source: server/other/bind/bind-config.xml@ d815ae3

Last change on this file since d815ae3 was d815ae3, checked in by Larry Lawrence <larry@…>, 22 years ago

added bind symlinks to appendix

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@308 af4574ff-66df-0310-9fd7-8a98e5e911e0

<sect2>
<title>Configuring BIND</title>
<para>We will configure BIND to run in a chroot jail as the unprivileged
user named. This is more secure because a compromise of the name server is
confined to the files inside the jail (the named user's home directory) and
to that user's privileges rather than the whole system. The jail limits what
a compromised named can read or write on disk; it does not limit network
access, so the configuration below also restricts who may control the
server.</para>

<para>First we set up some files and directories needed by
BIND:</para>
<para><screen><userinput>
groupadd -g 200 named &amp;&amp;
useradd -m -g named -u 200 -s /bin/false named &amp;&amp;
cd /home/named &amp;&amp;
mkdir -p dev etc/namedb/slave etc/namedb/pz var/run &amp;&amp;
mknod /home/named/dev/null c 1 3 &amp;&amp;
mknod /home/named/dev/random c 1 8 &amp;&amp;
chmod 666 /home/named/dev/{null,random} &amp;&amp;
cp /etc/localtime /home/named/etc
</userinput></screen></para>

<sect3><title>Config files</title>
<para><userinput>named.conf, root.hints, 127.0.0, rndc.conf
</userinput></para>

<para>Create the named.conf file with the following commands. All paths in
this file are interpreted relative to the jail, because named will be started
with <userinput>-t /home/named</userinput>. The <userinput>key</userinput>
statement holds the secret that rndc uses to authenticate to the running
server; the value below is a published sample that every reader of this book
knows, so generate your own (for example with the
<userinput>rndc-confgen</userinput> program shipped with BIND 9) and put the
same value in rndc.conf below. Note also that, as written, named listens on
every interface and answers recursive queries from any client that can reach
it; on a machine exposed to untrusted networks, restrict this with the
<userinput>listen-on</userinput> and <userinput>allow-recursion</userinput>
options described in the BIND Administrator Reference Manual:</para>
<para><screen><userinput>
cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"
options {
        directory "/etc/namedb";
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
};
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
        algorithm hmac-md5;
        secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
zone "." {
        type hint;
        file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
        type master;
        file "pz/127.0.0";
};
EOF
</userinput></screen></para>
<para>Create the reverse zone file for the loopback network with the
following contents:</para>
<para><screen><userinput>
cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"
$TTL 3D
@       IN SOA  ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D )    ; Negative cache TTL
        NS      ns.local.domain.
1       PTR     localhost.
EOF
</userinput></screen></para>

<para>Create the root.hints file with the following commands. The addresses
of the root servers change from time to time; the list below was current when
this section was written. A current copy can be fetched from
ftp://ftp.internic.net/domain/named.root or obtained with
<userinput>dig . NS @a.root-servers.net</userinput>.</para>
<note><para>A line that begins with whitespace is taken to belong to the
previous owner name, so ensure that no line in this file has leading
spaces.</para></note>
<para><screen><userinput>
cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"
.                       6D IN NS   A.ROOT-SERVERS.NET.
.                       6D IN NS   B.ROOT-SERVERS.NET.
.                       6D IN NS   C.ROOT-SERVERS.NET.
.                       6D IN NS   D.ROOT-SERVERS.NET.
.                       6D IN NS   E.ROOT-SERVERS.NET.
.                       6D IN NS   F.ROOT-SERVERS.NET.
.                       6D IN NS   G.ROOT-SERVERS.NET.
.                       6D IN NS   H.ROOT-SERVERS.NET.
.                       6D IN NS   I.ROOT-SERVERS.NET.
.                       6D IN NS   J.ROOT-SERVERS.NET.
.                       6D IN NS   K.ROOT-SERVERS.NET.
.                       6D IN NS   L.ROOT-SERVERS.NET.
.                       6D IN NS   M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D IN A    198.41.0.4
B.ROOT-SERVERS.NET.     6D IN A    128.9.0.107
C.ROOT-SERVERS.NET.     6D IN A    192.33.4.12
D.ROOT-SERVERS.NET.     6D IN A    128.8.10.90
E.ROOT-SERVERS.NET.     6D IN A    192.203.230.10
F.ROOT-SERVERS.NET.     6D IN A    192.5.5.241
G.ROOT-SERVERS.NET.     6D IN A    192.112.36.4
H.ROOT-SERVERS.NET.     6D IN A    128.63.2.53
I.ROOT-SERVERS.NET.     6D IN A    192.36.148.17
J.ROOT-SERVERS.NET.     6D IN A    198.41.0.10
K.ROOT-SERVERS.NET.     6D IN A    193.0.14.129
L.ROOT-SERVERS.NET.     6D IN A    198.32.64.12
M.ROOT-SERVERS.NET.     6D IN A    202.12.27.33
EOF
</userinput></screen></para>

<para>Create rndc.conf with the following commands. The secret must be
identical to the one in named.conf, and because this file grants control of
the server it should be readable by root only:</para>
<para><screen><userinput>
cat &gt; /etc/rndc.conf &lt;&lt; "EOF"
key rndc_key {
        algorithm "hmac-md5";
        secret "c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K";
};
options {
        default-server localhost;
        default-key rndc_key;
};
EOF
</userinput></screen></para>
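<para>The following shell functions are an added example, not part of the
BLFS book or of BIND itself. They generate a fresh rndc secret, write it into
both a named.conf fragment and an rndc.conf so that the two cannot drift
apart, and check a pair of existing files for the two mistakes the text above
warns about: a secret that differs between the files, and the published
sample secret left in place. The function names, the target directory
parameter and the key name are this example's own choices.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): keep the rndc key consistent
# between named.conf and rndc.conf and refuse the published sample value.

# The sample secret printed in the book; it must never reach a real server.
SAMPLE_SECRET='c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K'

# Print a random 256-bit key, base64-encoded (44 characters), which is the
# form BIND expects in a "secret" statement.
gen_secret() {
    dd if=/dev/urandom bs=32 count=1 2>/dev/null | base64 | tr -d '\n'
}

# Print the value of the first "secret" statement in a BIND config file.
# Handles both `secret "value";` and the book's rndc.conf layout where the
# quoted value sits on the line after the keyword.
extract_secret() {
    awk '/secret/ { f = 1 }
         f && match($0, /"[^"]*"/) { print substr($0, RSTART + 1, RLENGTH - 2); exit }' "$1"
}

# write_rndc_key_files DIR SECRET: write the controls/key stanzas for
# named.conf and a matching rndc.conf into DIR (hypothetical layout).
write_rndc_key_files() {
    dir=$1; secret=$2
    cat > "$dir/named.conf" <<EOF
controls {
        inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
        algorithm hmac-md5;
        secret "$secret";
};
EOF
    cat > "$dir/rndc.conf" <<EOF
key rndc_key {
        algorithm "hmac-md5";
        secret "$secret";
};
options {
        default-server localhost;
        default-key rndc_key;
};
EOF
    # rndc.conf holds the shared secret: only its owner (root) may read it.
    chmod 600 "$dir/rndc.conf"
}

# check_rndc_key NAMED_CONF RNDC_CONF: succeed only if both files carry the
# same secret and it is not the published sample.
check_rndc_key() {
    a=$(extract_secret "$1"); b=$(extract_secret "$2")
    [ -n "$a" ] || { echo "no secret statement found in $1" >&2; return 1; }
    [ "$a" = "$b" ] || { echo "rndc key differs between $1 and $2" >&2; return 1; }
    [ "$a" != "$SAMPLE_SECRET" ] || { echo "published sample secret still in use" >&2; return 1; }
    return 0
}
```

<para>On a real system the check would be run as
<userinput>check_rndc_key /home/named/etc/named.conf /etc/rndc.conf</userinput>;
the generated stanzas replace only the controls and key parts of named.conf,
the options and zone statements from the book stay as they are.</para>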

<para>Create or modify resolv.conf to use the new nameserver with the
following commands: </para>
<note><para>Replace yourdomain.com with your own valid domain
name.</para></note>

<para><screen><userinput>
cp /etc/resolv.conf /etc/resolv.conf.bak
cat &gt; /etc/resolv.conf &lt;&lt; "EOF"
search yourdomain.com
nameserver 127.0.0.1
EOF
</userinput></screen></para>

<para>Give the named user ownership of the chroot jail with the following
command:</para>
<para><screen><userinput>
chown -R named:named /home/named
</userinput></screen></para>

<para>Create the BIND boot script:</para>
<para><screen><userinput>
cat &gt; /etc/rc.d/init.d/bind &lt;&lt; "EOF"
#!/bin/bash
# Begin $rc_base/init.d/bind
# Based on sysklogd script from LFS-3.1 and earlier.
# Rewritten by Gerard Beekmans - gerard@linuxfromscratch.org

source /etc/sysconfig/rc
source $rc_functions

case "$1" in
        start)
                echo "Starting named..."
                # -u drops privileges to the named user and -t chroots
                # into the jail; the -c path is relative to the jail.
                loadproc /usr/sbin/named -u named -t /home/named -c \
                        /etc/named.conf
                ;;
        stop)
                echo "Stopping named..."
                killproc /usr/sbin/named
                ;;
        restart)
                $0 stop
                sleep 1
                $0 start
                ;;
        reload)
                echo "Reloading named..."
                /usr/sbin/rndc -c /etc/rndc.conf reload
                ;;
        status)
                statusproc /usr/sbin/named
                ;;
        *)
                echo "Usage: $0 {start|stop|restart|reload|status}"
                exit 1
                ;;
esac

# End $rc_base/init.d/bind
EOF
</userinput></screen></para>

<para>Add the run level symlinks:</para>
<para><screen><userinput>
chmod 754 /etc/rc.d/init.d/bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc2.d/K49bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc3.d/S22bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind &amp;&amp;
ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind
</userinput></screen></para>

<para>Now start BIND with the new boot script: </para>
<para><screen><userinput>
/etc/rc.d/init.d/bind start
</userinput></screen></para></sect3>
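<para>Once named is running, it is worth confirming that the
<userinput>-u named -t /home/named</userinput> options in the boot script
really took effect. The following shell functions are an added example, not
part of the BLFS book or of BIND: they read the kernel's own view of the
process from /proc (its root directory and real uid) rather than trusting the
command line shown by ps. The function names are this example's own; the
pid-file location follows the named.conf above, where
<userinput>/var/run/named.pid</userinput> inside the jail is
<userinput>/home/named/var/run/named.pid</userinput> on the host.</para>

```shell
#!/bin/sh
# Added example (not from the BLFS book): verify that a running daemon is
# confined to its chroot jail and runs as the expected unprivileged user,
# using /proc, which reflects what the kernel actually enforces.

# check_jail PID EXPECTED_ROOT EXPECTED_UID
# Prints what was found and returns 0 only if the process's root directory
# is EXPECTED_ROOT and its real uid is EXPECTED_UID. Returns 2 if the
# process cannot be inspected at all.
check_jail() {
    pid=$1; want_root=$2; want_uid=$3
    [ -d "/proc/$pid" ] || { echo "no such process: $pid" >&2; return 2; }
    # /proc/PID/root is a symlink to the process's root directory; after a
    # successful chroot it points at the jail, so "/" means not confined.
    have_root=$(readlink "/proc/$pid/root") || return 2
    # The real uid is the second field of the "Uid:" line in /proc/PID/status.
    have_uid=$(awk '/^Uid:/ { print $2 }' "/proc/$pid/status")
    echo "pid $pid root=$have_root uid=$have_uid"
    [ "$have_root" = "$want_root" ] || { echo "root is not $want_root" >&2; return 1; }
    [ "$have_uid" = "$want_uid" ] || { echo "uid is not $want_uid" >&2; return 1; }
    # Matching uid 0 would mean the jail was requested for a root process,
    # which a chroot alone does not make safe; flag it even though it "matched".
    [ "$have_uid" != 0 ] || echo "warning: process runs as root" >&2
    return 0
}

# check_named_jail [JAIL]: wrapper for the layout used in this chapter.
# The pid file is written by named inside the jail, so its host path is
# JAIL/var/run/named.pid; the expected uid is that of the named user.
check_named_jail() {
    jail=${1:-/home/named}
    check_jail "$(cat "$jail/var/run/named.pid")" "$jail" "$(id -u named)"
}
```

<para>Run <userinput>check_named_jail</userinput> as root after starting
the service; a root of <userinput>/</userinput> or a uid of 0 in its output
means the jail or the privilege drop did not happen and named should be
stopped until the boot script is fixed.</para>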

<sect3><title>Testing BIND</title>
<para>Test out the new BIND 9 installation. First query the local
host address with dig, which exercises the loopback reverse zone
created above:</para>
<para><screen><userinput>
dig -x 127.0.0.1
</userinput></screen></para>
<para>Now try an external name lookup, taking note of the speed
difference in repeated lookups due to caching. Run the dig
command twice on the same name:</para>
<para><screen><userinput>
dig beyond.linuxfromscratch.org &amp;&amp;
dig beyond.linuxfromscratch.org
</userinput></screen>
The second query is answered almost instantly from named's cache; compare
the "Query time" lines in the two outputs. Consult
bind-&bind-version;/doc/arm/Bv9ARM.html, the BIND
Administrator Reference Manual, for further configuration options.
</para></sect3>
</sect2>
