Context Navigation

bind-config.xml@ 5628618e

Visit:

10.0 10.1 11.0 11.1 11.2 11.3 12.0 12.1 6.0 6.1 6.2 6.2.0 6.2.0-rc1 6.2.0-rc2 6.3 6.3-rc1 6.3-rc2 6.3-rc3 7.10 7.4 7.5 7.6 7.6-blfs 7.6-systemd 7.7 7.8 7.9 8.0 8.1 8.2 8.3 8.4 9.0 9.1 basic bdubbs/svn elogind gnome kde5-13430 kde5-14269 kde5-14686 kea ken/TL2024 ken/inkscape-core-mods ken/tuningfonts krejzi/svn lazarus lxqt nosym perl-modules plabs/newcss plabs/python-mods python3.11 qt5new rahul/power-profiles-daemon renodr/vulkan-addition systemd-11177 systemd-13485 trunk upgradedb v1_0 v5_0 v5_0-pre1 v5_1 v5_1-pre1 xry111/intltool xry111/llvm18 xry111/soup3 xry111/test-20220226 xry111/xf86-video-removal

Last change on this file since 5628618e was 5628618e, checked in by Larry Lawrence <larry@…>, 21 years ago

spellcheck pass

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@832 af4574ff-66df-0310-9fd7-8a98e5e911e0

