Other Server Software

Here you will find many ways to share your machine with the rest of the world or your local network. Before installing any packages in this chapter, you need to be sure you understand what the package does and how to set it up correctly. It might also be helpful to learn about the consequences of an improper setup so that you can analyze the risks.

BIND-9.2.3

Introduction to BIND

The BIND package provides a DNS server and client utilities. If you are only interested in the utilities, refer to the BIND Utilities-9.2.3.

Package information

BIND dependencies

Installation of BIND

Install BIND by running the following commands:

./configure --prefix=/usr --sysconfdir=/etc &&
make &&
make install

Configuring BIND

Config files

named.conf, root.hints, 127.0.0, rndc.conf

Configuration Information

We will configure BIND to run in a chroot jail as an unprivileged user (named). This configuration is more secure in that a DNS compromise can only affect a few files in the named user's HOME directory.

First we create the unprivileged user and group named:

groupadd named &&
useradd -m -g named -s /bin/false named

Then we set up some files, directories and devices needed by BIND:

cd /home/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /home/named/dev/null c 1 3 &&
mknod /home/named/dev/random c 1 8 &&
chmod 666 /home/named/dev/{null,random} &&
mkdir /home/named/etc/namedb/pz &&
cp /etc/localtime /home/named/etc

Create the named.conf file from which named will read the location of zone files, root name servers and secure DNS keys:

cat > /home/named/etc/named.conf << "EOF"
 options {
     directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
       
 };
 controls {
     inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
 };
 key "rndc_key" {
     algorithm hmac-md5;
     secret "[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]";
 };
 zone "." {
     type hint;
     file "root.hints";
 };
 zone "0.0.127.in-addr.arpa" {
     type master;
     file "pz/127.0.0";
 };
EOF

Create a zone file with the following contents:

cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@      IN      SOA     ns.local.domain. hostmaster.local.domain. (
                        1       ; Serial
                        8H      ; Refresh
                        2H      ; Retry
                        4W      ; Expire
                        1D)     ; Minimum TTL
                NS      ns.local.domain.
1               PTR     localhost.
EOF

Create the root.hints file with the following commands:

[Note]

Note

Caution must be used to insure no leading spaces in this file.

cat > /home/named/etc/namedb/root.hints << "EOF"
.                       6D  IN      NS      A.ROOT-SERVERS.NET.
.                       6D  IN      NS      B.ROOT-SERVERS.NET.
.                       6D  IN      NS      C.ROOT-SERVERS.NET.
.                       6D  IN      NS      D.ROOT-SERVERS.NET.
.                       6D  IN      NS      E.ROOT-SERVERS.NET.
.                       6D  IN      NS      F.ROOT-SERVERS.NET.
.                       6D  IN      NS      G.ROOT-SERVERS.NET.
.                       6D  IN      NS      H.ROOT-SERVERS.NET.
.                       6D  IN      NS      I.ROOT-SERVERS.NET.
.                       6D  IN      NS      J.ROOT-SERVERS.NET.
.                       6D  IN      NS      K.ROOT-SERVERS.NET.
.                       6D  IN      NS      L.ROOT-SERVERS.NET.
.                       6D  IN      NS      M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.     6D  IN      A       198.41.0.4
B.ROOT-SERVERS.NET.     6D  IN      A       128.9.0.107
C.ROOT-SERVERS.NET.     6D  IN      A       192.33.4.12
D.ROOT-SERVERS.NET.     6D  IN      A       128.8.10.90
E.ROOT-SERVERS.NET.     6D  IN      A       192.203.230.10
F.ROOT-SERVERS.NET.     6D  IN      A       192.5.5.241
G.ROOT-SERVERS.NET.     6D  IN      A       192.112.36.4
H.ROOT-SERVERS.NET.     6D  IN      A       128.63.2.53
I.ROOT-SERVERS.NET.     6D  IN      A       192.36.148.17
J.ROOT-SERVERS.NET.     6D  IN      A       192.58.128.30
K.ROOT-SERVERS.NET.     6D  IN      A       193.0.14.129
L.ROOT-SERVERS.NET.     6D  IN      A       198.32.64.12
M.ROOT-SERVERS.NET.     6D  IN      A       202.12.27.33
EOF

The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. Consult the BIND 9 Administrator Reference Manual for details.

Create the rndc.conf with the following commands:

cat > /etc/rndc.conf << "EOF"
key rndc_key {
algorithm "hmac-md5";
    secret
    "[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]";
    };
options {
    default-server localhost;
    default-key    rndc_key;
};
EOF

The rndc.conf file contains information for controlling named operations with the rndc utility.

Create or modify resolv.conf to use the new name server with the following commands:

[Note]

Note

Replace yourdomain.com with your own valid domain name.

cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search yourdomain.com
nameserver 127.0.0.1
EOF

Set permissions on the chroot jail with the following command:

chown -R named.named /home/named

To start the DNS server at boot, install /etc/rc.d/init.d/bind init script included in the blfs-bootscripts-5.1 package.

make install-bind

Now start BIND with the new boot script:

/etc/rc.d/init.d/bind start

Testing BIND

Test out the new BIND 9 installation. First query the local host address with dig:

dig -x 127.0.0.1

Now try an external name lookup, taking note of the speed difference in repeated lookups due to the caching. Run the dig command twice on the same address:

dig beyond.linuxfromscratch.org &&
dig beyond.linuxfromscratch.org

You can see almost instantaneous results with the named caching lookups. Consult bind-9.2.3/doc/arm/Bv9ARM.html, the BIND Administrator Reference Manual for further configuration options.

Contents

The BIND package contains dig, host, isc-config.sh, nslookup, rndc, rndc-confgen, named-checkconf, named-checkzone, lwresd, named, dnssec-signzone, dnssec-signkey, dnssec-keygen, dnssec-makekeyset and nsupdate.

Description

dig

dig interrogates DNS servers.

host

host is a utility for DNS lookups.

nslookup

nslookup is a program used to query Internet domain nameservers.

rndc

rndc controls the operation of BIND.

rndc-confgen

rndc-confgen generates rndc.conf files.

named-checkconf

named-checkconf checks the syntax of named.conf files.

named-checkzone

named-checkzone checks zone file validity.

lwresd

lwresd is a caching-only name server for local process use.

named

named is the name server daemon.

dnssec-signzone

dnssec-signzone generates signed versions of zone files.

dnssec-signkey

dnssec-signkey signs zone file key sets.

dnssec-keygen

dnssec-keygen is a key generator for secure DNS.

dnssec-makekeyset

dnssec-makekeyset generates a key set from one or more keys created by dnssec-keygen.

nsupdate

nsupdate is used to submit DNS update requests.