Professional Documents
Culture Documents
Setting up a caching server for client local machines will reduce the load on the site's
primary server. A caching only name server will find the answer to name queries and
remember the answer the next time we need it. This will shorten the waiting time the next
time significantly. For security reasons, it is very important that DNS doesn't exist between
hosts on the corporate network and external hosts; it is far safer to simply use IP addresses
to connect to external machines from the corporate network and vice-versa.
In our configuration and installation we'll run BIND/DNS as non root-user and in a
chrooted environment. We also provide you three different configurations;
The simple caching name server configuration will be used for your servers that don't
act as a master or slave name server, and the slave and master configurations will be used
for your servers that act as a master name server and slave name server. Usually one of
your servers acts as master, another one acts as slave and the rest act as simple caching
client name server.
This is a graphical representation of the DNS configuration we use in this book. We try
to show you different settings
on different servers. A lot of possibilities exist, and depend on your needs, and network
architecture.
Before you decompress Tarballs and install, it is a good idea to make a list of files on
the system before you install BIND, and one afterwards, and then compare them using diff
to find out what file it placed where. Simply run find /* > DNS1 before and find /* > DNS2
after you install the software, and use diff DNS1 DNS2 > DNS-Installed to get a list of what
changed.
We create a directory named bind to handle the tar archives and copy them to this
new directory.
Move into the new bind directory cd /var/tmp/bind and decompress the tar files:
Configure
Configuration files for different services are very specific depending on your needs
and your network architecture. People can install DNS Servers at home as a caching-only
server, though companies may install it with primary, secondary and caching DNS servers.
: All the configuration files required for each software described in this
book has been provided by us as a gzipped file, floppy.tgz for your convenience.
total 24
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Caching-Only-DNS/
-rw-r--r-- 1 harrypotter harrypotter 484 Jun 8 13:00 Compile-BIND
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Primary-Master-DNS/
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Secondary-Slave-DNS/
-rwx------ 1 harrypotter harrypotter 300 Jun 8 13:00 bind.sh*
drwxr-xr-x 3 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
You can either cut and paste this directly if you are faithfully following our instructions
from the begining or manually edit these to modify to your needs. This facility is there
though as a convenience but please don't forget ultimately it will be your responsibility to
check, verify, etc. before you use them whether modified or as it is.
To run a caching-only name server, the following files are required and must be created
or copied to the appropriate directories on your server.
i. Copy the named.conf file to the /etc/ directory.
ii. Copy the db.127.0.0 file to the /var/named/ directory.
iii. Copy the db.cache file to the /var/named/ directory.
iv. Copy the named script file to the /etc/rc.d/init.d/ directory.
To run a master name server, the following files are required and must be created or
copied to the appropriate directories on your server.
i. Copy the named.conf file to the /etc/ directory.
ii. Copy the db.127.0.0 file to the /var/named/ directory.
iii. Copy the db.cache file to the /var/named/ directory.
iv. Copy the db.208.164.186 file to the /var/named/ directory.
v. Copy the db.openna file to the /var/named/ directory.
vi. Copy the named script file to the /etc/rc.d/init.d/ directory.
To run a slave name server, the following files are required and must be created or
copied to the appropriate directories on your server.
: You can obtain the configuration files listed over the next few sections
on the floppy.tgz archive. Copy the following files from the decompressed floppy.tgz archive
to the appropriate places, or copy them directly from this book to the concerned file.
1. named.conf
2. db.127.0.0
3. db.cache
4. named script
To configure the /etc/named.conf file for a simple caching name server, use this for all
servers that don’t act as a master or slave name server. Setting up a simple caching server
for local client machines will reduce the load on the network's primary server. Many users
on dialup connections may use this configuration along with bind for such a purpose.
Create the named.conf file, touch /etc/named.conf and add the following lines to the
file:
options {
directory "/var/named";
: To improve the security of your BIND/DNS server you can stop it from
even trying to contact an off-site server if their forwarder is down or doesn't respond. With
the forward only option set in your named.conf file, the name server doesn't try to contact
other servers to find out information if the forwarder doesn't give it an answer.
