https://wiki.archlinux.org/api.php?action=feedcontributions&user=Mintaka&feedformat=atom
ArchWiki - User contributions [en] 2024-03-29T06:59:04Z User contributions MediaWiki 1.41.0
https://wiki.archlinux.org/index.php?title=Talk:BIND&diff=146672 Talk:BIND 2011-06-18T19:05:12Z <p>Mintaka: /* Chroot method here no longer works as of 9.8.0 */</p>
<hr />
<div>==Chroot method here no longer works as of 9.8.0==<br />
BIND now needs a bunch of OpenSSL stuff; chrooting as explained here will not work. [[User:Pezz|Pezz]] 00:13, 09 March 2011 (AEDST)<br />
:Ok, marked as out of date; if someone could update this article it would be much appreciated. -- [[User:Kynikos|Kynikos]] 09:15, 8 March 2011 (EST)<br />
::If [[BIND (chroot)]] is the update for version 9.8.0, maybe it could be merged with this page? -- [[User:Kynikos|Kynikos]] 13:55, 15 March 2011 (EDT)<br />
:::I tested the chroot with the instructions on this page, and it works, so I've unmarked it as out of date -- [[User:Mintaka|Mintaka]] 21:04, 18 June 2011 (CEST)<br />
<br />
==Definition==<br />
What is Bind? It might be nice to explain it first. [[User:KitchM|KitchM]] 15:06, 21 August 2009 (EDT)<br />
:Copied description from its page in Arch packages. -- [[User:Kynikos|Kynikos]] 09:15, 8 March 2011 (EST)</div>
Mintaka
https://wiki.archlinux.org/index.php?title=Talk:BIND&diff=146671 Talk:BIND 2011-06-18T19:04:21Z <p>Mintaka: /* Chroot method here no longer works as of 9.8.0 */</p>
<hr />
<div>(earlier revision of the talk thread above; identical except that the last reply was not yet signed)</div>
Mintaka
https://wiki.archlinux.org/index.php?title=BIND&diff=146670 BIND 2011-06-18T19:03:25Z <p>Mintaka: Tested chroot, and it works, so I removed the out of date flag</p>
<hr />
<div>[[Category:Networking (English)]]<br />
[[Category:Daemons and system services (English)]]<br />
<br />
Berkeley Internet Name Daemon (BIND) is the reference implementation of the Domain Name System (DNS) protocols.<br />
<br />
== Bind as caching only server ==<br />
These few steps show you how to install BIND as a caching-only server.<br />
<br />
=== Install bind ===<br />
# pacman -S bind<br />
<br />
Edit /etc/named.conf and add this line inside the options section:<br />
listen-on { 127.0.0.1; };<br />
<br />
=== Adding named to boot process ===<br />
Edit /etc/rc.conf:<br />
DAEMONS=(.. '''named''' ..)<br />
<br />
=== Set resolv.conf for using the local dns ===<br />
Edit /etc/resolv.conf:<br />
nameserver 127.0.0.1<br />
<br />
== Automatically listen on new interfaces without chroot and root privileges ==<br />
Add the<br />
interface-interval <rescan-timeout-in-minutes>;<br />
parameter to the options section of named.conf. Then modify the rc script as follows:<br />
<pre><br />
stat_busy "Starting DNS"<br />
- [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}<br />
+ setcap cap_net_bind_service=eip /usr/sbin/named<br />
+ NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`<br />
+ [ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}<br />
</pre><br />
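Review bot: `setcap cap_net_bind_service=eip /usr/sbin/named` in the added lines grants the capability to every account that can execute the binary, not only to the named user it is started as, so the execute permission on /usr/sbin/named should be narrowed (for example root:named 0750) alongside this change. The new start line also depends on sudo being installed and, because the `-u` argument is stripped so named no longer drops privileges itself, on /var/run/named being writable by the named user for the pid file; re-running `setcap` on every start is what keeps the capability after a package upgrade replaces the binary.<br />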
<br />
So your /etc/rc.d/named should look like this:<br />
<pre><br />
stat_busy "Starting DNS"<br />
setcap cap_net_bind_service=eip /usr/sbin/named<br />
NAMED_ARGS=`echo ${NAMED_ARGS} | sed 's#-u [[:alnum:]]*##'`<br />
[ -z "$PID" ] && sudo -u named /usr/sbin/named ${NAMED_ARGS}<br />
</pre><br />
<br />
Change the user name in the last line (the one with "... sudo -u named ...") if your named user is not 'named'.<br />
<br />
== Running Bind in a chrooted environment ==<br />
This is not required but improves security. If you want you may implement this feature later and skip directly to [[Bind#A_configuration_template_for_running_a_domain|configuration section]] (see also [[BIND (chroot)]]).<br />
<br />
=== Preparing the chroot ===<br />
Define the chroot directory, for example:<br />
CHROOT="/chroot/named"<br />
<br />
Create the chroot directories:<br />
mkdir -m 700 -p ${CHROOT}<br />
mkdir -p ${CHROOT}/{dev,etc,var/run/named}<br />
<br />
To enable logging inside chroot you also need to create a log directory:<br />
mkdir ${CHROOT}/var/log<br />
<br />
and inside it a file named.log, matching the logging statement in named.conf:<br />
touch ${CHROOT}/var/log/named.log<br />
<br />
You may also want to access this file from /var/log:<br />
ln -sf ${CHROOT}/var/log/named.log /var/log<br />
<br />
=== Copy necessary files ===<br />
cp -v /etc/named.conf ${CHROOT}/etc/<br />
cp -v /etc/localtime ${CHROOT}/etc/<br />
cp -Rv /var/named ${CHROOT}/var/<br />
<br />
=== As of BIND 9.8.0, you will need libgost.so to run BIND in a chroot ===<br />
mkdir -p ${CHROOT}/usr/lib/engines<br />
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/<br />
<br />
=== Create block devices ===<br />
mknod ${CHROOT}/dev/zero c 1 5<br />
mknod ${CHROOT}/dev/random c 1 8<br />
<br />
=== Set permissions ===<br />
chown -R named:named ${CHROOT}/var/{,run/}named<br />
chmod 666 ${CHROOT}/dev/{random,zero}<br />
chown root:named ${CHROOT}<br />
chmod 0750 ${CHROOT}<br />
<br />
If you enabled logging (see above):<br />
chown named:named ${CHROOT}/var/log/named.log<br />
<br />
=== Prepare the rc script ===<br />
cp /etc/rc.d/named /etc/rc.d/named-chroot<br />
<br />
Edit /etc/rc.d/named-chroot and simply add "-t ${CHROOT}" to<br />
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS}<br />
so that it looks like<br />
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}<br />
Also change<br />
PIDFILE=/var/run/named/named.pid<br />
to<br />
PIDFILE=${CHROOT}/var/run/named/named.pid<br />
<br />
=== Prepare variables ===<br />
# vim /etc/conf.d/named<br />
<br />
CHROOT="/chroot/named"<br />
<br />
=== Starting named-chroot on bootup ===<br />
If you followed the first section, named is already in your DAEMONS array; append '-chroot' to that entry so that it looks like this:<br />
<br />
Edit /etc/rc.conf:<br />
DAEMONS=(.. '''named-chroot''' ..)<br />
<br />
=== Start the service ===<br />
/etc/rc.d/named-chroot start<br />
<br />
=== Test the service ===<br />
# host wiki.archlinux.org 127.0.0.1<br />
<br />
The output should look something like this:<br />
Using domain server:<br />
Name: 127.0.0.1<br />
Address: 127.0.0.1#53<br />
Aliases:<br />
<br />
wiki.archlinux.org is an alias for archlinux.org.<br />
archlinux.org has address 66.211.213.17<br />
archlinux.org mail is handled by 10 mail.archlinux.org.<br />
<br />
=== Script to regenerate the chroot environment === <br />
I use this script to (re)generate the Bind chroot environment. A suitable location is /usr/local/sbin/updatebindchroot:<br />
<br />
#!/bin/bash<br />
# Prepare or update a chroot environment for running Bind<br />
# see http://wiki.archlinux.org/index.php/Bind<br />
# bash (not a plain POSIX sh such as dash) is required: the brace expansions below<br />
# would otherwise be taken literally and create directories with braces in their names<br />
<br />
. /etc/conf.d/named<br />
<br />
# create chroot directories<br />
mkdir -m 700 -p ${CHROOT}<br />
mkdir -p ${CHROOT}/{dev,etc,var/{log,run/named}}<br />
<br />
# copy necessary files<br />
cp /etc/named.conf ${CHROOT}/etc/<br />
cp /etc/localtime ${CHROOT}/etc/<br />
cp -R /var/named ${CHROOT}/var/<br />
touch ${CHROOT}/var/log/named.log<br />
<br />
# create device nodes (errors are silenced because they already exist on a re-run)<br />
mknod ${CHROOT}/dev/zero c 1 5 2>/dev/null<br />
mknod ${CHROOT}/dev/random c 1 8 2>/dev/null<br />
<br />
# set permissions<br />
chown -R named:named ${CHROOT}/var/{log/named.log,{,run/}named}<br />
chmod 666 ${CHROOT}/dev/{random,zero}<br />
chown root:named ${CHROOT}<br />
chmod 0750 ${CHROOT}<br />
<br />
I call this in /etc/rc.d/named-chroot just before running named:<br />
/usr/local/sbin/updatebindchroot<br />
<br />
Now you can edit the configuration in /etc/named.conf and the zone files in /var/named. Either named or named-chroot can then be used (one at a time, of course). Restarting named-chroot recreates the chroot and so applies the configuration changes. Never edit the copies residing inside the chroot; treat them as read-only.<br />
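The chroot built in the steps above can be audited against the layout they prescribe: permissions on the chroot root, the copied files including libgost.so, the device nodes, and whether the read-only copy of named.conf has drifted from /etc/named.conf. The following script is an added example, not part of this article or of the BIND package; it assumes GNU stat and that the daemon runs as the named user.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): audit a BIND chroot built with the
# layout above. check_named_chroot ROOT [USER] prints one line per deviation
# from that layout and returns the number of deviations (0 = clean).
# USER is the account named runs as (default "named"). Uses GNU stat -c.

findings=0

# Record one deviation and keep going, so a single run reports everything.
note() {
    echo "[!] $1"
    findings=$((findings + 1))
}

check_mode() {  # path expected-octal-mode
    mode=$(stat -c %a "$1")
    [ "$mode" = "$2" ] || note "$1 has mode $mode, expected $2"
}

check_owner() {  # path expected-user:group
    owner=$(stat -c %U:%G "$1")
    [ "$owner" = "$2" ] || note "$1 is owned by $owner, expected $2"
}

check_named_chroot() {
    root=$1
    user=${2:-named}
    findings=0

    if [ ! -d "$root" ]; then
        echo "[!] $root is not a directory"
        return 1
    fi

    # The chroot root: root:named 0750, so named cannot write or rename anything here.
    check_mode "$root" 750
    check_owner "$root" "root:$user"

    # Files copied in from the host (libgost.so is required from BIND 9.8.0 on).
    for f in etc/named.conf etc/localtime usr/lib/engines/libgost.so; do
        [ -f "$root/$f" ] || note "missing $f"
    done

    # Directories named writes to (zone data, pid file): owned by the named user.
    for d in var/named var/run/named; do
        if [ -d "$root/$d" ]; then
            check_owner "$root/$d" "$user:$user"
        else
            note "missing directory $d"
        fi
    done

    # /dev/zero and /dev/random must be character devices with mode 666.
    for dev in zero random; do
        if [ -c "$root/dev/$dev" ]; then
            check_mode "$root/dev/$dev" 666
        else
            note "dev/$dev is missing or not a character device"
        fi
    done

    # Log file, only if logging inside the chroot was set up.
    [ -e "$root/var/log/named.log" ] && check_owner "$root/var/log/named.log" "$user:$user"

    # The copy inside the chroot is read-only; drift from /etc/named.conf means
    # named-chroot was not restarted after the last configuration edit.
    if [ -f /etc/named.conf ] && [ -f "$root/etc/named.conf" ] \
        && ! cmp -s /etc/named.conf "$root/etc/named.conf"; then
        note "etc/named.conf differs from /etc/named.conf; restart named-chroot to refresh it"
    fi

    [ "$findings" -eq 0 ] && echo "ok: $root matches the expected layout"
    return "$findings"
}

# Usage: check_named_chroot.sh /chroot/named [named]
if [ $# -ge 1 ]; then
    check_named_chroot "$@"
fi
```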
<br />
== Configuring BIND to serve DNSSEC signed zones ==<br />
See [[DNSSEC#Bind (serving_signed_DNS_zones)]]<br />
<br />
== A configuration template for running a domain ==<br />
In our example we use "domain.tld" as our domain.<br />
<br />
=== 1. Preparing some folder structure ===<br />
mkdir /var/named/{pri,sec}<br />
<br />
If using chroot:<br />
mkdir ${CHROOT}/var/named/{pri,sec}<br />
<br />
=== 2. Creating a zonefile ===<br />
# vim /var/named/pri/domain.tld.zone<br />
<br />
$TTL 7200<br />
; domain.tld<br />
@ IN SOA ns01.domain.tld. postmaster.domain.tld. (<br />
2007011601 ; Serial<br />
28800 ; Refresh<br />
1800 ; Retry<br />
604800 ; Expire - 1 week<br />
86400 ) ; Minimum<br />
IN NS ns01<br />
IN NS ns02<br />
ns01 IN A 0.0.0.0<br />
ns02 IN A 0.0.0.0<br />
localhost IN A 127.0.0.1<br />
@ IN MX 10 mail<br />
imap IN CNAME mail<br />
smtp IN CNAME mail<br />
@ IN A 0.0.0.0<br />
www IN A 0.0.0.0<br />
mail IN A 0.0.0.0<br />
@ IN TXT "v=spf1 mx"<br />
<br />
$TTL defines the default time-to-live for all record types. 7200 is in seconds, so it is 2 hours.<br />
<br />
The serial must be incremented manually every time you change a resource record in the zone, before restarting named. If you forget, slaves will not transfer the zone again: they only do so when the serial is greater than the one they saw at their last transfer.<br />
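As an added example (not from this article or from BIND), the following script bumps the serial of a zone file laid out like the one above, following the YYYYMMDDnn convention the sample serial uses, and checks the new value with the RFC 1982 comparison slaves apply before transferring; the "; Serial" comment on the SOA line is assumed as the marker for the serial field.<br />

```shell
#!/bin/sh
# Added example (not from the wiki page): bump the SOA serial of a zone file laid
# out like domain.tld.zone above, where the serial is the first field on the line
# commented "; Serial". Assumes the YYYYMMDDnn serial convention used there and a
# POSIX sh with awk and 64-bit shell arithmetic.

# Print the current serial of a zone file, or nothing if no "; Serial" line exists.
zone_serial() {
    awk '/; *Serial/ { print $1; exit }' "$1"
}

# RFC 1982 serial arithmetic, i.e. the test a slave applies: NEW counts as newer
# than OLD only if 0 < (NEW - OLD) mod 2^32 < 2^31. Returns 0 (true) or 1 (false).
serial_is_newer() {
    old=$1; new=$2
    diff=$(( (new - old) % 4294967296 ))
    [ "$diff" -lt 0 ] && diff=$((diff + 4294967296))
    [ "$diff" -gt 0 ] && [ "$diff" -lt 2147483648 ]
}

# Compute the next serial: today's date plus "01", or OLD + 1 if OLD is already at
# or past today's first slot (several edits in one day, or a serial set in the future).
bump_serial() {
    old=$1; today=$2
    candidate="${today}01"
    if [ "$old" -lt "$candidate" ]; then
        echo "$candidate"
    else
        echo $((old + 1))
    fi
}

# Rewrite FILE in place with a bumped serial and print the new value.
# TODAY (YYYYMMDD) defaults to the current date; it is a parameter so that
# the result is reproducible.
bump_zone_serial() {
    file=$1
    today=${2:-$(date +%Y%m%d)}
    old=$(zone_serial "$file")
    if [ -z "$old" ]; then
        echo "no '; Serial' line found in $file" >&2
        return 1
    fi
    new=$(bump_serial "$old" "$today")
    # Refuse a jump that slaves would not see as an increase (RFC 1982).
    if ! serial_is_newer "$old" "$new"; then
        echo "serial $old -> $new would not be seen as newer by slaves" >&2
        return 1
    fi
    tmp="$file.tmp.$$"
    awk -v old="$old" -v new="$new" \
        '/; *Serial/ && !done { sub(old, new); done = 1 } { print }' \
        "$file" > "$tmp" && mv "$tmp" "$file" || return 1
    echo "$new"
}

# Usage: bump_zone_serial.sh /var/named/pri/domain.tld.zone [YYYYMMDD]
if [ $# -ge 1 ]; then
    bump_zone_serial "$@"
fi
```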
<br />
=== 3. Configuring master server ===<br />
Copy the zonefile if using a chroot:<br />
cp domain.tld.zone ${CHROOT}/var/named/pri/<br />
<br />
Edit /etc/named.conf:<br />
zone "domain.tld" IN {<br />
type master;<br />
file "pri/domain.tld.zone";<br />
allow-update { none; };<br />
notify no;<br />
};<br />
<br />
Copy to chroot:<br />
cp named.conf ${CHROOT}/etc/<br />
<br />
=== 4. Configuring slave server ===<br />
If using chroot:<br />
cp domain.tld.zone ${CHROOT}/var/named/sec/<br />
<br />
Edit /etc/named.conf:<br />
zone "domain.tld" IN {<br />
type slave;<br />
file "sec/domain.tld.zone";<br />
masters { 0.0.0.0; }; # ip address of the master server<br />
};<br />
<br />
If using chroot:<br />
cp named.conf ${CHROOT}/etc/<br />
<br />
Restart the services and you're done.<br />
<br />
==See also==<br />
*[[BIND (chroot)]]<br />
<br />
== BIND Resources ==<br />
* [http://www.reedmedia.net/books/bind-dns/ BIND 9 DNS Administration Reference Book]<br />
* [http://www.netwidget.net/books/apress/dns/intro.html Pro DNS and BIND]<br />
* [http://www.isc.org/ Internet Systems Consortium, Inc. (ISC)]<br />
* [http://www.menandmice.com/knowledgehub/dnsglossary DNS Glossary]</div>
Mintaka
https://wiki.archlinux.org/index.php?title=BIND&diff=146664 BIND 2011-06-18T18:48:18Z <p>Mintaka: Without this the daemon doesn't stop correctly</p>
<hr />
<div>(earlier revision of the BIND article above; identical except that it still carried the {{Out of date}} banner removed in revision 146670)</div>
Mintaka
https://wiki.archlinux.org/index.php?title=BIND&diff=146650 BIND 2011-06-18T16:16:16Z <p>Mintaka: changed "chown -R named:named ${CHROOT}/var/{,run/}/named" to chown -R named:named ${CHROOT}/var/{,run/}named</p>
<hr />
<div>(earlier revision; identical to the one above except that "Prepare the rc script" did not yet include the PIDFILE change added in revision 146664)</div>
Mintaka