
BIND


Presentation Transcript


  1. BIND THE DNS SERVER TO USE !

  2. DNS
     • Domain Name Services
     • Name to IP resolving
     • /etc/hosts
     • /etc/resolv.conf

  3. Why Bind ?
     Berkeley Internet Name Daemon
     • Because it's in the book ...
     • It's the best ...
     • It's incorporated by superior appliance vendors
     • Robust

  4. TLD & ROOT Servers
     .be .com .org .nu .nl .net ...

  5. Types of DNS records
     A, AAAA, MX, CNAME, PTR, ...

  6. Begin installation ...
     Take a fresh copy of your Debian server.
     Remove unnecessary services:
       # apt-get remove lpr nfs-common portmap pidentd pcmcia-cs pppoe pppoeconf ppp pppconfig

  7. Snip INETD services
       # update-inetd --remove daytime
       # update-inetd --remove telnet
       # update-inetd --remove time
       # update-inetd --remove finger
       # update-inetd --remove talk
       # update-inetd --remove ntalk
       # update-inetd --remove ftp
       # update-inetd --remove discard
       # /etc/init.d/inetd reload

  8. Install Bind9
       # apt-get update && apt-get upgrade
       # apt-get install bind9
       Setting up bind9 (9.2.4-1)
       Adding group `bind' (104)
       Done.
       Adding system user `bind'
       Adding new user `bind' (104) with group `bind'.
       Not creating home directory.
       Starting domain name service: named.

  9. A local DNS server's purpose !
     • Caching
     • Forwarding
     • Resolve local domain(s) - records

  10. CHROOT environment
     Security !!!
     • Separate directory
     • System in a system

  11. Setup CHROOT for BIND
       # /etc/init.d/bind9 stop
     Next, edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Change the line
       OPTIONS="-u bind"
     so that it reads:
       OPTIONS="-u bind -t /var/lib/named"

  12. Complete Chroot environment (1)
     To provide a complete environment for running BIND, create the necessary directories under /var/lib:
       # mkdir -p /var/lib/named/etc
       # mkdir /var/lib/named/dev
       # mkdir -p /var/lib/named/var/cache/bind
       # mkdir -p /var/lib/named/var/run/bind/run
     Then move the config directory from /etc to /var/lib/named/etc:
       # mv /etc/bind /var/lib/named/etc
     Now create a symbolic link to the new config directory from the old location, to avoid problems when BIND is upgraded in the future:
       # ln -s /var/lib/named/etc/bind /etc/bind
     Make null and random devices for use by BIND, and fix the directory permissions:
       # mknod /var/lib/named/dev/null c 1 3
       # mknod /var/lib/named/dev/random c 1 8

  13. Complete Chroot environment (2)
     Then change the permissions and ownership of the files:
       # chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
       # chown -R bind:bind /var/lib/named/var/*
       # chown -R bind:bind /var/lib/named/etc/bind
     You'll also need to change the startup script /etc/init.d/sysklogd (!!!) so that you can still see messages in the system logs. Change the line:
       SYSLOGD=""
     so that it reads:
       SYSLOGD="-a /var/lib/named/dev/log"
     Now restart the logging process and start BIND with the commands:
       # /etc/init.d/sysklogd restart
       # /etc/init.d/bind9 start
     Check /var/log/syslog for any errors. You can page through the file using:
       # less /var/log/syslog
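As an added example that is not part of the slides, the shell function below audits the chroot built in steps 11 to 13 and prints one line per deviation: the OPTIONS line, the directory skeleton, the /etc/bind symlink, the null/random devices, the syslog socket and the bind:bind ownership. The function name is mine, and it assumes coreutils stat and readlink; the second argument is only a prefix for /etc so the check can run against a test copy.

```shell
# Added example (not from the slides): audit the chroot built in steps 11-13.
# Arguments: chroot dir (slides: /var/lib/named) and an optional prefix for the
# host's /etc (empty on a live system, used only to test against a copy).
# Prints one line per problem and returns the number of problems found.
check_bind_chroot() {
    root="${1:-/var/lib/named}"; sysroot="${2:-}"; n=0
    fail() { echo "FAIL: $*"; n=$((n + 1)); }

    # Step 11: named must drop to user bind and chroot into $root.
    defaults="$sysroot/etc/default/bind9"
    if ! grep -q -- '-u bind' "$defaults" 2>/dev/null || \
       ! grep -qF -- "-t $root" "$defaults" 2>/dev/null; then
        fail "$defaults: OPTIONS must contain \"-u bind -t $root\""
    fi

    # Step 12: directory skeleton plus the /etc/bind symlink that keeps upgrades working.
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || fail "missing directory $root/$d"
    done
    [ "$(readlink "$sysroot/etc/bind" 2>/dev/null)" = "$root/etc/bind" ] \
        || fail "$sysroot/etc/bind is not a symlink to $root/etc/bind"

    # Steps 12/13: null and random devices, mode 666 (named cannot see the real /dev).
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            fail "$root/dev/$dev is not a character device (mknod c 1 3 / c 1 8)"
        elif [ "$(stat -c %a "$root/dev/$dev")" != 666 ]; then
            fail "$root/dev/$dev should be mode 666"
        fi
    done

    # Step 13: without "syslogd -a $root/dev/log" named's messages never reach syslog.
    [ -S "$root/dev/log" ] || fail "$root/dev/log missing: restart sysklogd with -a $root/dev/log"

    # Step 13: config and state inside the jail must be owned by bind:bind.
    for p in etc/bind var/cache/bind var/run/bind; do
        [ "$(stat -c %U:%G "$root/$p" 2>/dev/null)" = "bind:bind" ] \
            || fail "$root/$p should be owned by bind:bind"
    done
    return "$n"
}

# Audit the live system (or a test copy when a chroot dir and /etc prefix are given).
check_bind_chroot "$@" || echo "$? problem(s) found"
```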

  14. /etc/bind/named.conf
     // This is the primary configuration file for the BIND DNS server named.
     //
     // Please read /usr/share/doc/bind9/README.Debian.gz for information on the
     // structure of BIND configuration files in Debian, *BEFORE* you customize
     // this configuration file.
     //
     // If you are just adding zones, please do that in /etc/bind/named.conf.local

     acl internals {
         127.0.0.0/8;
         10.10.10.0/24;
         10.10.30.0/24;
     };

     include "/etc/bind/named.conf.options";

     // prime the server with knowledge of the root servers
     zone "." {
         type hint;
         file "/etc/bind/db.root";
     };

     // be authoritative for the localhost forward and reverse zones, and for
     // broadcast zones as per RFC 1912
     zone "localhost" {
         type master;
         file "/etc/bind/db.local";
     };

     zone "127.in-addr.arpa" {
         type master;
         file "/etc/bind/db.127";
     };

     zone "0.in-addr.arpa" {
         type master;
         file "/etc/bind/db.0";
     };

     zone "255.in-addr.arpa" {
         type master;
         file "/etc/bind/db.255";
     };

     zone "30.10.10.in-addr.arpa" {
         type master;
         file "/etc/bind/pri.30.10.10.in-addr.arpa";
     };

     zone "10.10.10.in-addr.arpa" {
         type master;
         file "/etc/bind/pri.10.10.10.in-addr.arpa";
     };

     zone "middle-earth" {
         type master;
         file "/etc/bind/pri.middle-earth";
     };

     zone "michiels.nu" {
         type master;
         file "/etc/bind/pri.michiels.nu";
     };

     include "/etc/bind/named.conf.local";

  15. /etc/bind/named.conf.options
     options {
         directory "/var/cache/bind";

         // If there is a firewall between you and nameservers you want
         // to talk to, you may need to fix the firewall to allow multiple
         // ports to talk. See http://www.kb.cert.org/vuls/id/800113

         // If your ISP provided one or more IP addresses for stable
         // nameservers, you probably want to use them as forwarders.
         // Uncomment the following block, and insert the addresses replacing
         // the all-0's placeholder.

         forwarders {
             195.238.2.21;
             195.238.2.22;
         };

         auth-nxdomain no;    # conform to RFC1035
         //listen-on-v6 { any; };

         allow-recursion { internals; };
         allow-query { internals; };
         allow-query-cache { internals; };
     };

  16. /etc/bind/named.conf.local
     //
     // Do any local configuration here
     //

     // Consider adding the 1918 zones here, if they are not used in your
     // organization
     //include "/etc/bind/zones.rfc1918";

  17. Files
     ~ # cd /etc/bind
     bind # ls -l
     total 60
     -rw-r--r-- 1 root root  237 2009-12-20 21:21 db.0
     -rw-r--r-- 1 root root  271 2009-12-20 21:21 db.127
     -rw-r--r-- 1 root root  237 2009-12-20 21:21 db.255
     -rw-r--r-- 1 root root  353 2009-12-20 21:21 db.empty
     -rw-r--r-- 1 root root  270 2009-12-20 21:21 db.local
     -rw-r--r-- 1 root root 2878 2009-12-20 21:21 db.root
     -rw-r--r-- 1 root bind 1387 2010-03-13 19:03 named.conf
     -rw-r--r-- 1 root bind  165 2010-03-13 19:03 named.conf.local
     -rw-r--r-- 1 root bind  729 2010-03-13 19:03 named.conf.options
     -rw-r--r-- 1 root bind  619 2010-03-13 19:05 pri.10.10.10.in-addr.arpa
     -rw-r--r-- 1 root bind  719 2010-03-13 19:05 pri.30.10.10.in-addr.arpa
     -rw-r--r-- 1 root bind 1090 2010-03-14 16:33 pri.michiels.nu
     -rw-r--r-- 1 root bind 1290 2010-03-14 16:33 pri.middle-earth
     -rw-r----- 1 bind bind   77 2010-03-13 19:02 rndc.key
     -rw-r--r-- 1 root root 1317 2009-12-20 21:21 zones.rfc1918

  18. /etc/bind/pri.michiels.nu
     $TTL 86400
     @ IN SOA ns1.afraid.org. root.michiels.nu. (
             2007122801 ; serial, todays date + todays serial #
             28800      ; refresh, seconds
             7200       ; retry, seconds
             604800     ; expire, seconds
             86400 )    ; minimum, seconds
     ; NS ns1.afraid.org.
     ; NS ns2.afraid.org.
     ;
     ;
     michiels.nu.    A      10.10.30.2
     www             A      10.10.30.2
     minas-morgul    A      10.10.30.4
     mines-of-moria  CNAME  moria.middle-earth.
     ;;;; MAKE MANUAL ENTRIES BELOW THIS LINE! ;;;;
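As an added example that is not part of the slides, the function below is a pre-flight check for a zone file laid out like slide 18, run before the restart on slide 19. It reads the SOA serial (the slide's YYYYMMDDnn convention), counts uncommented NS records at the apex, and rejects an owner that carries a CNAME next to other records. Note that the slide's NS lines are commented out: named refuses to load a zone with no NS record at its apex, and the check reports exactly that on the constructed sample. The function and sample names are mine; it assumes a POSIX awk.

```shell
# Added example (not from the slides): pre-flight check of a zone file laid out like
# slide 18, to run before "/etc/init.d/bind9 restart". Reports the SOA serial
# (expects YYYYMMDDnn), fails if no uncommented NS exists at the apex (named refuses
# to load such a zone) or an owner mixes CNAME with other records. check_zone FILE ORIGIN
check_zone() {
    awk -v origin="$2" '
        { sub(/;.*/, ""); type = "" }                 # strip ; comments
        /^[ \t]*$/ || $1 == "$TTL" { next }           # skip blanks and $TTL
        /[ \t]SOA[ \t]/ { owner = $1; soa = 1; in_soa = ($0 ~ /\(/ && $0 !~ /\)/) }
        soa || in_soa {                               # SOA line and its ( ... ) body
            for (i = 1; i <= NF; i++) if (serial == "" && $i ~ /^[0-9]+$/) serial = $i
            if ($0 ~ /\)/) in_soa = 0; soa = 0; next
        }
        {
            if ($0 ~ /^[^ \t]/) owner = $1            # leading blank = same owner
            if (owner == "@") owner = origin
            for (i = 1; i <= NF; i++)
                if ($i ~ /^(A|AAAA|NS|MX|CNAME|PTR|TXT)$/) { type = $i; break }
            if (type == "") next
            if (type == "NS" && owner == origin) apexns++
            if (type == "CNAME") cname[owner]++; else other[owner]++
        }
        END {
            n = 0; if (serial == "") { print "FAIL: no SOA serial"; n++ }
            else if (serial !~ /^20[0-9][0-9][01][0-9][0-3][0-9][0-9][0-9]$/) { print "WARN: serial " serial " is not YYYYMMDDnn"; n++ }
            else print "OK: SOA serial " serial
            if (!apexns) { print "FAIL: no uncommented NS record for " origin " (named will refuse to load the zone)"; n++ }
            for (o in cname) if (other[o]) { print "FAIL: " o " mixes CNAME with other records"; n++ }
            exit n
        }' "$1"
}

# Constructed sample mirroring slide 18 (NS lines commented out, as on the slide).
sample_zone() {
    cat <<'EOF'
$TTL 86400
@ IN SOA ns1.afraid.org. root.michiels.nu. (
        2007122801 ; serial, todays date + todays serial #
        28800 7200 604800 86400 ) ; refresh retry expire minimum
; NS ns1.afraid.org.
; NS ns2.afraid.org.
michiels.nu. A 10.10.30.2
www A 10.10.30.2
mines-of-moria CNAME moria.middle-earth.
EOF
}
f=$(mktemp); sample_zone > "$f"
check_zone "$f" michiels.nu. || echo "$? problem(s) found"
```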

  19. Restart DNS Server
       # /etc/init.d/bind9 restart

  20. Troubleshooting
       # less /var/log/syslog
       # nslookup
       # dig
       # netstat -edapu | grep LISTEN
