Changeset 814d190


Timestamp:
09/29/2003 04:40:22 AM (18 years ago)
Author:
Igor Živković <igor@…>
Branches:
10.0, 10.1, 11.0, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, ken/refactor-virt, krejzi/svn, lazarus, nosym, perl-modules, qt5new, systemd-11177, systemd-13485, trunk, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/git-date, xry111/git-date-for-trunk, xry111/git-date-test
Children:
29c3363
Parents:
39f01ca
Message:

updated BIND intro

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@1236 af4574ff-66df-0310-9fd7-8a98e5e911e0

Location:
server/other
Files:
1 deleted
6 edited

  • server/other/bind.xml

    r39f01ca r814d190  
    1 <sect1 id="bind" xreflabel="bind-&bind-version;">
     1<sect1 id="bind" xreflabel="BIND-&bind-version;">
    22<?dbhtml filename="bind.html" dir="server"?>
    33<title><acronym>BIND</acronym>-&bind-version;</title>
     
    66&bind-inst;
    77&bind-config;
    8 &bind-config-exp;
    98&bind-desc;
    109
  • server/other/bind/bind-config.xml

    r39f01ca r814d190  
    11<sect2>
    2 <title>Configuring BIND</title>
    3 <para>We will configure BIND to run in a chroot jail as an unprivileged
    4 user(named).  This configuration is more secure in that a DNS
    5 compromise can only affect a few files in the named user's $HOME
    6 directory </para>
    7 
    8 <para>First we set up some files and directories needed by
    9 BIND:</para>
    10 <para><screen><userinput>groupadd -g 200 named &amp;&amp;
    11 useradd -m -g named -u 200 -s /bin/false named &amp;&amp;
    12 cd /home/named &amp;&amp;
     2<title>Configuring
     3<application><acronym>BIND</acronym></application></title>
     4
     5<sect3><title>Config files</title>
     6<para><filename>named.conf</filename>, <filename>root.hints</filename>,
     7<filename>127.0.0</filename>, <filename>rndc.conf</filename></para>
     8</sect3>
     9
     10<sect3><title>Configuration Information</title>
     11
     12<para>We will configure
     13<application><acronym>BIND</acronym></application> to run in a chroot
     14jail as an unprivileged user (named). This configuration is more secure
     15in that a <acronym>DNS</acronym> compromise can only affect a few files
     16in the named user's <envar>$HOME</envar> directory.</para>
     17
     18<para>First we create the unpriviledged user and group named:</para>
     19
     20<screen><userinput><command>groupadd -g 200 named &amp;&amp;
     21useradd -m -g named -u 200 -s /bin/false named</command></userinput></screen>
     22
     23<para>Then we set up some files, directories and devices needed by
     24<application><acronym>BIND</acronym></application>:</para>
     25
     26<screen><userinput><command>cd /home/named &amp;&amp;
    1327mkdir -p dev etc/namedb/slave var/run &amp;&amp;
    1428mknod /home/named/dev/null c 1 3 &amp;&amp;
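Review bot: the security claim at new lines 14-16 ("a DNS compromise can only affect a few files in the named user's $HOME directory") promises more than this procedure delivers, because the jail is later handed wholesale to the daemon with `chown -R named.named /home/named`, so a compromised named can rewrite its own named.conf, root.hints and master zone, and the clients pointed at it by the resolv.conf step keep trusting its answers. Reword it to what the chroot plus unprivileged user actually limit: writes outside /home/named and nothing running as root. Two smaller points in the same hunk: "unpriviledged" at new line 18 should be "unprivileged", and the "Config files" list at new lines 6-7 names `127.0.0` without the `pz/` directory that the later heredoc writes it into.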
     
    1630chmod 666 /home/named/dev/{null,random} &amp;&amp;
    1731mkdir /home/named/etc/namedb/pz &amp;&amp;
    18 cp /etc/localtime /home/named/etc</userinput></screen></para>
    19 
    20 <sect3><title>Config files</title>
    21 <para><filename>named.conf</filename>,
    22 <filename>root.hints</filename>, <filename>127.0.0</filename> and
    23 <filename>rndc.conf</filename></para>
    24 
    25 <para>Create the named.conf file with the following commands:</para>
    26 <para><screen><userinput>cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"</userinput>
     32cp /etc/localtime /home/named/etc</command></userinput></screen>
     33
     34<para>Create the <filename>named.conf</filename> file from which named
     35will read the location of zone files, root name servers and secure
     36<acronym>DNS</acronym> keys:</para>
     37
     38<screen><userinput><command>cat &gt; /home/named/etc/named.conf &lt;&lt; "EOF"</command>
    2739 options {
    2840     directory "/etc/namedb";
     
    4658     file "pz/127.0.0";
    4759 };
    48 <userinput>EOF</userinput></screen></para>
    49 <para>Create a zone file with the following contents: </para>
    50 <para><screen><userinput>cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"</userinput>
     60<command>>EOF</command></userinput></screen>
     61
     62<para>Create a zone file with the following contents:</para>
     63
     64<screen><userinput><command>cat &gt; /home/named/etc/namedb/pz/127.0.0 &lt;&lt; "EOF"</command>
    5165$TTL 3D
    5266@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
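Review bot: `<command>>EOF</command>` at new line 60 has a stray `>`; the rendered terminator is `>EOF`, which never matches the `<< "EOF"` opened at new line 38, so a reader who pastes the block as printed is left inside an unterminated heredoc. New line 74 shows the intended form, `<command>EOF</command>`; the same stray character appears again at new lines 109 and 145 and should be fixed in all three places. While in this hunk: new line 30 makes both jail device nodes mode 666, which named only needs for `dev/null`; it only reads `dev/random`, so a read-only mode on that node is enough for the least-privilege goal stated above.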
     
    5872                NS      ns.local.domain.
    59731               PTR     localhost.
    60 <userinput>EOF</userinput></screen></para>
    61 
    62 <para>Create the root.hints file with the following commands: </para>
     74<command>EOF</command></userinput></screen>
     75
     76<para>Create the <filename>root.hints</filename> file with the following
     77commands:</para>
     78
    6379<note><para>Caution must be used to insure no leading spaces in this
    6480file.</para></note>
    65 <para><screen><userinput>cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"</userinput>
     81
     82<screen><userinput><command>cat &gt; /home/named/etc/namedb/root.hints &lt;&lt; "EOF"</command>
    6683.                       6D  IN      NS      A.ROOT-SERVERS.NET.
    6784.                       6D  IN      NS      B.ROOT-SERVERS.NET.
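Review bot: "insure" at new line 79 should be "ensure". The note itself is right to warn about leading whitespace, since a leading space in the hints file changes how the master-file parser reads the owner name, so keep the warning next to the heredoc.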
     
    90107L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
    91108M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
    92 <userinput>EOF</userinput></screen></para>
     109<command>>EOF</command></userinput></screen>
     110
     111<para>The <filename>root.hints</filename> file is a list of root name
     112servers. This file must be updated periodically with the
     113<command>dig</command> utility.
     114Consult the <acronym>BIND</acronym> 9 Administrator Reference Manual for
     115details.</para>
    93116
    94117<para>Create the <filename>rndc.conf</filename> with the following commands:</para>
    95 <para><screen><userinput>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"</userinput>
     118
     119<screen><userinput><command>cat &gt; /etc/rndc.conf &lt;&lt; "EOF"</command>
    96120key rndc_key {
    97121algorithm "hmac-md5";
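Review bot: new lines 111-115 tell the reader root.hints "must be updated periodically with the dig utility" but give no command; the usual one is `dig @a.root-servers.net . ns > root.hints`, run as the named user or followed by the chown step, and it is worth stating since the hard-coded addresses at new lines 83-108 go stale. More important for security: rndc.conf is written verbatim from the book into /etc/rndc.conf, so the `rndc_key` secret (in the part of the key block elided here) is identical on every system built from these instructions, and nothing in this hunk restricts the file's mode. Recommend generating the key with `rndc-confgen`, which this same changeset documents in bind-desc.xml, and adding `chmod 600 /etc/rndc.conf` after the heredoc. Also fix `<command>>EOF</command>` at new line 109 (stray `>`).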
     
    103127    default-key    rndc_key;
    104128};
    105 <userinput>EOF</userinput></screen></para>
    106 
    107 <para>Create or modify <filename>resolv.conf</filename> to use the new name server with the
    108 following commands: </para>
     129<command>EOF</command></userinput></screen>
     130
     131<para>The <filename>rndc.conf</filename> file contains information for
     132controlling named operations with the <command>rndc</command>
     133utility.</para>
     134
     135<para>Create or modify <filename>resolv.conf</filename> to use the new
     136name server with the following commands:</para>
     137
    109138<note><para>Replace yourdomain.com with your own valid domain
    110139name.</para></note>
    111140
    112 <para><screen><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
    113 cat &gt; /etc/resolv.conf &lt;&lt; "EOF"</userinput>
     141<screen><userinput><command>cp /etc/resolv.conf /etc/resolv.conf.bak &amp;&amp;
     142cat &gt; /etc/resolv.conf &lt;&lt; "EOF"</command>
    114143search yourdomain.com
    115144nameserver 127.0.0.1
    116 <userinput>EOF</userinput></screen></para>
     145<command>>EOF</command></userinput></screen>
    117146
    118147<para>Set permissions on the chroot jail with the following
    119148command:</para>
    120 <para><screen><userinput>chown -R named.named /home/named</userinput></screen></para>
    121 
    122 <para>Create the BIND boot script:</para>
    123 <para><screen><userinput>cat &gt; /etc/rc.d/init.d/bind &lt;&lt; "EOF"</userinput>
     149
     150<screen><userinput><command>chown -R named.named /home/named</command></userinput></screen>
     151
     152<para>Create the <application><acronym>BIND</acronym></application>
     153boot script:</para>
     154
     155<screen><userinput><command>cat &gt; /etc/rc.d/init.d/bind &lt;&lt; "EOF"</command>
    124156#!/bin/bash
    125157# Begin $rc_base/init.d/bind
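Review bot: `chown -R named.named /home/named` at new line 150 makes every file in the jail, including named.conf, root.hints and the master zone under pz/, writable by the daemon, which undoes the point of running it unprivileged. Suggest `chown -R root:named /home/named` followed by `chown -R named:named /home/named/etc/namedb/slave /home/named/var/run`, the two locations the directory layout at new line 27 sets aside for files named actually writes; use the `user:group` form rather than `user.group`, which is the portable spelling. `<command>>EOF</command>` at new line 145 has the same stray `>` as new lines 60 and 109.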
     
    157189esac
    158190# End $rc_base/init.d/bind
    159 <userinput>EOF</userinput></screen></para>
     191<command>EOF</command></userinput></screen>
    160192
    161193<para>Add the run level symlinks:</para>
    162 <para><screen><userinput>chmod 754 /etc/rc.d/init.d/bind &amp;&amp;
     194
     195<screen><userinput><command>chmod 754 /etc/rc.d/init.d/bind &amp;&amp;
    163196ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind &amp;&amp;
    164197ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind &amp;&amp;
     
    167200ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind &amp;&amp;
    168201ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind &amp;&amp;
    169 ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind</userinput></screen></para>
    170 
    171 <para>Now start BIND with the new boot script: </para>
    172 <para><screen><userinput>/etc/rc.d/init.d/bind start</userinput></screen></para></sect3>
    173 
    174 <sect3><title>Testing BIND</title>
    175 <para>Test out the new BIND 9 installation.  First query the local
    176 host address with <command>dig</command>:</para>
    177 <para><screen><userinput>dig -x 127.0.0.1</userinput></screen></para>
     202ln -s  /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind</command></userinput></screen>
     203
     204<para>Now start <application><acronym>BIND</acronym></application> with
     205the new boot script:</para>
     206
     207<screen><userinput><command>/etc/rc.d/init.d/bind start</command></userinput></screen>
     208
     209</sect3>
     210
     211<sect3><title>Testing <application><acronym>BIND</acronym></application></title>
     212
     213<para>Test out the new
     214<application><acronym>BIND</acronym></application> 9 installation. First
     215query the local host address with <command>dig</command>:</para>
     216
     217<screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen>
     218
    178219<para>Now try an external name lookup, taking note of the speed
    179 difference in repeated lookups due to the caching.  Run the dig
    180 command twice on the same address:</para>
    181 <para><screen><userinput>dig beyond.linuxfromscratch.org &amp;&amp;
    182 dig beyond.linuxfromscratch.org</userinput></screen>
    183 You can see almost instantaneous results with the named caching
    184 lookups.  Consult
    185 <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>, the BIND
    186 Administrator Reference Manual for further configuration options.
    187 </para></sect3>
     220difference in repeated lookups due to the caching. Run the dig command
     221twice on the same address:</para>
     222
     223<para><screen><userinput><command>dig beyond.linuxfromscratch.org &amp;&amp;
     224dig beyond.linuxfromscratch.org</command></userinput></screen>
     225You can see almost instantaneous results with the named caching lookups.
     226Consult <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>,
     227the <application><acronym>BIND</acronym></application> Administrator
     228Reference Manual for further configuration options.</para>
     229
     230</sect3>
     231
    188232</sect2>
    189 
  • server/other/bind/bind-desc.xml

    r39f01ca r814d190  
    22<title>Contents</title>
    33
    4 <para>The BIND package contains
    5 <userinput>dig</userinput>,
    6 <userinput>host</userinput>,
    7 <userinput>rndc</userinput>,
    8 <userinput>rndc-confgen</userinput>,
    9 <userinput>named-checkconf</userinput>,
    10 <userinput>named-checkzone</userinput>,
    11 <userinput>lwresd</userinput>,
    12 <userinput>named</userinput>,
    13 <userinput>dnssec-signzone</userinput>,
    14 <userinput>dnssec-signkey</userinput>,
    15 <userinput>dnssec-keygen</userinput>,
    16 <userinput>dnssec-makekeyset</userinput> and
    17 <userinput>nsupdate</userinput>.</para>
     4<para>The <application><acronym>BIND</acronym></application> package contains
     5<command>dig</command>,
     6<command>host</command>,
     7<command>rndc</command>,
     8<command>rndc-confgen</command>,
     9<command>named-checkconf</command>,
     10<command>named-checkzone</command>,
     11<command>lwresd</command>,
     12<command>named</command>,
     13<command>dnssec-signzone</command>,
     14<command>dnssec-signkey</command>,
     15<command>dnssec-keygen</command>,
     16<command>dnssec-makekeyset</command> and
     17<command>nsupdate</command>.</para>
    1818</sect2>
    1919
     
    2121
    2222<sect3><title>dig</title>
    23 <para>dig interrogates DNS servers.</para></sect3>
     23<para><command>dig</command> interrogates <acronym>DNS</acronym>
     24servers.</para></sect3>
     25
    2426<sect3><title>host</title>
    25 <para>host is a utility for DNS lookups.</para></sect3>
     27<para><command>host</command> is a utility for <acronym>DNS</acronym>
     28lookups.</para></sect3>
     29
    2630<sect3><title>rndc</title>
    27 <para>rndc controls the operation of BIND.</para></sect3>
     31<para><command>rndc</command> controls the operation of
     32<application><acronym>BIND</acronym></application>.</para></sect3>
     33
    2834<sect3><title>rndc-confgen</title>
    29 <para>rndc-confgen generates rndc.conf files.</para></sect3>
     35<para><command>rndc-confgen</command> generates
     36<filename>rndc.conf</filename> files.</para></sect3>
     37
    3038<sect3><title>named-checkconf</title>
    31 <para>named-checkconf checks the syntax of named.conf
    32 files.</para></sect3>
     39<para><command>named-checkconf</command> checks the syntax of
     40<filename>named.conf</filename> files.</para></sect3>
     41
    3342<sect3><title>named-checkzone</title>
    34 <para>named-checkzone checks zone file validity.</para></sect3>
     43<para><command>named-checkzone</command> checks zone file
     44validity.</para></sect3>
     45
    3546<sect3><title>lwresd</title>
    36 <para>lwresd is a caching-only name server for local process
    37 use.</para></sect3>
     47<para><command>lwresd</command> is a caching-only name server for local
     48process use.</para></sect3>
     49
    3850<sect3><title>named</title>
    39 <para>named is the name server daemon.</para></sect3>
     51<para><command>named</command> is the name server daemon.</para></sect3>
     52
    4053<sect3><title>dnssec-signzone</title>
    41 <para>dnssec-signzone generates signed versions of zone
    42 files.</para></sect3>
     54<para><command>dnssec-signzone</command> generates signed versions of
     55zone files.</para></sect3>
     56
    4357<sect3><title>dnssec-signkey</title>
    44 <para>dnssec-signkey signs zone file key sets.</para></sect3>
     58<para><command>dnssec-signkey</command> signs zone file key
     59sets.</para></sect3>
     60
    4561<sect3><title>dnssec-keygen</title>
    46 <para>dnssec-keygen is a key generator for secure DNS.</para></sect3>
     62<para><command>dnssec-keygen</command> is a key generator for secure
     63<acronym>DNS</acronym>.</para></sect3>
     64
    4765<sect3><title>dnssec-makekeyset</title>
    48 <para>dnssec-makekeyset generates a key set from one or more keys
    49 created by dnssec-keygen.</para></sect3>
     66<para><command>dnssec-makekeyset</command> generates a key set from one
     67or more keys created by dnssec-keygen.</para></sect3>
     68
    5069<sect3><title>nsupdate</title>
    51 <para>nsupdate is used to submit DNS update requests.</para></sect3>
     70<para><command>nsupdate</command> is used to submit
     71<acronym>DNS</acronym> update requests.</para></sect3>
     72
    5273</sect2>
    53 
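Review bot: `dnssec-keygen` at new line 67 is the one command name in this file left without `<command>` markup, while the same name is wrapped at new line 62; wrap it for consistency with the rest of the conversion.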
  • server/other/bind/bind-inst.xml

    r39f01ca r814d190  
    11<sect2>
    2 <title>Installation of <application>BIND</application></title>
     2<title>Installation of <application><acronym>BIND</acronym></application></title>
    33
    4 <para>Install <application>BIND</application> by running the following commands:</para>
     4<para>Install <application><acronym>BIND</acronym></application> by
     5running the following commands:</para>
    56
    67<screen><userinput><command>./configure --prefix=/usr --sysconfdir=/etc &amp;&amp;
    78make &amp;&amp;
    89make install</command></userinput></screen>
     10
    911</sect2>
    10 
  • server/other/bind/bind-intro.xml

    r39f01ca r814d190  
    11<sect2>
    2 <title>Introduction to BIND &bind-version;</title>
     2<title>Introduction to <application><acronym>BIND</acronym></application></title>
    33
    4 <screen>Download location (HTTP):       <ulink url="&bind-download-http;"/>
    5 Download location (FTP):        <ulink url="&bind-download-ftp;"/>
    6 Version used:                   &bind-version;
    7 Package size:                   &bind-size;
    8 Estimated Disk space required:  &bind-buildsize;</screen>
     4<para>The <application><acronym>BIND</acronym></application> package
     5provides a <acronym>DNS</acronym> server and client utilities.</para>
    96
    10 <para>The Bind package provides a DNS server and client
    11 utilities.</para></sect2>
     7<sect3><title>Package information</title>
     8<itemizedlist spacing='compact'>
     9<listitem><para>Download (HTTP): <ulink url="&bind-download-http;"/></para></listitem>
     10<listitem><para>Download (FTP): <ulink url="&bind-download-ftp;"/></para></listitem>
     11<listitem><para>Download size: &bind-size;</para></listitem>
     12<listitem><para>Estimated Disk space required: &bind-buildsize;</para></listitem>
     13<listitem><para>Estimated build time: &bind-time;</para></listitem></itemizedlist>
     14</sect3>
    1215
     16</sect2>
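Review bot: the "Version used: &bind-version;" line from the old `<screen>` block (old line 6) has no counterpart in the new "Package information" list, so the version now appears only in the sect1 title in bind.xml; add a `Version used` listitem or state the version in the title as the old one did. The HTTP listitem at new line 9 will also render an empty `<ulink>`, because bind.ent still defines `bind-download-http` as `""` in this same changeset; either fill the entity or drop that listitem until there is an HTTP mirror.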
  • server/other/bind/bind.ent

    r39f01ca r814d190  
    22<!ENTITY bind-intro SYSTEM "bind-intro.xml">
    33<!ENTITY bind-inst SYSTEM "bind-inst.xml">
    4 <!ENTITY bind-exp SYSTEM "bind-exp.xml">
    5 <!ENTITY bind-config-exp SYSTEM "bind-config-exp.xml">
     4<!ENTITY bind-config SYSTEM "bind-config.xml">
    65<!ENTITY bind-desc SYSTEM "bind-desc.xml">
    7 <!ENTITY bind-config SYSTEM "bind-config.xml">
    8 <!ENTITY bind-buildsize "38 MB">
     6<!ENTITY bind-buildsize "90 MB">
    97<!ENTITY bind-version "9.2.2">
    108<!ENTITY bind-download-http "">
    119<!ENTITY bind-download-ftp "ftp://ftp.isc.org/isc/bind9/&bind-version;/bind-&bind-version;.tar.gz">
    1210<!ENTITY bind-size "4.8 MB">
    13 <!ENTITY bind-time "">
     11<!ENTITY bind-time "0.89 SBU">
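Review bot: this hunk removes the `bind-exp` and `bind-config-exp` entity declarations, but the changeset header counts only one deleted file and no deleted file is shown here; confirm that both bind-exp.xml and bind-config-exp.xml are gone (or that bind-exp.xml never existed), otherwise one of them is left orphaned in the tree. `bind-download-http` is still `""` at new line 8 while bind-intro.xml now emits a ulink for it.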