Submitter: Doug Hunley
This document describes the process of installing Bind 9.x on
your Linux box as a Caching DNS server.
The steps to install it are as follows:
- Install OpenSSL
- Download the latest stable release from ISC.org
*
- Extract the tarball like so:
-
# Unpack the ISC source tarball (verbose) and enter the source tree;
# substitute the release you actually downloaded for "9.x".
tar -x -z -v -f bind-9.x.tar.gz
cd bind-9.x
- Configure the software:
-
# Build configuration: install under /usr, config files in /etc, state
# under /var/state, threaded server, libtool build, OpenSSL from /usr/ssl.
configure_opts=(
  --prefix=/usr
  --sysconfdir=/etc
  --enable-threads
  --localstatedir=/var/state
  --with-libtool
  --with-openssl=/usr/ssl
)
./configure "${configure_opts[@]}"
- Compile it (the build command is missing from this copy of the text; `make` in the source tree is the step that precedes the `make install` below):
-
- Remove all existing Bind software:
-
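# Remove every installed package whose name starts with "bind" so the
# freshly built tree does not collide with distribution files.
# --nodeps skips RPM's dependency check, so anything that depended on the
# old packages is left dangling until the new install below.
rpm -q -a | grep '^bind' | while IFS= read -r line; do
  # -r keeps backslashes literal; quoting and -- keep an odd package
  # name from being split or read as an option.
  rpm -e --nodeps -- "$line"
done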
- Install your new Bind:
-
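make install
# Manual pages: the steps below are only needed before 9.2.0 (later
# releases install them as part of "make install"). They run in a
# subshell chained with && so a failed cd stops the sequence instead of
# installing from the wrong directory; the caller's working directory is
# left where it was.
(
  cd doc/man/bin \
    && for i in 1 5 8; do
         # quote so the glob is the only expansion and the target path
         # stays intact; -- protects against names starting with '-'
         install -- *."$i" "/usr/man/man$i" || exit 1
       done \
    && cd ../dnssec \
    && install -- *.8 /usr/man/man8
)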
- Update your library resolutions (the command is missing from this copy of the text; the intent is to refresh the dynamic-linker cache, normally `ldconfig`, so the libtool-built libraries under /usr are found):
-
- Create the Bind user and group
-
# Dedicated unprivileged account for named: its home is the zone
# directory and it gets no login shell.
groupadd named
useradd -g named -d /var/named -s /bin/false named
- Adjust the group/perms on /var/run (note that this makes /var/run writable by every member of the 'daemon' group, not only named; a named-owned subdirectory with named.conf's pid-file pointing into it would be a narrower grant)
-
vigr   # interactive: add "named" to the members of the 'daemon' group
# Group daemon gets write access to /var/run, presumably so named (now in
# that group) can create the pid file named.conf points at /var/run.
# This also lets every other daemon-group member create or rename entries
# there; a named-owned subdirectory would be a narrower grant.
chown root:daemon /var/run
chmod u=rwx,g=rwx,o=rx /var/run
- Create the Bind rundir
-
# Zone directory tree owned by the named account; pz/ holds the primary
# zone files referenced from named.conf.
mkdir -p /var/named/pz
chown -R named:named /var/named
chmod -R u=rwx,go=rx /var/named
- Create a script to maintain the root.hints file
-
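# Write the root-hints refresh script; the quoted delimiter keeps the
# heredoc literal, so nothing is expanded at creation time.
cat << "EOF" > update_named
#!/bin/sh
# Fetch a fresh root hints file and swap it into place, restarting named
# around the swap. Intended to run unattended from cron (see the
# cron.monthly step). The download is plain HTTP with no integrity check,
# so the only guard against a bad file is that it is non-empty.
cd /var/named || exit 1
# -O pins the output name so the size test below checks the file that was
# actually fetched (without it, wget would write db.root.1 if db.root
# already exists). A failed fetch stops here instead of installing a
# leftover file.
# NOTE(review): the URL as printed in the source text looks truncated;
# confirm the real location of db.root before using this script.
wget -O /var/named/db.root http://dns./tech/rootzone/db.root || exit 1
if [ -s /var/named/db.root ]; then
  chown named:named /var/named/db.root
  /etc/rc.d/named stop
  mv /var/named/root.hints /var/named/root.hints.old
  mv /var/named/db.root /var/named/root.hints
  /etc/rc.d/named start
fi
EOF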
- Make the script executable, and execute it (the named stop/start inside the script will probably fail at this point, since Bind is not configured yet, but your root.hints file will get updated as we wanted)
-
# Owner-only rwx (the same bits as 700), then run once now to seed
# root.hints.
chmod u=rwx,go= update_named
./update_named
- Move the script to your monthly cron directory (from there it runs unattended, typically as root, fetching root.hints over plain HTTP with no integrity check, so keep an eye on the file it installs)
-
# Hand the refresh script to cron; -- guards against the name being
# read as an option.
mv -- update_named /etc/cron.monthly
- Create /var/named/pz/127.0.0 as below,
-
$TTL 1D
@ 1D IN SOA localhost. root.localhost. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
1D IN NS localhost.
1 1D IN PTR localhost.
- Create /var/named/pz/192.168.1 (its contents are missing from this copy of the text; named.conf below loads it as the reverse zone 1.168.192.in-addr.arpa, so model it on the 127.0.0 file above)
-
- Create /etc/resolv.conf
-
# Point the local resolver at the new caching server on loopback.
printf 'nameserver 127.0.0.1\n' > /etc/resolv.conf
-
Create your rndc secret (we'll use "hush" for ours). Note that mmencode only base64-encodes the phrase you type, so the key is exactly as guessable as that phrase; BIND's `rndc-confgen` generates a random key instead.
mmencode (this command is part of the
metamail package)
hush
aHVz (mmencode returns this)
^C
- Create /etc/rndc.conf
-
// this file is used by the rndc utility
options {
// what host should rndc attempt to control by default
default-server localhost;
// and what key should it use to communicate with named
default-key "rndc-key";
};
server localhost {
// always use this key with this host
key "rndc-key";
};
key "rndc-key" {
// HMAC algorithm rndc uses to authenticate control messages (hmac-md5 here; newer BIND 9 releases also support the hmac-sha family)
algorithm hmac-md5;
// the shared secret (base64); it must match the key in rndc.key and named.conf, and anyone who can read it can control named
secret "aHVz";
};
// secret was generated by running mmencode on command line
// and then entering a secret phrase
- Create /etc/rndc.key
-
// this file is used when named starts up and sees that
// there is a key assigned to the control channel
key "rndc-key" {
// HMAC algorithm for the control channel; must match rndc.conf
algorithm hmac-md5;
// the shared secret (base64); must match rndc.conf and named.conf, so keep this file readable only by root and named
secret "aHVz" ;
};
- And finally, create /etc/named.conf as below
-
// This is a configuration file for named (from BIND 9.0 or later).
// It would normally be installed as /etc/named.conf.
//
// Changed to match secure example from LASG 5/17/00
// Changed to match Linux Journal example 9/17/00
// Added new "view" sections to stop fingerprinting of Bind 9.x per
// Bugtraq 1/31/00
// Added rndc key stuff per DNS & Bind (Rev. 4) Chapter 11
// added use-id-pool and more comments based on above chapter
options {
// Directory where bind should create files if
// not explicitly stated
directory "/var/named";
// whom do we allow to do zone transfers
allow-transfer { 192.168.1.0/24; };
// new in Bind 9.x to allow RFC1886 -> RFC2874 conversion
// to support IPv6
// allow-v6-synthesis { 192.168.1.10; };
// OBSOLETED in 9.3.0 + !!
// tell Bind to check the names in zone files
// since it no longer does this by default
// (unimplemented 9.3.0+)
check-names master warn;
// caps the server's data-segment memory (datasize limit) at 20Mb
datasize 20M;
// sets the size of the journal to 5Mb
max-journal-size 5M;
// Bind 9.x doesn't recognize this yet :(
// deallocate-on-exit no;
// where should Bind put a dump of its cache
// if told to dump it
dump-file "named_dump.db";
// how often should bind check for new
// interfaces to listen on. we turn
// this off by setting it to 0
interface-interval 0;
// specify what interfaces/ips to listen on
// as the default is all of them
listen-on { 192.168.1.10; 127.0.0.1; };
// define a maximum size of cached records
// new in Bind 9.x
max-cache-size 20M;
// where to write stats of memory usage
// Bind 9.x doesn't recognize this yet :(
memstatistics-file "named.memstats";
// where to put our pid file
// absolute path since we don't want
// it in /var/named
pid-file "/var/run/named.pid";
// force Bind to use port 53 for its
// network operation to other DNS
// servers (Bind 9 uses high ports
// by default). Makes firewalling easier
query-source address * port 53;
transfer-source * port 53;
notify-source * port 53;
// where to dump Bind server stats
statistics-file "named.stats";
// force Bind to be "more" random in assigning
// message ids
use-id-pool yes;
// If the chaos view below doesn't work
// for some reason, still give out a bogus
// answer for Bind version requests
version "This is not the port you're looking for.";
// keep stats on a zone basis
zone-statistics yes;
};
controls {
// this allows rndc to be used from the localhost
// to talk to bind on the loopback interface
// using the key defined as 'rndc-key'
inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
// the rest of the key configuration is in
// /etc/rndc.conf and the key itself is in
// /etc/rndc.key
key "rndc-key" {
// HMAC algorithm for the control channel; must match /etc/rndc.conf and /etc/rndc.key
algorithm hmac-md5;
// the shared secret (base64); must match /etc/rndc.conf and /etc/rndc.key, and any readable copy of it can control named
secret "aHVz" ;
};
logging {
channel named_info {
// log to syslog instead of a file
syslog;
// include the category of the event in the log
print-category yes;
// include the severity of the event in the log
print-severity yes;
// include the time of the event in the log
print-time yes;
};
// Processing of client requests
category client { named_info; };
// named.conf parsing and processing
category config { named_info; };
// Messages relating to internal memory structures
category database { named_info; };
// This is the default for any category not specifically defined
category default { named_info; };
// The catch-all. Anything without a category of its own
category general { named_info; };
// Uncomment if you don't want to know about lame servers.
// Leave commented and it defaults to the
// value of default above
// category lame-servers { null; };
// The NOTIFY protocol
category notify { named_info; };
// Network operations
category network { named_info; };
// DNS resolution like recursive lookups, etc..
category resolver { named_info; };
// Approval and denial of requests
category security { named_info; };
// Dynamic updates
category update { named_info; };
// Queries. Duh.
category queries { named_info; };
// Zone transfers received
category xfer-in { named_info; };
// Zone transfers sent
category xfer-out { named_info; };
};
// this is where we define different versions
// of our zones based on where the client is
// coming from.
// the first view that matches a client is
// the one that gets used, so order can be
// important
view "external-chaos" chaos {
// you could use 'any' or even 'localnets' here
// instead of specifying each IP range
// however, it should be noted that 'localnets'
// means ANY network Bind is directly connected
// to which might include your ISP
match-clients { 192.168.1.0/24; 127/8; };
recursion no;
zone "." {
type hint;
// this causes a null response to queries
// about the Bind version
file "/dev/null";
};
};
view "external" {
// you could use 'any' or even 'localnets' here
// instead of specifying each IP range
// however, it should be noted that 'localnets'
// means ANY network Bind is directly connected
// to which might include your ISP
match-clients { 192.168.1.0/24; 127/8; };
zone "." {
type hint;
file "root.hints";
};
};
view "external-127" {
// you could use 'any' or even 'localnets' here
// instead of specifying each IP range
// however, it should be noted that 'localnets'
// means ANY network Bind is directly connected
// to which might include your ISP
match-clients { 192.168.1.0/24; 127/8; };
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
allow-update {
none;
};
};
};
view "external-192" {
// you could use 'any' or even 'localnets' here
// instead of specifying each IP range
// however, it should be noted that 'localnets'
// means ANY network Bind is directly connected
// to which might include your ISP
match-clients { 192.168.1.0/24; 127/8; };
zone "1.168.192.in-addr.arpa" {
type master;
file "pz/192.168.1";
allow-update {
none;
};
};
};
- The only thing left to do is start Bind (the start command is missing from this copy of the text; the update script above uses `/etc/rc.d/named start`):
-
Congrats! You now have a fairly secure, caching name server
that can be controlled using rndc!
Enjoy your new Bind server!
|