Wednesday, October 26, 2005

Upgrading to bind 9.3.1

This tutorial is especially for my friend Nikhil and my bro Abhinav.

You just need to follow it step by step. I have tried to comment everything that might need an explanation; if anyone feels I have left out anything, please comment on it. It works fine on Red Hat servers, and I think it should work on other versions too :)

cd /usr/local

# Downloading Bind (check isc.org in case the ftp link below does not work)

wget -c ftp://ftp.isc.org/isc/bind9/9.3.1/bind-9.3.1.tar.gz
tar zxf bind-9.3.1.tar.gz
cd bind-9.3.1

# /usr/local/bind is the directory to which we chroot bind (you can specify any other directory, but remember to use the same one when creating the named user below)

./configure --prefix=/usr/local/bind

#compile bind
make

#put the binaries in the required dirs
make install

#make the directories bind needs inside the chroot
mkdir -p /usr/local/bind/{etc,namedb,namedb/master,dev,var/run,var/log}


After this most of the work is done. Now it is time to write the config files and start bind :D

#now download the latest root hints file; I prefer to call it named.root

cd /usr/local/bind/namedb/master
wget ftp://ftp.internic.com/domain/named.root

#now add the group named, the user named, and /dev/null et al. for the named chroot

groupadd named
useradd named -d /usr/local/bind -s /bin/false -g named -c "DNS Jail User"
mknod /usr/local/bind/dev/null c 1 3
mknod /usr/local/bind/dev/random c 1 8
cp /etc/localtime /usr/local/bind/etc/

Since we have installed this system into a jail environment, we will have some problems logging
DNS records. Linux performs this logging by sending records to the /dev/log socket, but this location is outside our
jail :( Let's use a trick and change syslog's behaviour. Below is an explanation of how you
can change the syslogd configuration (the SYSLOGD_OPTIONS line in the syslog sysconfig file).

#Original
SYSLOGD_OPTIONS="-m 0"
#Required
SYSLOGD_OPTIONS="-m 0 -a /usr/local/bind/dev/log"
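
The change above can be applied with a small helper, added here as an example and not part of the original post. It assumes the SYSLOGD_OPTIONS line lives in a file such as /etc/sysconfig/syslog (passed as the first argument), that the socket path is the chroot's dev/log, and that GNU sed is available; it refuses to add the option twice if run again.

```shell
#!/bin/sh
# Added helper (not from the original post): add the -a option for the
# jail's log socket to SYSLOGD_OPTIONS without duplicating it on re-runs.
# Usage: add_jail_log_socket /etc/sysconfig/syslog [/usr/local/bind/dev/log]
# The sysconfig path is an assumption; GNU sed -i is assumed as well.
add_jail_log_socket() {
    conf="$1"                               # e.g. /etc/sysconfig/syslog
    sock="${2:-/usr/local/bind/dev/log}"    # socket path inside the chroot

    # already done? then leave the file alone
    if grep -q "^SYSLOGD_OPTIONS=\".*-a $sock" "$conf"; then
        echo "$conf: -a $sock already present"
        return 0
    fi
    # append " -a <sock>" inside the quotes of the SYSLOGD_OPTIONS line
    sed -i "s|^\(SYSLOGD_OPTIONS=\"[^\"]*\)\"|\1 -a $sock\"|" "$conf"
    # show the result so a typo is visible before syslog is restarted
    grep "^SYSLOGD_OPTIONS=" "$conf"
}
```

After running it, `service syslog restart` is still needed before the socket appears inside the jail; named logs nothing through syslog until then.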

Making the directories more secure :)
chown named:named /usr/local/bind
chown -R named:named /usr/local/bind/var
chmod 700 /usr/local/bind


Now it is time to remove the bind that came with the Red Hat install
rpm -e caching-nameserver-7.2-7
rpm -e bind-devel-9.2.1-16
rpm -e redhat-config-bind-1.9.0-13

If you are not sure which packages to uninstall, stop the original bind that came with the Red Hat install from running with the commands below:
# Assuming you generally boot to init 3 or 5
chkconfig --level 3 named off
chkconfig --level 5 named off

Also kill the current named process:
[root@gateway bind-9.3.1]# ps -ef | grep named
named 4166 1 0 Oct22 ? 00:00:08 [named]
root 16983 14978 0 14:21 pts/1 00:00:00 grep named
[root@gateway bind-9.3.1]# kill -9 4166


Time to put in the named.conf
// ACLs Set
acl "xfer" { none; };
acl "trusted" { 192.168.0.0/16; 203.200.229.112/28; 203.200.229.224/28; localhost; };
acl "bogon" { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 5.0.0.0/8; 7.0.0.0/8; 10.0.0.0/8; 23.0.0.0/8; 27.0.0.0/8; 31.0.0.0/8; 36.0.0.0/8; 37.0.0.0/8; 39.0.0.0/8; 42.0.0.0/8; 49.0.0.0/8; 50.0.0.0/8; 77.0.0.0/8; 78.0.0.0/8; 79.0.0.0/8; 92.0.0.0/8; 93.0.0.0/8; 94.0.0.0/8; 95.0.0.0/8; 96.0.0.0/8; 97.0.0.0/8; 98.0.0.0/8; 99.0.0.0/8; 100.0.0.0/8; 101.0.0.0/8; 102.0.0.0/8; 103.0.0.0/8; 104.0.0.0/8; 105.0.0.0/8; 106.0.0.0/8;107.0.0.0/8; 108.0.0.0/8; 109.0.0.0/8; 110.0.0.0/8; 111.0.0.0/8; 112.0.0.0/8; 113.0.0.0/8; 114.0.0.0/8; 115.0.0.0/8; 116.0.0.0/8; 117.0.0.0/8; 118.0.0.0/8; 119.0.0.0/8; 120.0.0.0/8; 121.0.0.0/8; 122.0.0.0/8; 123.0.0.0/8; 169.254.0.0/16; 172.16.0.0/12; 173.0.0.0/8; 174.0.0.0/8; 175.0.0.0/8; 176.0.0.0/8; 177.0.0.0/8; 178.0.0.0/8; 179.0.0.0/8; 180.0.0.0/8; 181.0.0.0/8; 182.0.0.0/8; 183.0.0.0/8; 184.0.0.0/8; 185.0.0.0/8; 186.0.0.0/8; 187.0.0.0/8; 192.0.2.0/24; 197.0.0.0/8; 223.0.0.0/8; 224.0.0.0/3; };
//logging
logging {
channel "default_syslog" { syslog local2; severity debug; };
channel audit_log { file "/var/log/named.log"; severity debug; print-time yes; };
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
// Set options for security
options {
directory "/namedb";
version "I do not give any version info";
pid-file "/var/run/named.pid";
statistics-file "/var/named/named.stats";
dump-file "/var/log/named.dump";
zone-statistics yes;
transfer-format many-answers;
max-transfer-time-in 60;
interface-interval 0;
allow-transfer { xfer; };
allow-query { trusted; };
blackhole { bogon; };
};

view "internal-in" in {
// Our internal (trusted) view.
match-clients { trusted; };
recursion yes;
# additional-from-auth yes;
# additional-from-cache yes;

zone "." IN { type hint; file "/namedb/master/named.root"; };
#zone "0.0.127.in-addr.arpa" IN { type master; file "/namedb/master/db.127.0.0"; allow-query { any; }; allow-transfer { none; }; };
};

view "external-chaos" chaos {
match-clients { any; };
recursion no;

zone "." { type hint; file "/dev/null"; };
# zone "bind" { type master; file "/namedb/master/db.bind"; allow-query { trusted; }; allow-transfer { none; }; };
};


Put it in /usr/local/bind/etc/named.conf
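
Before starting named with -t, it is worth checking that everything the jail needs is actually in place, because named cannot reach anything outside it. The script below is an added check and not part of the original post; it assumes the layout built above (the mkdir, mknod, chown and chmod steps, named.root and named.conf in place, and syslog already restarted with the -a option) and GNU stat on Linux. It prints one line per problem and returns the number of problems, so a zero exit status means the jail looks ready.

```shell
#!/bin/sh
# Added check (not part of the original post): verify that a BIND chroot
# tree built as described above is complete before named is started.
# Usage:  check_chroot /usr/local/bind named
# Assumes GNU stat (Linux); owner may be a user name or a numeric uid.
check_chroot() {
    root="$1"      # chroot directory, e.g. /usr/local/bind
    owner="$2"     # expected owner of the tree, e.g. named
    problems=0

    # directories created with mkdir -p above
    for d in etc namedb/master dev var/run var/log; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            problems=$((problems + 1))
        fi
    done

    # files named needs inside the jail: root hints, timezone, its config
    for f in namedb/master/named.root etc/localtime etc/named.conf; do
        if [ ! -f "$root/$f" ]; then
            echo "missing file: $root/$f"
            problems=$((problems + 1))
        fi
    done

    # character devices created with mknod; /dev outside the jail is unreachable
    for dev in dev/null dev/random; do
        if [ ! -c "$root/$dev" ]; then
            echo "missing character device: $root/$dev"
            problems=$((problems + 1))
        fi
    done

    # syslogd creates this socket only after the -a option and a restart
    if [ ! -S "$root/dev/log" ]; then
        echo "no syslog socket at $root/dev/log (check SYSLOGD_OPTIONS, restart syslog)"
        problems=$((problems + 1))
    fi

    # ownership and mode set by chown/chmod above
    expected_uid=$(id -u "$owner" 2>/dev/null || printf '%s\n' -1)
    if [ "$(stat -c %u "$root")" != "$expected_uid" ]; then
        echo "$root is not owned by $owner"
        problems=$((problems + 1))
    fi
    if [ "$(stat -c %a "$root")" != "700" ]; then
        echo "$root is not mode 700"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Run it as `check_chroot /usr/local/bind named` once named.conf has been copied in; the two "file not found" lines and the missing pid file in the comment below are exactly the kind of problem it reports before named ever starts.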

Starting BIND:

service syslog restart
/usr/local/bind/sbin/named -u named -t /usr/local/bind -c /etc/named.conf
ps -ef | grep -v grep | grep named


Put the line below in /etc/rc.local so that it starts every time the server reboots.
/usr/local/bind/sbin/named -u named -t /usr/local/bind -c /etc/named.conf


That should get the server running. In case you find errors, check the log file at /usr/local/bind/var/log/named.log

Time to test the new server:

host www.redhat.com 127.0.0.1

If this gives output you are good to go.

Nitin :)

1 Comments:

At 12/19/2005 01:27:00 AM, Anonymous Anonymous said...

On starting bind, I'm receiving the following message.
Help !

Aug 31 09:27:10 gateway named[23760]: none:0: open: /usr/local/bind/etc/rndc.key: file not found
Aug 31 09:27:10 gateway named[23760]: couldn't add command channel 127.0.0.1#953: file not found
Aug 31 09:27:10 gateway named[23760]: none:0: open: /usr/local/bind/etc/rndc.key: file not found
Aug 31 09:27:10 gateway named[23760]: couldn't add command channel ::1#953: file not found
Aug 31 09:27:10 gateway named[23760]: logging channel 'audit_log' file '/var/log/named.log': file not found
Aug 31 09:27:10 gateway named[23760]: couldn't open pid file '/var/run/named.pid': No such file or directory
Aug 31 09:27:10 gateway named[23760]: exiting (due to early fatal error)
