Wednesday, October 26, 2005

Upgrading to bind 9.3.1

This tutorial is specially for my friend Nikhil and my bro Abhinav.

You just need to follow it step by step. I have tried to comment everything that might need an explanation; if anyone feels I have left anything out, please comment on it. It works fine on Red Hat servers, and I think it should work on other versions too :)

cd /usr/local

# Download BIND (check isc.org in case the ftp link below does not work)

wget -c ftp://ftp.isc.org/isc/bind9/9.3.1/bind-9.3.1.tar.gz
tar zxf bind-9.3.1.tar.gz
cd bind-9.3.1

# --prefix=/usr/local/bind is the directory we will chroot bind into (you can use any other directory, but remember to use the same one when creating the named user below)

./configure --prefix=/usr/local/bind

#compile bind
make

#put the binaries in required dirs
make install

# make the directories the chroot needs
mkdir -p /usr/local/bind/{etc,namedb,namedb/master,dev,var/run,var/log}


After this, most of the work is done. Now it is time to write the config files and start bind :D

# now download the latest root hints file; I prefer to call it named.root

cd /usr/local/bind/namedb/master
wget ftp://ftp.internic.com/domain/named.root

# now add the named group and user, and the /dev/null and /dev/random nodes named needs inside the chroot

groupadd named
useradd -d /usr/local/bind -s /bin/false -g named -c "DNS Jail User" named
mknod /usr/local/bind/dev/null c 1 3
mknod /usr/local/bind/dev/random c 1 8
cp /etc/localtime /usr/local/bind/etc/

Since we have installed bind in a jail (chroot) environment, we will have a problem logging DNS records: on Linux this logging works by sending records to the /dev/log socket, but that socket is outside our jail :( So we need a small trick to change syslogd's behaviour. Below is how to change the syslogd options.

# Original (SYSLOGD_OPTIONS lives in /etc/sysconfig/syslog on Red Hat)
SYSLOGD_OPTIONS="-m 0"
# Required: -a makes syslogd listen on an additional socket inside the jail
SYSLOGD_OPTIONS="-m 0 -a /usr/local/bind/dev/log"

Making the directories more secure :)
chown named:named /usr/local/bind
chown -R named:named /usr/local/bind/var
chmod 700 /usr/local/bind


Now it is time to remove the bind that came with the Red Hat install:
rpm -e caching-nameserver-7.2-7
rpm -e bind-devel-9.2.1-16
rpm -e redhat-config-bind-1.9.0-13

If you are not sure which packages to uninstall, at least stop the original bind that came with the Red Hat install from starting at boot, using the commands below:
# assuming you generally boot to runlevel 3 or 5
chkconfig --level 3 named off
chkconfig --level 5 named off

Also kill the current named process:
[root@gateway bind-9.3.1]# ps -ef | grep named
named 4166 1 0 Oct22 ? 00:00:08 [named]
root 16983 14978 0 14:21 pts/1 00:00:00 grep named
[root@gateway bind-9.3.1]# kill -9 4166


Time to write named.conf:
// ACLs Set
acl "xfer" { none; };
acl "trusted" { 192.168.0.0/16; 203.200.229.112/28; 203.200.229.224/28; localhost; };
// Bogon list: address space that was unallocated when this was written. Such lists go
// stale quickly (most of these /8s have since been assigned), so refresh it from a
// current source before blackholing it.
acl "bogon" {
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 5.0.0.0/8; 7.0.0.0/8; 10.0.0.0/8; 23.0.0.0/8; 27.0.0.0/8;
31.0.0.0/8; 36.0.0.0/8; 37.0.0.0/8; 39.0.0.0/8; 42.0.0.0/8; 49.0.0.0/8; 50.0.0.0/8;
77.0.0.0/8; 78.0.0.0/8; 79.0.0.0/8; 92.0.0.0/8; 93.0.0.0/8; 94.0.0.0/8; 95.0.0.0/8;
96.0.0.0/8; 97.0.0.0/8; 98.0.0.0/8; 99.0.0.0/8; 100.0.0.0/8; 101.0.0.0/8; 102.0.0.0/8;
103.0.0.0/8; 104.0.0.0/8; 105.0.0.0/8; 106.0.0.0/8; 107.0.0.0/8; 108.0.0.0/8; 109.0.0.0/8;
110.0.0.0/8; 111.0.0.0/8; 112.0.0.0/8; 113.0.0.0/8; 114.0.0.0/8; 115.0.0.0/8; 116.0.0.0/8;
117.0.0.0/8; 118.0.0.0/8; 119.0.0.0/8; 120.0.0.0/8; 121.0.0.0/8; 122.0.0.0/8; 123.0.0.0/8;
169.254.0.0/16; 172.16.0.0/12; 173.0.0.0/8; 174.0.0.0/8; 175.0.0.0/8; 176.0.0.0/8;
177.0.0.0/8; 178.0.0.0/8; 179.0.0.0/8; 180.0.0.0/8; 181.0.0.0/8; 182.0.0.0/8; 183.0.0.0/8;
184.0.0.0/8; 185.0.0.0/8; 186.0.0.0/8; 187.0.0.0/8; 192.0.2.0/24; 197.0.0.0/8; 223.0.0.0/8;
224.0.0.0/3;
};
//logging
logging {
channel "default_syslog" { syslog local2; severity debug; };
channel audit_log { file "/var/log/named.log"; severity debug; print-time yes; };
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
category queries { audit_log; };
category lame-servers { audit_log; };
};
// Set options for security
options {
directory "/namedb";
version "I do not give any version info";
pid-file "/var/run/named.pid";
statistics-file "/var/log/named.stats"; // inside the chroot; /var/named was never created there, so keep it with the other logs
dump-file "/var/log/named.dump";
zone-statistics yes;
transfer-format many-answers;
max-transfer-time-in 60;
interface-interval 0;
allow-transfer { xfer; };
allow-query { trusted; };
blackhole { bogon; };
};

view "internal-in" in {
// Our internal (trusted) view.
match-clients { trusted; };
recursion yes;
# additional-from-auth yes;
# additional-from-cache yes;

zone "." IN { type hint; file "/namedb/master/named.root"; };
#zone "0.0.127.in-addr.arpa" IN { type master; file "/namedb/master/db.127.0.0"; allow-query { any; }; allow-transfer { none; }; };
};

view "external-chaos" chaos {
match-clients { any; };
recursion no;

zone "." { type hint; file "/dev/null"; };
# zone "bind" { type master; file "/namedb/master/db.bind"; allow-query { trusted; }; allow-transfer { none; }; };
};


Put it in /usr/local/bind/etc/named.conf
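named-checkconf only tells you the file parses; it says nothing about whether the policy is sound. Below is an added example (mine, not from the original post): a small named.conf parser with a policy check for the exposures the config above is written to avoid (open recursion, unrestricted zone transfers, version disclosure), run over a constructed permissive config and an abbreviated copy of the config above. It assumes BIND 9.3's documented defaults (allow-transfer any, allow-query any, recursion yes) and expands named ACLs one level only.

```python
import re
# Constructed samples: BIND's permissive defaults beside an abbreviated copy of the
# tutorial's hardened config (logging, zones and the bogon list left out).
WEAK_CONF = 'options { directory "/namedb"; recursion yes; };'
HARDENED_CONF = """acl "xfer" { none; };  acl "trusted" { 192.168.0.0/16; localhost; };
options { version "I do not give any version info"; allow-transfer { xfer; }; allow-query { trusted; }; };
view "internal-in" in { match-clients { trusted; }; recursion yes; };
view "external-chaos" chaos { match-clients { any; }; recursion no; };"""

def tokenize(text):
    # Drop /* */, // and # comments, then split into quoted strings, { } ; and bare words.
    text = re.sub(r"/\*.*?\*/|(?://|#)[^\n]*", " ", text, flags=re.S)
    return re.findall(r'"[^"]*"|[{};]|[^\s{};]+', text)

def parse(tokens, i=0):
    # Returns (statements, index after the closing "}"). A statement is (words, children):
    # children is the parsed body of a { ... } block, or None for a plain `word word;`.
    stmts, words = [], []
    while i < len(tokens) and tokens[i] != "}":
        tok, i = tokens[i], i + 1
        if tok == "{":
            kids, i = parse(tokens, i)
            stmts.append((words, kids))
        elif tok == ";" and words:
            stmts.append((words, None))
        words = [] if tok in ("{", ";") else words + [tok.strip('"')]
    return stmts, i + 1

def setting(block, name):
    # Value list of the first `name ...;` or `name { ... };` in block, else None.
    for words, kids in block:
        if words and words[0] == name:
            return words[1:] if kids is None else [k[0] for k, _ in kids]

def audit(conf):
    """Policy findings for a named.conf text; an empty list means clean."""
    top, _ = parse(tokenize(conf))
    acls = {w[1]: [k[0] for k, _ in kids] for w, kids in top if w[0] == "acl"}
    opts = next((kids for w, kids in top if w[0] == "options"), [])
    def is_open(lst):  # expand named ACLs one level, then look for a match-all entry
        return bool({"any", "0.0.0.0/0", "::/0"} & {x for e in lst for x in acls.get(e, [e])})
    findings = [] if setting(opts, "version") is not None else ["options: version string not hidden"]
    views = [(w[1], kids) for w, kids in top if w[0] == "view"] or [("global", [])]
    for name, block in views:
        def eff(key, default):  # view value, else options value, else BIND's default
            return next((v for v in (setting(block, key), setting(opts, key)) if v is not None), default)
        if is_open(eff("allow-transfer", ["any"])):
            findings.append(f"{name}: zone transfers allowed from anywhere")
        if eff("recursion", ["yes"])[0] == "yes" and is_open(eff("allow-query", ["any"])) \
                and is_open(setting(block, "match-clients") or ["any"]):
            findings.append(f"{name}: open recursive resolver")
    return findings
```

audit(HARDENED_CONF) returns an empty list, while audit(WEAK_CONF) reports the hidden version, open transfers and open recursion that the tutorial's options and views close off.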

Starting BIND:

service syslog restart
/usr/local/bind/sbin/named -u named -t /usr/local/bind -c /etc/named.conf
ps -ef | grep -v grep | grep named


Put the line below in /etc/rc.local so that named starts every time the server reboots.
/usr/local/bind/sbin/named -u named -t /usr/local/bind -c /etc/named.conf


That should get the server running. In case you find errors, check the log file at /usr/local/bind/var/log/named.log

Time to test the new server:

host www.redhat.com 127.0.0.1

If this gives output, you are good to go.

Nitin :)

Monday, October 24, 2005

Happy 10th anniversary to Cisco and PIX

PIX stood for Private Internet Exchange and was one of Cisco's first purchases, on Oct 27, 1995.

Cisco bought over PIX from Network Translation, Inc. (NTI), a networking manufacturer of cost-effective, low maintenance network address translation (NAT) and Internet firewall equipment.

You can access the complete story from the Cisco website here.

As an added feature, I have added some scans of the first PIX brochure and manual pages. I picked them up from the c-nsp mailing list.

The Cisco NSP mailing list can be accessed here for those who wanna join in :)

Just for the record, I too am PIX certified.

Nitin :)

Like Google Desktop Search .... wanna get something similar on Linux

Well, here is an application that serves almost the same purpose as the Windows application Google Desktop Search and the Mac OS X utility Spotlight.

It is called KAT. It supports a slew of file types, including PDF and OpenOffice files.

I am yet to try it out on my test machine at home, but from what I read on the site it looks exciting.

You can read more on the KAT environment at kat.mandriva.com.

Nitin :)

Hey Nikhil Welcome to blogging dude

As I mentioned in my previous post about Nikhil Parva, the most gentlemanly in our group, he's started writing a blog after me pestering him all the more about it :p

A little background about him. He is the IT manager of a big-time shipping company in India and it is really awesome to see him saving money for the company from all corners.

You can read his blog here.

Below is an excerpt from his first post, titled "Cost Centres and profit centres":

In any organization, the role of a department can either be divided into cost centre or profit centre. A cost centre is a department that adds to the cost of the company. A profit centre is a centre that creates profit for the company. The aim of both the departments is to add something to the bottom line. The profit centre achieves this by generating profits for the company. The cost department tries to reduce costs, which affects the bottom line indirectly (a penny saved is a penny earned).


You can read more in his post here, and to all the girls who wanna read about Nikhil: he's already steady with a girl (won't give out the name ;) )

To end the post on a serious note ..... Nikhil's come up with a wonderful idea of free s/w consultancy, which either of us might elaborate on in our next post.

Till then take care and be laaazy.

Nitin :)

Monday, October 17, 2005

Yahoo! and MSN to partner on IM

Group hug! Friends on Yahoo! and MSN can soon share instant messages.

That is how Yahoo! is terming it.

What they say is that with this you can share your IM friends across clients. You can refer to it over here.

Nitin :)

Saturday, October 15, 2005

Loong time no posts

Hey friends ..... yup, it has been a long time since the last post .... I was kinda bored of writing .....

The good news is that one of my college friends, Varun Agrawal, has joined a web hosting company as a senior sysadmin and wants to start writing and maybe co-author this blog. Maybe this gets more posts going.

Till then take care and live good

Nitin

PS: Nikhil Parva (the most gentle man in our group of friends) sent us this in the morning.

It is a nice comedy video, available here.

Nitin :)