From 1c58931b470138b05ac72e50a9597ed71caac699 Mon Sep 17 00:00:00 2001 From: Tom Rhodes Date: Sun, 21 May 2006 21:55:08 +0000 Subject: [PATCH] Begin merging the BIND8 and BIND9 sections. This pretty much kills BIND8 in the handbook and pushes BIND9. Submitted by: Daniel Gerzo Supported by: dougb, trhodes --- .../handbook/network-servers/chapter.sgml | 843 +++++------------- 1 file changed, 210 insertions(+), 633 deletions(-) diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml index 74b54df98f..62154c4da4 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml @@ -2931,6 +2931,16 @@ dhcpd_ifaces="dc0" Lee Contributed by + + + Tom + Rhodes + + + + Daniel + Gerzo + Domain Name System (DNS) @@ -2953,23 +2963,16 @@ dhcpd_ifaces="dc0" perform DNS lookups on a system. + &os; currently comes with BIND9 + DNS server software by default. Our + installation provides enhanced security features, a new file + system layout and automated &man.chroot.8; configuration. + DNS DNS is coordinated across the Internet through a somewhat - complex system of authoritative root name servers, and other - smaller-scale name servers who host and cache individual domain - information. - - - - This document refers to BIND 8.x, as it is the stable version - used in &os;. Versions of &os; 5.3 and beyond include - BIND9 and the configuration instructions - may be found later in this chapter. Users of &os; 5.2 - and other previous versions may install BIND9 - from the net/bind9 port. - - - RFC1034 and RFC1035 dictate the DNS protocol. + complex system of authoritative root, Top Level Domain + (TLD), and other smaller-scale name servers + which host and cache individual domain information. 
@@ -3058,22 +3061,19 @@ dhcpd_ifaces="dc0" . is the root zone - org. is a zone under the root zone + org. is a Top level Domain + (TLD) under the root zone. example.org. is a - zone under the org. zone - - - foo.example.org. is - a subdomain, a zone under the example.org. zone + zone under the org. + TLD. - 1.2.3.in-addr.arpa is a zone referencing + 1.168.192.in-addr.arpa is a zone referencing all IP addresses which fall under the 3.2.1.* IP space. + role="ipaddr">192.168.1.* IP space. @@ -3113,8 +3113,8 @@ dhcpd_ifaces="dc0" hostname). - a backup name server, called a slave, must reply to queries - when the primary is down or inaccessible. + a backup or second name server, called a slave, will + reply to queries. @@ -3125,11 +3125,6 @@ dhcpd_ifaces="dc0" a local DNS server may cache and respond more quickly than querying an outside name server. - - a reduction in overall network traffic is desired (DNS - traffic has been measured to account for 5% or more of total - Internet traffic). - When one queries for - ndc - name daemon control program + &man.rndc.8; + Name server control utility. @@ -3181,12 +3176,14 @@ dhcpd_ifaces="dc0" - - Zone files are usually contained within the - /etc/namedb - directory, and contain the DNS zone information - served by the name server. - + Depending on how a given zone is configured on the server, + the files related to that zone can be found in the master, slave, or dynamic subdirectories of the + /etc/namedb directory. + These files contain the DNS information that + will be given out by the name server in response to queries. 
@@ -3199,14 +3196,30 @@ dhcpd_ifaces="dc0" Since BIND is installed by default, configuring it all is relatively simple. + + The default named configuration + is that of a basic resolving name server, ran in a + &man.chroot.8; environment. To start the server one time with + this configuration, use the following command: + + &prompt.root; /etc/rc.d/named forcestart + To ensure the named daemon is - started at boot, put the following line in + started at boot each time, put the following line into the /etc/rc.conf: named_enable="YES" - To start the daemon manually (after configuring it): - &prompt.root; ndc start + + There are obviously many configuration options for + /etc/namedb/named.conf that are beyond the + scope of this document. However, if you are interested in the + startup options for named on &os;, + take a look at the + named_* flags in + /etc/defaults/rc.conf and consult the + &man.rc.conf.5; manual page. The + section is also a good read. @@ -3215,15 +3228,30 @@ dhcpd_ifaces="dc0" BIND configuration files + + Configuration files for named + currently reside in + /etc/namedb directory and + will need modification before use, unless all that is needed is + a simple resolver. This is where most of the configuration will + be performed. + Using <command>make-localhost</command> - Be sure to: - - &prompt.root; cd /etc/namedb -&prompt.root; sh make-localhost - to properly create the local reverse DNS zone file in - /etc/namedb/master/localhost.rev. - + + To configure a master zone for the localhost visit the + /etc/namedb directory + and run the following command: + + &prompt.root; sh make-localhost + + If all went well, a new file should exist in the + master subdirectory. + The filenames should be localhost.rev for + the local domain name and localhost-v6.rev + for IPv6 configurations. As the default + configuration file, required information will + be present in the named.conf file. 
@@ -3231,14 +3259,29 @@ dhcpd_ifaces="dc0" // $FreeBSD$ // -// Refer to the named(8) manual page for details. If you are ever going -// to setup a primary server, make sure you've understood the hairy -// details of how DNS is working. Even with simple mistakes, you can -// break connectivity for affected parties, or cause huge amount of -// useless Internet traffic. +// Refer to the named.conf(5) and named(8) man pages, and the documentation +// in /usr/share/doc/bind9 for more details. +// +// If you are going to set up an authoritative server, make sure you +// understand the hairy details of how DNS works. Even with +// simple mistakes, you can break connectivity for affected parties, +// or cause huge amounts of useless Internet traffic. options { directory "/etc/namedb"; + pid-file "/var/run/named/pid"; + dump-file "/var/dump/named_dump.db"; + statistics-file "/var/stats/named.stats"; + +// If named is being used only as a local resolver, this is a safe default. +// For named to be accessible to the network, comment this option, specify +// the proper IP address, or delete this option. + listen-on { 127.0.0.1; }; + +// If you have IPv6 enabled on this system, uncomment this option for +// use as a local resolver. To give access to the network, specify +// an IPv6 address, or the keyword "any". +// listen-on-v6 { ::1; }; // In addition to the "forwarders" clause, you can force your name // server to never initiate queries of its own, but always ask its 
@@ -3276,30 +3319,12 @@ Internet. * If there is a firewall between you and name servers you want * to talk to, you might need to uncomment the query-source * directive below. Previous versions of BIND always asked - * questions using port 53, but BIND 8.1 uses an unprivileged - * port by default. + * questions using port 53, but BIND versions 8 and later + * use a pseudo-random unprivileged UDP port by default. */ // query-source address * port 53; - - /* - * If running in a sandbox, you may have to specify a different - * location for the dumpfile. - */ - // dump-file "s/named_dump.db"; }; -// Note: the following will be supported in a future release. -/* -host { any; } { - topology { - 127.0.0.0/8; - }; -}; -*/ - -// Setting up secondaries is way easier and the rough picture for this -// is explained below. -// // If you enable a local name server, don't forget to enter 127.0.0.1 // into your /etc/resolv.conf so this server will be queried first. // Also, make sure to enable it in /etc/rc.conf. 
@@ -3311,57 +3336,71 @@ zone "." { zone "0.0.127.IN-ADDR.ARPA" { type master; - file "localhost.rev"; + file "master/localhost.rev"; +}; + +// RFC 3152 +zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.IP6.ARPA" { + type master; + file "master/localhost-v6.rev"; }; // NB: Do not use the IP addresses below, they are faked, and only // serve demonstration/documentation purposes! // -// Example secondary config entries. It can be convenient to become -// a secondary at least for the zone where your own domain is in. Ask +// Example slave zone config entries. It can be convenient to become +// a slave at least for the zone your own domain is in. Ask // your network administrator for the IP address of the responsible // primary. // // Never forget to include the reverse lookup (IN-ADDR.ARPA) zone! -// (This is the first bytes of the respective IP address, in reverse +// (This is named after the first bytes of the IP address, in reverse // order, with ".IN-ADDR.ARPA" appended.) // -// Before starting to setup a primary zone, better make sure you fully -// understand how DNS and BIND works, however. There are sometimes -// unobvious pitfalls. Setting up a secondary is comparably simpler. +// Before starting to set up a primary zone, make sure you fully +// understand how DNS and BIND works. There are sometimes +// non-obvious pitfalls. Setting up a slave zone is simpler. // // NB: Don't blindly enable the examples below. :-) Use actual names // and addresses instead. -// -// NOTE!!! FreeBSD runs BIND in a sandbox (see named_flags in rc.conf). -// The directory containing the secondary zones must be write accessible -// to BIND. The following sequence is suggested: -// -// mkdir /etc/namedb/s -// chown bind:bind /etc/namedb/s -// chmod 750 /etc/namedb/s - For more information on running BIND in a sandbox, see - Running named in a sandbox. 
- +/* An example master zone +zone "example.net" { + type master; + file "master/example.net"; +}; +*/ - /* +/* An example dynamic zone +key "exampleorgkey" { + algorithm hmac-md5; + secret "sf87HJqjkqh8ac87a02lla=="; +}; +zone "example.org" { + type master; + allow-update { + key "exampleorgkey"; + }; + file "dynamic/example.org"; +}; +*/ + +/* Examples of forward and reverse slave zones zone "example.com" { - type slave; - file "s/example.com.bak"; - masters { - 192.168.1.1; - }; + type slave; + file "slave/example.com"; + masters { + 192.168.1.1; + }; }; - -zone "0.168.192.in-addr.arpa" { - type slave; - file "s/0.168.192.in-addr.arpa.bak"; - masters { - 192.168.1.1; - }; +zone "1.168.192.in-addr.arpa" { + type slave; + file "slave/1.168.192.in-addr.arpa"; + masters { + 192.168.1.1; + }; }; -*/ +*/ In named.conf, these are examples of slave entries for a forward and reverse zone. @@ -3373,17 +3412,17 @@ zone "0.168.192.in-addr.arpa" { zone "example.org" { type master; - file "example.org"; + file "master/example.org"; }; The zone is a master, as indicated by the statement, holding its zone information in - /etc/namedb/example.org indicated by + /etc/namedb/master/example.org indicated by the statement. zone "example.org" { type slave; - file "example.org"; + file "slave/example.org"; }; In the slave case, the zone information is transferred from 
@@ -3395,37 +3434,44 @@ zone "0.168.192.in-addr.arpa" { Zone Files + + BIND + zone files + + An example master zone file for example.org (existing within - /etc/namedb/example.org) is as follows: + /etc/namedb/master/example.org) is as follows: $TTL 3600 example.org. IN SOA ns1.example.org. admin.example.org. ( - 5 ; Serial + 2006051501 ; Serial 10800 ; Refresh 3600 ; Retry 604800 ; Expire 86400 ) ; Minimum TTL ; DNS Servers -@ IN NS ns1.example.org. -@ IN NS ns2.example.org. + IN NS ns1.example.org. + IN NS ns2.example.org. +; MX Records + IN MX 10 mx.example.org. + IN MX 20 mail.example.org. + + IN A 192.168.1.1 ; Machine Names localhost IN A 127.0.0.1 -ns1 IN A 3.2.1.2 -ns2 IN A 3.2.1.3 -mail IN A 3.2.1.10 -@ IN A 3.2.1.30 +ns1 IN A 192.168.1.2 +ns2 IN A 192.168.1.3 +mx IN A 192.168.1.4 +mail IN A 192.168.1.5 ; Aliases -www IN CNAME @ - -; MX Record -@ IN MX 10 mail.example.org. +www IN CNAME localhost Note that every hostname ending in a . is an @@ -3492,7 +3538,7 @@ www IN CNAME @ example.org. IN SOA ns1.example.org. admin.example.org. ( - 5 ; Serial + 2006051501 ; Serial 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after 1 week @@ -3526,15 +3572,15 @@ example.org. IN SOA ns1.example.org. admin.example.org. ( - 5 + 2006051501 the serial number of the file. This must be incremented each time the zone file is modified. Nowadays, many admins prefer a yyyymmddrr format for the serial - number. 2001041002 would mean - last modified 04/10/2001, the latter - 02 being the second time the zone + number. 2006051501 would mean + last modified 05/15/2006, the latter + 01 being the first time the zone file has been modified this day. The serial number is important as it alerts slave name servers for a zone when it is updated. 
@@ -3543,41 +3589,35 @@ example.org. IN SOA ns1.example.org. admin.example.org. ( -@ IN NS ns1.example.org. + IN NS ns1.example.org. This is an NS entry. Every name server that is going to reply authoritatively for the zone must have one of these entries. - The @ as seen here could have been - example.org. - The @ translates to the origin. localhost IN A 127.0.0.1 -ns1 IN A 3.2.1.2 -ns2 IN A 3.2.1.3 -mail IN A 3.2.1.10 -@ IN A 3.2.1.30 +ns1 IN A 192.168.1.2 +ns2 IN A 192.168.1.3 +mx IN A 192.168.1.4 +mail IN A 192.168.1.5 The A record indicates machine names. As seen above, ns1.example.org would resolve - to 3.2.1.2. Again, the - origin symbol, @, is used here, thus - meaning example.org would - resolve to 3.2.1.30. + to 192.168.1.2. -www IN CNAME @ +www IN CNAME localhost The canonical name record is usually used for giving aliases to a machine. In the example, www is - aliased to the machine addressed to the origin, or - example.org - (3.2.1.30). + aliased to the machine known as + localhost.example.org + (127.0.0.1). CNAMEs can be used to provide alias hostnames, or round robin one hostname among multiple machines. @@ -3588,7 +3628,7 @@ www IN CNAME @ -@ IN MX 10 mail.example.org. + IN MX 10 mail.example.org. The MX record indicates which mail @@ -3599,11 +3639,12 @@ www IN CNAME @ - One can have several mail servers, with priorities of 3, 2, - 1. A mail server attempting to deliver to example.org would first try the - highest priority MX, then the second highest, etc, until the - mail can be properly delivered. + highest priority MX (the record with the lowest priority + number), then the second highest, etc, until the mail can be + properly delivered. 
@@ -3614,20 +3655,21 @@ www IN CNAME @ $TTL 3600 -1.2.3.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. ( - 5 ; Serial +1.168.192.in-addr.arpa. IN SOA ns1.example.org. admin.example.org. ( + 2006051501 ; Serial 10800 ; Refresh 3600 ; Retry 604800 ; Expire 3600 ) ; Minimum -@ IN NS ns1.example.org. -@ IN NS ns2.example.org. + IN NS ns1.example.org. + IN NS ns2.example.org. +1 IN PTR example.org. 2 IN PTR ns1.example.org. 3 IN PTR ns2.example.org. -10 IN PTR mail.example.org. -30 IN PTR example.org. +4 IN PTR mx.example.org. +5 IN PTR mail.example.org. This file gives the proper IP address to hostname mappings of our above fictitious domain. 
@@ -3648,291 +3690,6 @@ www IN CNAME @ zones. - - Running <application>named</application> in a Sandbox - - BIND - running in a sandbox - - - - chroot - - For added security you may want to run &man.named.8; as an - unprivileged user, and configure it to &man.chroot.8; into a - sandbox directory. This makes everything outside of the - sandbox inaccessible to the named - daemon. Should named be - compromised, this will help to reduce the damage that can be - caused. By default, FreeBSD has a user and a group called - bind, intended for this use. - - Various people would recommend that instead of configuring - named to chroot, you - should run named inside a &man.jail.8;. - This section does not attempt to cover this situation. - - - Since named will not be able to - access anything outside of the sandbox (such as shared - libraries, log sockets, and so on), there are a number of steps - that need to be followed in order to allow - named to function correctly. In the - following checklist, it is assumed that the path to the sandbox - is /etc/namedb and that you have made no - prior modifications to the contents of this directory. Perform - the following steps as root: - - - - Create all directories that named - expects to see: - - &prompt.root; cd /etc/namedb -&prompt.root; mkdir -p bin dev etc var/tmp var/run master slave -&prompt.root; chown bind:bind slave var/* - - - - - - named only needs write access to - these directories, so that is all we give it. - - - - - - Rearrange and create basic zone and configuration files: - &prompt.root; cp /etc/localtime etc -&prompt.root; mv named.conf etc && ln -sf etc/named.conf -&prompt.root; mv named.root master - -&prompt.root; sh make-localhost -&prompt.root; cat > master/named.localhost -$ORIGIN localhost. -$TTL 6h -@ IN SOA localhost. postmaster.localhost. ( - 1 ; serial - 3600 ; refresh - 1800 ; retry - 604800 ; expiration - 3600 ) ; minimum - IN NS localhost. 
- IN A 127.0.0.1 -^D - - - - This allows named to log the - correct time to &man.syslogd.8;. - - - - - - - syslog - log files - named - - If you are running a version of &os; prior to 4.9-RELEASE, build a statically linked copy of - named-xfer, and copy it into the sandbox: - - &prompt.root; cd /usr/src/lib/libisc -&prompt.root; make cleandir && make cleandir && make depend && make all -&prompt.root; cd /usr/src/lib/libbind -&prompt.root; make cleandir && make cleandir && make depend && make all -&prompt.root; cd /usr/src/libexec/named-xfer -&prompt.root; make cleandir && make cleandir && make depend && make NOSHARED=yes all -&prompt.root; cp named-xfer /etc/namedb/bin && chmod 555 /etc/namedb/bin/named-xfer - - After your statically linked - named-xfer is installed some cleaning up - is required, to avoid leaving stale copies of libraries or - programs in your source tree: - - &prompt.root; cd /usr/src/lib/libisc -&prompt.root; make cleandir -&prompt.root; cd /usr/src/lib/libbind -&prompt.root; make cleandir -&prompt.root; cd /usr/src/libexec/named-xfer -&prompt.root; make cleandir - - - - This step has been reported to fail occasionally. If this - happens to you, then issue the command: - - &prompt.root; cd /usr/src && make cleandir && make cleandir - - and delete your /usr/obj tree: - - &prompt.root; rm -fr /usr/obj && mkdir /usr/obj - - This will clean out any cruft from your - source tree, and retrying the steps above should then work. - - - - If you are running &os; version 4.9-RELEASE or later, - then the copy of named-xfer in - /usr/libexec is statically linked by - default, and you can simply use &man.cp.1; to copy it into - your sandbox. 
- - - - Make a dev/null that - named can see and write to: - - &prompt.root; cd /etc/namedb/dev && mknod null c 2 2 -&prompt.root; chmod 666 null - - - - Symlink /var/run/ndc to - /etc/namedb/var/run/ndc: - - &prompt.root; ln -sf /etc/namedb/var/run/ndc /var/run/ndc - - - This simply avoids having to specify the - option to &man.ndc.8; every time you - run it. Since the contents of - /var/run are deleted on boot, it may - be useful to add this command to - root's &man.crontab.5;, using the - option. - - - - - - - syslog - log files - named - - Configure &man.syslogd.8; to create an extra - log socket that - named can write to. To do this, - add -l /etc/namedb/dev/log to the - syslogd_flags variable in - /etc/rc.conf. - - - - - chroot - - Arrange to have named start - and chroot itself to the sandbox by - adding the following to - /etc/rc.conf: - - named_enable="YES" -named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf" - - - Note that the configuration file - /etc/named.conf is denoted by a full - pathname relative to the sandbox, i.e. in - the line above, the file referred to is actually - /etc/namedb/etc/named.conf. - - - - - The next step is to edit - /etc/namedb/etc/named.conf so that - named knows which zones to load and - where to find them on the disk. There follows a commented - example (anything not specifically commented here is no - different from the setup for a DNS server not running in a - sandbox): - - options { - directory "/"; - named-xfer "/bin/named-xfer"; - version ""; // Don't reveal BIND version - query-source address * port 53; -}; -// ndc control socket -controls { - unix "/var/run/ndc" perm 0600 owner 0 group 0; -}; -// Zones follow: -zone "localhost" IN { - type master; - file "master/named.localhost"; - allow-transfer { localhost; }; - notify no; -}; -zone "0.0.127.in-addr.arpa" IN { - type master; - file "master/localhost.rev"; - allow-transfer { localhost; }; - notify no; -}; -zone "." 
IN { - type hint; - file "master/named.root"; -}; -zone "private.example.net" in { - type master; - file "master/private.example.net.db"; - allow-transfer { 192.168.10.0/24; }; -}; -zone "10.168.192.in-addr.arpa" in { - type slave; - masters { 192.168.10.2; }; - file "slave/192.168.10.db"; -}; - - - - The - directory statement is specified as - /, since all files that - named needs are within this - directory (recall that this is equivalent to a - normal user's - /etc/namedb). - - - - Specifies the full path - to the named-xfer binary (from - named's frame of reference). This - is necessary since named is - compiled to look for named-xfer in - /usr/libexec by default. - - Specifies the filename (relative - to the directory statement above) where - named can find the zone file for this - zone. - - Specifies the filename - (relative to the directory statement above) - where named should write a copy of - the zone file for this zone after successfully transferring it - from the master server. This is why we needed to change the - ownership of the directory slave to - bind in the setup stages above. - - - - After completing the steps above, either reboot your - server or restart &man.syslogd.8; and start &man.named.8;, making - sure to use the new options specified in - syslogd_flags and - named_flags. You should now be running a - sandboxed copy of named! - - - Security @@ -3941,6 +3698,12 @@ zone "10.168.192.in-addr.arpa" in { exploitable security holes are sometimes found. + While &os; automatically drops + named into a &man.chroot.8; + environment; there are several other security mechanisms in + place which could help to lure off possible + DNS service attacks. + It is a good idea to read CERT's security advisories and @@ -3958,7 +3721,7 @@ zone "10.168.192.in-addr.arpa" in { Further Reading BIND/named manual pages: - &man.ndc.8; &man.named.8; &man.named.conf.5; + &man.rndc.8; &man.named.8; &man.named.conf.5; 
@@ -3967,6 +3730,12 @@ zone "10.168.192.in-addr.arpa" in { Page + + Official ISC BIND + Forum + + @@ -3974,8 +3743,8 @@ zone "10.168.192.in-addr.arpa" in { - O'Reilly - DNS and BIND 4th Edition + O'Reilly + DNS and BIND 5th Edition 
@@ -3993,198 +3762,6 @@ zone "10.168.192.in-addr.arpa" in { - - - - - Tom - Rhodes - Written by - - - - <acronym>BIND</acronym>9 and &os; - - - - bind9 - setting up - - The release of &os; 5.3 brought the - BIND9 DNS server software - into the distribution. New security features, a new file system - layout and automated &man.chroot.8; configuration came with the - import. This section has been written in two parts, the first - will discuss new features and their configuration; the latter - will cover upgrades to aid in move to &os; 5.3. From this - moment on, the server will be referred to simply as - &man.named.8; in place of BIND. This section - skips over the terminology described in the previous section as - well as some of the theoretical discussions; thus, it is - recommended that the previous section be consulted before reading - any further here. - - Configuration files for named currently - reside in - /var/named/etc/namedb/ and - will need modification before use. This is where most of the - configuration will be performed. - - - Configuration of a Master Zone - - To configure a master zone visit - /var/named/etc/namedb/ - and run the following command: - - &prompt.root; sh make-localhost - - If all went well a new file should exist in the - master directory. The - filenames should be localhost.rev for - the local domain name and localhost-v6.rev - for IPv6 configurations. As the default - configuration file, configuration for its use will already - be present in the named.conf file. - - - - Configuration of a Slave Zone - - Configuration for extra domains or sub domains may be - done properly by setting them as a slave zone. In most cases, - the master/localhost.rev file could just be - copied over into the slave - directory and modified. 
Once completed, the files need - to be properly added in named.conf such - as in the following configuration for - example.com: - - zone "example.com" { - type slave; - file "slave/example.com"; - masters { - 10.0.0.1; - }; -}; - -zone "0.168.192.in-addr.arpa" { - type slave; - file "slave/0.168.192.in-addr.arpa"; - masters { - 10.0.0.1; - }; -}; - - Note well that in this example, the master - IP address is the primary domain server - from which the zones are transferred; it does not necessary serve - as DNS server itself. - - - - System Initialization Configuration - - In order for the named daemon to start - when the system is booted, the following option must be present - in the rc.conf file: - - named_enable="YES" - - While other options exist, this is the bare minimal - requirement. Consult the &man.rc.conf.5; manual page for - a list of the other options. If nothing is entered in the - rc.conf file then named - may be started on the command line by invoking: - - &prompt.root; /etc/rc.d/named start - - - - <acronym>BIND</acronym>9 Security - - While &os; automatically drops named - into a &man.chroot.8; environment; there are several other - security mechanisms in place which could help to lure off - possible DNS service attacks. - - - Query Access Control Lists - - A query access control list can be used to restrict - queries against the zones. The configuration works by - defining the network inside of the acl - token and then listing IP addresses in - the zone configuration. 
To permit domains to query the - example host, just define it like this: - - acl "example.com" { - 192.168.0.0/24; -}; - -zone "example.com" { - type slave; - file "slave/example.com"; - masters { - 10.0.0.1; - }; - allow-query { example.com; }; -}; - -zone "0.168.192.in-addr.arpa" { - type slave; - file "slave/0.168.192.in-addr.arpa"; - masters { - 10.0.0.1; - }; - allow-query { example.com; }; -}; - - - - Restrict Version - - Permitting version lookups on the DNS - server could be opening the doors for an attacker. A - malicious user may use this information to hunt up known - exploits or bugs to utilize against the host. - - - Setting a false version will not protect the server - from exploits. Only upgrading to a version that is not - vulnerable will protect your server. - - - A false version string can be placed the - options section of - named.conf: - - options { - directory "/etc/namedb"; - pid-file "/var/run/named/pid"; - dump-file "/var/dump/named_dump.db"; - statistics-file "/var/stats/named.stats"; - version "None of your business"; -}; - - - - - - -
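Review bot: the rewrite of the introductory paragraph in hunk @@ -2953,23 +2963,16 @@ drops the sentence "RFC1034 and RFC1035 dictate the DNS protocol." together with the obsolete BIND 8 note. The RFC pointer is still valid for BIND9 and was the section's only protocol reference; keep it after the new "Top Level Domain (TLD)" sentence.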
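Review bot: inconsistent capitalisation in hunk @@ -3058,22 +3061,19 @@: the new bullet reads "org. is a Top level Domain (TLD)" while the paragraph added in the previous hunk spells it "Top Level Domain (TLD)". Use one form; since the acronym is already expanded above, "a top-level domain (TLD)" is enough here.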
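Review bot: grammar and wording in hunk @@ -3199,14 +3196,30 @@: "a basic resolving name server, ran in a &man.chroot.8; environment" should read "run in", and "To start the server one time with this configuration" reads better as "once". In the same hunk, "There are obviously many configuration options" loses nothing without "obviously".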
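Review bot: missing documentation in hunk @@ -3215,15 +3228,30 @@: the new paragraph says the files "currently reside in /etc/namedb directory" (also missing "the"), but the BIND9 section removed later in this patch placed them under /var/named/etc/namedb/, and the chapter now states that named runs chrooted. Say how the two paths relate (whether /etc/namedb is a link into the chroot directory), so a reader who edits the files knows where they actually live inside the sandbox. The closing sentence "As the default configuration file, required information will be present in the named.conf file." is hard to parse; suggest "The default named.conf already contains the zone statements for these files."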
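Review bot: the new listen-on comment in hunk @@ -3231,14 +3259,29 @@ tells the reader to "comment this option, specify the proper IP address, or delete this option" to make named reachable from the network, but nothing else added to the options block limits who may recurse through the server once that is done. Add a sentence there pointing at allow-recursion (or an acl), so that widening the listener does not silently produce an open recursive resolver; as written, the configuration is safe only because of "listen-on { 127.0.0.1; };".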
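Review bot: the reworded query-source comment in hunk @@ -3276,30 +3319,12 @@ correctly says that BIND 8 and later pick an unprivileged port, but it should also say that uncommenting "query-source address * port 53" makes every outgoing query use a single fixed, predictable source port, which is a security trade-off and not only a firewall convenience. The old text did not say so either, but this rewrite is the place to add it.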
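Review bot: the new dynamic-zone example in hunk @@ -3311,57 +3336,71 @@ embeds a TSIG key ("secret "sf87HJqjkqh8ac87a02lla=="") inline in named.conf with no comment. Even inside a /* */ block, mark the value as a placeholder and say how a real one is produced (dnssec-keygen), so nobody copies it, and note that a key stanza is normally kept in a separate root-only file pulled in with an include statement rather than in named.conf itself. The header's "NB: Do not use the IP addresses below, they are faked" should be extended to cover the key as well.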
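Review bot: logic problem in the rewritten zone file in hunk @@ -3395,37 +3434,44 @@: "www IN CNAME localhost" replaces "www IN CNAME @", so www.example.org now resolves to 127.0.0.1, and the explanation changed later in this patch duly says www "is aliased to the machine known as localhost.example.org (127.0.0.1)". That teaches an alias pointing a public name at the loopback address; alias www to a real host in the file (the mx or mail record, or the apex as the old text did) and adjust the explanation to match. Also, the new apex record "IN A 192.168.1.1" sits under the "; MX Records" heading; move it under "; Machine Names" with the other A records.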
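Review bot: the explanation hunk @@ -3543,41 +3589,35 @@ deletes "The @ as seen here could have been example.org. The @ translates to the origin.", but the replacement records ("IN NS ns1.example.org.", "IN MX 10 mail.example.org.", "IN A 192.168.1.1") now have an empty owner field, and nothing tells the reader that a blank owner means the name of the preceding record, here the SOA owner example.org. Keep one sentence explaining the blank owner (or the @ form); otherwise the NS and MX records appear to have no name at all.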
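Review bot: removing the sandbox section in hunk @@ -3648,291 +3690,6 @@ is justified by the automated chroot described earlier, but the example named.conf deleted with it was the only place in the chapter showing "allow-transfer { localhost; };", "notify no;" and "version ""; // Don't reveal BIND version". None of the zone examples that survive this patch restrict zone transfers; carry the allow-transfer lines over to the master zone examples (or to the Security section) rather than losing them.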
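Review bot: wording in hunk @@ -3941,6 +3698,12 @@: "lure off possible DNS service attacks" is not the intended phrase (ward off, or mitigate), and the semicolon after "environment" should be a comma. The added paragraph also promises "several other security mechanisms in place", but after the deletions later in this patch the Security section describes none; either name them here or reword so the paragraph does not point at material no longer in the file.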
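Review bot: hunk @@ -3993,198 +3762,6 @@ removes the "Query Access Control Lists" and "Restrict Version" subsections wholesale although nothing earlier in the patch absorbs them; the acl/allow-query example and the version override in the options block are the concrete mechanisms the merged text still alludes to. Move those two subsections, including the note that a false version string does not fix a vulnerable build, under the Security section instead of deleting them. The rest of the removed section (master zone, slave zone, rc.conf) is indeed covered by the merged text now.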