Differences

This shows you the differences between two versions of the page linux:bind. The earlier revision is linux:bind [2006/08/21 16:17] (a Chrooted BIND9 in Debian); the later revision is linux:bind [2015/08/12 14:06] by zagi. The content of the earlier revision is given first, followed by the content of the later revision.
====== BIND (is there anything else?) ======

===== Previous revision (2006/08/21 16:17): Chrooted BIND9 in Debian =====

**Speedup tips**

  > I have built a local DNS server, bind (Debian Sarge). The DNS should
  > accelerate DNS lookups by LAN clients.
  > But now, on the contrary, the local DNS is slower than the custom DNS of my
  > webhoster :-
  
  You should use BIND 9, disable lookups over IPv6 (OPTIONS="-u bind -4"
  in /etc/defaults/bind9), and you need to wait a bit until the local
  cache has been filled.

==== Chrooting BIND9 in Sarge ====

   apt-get install bind9

For security reasons we want to run BIND chrooted, so we have to do the following steps:

   /etc/init.d/bind9 stop

Edit the file ''/etc/default/bind9'' so that the daemon runs as the unprivileged user 'bind', chrooted to ''/var/lib/named''. Modify the line ''OPTIONS="-u bind"'' so that it reads:

   OPTIONS="-u bind -t /var/lib/named"

(''-u'' drops privileges after the sockets are bound, ''-t'' makes named chroot before it starts serving; both must be present.)

Create the necessary directories under ''/var/lib'':

   mkdir -p /var/lib/named/etc
   mkdir /var/lib/named/dev
   mkdir -p /var/lib/named/var/cache/bind
   mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from ''/etc'' to ''/var/lib/named/etc'':

   mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

   ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

   mknod /var/lib/named/dev/null c 1 3
   mknod /var/lib/named/dev/random c 1 8
   chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
   chown -R bind:bind /var/lib/named/var/*
   chown -R bind:bind /var/lib/named/etc/bind

Note that the last ''chown'' makes the configuration and zone files writable by the ''bind'' user, so a compromised named can rewrite its own configuration. ''root:bind'' ownership with group read access is enough for named to read its configuration; only directories that hold dynamic zones need to be writable by ''bind''.

Inside the chroot named cannot reach ''/dev/log'', so we need to modify the startup script ''/etc/init.d/sysklogd'' of sysklogd to make syslogd listen on a second socket inside the chroot; otherwise nothing from named reaches the system logs. Modify the line ''SYSLOGD=""'' so that it reads ''SYSLOGD="-a /var/lib/named/dev/log"'':

   #! /bin/sh
   # /etc/init.d/sysklogd: start the system log daemon.
   
   PATH=/bin:/usr/bin:/sbin:/usr/sbin
   
   pidfile=/var/run/syslogd.pid
   binpath=/sbin/syslogd
   
   test -x $binpath || exit 0
   
   # Options for start/restart the daemons
   #   For remote UDP logging use SYSLOGD="-r"
   #
   # -a adds a second log socket inside the BIND chroot
   SYSLOGD="-a /var/lib/named/dev/log"
   
   create_xconsole()
   {
       if [ ! -e /dev/xconsole ]; then
           mknod -m 640 /dev/xconsole p
       else
           chmod 0640 /dev/xconsole
       fi
       chown root:adm /dev/xconsole
   }
   
   running()
   {
       # No pidfile, probably no daemon present
       #
       if [ ! -f $pidfile ]
       then
           return 1
       fi
   
       pid=`cat $pidfile`
   
       # No pid, probably no daemon present
       #
       if [ -z "$pid" ]
       then
           return 1
       fi
   
       if [ ! -d /proc/$pid ]
       then
           return 1
       fi
   
       cmd=`cat /proc/$pid/cmdline | tr "\000" "\n"|head -n 1`
   
       # No syslogd?
       #
       if [ "$cmd" != "$binpath" ]
       then
           return 1
       fi
   
       return 0
   }
   
   case "$1" in
     start)
       echo -n "Starting system log daemon: syslogd"
       create_xconsole
       start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
       echo "."
       ;;
     stop)
       echo -n "Stopping system log daemon: syslogd"
       start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
       echo "."
       ;;
     reload|force-reload)
       echo -n "Reloading system log daemon: syslogd"
       start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
       echo "."
       ;;
     restart)
       echo -n "Restarting system log daemon: syslogd"
       start-stop-daemon --stop --quiet --exec $binpath --pidfile $pidfile
       sleep 1
       start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
       echo "."
       ;;
     reload-or-restart)
       if running
       then
           echo -n "Reloading system log daemon: syslogd"
           start-stop-daemon --stop --quiet --signal 1 --exec $binpath --pidfile $pidfile
       else
           echo -n "Restarting system log daemon: syslogd"
           start-stop-daemon --start --quiet --exec $binpath -- $SYSLOGD
       fi
       echo "."
       ;;
     *)
       echo "Usage: /etc/init.d/sysklogd {start|stop|reload|restart|force-reload|reload-or-restart}"
       exit 1
   esac
   
   exit 0

Restart the logging daemon:

   /etc/init.d/sysklogd restart

Start up BIND, and check ''/var/log/syslog'' for any errors:

   /etc/init.d/bind9 start

===== Current revision (2015/08/12 14:06) =====

==== DNSSEC ====

Generate a ZSK and a KSK for the zone (''domena.org'' here):

  dnssec-keygen -a 8 -b 2048 -n ZONE domena.org
  dnssec-keygen -f KSK -a 8 -b 4096 -n ZONE domena.org

Use the same algorithm for both keys (8 is RSASHA256). RFC 4035 requires every RRset to be signed with each algorithm present in the apex DNSKEY RRset, so a KSK and a ZSK of different algorithms leave one algorithm without signatures and validators may treat the zone as bogus.

Copy the generated ''K*.key'' and ''K*.private'' files to ''/etc/bind/keys/domena.org'' (the key directory configured below).

If you put your keys in ''/etc/bind/keys'', do not forget about permissions and AppArmor: the ''.private'' files must be readable by the ''bind'' user (and by nobody else), and the ''usr.sbin.named'' profile must allow named to read them. A denial shows up as an AppArmor audit line like the one in the audit section below.

Put this in the zone statement for domena.org:

  inline-signing yes;
  auto-dnssec maintain;
  key-directory "/etc/bind/keys/domena.org";
  sig-validity-interval 3;  // in days; default is 30

With ''inline-signing'' named leaves the unsigned zone file alone and writes the signed copy and its journal next to it, so the directory holding the zone file must be writable by named (on Debian that is ''/var/lib/bind'', not ''/etc/bind''). ''auto-dnssec maintain'' makes named pick up keys from the key directory and re-sign before signatures expire; with a 3-day validity a re-signing failure makes the zone bogus within days, so monitor it.

Use ''dnssec-dsfromkey'' to create the DS records from the **KSK files** (''-2'' selects the SHA-256 digest):

  dnssec-dsfromkey -2 /etc/bind/keys/domena.org/Kdomena.org.+008+<keyid>.key

To enable validation on a resolver, add to ''/etc/bind/named.conf.options'':

  dnssec-validation auto;
  dnssec-enable yes;
  dnssec-lookaside auto;

''dnssec-validation auto;'' is the line that matters: it turns on validation with the root trust anchor built into named, which named keeps current itself (RFC 5011). ''dnssec-enable yes;'' is the default. ''dnssec-lookaside auto;'' enabled DLV through ISC's dlv.isc.org registry, which ISC has shut down; leave it out, current BIND versions ignore or reject it.

Add the DS records at your domain registrar!

Check your domain with http://dnsviz.net/

DNS-OARC's ODVR sample trust-anchor configuration for BIND, if you prefer a static ''trusted-keys'' statement over the built-in managed keys (static keys do not follow root key rollovers, so you have to update them yourself):
https://www.dns-oarc.net/files/odvr/configs/bind/trusted-keys.conf

To silence DNSSEC log messages:

  logging {
  ...
          category dnssec { null; };
  };

Sending ''category dnssec'' to ''null'' also hides validation failures, which are the first sign of a broken key rollover or an expired signature; log the category to its own file channel instead unless the volume is really a problem.


==== Letting bind/named query a specific DNS server for only one specific domain ====

Add to the file **''/etc/bind/named.conf.local''**:

<code>
zone "mydomain.com" {
 type forward;
 forward only;
 forwarders { 192.168.0.2; 192.168.0.6; };
};
</code>

Of course you need to replace ''mydomain.com'' as well as the two IP addresses in the ''forwarders'' line. ''forward only'' means named never recurses on its own for that zone; with ''forward first'' it asks the forwarders and falls back to normal recursion when they do not answer. If this resolver validates (''dnssec-validation auto'' above), make sure the forwarded zone validates as well: an unsigned internal zone whose name does not exist in the signed public tree fails validation, and current BIND versions offer ''validate-except'' for exactly this case.
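A check for the chrooting procedure in the previous revision above, added here as an example; it is not part of the page and not Debian's packaging. The script audits a chroot built that way: the directory tree, the ''null'' and ''random'' character devices with the major/minor numbers the ''mknod'' lines create, ownership of ''etc/bind'' and ''var'' by the ''bind'' user, the ''/etc/bind'' symlink, and the ''-u bind -t'' options in ''/etc/default/bind9''. The chroot path ''/var/lib/named'' and the ''bind'' user name are the page's; everything else (function names, the finding strings) is this example's own.

```python
"""Audit a BIND chroot built as described above (added example, not the page's code)."""
import os
import stat

# directories the procedure creates, relative to the chroot root
REQUIRED_DIRS = ("etc/bind", "dev", "var/cache/bind", "var/run/bind/run")
# (path inside the chroot, major, minor) as created by the mknod lines
REQUIRED_DEVICES = (("dev/null", 1, 3), ("dev/random", 1, 8))


def parse_options_line(text):
    """Return the value of the OPTIONS= assignment in /etc/default/bind9, or None."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("OPTIONS="):
            return line[len("OPTIONS="):].strip().strip('"')
    return None


def audit_chroot(chroot, bind_uid, defaults_text, etc_bind="/etc/bind"):
    """Return a list of findings; an empty list means the chroot looks as expected."""
    findings = []
    for rel in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(chroot, rel)):
            findings.append("missing directory %s" % rel)
    for rel, major, minor in REQUIRED_DEVICES:
        path = os.path.join(chroot, rel)
        try:
            st = os.stat(path)
        except OSError:
            findings.append("missing device %s" % rel)
            continue
        if not stat.S_ISCHR(st.st_mode):
            findings.append("%s is not a character device" % rel)
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            findings.append("%s has wrong major/minor" % rel)
        elif stat.S_IMODE(st.st_mode) & 0o666 != 0o666:
            findings.append("%s is not mode 666" % rel)
    # everything named reads or writes must belong to the bind user (the chown -R lines)
    for rel in ("etc/bind", "var"):
        for dirpath, _dirnames, filenames in os.walk(os.path.join(chroot, rel)):
            for name in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                try:
                    if os.lstat(name).st_uid != bind_uid:
                        findings.append("%s not owned by bind" % os.path.relpath(name, chroot))
                except OSError:
                    pass
    # /etc/bind must be the symlink into the chroot, not a real directory left behind
    target = os.path.join(chroot, "etc/bind")
    if not os.path.islink(etc_bind) or os.path.realpath(etc_bind) != os.path.realpath(target):
        findings.append("%s is not a symlink to %s" % (etc_bind, target))
    opts = parse_options_line(defaults_text)
    if opts is None or "-t %s" % chroot not in opts:
        findings.append("OPTIONS in /etc/default/bind9 does not contain -t %s" % chroot)
    if opts is None or "-u bind" not in opts:
        findings.append("OPTIONS in /etc/default/bind9 does not drop privileges with -u bind")
    return findings


if __name__ == "__main__":
    import pwd
    with open("/etc/default/bind9") as f:
        text = f.read()
    for finding in audit_chroot("/var/lib/named", pwd.getpwnam("bind").pw_uid, text):
        print(finding)
```

Run it as root on the finished chroot; no output means every item the procedure creates is in place. The device checks need root to create the nodes but not to read them, so the script is also usable from a monitoring job.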
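For the DNSSEC section above, an added example that is not part of the page and not BIND's code: it reproduces what ''dnssec-dsfromkey'' does with a KSK (key tag per RFC 4034 Appendix B, then the DS digest over the owner name in wire format followed by the DNSKEY RDATA) and checks the algorithm rule from the text, that every algorithm at the apex needs both a KSK and a ZSK. The zone name ''domena.org'' is the page's; the key material in the ''__main__'' block is constructed for the example and is not a real key, and the function names are this example's own.

```python
"""DS records and key-set consistency for the DNSSEC setup above (added example)."""
import base64
import hashlib
import struct


def name_to_wire(name):
    """Owner name in DNS wire format, lower-cased (canonical form used for the DS digest)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(struct.pack("B", len(l)) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, pubkey):
    """RDATA of a DNSKEY record: flags, protocol (always 3), algorithm, public key bytes."""
    return struct.pack("!HBB", flags, protocol, algorithm) + pubkey


def key_tag(rdata):
    """Key tag as in RFC 4034 Appendix B (for every algorithm except the obsolete RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, rdata, digest_type=2):
    """Presentation form of the DS record for the DNSKEY given as RDATA (type 2 = SHA-256)."""
    hashers = {1: hashlib.sha1, 2: hashlib.sha256, 4: hashlib.sha384}
    digest = hashers[digest_type](name_to_wire(owner) + rdata).hexdigest().upper()
    algorithm = rdata[3]
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), algorithm, digest_type, digest)


def parse_key_line(line):
    """Parse the DNSKEY line of a K*.key file: 'name [ttl] IN DNSKEY flags proto alg base64...'."""
    fields = line.split()
    idx = fields.index("DNSKEY")
    flags, protocol, algorithm = (int(x) for x in fields[idx + 1:idx + 4])
    pubkey = base64.b64decode("".join(fields[idx + 4:]))
    return fields[0], dnskey_rdata(flags, protocol, algorithm, pubkey)


def algorithm_gaps(keys):
    """Algorithms that have only a KSK or only a ZSK in the key set.

    keys is a list of (flags, algorithm); flags 257 (SEP bit set) is a KSK, 256 a ZSK.
    RFC 4035 section 2.2 requires every RRset to be signed by each algorithm in the apex
    DNSKEY RRset, so any algorithm listed here leaves the zone bogus for strict validators.
    """
    ksk = {alg for flags, alg in keys if flags & 1}
    zsk = {alg for flags, alg in keys if not flags & 1}
    return sorted(ksk ^ zsk)


if __name__ == "__main__":
    # constructed example key (4 bytes of "public key"); real K*.key files come from dnssec-keygen
    owner, rdata = parse_key_line("domena.org. IN DNSKEY 257 3 8 AAECAw==")
    print(ds_record(owner, rdata))
    # the mixed-algorithm mistake (KSK alg 8, ZSK alg 7) is reported as a gap
    print("algorithm gaps:", algorithm_gaps([(257, 8), (256, 7)]))
```

Feed ''parse_key_line'' the DNSKEY line of the KSK's ''.key'' file and compare the output with ''dnssec-dsfromkey -2'' before you hand the DS record to the registrar; run ''algorithm_gaps'' over all ''K*.key'' files in the key directory before enabling ''auto-dnssec maintain''.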
==== Unsorted ====

Ask the server which version it runs (a CHAOS-class TXT query for ''version.bind''; BIND answers it by default):

  host -t txt -c CHAOS version.bind localhost

Mask it by setting a fixed string in the ''options'' block of ''named.conf'':

  options { version "DNS daemon"; };

The server's name leaks the same way through ''hostname.bind'' and is masked with the ''hostname'' option:

  host -t txt -c CHAOS hostname.bind localhost

gethostbyname()

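What the ''host -t txt -c CHAOS version.bind'' query above looks like on the wire, as an added example that is not part of the page: it builds the query packet, decodes a TXT answer, and can send the query over UDP. The response bytes in ''constructed_response()'' are built by hand for the example (they carry the string "DNS daemon" from the ''version'' option above), not captured from a real server; the function names are this example's own.

```python
"""Wire-level CHAOS version.bind query and answer decoding (added example)."""
import socket
import struct

CLASS_CH = 3
TYPE_TXT = 16


def encode_name(name):
    """Owner name as DNS labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += struct.pack("B", len(label)) + label.encode("ascii")
    return out + b"\x00"


def build_query(qname, qid=0x1234, qtype=TYPE_TXT, qclass=CLASS_CH):
    """Header with no flags set (a plain, non-recursive query) plus one question."""
    header = struct.pack("!HHHHHH", qid, 0, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, qclass)


def skip_name(msg, offset):
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_txt_answers(msg, qid=None):
    """Return the CHAOS TXT strings from the answer section of a DNS response."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if qid is not None and rid != qid:
        raise ValueError("response id does not match the query")
    if flags & 0x000F:            # non-zero RCODE, e.g. REFUSED when the query is restricted
        raise ValueError("server returned rcode %d" % (flags & 0x000F))
    offset = 12
    for _ in range(qd):
        offset = skip_name(msg, offset) + 4      # skip qtype and qclass
    texts = []
    for _ in range(an):
        offset = skip_name(msg, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == TYPE_TXT and rclass == CLASS_CH:
            pos = 0
            while pos < len(rdata):            # TXT RDATA is a sequence of <len><chars>
                n = rdata[pos]
                texts.append(rdata[pos + 1:pos + 1 + n].decode("latin-1"))
                pos += 1 + n
    return texts


def send_chaos_query(server, qname="version.bind", port=53, timeout=2.0):
    """Real UDP round trip against a server; not used by the constructed example below."""
    query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, port))
        data, _ = s.recvfrom(512)
    return parse_txt_answers(data, qid=0x1234)


def constructed_response():
    """A response an unmasked server might give, built by hand for this example."""
    txt = b"\x0aDNS daemon"
    answer = (b"\xc0\x0c"                       # pointer back to the question name
              + struct.pack("!HHIH", TYPE_TXT, CLASS_CH, 0, len(txt)) + txt)
    header = struct.pack("!HHHHHH", 0x1234, 0x8400, 1, 1, 0, 0)   # QR and AA set, one answer
    return header + encode_name("version.bind") + struct.pack("!HH", TYPE_TXT, CLASS_CH) + answer


if __name__ == "__main__":
    print(parse_txt_answers(constructed_response(), qid=0x1234))
    # against a running server: print(send_chaos_query("127.0.0.1"))
```

''send_chaos_query("127.0.0.1")'' gives the same answer as the ''host'' command; after setting ''version'' in ''named.conf'' it returns the masked string, and with ''version none'' the call raises on the non-zero RCODE.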
==== audit dns ====

named could not create the journal of a dynamic zone kept under ''/etc/bind'', and AppArmor logged the denial:
<code>
kernel: audit(1209076817.081:16): type=1503 operation="inode_create" requested_mask="w::" denied_mask="w::" name="/etc/bind/xxxxx.com.hosts.jnl" pid=16561 profile="/usr/sbin/named" namespace="default"
</code>

So I had a look in:
''/etc/apparmor.d/usr.sbin.named''

and changed this line:
<code>
/etc/bind/** r,
</code>

to this:
<code>
/etc/bind/** rw,
</code>

Reload the profile afterwards with ''apparmor_parser -r /etc/apparmor.d/usr.sbin.named''. This grants named write access to its whole configuration tree; the narrower fix is to keep dynamic (and inline-signed) zones under ''/var/lib/bind'', which the Debian profile already lets named write, and leave ''/etc/bind'' read-only.

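To turn denials like the one above into the rule they actually need, an added example that is not part of the page: it parses the ''key="value"'' fields of AppArmor audit lines, keeps the ones for the named profile, and proposes one rule per denied path and mask instead of opening ''/etc/bind/** rw''. Writes under ''/etc/bind'' are flagged separately with the ''/var/lib/bind'' advice from the text. The first sample line is the page's own; the other two are constructed for the example (the key file name and pid are made up), and the function names are this example's own. Execute denials (mask ''x'') need an ''ix''/''px'' qualifier that this example does not generate.

```python
"""Propose minimal AppArmor rules from named denials (added example)."""
import re

# key=value or key="value" fields of an AppArmor audit line
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
NAMED_PROFILE = "/usr/sbin/named"


def parse_audit_line(line):
    """Return a dict of the key=value fields in one AppArmor audit line."""
    fields = {}
    for m in FIELD_RE.finditer(line):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields


def denial_mask(fields):
    """AppArmor writes masks like 'w::' (old format) or 'w'; keep the permission letters only."""
    return "".join(ch for ch in fields.get("denied_mask", "") if ch.isalpha())


def suggest_rules(lines, profile=NAMED_PROFILE):
    """Return (rules, notes): one 'path mask,' rule per denied path/mask for the profile."""
    rules = []
    notes = []
    seen = set()
    for line in lines:
        f = parse_audit_line(line)
        if f.get("profile") != profile or not denial_mask(f) or "name" not in f:
            continue
        key = (f["name"], denial_mask(f))
        if key in seen:
            continue
        seen.add(key)
        rules.append("%s %s," % key)
        if f["name"].startswith("/etc/bind/") and "w" in key[1]:
            notes.append("%s: named wants to write under /etc/bind; keep dynamic or "
                         "inline-signed zones in /var/lib/bind instead of widening the profile"
                         % f["name"])
    return rules, notes


SAMPLE_LINES = [
    # the denial shown on the page
    'kernel: audit(1209076817.081:16): type=1503 operation="inode_create" requested_mask="w::" '
    'denied_mask="w::" name="/etc/bind/xxxxx.com.hosts.jnl" pid=16561 profile="/usr/sbin/named" '
    'namespace="default"',
    # constructed: a DNSSEC private key that named is not allowed to read
    'kernel: audit(1209076817.082:17): type=1503 operation="open" requested_mask="r::" '
    'denied_mask="r::" name="/etc/bind/keys/domena.org/Kdomena.org.+008+12345.private" '
    'pid=16561 profile="/usr/sbin/named" namespace="default"',
    # constructed: a denial for another profile, which must be ignored
    'kernel: audit(1209076817.083:18): type=1503 operation="open" requested_mask="r::" '
    'denied_mask="r::" name="/etc/shadow" pid=999 profile="/usr/sbin/other" namespace="default"',
]

if __name__ == "__main__":
    rules, notes = suggest_rules(SAMPLE_LINES)
    print("\n".join(rules))
    print("\n".join(notes))
```

Pipe ''grep apparmor /var/log/kern.log'' (or ''journalctl -k'') into ''suggest_rules'' and paste the rules into ''usr.sbin.named'' before ''apparmor_parser -r''; the notes tell you when moving the zone is the better fix than a new rule.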
==== Fixing syntax highlighting in VIM ====

**~/.vimrc**
<code>
" BIND zone
" setf is used here because s:StarSetf() is private to Vim's own filetype.vim
" and is not callable from ~/.vimrc
au BufNewFile,BufRead */named/db.*,*/bind/master/*,*/bind/slave/*,*/bind/arpa/* setf bindzone
" BIND configuration
au BufNewFile,BufRead named.conf,rndc.conf,arpa.conf,named*,master.conf,slave.conf      setf named
</code>
  
linux/bind.txt · Last modified: 2015/08/12 14:46 by zagi
CC Attribution-Share Alike 4.0 International