Wednesday, October 26, 2005

Upgrading to bind 9.3.1

This tutorial is especially for my friend Nikhil and my brother Abhinav.

Just follow it step by step. I have tried to comment everything that might need an explanation; if anyone feels I have left something out, please say so in the comments. It works fine on Red Hat servers and should work on other distributions too :)

cd /usr/local

# Download BIND 9.3.1 from ISC (if the ftp link does not work, fetch the same tarball from another ISC mirror) and verify it against ISC's PGP signature before building anything from it

wget -c
tar zxf bind-9.3.1.tar.gz
cd bind-9.3.1

# --prefix=/usr/local/bind installs everything under /usr/local/bind, and that same directory is the jail we chroot named into later (you can pick any other directory, but use the same one when you create the named user below)

./configure --prefix=/usr/local/bind

# compile bind
make

# put the binaries in the required dirs (sbin/named, bin/dig and friends under /usr/local/bind)
make install

# make the directories named needs inside the jail (config, zones, device nodes, pid file, logs)
mkdir -p /usr/local/bind/{etc,namedb,namedb/master,dev,var/run,var/log}

Most of the work is done at this point. Now it is time to write the config files and start bind :D

# now fetch the latest root hints file into the zone directory; I prefer to call it named.root (named.conf below refers to it as /namedb/master/named.root)

cd /usr/local/bind/namedb/master

# now add the named group and user, the /dev/null and /dev/random nodes, and the timezone file the jailed named needs (mknod needs root)

groupadd named
useradd named -d /usr/local/bind -s /bin/false -g named -c "DNS Jail User"
mknod /usr/local/bind/dev/null c 1 3
mknod /usr/local/bind/dev/random c 1 8
cp /etc/localtime /usr/local/bind/etc/

Because named runs inside the jail, logging to syslog needs one extra step. named writes its log records to the /dev/log socket, and that socket lives outside the jail, so nothing would ever reach syslogd. The fix is to have syslogd open a second listening socket inside the jail. On Red Hat the daemon's options live in /etc/sysconfig/syslog; set them to

SYSLOGD_OPTIONS="-m 0 -a /usr/local/bind/dev/log"

(-a adds the extra socket, -m 0 just turns off the periodic MARK lines). The default_syslog channel in named.conf below logs to facility local2, so also give local2 a destination in /etc/syslog.conf if you want those messages in their own file instead of wherever your catch-all rule sends them.

Lock the jail down. Only var needs to be writable by named (pid file, logs, dumps); etc and namedb are deliberately left owned by root so that a compromised named cannot rewrite its own config or zone files, and the jail root is closed to everyone else:
chown named:named /usr/local/bind
chown -R named:named /usr/local/bind/var
chmod 700 /usr/local/bind
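The jail layout above is easy to get subtly wrong (a forgotten mknod, a device node with the wrong minor number, var not writable by named), and named's own error messages for these are terse. The script below is an added example, not something from the original post: it audits a jail laid out as in this post, checking the directories, the two device nodes by major and minor number, the timezone file, the mode of the jail root, ownership of var, and that nothing inside the jail is setuid. The jail root and the user name are arguments (the user defaults to named); GNU stat, as on any Linux box, is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): audit a BIND chroot jail laid
# out as above. $1 = jail root, $2 = the user named drops to (default: named).
# Assumes GNU stat (Linux).

FINDINGS=0

# Record one problem.
finding() {
    FINDINGS=$((FINDINGS + 1))
    echo "FAIL: $1"
}

# $1 must be a character device with major $2 and minor $3
# (named needs /dev/null 1:3 and /dev/random 1:8 inside the jail).
check_chardev() {
    if [ ! -c "$1" ]; then
        finding "$1 is not a character device (mknod $1 c $2 $3)"
        return 0
    fi
    got=$(stat -L -c '%t:%T' "$1")        # GNU stat prints major:minor in hex
    want=$(printf '%x:%x' "$2" "$3")
    [ "$got" = "$want" ] || finding "$1 is $got, expected $want (major:minor, hex)"
}

# Audit the jail at $1 for user $2; prints each problem and returns the count.
audit_jail() {
    jail=$1; owner=${2:-named}; FINDINGS=0
    for d in etc namedb namedb/master dev var/run var/log; do
        [ -d "$jail/$d" ] || finding "missing directory $jail/$d"
    done
    check_chardev "$jail/dev/null" 1 3
    check_chardev "$jail/dev/random" 1 8
    [ -f "$jail/etc/localtime" ] || finding "missing $jail/etc/localtime (log timestamps would be UTC)"
    # the jail root is closed to everyone else; named only needs to write under var
    [ "$(stat -c '%a' "$jail")" = 700 ] || finding "$jail is not mode 700"
    [ "$(stat -c '%U' "$jail/var" 2>/dev/null)" = "$owner" ] || finding "$jail/var is not owned by $owner"
    # nothing inside the jail may be setuid: named must not be able to regain privilege
    suid=$(find "$jail" -type f -perm -4000 2>/dev/null | head -n 1)
    [ -z "$suid" ] || finding "setuid file inside the jail: $suid"
    return "$FINDINGS"
}

if [ -n "${1:-}" ]; then
    audit_jail "$1" "${2:-}"
    exit $?
fi
```

Run it as sh audit_jail.sh /usr/local/bind after the steps above; it exits with the number of problems found, so 0 means the jail is clean.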

Now remove the bind that came with the Red Hat install (check the exact package versions on your machine with rpm -qa; they will differ from the ones below):
rpm -e caching-nameserver-7.2-7
rpm -e bind-devel-9.2.1-16
rpm -e redhat-config-bind-1.9.0-13

If you are not sure which packages to uninstall, at least stop the stock named from starting at boot:
# Assuming you generally boot to init 3 or 5
chkconfig --level 3 named off
chkconfig --level 5 named off

Also kill the named that is currently running (a plain kill, i.e. SIGTERM, is enough for a clean shutdown; -9 is only needed if it refuses to exit):
[root@gateway bind-9.3.1]# ps -ef | grep named
named 4166 1 0 Oct22 ? 00:00:08 [named]
root 16983 14978 0 14:21 pts/1 00:00:00 grep named
[root@gateway bind-9.3.1]# kill -9 4166

Time to write named.conf. Every path in it is relative to the jail: once named has chrooted, /usr/local/bind/etc/named.conf is /etc/named.conf and /usr/local/bind/namedb is /namedb.
// ACLs Set
acl "xfer" { none; };
// add your internal network prefixes in front of localhost
acl "trusted" { localhost; };
// fill this in from a current bogon list (private, reserved and unallocated prefixes);
// "none" keeps the ACL valid until you do, so blackhole below drops nothing yet
acl "bogon" { none; };
logging {
    channel "default_syslog" { syslog local2; severity debug; };
    channel audit_log { file "/var/log/named.log"; severity debug; print-time yes; };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
// Set options for security
options {
    directory "/namedb";
    // what version.bind returns over CHAOS
    version "I do not give any version info";
    // must name a file, not a directory
    pid-file "/var/run/named.pid";
    // written by "rndc stats"; kept under var/log, which the mkdir above created
    statistics-file "/var/log/named.stats";
    dump-file "/var/log/named.dump";
    zone-statistics yes;
    transfer-format many-answers;
    max-transfer-time-in 60;
    interface-interval 0;
    allow-transfer { xfer; };
    allow-query { trusted; };
    blackhole { bogon; };
};

view "internal-in" in {
    // Our internal (trusted) view.
    match-clients { trusted; };
    recursion yes;
    # additional-from-auth yes;
    # additional-from-cache yes;

    zone "." IN { type hint; file "/namedb/master/named.root"; };
    #zone "" IN { type master; file "/namedb/master/db.127.0.0"; allow-query { any; }; allow-transfer { none; }; };
};

view "external-chaos" chaos {
    match-clients { any; };
    recursion no;

    zone "." { type hint; file "/dev/null"; };
    # zone "bind" { type master; file "/namedb/master/db.bind"; allow-query { trusted; }; allow-transfer { none; }; };
};

Put it in /usr/local/bind/etc/named.conf, and check the syntax from the host with named-checkconf -t /usr/local/bind /etc/named.conf before starting named.
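The most common startup failure with a chrooted named is a path in named.conf that does not exist inside the jail (the comment at the end of this post shows exactly that: a pid-file that names a directory and a log file whose directory is missing). The script below is an added example, not from the original post. It pulls every file, pid-file, statistics-file and dump-file path out of a named.conf written in the one-directive-per-line style used above and checks each one relative to the jail root: the parent directory must exist, the path must not itself be a directory, /dev/* entries must be device nodes, and zone files must be present (log, pid, statistics and dump files are created by named, so only their directories are checked). The jail root and the config path on the host are the two arguments.

```shell
#!/bin/sh
# Added example (not from the original post): before starting named, check that
# every file path in a chrooted named.conf makes sense inside the jail.
# $1 = jail root, $2 = named.conf as seen from the host.
# Handles one directive per line and # or // whole-line comments, which is
# enough for a config written in the style of this post.

# Check one config line that names a file; prints a FAIL line per problem.
check_line() {
    jail=$1; line=$2
    re='.*(^|[^a-z-])(file|pid-file|statistics-file|dump-file)[[:space:]]*"([^"]*)".*'
    directive=$(printf '%s\n' "$line" | sed -E "s/$re/\\2/")
    path=$(printf '%s\n' "$line" | sed -E "s/$re/\\3/")
    target=$jail$path
    parent=$(dirname "$target")
    if [ ! -d "$parent" ]; then
        echo "FAIL: $directive \"$path\": directory $parent does not exist inside the jail"
    elif [ -d "$target" ]; then
        echo "FAIL: $directive \"$path\" names a directory, not a file (named cannot open it)"
    else
        case $path in
        /dev/*)   # e.g. the chaos view's hint file: must be a real device node in the jail
            [ -c "$target" ] || echo "FAIL: $directive \"$path\": no device node at $target" ;;
        *)
            case "$directive:$line" in
            file:*channel*) ;;   # a logging channel: named creates the file itself
            file:*) [ -f "$target" ] || echo "FAIL: zone file \"$path\" not found at $target" ;;
            *) ;;                # pid-file, statistics-file, dump-file are created by named
            esac ;;
        esac
    fi
}

# Run every file-naming directive of $2 through check_line against jail $1;
# prints the problems and returns how many there were (0 = ready to start).
preflight_conf() {
    out=$(grep -vE '^[[:space:]]*(#|//)' "$2" \
        | grep -E '(file|pid-file|statistics-file|dump-file)[[:space:]]*"[^"]*"' \
        | while IFS= read -r l; do check_line "$1" "$l"; done)
    [ -z "$out" ] || printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | grep -c '^FAIL' || true)
    return "$n"
}

if [ $# -ge 2 ]; then
    preflight_conf "$1" "$2"
    exit $?
fi
```

Run it as sh preflight_conf.sh /usr/local/bind /usr/local/bind/etc/named.conf; a non-zero exit means named would have died at startup with one of the "file not found" errors shown in the comment below.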

Starting BIND:

service syslog restart
/usr/local/bind/sbin/named -u named -t /usr/local/bind -c /etc/named.conf
ps -ef | grep -v grep | grep named

Put the line below in /etc/rc.local so that it starts every time the server reboots.
/usr/local/bind/sbin/named -u named -t /usr/local/bind -c /etc/named.conf

That should get the server running. In case you see errors, check the log file at /usr/local/bind/var/log/named.log (and syslog for anything logged before the audit_log channel was opened). One warning you may see at startup: named looks for /etc/rndc.key inside the jail to set up its rndc control channel and complains "couldn't add command channel" when the key is missing. Either generate one with /usr/local/bind/sbin/rndc-confgen -a -u named, which writes rndc.key into /usr/local/bind/etc owned by named, exactly where the jailed named looks for it, or put an empty controls { }; statement in named.conf to switch the control channel off. That warning on its own is not fatal; a wrong pid-file, log file or zone file path is.

Time to test the new server:


If this gives output you are good to go.
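Checks worth running against the new server, as an added example that is not part of the original post: ask for version.bind in the CHAOS class and make sure the decoy string from named.conf comes back rather than a version number, do a recursive lookup and confirm the ra (recursion available) flag is set, and attempt a zone transfer and confirm it is refused. The small functions pick the status, flags and TXT answer out of dig's text output so the checks can be scripted. run_checks assumes dig is installed, that the server is reachable at the address you pass, and that www.example.com and the zone name you pass are suitable test names; everything else in the block works on dig output alone.

```shell
#!/bin/sh
# Added example (not from the original post): scripted checks on a freshly
# started BIND. Assumes dig is on the PATH; the server address and a zone you
# host are passed as $1 and $2.

# Pull the RCODE (NOERROR, REFUSED, ...) out of dig's header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Succeed if header flag $2 (aa, rd, ra, ...) is set in dig output $1.
dig_has_flag() {
    printf '%s\n' "$1" | grep -E "^;; flags:.*[ :]$2[ ;]" >/dev/null
}

# The TXT string from a version.bind CHAOS answer (empty if there is none).
dig_version_txt() {
    printf '%s\n' "$1" | sed -n 's/^version\.bind\.[[:space:]].*TXT[[:space:]]*"\(.*\)".*/\1/p' | head -n 1
}

# $1 = output of: dig @SERVER version.bind txt chaos
# Passes when an answer came back and it does not look like a version number.
check_version_hidden() {
    v=$(dig_version_txt "$1")
    if [ -n "$v" ] && ! printf '%s\n' "$v" | grep -E '[0-9]+\.[0-9]+' >/dev/null; then
        echo "PASS: version.bind says \"$v\""
    else
        echo "FAIL: version.bind leaks or is unanswered: \"$v\""; return 1
    fi
}

# $1 = output of a recursive query, $2 = yes or no (what you expect for this client)
check_recursion() {
    if dig_has_flag "$1" ra; then got=yes; else got=no; fi
    if [ "$got" = "$2" ]; then
        echo "PASS: recursion available=$got"
    else
        echo "FAIL: recursion available=$got, expected $2"; return 1
    fi
}

# $1 = output of: dig @SERVER ZONE axfr
check_axfr_refused() {
    s=$(dig_status "$1")
    if [ "$s" = REFUSED ] || printf '%s\n' "$1" | grep -q 'Transfer failed'; then
        echo "PASS: zone transfer refused"
    else
        echo "FAIL: zone transfer was not refused"; return 1
    fi
}

# Run all three against server $1 using zone $2 for the transfer attempt.
run_checks() {
    check_version_hidden "$(dig @"$1" version.bind txt chaos +tries=1)"
    check_recursion "$(dig @"$1" www.example.com a +tries=1)" yes
    check_axfr_refused "$(dig @"$1" "$2" axfr +tries=1)"
}

if [ $# -ge 2 ]; then
    run_checks "$1" "$2"
fi
```

Run it from a host inside the trusted ACL first. Repeated from a host outside it, the recursive query should come back REFUSED with no ra flag (check_recursion with no) and version.bind should still show only the decoy string, since the chaos view answers anyone.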

Nitin :)


At 12/19/2005 01:27:00 AM, Anonymous Anonymous said...

on starting bind, I'm receiving the following message.
Help !

Aug 31 09:27:10 gateway named[23760]: none:0: open: /usr/local/bind/etc/rndc.key: file not found
Aug 31 09:27:10 gateway named[23760]: couldn't add command channel file not found
Aug 31 09:27:10 gateway named[23760]: none:0: open: /usr/local/bind/etc/rndc.key: file not found
Aug 31 09:27:10 gateway named[23760]: couldn't add command channel ::1#953: file not found
Aug 31 09:27:10 gateway named[23760]: logging channel 'audit_log' file '/var/log/named.log': file not found
Aug 31 09:27:10 gateway named[23760]: couldn't open pid file '/var/run/': No such file or directory
Aug 31 09:27:10 gateway named[23760]: exiting (due to early fatal error)