To configure the /var/named/db.127.0.0 file for a simple caching name server, you
can use this configuration for all machines on your network that don't act as a master or
slave name server.
The db.127.0.0 file covers the loopback network. Create the following files in
/var/named/, touch /var/named/db.127.0.0 and add the following lines in the file:
$TTL 345600
@ IN SOA localhost. root.localhost. (
00 ; Serial
86400 ; Refresh
7200 ; Retry
2592000 ; Expire
345600 ) ; Minimum
IN NS localhost.
1 IN PTR localhost.
Configure the /var/named/db.cache file for a simple caching name server before
starting your DNS server. You must take a copy of db.cache file and copy this file to the
/var/named/ directory. The db.cache tells your server where the servers for the root
zone are.
Use the following commands on another UNIX computer in your organization to
query a new db.cache file for your DNS Server or pick one from your Red Hat Linux CD-
ROM source distribution:
Don't forget to copy the db.cache file to the /var/named/ directory on your server
where you're installing DNS server after retrieving it over the Internet.
To configure the /etc/named.conf file for a master name server, use this configuration
for the server on your network that acts as a master name server. After compiling DNS, you
need to set up a primary domain name for your server. We'll use openna.com as an
example domain, and assume you are using IP network address of 208.164.186.0.
To do this, add the following lines to your /etc/named.conf. Create the named.conf
file touch /etc/named.conf and add:
options {
directory "/var/named";
fetch-glue no;
recursion no;
allow-query { 208.164.186/24; 127.0.0/8; };
allow-transfer { 208.164.186.2; };
transfer-format many-answers;
};
// These files are not specific to any zone
zone "." in {
type hint;
file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "db.127.0.0";
};
// These are our primary zone files
zone "openna.com" in {
type master;
file "db.openna ";
};
zone "186.164.208.in-addr.arpa" in {
type master;
file "db.208.164.186";
};
The fetch-glue no option can be used in conjunction with the option recursion no to
prevent the server's cache from growing or becoming corrupted. Also, disabling recursion
puts your name servers into a passive mode, telling it never to send queries on behalf of
other name servers or resolvers. A non-recursive name server is very difficult to spoof, since
it doesn't send queries, and hence doesn't cache any data.
To configure the /var/named/db.127.0.0 file for a master and slave name server,
you can use this configuration file by both a master name server and a slave name server.
The db.127.0.0 file covers the loopback network.
To configure of the /var/named/db.openna file for a master name server, use this
configuration for the server on your network that acts as a master name server. The file
db.openna maps addresses to host names.
To configure the /var/named/db.cache file for a master and slave name servers
Before starting your DNS server you must take a copy of the db.cache file and copy it into
the /var/named/ directory. The db.cache tells your server where the servers for the root
zone are.
Use the following command on another UNIX computer in your organization to query
a new db.cache file for your DNS Server or pick one from your Red Hat Linux CD-ROM
source distribution:
Don't forget to copy the db.cache file to the /var/named/ directory on your server
where you're installing DNS server after retrieving it over the Internet.
To configure the /etc/named.conf file for a slave name server, use this configuration
for the server on your network that acts as a slave name server. You must modify the
named.conf file on the slave name server host. Change every occurrence of primary to
secondary except for 0.0.127.in-addr.arpa and add a master’s line with the IP address of
the master server as shown below.
options {
directory "/var/named";
fetch-glue no;
recursion no;
allow-query { 208.164.186/24; 127.0.0/8; };
allow-transfer { 208.164.186.1; };
transfer-format many-answers;
};
// These files are not specific to any zone
zone "." in {
type hint;
file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "db.127.0.0";
};
// These are our slave zone files
zone "openna.com" in {
type slave;
file "db.openna";
masters { 208.164.186.1; };
};
zone "186.164.208.in-addr.arpa" in {
type slave;
file "db.208.164.186";
masters { 208.164.186.1; };
};
This tells the name server that it is a slave for the zone openna.com and should
track the version of this zone that is being kept on the host 208.164.186.1.