Property mode set to 100644

File size: 7.2 KB

Line
1	<sect2>
2	<title>Configuring BIND</title>
3	<para>We will configure BIND to run in a chroot jail as an unprivileged
4	user(named). This configuration is more secure in that a DNS
5	compromise can only affect a few files in the named user's $HOME
6	directory </para>
7
8	<para>First we set up some files and directories needed by
9	BIND:</para>
10	<para><screen><userinput>groupadd -g 200 named &&
11	useradd -m -g named -u 200 -s /bin/false named &&
12	cd /home/named &&
13	mkdir -p dev etc/namedb/slave var/run &&
14	mknod /home/named/dev/null c 1 3 &&
15	mknod /home/named/dev/random c 1 8 &&
16	chmod 666 /home/named/dev/{null,random} &&
17	mkdir /home/named/etc/namedb/pz &&
18	cp /etc/localtime /home/named/etc</userinput></screen></para>
19
20	<sect3><title>Config files</title>
21	<para><userinput>named.conf</userinput>,
22	<userinput>root.hints</userinput>, <userinput>127.0.0</userinput> and
23	<userinput>rndc.conf</userinput></para>
24
25	<para>Create the named.conf file with the following commands:</para>
26	<para><screen><userinput>cat > /home/named/etc/named.conf << "EOF"</userinput>
27	options {
28	directory "/etc/namedb";
29	pid-file "/var/run/named.pid";
30	statistics-file "/var/run/named.stats";
31
32	};
33	controls {
34	inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
35	};
36	key "rndc_key" {
37	algorithm hmac-md5;
38	secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
39	};
40	zone "." {
41	type hint;
42	file "root.hints";
43	};
44	zone "0.0.127.in-addr.arpa" {
45	type master;
46	file "pz/127.0.0";
47	};
48	<userinput>EOF</userinput></screen></para>
49	<para>Create a zone file with the following contents: </para>
50	<para><screen><userinput>cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"</userinput>
51	$TTL 3D
52	@ IN SOA ns.local.domain. hostmaster.local.domain. (
53	1 ; Serial
54	8H ; Refresh
55	2H ; Retry
56	4W ; Expire
57	1D) ; Minimum TTL
58	NS ns.local.domain.
59	1 PTR localhost.
60	<userinput>EOF</userinput></screen></para>
61
62	<para>Create the root.hints file with the following commands: </para>
63	<note><para>Caution must be used to insure no leading spaces in this
64	file.</para></note>
65	<para><screen><userinput>cat > /home/named/etc/namedb/root.hints << "EOF"</userinput>
66	. 6D IN NS A.ROOT-SERVERS.NET.
67	. 6D IN NS B.ROOT-SERVERS.NET.
68	. 6D IN NS C.ROOT-SERVERS.NET.
69	. 6D IN NS D.ROOT-SERVERS.NET.
70	. 6D IN NS E.ROOT-SERVERS.NET.
71	. 6D IN NS F.ROOT-SERVERS.NET.
72	. 6D IN NS G.ROOT-SERVERS.NET.
73	. 6D IN NS H.ROOT-SERVERS.NET.
74	. 6D IN NS I.ROOT-SERVERS.NET.
75	. 6D IN NS J.ROOT-SERVERS.NET.
76	. 6D IN NS K.ROOT-SERVERS.NET.
77	. 6D IN NS L.ROOT-SERVERS.NET.
78	. 6D IN NS M.ROOT-SERVERS.NET.
79	A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
80	B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107
81	C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
82	D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
83	E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
84	F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
85	G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
86	H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
87	I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
88	J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
89	K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
90	L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12
91	M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
92	<userinput>EOF</userinput></screen></para>
93
94	<para>Create the rndc.conf with the following commands:</para>
95	<para><screen><userinput>cat > /etc/rndc.conf << "EOF"</userinput>
96	key rndc_key {
97	algorithm "hmac-md5";
98	secret
99	"c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
100	};
101	options {
102	default-server localhost;
103	default-key rndc_key;
104	};
105	<userinput>EOF</userinput></screen></para>
106
107	<para>Create or modify resolv.conf to use the new name server with the
108	following commands: </para>
109	<note><para>Replace yourdomain.com with your own valid domain
110	name.</para></note>
111
112	<para><screen><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &&
113	cat > /etc/resolv.conf << "EOF"</userinput>
114	search yourdomain.com
115	nameserver 127.0.0.1
116	<userinput>EOF</userinput></screen></para>
117
118	<para>Set permissions on the chroot jail with the following
119	command:</para>
120	<para><screen><userinput>chown -R named.named /home/named</userinput></screen></para>
121
122	<para>Create the BIND boot script:</para>
123	<para><screen><userinput>cat > /etc/rc.d/init.d/bind << "EOF"</userinput>
124	#!/bin/bash
125	# Begin $rc_base/init.d/bind
126	# Based on sysklogd script from LFS-3.1 and earlier.
127	# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
128	source /etc/sysconfig/rc
129	source $rc_functions
130	case "$1" in
131	start)
132	echo "Starting named..."
133	loadproc /usr/sbin/named -u named -t /home/named -c \
134	/etc/named.conf
135	;;
136	stop)
137	echo "Stopping named..."
138	killproc /usr/sbin/named
139	;;
140	restart)
141	$0 stop
142	sleep 1
143	$0 start
144	;;
145	reload)
146	echo "Reloading named..."
147	/usr/sbin/rndc -c /etc/rndc.conf reload
148	;;
149
150	status)
151	statusproc /usr/sbin/named
152	;;
153	*)
154	echo "Usage: $0 {start\|stop\|restart\|status}"
155	exit 1
156	;;
157	esac
158	# End $rc_base/init.d/bind
159	<userinput>EOF</userinput></screen></para>
160
161	<para>Add the run level symlinks:</para>
162	<para><screen><userinput>chmod 754 /etc/rc.d/init.d/bind &&
163	ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind &&
164	ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind &&
165	ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K49bind &&
166	ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind &&
167	ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind &&
168	ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind &&
169	ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind</userinput></screen></para>
170
171	<para>Now start BIND with the new boot script: </para>
172	<para><screen><userinput>/etc/rc.d/init.d/bind start</userinput></screen></para></sect3>
173
174	<sect3><title>Testing BIND</title>
175	<para>Test out the new BIND 9 installation. First query the local
176	host address with dig:</para>
177	<para><screen><userinput>dig -x 127.0.0.1</userinput></screen></para>
178	<para>Now try an external name lookup, taking note of the speed
179	difference in repeated lookups due to the caching. Run the dig
180	command twice on the same address:</para>
181	<para><screen><userinput>dig beyond.linuxfromscratch.org &&
182	dig beyond.linuxfromscratch.org</userinput></screen>
183	You can see almost instantaneous results with the named caching
184	lookups. Consult bind-&bind-version;/doc/arm/Bv9ARM.html, the BIND
185	Administrator Reference Manual for further configuration options.
186	</para></sect3>
187	</sect2>
188

Note: See TracBrowser for help on using the repository browser.

Context Navigation

source: server/other/bind/bind-config.xml@ 5628618e

Download in other formats: