BIND THE DNS SERVER TO USE !. DNS Domain Name Services Name to IP resolving /etc/hosts...
BIND
THE DNS SERVER TO USE !
DNS Domain Name Services Name to IP resolving /etc/hosts /etc/resolv.conf
Why Bind ?
Berkeley Internet Name Daemon. Because it's in the book... It's the best... It's incorporated by superior appliance vendors. Robust.
TLD & ROOT Servers .be .com .org .nu .nl .net ...
Types of DNS records
A AAAA MX CNAME PTR ...
Begin installation ...
Take a fresh copy of your Debian server. Remove unnecessary services:
# apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig
Snip INETD services:
# update-inetd --remove daytime
# update-inetd --remove telnet
# update-inetd --remove time
# update-inetd --remove finger
# update-inetd --remove talk
# update-inetd --remove ntalk
# update-inetd --remove ftp
# update-inetd --remove discard
# /etc/init.d/inetd reload
Install Bind9:
# apt-get update && apt-get upgrade
# apt-get install bind9
Setting up bind9 (9.2.4-1)
Adding group `bind' (104)
Done.
Adding system user `bind'
Adding new user `bind' (104) with group `bind'.
Not creating home directory.
Starting domain name service: named.=bind9
A local DNS server’s purpose !
Caching, forwarding, resolving the local domain(s) records
CHROOT environment
Security !!! Separate directory; a system in a system
Setup CHROOT for BIND
# /etc/init.d/bind9 stop
Next, edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named.
Change the line
OPTS="-u bind" so that it reads:
OPTIONS="-u bind -t /var/lib/named"
Complete Chroot environment (1)
To provide a complete environment for running BIND, create the necessary directories under /var/lib:
# mkdir -p /var/lib/named/etc
# mkdir /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
# mv /etc/bind /var/lib/named/etc
Now create a symbolic link to the new config directory from the old location, to avoid problems when BIND is upgraded in the future:
# ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices for use by BIND, and fix the directory permissions:
# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8
Complete Chroot environment (2)
Then change the permissions and ownership of the files:
# chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
# chown -R bind:bind /var/lib/named/var/*
# chown -R bind:bind /var/lib/named/etc/bind
(Note that this makes the whole configuration directory writable by the daemon's own user; the ls -l listing later in this deck shows the config files as root:bind with mode 644, which lets named read its configuration without being able to rewrite it.)
You'll also need to change the startup script /etc/init.d/sysklogd!!!!!!!! so that you can still see messages in the system logs. Change the line:
SYSLOGD="" so that it reads:
SYSLOGD="-a /var/lib/named/dev/log"
Now restart the logging process with the command:
# /etc/init.d/sysklogd restart
# /etc/init.d/bind9 start
Check /var/log/syslog for any errors. You can page through the file using:
# less /var/log/syslog
/etc/bind/named.conf
// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local
// Networks allowed to use this server as a resolver. The ACL is referenced
// by the allow-recursion / allow-query / allow-query-cache statements in
// named.conf.options, so this host does not answer queries from other
// addresses.
acl internals {
127.0.0.0/8;
10.10.10.0/24;
10.10.30.0/24;
};
// Global options (directory, forwarders, access control) live in a separate
// file. All "/etc/bind/..." paths below are resolved inside the chroot
// (-t /var/lib/named), where /etc/bind was moved to.
include "/etc/bind/named.conf.options";
// prime the server with knowledge of the root servers
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};
// Reverse zones for the two internal /24 networks listed in the internals ACL.
zone "30.10.10.in-addr.arpa" {
type master;
file "/etc/bind/pri.30.10.10.in-addr.arpa";
};
zone "10.10.10.in-addr.arpa" {
type master;
file "/etc/bind/pri.10.10.10.in-addr.arpa";
};
// Forward zones this host is primary (master) for; the zone data is in the
// pri.* files under /etc/bind.
zone "middle-earth" {
type master;
file "/etc/bind/pri.middle-earth";
};
zone "michiels.nu" {
type master;
file "/etc/bind/pri.michiels.nu";
};
// Site-specific additions belong in named.conf.local, not in this file.
include "/etc/bind/named.conf.local";
/etc/bind/named.conf.options
options {
// Working directory for cache and zone-transfer files (inside the chroot).
directory "/var/cache/bind";
// If there is a firewall between you and nameservers you want
// to talk to, you may need to fix the firewall to allow multiple
// ports to talk. See http://www.kb.cert.org/vuls/id/800113
// Upstream resolvers that recursive queries are sent to. The Debian
// template's all-0's placeholder has already been replaced here; without a
// "forward only;" statement named can still iterate from the root hints
// itself if the forwarders do not answer.
forwarders {
195.238.2.21;
195.238.2.22;
};
auth-nxdomain no; # conform to RFC1035
// IPv6 listening is left disabled.
//listen-on-v6 { any; };
// Access control: only the "internals" ACL defined in named.conf may
// recurse, query, or read the cache, so the server is not an open
// resolver for the outside world.
allow-recursion { internals; };
allow-query { internals; };
allow-query-cache { internals; };
};
/etc/bind/named.conf.local
//
// Do any local configuration here
//
// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
Files
~ # cd /etc/bind
bind # ls -l
total 60
-rw-r--r-- 1 root root 237 2009-12-20 21:21 db.0
-rw-r--r-- 1 root root 271 2009-12-20 21:21 db.127
-rw-r--r-- 1 root root 237 2009-12-20 21:21 db.255
-rw-r--r-- 1 root root 353 2009-12-20 21:21 db.empty
-rw-r--r-- 1 root root 270 2009-12-20 21:21 db.local
-rw-r--r-- 1 root root 2878 2009-12-20 21:21 db.root
-rw-r--r-- 1 root bind 1387 2010-03-13 19:03 named.conf
-rw-r--r-- 1 root bind 165 2010-03-13 19:03 named.conf.local
-rw-r--r-- 1 root bind 729 2010-03-13 19:03 named.conf.options
-rw-r--r-- 1 root bind 619 2010-03-13 19:05 pri.10.10.10.in-addr.arpa
-rw-r--r-- 1 root bind 719 2010-03-13 19:05 pri.30.10.10.in-addr.arpa
-rw-r--r-- 1 root bind 1090 2010-03-14 16:33 pri.michiels.nu
-rw-r--r-- 1 root bind 1290 2010-03-14 16:33 pri.middle-earth
-rw-r----- 1 bind bind 77 2010-03-13 19:02 rndc.key
-rw-r--r-- 1 root root 1317 2009-12-20 21:21 zones.rfc1918
/etc/bind/pri.michiels.nu
$TTL 86400
@ IN SOA ns1.afraid.org. root.michiels.nu. ( ; primary name server and admin mailbox (root@michiels.nu)
2007122801 ; serial, YYYYMMDDnn - increase it on every edit so secondaries notice the change
28800 ; refresh, seconds
7200 ; retry, seconds
604800 ; expire, seconds
86400 ) ; minimum, seconds (negative-caching TTL)
;
; Name servers for the zone; both NS records point at afraid.org hosts.
NS ns1.afraid.org. ;
NS ns2.afraid.org. ;
;
; Address records (zone apex first, then hosts relative to michiels.nu.)
michiels.nu. A 10.10.30.2
www A 10.10.30.2
minas-morgul A 10.10.30.4
; Alias into the middle-earth zone, which this same server is master for (see named.conf).
mines-of-moria CNAME moria.middle-earth.
;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;
Restart DNS Server
#/etc/init.d/bind restart
Troubleshooting
#less /var/log/syslog
#nslookup
#dig
#netstat -edapu | grep LISTEN