source: server/other/bind/bind-config.xml@ a8d6ef3

Last change on this file since a8d6ef3 was a8d6ef3, checked in by Bruce Dubbs <bdubbs@…>, 17 years ago

More grammar

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@2243 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect2>
<title>Configuring
<application><acronym>BIND</acronym></application></title>

<sect3><title>Config files</title>
<para><filename>named.conf</filename>, <filename>root.hints</filename>,
<filename>127.0.0</filename>, <filename>rndc.conf</filename></para>
</sect3>

<sect3><title>Configuration Information</title>

<para>We will configure
<application><acronym>BIND</acronym></application> to run in a chroot
jail as an unprivileged user (named). This configuration is more secure
in that a <acronym>DNS</acronym> compromise can only affect a few files
in the named user's <envar>HOME</envar> directory.</para>

<para>First we create the unprivileged user and group named:</para>

<screen><userinput><command>groupadd named &amp;&amp;
useradd -m -g named -s /bin/false named</command></userinput></screen>

<para>Then we set up some files, directories and devices needed by
<application><acronym>BIND</acronym></application>:</para>

<screen><userinput><command>cd /home/named &amp;&amp;
mkdir -p dev etc/namedb/slave var/run &amp;&amp;
mknod /home/named/dev/null c 1 3 &amp;&amp;
mknod /home/named/dev/random c 1 8 &amp;&amp;
chmod 666 /home/named/dev/{null,random} &amp;&amp;
mkdir /home/named/etc/namedb/pz &amp;&amp;
cp /etc/localtime /home/named/etc</command></userinput></screen>

<para>Create the <filename>named.conf</filename> file from which named
will read the location of zone files, root name servers and secure
<acronym>DNS</acronym> keys:</para>

<screen><userinput><command>cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"</command>
 options {
 directory "/etc/namedb";
 pid-file "/var/run/named.pid";
 statistics-file "/var/run/named.stats";

 };
 controls {
 inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 key "rndc_key" {
 algorithm hmac-md5;
 secret "<replaceable>[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]</replaceable>";
 };
 zone "." {
 type hint;
 file "root.hints";
 };
 zone "0.0.127.in-addr.arpa" {
 type master;
 file "pz/127.0.0";
 };
<command>EOF</command></userinput></screen>

<para>Create a zone file with the following contents:</para>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"</command>
$TTL 3D
@ IN SOA ns.local.domain. hostmaster.local.domain. (
 1 ; Serial
 8H ; Refresh
 2H ; Retry
 4W ; Expire
 1D) ; Minimum TTL
 NS ns.local.domain.
1 PTR localhost.
<command>EOF</command></userinput></screen>

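<para>Inside the jail, <command>named</command> resolves the <filename>directory</filename> option and each zone file relative to the chroot root, not to the host filesystem, so <filename>/etc/namedb</filename> in <filename>named.conf</filename> must actually exist as <filename>/home/named/etc/namedb</filename>. The following Python script is an added example, not part of this book or of BIND, that builds a throwaway copy of the layout created above (without the device nodes, which need root) and reports every referenced file that is missing from the jail. Its regular expressions assume the one-statement-per-line style of the <filename>named.conf</filename> shown above, and the function names are chosen for the example.</para>

```python
"""Check that every file named.conf refers to exists inside the chroot jail.

Added example, not part of the BLFS book. named resolves the `directory`
option and each zone `file` relative to the chroot root, so a path that
looks right on the host must actually live under the jail directory.
The named.conf text below is constructed from the book's listing.
"""
import os
import re
import tempfile

# Constructed copy of the book's named.conf (key/controls statements omitted,
# they do not reference files).
NAMED_CONF = """\
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
};
zone "." {
    type hint;
    file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "pz/127.0.0";
};
"""

# One statement per line, as in the book; a full named.conf parser is out of scope.
DIRECTORY_RE = re.compile(r'^\s*directory\s+"([^"]+)"\s*;', re.M)
PIDFILE_RE = re.compile(r'^\s*pid-file\s+"([^"]+)"\s*;', re.M)
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\}', re.S)
FILE_RE = re.compile(r'file\s+"([^"]+)"\s*;')


def jail_path(jail, inner):
    """Map an absolute in-jail path such as /etc/namedb to its host path."""
    return os.path.join(jail, inner.lstrip("/"))


def zone_files(conf_text):
    """Return {zone name: file path exactly as written in named.conf}."""
    files = {}
    for zone in ZONE_RE.finditer(conf_text):
        found = FILE_RE.search(zone.group(2))
        if found:
            files[zone.group(1)] = found.group(1)
    return files


def check_jail(jail, conf_text):
    """Return a list of problems for the jail rooted at host path `jail`."""
    problems = []
    directory = DIRECTORY_RE.search(conf_text)
    if not directory:
        return ["options: no directory statement found"]
    workdir = jail_path(jail, directory.group(1))
    if not os.path.isdir(workdir):
        problems.append(f"directory {directory.group(1)!r} resolves to {workdir}, which is missing")
    for zone, path in zone_files(conf_text).items():
        # Absolute zone paths are relative to the jail, relative ones to `directory`.
        host = jail_path(jail, path) if path.startswith("/") else os.path.join(workdir, path)
        if not os.path.isfile(host):
            problems.append(f"zone {zone!r}: file {path!r} resolves to {host}, which is missing")
    pidfile = PIDFILE_RE.search(conf_text)
    if pidfile and not os.path.isdir(os.path.dirname(jail_path(jail, pidfile.group(1)))):
        problems.append(f"pid-file directory for {pidfile.group(1)!r} is missing inside the jail")
    return problems


def build_demo_jail(include_hints=True):
    """Constructed jail skeleton mirroring the book's mkdir/cat commands (no device nodes)."""
    jail = tempfile.mkdtemp(prefix="named-jail-")
    for sub in ("dev", "etc/namedb/slave", "etc/namedb/pz", "var/run"):
        os.makedirs(os.path.join(jail, sub))
    with open(os.path.join(jail, "etc/namedb/pz/127.0.0"), "w") as fh:
        fh.write("$TTL 3D\n")  # content is irrelevant to the path check
    if include_hints:
        open(os.path.join(jail, "etc/namedb/root.hints"), "w").close()
    return jail


if __name__ == "__main__":
    print("complete jail:", check_jail(build_demo_jail(), NAMED_CONF))
    print("root.hints missing:", check_jail(build_demo_jail(include_hints=False), NAMED_CONF))
```

Running the script on a real installation means calling <function>check_jail</function> with <filename>/home/named</filename> and the contents of <filename>/home/named/etc/named.conf</filename>; an empty result means every path in the configuration resolves to an existing file inside the jail.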
<para>Create the <filename>root.hints</filename> file with the following
commands:</para>

<note><para>Take care that no line in this file begins with a
space.</para></note>

<screen><userinput><command>cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"</command>
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
<command>EOF</command></userinput></screen>

<para>The <filename>root.hints</filename> file is a list of root name
servers. This file must be updated periodically with the
<command>dig</command> utility.
Consult the <application><acronym>BIND</acronym></application> 9 Administrator Reference Manual for
details.</para>
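<para>The following Python script is an added example, not part of this book or of BIND, that reads a <filename>root.hints</filename> file in the fixed five-field layout shown above (owner, TTL, class, type, data, all names absolute) and reports the mistakes that most often break a hand-maintained hints file: a line beginning with whitespace (the caution above), a relative name, a root NS entry with no matching A record, and an address that does not parse. The two sample texts are constructed excerpts of the listing above, one of them deliberately broken. Real master-file syntax also allows the TTL and class to be omitted or reordered; this checker does not handle that.</para>

```python
"""Sanity checks for a BIND root.hints file.

Added example, not part of the BLFS book. It handles only the
one-record-per-line layout the book uses (owner TTL class type rdata).
"""
import ipaddress


def parse_hints(text):
    """Return (records, problems); each record is (owner, ttl, class, type, rdata)."""
    records, problems = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split(";", 1)[0]  # drop master-file comments
        if not line.strip():
            continue
        if line[0].isspace():
            # In master-file syntax leading whitespace means "same owner as the
            # previous record", so the line is silently misparsed, not rejected.
            problems.append(f"line {lineno}: leading whitespace")
            continue
        fields = line.split()
        if len(fields) != 5:
            problems.append(f"line {lineno}: expected 5 fields, found {len(fields)}")
            continue
        owner, ttl, rclass, rtype, rdata = fields
        if rclass != "IN":
            problems.append(f"line {lineno}: class {rclass!r} is not IN")
        if not owner.endswith("."):
            problems.append(f"line {lineno}: owner {owner!r} is not an absolute name")
        if rtype == "NS" and not rdata.endswith("."):
            problems.append(f"line {lineno}: NS target {rdata!r} is not an absolute name")
        records.append((owner, ttl, rclass, rtype, rdata))
    return records, problems


def check_hints(text):
    """Cross-check the root NS entries against their A records; return all problems."""
    records, problems = parse_hints(text)
    ns_targets = {rdata for owner, _, _, rtype, rdata in records
                  if owner == "." and rtype == "NS"}
    glue = {}
    for owner, _, _, rtype, rdata in records:
        if rtype != "A":
            continue
        try:
            ipaddress.IPv4Address(rdata)
        except ValueError:
            problems.append(f"{owner}: {rdata!r} is not an IPv4 address")
            continue
        glue.setdefault(owner, set()).add(rdata)
    for name in sorted(ns_targets - set(glue)):
        problems.append(f"{name}: listed as a root NS but has no A record")
    for owner in sorted(set(glue) - ns_targets):
        problems.append(f"{owner}: A record for a name that is not a root NS")
    if not ns_targets:
        problems.append("no NS records for the root zone")
    return problems


# Constructed excerpt of the book's listing (first three servers).
GOOD_HINTS = """\
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
"""

# Constructed broken variant: a leading space on line 4 and a relative name on line 5.
BAD_HINTS = """\
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
 B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107
C.ROOT-SERVERS.NET 6D IN A 192.33.4.12
"""

if __name__ == "__main__":
    print("good:", check_hints(GOOD_HINTS))
    for problem in check_hints(BAD_HINTS):
        print("bad:", problem)
```

To check a real file, pass the contents of <filename>/home/named/etc/namedb/root.hints</filename> to <function>check_hints</function>; the same check is worth rerunning after each periodic update of the file.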

<para>Create the <filename>rndc.conf</filename> file with the following commands:</para>

<screen><userinput><command>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"</command>
key rndc_key {
algorithm "hmac-md5";
 secret
 "<replaceable>[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]</replaceable>";
 };
options {
 default-server localhost;
 default-key rndc_key;
};
<command>EOF</command></userinput></screen>

<para>The <filename>rndc.conf</filename> file contains information for
controlling named operations with the <command>rndc</command>
utility.</para>
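<para><command>rndc</command> authenticates to <command>named</command> with the shared secret declared in the key statement of both files, so the key name, algorithm and secret in <filename>/etc/rndc.conf</filename> must match those in <filename>named.conf</filename>; if they differ, named refuses the control connection. The following Python script is an added example, not part of this book or of BIND, that parses both files and reports any mismatch, flags a secret that is still the placeholder printed above, and shows one way to generate a fresh base64 secret. The two configuration texts in it are constructed from the listings above, and the function names are chosen for the example.</para>

```python
"""Consistency check for the rndc control key shared by named.conf and rndc.conf.

Added example, not part of the BLFS book. The configuration texts below are
constructed from the book's listings; new_secret() produces a random value
to replace the book's placeholder.
"""
import base64
import binascii
import re
import secrets

# The placeholder secret printed in the book; a live server must not still use it.
BOOK_PLACEHOLDER = "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K"

# key NAME { ... };  The name is quoted in named.conf and bare in rndc.conf.
KEY_RE = re.compile(r'\bkey\s+"?(?P<name>[\w.-]+)"?\s*\{(?P<body>.*?)\}', re.S)
FIELD_RE = re.compile(r'(?P<field>algorithm|secret)\s+"?(?P<value>[^";]+)"?\s*;')


def parse_keys(conf_text):
    """Map key name to {"algorithm": ..., "secret": ...} for each key statement."""
    keys = {}
    for match in KEY_RE.finditer(conf_text):
        keys[match.group("name")] = {
            f.group("field"): f.group("value").strip()
            for f in FIELD_RE.finditer(match.group("body"))
        }
    return keys


def check_rndc_key(named_conf, rndc_conf, key_name="rndc_key"):
    """Return the list of problems; an empty list means rndc will authenticate."""
    problems = []
    server_key = parse_keys(named_conf).get(key_name)
    client_key = parse_keys(rndc_conf).get(key_name)
    if server_key is None:
        problems.append(f"named.conf: no key statement named {key_name}")
    if client_key is None:
        problems.append(f"rndc.conf: no key statement named {key_name}")
    if server_key is None or client_key is None:
        return problems
    for field in ("algorithm", "secret"):
        if server_key.get(field) != client_key.get(field):
            problems.append(f"{field} differs: named.conf has {server_key.get(field)!r}, "
                            f"rndc.conf has {client_key.get(field)!r}")
    secret = server_key.get("secret", "").strip("[]")
    if secret == BOOK_PLACEHOLDER:
        problems.append("secret is still the book's placeholder value")
    else:
        try:
            base64.b64decode(secret, validate=True)
        except (binascii.Error, ValueError):
            problems.append("secret is not valid base64")
    return problems


def new_secret(nbytes=16):
    """Fresh random key material, base64-encoded as named expects."""
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


# Constructed from the book's listings; @SECRET@ is filled in by build_pair().
NAMED_CONF = """\
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
    algorithm hmac-md5;
    secret "@SECRET@";
};
"""

RNDC_CONF = """\
key rndc_key {
    algorithm "hmac-md5";
    secret
        "@SECRET@";
};
options {
    default-server localhost;
    default-key rndc_key;
};
"""


def build_pair(named_secret, rndc_secret=None):
    """Fill both templates; rndc_secret defaults to the same value as named_secret."""
    rndc_secret = named_secret if rndc_secret is None else rndc_secret
    return (NAMED_CONF.replace("@SECRET@", named_secret),
            RNDC_CONF.replace("@SECRET@", rndc_secret))


if __name__ == "__main__":
    fresh = new_secret()
    print("matching files:", check_rndc_key(*build_pair(fresh)))
    print("mismatched secret:", check_rndc_key(*build_pair(fresh, new_secret())))
    print("book placeholder:", check_rndc_key(*build_pair(f"[{BOOK_PLACEHOLDER}]")))
```

BIND also ships <command>rndc-confgen</command>, which generates a matching pair of key statements, and current releases accept stronger algorithms such as hmac-sha256 in place of hmac-md5; whichever way the key is produced, the placeholder value printed in this book must not be left in a running configuration.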

<para>Create or modify <filename>resolv.conf</filename> to use the new
name server with the following commands:</para>

<note><para>Replace yourdomain.com with your own valid domain
name.</para></note>

<screen><userinput><command>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"</command>
search yourdomain.com
nameserver 127.0.0.1
<command>EOF</command></userinput></screen>

<para>Set ownership of the chroot jail with the following
command:</para>

<screen><userinput><command>chown -R named.named /home/named</command></userinput></screen>

<para>To start the DNS server at boot, install the <filename>/etc/rc.d/init.d/bind</filename>
init script included in the <xref linkend="intro-important-bootscripts"/> package.</para>

<screen><userinput><command>make install-bind</command></userinput></screen>

<para>Now start <application><acronym>BIND</acronym></application> with
the new boot script:</para>

<screen><userinput><command>/etc/rc.d/init.d/bind start</command></userinput></screen>

</sect3>

<sect3><title>Testing <application><acronym>BIND</acronym></application></title>

<para>Test out the new
<application><acronym>BIND</acronym></application> 9 installation. First
query the local host address with <command>dig</command>:</para>

<screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen>

<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to the caching. Run the dig command
twice on the same name:</para>

<para><screen><userinput><command>dig beyond.linuxfromscratch.org &amp;&amp;
dig beyond.linuxfromscratch.org</command></userinput></screen>
The second lookup returns almost instantly because named has cached the answer.
Consult <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>,
the <application><acronym>BIND</acronym></application> Administrator
Reference Manual, for further configuration options.</para>

</sect3>

</sect2>