Changeset 814d190 for server/other/bind/bind-config.xml
- Timestamp:
- 09/29/2003 04:40:22 AM (21 years ago)
- Branches:
- 10.0, 10.1, 11.0, 11.1, 11.2, 11.3, 12.0, 12.1, 6.0, 6.1, 6.2, 6.2.0, 6.2.0-rc1, 6.2.0-rc2, 6.3, 6.3-rc1, 6.3-rc2, 6.3-rc3, 7.10, 7.4, 7.5, 7.6, 7.6-blfs, 7.6-systemd, 7.7, 7.8, 7.9, 8.0, 8.1, 8.2, 8.3, 8.4, 9.0, 9.1, basic, bdubbs/svn, elogind, gnome, kde5-13430, kde5-14269, kde5-14686, kea, ken/TL2024, ken/inkscape-core-mods, ken/tuningfonts, krejzi/svn, lazarus, lxqt, nosym, perl-modules, plabs/newcss, plabs/python-mods, python3.11, qt5new, rahul/power-profiles-daemon, renodr/vulkan-addition, systemd-11177, systemd-13485, trunk, upgradedb, v5_0, v5_0-pre1, v5_1, v5_1-pre1, xry111/intltool, xry111/llvm18, xry111/soup3, xry111/test-20220226, xry111/xf86-video-removal
- Children:
- 29c3363
- Parents:
- 39f01ca
- File:
-
- 1 edited
Legend:
- Unmodified
- Added
- Removed
-
server/other/bind/bind-config.xml
r39f01ca r814d190 1 1 <sect2> 2 <title>Configuring BIND</title> 3 <para>We will configure BIND to run in a chroot jail as an unprivileged 4 user(named). This configuration is more secure in that a DNS 5 compromise can only affect a few files in the named user's $HOME 6 directory </para> 7 8 <para>First we set up some files and directories needed by 9 BIND:</para> 10 <para><screen><userinput>groupadd -g 200 named && 11 useradd -m -g named -u 200 -s /bin/false named && 12 cd /home/named && 2 <title>Configuring 3 <application><acronym>BIND</acronym></application></title> 4 5 <sect3><title>Config files</title> 6 <para><filename>named.conf</filename>, <filename>root.hints</filename>, 7 <filename>127.0.0</filename>, <filename>rndc.conf</filename></para> 8 </sect3> 9 10 <sect3><title>Configuration Information</title> 11 12 <para>We will configure 13 <application><acronym>BIND</acronym></application> to run in a chroot 14 jail as an unprivileged user (named). This configuration is more secure 15 in that a <acronym>DNS</acronym> compromise can only affect a few files 16 in the named user's <envar>$HOME</envar> directory.</para> 17 18 <para>First we create the unpriviledged user and group named:</para> 19 20 <screen><userinput><command>groupadd -g 200 named && 21 useradd -m -g named -u 200 -s /bin/false named</command></userinput></screen> 22 23 <para>Then we set up some files, directories and devices needed by 24 <application><acronym>BIND</acronym></application>:</para> 25 26 <screen><userinput><command>cd /home/named && 13 27 mkdir -p dev etc/namedb/slave var/run && 14 28 mknod /home/named/dev/null c 1 3 && … … 16 30 chmod 666 /home/named/dev/{null,random} && 17 31 mkdir /home/named/etc/namedb/pz && 18 cp /etc/localtime /home/named/etc</userinput></screen></para> 19 20 <sect3><title>Config files</title> 21 <para><filename>named.conf</filename>, 22 <filename>root.hints</filename>, <filename>127.0.0</filename> and 23 <filename>rndc.conf</filename></para> 24 25 <para>Create the named.conf file with the following commands:</para> 26 <para><screen><userinput>cat > /home/named/etc/named.conf << "EOF"</userinput> 32 cp /etc/localtime /home/named/etc</command></userinput></screen> 33 34 <para>Create the <filename>named.conf</filename> file from which named 35 will read the location of zone files, root name servers and secure 36 <acronym>DNS</acronym> keys:</para> 37 38 <screen><userinput><command>cat > /home/named/etc/named.conf << "EOF"</command> 27 39 options { 28 40 directory "/etc/namedb"; … … 46 58 file "pz/127.0.0"; 47 59 }; 48 <userinput>EOF</userinput></screen></para> 49 <para>Create a zone file with the following contents: </para> 50 <para><screen><userinput>cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"</userinput> 60 <command>>EOF</command></userinput></screen> 61 62 <para>Create a zone file with the following contents:</para> 63 64 <screen><userinput><command>cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"</command> 51 65 $TTL 3D 52 66 @ IN SOA ns.local.domain. hostmaster.local.domain. ( … … 58 72 NS ns.local.domain. 59 73 1 PTR localhost. 60 <userinput>EOF</userinput></screen></para> 61 62 <para>Create the root.hints file with the following commands: </para> 74 <command>EOF</command></userinput></screen> 75 76 <para>Create the <filename>root.hints</filename> file with the following 77 commands:</para> 78 63 79 <note><para>Caution must be used to insure no leading spaces in this 64 80 file.</para></note> 65 <para><screen><userinput>cat > /home/named/etc/namedb/root.hints << "EOF"</userinput> 81 82 <screen><userinput><command>cat > /home/named/etc/namedb/root.hints << "EOF"</command> 66 83 . 6D IN NS A.ROOT-SERVERS.NET. 67 84 . 6D IN NS B.ROOT-SERVERS.NET. … … 90 107 L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12 91 108 M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33 92 <userinput>EOF</userinput></screen></para> 109 <command>>EOF</command></userinput></screen> 110 111 <para>The <filename>root.hints</filename> file is a list of root name 112 servers. This file must be updated periodically with the 113 <command>dig</command> utility. 