
Installing Bind 9.x from source - Linux StepByStep

 sailorhzr 2011-04-02
Submitter: Doug Hunley


This document describes the process of installing Bind 9.x on your Linux box as a Caching DNS server.

The steps to install it are as follows:

  1. Install Openssl
  2. Download the latest stable release from ISC.org *
  3. Extract the tarball like so:
    • tar zxvf bind-9.x.tar.gz
    • cd bind-9.x
  4. Configure the software (one command; the path given to --with-openssl is where step 1 put OpenSSL):
    • ./configure --prefix=/usr --sysconfdir=/etc --enable-threads \
          --localstatedir=/var/state --with-libtool --with-openssl=/usr/ssl
  5. Compile it:
    • make
  6. Remove all existing Bind software (the grep also catches bind-utils and similar packages; the dig/host/nslookup binaries they provided are replaced by the ones installed in step 7):
    • rpm -q -a | grep '^bind' | while read line; do rpm -e --nodeps "$line"; done
  7. Install your new Bind:
    • make install
    • On releases before 9.2.0 the man pages must be installed by hand (9.2.0 and later do this as part of make install):
    • cd doc/man/bin
    • for i in 1 5 8; do install *.$i /usr/man/man$i; done
    • cd ../dnssec
    • install *.8 /usr/man/man8
  8. Update your library resolutions:
    • ldconfig -v
  9. Create the Bind user and group
    • groupadd named
    • useradd -d /var/named -g named -s /bin/false named
  10. Adjust the group/perms on /var/run so that named, running as the unprivileged named user, can write its pid file there
    • vigr (add named to the 'daemon' group)
    • chown root:daemon /var/run
    • chmod 775 /var/run
    Making /var/run group-writable for every member of daemon is broader than named needs. The tighter alternative is a directory of its own (mkdir /var/run/named; chown named:named /var/run/named) with pid-file "/var/run/named/named.pid" in named.conf, which leaves /var/run itself untouched.
  11. Create the Bind rundir
    • mkdir -p /var/named/pz
    • chown -R named:named /var/named
    • chmod -R 755 /var/named
  12. Create a script to maintain the root.hints file (the URL as shown is incomplete; use the current location of the root hints file)
    • cat << "EOF" > update_named
      #!/bin/sh
      cd /var/named
      wget http://dns./tech/rootzone/db.root
      if [ -s /var/named/db.root ] ; then
          chown named:named /var/named/db.root
          /etc/rc.d/named stop
          mv /var/named/root.hints /var/named/root.hints.old
          mv /var/named/db.root /var/named/root.hints
          /etc/rc.d/named start
      fi
      EOF
    The script's only sanity check is that the download is non-empty, so an HTTP error page saved by wget would be installed as root.hints. It also assumes an /etc/rc.d/named init script, which this document does not create (named is started by hand in step 26), and it restarts the server instead of asking it to reload.
  13. Make the script executable, and execute it (the stop/start lines fail because named is not running yet and /etc/rc.d/named does not exist, but your root.hints file will get updated like we wanted)
    • chmod 700 update_named
    • ./update_named
  14. Move the script to your monthly cron directory
    • mv update_named /etc/cron.monthly
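The same job with the checks the howto's script lacks, as an added example that is not part of the original howto: the downloaded file is validated (it must look like a root hints file, not just be non-empty) before it replaces root.hints, the previous copy is kept, and a running named is asked to reload rather than being stopped and started. The download URL is a parameter, the function and variable names are this example's own, and the sample hints data is constructed for the demonstration (real root server names, RFC 5737 documentation addresses as glue), not the real named.root.

```shell
#!/bin/sh
# Added example (not from the original howto): update_named with validation.
# Assumes the howto's /var/named layout, wget for the download, and rndc on
# the PATH when a running server should be reloaded.

# Number of root delegation lines (".  TTL  [IN]  NS  server.") in file $1.
# Always prints a number and exits 0, even for a missing or empty file.
count_root_ns() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ec '^\.[[:space:]]+[0-9]+[[:space:]]+(IN[[:space:]]+)?NS[[:space:]]+' "$1" || true
}

# Install candidate $1 as $2 if it carries at least $3 (default 5) root NS
# records. Otherwise remove the candidate, leave $2 untouched and return 1.
install_root_hints() {
    candidate=$1; dest=$2; min_ns=${3:-5}
    n=$(count_root_ns "$candidate")
    if [ "$n" -lt "$min_ns" ]; then
        echo "rejected $candidate: $n root NS records, need $min_ns" >&2
        rm -f "$candidate"
        return 1
    fi
    [ -f "$dest" ] && cp -p "$dest" "$dest.old"
    mv "$candidate" "$dest"
    chown named:named "$dest" 2>/dev/null || true   # no-op unless run as root
    # Reload the running server instead of stop/start; skipped if rndc is absent.
    if command -v rndc >/dev/null 2>&1; then rndc reload || true; fi
    return 0
}

# Fetch URL $1 into a temporary file beside $2 (default /var/named/root.hints)
# and hand it to install_root_hints. The URL is deliberately not hard-coded.
update_named() {
    url=$1; dest=${2:-/var/named/root.hints}
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    if ! wget -q -O "$tmp" "$url"; then
        echo "download of $url failed" >&2
        rm -f "$tmp"
        return 1
    fi
    install_root_hints "$tmp" "$dest"
}

# Constructed sample in the layout of a root hints file (not the real one:
# the glue addresses are RFC 5737 documentation addresses).
write_sample_hints() {
    cat > "$1" <<'EOF'
; constructed sample, not a real named.root
.                        3600000      NS    A.ROOT-SERVERS.NET.
.                        3600000      NS    B.ROOT-SERVERS.NET.
.                        3600000      NS    C.ROOT-SERVERS.NET.
.                        3600000      NS    D.ROOT-SERVERS.NET.
.                        3600000      NS    E.ROOT-SERVERS.NET.
.                        3600000      NS    F.ROOT-SERVERS.NET.
.                        3600000      NS    G.ROOT-SERVERS.NET.
.                        3600000      NS    H.ROOT-SERVERS.NET.
.                        3600000      NS    I.ROOT-SERVERS.NET.
.                        3600000      NS    J.ROOT-SERVERS.NET.
.                        3600000      NS    K.ROOT-SERVERS.NET.
.                        3600000      NS    L.ROOT-SERVERS.NET.
.                        3600000      NS    M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     192.0.2.4
B.ROOT-SERVERS.NET.      3600000      A     192.0.2.201
EOF
}

# What the howto's "-s" test would have accepted: a non-empty error page.
write_sample_error_page() {
    printf '<html><body><h1>404 Not Found</h1></body></html>\n' > "$1"
}
```

Run it from cron as update_named URL; the validation threshold of five root NS records is an assumption chosen to be well below the thirteen a real hints file carries while rejecting error pages and truncated downloads.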
  15. Create /var/named/pz/127.0.0 as below (the NS record has no owner name of its own, so it inherits the zone apex "@" from the SOA line above it)
  16. $TTL 1D
         @           1D IN SOA   localhost. root.localhost. (
                     42      ; serial (d. adams)
                     3H      ; refresh
                     15M     ; retry
                     1W      ; expiry
                     1D )    ; minimum
                     1D IN NS    localhost.
         1           1D IN PTR   localhost.
         
         
  17. Create /var/named/pz/192.168.1 (the howto simply links it to the loopback file, which makes only 192.168.1.1 resolve, and to localhost. at that; replace the link with a real reverse zone for your subnet once you have one)
    • cd /var/named/pz
    • ln -s 127.0.0 192.168.1
  18. Create /etc/resolv.conf
    • echo "nameserver 127.0.0.1" > /etc/resolv.conf
  19. Create your rndc secret. The secret is base64 text whose decoded bytes are the HMAC key; the only hard requirement is that rndc.conf and named.conf carry the same string. The original howto produced it by base64-encoding a word with mmencode (part of the metamail package), using "hush":
    • mmencode (this command is part of the metamail package)
    • hush
    • aHVz (the value used in the files below)
    • ^C
    Note that "aHVz" decodes to the three bytes "hus" (for "hush" plus the newline you typed, mmencode actually prints aHVzaAo=), i.e. a 24-bit key protecting the channel that can reload, flush and stop your server. Generate the secret from random bytes instead: rndc-confgen -a (shipped with BIND 9) writes /etc/rndc.key with a random key, or base64-encode 16 to 32 bytes read from /dev/urandom.
  20. Create /etc/rndc.conf
  21.    // this file is used by the rndc utility
         options {
             // what host should rndc attempt to control by default
             default-server localhost;
             // and what key should it use to communicate with named
             default-key "rndc-key";
         };
         server localhost {
             // always use this key with this host
             key "rndc-key";
         };
         key "rndc-key" {
             // how was the key encoded
             algorithm hmac-md5;
             // what's the password (replace with your own secret from step 19)
             secret "aHVz";
         };
         // secret was generated by running mmencode on command line
         // and then entering a secret phrase
         
         
  22. Create /etc/rndc.key
  23.    // this file is used when named starts up and sees that
         // there is a key assigned to the control channel
         key "rndc-key" {
             // how was the key encoded
             algorithm hmac-md5;
             // what's the password (must match rndc.conf and named.conf)
             secret "aHVz";
         };
         
    Both files hold the shared secret in the clear, so keep them off world-readable permissions: chmod 640 /etc/rndc.conf /etc/rndc.key, and chgrp named /etc/rndc.key so that a named running as named can still read it. Also note that the named.conf in step 25 defines "rndc-key" inline next to its controls statement; named only falls back to reading /etc/rndc.key when named.conf has no controls statement at all, so with that named.conf the file is redundant. hmac-md5 is what BIND 9.0 to 9.2 support for the control channel; newer releases (BIND 9.10 and later) accept hmac-sha256, which is the better choice where both named and rndc are new enough.
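How the secret should be produced, as an added example that is not part of the original howto: the key is made from random bytes the way rndc-confgen does, and the key clause is written with permissions that keep it off world-readable files. The function names are this example's own; it assumes coreutils base64 and /dev/urandom, and it defaults to hmac-sha256, which needs a BIND new enough for its control channel to accept SHA-2 keys (pass hmac-md5 as the fourth argument on older builds). The secret_bytes helper also shows what the howto's "aHVz" actually amounts to.

```shell
#!/bin/sh
# Added example (not from the howto): generating and storing an rndc secret.

# How many bytes of key material a base64 secret really carries.
secret_bytes() {
    printf '%s' "$1" | base64 -d | wc -c | tr -d ' '
}

# 32 random bytes (256 bits) as a single line of base64 (44 characters).
gen_rndc_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write a BIND key clause for secret $2 to $1 (e.g. /etc/rndc.key).
# The file is created under umask 077 so the secret is never world-readable,
# then opened to the group so a named running as named:named can read it.
write_rndc_key() {
    file=$1; secret=$2; name=${3:-rndc-key}; alg=${4:-hmac-sha256}
    (
        umask 077
        printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
            "$name" "$alg" "$secret" > "$file"
    )
    chmod 640 "$file"
}

# Permission string of $1 as ls prints it, e.g. -rw-r-----
key_file_perms() {
    ls -ld "$1" | cut -c1-10
}
```

Typical use is secret=$(gen_rndc_secret); write_rndc_key /etc/rndc.key "$secret"; the same secret string then goes into the key clauses of rndc.conf and named.conf.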
        
        
  24. And finally, create /etc/named.conf as below
  25.    // This is a configuration file for named (from BIND 9.0 or later).
         // It would normally be installed as /etc/named.conf.
         //
         // Changed to match secure example from LASG 5/17/00
         // Changed to match Linux Journal example 9/17/00
         // Added new "view" sections to stop fingerprinting of Bind 9.x per
         // Bugtraq 1/31/00
         // Added rndc key stuff per DNS & Bind (Rev. 4) Chapter 11
         // added use-id-pool and more comments based on above chapter
         options {
             // Directory where bind should create files if
             // not explicitly stated
             directory "/var/named";
             // whom do we allow to do zone transfers
             allow-transfer { 192.168.1.0/24; };
             // new in Bind 9.x to allow RFC1886 -> RFC2874 conversion
             // to support IPv6. OBSOLETED in 9.3.0 and later!
             // allow-v6-synthesis { 192.168.1.10; };
             // tell Bind to check the names in zone files
             // since it no longer does this by default
             // (accepted but ignored before 9.3.0; implemented from 9.3.0 on)
             check-names master warn;
             // limit on the server's data segment (setrlimit), 20Mb
             datasize 20M;
             // sets the maximum size of each zone journal to 5Mb
             max-journal-size 5M;
             // Bind 9.x doesn't recognize this yet :(
             // deallocate-on-exit no;
             // where should Bind put a dump of its cache
             // if told to dump it (rndc dumpdb)
             dump-file "named_dump.db";
             // how often should bind check for new
             // interfaces to listen on. we turn
             // this off by setting it to 0
             interface-interval 0;
             // specify what interfaces/ips to listen on
             // as the default is all of them
             listen-on { 192.168.1.10; 127.0.0.1; };
             // define a maximum size of cached records
             // new in Bind 9.x
             max-cache-size 20M;
             // where to write stats of memory usage
             // (ignored by early 9.x releases)
             memstatistics-file "named.memstats";
             // where to put our pid file
             // absolute path since we don't want
             // it in /var/named
             pid-file "/var/run/named.pid";
             // The original howto pinned the source port here:
             //   query-source address * port 53;
             //   transfer-source * port 53;
             //   notify-source * port 53;
             // to make firewalling easier (Bind 9 uses high ports by
             // default). Do NOT do this: a fixed source port throws away
             // the ~16 bits of entropy that source-port randomization
             // (BIND 9.5.0-P1 and later, the fix for CVE-2008-1447) adds
             // against off-path cache poisoning, leaving an attacker only
             // the 16-bit message id to guess. If the firewall needs a
             // bounded range, use use-v4-udp-ports / avoid-v4-udp-ports.
             query-source address *;
             transfer-source *;
             notify-source *;
             // where to dump Bind server stats
             statistics-file "named.stats";
             // BIND 8 option: BIND 9 always draws message ids from a
             // random pool and accepts this only for compatibility
             use-id-pool yes;
             // If the chaos view below doesn't work
             // for some reason, still give out a bogus
             // answer for Bind version requests
             version "This is not the port you're looking for.";
             // keep stats on a zone basis
             zone-statistics yes;
         };
         controls {
             // this allows rndc to be used from the localhost
             // to talk to bind on the loopback interface
             // using the key defined as 'rndc-key'
             inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
         };
         // the rest of the key configuration is in
         // /etc/rndc.conf and the key itself is in
         // /etc/rndc.key
         key "rndc-key" {
             // how was key encoded
             algorithm hmac-md5;
             // what is the pass-phrase for the key
             // (must be identical to the one in rndc.conf)
             secret "aHVz";
         };
         logging {
             channel named_info {
                 // log to syslog instead of a file
                 syslog;
                 // include the category of the event in the log
                 print-category yes;
                 // include the severity of the event in the log
                 print-severity yes;
                 // include the time of the event in the log
                 print-time yes;
             };
             // Processing of client requests
             category client { named_info; };
             // named.conf parsing and processing
             category config { named_info; };
             // Messages relating to internal memory structures
             category database { named_info; };
             // This is the default for any category not specifically defined
             category default { named_info; };
             // The catch-all. Anything without a category of its own
             category general { named_info; };
             // Uncomment if you don't want to know about lame servers.
             // Leave commented and it defaults to the
             // value of default above
             // category lame-servers { null; };
             // The NOTIFY protocol
             category notify { named_info; };
             // Network operations
             category network { named_info; };
             // DNS resolution like recursive lookups, etc..
             category resolver { named_info; };
             // Approval and denial of requests
             category security { named_info; };
             // Dynamic updates
             category update { named_info; };
             // Queries. Duh.
             category queries { named_info; };
             // Zone transfers received
             category xfer-in { named_info; };
             // Zone transfers sent
             category xfer-out { named_info; };
         };
         // this is where we define different versions
         // of our zones based on where the client is
         // coming from.
         // a query is matched against the views of its class in order,
         // and the first view whose match-clients matches the client is
         // the one that answers, so order is important. the original
         // howto spread the IN zones over three views with identical
         // match-clients; only the first of those could ever match, so
         // the reverse zones were never served. all IN zones live in one
         // view here. clients outside the listed networks match no view
         // at all and get REFUSED, which is what we want from a caching
         // server that serves only the LAN.
         view "external-chaos" chaos {
             // you could use 'any' or even 'localnets' here
             // instead of specifying each IP range
             // however, it should be noted that 'localnets'
             // means ANY network Bind is directly connected
             // to which might include your ISP
             match-clients { 192.168.1.0/24; 127.0.0.0/8; };
             recursion no;
             zone "." {
                 type hint;
                 // an empty hints file: CHAOS queries for version.bind
                 // and hostname.bind get an error instead of an answer
                 file "/dev/null";
             };
         };
         view "external" {
             // same client list as above; see the note there on 'localnets'
             match-clients { 192.168.1.0/24; 127.0.0.0/8; };
             // this view is the resolver for the LAN (the default, made explicit)
             recursion yes;
             zone "." {
                 type hint;
                 file "root.hints";
             };
             zone "0.0.127.in-addr.arpa" {
                 type master;
                 file "pz/127.0.0";
                 allow-update { none; };
             };
             zone "1.168.192.in-addr.arpa" {
                 type master;
                 file "pz/192.168.1";
                 allow-update { none; };
             };
         };
         
         
  26. Check the configuration and the zone file, start Bind, and confirm that the rndc control channel works (named-checkconf and named-checkzone ship with BIND 9):
    • named-checkconf /etc/named.conf
    • named-checkzone 0.0.127.in-addr.arpa /var/named/pz/127.0.0
    • /usr/sbin/named -u named
    • rndc status
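A text-level check for the settings discussed in the named.conf of step 25, as an added example that is not part of the original howto: it flags a pinned source port on the query-source/transfer-source/notify-source statements, an hmac-md5 control-channel key, and the no-op use-id-pool, and writes a corrected copy. It is a grep/sed pass over the file, not a substitute for named-checkconf; the function names are this example's own, and the sample configuration is constructed from the howto's statements rather than being a complete named.conf.

```shell
#!/bin/sh
# Added example (not part of the howto): audit and correct the weak settings
# that the step 25 named.conf discusses.

# Print one line per finding in $1 (line number and statement); nothing if clean.
audit_named_conf() {
    f=$1
    # A fixed source port discards the entropy that source-port randomization
    # (BIND 9.5.0-P1 and later) adds against off-path cache poisoning.
    grep -En '^[[:space:]]*(query|transfer|notify)-source[^;]*[[:space:]]port[[:space:]]+53[[:space:]]*;' "$f" |
        sed 's/^/fixed source port: /'
    # hmac-md5 is what old releases used for rndc; prefer hmac-sha256 where supported.
    grep -En '^[[:space:]]*algorithm[[:space:]]+hmac-md5' "$f" |
        sed 's/^/md5 control-channel key: /'
    # use-id-pool is a BIND 8 option; BIND 9 accepts it but ignores it.
    grep -En '^[[:space:]]*use-id-pool[[:space:]]' "$f" |
        sed 's/^/ignored by BIND 9: /'
}

# Number of findings for $1.
count_findings() {
    audit_named_conf "$1" | wc -l | tr -d ' '
}

# Write $1 to $2 with the fixed port dropped from the *-source statements,
# hmac-md5 replaced by hmac-sha256 (rndc.conf must get the same change),
# and use-id-pool removed. Everything else is copied unchanged.
harden_named_conf() {
    sed -E \
        -e 's/^([[:space:]]*(query|transfer|notify)-source[^;]*)[[:space:]]+port[[:space:]]+53([[:space:]]*;)/\1\3/' \
        -e 's/^([[:space:]]*algorithm[[:space:]]+)hmac-md5/\1hmac-sha256/' \
        -e '/^[[:space:]]*use-id-pool[[:space:]]/d' \
        "$1" > "$2"
}

# Constructed sample carrying the howto's statements (not a complete named.conf).
write_sample_conf() {
    cat > "$1" <<'EOF'
options {
        directory "/var/named";
        // force Bind to use port 53 (Bind 9 uses high ports by default)
        query-source address * port 53;
        transfer-source * port 53;
        notify-source * port 53;
        use-id-pool yes;
        version "This is not the port you're looking for.";
};
key "rndc-key" {
        algorithm hmac-md5;
        secret "aHVz";
};
EOF
}
```

Run audit_named_conf /etc/named.conf before starting the server; harden_named_conf writes to a second file so the result can be checked with named-checkconf before it replaces the original.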

Congrats! You now have a fairly secure, caching name server that can be controlled using rndc!

Enjoy your new Bind server!
