source: server/other/bind/bind-config.xml@ a4be499

Last change on this file since a4be499 was a4be499, checked in by Larry Lawrence <larry@…>, 21 years ago

spelling and grammar

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1292 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect2>
<title>Configuring
<application><acronym>BIND</acronym></application></title>

<sect3><title>Config files</title>
<para><filename>named.conf</filename>, <filename>root.hints</filename>,
<filename>127.0.0</filename>, <filename>rndc.conf</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<para>We will configure
<application><acronym>BIND</acronym></application> to run in a chroot
jail as an unprivileged user (named). This configuration is more secure
in that a <acronym>DNS</acronym> compromise can only affect a few files
in the named user's <envar>HOME</envar> directory.</para>

<para>First we create the unprivileged user and group named:</para>

<screen><userinput><command>groupadd -g 200 named &amp;&amp;
useradd -m -g named -u 200 -s /bin/false named</command></userinput></screen>

<para>Then we set up some files, directories and devices needed by
<application><acronym>BIND</acronym></application>:</para>

<screen><userinput><command>cd /home/named &amp;&amp;
mkdir -p dev etc/namedb/slave var/run &amp;&amp;
mknod /home/named/dev/null c 1 3 &amp;&amp;
mknod /home/named/dev/random c 1 8 &amp;&amp;
chmod 666 /home/named/dev/{null,random} &amp;&amp;
mkdir /home/named/etc/namedb/pz &amp;&amp;
cp /etc/localtime /home/named/etc</command></userinput></screen>
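<para>The point of the jail is that named, once confined, finds nothing inside it
beyond the directories, device nodes and zone data it needs. The script below is
an added example and is not part of the BLFS book: it builds the same skeleton
under a base directory passed as the first argument (the book uses
<filename>/home/named</filename>) and then audits it for executables,
setuid/setgid files and world-writable files. Device nodes are created only when
the script runs as root; the directory list and the audit rules are this
example's own choices.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book. Build the named chroot skeleton under
# $1 and audit it. The directory list mirrors the book's mkdir commands; the
# audit rules (no executables, no setuid/setgid, no world-writable files) are
# this example's own choice of what a jail for an unprivileged daemon should not
# contain.

JAIL_DIRS="dev etc/namedb/slave etc/namedb/pz var/run"

# Create the directory tree, copy the timezone data, and (as root only) the two
# device nodes the book creates with mknod.
build_named_jail() {
    base=$1
    for d in $JAIL_DIRS; do
        mkdir -p "$base/$d"
    done
    # named reads the zone info from the jail, so the book copies localtime in
    [ -e /etc/localtime ] && cp /etc/localtime "$base/etc/localtime"
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$base/dev/null" ]   || mknod "$base/dev/null" c 1 3
        [ -c "$base/dev/random" ] || mknod "$base/dev/random" c 1 8
        chmod 666 "$base/dev/null" "$base/dev/random"
    fi
}

# Print one line per problem found; return 1 if there were any, 0 otherwise.
audit_named_jail() {
    base=$1
    rc=0
    for d in $JAIL_DIRS; do
        [ -d "$base/$d" ] || { echo "missing directory: $d"; rc=1; }
    done
    # Regular files with any execute bit, or the setuid/setgid bit, set
    found=$(find "$base" -type f \( -perm -4000 -o -perm -2000 -o -perm -111 \))
    [ -z "$found" ] || { echo "executable or setuid files in jail:"; echo "$found"; rc=1; }
    # World-writable regular files (device nodes are not -type f, so they are skipped)
    found=$(find "$base" -type f -perm -2)
    [ -z "$found" ] || { echo "world-writable files in jail:"; echo "$found"; rc=1; }
    return $rc
}

# Demonstration on a temporary directory; constructed, not a real install.
jail=$(mktemp -d)
build_named_jail "$jail"
audit_named_jail "$jail" && echo "jail at $jail passes the audit"
rm -rf "$jail"
```

<para>Run it again after every change to the jail (new zone files, a rebuilt
<filename>root.hints</filename>) and treat any report from
<command>audit_named_jail</command> as a configuration error to fix before
restarting named.</para>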

<para>Create the <filename>named.conf</filename> file from which named
will read the location of zone files, root name servers and secure
<acronym>DNS</acronym> keys:</para>

<screen><userinput><command>cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"</command>
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};
<command>EOF</command></userinput></screen>

<para>Create a zone file with the following contents:</para>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"</command>
$TTL 3D
@       IN SOA  ns.local.domain. hostmaster.local.domain. (
                1       ; Serial
                8H      ; Refresh
                2H      ; Retry
                4W      ; Expire
                1D)     ; Minimum TTL
        NS      ns.local.domain.
1       PTR     localhost.
<command>EOF</command></userinput></screen>

<para>Create the <filename>root.hints</filename> file with the following
commands:</para>

<note><para>Caution must be used to ensure there are no leading spaces in this
file.</para></note>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"</command>
.                       6D IN NS A.ROOT-SERVERS.NET.
.                       6D IN NS B.ROOT-SERVERS.NET.
.                       6D IN NS C.ROOT-SERVERS.NET.
.                       6D IN NS D.ROOT-SERVERS.NET.
.                       6D IN NS E.ROOT-SERVERS.NET.
.                       6D IN NS F.ROOT-SERVERS.NET.
.                       6D IN NS G.ROOT-SERVERS.NET.
.                       6D IN NS H.ROOT-SERVERS.NET.
.                       6D IN NS I.ROOT-SERVERS.NET.
.                       6D IN NS J.ROOT-SERVERS.NET.
.                       6D IN NS K.ROOT-SERVERS.NET.
.                       6D IN NS L.ROOT-SERVERS.NET.
.                       6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D IN A  198.41.0.4
B.ROOT-SERVERS.NET.     6D IN A  128.9.0.107
C.ROOT-SERVERS.NET.     6D IN A  192.33.4.12
D.ROOT-SERVERS.NET.     6D IN A  128.8.10.90
E.ROOT-SERVERS.NET.     6D IN A  192.203.230.10
F.ROOT-SERVERS.NET.     6D IN A  192.5.5.241
G.ROOT-SERVERS.NET.     6D IN A  192.112.36.4
H.ROOT-SERVERS.NET.     6D IN A  128.63.2.53
I.ROOT-SERVERS.NET.     6D IN A  192.36.148.17
J.ROOT-SERVERS.NET.     6D IN A  192.58.128.30
K.ROOT-SERVERS.NET.     6D IN A  193.0.14.129
L.ROOT-SERVERS.NET.     6D IN A  198.32.64.12
M.ROOT-SERVERS.NET.     6D IN A  202.12.27.33
<command>EOF</command></userinput></screen>

<para>The <filename>root.hints</filename> file is a list of root name
servers. This file must be updated periodically with the
<command>dig</command> utility.
Consult the <application><acronym>BIND</acronym></application> 9 Administrator Reference Manual for
details.</para>
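<para>Because <filename>root.hints</filename> is hand-edited and periodically
regenerated, it is worth checking before named loads it. The script below is an
added example, not part of the BLFS book: it enforces the caution above about
leading whitespace and additionally checks that every record has the five-field
"owner TTL IN type rdata" shape, that the class is IN, and that every root NS
named in the file also has an A record (glue). The two sample files it writes are
constructed for the demonstration; the address lines are taken from the book's
list above, and the file names are the example's own.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: sanity-check a root.hints file.
# Exit status 0 means clean; otherwise one diagnostic line per problem.

check_root_hints() {
    awk '
        BEGIN { bad = 0 }
        /^[ \t]+/ { printf "line %d: leading whitespace\n", NR; bad = 1 }
        /^[ \t]*$/ || /^;/ { next }                  # blank lines and comments
        NF != 5 { printf "line %d: expected 5 fields, got %d\n", NR, NF; bad = 1; next }
        $3 != "IN" { printf "line %d: class %s is not IN\n", NR, $3; bad = 1 }
        $1 == "." && $4 == "NS" { ns[$5] = NR }     # root NS names -> line seen on
        $4 == "A" { glue[$1] = 1 }                  # names that carry an address
        END {
            for (n in ns) if (!(n in glue)) {
                printf "line %d: %s has no A record\n", ns[n], n; bad = 1
            }
            exit bad
        }' "$1"
}

# Constructed sample: two root servers from the book, correctly formed.
write_sample_hints() {
    cat > "$1" <<'EOF'
; constructed sample, not a complete hints file
.                       6D IN NS A.ROOT-SERVERS.NET.
.                       6D IN NS B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D IN A  198.41.0.4
B.ROOT-SERVERS.NET.     6D IN A  128.9.0.107
EOF
}

# Constructed broken sample: a leading space on line 2 and no glue for B.
write_broken_hints() {
    cat > "$1" <<'EOF'
.                       6D IN NS A.ROOT-SERVERS.NET.
 .                      6D IN NS B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D IN A  198.41.0.4
EOF
}

# Demonstration on temporary files.
tmp=$(mktemp -d)
write_sample_hints "$tmp/root.hints"
check_root_hints "$tmp/root.hints" && echo "root.hints: OK"
write_broken_hints "$tmp/root.hints.bad"
check_root_hints "$tmp/root.hints.bad" || echo "root.hints.bad: problems found"
rm -rf "$tmp"
```

<para>Run <command>check_root_hints</command> against the real file after each
refresh with <command>dig</command>; a missing glue record or a stray space is
far cheaper to catch here than in named's log after a restart.</para>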

<para>Create the <filename>rndc.conf</filename> with the following commands:</para>

<screen><userinput><command>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"</command>
key rndc_key {
    algorithm "hmac-md5";
    secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
    default-server localhost;
    default-key rndc_key;
};
<command>EOF</command></userinput></screen>

<para>The <filename>rndc.conf</filename> file contains information for
controlling named operations with the <command>rndc</command>
utility.</para>
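<para>The shared secret in <filename>named.conf</filename> and
<filename>rndc.conf</filename> is what authorises <command>rndc</command> to
control named, and the value printed in this book is a published sample that
every reader sees. The script below is an added example, not part of the BLFS
book: it generates a fresh random secret, writes the matching
<literal>controls</literal>/<literal>key</literal> fragment for
<filename>named.conf</filename> and a complete <filename>rndc.conf</filename>
side by side under a directory given as the first argument (a layout chosen for
the example, not the book's paths), and then verifies that the two secrets agree,
that the sample secret is no longer in use, and that
<filename>rndc.conf</filename> is readable only by its owner. It keeps the book's
<literal>hmac-md5</literal> algorithm for consistency; current BIND releases
default to <literal>hmac-sha256</literal>.</para>

```shell
#!/bin/sh
# Added example, not from the BLFS book: generate an rndc secret and write
# matching key stanzas, then check the pair. The directory layout ($1 holding
# both files) is this example's assumption.

# The sample secret printed in the book; it must not survive into a real install.
BOOK_SAMPLE_SECRET="c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"

# 32 random bytes, base64-encoded on one line.
gen_rndc_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# Write $1/rndc.conf and the controls/key fragment $1/named.conf with one fresh
# secret. The umask runs in a subshell so both files are created mode 600.
write_rndc_pair() {
    dir=$1
    secret=$(gen_rndc_secret)
    (
        umask 077
        cat > "$dir/rndc.conf" <<EOF
key "rndc_key" {
    algorithm hmac-md5;
    secret "$secret";
};
options {
    default-server localhost;
    default-key rndc_key;
};
EOF
        # Only the statements that concern rndc; zones and options are elsewhere.
        cat > "$dir/named.conf" <<EOF
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "$secret";
};
EOF
    )
}

# Print the first secret found in a key stanza (keyword and value on one line).
secret_of() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Return 0 when both files carry the same non-empty secret, it is not the
# book's sample, and rndc.conf is mode 600; otherwise explain and return 1.
check_rndc_pair() {
    dir=$1
    s1=$(secret_of "$dir/named.conf")
    s2=$(secret_of "$dir/rndc.conf")
    [ -n "$s1" ] || { echo "named.conf: no secret found"; return 1; }
    [ "$s1" = "$s2" ] || { echo "secret mismatch between named.conf and rndc.conf"; return 1; }
    [ "$s1" != "$BOOK_SAMPLE_SECRET" ] || { echo "the published sample secret is still in use"; return 1; }
    mode=$(ls -l "$dir/rndc.conf" | cut -c1-10)
    [ "$mode" = "-rw-------" ] || { echo "rndc.conf permissions are $mode, expected -rw-------"; return 1; }
    return 0
}

# Demonstration on a temporary directory.
d=$(mktemp -d)
write_rndc_pair "$d"
check_rndc_pair "$d" && echo "rndc key pair in $d is consistent"
rm -rf "$d"
```

<para>Anyone who can read <filename>rndc.conf</filename> can stop or reload the
server, so the permission check matters as much as the secret itself; the
<literal>controls</literal> statement also limits who may connect to
127.0.0.1 and the <literal>localhost</literal> ACL.</para>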

<para>Create or modify <filename>resolv.conf</filename> to use the new
name server with the following commands:</para>

<note><para>Replace yourdomain.com with your own valid domain
name.</para></note>

<screen><userinput><command>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"</command>
search yourdomain.com
nameserver 127.0.0.1
<command>EOF</command></userinput></screen>

<para>Set permissions on the chroot jail with the following
command:</para>

<screen><userinput><command>chown -R named.named /home/named</command></userinput></screen>

<para>Create the <application><acronym>BIND</acronym></application>
boot script:</para>

<screen><userinput><command>cat &gt; /etc/rc.d/init.d/bind &lt;&lt; "EOF"</command>
#!/bin/bash
# Begin $rc_base/init.d/bind
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org
source /etc/sysconfig/rc
source $rc_functions
case "$1" in
    start)
        echo "Starting named..."
        loadproc /usr/sbin/named -u named -t /home/named -c \
            /etc/named.conf
        ;;
    stop)
        echo "Stopping named..."
        killproc /usr/sbin/named
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    reload)
        echo "Reloading named..."
        /usr/sbin/rndc -c /etc/rndc.conf reload
        ;;
    status)
        statusproc /usr/sbin/named
        ;;
    *)
        echo "Usage: $0 {start|stop|restart|reload|status}"
        exit 1
        ;;
esac
# End $rc_base/init.d/bind
<command>EOF</command></userinput></screen>

<para>Add the run level symlinks:</para>

<screen><userinput><command>chmod 754 /etc/rc.d/init.d/bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K49bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind</command></userinput></screen>

<para>Now start <application><acronym>BIND</acronym></application> with
the new boot script:</para>

<screen><userinput><command>/etc/rc.d/init.d/bind start</command></userinput></screen>

</sect3>

<sect3><title>Testing <application><acronym>BIND</acronym></application></title>

<para>Test out the new
<application><acronym>BIND</acronym></application> 9 installation. First
query the local host address with <command>dig</command>:</para>

<screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen>

<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to the caching. Run the dig command
twice on the same address:</para>

<para><screen><userinput><command>dig beyond.linuxfromscratch.org &amp;&amp;
dig beyond.linuxfromscratch.org</command></userinput></screen>
You can see almost instantaneous results with the named caching lookups.
Consult <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>,
the <application><acronym>BIND</acronym></application> Administrator
Reference Manual, for further configuration options.</para>

</sect3>

</sect2>