A slave name server doesn't need to retrieve all of its database (db) files over the network
because these db files db.127.0.0 and db.cache are the same as on a primary master, so
you can keep a local copy of these files on the slave name server.
i. Copy the db.127.0.0file from master name server to slave name server.
ii. Copy the db.cache file from master name server to slave name server.
/etc/rc.d/init.d/named script
Configure your /etc/rc.d/init.d/named script file to start and stop the BIND/DNS
daemon on your Server. This configuration script file can by used for all type of name
server caching, master or slave.
#!/bin/sh
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
# Source function library.
. /etc/rc.d/init.d/functions
# Source networking configuration.
. /etc/sysconfig/network
# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0
[ -f /usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0
RETVAL=0
# See how we were called.
case "$1" in
start)
# Start daemons.
echo -n "Starting named: "
daemon named
RETVAL=$?
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
echo
;;
stop)
# Stop daemons.
echo -n "Shutting down named: "
killproc named
RETVAL=$?
[ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
echo
;;
status)
/usr/sbin/ndc status
exit $?
;;
restart)
$0 stop
$0 start
;;
reload)
/usr/sbin/ndc reload
exit $?
;;
probe)
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/sbin/ndc reload >/dev/null 2>&1 || echo start
exit 0
;;
*)
echo "Usage: named {start|stop|status|restart}"
exit 1
esac
exit $RETVAL
Now, make this script executable and change its default permissions:
Create the symbolic rc.d links for BIND/DNS with the command:
Starting named: [ OK ]
The following are the necessary steps to run ISC BIND/DNS software in a chroot jail:
We must find the shared library dependencies of named, named is the DNS daemon. These
will need to be copied into the chroot jail later.
1. To find the shared library dependencies of named, execute the following command:
2. Make a note of the files listed above; you will need these later in our steps.
Now we must set up the chroot environment, and create the root directory of the jail.
We've chosen /chroot/named because we want to put this on its own separate file system
to prevent file system attacks. Early in our Linux installation procedure we created a
special partition /chroot for this purpose.
1.
[root@deep] /# /etc/rc.d/init.d/named stop
5. Now copy the main configuration file, the zone files, the named and the named-xfer
programs into the appropriate places in the chroot jail directory:
Copy the shared libraries identified above to the chrooted lib directory:
Copy the localtime and nsswitch.conf files to the chrooted etc directory so that log
entries are adjusted for your local timezone properly:
We must set some files under the /chroot/named/etc directory with the immutable bit
enabled for better security:
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i nsswitch.conf
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i named.conf
3. A file with the +i attribute cannot be modified, deleted or renamed; no link can be
created to this file and no data can be written to it. Only the super user can set or
clear this attribute.
Add a new UID and a new GID for running the daemon named if this is not already set.
This is important because running it as root defeats the purpose of the jail, and using a
different user id that already exists on the system can allow your services to access each
others' resources. Check the /etc/passwd and /etc/group files for a free UID/GID
number available. In our example we'll use the number 53 and the name named.
Edit the syslog script file vi +24 /etc/rc.d/init.d/syslog and change the line:
daemon syslogd -m 0
To read:
The default named script file of ISC BIND/DNS starts the daemon named outside the chroot
jail. We must change it to start named from the chroot jail. Edit the named script file
vi /etc/rc.d/init.d/named and change the lines:
[ -f /usr/sbin/named ] || exit 0
To read:
[ -f /chroot/named/usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0
To read:
[ -f /chroot/named/etc/named.conf ] || exit 0
daemon named
To read:
The -t
option tells named to start up using the new chroot environment.
The -u
option specifies the user to run as.
The -g
option specifies the group to run as.
In BIND 8.2 version, the ndc command of ISC BIND/DNS software became a binary
file; before, it was a script file, which renders the shipped ndc useless in this setting. To fix
it, the ISC BIND/DNS package must be compiled again from source. To do this, in the top
level of ISC BIND/DNS source directory.
