Saturday, February 9, 2008

Domain Name Server (DNS) configuration (redhat/fedora)

Domain Name Server (DNS) configuration using Bind version 8 or 9

Primary server (master)

/etc/named.conf
______________________________________________________________________
options {
version "Bind"; - Don't disclose real version to hackers
directory "/var/named";
allow-transfer { XXX.XXX.XXX.XXX; }; - IP address of secondary DNS
recursion no;
fetch-glue no; - Bind 8 only! Not used by version 9
};
zone "your-domain.com"{
type master;
file "named.your-domain.com";
notify yes;
};
zone "0.0.127.in-addr.arpa"{
type master;
file "named.local";
allow-update { none; };
};
______________________________________________________________________

File: /var/named/named.your-domain.com

______________________________________________________________________

$TTL 604800         - Bind 9 (and some later versions of Bind 8) requires a $TTL statement. Measured in seconds. This value is 7 days.
your-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (
2000021600 ; serial - Many people use year+month+day+integer as a system. Never greater than 2147483647 for a 32 bit processor.
86400 ; refresh - How often (in seconds) secondary servers should check for a change in the serial number. (86400 sec = 24 hrs)
7200 ; retry - How long a secondary server should wait before retrying if contact failed.
1209600 ; expire - A secondary server purges the zone data after this length of time without successful contact.
604800 ) ; default_ttl - How long data is held in cache by remote servers.
IN A XXX.XXX.XXX.XXX - Note that this is the default IP address of the domain. I put the web server IP address here so that domain.com points to the same server as www.domain.com.

;
; Name servers for the domain
;
IN NS ns1.your-domain.com.
IN NS ns2.your-domain.com.
;
; Mail server for domain
;
IN MX 5 mail - Identify "mail" as the node handling mail for the domain. Do NOT specify an IP address!
;
; Nodes in domain
;
node1 IN A XXX.XXX.XXX.XXX - Note that this is the IP address of node1
ns1 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own primary name server. Note that this is the IP address of ns1
ns2 IN A XXX.XXX.XXX.XXX - Optional: For hosting your own secondary name server. Note that this is the IP address of ns2
mail IN A XXX.XXX.XXX.XXX - Identify the IP address for node mail.
IN MX 5 mail.your-domain.com. - Mail addressed to the node "mail" itself is also handled by "mail". An MX must name a host, never an IP address.
;
; Aliases to existing nodes in domain
;

www IN CNAME node1 - Define the webserver "www" to be node1.
ftp IN CNAME node1 - Define the ftp server to be node1.

______________________________________________________________________



MX records for 3rd party off-site mail servers:
______________________________________________________________________

your-domain.com.    IN MX  10 mail1.offsitemail.com.
your-domain.com. IN MX 20 mail2.offsitemail.com.

Note: append these records to the zone file above.
______________________________________________________________________

Secondary server (slave)

/etc/named.conf

______________________________________________________________________

options {
version "Bind"; - Don't disclose real version to hackers
directory "/var/named";
allow-transfer { none; };
recursion no;
fetch-glue no; - Bind 8 only! Not used by version 9
};
zone "your-domain.com"{
type slave;
file "named.your-domain.com"; - Specify slaves/named.your-domain.com for RHEL4 chrooted bind
masters { XXX.XXX.XXX.XXX; }; - IP address of primary DNS
};
zone "0.0.127.in-addr.arpa"{
type master;
file "named.local";
};

Bind Defaults:

  • Uses port 53 if none is specified with the listen-on port statement.
  • Bind will use random ports above port 1024 for queries. For use with firewalls expecting all DNS traffic on port 53, specify the following option statement in /etc/named.conf. Be aware that pinning the source port gives up source-port randomisation, which is part of a resolver's defence against cache poisoning; it is acceptable here only because recursion is disabled.

query-source address * port 53;

Logging goes to: /var/log/messages


After the configuration files have been edited, restart the name daemon.

/etc/rc.d/init.d/named restart


/var/named/named.your-domain.com

This file is created for you by Bind on the slave (secondary) server when it replicates the zone from the primary server.


Test DNS

install packages:
  • Red Hat / Fedora Core / SuSE: bind-utils

Test the name server with the host command:
   host  node.domain-to-test.com your-nameserver-to-test.domain.com
Note: The name server may also be specified by IP address.

or

Test the name server with the nslookup command in interactive mode:

   nslookup
> server your-nameserver-to-test.domain.com
> node.domain-to-test.com
> exit

Test the MX record if appropriate:

   nslookup -querytype=mx domain-to-test.com

OR

host -t mx domain-to-test.com

Test using the dig command:

   dig @name-server domain-to-query

OR

dig @IP-address-of-name-server domain-to-query

Test your DNS with the following DNS diagnostics web site: DnsStuff.com


Extra logging to monitor Bind:

Add the following to your /etc/named.conf file.

logging {
channel bindlog {
file "/var/log/bindlog" versions 5 size 1m; - Keep five old versions of the log-file (rotates logs)
print-time yes;
print-category yes;
print-severity yes;
};
category xfer-out { bindlog; }; - Zone transfers
category xfer-in { bindlog; }; - Zone transfers
category security { bindlog; }; - Approved/unapproved requests

// The following logging categories, panic, insist and response-checks, are valid for Bind 8 only. Do not use them with version 9.
category panic { bindlog; }; - System shutdowns
category insist { bindlog; }; - Internal consistency check failures
category response-checks { bindlog; }; - Messages
};


Chroot Bind for extra security:


Chrooted DNS configuration:

Modern releases of Linux (e.g. Fedora Core 3, Red Hat Enterprise Linux 4) come preconfigured to use "chrooted" bind. This security feature confines even an exploited bind process to the "chrooted" jail /var/named/chroot, which contains the familiar directories:

  • /var/named/chroot/etc: Configuration files
  • /var/named/chroot/dev: devices used by bind:
    • /dev/null
    • /dev/random
    • /dev/zero
    (Real devices created with the mknod command.)
  • /var/named/chroot/var: Zone files and configuration information.
These directories are generated and configured by the Red Hat/Fedora RPM package "bind-chroot".

If building from source you will have to generate this configuration manually:

  • mkdir -p /var/named/chroot
  • mkdir /var/named/chroot/dev
  • mknod /var/named/chroot/dev/null c 1 3
  • mknod /var/named/chroot/dev/zero c 1 5
  • mknod /var/named/chroot/dev/random c 1 8
  • chmod 666 -R /var/named/chroot/dev
  • mkdir -p /var/named/chroot/etc
  • ln -s /var/named/chroot/etc/named.conf /etc/named.conf
  • mkdir -p /var/named/chroot/var/named
  • ln -s /var/named/chroot/var/named/named.XXXX /var/named/named.XXXX
  • ln -s /var/named/chroot/var/named/named.YYYY /var/named/named.YYYY
  • ...
  • mkdir -p /var/named/chroot/var/named/slaves
  • mkdir -p /var/named/chroot/var/named/data
  • mkdir -p /var/named/chroot/var/run
  • mkdir -p /var/named/chroot/var/tmp
  • chown -R named:named /var/named/chroot
  • chown -R root:named /var/named/chroot/var/named


Load Balancing of servers using Bind: DNS Round-Robin

This will populate name servers around the world with different IP addresses for your web server www.your-domain.com. Define each server as a node, then give the name www one A record per address; Bind rotates the order of the addresses in each answer.
www0   IN  A       XXX.XXX.XXX.1
www1 IN A XXX.XXX.XXX.2
www2 IN A XXX.XXX.XXX.3
www3 IN A XXX.XXX.XXX.4
www4 IN A XXX.XXX.XXX.5
www5 IN A XXX.XXX.XXX.6

www IN A XXX.XXX.XXX.1
IN A XXX.XXX.XXX.2
IN A XXX.XXX.XXX.3
IN A XXX.XXX.XXX.4
IN A XXX.XXX.XXX.5
IN A XXX.XXX.XXX.6

Note: a name may carry only one CNAME record and no other data. Listing several CNAME records under www was a Bind 8 trick (it needed the multiple-cnames option); Bind 9 refuses to load such a zone, so the round-robin set must be A records.
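The zone-file rules this page relies on (an MX names a host, never an IP address; a name holds at most one CNAME and nothing else; a CNAME target must exist; Bind 9 requires $TTL) can be checked before named loads the file. The linter below is an added example, not part of the original post or of Bind; it parses a constructed zone in the tutorial's layout (RFC 5737 addresses stand in for the XXX.XXX.XXX.XXX placeholders) and reports each violation.

```python
import re

ORIGIN = "your-domain.com."
fqdn = lambda n: n if n.endswith(".") else f"{n}.{ORIGIN}"   # Bind appends the origin to relative names
# Constructed sample in the tutorial's layout; RFC 5737 addresses stand in for XXX.XXX.XXX.XXX.
ZONE = """$TTL 604800
your-domain.com. IN SOA ns1.your-domain.com. hostmaster.your-domain.com. (
        2000021600 86400 7200 1209600 604800 ) ; serial refresh retry expire ttl
        IN A     192.0.2.10
        IN MX 5  mail                  ; correct: an MX names a host
node1   IN A     192.0.2.10
mail    IN A     192.0.2.25
        IN MX 5  192.0.2.25            ; wrong: an MX must never name an IP address
www     IN CNAME node1
        IN CNAME www6.your-domain.com. ; wrong: second CNAME at www, and www6 is undefined
"""

def parse_zone(text):
    """Return (owner, type, rdata) tuples; strips ';' comments and folds the SOA parentheses."""
    text = re.sub(r";[^\n]*", "", text)
    text = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group()[1:-1].split()), text)
    records, owner = [], ORIGIN
    for line in text.splitlines():
        if not line.strip() or line.startswith("$"):
            continue
        tokens = line.split()
        if not line[0].isspace():
            owner = tokens.pop(0)                # a blank owner repeats the previous one
        while tokens[0] == "IN" or tokens[0].isdigit():
            tokens.pop(0)                        # skip an optional TTL and the IN class
        records.append((owner, tokens[0], tokens[1:]))
    return records

def lint(text):
    """Return the mistakes the tutorial warns about, as readable strings."""
    problems = [] if "$TTL" in text else ["missing $TTL directive (Bind 9 requires it)"]
    records = parse_zone(text)
    owners = {fqdn(o) for o, _, _ in records}
    types_at = {}
    for owner, rtype, rdata in records:
        types_at.setdefault(fqdn(owner), []).append(rtype)
        if rtype == "MX" and re.fullmatch(r"\d+(\.\d+){3}\.?", rdata[1]):
            problems.append(f"MX at {fqdn(owner)} names an IP address, not a host")
        if rtype == "CNAME" and fqdn(rdata[0]) not in owners:
            problems.append(f"CNAME {fqdn(owner)} -> {fqdn(rdata[0])} points at an undefined name")
    for name, types in types_at.items():
        if "CNAME" in types and len(types) > 1:
            problems.append(f"{name} mixes a CNAME with other records; Bind 9 rejects this")
    return problems
```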






1 comment:

Unknown said...

I have Fedora 6 proxy server and 6 client machines which can access the internet. I would like client machines to be able to ping external IP addresses. What settings do I have to configure?