration ===== | ||
Line 34: | Line 55: | ||
mv /etc/bind /etc/bind.dist | mv /etc/bind /etc/bind.dist | ||
cp -a /etc/bind.dist /var/lib/named/etc/bind | cp -a /etc/bind.dist /var/lib/named/etc/bind | ||
- | ln -s /var/lib/named/etc/bind /etc/ | + | ln -s /var/lib/named/etc/bind /etc/bind |
</code> | </code> | ||
Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named: | Next edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named: | ||
- | <code> | + | <code rootshell> |
- | OPTIONS="-u bind -t /var/lib/named" | + | sed -i -e 's:OPTIONS="-u bind":OPTIONS="-u bind -t /var/lib/named":' /etc/default/bind9 |
</code> | </code> | ||
- | Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached: | + | Edit ''/var/lib/named/etc/bind/named.conf.options'' and tell it which interfaces to listen on, and who to forward requests to if we don't have the answer cached. We also include a few backup forwarders commented out, in case we decide to use them at a later date. |
- | <code> | + | <file> |
- | listen-on {127.0.0.1;}; | + | options { |
- | + | directory "/var/cache/bind"; | |
- | forwarders {205.242.92.2; 205.202.176.103; 4.2.2.1;}; | + | listen-on {127.0.0.1;}; # only act as a DNS cache for localhost |
- | </code> | + | forwarders {205.242.92.2; 205.242.176.103;}; # ns1.primary.net, ns2.primary.net |
+ | #forwarders {4.2.2.1; 4.2.2.2; 4.2.2.3; 4.2.2.4; 4.2.2.5; 4.2.2.6;}; # Verizon public DNS servers | ||
+ | #forwarders {208.67.220.220; 208.67.222.222;}; # OpenDNS public DNS servers | ||
+ | auth-nxdomain no; # conform to RFC1035 | ||
+ | }; | ||
+ | </file> | ||
===== Logging ===== | ===== Logging ===== | ||
To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket in a '-a' option. This is set in the SYSLOGD parameter in the ''/etc/init.d/sysklogd'' file: | To get logging out of the chroot jail, we need to set up a socket within the jail, and have the syslog daemon listen to it. We configure syslog by specifying the name of the socket in a '-a' option. This is set in the SYSLOGD parameter in the ''/etc/init.d/sysklogd'' file: | ||
- | <code> | + | <code rootshell> |
- | SYSLOGD="-a /var/lib/named/dev/log" | + | sed -i -e 's:^SYSLOGD=""$:SYSLOGD="-a /var/lib/named/dev/log":' /etc/default/syslogd |
</code> | </code> | ||
Line 67: | Line 93: | ||
/etc/init.d/bind9 start | /etc/init.d/bind9 start | ||
</code> | </code> | ||
+ | |||
+ | If startup fails, tail the ''/var/log/syslog'' file to look for errors. The most likely error is forgetting a semi-colon somewhere in the config file. | ||
===== Client Configuration ===== | ===== Client Configuration ===== | ||
- | Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names: | + | Edit ''/etc/resolv.conf'' to tell clients to use localhost to resolve DNS names. Again, we include a few other servers just as documentation. |
- | <code> | + | <file> |
- | domain sluug.info | + | domain sluug.org |
nameserver 127.0.0.1 | nameserver 127.0.0.1 | ||
+ | #nameserver 205.242.92.2 # ns1.primary.net | ||
+ | #nameserver 205.242.176.103 # ns2.primary.net | ||
+ | #nameserver 208.67.220.220 # OpenDNS public DNS server | ||
+ | #nameserver 208.67.222 .222 # OpenDNS public DNS server | ||
+ | </file> | ||
+ | |||
+ | We also need to delete any dns-* lines from ''/etc/network/interfaces'', as they cause ''/etc/resolv.conf'' to be updated when the interface comes up. | ||
+ | <code rootshell> | ||
+ | sed -i -e 's/^.*dns-.*//' /etc/network/interfaces | ||
</code> | </code> | ||
Line 92: | Line 129: | ||
These settings are for our hosting at Primary Networks. Our forwarders will need to be changed if we change hosting/ISPs. | These settings are for our hosting at Primary Networks. Our forwarders will need to be changed if we change hosting/ISPs. | ||
- | The 4.2.2.1 address is supposedly a publicly-available DNS server that anyone can use. | + | The OpenDNS servers are publicly available for anyone to use. It probably doesn't make sense to use them on a server though, because they send unknown addresses to their own servers. Their servers contain search pages for web access; I'm not sure what happens with other services. |
- | ===== TODO ===== | + | The 4.2.2.x addresses are supposedly Verizon's publicly-available DNS server that anyone can use. |
- | Change the domain to sluug.org when appropriate, in the /etc/resolv.conf file. | + | ===== TODO ===== |
- | When we move, change forwarders in /var/lib/named/etc/bind/named.conf.options to upstream ISP's DNS servers. | + | If we move the servers, we need to change the forwarders in ''/var/lib/named/etc/bind/named.conf.options'' to the upstream ISP's DNS servers, or use some of the public DNS servers. |
===== Credits ===== | ===== Credits ===== |