Sunday, August 24, 2008
With CentOS 5, bind is chrooted by default. What this means is that named is started in a "chroot jail": it runs as the user "named" and cannot see or access any files outside its own directory tree.
You can install bind either during the OS install or later via yum. The package installs the init script "named" in /etc/init.d as usual. Make sure you do a:
chkconfig named on
So that bind will start upon reboot. The install should have added named to both /etc/passwd and /etc/group.
The file sourced by the init script that determines whether or not named will be chrooted is /etc/sysconfig/named, which sets ROOTDIR among other things. By default, the chroot jail for named will be at:
/var/named/chroot
This directory will most likely be empty after the initial install. If you don't want to start everything from scratch, you can copy everything from:
/usr/share/doc/bind-<version>/sample
To:
/var/named/chroot
If not, make sure the following directories are created:
/var/named/chroot/var/named
/var/named/chroot/var/named/data
/var/named/chroot/var/run/named
/var/named/chroot/etc
Either way, the init script will expect named.conf to reside in $ROOTDIR/etc, in this case /var/named/chroot/etc, so make sure named.conf is there regardless of whether you use the sample or create everything from scratch.
Now, on to named.conf. The first thing you'll probably want to set up is the options clause, which contains global options. Some of the useful options include:
options
{
    query-source port 53;
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    zone-statistics yes;
    dump-file "data/cache_dump.db";
    statistics-file "data/named_stats.txt";
    memstatistics-file "data/named_mem_stats.txt";
    version "Get lost pal!";
};
With version 9, bind now supports "views", which let you set up instances of the same zone with different zone files according to the type of client that queries the server, limit which clients may query which zones, and control how each instance is queried and accessed. This lets you, for example, solve the age-old problem of having to run separate DNS servers for internal and external clients. Even if you are not going to set up separate views to start with, it is always a good idea to use the view clause, so that if you have to support views later you don't need to rewrite your named.conf, just add more views.
Now, remember that root hints must be declared in each view. The best thing to do is to put the root hint declarations in a separate file and "include" it in each view. You should be able to just copy it from:
/usr/share/doc/bind-<version>/sample/etc/named.root.hints
To:
/var/named/chroot/etc
Then, get the latest root hints:
wget ftp://rs.internic.net/domain/named.root
And copy it to:
/var/named/chroot/var/named
Do the same for the localhost TLD and address zones (unless you REALLY want to waste time building them by hand): copy
/usr/share/doc/bind-<version>/sample/etc/named.rfc1912.zones
To:
/var/named/chroot/etc
And the following files:
/usr/share/doc/bind-<version>/sample/var/named/named.broadcast
/usr/share/doc/bind-<version>/sample/var/named/named.local
/usr/share/doc/bind-<version>/sample/var/named/named.ip6.local
/usr/share/doc/bind-<version>/sample/var/named/named.zero
/usr/share/doc/bind-<version>/sample/var/named/localhost.zone
/usr/share/doc/bind-<version>/sample/var/named/localdomain.zone
To:
/var/named/chroot/var/named
Now, continuing with views in named.conf:
// localhost_resolver is for RFC1912
// this is all you need if you just want a local cache
// this view only serves the server this is running on
view "localhost_resolver"
{
    match-clients { localhost; };
    match-destinations { localhost; };
    include "/etc/named.root.hints";
    include "/etc/named.rfc1912.zones";
    zone "example.com" {
        type master;
        file "data/example.com.zone";
    };
};

view "internal"
{
    match-clients { localnets; };
    match-destinations { localnets; };
    recursion yes;
    include "/etc/named.root.hints";
    zone "example.com" {
        type master;
        file "data/example.com.zone";
    };
};
Now everything should be set, except for the zone file for example.com. I've included one here as an example (no pun intended). Note that zone file comments start with ";" and that the MX line is indented so it inherits the "@" owner from the line above:
$TTL 1h
@ IN SOA ns1.example.com. hostmaster.example.com. (
    2008081004 ; serial
    12h        ; refresh
    15m        ; update retry
    1d         ; expiry
    1h         ; minimum
)
@         IN NS ns1.example.com.
          IN MX 10 mail.example.com.
ns1       IN A 192.168.2.50
mail      IN A 192.168.2.100
kickstart IN A 192.168.5.150
Now we just have to set the permissions:
chmod -R 770 /var/named/chroot
chown -R named:named /var/named/chroot
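Before starting named, it is worth checking that the jail actually contains everything the named.conf above refers to. The script below is an added example, not part of the original post; it assumes the default ROOTDIR and the file names used above (named.root.hints, named.rfc1912.zones, named.root, data/example.com.zone), and uses named-checkconf/named-checkzone for the syntax check when they are installed.

```shell
#!/bin/sh
# Added example (not from the original post): build and sanity-check the
# chroot tree for a CentOS 5 chrooted bind. ROOTDIR is /var/named/chroot by
# default; named.conf is expected at $ROOTDIR/etc/named.conf.

# Create the directories the init script and the options clause expect.
create_chroot_dirs() {
    root="$1"
    for d in var/named var/named/data var/run/named etc; do
        mkdir -p "$root/$d" || return 1
    done
}

# Report every directory or file referenced by named.conf that is missing
# from the jail. Returns 1 if anything is missing, 0 otherwise.
verify_chroot_layout() {
    root="$1"
    missing=0
    for d in var/named var/named/data var/run/named etc; do
        [ -d "$root/$d" ] || { echo "missing dir: $root/$d"; missing=1; }
    done
    for f in etc/named.conf etc/named.root.hints etc/named.rfc1912.zones \
             var/named/named.root var/named/data/example.com.zone; do
        [ -f "$root/$f" ] || { echo "missing file: $root/$f"; missing=1; }
    done
    return $missing
}

# Syntax-check named.conf and the zone from *inside* the jail, so include
# paths such as "/etc/named.root.hints" resolve exactly as named sees them.
# named-checkconf -t chroots into $root, so this part needs root; the check
# is skipped when the bind tools are not installed.
check_config() {
    root="$1"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$root" /etc/named.conf || return 1
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.com "$root/var/named/data/example.com.zone" || return 1
    fi
}

# Usage: run as root after the chmod/chown step above.
# create_chroot_dirs /var/named/chroot
# verify_chroot_layout /var/named/chroot && check_config /var/named/chroot
```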
Now we're set. Simply start named with:
service named start
And off we go.