'CC=egcs -D_GNU_SOURCE'
'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -
march=pentiumpro -fomit-frame-pointer -fno-exceptions -g
'DESTBIN=/usr/bin'
'DESTSBIN=/chroot/named/usr/sbin'
'DESTEXEC=/chroot/named/usr/sbin'
'DESTMAN=/usr/man'
'DESTHELP=/usr/lib'
'DESTETC=/etc'
'DESTRUN=/chroot/named/var/run'
'DESTLIB=/usr/lib/bind/lib'
'DESTINC=/usr/lib/bind/include'
'LEX=flex -8 -I'
'YACC=yacc -d'
'SYSLIBS=-lfl'
'INSTALL=install'
'MANDIR=man'
'MANROFF=cat'
'CATEXT=$$N'
'PS=ps p'
'AR=ar crus'
'RANLIB=:'
3. The difference between the Make file we used before and this one is that we modify
the DESTSBIN=, DESTEXEC=, and DESTRUN= lines to point to the chrooted
directory of BIND/DNS. With this modification, the ndc program knows where to
find named.
[root@deep ]/src# make clean
[root@deep ]/src# make
[root@deep ]/src# cp bin/ndc/ndc /usr/sbin/
[root@deep ]/src# cp: overwrite `/usr/sbin/ndc'? y
[root@deep ]/src# strip /usr/sbin/ndc
4. We build the binary file, then copy the result of ndc program to /usr/sbin and
overwrite the old one. We don’t forget to strip our new ndc binary for better
performance.
We remove the named and named-xfer binaries from the /usr/sbin directory, since
the ones we'll work with now on a daily basis are located under the chroot directory. The
same applies for the named.conf file and /var/named directory.
We must test the new chrooted jail configuration of our ISC BIND/DNS software.
1. The first thing to do is to restart our syslogd daemon with the following command:
3. Make sure it's running as user named and with the new arguments. To verify that
ISC BIND/DNS is running as user named with the new arguments, use the following
command:
4. The first column should be named, which is the UID named daemon is running
under. The end of the line should be named -t /chroot/named/ -unamed -gnamed,
which are the new arguments.
5. This will remove the source file and tar archive we used to compile and install ISC
BIND/DNS.
Further documentation, for more details there are several man pages you can read:
dnsdomainname (1)
- show the system's DNS domain name
dnskeygen (1)
- generate public, private, and shared secret keys for DNS Security
dnsquery (1)
- query domain name servers using resolver
named (8)
- Internet domain name server DNS
ldconfig (8)
- determine run-time link bindings
lesskey (1)
- specify key bindings for less
raw (8)
- bind a Linux raw character device
mkfifo (1)
- make FIFOs named pipes
named-bootconf (8)
- convert name server configuration files
named-xfer (8)
- ancillary agent for inbound zone transfers
Opcode (3)
- Disable named opcodes when compiling perl code
dig (1)
- send domain name query packets to name servers
nslookup (8)
- query Internet name servers interactively
ndc (8)
- name daemon control program
Use the following command to query a new db.cache file for your DNS Server:
Where @a.root-servers.net is the address of the root server for querying the new
db.cache file and db.cache file is the name of your new db.cache file.
ndc. The ndc command utility of ISC BIND/DNS allows the system administrator to
control interactively via a terminal the operation of a name server. Type ndc on your
terminal and then help to see help on different command.
[root@deep] /# ndc
Type help -or- /h if you need help.
ndc> help
getpid
status
stop
exec
reload [zone] ...
reconfig (just sees new/gone zones)
dumpdb
stats
trace [level]
notrace
querylog
qrylog
help
quit
ndc> /e
nslookup. The nslookup program allows the user to query Internet domain name
servers interactively or non-interactively. In interactive mode the user can query name
servers for information about various hosts and domains, and print a list of hosts in a
domain. In non-interactive mode the user can just print the name and request information
for a host or domain. Interactive mode has a lot of options and commands; it is
recommended that you see the man page for nslookup, or the help under nslookup
Interactive mode.
