Differences

This shows you the differences between two versions of the page.

--- linux:bind [2006/08/21 16:17]
a Chrooted BIND9 in Debian
+++ linux:bind [2011/08/01 13:31]
193.164.137.40 [audit dns]
@@ Line 1: / Line 1: @@
 ====== BIND (is there anyting else?) ======
+==== DNSSEC ====
-**Speedup tips**
+To enable add to bind.named.options:\\
+dnssec-enable yes;\\
+dnssec-validation yes;\\
+dnssec-lookaside . trust-anchor dlv.isc.org.;\\
+include "/etc/bind/trusted.key";
+https://www.dns-oarc.net/files/odvr/configs/bind/trusted-keys.conf\\
+\\
+logging {\\
+...\\
+        category dnssec { null;};};\\
+==== Speedup tips ====
   > I have built a local DNS server bind (Debian Sarge).The DNS should
@@ Line 12: / Line 29: @@
   cache has been filled.
-===== Chrooting BIND9 in Sarge =====
+==== Letting bind/named query a specific DNS server for only one specific domain ====
-   apt-get install bind9
+Add to the file **''/etc/bind/named.conf.local''**:
-For security reasons we want to run BIND chrooted so we have to do the following steps:
+<code>
+zone "mydomain.com" {
+	type forward;
+	forward only;
+	forwarders { 192.168.0.2; 192.168.0.6; };
+};
+</code>
-   /etc/init.d/bind9 stop
+Of course you need to replace 'mydomain.com' as well as the 2 ip addresses in the 'forwarders'-line.
-Edit the file ''/etc/default/bind9'' so that the daemon will run as the unprivileged user 'bind', chrooted to /var/lib/named. Modify the line: ''OPTS="-u bind" so that it reads OPTS="-u bind -t /var/lib/named"'':
-   OPTIONS="-u bind -t /var/lib/named"
+==== Unsorted ====
-Create the necessary directories under ''/var/lib'':
-   mkdir -p /var/lib/named/etc
+host -t txt -c CHAOS version.bind localhost
-   mkdir /var/lib/named/dev
-   mkdir -p /var/lib/named/var/cache/bind
-   mkdir -p /var/lib/named/var/run/bind/run
-Then move the config directory from ''/etc'' to ''/var/lib/named/etc'':
+named - options {version "DNS daemon";};
-   mv /etc/bind /var/lib/named/etc
+host -t txt -c CHAOS hostname.bind localhost
-Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):
+gethostbyname()
-   ln -s /var/lib/named/etc/bind /etc/bind
-Make null and random devices, and fix permissions of the directories:
+==== audit dns ====
+<code>
+kernel: audit(1209076817.081:16): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/xxxxx.com.hosts.jnl" pid=16561 profile="/usr/sbin/named" namespace="default"
+</code>
-   mknod /var/lib/named/dev/null c 1 3
+So I had a look in:
-   mknod /var/lib/named/dev/random c 1 8
+''/etc/apparmor.d/usr.sbin.named''
-   chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
-   chown -R bind:bind /var/lib/named/var/*
-   chown -R bind:bind /var/lib/named/etc/bind
-We need to modify the startup script ''/etc/init.d/sysklogd'' of sysklogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: ''SYSLOGD="-a /var/lib/named/dev/log"'':
-   #! /bin/sh
-   # /etc/init.d/sysklogd: start the system log daemon.
-   PATH=/bin:/usr/bin:/sbin:/usr/sbin
-   pidfile=/var/run/syslogd.pid
-   binpath=/sbin/syslogd
-   test -x $binpath || exit 0
-   # Options for start/restart the daemons
-   #   For remote UDP logging use SYSLOGD="-r"
-   #
-   SYSLOGD="-a /var/lib/named/dev/log"
-   create_xconsole()
-   {
-       if [ ! -e /dev/xconsole ]; then
-           mknod -m 640 /dev/xconsole p
-       else
-           chmod 0640 /dev/xconsole
-       fi
-       chown root:adm /dev/xconsole
-   }
-   running()
-   {
-       # No pidfile, probably no daemon present
-       #
-       if [ ! -f $pidfile ]
-       then
-           return 1
-      fi
-       pid=`cat $pidfile`
-       # No pid, probably no daemon present
-       #
-       if [ -z "$pid" ]
-       then
-          return 1
-       fi
-       if [ ! -d /proc/$pid ]
-       then
-           return 1
-       fi
-       cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`
-       # No syslogd?
-       #
-       if [ "$cmd" != "$binpath" ]
-       then
-           return 1
-       fi
-       return 0
-   }
-   case "$1" in
-     start)
-       echo -n "Starting system log daemon: syslogd"
-       create_xconsole
-       start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
-       echo "."
-       ;;
-     stop)
-       echo -n "Stopping system log daemon: syslogd"
-       start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
-       echo "."
-      ;;
-    reload|force-reload)
-      echo -n "Reloading system log daemon: syslogd"
-      start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
-      echo "."
-      ;;
-    restart)
-      echo -n "Restarting system log daemon: syslogd"
-      start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
-      sleep 1
-      start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
-      echo "."
-      ;;
-    reload-or-restart)
-      if running
-      then
-          echo -n "Reloading system log daemon: syslogd"
-          start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
-      else
-           echo -n "Restarting system log daemon: syslogd"
-           start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
-      fi
-      echo "."
-    ;;
-    *)
-      echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
-      exit 1
-  esac
-  exit 0
-Restart the logging daemon:
+and changed this line:
+</code>
+/etc/bind/** r,
+</code>
-   /etc/init.d/sysklogd restart
+to this:
+<code>
+/etc/bind/** rw,
+</code>
-Start up BIND, and check ''/var/log/syslog'' for any errors:
+==== Fixing syntax highlighting in VIM ====
-   /etc/init.d/bind9 start
+**~/.vimrc**
+<code>
+" BIND zone
+au BufNewFile,BufRead */named/db.*,*/bind/master/*,*/bind/slave/*,*/bind/arpa/* call s:StarSetf('bindzone')
+" BIND configuration
+au BufNewFile,BufRead named.conf,rndc.conf,arpa.conf,named*,master.conf,slave.conf      setf named
+</code>