114 Consult the <acronym>BIND</acronym> 9 Administrator Reference Manual for 115 details.</para> 93 116 94 117 <para>Create the <filename>rndc.conf</filename> with the following commands:</para> 95 <para><screen><userinput>cat > /etc/rndc.conf << "EOF"</userinput> 118 119 <screen><userinput><command>cat > /etc/rndc.conf << "EOF"</command> 96 120 key rndc_key { 97 121 algorithm "hmac-md5"; … … 103 127 default-key rndc_key; 104 128 }; 105 <userinput>EOF</userinput></screen></para> 106 107 <para>Create or modify <filename>resolv.conf</filename> to use the new name server with the 108 following commands: </para> 129 <command>EOF</command></userinput></screen> 130 131 <para>The <filename>rndc.conf</filename> file contains information for 132 controlling named operations with the <command>rndc</command> 133 utility.</para> 134 135 <para>Create or modify <filename>resolv.conf</filename> to use the new 136 name server with the following commands:</para> 137 109 138 <note><para>Replace yourdomain.com with your own valid domain 110 139 name.</para></note> 111 140 112 < para><screen><userinput>cp /etc/resolv.conf /etc/resolv.conf.bak &&113 cat > /etc/resolv.conf << "EOF"</ userinput>141 <screen><userinput><command>cp /etc/resolv.conf /etc/resolv.conf.bak && 142 cat > /etc/resolv.conf << "EOF"</command> 114 143 search yourdomain.com 115 144 nameserver 127.0.0.1 116 < userinput>EOF</userinput></screen></para>145 <command>>EOF</command></userinput></screen> 117 146 118 147 <para>Set permissions on the chroot jail with the following 119 148 command:</para> 120 <para><screen><userinput>chown -R named.named /home/named</userinput></screen></para> 121 122 <para>Create the BIND boot script:</para> 123 <para><screen><userinput>cat > /etc/rc.d/init.d/bind << "EOF"</userinput> 149 150 <screen><userinput><command>chown -R named.named /home/named</command></userinput></screen> 151 152 <para>Create the <application><acronym>BIND</acronym></application> 153 boot script:</para> 154 155 <screen><userinput><command>cat > /etc/rc.d/init.d/bind << "EOF"</command> 124 156 #!/bin/bash 125 157 # Begin $rc_base/init.d/bind … … 157 189 esac 158 190 # End $rc_base/init.d/bind 159 < userinput>EOF</userinput></screen></para>191 <command>EOF</command></userinput></screen> 160 192 161 193 <para>Add the run level symlinks:</para> 162 <para><screen><userinput>chmod 754 /etc/rc.d/init.d/bind && 194 195 <screen><userinput><command>chmod 754 /etc/rc.d/init.d/bind && 163 196 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc0.d/K49bind && 164 197 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc1.d/K49bind && … … 167 200 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc4.d/S22bind && 168 201 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc5.d/S22bind && 169 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind</userinput></screen></para> 170 171 <para>Now start BIND with the new boot script: </para> 172 <para><screen><userinput>/etc/rc.d/init.d/bind start</userinput></screen></para></sect3> 173 174 <sect3><title>Testing BIND</title> 175 <para>Test out the new BIND 9 installation. First query the local 176 host address with <command>dig</command>:</para> 177 <para><screen><userinput>dig -x 127.0.0.1</userinput></screen></para> 202 ln -s /etc/rc.d/init.d/bind /etc/rc.d/rc6.d/K49bind</command></userinput></screen> 203 204 <para>Now start <application><acronym>BIND</acronym></application> with 205 the new boot script:</para> 206 207 <screen><userinput><command>/etc/rc.d/init.d/bind start</command></userinput></screen> 208 209 </sect3> 210 211 <sect3><title>Testing <application><acronym>BIND</acronym></application></title> 212 213 <para>Test out the new 214 <application><acronym>BIND</acronym></application> 9 installation. First 215 query the local host address with <command>dig</command>:</para> 216 217 <screen><userinput><command>dig -x 127.0.0.1</command></userinput></screen> 218 178 219 <para>Now try an external name lookup, taking note of the speed 179 difference in repeated lookups due to the caching. Run the dig 180 command twice on the same address:</para> 181 <para><screen><userinput>dig beyond.linuxfromscratch.org && 182 dig beyond.linuxfromscratch.org</userinput></screen> 183 You can see almost instantaneous results with the named caching 184 lookups. Consult 185 <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>, the BIND 186 Administrator Reference Manual for further configuration options. 187 </para></sect3> 220 difference in repeated lookups due to the caching. Run the dig command 221 twice on the same address:</para> 222 223 <para><screen><userinput><command>dig beyond.linuxfromscratch.org && 224 dig beyond.linuxfromscratch.org</command></userinput></screen> 225 You can see almost instantaneous results with the named caching lookups. 226 Consult <filename>bind-&bind-version;/doc/arm/Bv9ARM.html</filename>, 227 the <application><acronym>BIND</acronym></application> Administrator 228 Reference Manual for further configuration options.</para> 229 230 </sect3> 231 188 232 </sect2> 189
Note:
See TracChangeset
for help on using the changeset viewer.