BIND hint

Patrick Kirk patrick at enterprise-hr.com
Thu Sep 6 13:59:42 PDT 2001


On Thu, Sep 06, 2001, Michenaud Laurent wrote:

>Hello,
>
>I've written the bind hint but I don't consider it as mine :)
>so you can add what you want in it and you can add yourself to the authors list.
>Don't forget to upgrade the version of the hint.
>
>Bye
>Laurent
>

Thanks Laurent.

Ian, I wonder if you'd add these 4 lines to the top of the named.conf
that Laurent made part of his hint.

// The IP Addresses we wish to provide DNS services for
// Bad idea to let just anyone start playing with this service.
// acl means Access Control List, zerezo.org is the family LAN 
acl zerezo.org { 192.168.0.0/24; 127.0.0.0/24; };


Also there's a small typing error.  Where it lists the DNS forwarders in
line 8(?) there's a comment "DNS of your ISP here".  Please put //
before the comment or else named bombs out loading the file.

Could you update the version number to 3-RC1 please?  Actually, I'll
just make the changes and attach the file.  

I've merged Laurent's and mine.  The vast majority is from Laurent and
I've carried on using his config files.  The main changes are:
1. Longer intro.  Cut if you think too long.
2. FHS compliance.  named is put in /usr/local and all the config files
in /etc/bind.  It took me ages to work out how to compile software to do
this so I'd like to put it in. ;-)
3. URL for named.root
4. When I messed up, I found /var/log/daemon.log to be of most help so
I've put it in.

My only concern is that neither Laurent nor myself has tested the
procedure.  Indeed I've not used rndc so I am not certain that
/etc/bind/rndc.conf is going to work but I'll try it out sometime next
week.  Otherwise, it looks straight-forward and I can only hope you guys
spot any silly mistakes.

Best regards,

Patrick


>PK> Hi,
>
>PK> I installed Bind, played about a bit and ended up writing a hint of my
>PK> own before realising that you had already done it.
>
>PK> Your hint is better than mine but I wonder if you would consider adding
>PK> tcp wrappers to ensure greater security?  I had thought of doing a
>PK> security hint but it's really much better if people secure their
>PK> applications when they first set them up rather than afterwards.
>PK> Because afterwards never comes... :-(
>
>PK> All it would take would be adding these 2 lines to the named.conf that
>PK> is on the hints site:
>
>PK> // The IP Addresses we wish to provide DNS services for
>PK> acl zerezo.org { 192.168.0.0/24; 127.0.0.0/24; };
>
>PK> I hope you don't mind my suggesting this.  It's only really important
>PK> for people with broadband connections but for them bind is the most
>PK> easily compromised service.
> 
>PK> Best regards,
>
>
>
>
>-- 
>Au revoir,
> Michenaud                            mailto:lmichenaud at free.fr

-- 

Patrick "a sig, a sig, my kingdom for a sig " Kirk

GSM: +44 7876 560 646
ICQ: 42219699
-------------- next part --------------
TITLE:		BIND
LFS VERSION:	3.0-RC1
AUTHOR:		Michenaud Laurent <lmichenaud at free.fr>
		Patrick Kirk <patrick at enterprise-hr.com>

SYNOPSIS:
	How to set up a simple DNS server with bind

HINT:
version 1.0 final
This hint explains how to set up BIND on your LFS system.
I am not a BIND specialist; what is written is what I
have understood. Don't hesitate to correct it if you
see mistakes or have optimisations.

The Domain Name System (DNS) is used by all TCP/IP Internet software to
translate the names that we humans like to use to the IP numbers
assigned to all the computers and devices out on the Internet and your
internal network.

Under most flavours of Unix, the most commonly used software package is
the Berkeley Internet Name Domain (BIND). This article will serve as an
introduction to obtaining, installing and configuring BIND under Linux,
and will include some pointers on where to go for more in-depth
information.

Be aware that some recent security vulnerabilities have been uncovered
in BIND, so be sure to get at least version 8.23. As of this writing,
the latest version is 9.1.1. BIND can be downloaded from the Internet
Software Consortium (ISC) at http://www.isc.org.

For the purposes of this article we'll use version 9.1.1, downloadable
from
ftp://ftp.isc.org/isc/bind9/9.1.1/bind-9.1.1.tar.gz

In general terms, DNS is a very simple service that takes names like
www.yahoo.com and matches them to the machines that serve up the web
pages, using dotted-quad numbers along the lines of 212.19.67.5.  Your ISP
provides this service for you using BIND.  If you have a single machine
connected to the Internet and wish to share that connection, running
BIND on the machine that shares the connection makes things faster and
easier.  From a security point of view, IP addresses like 192.168.0.n
and 10.n.n.n are non-routable (private address ranges that are not
forwarded across the Internet).  What this means is that the machines on
your LAN are much safer if you use these addresses.  If you don't,
sooner or later something like ShareSniffer will find a shared folder or
service inside your firewall and cause mischief.


------------------------------------------------
1) Installation of bind

To make the installation FHS compliant, we will install BIND into
/usr/local with its configuration files in /etc/bind.  This has the
advantage that if you want to back up all the configuration documents
for your system, you need only back up the /etc/ directory.  With
--prefix=/usr/local the named and rndc binaries end up in /usr/local/sbin,
and with --sysconfdir=/etc/bind they look for their configuration files
(named.conf and rndc.conf) in /etc/bind.

tar zxvf bind-9.1.3.tar.gz &&
cd bind-9.1.3 &&
./configure --prefix=/usr/local --sysconfdir=/etc/bind &&
make &&
make install &&
mkdir -p /etc/bind

The following configuration files are very simple. They allow you to have
a DNS server for your local network and to use the DNS server of your
ISP when you're connected to the Internet.  For security reasons, the
service is only provided to machines that are on your local network.

In this example:
  network address : 192.168.0.0
  domain name : zerezo.org
  machine host name : zarba
  machine ip : 192.168.0.51
  
---------------------------------------------------
2) The main configuration file: /etc/bind/named.conf

// Begin of file

// The IP Addresses we wish to provide DNS services for
// Bad idea to let just anyone start playing with this service.
// acl means Access Control List, zerezo.org is the family LAN
acl zerezo.org { 192.168.0.0/24; 127.0.0.0/24; };

// General options
options {
	auth-nxdomain yes;
	directory "/usr/local/sbin";
	// Declaring the acl above does nothing by itself: these two lines
	// make named answer queries, and recurse, only for the family LAN.
	allow-query { zerezo.org; };
	allow-recursion { zerezo.org; };
	forward first;
	forwarders {
		212.47.227.206;  // DNS of your ISP here
		212.47.227.207;
	};
};

// How to log
logging {
	channel warning
	{ 
		file "/var/log/dns_warnings" versions 3 size 100k;
		severity warning;
		print-category yes;
		print-severity yes;
		print-time yes;
	};
	channel general_dns
	{
		file "/var/log/dns_logs" versions 3 size 100k;
		severity info;
		print-category yes;
		print-severity yes;
		print-time yes;
	}; 
	category default { warning; } ;
	category queries { general_dns; } ;
}; 

// zone for access to Internet
zone "." {
	type hint;
	file "/etc/bind/named.ca";
};

// zone for access to localhost
zone "0.0.127.in-addr.arpa" {
	type master; 
	file "/etc/bind/named.local";
};

// zone for access to your domain
zone "zerezo.org" in {
	type master;
	notify no;
	file "/etc/bind/zerezo.org";
};

// zone for access to your domain using ip
zone "0.168.192.in-addr.arpa" in {
	type master;
	notify no;
	file "/etc/bind/db.192.168.0";
};

// End of file


------------------------------------
3) Configuration files for each zone

There is a configuration file for each zone defined in named.conf.
These files are in /etc/bind; you have to create this directory.
Note that inside a zone file a comment starts with ';' (the '//' style
is only valid in named.conf); the '// Begin of file' and '// End of file'
markers below are not part of the files themselves.
	
	a) /etc/bind/named.ca

This file is used when you are connected to the Internet.
The up-to-date version can be downloaded from ftp://ftp.rs.internic.net,
where it is called named.root.

If you do download it, remember to rename it named.ca when you put
it in /etc/bind.

// Begin of file
;       This file holds the details on root name servers needed to
;       initialize cache of Internet domain name servers
;       (e.g. reference this file in the "cache  .  <file>"
;       configuration file of BIND domain name servers).
;
;       This file is made available by InterNIC registration services
;       under anonymous FTP as
;           file                /domain/named.root
;           on server           FTP.RS.INTERNIC.NET
;       -OR- under Gopher at    RS.INTERNIC.NET
;           under menu          InterNIC Registration Services (NSI)
;              submenu          InterNIC Registration Archives
;           file                named.root
;
;       last update:    Aug 22, 1997
;       related version of root zone:   1997082200
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; temporarily housed at NSI (InterNIC)
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     198.41.0.10
;
; housed in LINX, operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; temporarily housed at ISI (IANA)
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in Japan, operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33

// End of File


	b) /etc/bind/named.local
	
You must have a mail alias postmaster that points to the user root
or to another user.
	
// Begin of file
$TTL    604800
@	IN	SOA	zarba.zerezo.org. postmaster.zarba.zerezo.org. (
			1999112002 ;
			28800 ;
			14400 ;
			604800 ;
			86400 );
		NS	zarba.zerezo.org.
1	PTR	localhost. ;
// End of file


	c) /etc/bind/zerezo.org
	
// Begin of file
$TTL    604800
@	IN	SOA	zarba.zerezo.org. postmaster.zarba.zerezo.org. (
			1999112002 ;  serial number
			28800 ;       refresh
			14400 ;       retry
			604800 ;      expire
			86400 );      minimum TTL

; NS = name server
@	IN	NS	zarba
@	IN	NS	zarba.zerezo.org.

; MX = mail server, the number is the priority
@	IN	MX	10 zarba
@	IN	MX	20 zarba.zerezo.org.

; local DNS server
@	IN A	127.0.0.1
@	IN A	192.168.0.51

; IP of the server
localhost	IN A	127.0.0.1
zarba		IN A	192.168.0.51

; IP of the other machines on the network
karine	IN A	192.168.0.52
yaf	IN A	192.168.0.7

; aliases
www	IN CNAME	zarba
ftp	IN CNAME	zarba
mail	IN CNAME	zarba

// End of file


	d) /etc/bind/db.192.168.0

// Begin of file
$TTL    604800
@	IN	SOA	zarba.zerezo.org. postmaster.zarba.zerezo.org. (
			1999112002 ; serial number
			28800 ;	     refresh
			14400 ;	     retry
			604800 ;     expire
			86400 );    minimum TTL

; nameserver
	IN	NS	zarba.zerezo.org.

; reverse IP addresses: the owner is the last octet of each machine's address
51	IN	PTR	zarba.zerezo.org.
52	IN	PTR	karine.zerezo.org.
7	IN	PTR	yaf.zerezo.org.

// End of file
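A small consistency check between the forward zone (3c) and the reverse zone (3d), added here as an example and not part of the hint. It reads only the record shapes used above (';' comments, $TTL, a multi-line SOA, and A/PTR records with an optional class) and reports every PTR whose owner address does not match the target host's A record; the sample zones are constructed from the hint's own data.

```python
def parse_records(zone_text, origin):
    """Return (owner_fqdn, rtype, rdata) for every A and PTR line of a zone file."""
    records, last_owner = [], "@"
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].rstrip()        # ';' starts a zone-file comment
        if not line.strip() or line.startswith("$"):
            continue                                # blank line or $TTL/$ORIGIN
        fields = line.split()
        owner = last_owner if raw[0] in " \t" else fields.pop(0)
        last_owner = owner                          # blank owner field = previous owner
        if fields and fields[0] == "IN":
            fields.pop(0)                           # class is optional, drop it
        if len(fields) < 2 or fields[0] not in ("A", "PTR"):
            continue                                # SOA/NS/MX/CNAME and SOA continuation lines
        name = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        records.append((name, fields[0], fields[1]))  # owner made fully qualified
    return records

def check_reverse(forward_text, forward_origin, reverse_text, reverse_origin):
    """List PTR records whose target has no A record for the address they claim."""
    a_records = {}
    for name, rtype, addr in parse_records(forward_text, forward_origin):
        if rtype == "A":
            a_records.setdefault(name, set()).add(addr)
    problems = []
    for name, rtype, target in parse_records(reverse_text, reverse_origin):
        if rtype == "PTR":
            octets = name[: -len(".in-addr.arpa.")].split(".")   # "51.0.168.192"
            ip = ".".join(reversed(octets))                       # "192.168.0.51"
            if ip not in a_records.get(target, set()):
                problems.append(f"{ip} -> {target}: no A record for that address")
    return problems

# Constructed sample input modelled on sections 3c and 3d of the hint.
FORWARD = """$TTL 604800
@       IN SOA zarba.zerezo.org. postmaster.zarba.zerezo.org. (
        1999112002 ; serial
        86400 )    ; minimum TTL
zarba   IN A  192.168.0.51
karine  IN A  192.168.0.52
yaf     IN A  192.168.0.7
"""
REVERSE = """        IN NS  zarba.zerezo.org.
1       IN PTR zarba.zerezo.org.
2       IN PTR karine.zerezo.org.
3       IN PTR yaf.zerezo.org.
"""

if __name__ == "__main__":
    for p in check_reverse(FORWARD, "zerezo.org.", REVERSE, "0.168.192.in-addr.arpa."):
        print(p)
```

Run against the reverse zone as originally printed (owners 1, 2, 3) it flags all three hosts; with owners 51, 52 and 7 it reports nothing.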
	

------------------------
4) rndc configuration

rndc is used to administer BIND. Its development is not
finished, but I prefer to put it in this hint rather than
the obsolete nslookup utility.
	
	a) Creation of a key

You have to generate a key so rndc can communicate with bind (the key
authenticates rndc's commands):
dnssec-keygen -a hmac-md5 -b 128 -n user rndc

It will create two files. Take the value of the key from the .key one;
the same secret goes into both rndc.conf and named.conf below.


	b) /etc/bind/rndc.conf

Create the file and replace the secret with the key you just generated.

// Begin of file
options {
        default-server  localhost;
        default-key     rndc_key;
};

server localhost {
        key     rndc_key;
};

key rndc_key {
        algorithm hmac-md5;
        secret "Xd3zz2FgxvkML4V/BlVG8Q==";
};
// End of file


	c) Edit /etc/bind/named.conf again and add the following lines
	   (the secret must be the same one you put in rndc.conf):

key rndc_key {
        algorithm       hmac-md5;
        secret          "Xd3zz2FgxvkML4V/BlVG8Q==";
};

controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};


--------------------
5) /etc/init.d/named

	a) Here is the boot script

#!/bin/sh
# Begin /etc/init.d/named
#
# Include the functions declared in the /etc/init.d/functions file
#

source /etc/init.d/functions

# named and rndc were installed under /usr/local (see section 1)

case "$1" in
        start)
                echo -n "Starting DNS server..."
                loadproc /usr/local/sbin/named
                ;;

        stop)
                echo -n "Stopping DNS server..."
                /usr/local/sbin/rndc stop
                evaluate_retval
                ;;

        reload)
                echo -n "Reloading DNS server..."
                /usr/local/sbin/rndc reload
                evaluate_retval
                ;;

        restart)
                $0 stop
                sleep 1
                $0 start
                ;;

        status)
                /usr/local/sbin/rndc status
                evaluate_retval
                ;;

        *)
                echo "Usage: $0 {start|stop|reload|restart|status}"
                exit 1
                ;;

esac

# End /etc/init.d/named


	b) Create the links

	cd /etc/rc0.d
	ln -s ../init.d/named K600named
	cd /etc/rc1.d
	ln -s ../init.d/named K600named
	cd /etc/rc6.d
	ln -s ../init.d/named K600named
	cd /etc/rc3.d
	ln -s ../init.d/named S300named
	cd /etc/rc5.d
	ln -s ../init.d/named S300named


--------------------------
6) Edit /etc/resolv.conf so it uses your DNS server

search zerezo.org
nameserver 127.0.0.1
nameserver 192.168.0.51


--------------------------
7) Test your configuration

Some tests:
	dig -x 127.0.0.1

	if you have an ftp server:
		ftp ftp.zerezo.org
		ftp zarba.zerezo.org

	if you have apache, launch your browser and use as URL:
		http://www.zerezo.org
		http://zarba.zerezo.org

	If you have problems, look at the logs /var/log/dns* and
	/var/log/daemon.log
	