[root@deep] /# nslookup
Default Server: deep.openna.com
Address: 208.164.186.1
> help
$Id: nslookup.help,v 8.4 1996/10/25 18:09:41 vixie Exp $
Non-authoritative answer:
Name: www.portal.redhat.com
Addresses: 206.132.41.202, 206.132.41.203
Aliases: www.redhat.com
Where www.redhat.com is the host name or Internet address of the name server to
be looked up.
dnsquery. The dnsquery program queries domain name servers via the resolver
library calls /etc/resolv.conf. To query domain name servers using resolver, use the
command:
host. The host program looks up host names using DNS. To look up host names
using domain server, use the command:
Where <FQDN, domain names, host names, or host numbers> is either FDQN
www.redhat.com, domain names redhat.com, host names www or host numbers
207.175.42.154.
To find all of the information about a host maintained by the DNS, use the command:
This option can be used to find all of the information that is maintained by the
domain server about this host, in our example redhat.com.
This option, in the official master file format, will give a complete download of the
zone data for the domain name openna.com. This command should be used only if it is
absolutely necessary.
21.11. Installed files
/etc/rc.d/init.d/named /usr/lib/bind/include/hesiod.h
/etc/rc.d/rc0.d/K45named /usr/lib/bind/include/sys
/etc/rc.d/rc1.d/K45named /usr/lib/bind/include/net
/etc/rc.d/rc2.d/K45named /usr/lib/bind/lib
/etc/rc.d/rc3.d/K45named /usr/lib/bind/lib/libbind.a
/etc/rc.d/rc4.d/K45named /usr/lib/bind/lib/libbind_r.a
/etc/rc.d/rc5.d/K45named /usr/lib/nslookup.help
/etc/rc.d/rc6.d/K45named /usr/man/man1/dig.1
/etc/named.conf /usr/man/man1/host.1
/usr/bin/addr /usr/man/man1/dnsquery.1
/usr/bin/nslookup /usr/man/man1/dnskeygen.1
/usr/bin/dig /usr/man/man3/hesiod.3
/usr/bin/dnsquery /usr/man/man3/gethostbyname.3
/usr/bin/host /usr/man/man3/inet_cidr.3
/usr/bin/nsupdate /usr/man/man3/resolver.3
/usr/bin/mkservdb /usr/man/man3/getnetent.3
/usr/lib/bind /usr/man/man3/tsig.3
/usr/lib/bind/include /usr/man/man3/getaddrinfo.3
/usr/lib/bind/include/arpa /usr/man/man3/getipnodebyname.3
/usr/lib/bind/include/arpa/inet.h /usr/man/man5/resolver.5
/usr/lib/bind/include/arpa/nameser.h /usr/man/man5/irs.conf.5
/usr/lib/bind/include/arpa/nameser_compat.h /usr/man/man5/named.conf.5
/usr/lib/bind/include/isc /usr/man/man7/hostname.7
/usr/lib/bind/include/isc/eventlib.h /usr/man/man7/mailaddr.7
/usr/lib/bind/include/isc/misc.h /usr/man/man8/named.8
/usr/lib/bind/include/isc/tree.h /usr/man/man8/ndc.8
/usr/lib/bind/include/isc/logging.h /usr/man/man8/named-xfer.8
/usr/lib/bind/include/isc/heap.h /usr/man/man8/named-bootconf.8
/usr/lib/bind/include/isc/memcluster.h /usr/man/man8/nslookup.8
/usr/lib/bind/include/isc/assertions.h /usr/man/man8/nsupdate.8
/usr/lib/bind/include/isc/list.h /usr/sbin/ndc
/usr/lib/bind/include/isc/dst.h /usr/sbin/named
/usr/lib/bind/include/isc/irpmarshall.h /usr/sbin/named-xfer
/usr/lib/bind/include/netdb.h /usr/sbin/irpd
/usr/lib/bind/include/resolv.h /usr/sbin/dnskeygen
/usr/lib/bind/include/res_update.h /usr/sbin/named-bootconf
/usr/lib/bind/include/irs.h /var/named
/usr/lib/bind/include/irp.h
Uç
atéxxÜ T{Åxw (IT Support)