BIND

From Segfault

Installation

  • Get the latest ISC BIND tarball
  • Get the latest DLZ patch from SourceForge. NOTE: DLZ has been included in ISC BIND since 9.4.0.
wget https://ftp.isc.org/isc/bind9/9.12.0/bind-9.12.0.tar.gz{,.sha512.asc}
gpg --keyserver pgp.mit.edu --recv-keys 0xF1B11BF05CF02E57
gpg --verify bind*.tar.gz.sha512.asc bind*tar.gz

gzip -dc bind*.tar.gz | tar -xf -
cd bind*/
 
./configure --prefix=/opt/bind --localstatedir=/var/run/named/ --enable-threads --with-dlz-mysql --with-openssl
make
sudo make install

groupadd bind
useradd -g bind -s /bin/false -d /var/run/named bind
mkdir -m0750 -p /var/run/named /var/log/named
chown -R bind:bind /var/run/named /var/log/named
echo 'OPTIONS="-u bind -c /etc/bind/named.conf"' > /etc/default/named

Configuration

Configuration of BIND is rather complex; a basic configuration might look like this:

named.conf

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

named.conf.options

options {
       directory "/var/cache/bind";
       listen-on { 127.0.0.1; 123.0.0.2; };
       listen-on-v6 { any; };
};

named.conf.local

include "/etc/bind/zones.rfc1918";

zone "example.org" IN {
       type master;
       file "/etc/bind/db.example";
};

zone "0.0.123.in-addr.arpa" IN {
       type master;
       notify yes;
       file "/etc/bind/db.123.0.0";
};

db.example

$TTL    604800
@       IN      SOA     ns1.example.org. root.example.org. (
                        2014031001     ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL

@               IN      NS      ns1.example.org.
@               IN      NS      ns2.example.org.
ns1             IN      A       123.0.0.1
ns2             IN      A       123.0.0.2
www             IN      CNAME   example.org.
example.org.    IN      A       123.0.0.3

db.123.0.0

$TTL    604800
@       IN      SOA     ns1.example.org. root.example.org. (
                        2014031001     ; Serial
                        604800         ; Refresh
                         86400         ; Retry
                       2419200         ; Expire
                        604800 )       ; Negative Cache TTL

@       IN      NS      ns1.example.org.
@       IN      NS      ns2.example.org.

1       IN      PTR     ns1.example.org.
2       IN      PTR     ns2.example.org.
3       IN      PTR     example.org.
4       IN      PTR     admin.example.org.

named.conf.default-zones

Here, all the default zones should be defined. These configuration files can be found in the distribution package.

  • root zone (via db.root)
  • localhost
  • 127.in-addr.arpa
  • 0.in-addr.arpa
  • 255.in-addr.arpa

Tests

A basic syntax check, loading the configuration from the chroot directory:

$ named-checkconf -t /var/chroot/bind9/ -z; echo $?
[...]
0

Checking the validity of a zone file:

$ named-checkzone example.org /var/chroot/bind9/etc/bind/db.example 
zone example.org/IN: loaded serial 2014031001
OK
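
named-checkzone validates a single zone's syntax, but it does not check that the forward zone and the reverse zone agree with each other. The script below is an added example, not part of the original page: it parses zone files written in the style of db.example and db.123.0.0 above (handling $TTL, the parenthesised SOA, "@" and relative owner names) and reports A records without a matching PTR and PTRs without a matching A. It assumes IPv4 reverse zones, a single origin per file, and uses a compacted copy of the page's two zones as constructed input.

```python
import re

# Constructed input: the page's db.example and db.123.0.0 zones, compacted.
FORWARD = """$TTL    604800
@       IN      SOA     ns1.example.org. root.example.org. (
                        2014031001 604800 86400 2419200 604800 )  ; serial refresh retry expire ncache
ns1             IN      A       123.0.0.1
ns2             IN      A       123.0.0.2
www             IN      CNAME   example.org.
example.org.    IN      A       123.0.0.3
"""
REVERSE = """@       IN      SOA     ns1.example.org. root.example.org. (
                        2014031001 604800 86400 2419200 604800 )
1       IN      PTR     ns1.example.org.
2       IN      PTR     ns2.example.org.
3       IN      PTR     example.org.
4       IN      PTR     admin.example.org.
"""

def absolute(name, origin):  # expand '@' and relative owner names to FQDNs
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples; owner names are made absolute."""
    # Drop ';' comments, then fold a parenthesised record (the SOA) onto one line.
    body = "\n".join(line.split(";")[0] for line in text.splitlines())
    body = re.sub(r"\(([^)]*)\)", lambda m: " ".join(m.group(1).split()), body)
    records, owner = [], origin
    for line in body.splitlines():
        if not line.strip() or line.startswith("$"):
            continue                    # $TTL does not matter for this check
        fields = line.split()
        if not line[0].isspace():       # a leading blank means "same owner as before"
            owner = absolute(fields.pop(0), origin)
        while fields[0] == "IN" or fields[0].isdigit():   # skip optional class and TTL
            fields.pop(0)
        records.append((owner, fields[0], " ".join(fields[1:])))
    return records

def ptr_owner_to_ip(owner):  # '3.0.0.123.in-addr.arpa.' -> '123.0.0.3' (IPv4 only)
    return ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))

def check_consistency(forward, reverse, fwd_origin, rev_origin):
    """List A records lacking a matching PTR and PTRs lacking a matching A."""
    a_set = {(r, o) for o, t, r in parse_zone(forward, fwd_origin) if t == "A"}
    ptr_set = {(ptr_owner_to_ip(o), r) for o, t, r in parse_zone(reverse, rev_origin) if t == "PTR"}
    problems = [f"A {n} -> {ip} has no PTR" for ip, n in sorted(a_set - ptr_set)]
    problems += [f"PTR {ip} -> {n} has no A record" for ip, n in sorted(ptr_set - a_set)]
    return problems  # CNAMEs such as www are expected to have no PTR
```

Running check_consistency(FORWARD, REVERSE, "example.org.", "0.0.123.in-addr.arpa.") on the page's data flags the PTR for 123.0.0.4 (admin.example.org.), which has no A record in the forward zone.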

Chroot

BIND is a complex beast, so let's put it in a chroot to lessen the blow if something goes wrong.

Stop BIND and create the chroot directories and all the necessary bits:

service bind9 stop
mkdir -m 0770 -p /var/chroot/bind9/{etc,dev,var/log/named,var/cache/bind,var/run/named}

mknod -m 0600 /var/chroot/bind9/dev/null c 1 3
mknod -m 0600 /var/chroot/bind9/dev/random c 1 8

chgrp bind /var/chroot/bind9/var/{cache/bind,log/named,run/named} /var/chroot/bind9/dev/{null,random}
chmod 0711 /var/chroot

Add the chroot directory to BIND's start options:

$ grep ^OPTIONS /etc/default/bind9
OPTIONS="-u bind -t /var/chroot/bind9"

Add a syslog socket, e.g. for rsyslog:

$AddUnixListenSocket            /var/chroot/bind9/dev/log

Restart rsyslog:

$ service rsyslog restart
$ ls -lgo /var/chroot/bind9/dev/log 
srw-rw-rw- 1 0 Mar 13 01:10 /var/chroot/bind9/dev/log

Move configuration files to the chroot location, but keep a symlink in /etc for compatibility:

mv /etc/bind /var/chroot/bind9/etc/
ln -s /var/chroot/bind9/etc/bind /etc/bind
mv /var/log/named/* /var/chroot/bind9/var/log/named/ && rmdir /var/log/named

Now BIND should start just fine:

service bind9 start

Let's see:

$ pwdx `pgrep named`
15321: /var/chroot/bind9/var/cache/bind

Links