Setting up a caching server for
client local machines will reduce the load on the site's primary server. A
caching only name server will find the answer to name queries and remember the
answer the next time we need it. This will shorten the waiting time the next
time significantly. For security reasons, it is very important that DNS doesn't
exist between hosts on the corporate network and external hosts; it is far
safer to simply use IP addresses to connect to external machines from the
corporate network and vice-versa.
In our configuration and installation we'll run BIND/DNS as a
non-root user and in a chrooted environment. We also provide you three
different configurations:
- one for a simple caching-only name server (client)
- one for a slave (secondary) name server
- one for a master (primary) name server.
The simple caching name server configuration will be used for your servers
that don't act as a master or slave name server, and the slave and master
configurations will be used for your servers that act as a master name server
and slave name server. Usually one of your servers acts as master, another one
acts as slave and the rest act as simple caching client name server.
This is a graphical representation of the DNS configuration we use in this book. We try to show you the different settings
- Caching Only DNS
- Master DNS
- Slave DNS
on different servers. A lot of possibilities exist, depending on your needs and network architecture.
These installation instructions assume:
- Commands are Unix-compatible.
- The source path is /var/tmp; other paths are possible.
- Installations were tested on Red Hat Linux 6.1 and 6.2.
- All steps in the installation will happen in the super-user account root.
- The ISC BIND version number is 8.2.2-patchlevel5.
These are the package(s) required:
ISC BIND Homepage: http://www.isc.org/
ISC BIND FTP Site: 204.152.184.27
You must be sure to download: bind-contrib.tar.gz, bind-doc.tar.gz, bind-src.tar.gz
Before you decompress Tarballs and install, it is a good
idea to make a list of files on the system before you install BIND, and one
afterwards, and then compare them using diff to find out what file it placed
where. Simply run find /* > DNS1 before and find /* >
DNS2 after you install the software, and
use diff DNS1 DNS2 > DNS-Installed to get a list of what changed.
Compile and decompress the tarball (tar.gz).
[root@deep] /# mkdir /var/tmp/bind
[root@deep] /# cp bind-contrib.tar.gz /var/tmp/bind/
[root@deep] /# cp bind-doc.tar.gz /var/tmp/bind/
[root@deep] /# cp bind-src.tar.gz /var/tmp/bind/
We create a directory named bind to handle the tar archives and copy them to this new directory.
Move into the new bind directory (cd /var/tmp/bind) and decompress the tar files:
[root@deep ]/bind# tar xzpf bind-contrib.tar.gz
[root@deep ]/bind# tar xzpf bind-doc.tar.gz
[root@deep ]/bind# tar xzpf bind-src.tar.gz
Configuration files for different services are very specific, depending on your needs and your network architecture. People can install DNS servers at home as a caching-only server, while companies may install primary, secondary and caching DNS servers.
All the configuration files required for each piece of software described in this book have been provided by us as a gzipped file, floppy.tgz, for your convenience. It can be downloaded from this web address: http://www.openna.com/books/floppy.tgz. You can unpack it to any location on your local machine, for example /tmp; assuming you have done so, your directory structure will be /tmp/floppy. Within this floppy directory each configuration file has its own directory for the respective software. For example, the BIND-DNS configuration files are organised like this:
total 24
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Caching-Only-DNS/
-rw-r--r-- 1 harrypotter harrypotter  484 Jun 8 13:00 Compile-BIND
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Primary-Master-DNS/
drwxr-xr-x 2 harrypotter harrypotter 4096 Jun 8 13:00 Secondary-Slave-DNS/
-rwx------ 1 harrypotter harrypotter  300 Jun 8 13:00 bind.sh*
drwxr-xr-x 3 harrypotter harrypotter 4096 Jun 8 13:00 init.d/
You can either cut and paste these directly if you are faithfully following our instructions from the beginning, or edit them manually to suit your needs. This facility is provided as a convenience, but please don't forget that ultimately it is your responsibility to check and verify them before you use them, whether modified or as they are.
To run a caching-only name server, the following files are required and must be
created or copied to the appropriate directories on your server.
- Copy the named.conf file to the /etc/ directory.
- Copy the db.127.0.0 file to the /var/named/ directory.
- Copy the db.cache file to the /var/named/ directory.
- Copy the named script file to the /etc/rc.d/init.d/ directory.
To run a master name server, the following files are required and must be
created or copied to the appropriate directories on your server.
- Copy the named.conf file to the /etc/ directory.
- Copy the db.127.0.0 file to the /var/named/ directory.
- Copy the db.cache file to the /var/named/ directory.
- Copy the db.208.164.186 file to the /var/named/ directory.
- Copy the db.openna file to the /var/named/ directory.
- Copy the named script file to the /etc/rc.d/init.d/ directory.
To run a slave name server, the following files are
required and must be created or copied to the appropriate directories on your
server.
- Copy the named.conf file to the /etc/ directory.
- Copy the db.127.0.0 file to the /var/named/ directory.
- Copy the db.cache file to the /var/named/ directory.
- Copy the named script file to the /etc/rc.d/init.d/ directory.
You can obtain the configuration files listed over the next few sections from the floppy.tgz archive. Copy the following files from the decompressed floppy.tgz archive to the appropriate places, or copy them directly from this book into the file concerned.
Caching-only name servers are servers not authoritative for any domain except 0.0.127.in-addr.arpa, the localhost. A caching-only name server can look up names inside and outside your zone, as can primary and slave name servers. The difference is that when a caching-only name server initially looks up a name within your zone, it ends up asking one of the primary or slave name servers for your zone for the answer.
The necessary files to setup a simple caching name server
are:
- named.conf
- db.127.0.0
- db.cache
- named script
To configure the /etc/named.conf file for a simple caching name server, use this for all servers that don't act as a master or slave name server. Setting up a simple caching server for local client machines will reduce the load on the network's primary server. Many users on dialup connections may use this configuration along with BIND for such a purpose. Create the named.conf file (touch /etc/named.conf) and add the following lines to the file:
options {
        directory "/var/named";
        forwarders { 208.164.186.1; 208.164.186.2; };
        forward only;
};
//
// a caching only nameserver config
//
zone "." in {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
In the forwarders line, 208.164.186.1 and 208.164.186.2 are the IP addresses of your Primary Master and Secondary Slave DNS servers. They can also be the IP addresses of your ISP's DNS server and another DNS server, respectively.
Note: To improve the security of your BIND/DNS server you can stop it from even trying to contact an off-site server if its forwarder is down or doesn't respond. With the forward only option set in your named.conf file, the name server doesn't try to contact other servers to find out information if the forwarder doesn't give it an answer.
To configure the /var/named/db.127.0.0 file for a simple caching name server, you can use this configuration for all machines on your network that don't act as a master or slave name server. The db.127.0.0 file covers the loopback network. Create the following file in /var/named/ (touch /var/named/db.127.0.0) and add the following lines to it:
$TTL 345600
@       IN      SOA     localhost. root.localhost. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
        IN      NS      localhost.
1       IN      PTR     localhost.
Configure the /var/named/db.cache file for a simple caching name server before starting your DNS server. You must take a copy of the db.cache file and copy it to the /var/named/ directory. The db.cache file tells your server where the servers for the root zone are.
Use the following command on another Unix computer in your organization to retrieve a new db.cache file for your DNS server, or pick one from your Red Hat Linux CD-ROM source distribution:
[root@deep]# dig @a.root-servers.net . ns > db.cache
Don't forget to copy the db.cache file to the /var/named/ directory on the server where you're installing the DNS server after retrieving it over the Internet.
Internal addresses like 192.168.1/24 are not included in the DNS configuration files for
security reasons. It is very important that DNS doesn't exist between hosts on
the corporate network and external hosts.
A primary master name server for a zone reads the data for the zone from a file on its host and is authoritative for that zone. The necessary files to set up a primary master name server are:
- named.conf
- db.127.0.0
- db.208.164.186
- db.openna
- db.cache
- named script
To configure the /etc/named.conf file for a master name server, use this configuration for the server on your network that acts as a master name server. After compiling DNS, you need to set up a primary domain name for your server. We'll use openna.com as an example domain, and assume you are using the IP network address 208.164.186.0. To do this, add the following lines to your /etc/named.conf. Create the named.conf file (touch /etc/named.conf) and add:
options {
        directory "/var/named";
        fetch-glue no;
        recursion no;
        allow-query { 208.164.186/24; 127.0.0/8; };
        allow-transfer { 208.164.186.2; };
        transfer-format many-answers;
};
// These files are not specific to any zone
zone "." in {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
// These are our primary zone files
zone "openna.com" in {
        type master;
        file "db.openna";
};
zone "186.164.208.in-addr.arpa" in {
        type master;
        file "db.208.164.186";
};
The fetch-glue no option can be used in conjunction with the option recursion no to prevent the server's cache from growing or becoming corrupted. Also, disabling recursion puts your name server into a passive mode, telling it never to send queries on behalf of other name servers or resolvers. A non-recursive name server is very difficult to spoof, since it doesn't send queries, and hence doesn't cache any data.
In the allow-query line, 208.164.186/24 and 127.0.0/8 are the IP addresses allowed to ask ordinary questions of the server.
In the allow-transfer line, 208.164.186.2 is the IP address allowed to receive zone transfers from the server. You must ensure that only your real slave name servers can transfer zones from your name server, as the information provided is often used by spammers and IP spoofers.
Note: The options recursion no, allow-query, and allow-transfer in the named.conf file above are security features.
To configure the /var/named/db.127.0.0 file for a master and slave name server: this configuration file is used by both a master name server and a slave name server. The db.127.0.0 file covers the loopback network. Create the following file in /var/named/.
Create the db.127.0.0 file (touch /var/named/db.127.0.0) and add:
; Revision History: April 22, 1999 - admin@mail.openna.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN      SOA     deep.openna.com. admin.mail.openna.com. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
; Name Server (NS) records.
        NS      deep.openna.com.
        NS      mail.openna.com.
; Only one PTR record.
1       PTR     localhost.
To configure the /var/named/db.208.164.186 file for a master name server, use this configuration for the server on your network that acts as a master name server. The file db.208.164.186 maps host names to addresses. Create the following file in /var/named/.
Create the db.208.164.186 file (touch /var/named/db.208.164.186) and add:
; Revision History: April 22, 1999 - admin@mail.openna.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN      SOA     deep.openna.com. admin.mail.openna.com. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
; Name Server (NS) records.
        NS      deep.openna.com.
        NS      mail.openna.com.
; Addresses point to canonical names (PTR) for reverse lookups.
1       PTR     deep.openna.com.
2       PTR     mail.openna.com.
3       PTR     www.openna.com.
To configure the /var/named/db.openna file for a master name server, use this configuration for the server on your network that acts as a master name server. The file db.openna maps addresses to host names. Create the following file in /var/named/.
Create the db.openna file (touch /var/named/db.openna) and add:
; Revision History: April 22, 1999 - admin@mail.openna.com
; Start of Authority (SOA) records.
$TTL 345600
@       IN      SOA     deep.openna.com. admin.mail.openna.com. (
                        00              ; Serial
                        86400           ; Refresh
                        7200            ; Retry
                        2592000         ; Expire
                        345600 )        ; Minimum
; Name Server (NS) records.
        NS      deep.openna.com.
        NS      mail.openna.com.
; Mail Exchange (MX) records.
        MX      0 mail.openna.com.
; Address (A) records.
localhost       A       127.0.0.1
deep            A       208.164.186.1
mail            A       208.164.186.2
www             A       208.164.186.3
; Aliases in Canonical Name (CNAME) records.
;www            CNAME   deep.openna.com.
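The forward zone (db.openna) and the reverse zone (db.208.164.186) above describe the same three hosts twice, and a mismatch between them is a common source of failed reverse lookups. The following Python check is an added example, not code from the book or its floppy.tgz archive: it parses the simple zone-file layout used in this chapter (SOA in parentheses, comments after ";", owner names inherited from the previous line) and reports A records without a PTR, PTRs without an A, and NS/MX targets that have no address. The two zone files are embedded as sample input typed from this chapter.

```python
# Sample input typed from this chapter: the forward zone db.openna and the
# reverse zone db.208.164.186 (not the floppy.tgz copies).
FORWARD = """$TTL 345600
@       IN      SOA     deep.openna.com. admin.mail.openna.com. (
                        00 86400 7200           ; Serial Refresh Retry
                        2592000 345600 )        ; Expire Minimum
        NS      deep.openna.com.
        NS      mail.openna.com.
        MX      0 mail.openna.com.
localhost       A       127.0.0.1
deep    A       208.164.186.1
mail    A       208.164.186.2
www     A       208.164.186.3
"""
REVERSE = """$TTL 345600
@       IN      SOA     deep.openna.com. admin.mail.openna.com. (
                        00 86400 7200 2592000 345600 )
        NS      deep.openna.com.
        NS      mail.openna.com.
1       PTR     deep.openna.com.
2       PTR     mail.openna.com.
3       PTR     www.openna.com.
"""

def qualify(name, origin):
    if name == '@':
        return origin
    return name if name.endswith('.') else '%s.%s' % (name, origin)

def parse_zone(text, origin):
    """Return (owner, type, rdata) triples; the multi-line SOA is skipped."""
    records, owner, in_soa = [], origin, False
    for raw in text.splitlines():
        line = raw.split(';', 1)[0].rstrip()      # drop comments
        if in_soa:                                  # still inside SOA ( ... )
            in_soa = ')' not in line
            continue
        if not line.strip() or line.startswith('$'):
            continue
        if line[0] not in ' \t':                    # explicit owner on this line
            owner, line = line.split(None, 1)
        fields = line.split()
        if fields[0] == 'IN':
            fields.pop(0)
        if fields[0] == 'SOA':
            in_soa = '(' in line and ')' not in line
            continue
        records.append((qualify(owner, origin), fields[0], ' '.join(fields[1:])))
    return records

def ptr_to_ip(name):
    # '1.186.164.208.in-addr.arpa.' -> '208.164.186.1'
    return '.'.join(reversed(name[:-len('.in-addr.arpa.')].split('.')))

def check_zones(forward, forward_origin, reverse, reverse_origin):
    """Cross-check A and PTR records, and that NS/MX targets have A records.
    Loopback addresses are skipped: they live in db.127.0.0, not here."""
    fwd, rev = parse_zone(forward, forward_origin), parse_zone(reverse, reverse_origin)
    a = {(o, r) for o, t, r in fwd if t == 'A'}
    ptr = {(ptr_to_ip(o), r) for o, t, r in rev if t == 'PTR'}
    problems = []
    for host, ip in sorted(a):
        if not ip.startswith('127.') and (ip, host) not in ptr:
            problems.append('%s A %s has no matching PTR' % (host, ip))
    for ip, host in sorted(ptr):
        if (host, ip) not in a:
            problems.append('%s PTR %s has no matching A' % (ip, host))
    a_names = {o for o, _ in a}
    for _, t, r in fwd + rev:
        if t in ('NS', 'MX') and r.split()[-1] not in a_names:
            problems.append('%s target %s has no A record' % (t, r.split()[-1]))
    return problems
```

Run check_zones(FORWARD, 'openna.com.', REVERSE, '186.164.208.in-addr.arpa.') to get an empty list for the files above; drop the www PTR or point the MX at an unknown host and the mismatch is reported.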
To configure the /var/named/db.cache file for the master and slave name servers: before starting your DNS server you must take a copy of the db.cache file and copy it into the /var/named/ directory. The db.cache file tells your server where the servers for the root zone are.
Use the following command on another Unix computer in your organization to retrieve a new db.cache file for your DNS server, or pick one from your Red Hat Linux CD-ROM source distribution:
[root@deep] /# dig @a.root-servers.net . ns > db.cache
Don't forget to copy the db.cache file to the /var/named/ directory on the server where you're installing the DNS server after retrieving it over the Internet.
21.5. Secondary slave name server
The purpose of a slave name server is to share the load with the master server, or to handle the entire load if the master server is down. A slave name server loads its data over the network from another name server, usually the master name server, but it can load from another slave name server too. This process is called a zone transfer. The necessary files to set up a secondary slave name server are:
i. named.conf
ii. db.127.0.0
iii. db.cache
iv. named script
To configure the /etc/named.conf file for a slave name server, use this configuration for the server on your network that acts as a slave name server. You must modify the named.conf file on the slave name server host. Change every occurrence of primary (master) to secondary (slave) except for 0.0.127.in-addr.arpa, and add a masters line with the IP address of the master server as shown below. Create the named.conf file (touch /etc/named.conf) and add:
options {
        directory "/var/named";
        fetch-glue no;
        recursion no;
        allow-query { 208.164.186/24; 127.0.0/8; };
        allow-transfer { 208.164.186.1; };
        transfer-format many-answers;
};
// These files are not specific to any zone
zone "." in {
        type hint;
        file "db.cache";
};
zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
};
// These are our slave zone files
zone "openna.com" in {
        type slave;
        file "db.openna";
        masters { 208.164.186.1; };
};
zone "186.164.208.in-addr.arpa" in {
        type slave;
        file "db.208.164.186";
        masters { 208.164.186.1; };
};
A slave name server doesn't need to retrieve all of its database (db) files over the network, because the db.127.0.0 and db.cache files are the same as on a primary master, so you can keep a local copy of these files on the slave name server.
i. Copy the db.127.0.0 file from the master name server to the slave name server.
ii. Copy the db.cache file from the master name server to the slave name server.
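The named.conf settings this chapter relies on for security (forward only on a caching server; recursion no, fetch-glue no, allow-query, and allow-transfer limited to the real slaves on a master; a masters line on every slave zone) are easy to lose when files are edited by hand. The following Python audit is an added example, not code from the book or its floppy.tgz archive: it parses the small named.conf subset used in the caching, master and slave configurations above and reports which of those settings a file lacks. The two configurations it is run against are constructed samples embedded in the code.

```python
import re

# Constructed named.conf samples (not files from the floppy.tgz archive): MASTER_CONF
# carries the options this chapter sets on a master; OPEN_CONF omits them all.
MASTER_CONF = """options {
        fetch-glue no;
        recursion no;
        allow-query { 208.164.186/24; 127.0.0/8; };
        allow-transfer { 208.164.186.2; };
};
// These are our primary zone files
zone "openna.com" in { type master; file "db.openna"; };
"""
OPEN_CONF = """options { directory "/var/named"; };
zone "openna.com" in { type slave; file "db.openna"; };
"""
# One statement inside a block: `name value;` or `name { item; item; };`
_STMT = re.compile(r'(\w[\w-]*)\s*(\{[^}]*\}|[^;{]*);')

def top_level_blocks(conf):
    """Yield (header words, body) for each top-level `header { body };`."""
    i = 0
    while (start := conf.find('{', i)) >= 0:
        depth, j = 0, start
        while j < len(conf):            # walk to the matching closing brace
            depth += {'{': 1, '}': -1}.get(conf[j], 0)
            if depth == 0:
                break
            j += 1
        header = conf[conf.rfind(';', 0, start) + 1:start]
        words = ' '.join(l for l in header.splitlines()
                         if not l.strip().startswith('//')).split()
        yield words, conf[start + 1:j]
        i = j + 1

def parse_statements(body):
    out = {}
    for name, val in _STMT.findall(body):
        val = val.strip()
        out[name] = ([v.strip() for v in val[1:-1].split(';') if v.strip()]
                     if val.startswith('{') else val)
    return out

def parse_named_conf(conf):
    """Return (options dict, {zone name: statements dict})."""
    opts, zones = {}, {}
    for words, body in top_level_blocks(conf):
        if words[:1] == ['options']:
            opts = parse_statements(body)
        elif words[:1] == ['zone']:
            zones[words[1].strip('"')] = parse_statements(body)
    return opts, zones

def audit(conf, role, slaves=()):
    """Findings for a named.conf of role 'caching', 'master' or 'slave'; an
    empty list means every option this chapter calls for is present."""
    opts, zones = parse_named_conf(conf)
    findings = []
    if role == 'caching':
        if opts.get('forward') != 'only' or not opts.get('forwarders'):
            findings.append('caching server needs forwarders and "forward only"')
    else:
        for key in ('recursion', 'fetch-glue'):
            if opts.get(key) != 'no':
                findings.append('%s not set to no' % key)
        if 'allow-query' not in opts:
            findings.append('allow-query missing: anyone may query')
        xfer = opts.get('allow-transfer')
        if xfer is None:
            findings.append('allow-transfer missing: anyone may pull zones')
        elif role == 'master' and set(xfer) != set(slaves):
            findings.append('allow-transfer not limited to slaves %s' % sorted(slaves))
    for name, zone in zones.items():
        if zone.get('type') == 'slave' and not zone.get('masters'):
            findings.append('slave zone %s has no masters line' % name)
    return findings
```

audit(MASTER_CONF, 'master', slaves=('208.164.186.2',)) returns no findings, while OPEN_CONF is reported for every missing option and for its slave zone without a masters line.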
21.5.1. /etc/rc.d/init.d/named script
Configure your /etc/rc.d/init.d/named script file to start and stop the BIND/DNS daemon on your server. This script can be used for all types of name server: caching, master or slave. Create the named script file (touch /etc/rc.d/init.d/named) and add:
#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
#              that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

[ -f /usr/sbin/named ] || exit 0
[ -f /etc/named.conf ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        daemon named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
        echo
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/sbin/ndc status
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        ;;
  reload)
        /usr/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload|probe}"
        exit 1
esac
exit $RETVAL
Make the script executable and readable only by root:
[root@deep]# chmod 700 /etc/rc.d/init.d/named
Register it with chkconfig so that named starts in run levels 3, 4 and 5:
[root@deep]# chkconfig --add named
[root@deep]# chkconfig --level 345 named on
Start the DNS server manually:
[root@deep]# /etc/rc.d/init.d/named start
Starting named: [ OK ]
The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISC BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail.
This part focuses on preventing ISC BIND/DNS from being used as a point of break-in to the system hosting it. Since ISC BIND/DNS performs a relatively large and complex function, the potential for bugs that affect security is rather high with this software. In fact, there have been exploitable bugs in the past that allowed a remote attacker to obtain root access to hosts running ISC BIND/DNS. To minimize this risk, ISC BIND/DNS can be run as a non-root user, which will limit any damage to what can be done as a normal user with a local shell. Of course, this is not enough for the security requirements of most DNS servers, so an additional step can be taken: running ISC BIND in a chroot jail.
Note: The named binary program must be in a directory listed within your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is /usr/sbin/named.
The following are the necessary steps to run ISC BIND/DNS software in a chroot jail:
We must find the shared library dependencies of named (named is the DNS daemon). These will need to be copied into the chroot jail later.
- To find the shared library dependencies of named, execute the following command:
[root@deep] /# ldd /usr/sbin/named
libc.so.6 => /lib/libc.so.6 (0x40017000)
/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
- Make a note of the files listed above; you will need these later in our steps.
Now we must set up the chroot environment, and create the root directory of the jail. We've chosen /chroot/named because we want to put this on its own separate file system to prevent file system attacks. Early in our Linux installation procedure we created a special partition /chroot for this purpose.
[root@deep] /# /etc/rc.d/init.d/named stop
Shutting down named: [ OK ]
- Required only if an existing named daemon is running.
[root@deep] /# mkdir -p /chroot/named
- Next, create the rest of the directories as follows:
[root@deep] /# mkdir /chroot/named/dev
[root@deep] /# mkdir /chroot/named/lib
[root@deep] /# mkdir /chroot/named/etc
[root@deep] /# mkdir -p /chroot/named/usr/sbin
[root@deep] /# mkdir -p /chroot/named/var/run
[root@deep] /# mkdir /chroot/named/var/named
- Now copy the main configuration file, the zone files, and the named and named-xfer programs into the appropriate places in the chroot jail directory:
[root@deep] /# cp /etc/named.conf /chroot/named/etc/
[root@deep] /# cd /var/named ; cp -a . /chroot/named/var/named/
[root@deep] /# mknod /chroot/named/dev/null c 1 3
[root@deep] /# chmod 666 /chroot/named/dev/null
[root@deep] /# cp /usr/sbin/named /chroot/named/usr/sbin/
[root@deep] /# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/
Note: The owner of the /chroot/named/var/named directory and all files in this directory must be the process name named under the slave server, and only on the slave server, or you wouldn't be able to make a zone transfer.
- To make the named directory and all its files owned by the named process name under the slave server, use the command:
[root@deep] /# chown -R named.named /chroot/named/var/named/
Copy the shared libraries identified above to the chrooted lib directory:
[root@deep] /# cp /lib/libc.so.6 /chroot/named/lib/
[root@deep] /# cp /lib/ld-linux.so.2 /chroot/named/lib/
Copy the localtime and nsswitch.conf files to the chrooted etc directory so that log entries are adjusted for your local timezone properly:
[root@deep] /# cp /etc/localtime /chroot/named/etc/
[root@deep] /# cp /etc/nsswitch.conf /chroot/named/etc/
We must set some files under the /chroot/named/etc directory with the immutable bit enabled for better security:
- Set the immutable bit on the nsswitch.conf file:
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i nsswitch.conf
- Set the immutable bit on the named.conf file:
[root@deep] /# cd /chroot/named/etc/
[root@deep etc]# chattr +i named.conf
- A file with the +i attribute cannot be modified, deleted or renamed; no link can be created to this file and no data can be written to it. Only the superuser can set or clear this attribute.
Add a new UID and a new GID for running the daemon named if this is not already set. This is important because running it as root defeats the purpose of the jail, and using a different user id that already exists on the system can allow your services to access each others' resources. Check the /etc/passwd and /etc/group files for a free UID/GID number. In our example we'll use the number 53 and the name named.
[root@deep] /# useradd -c "DNS Server" -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null || :
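Once the jail has been assembled by the steps above, it is worth verifying the result rather than trusting that every copy and chown succeeded. The following Python check is an added example, not code from the book or its floppy.tgz archive: it confirms the directory layout and copied files, the libraries named in the ldd output shown earlier, the /dev/null device node, ownership of var/named by the named UID/GID, and that nothing in the jail is setuid or setgid. demo() builds a placeholder tree of empty files in a temporary directory and leaves out the device node (mknod needs root), so exactly that one finding is expected from it.

```python
import os
import stat
import tempfile

# ldd output for named as shown in this chapter (sample input, not captured here).
LDD_OUTPUT = """\tlibc.so.6 => /lib/libc.so.6 (0x40017000)
\t/lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000)
"""
# Directories and files the steps above place under /chroot/named.
REQUIRED_DIRS = ['dev', 'lib', 'etc', 'usr/sbin', 'var/run', 'var/named']
REQUIRED_FILES = ['etc/named.conf', 'etc/localtime', 'etc/nsswitch.conf',
                  'usr/sbin/named', 'usr/sbin/named-xfer']

def libs_from_ldd(text):
    """Absolute library paths in ldd output; entries without a path (vdso) are skipped."""
    libs = []
    for fields in (line.split() for line in text.splitlines()):
        if '=>' in fields and fields[fields.index('=>') + 1].startswith('/'):
            libs.append(fields[fields.index('=>') + 1])
        elif fields and fields[0].startswith('/'):      # ld-linux line on newer ldd
            libs.append(fields[0])
    return libs

def verify_jail(jail, ldd_output, uid, gid):
    """Findings for a jail tree: layout, libraries, /dev/null, ownership, setuid."""
    problems = []
    for d in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(jail, d)):
            problems.append('missing directory %s' % d)
    for f in REQUIRED_FILES + [lib.lstrip('/') for lib in libs_from_ldd(ldd_output)]:
        if not os.path.isfile(os.path.join(jail, f)):
            problems.append('missing file %s' % f)
    try:
        st = os.stat(os.path.join(jail, 'dev/null'))
        ok = stat.S_ISCHR(st.st_mode) and (os.major(st.st_rdev), os.minor(st.st_rdev)) == (1, 3)
    except FileNotFoundError:
        ok = False
    if not ok:
        problems.append('dev/null is not a character device 1,3')
    # var/named must belong to the named user, and nothing in the jail may be
    # setuid/setgid: a jail without setuid programs gives a compromised named
    # nothing to escalate with.
    for root, dirs, files in os.walk(jail):
        for name in dirs + files:
            path = os.path.join(root, name)
            rel, st = os.path.relpath(path, jail), os.lstat(path)
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                problems.append('setuid/setgid bit on %s' % rel)
            if rel.startswith('var/named') and (st.st_uid, st.st_gid) != (uid, gid):
                problems.append('%s not owned by uid %d gid %d' % (rel, uid, gid))
    return sorted(problems)

def demo():
    """Build a placeholder jail (empty files, no device node) in a temp dir and
    verify it three ways; returns the findings of each run."""
    jail = tempfile.mkdtemp(prefix='named-jail-')
    for d in REQUIRED_DIRS:
        os.makedirs(os.path.join(jail, d))
    for f in REQUIRED_FILES + ['lib/libc.so.6', 'lib/ld-linux.so.2']:
        open(os.path.join(jail, f), 'w').close()
    uid, gid = os.getuid(), os.getgid()
    clean = verify_jail(jail, LDD_OUTPUT, uid, gid)       # only dev/null is reported
    os.chmod(os.path.join(jail, 'usr/sbin/named'), 0o4755)  # simulate a setuid copy
    setuid = verify_jail(jail, LDD_OUTPUT, uid, gid)
    wrong_owner = verify_jail(jail, LDD_OUTPUT, uid + 1, gid)
    return clean, setuid, wrong_owner
```

Against a real jail, call verify_jail('/chroot/named', output_of_ldd, 53, 53) with the UID/GID chosen for the named user; an empty list means every step above took effect.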