3.4 DNS SECURITY - BIND

Securing DNS services can be a tricky and time-consuming task, requiring an administrator to spend a great deal of time planning and anticipating the organization's future growth and existing needs. The use of ISC's BIND DNS server (http://www.isc.org/products/BIND) has become an industry standard, marred by frequent discoveries of security problems either inherent in the server code or its design that have permitted attackers to compromise DNS servers, poison caches of DNS information and perform other such nefarious attacks on organizations. Proper design and deployment of a DNS server, especially one exposed in any way to the Internet, is therefore a paramount concern.

Fortunately, the recent spate of DNS attacks has caused those designing and maintaining the BIND code to build new safeguards for DNS information which, although somewhat cumbersome to establish, can help secure servers against attacks that might compromise or alter DNS data. We will explore below two common configurations for a DNS server: an internal caching DNS server, and a server which hosts DNS zones.

To maintain a high degree of security, both configurations will be confined to a "jail" on the server limiting their access: using the chroot() system call, the BIND server can be instructed to confine itself to a small area of the system as if that were the entire server. Any attacks that compromise the daemon will thus leave the attacker within the restricted area, unable to access any other portions of the server. In keeping with recent developments in BIND, we will deploy version 9 of the server: be sure, when you fetch the source code for this edition, that you are obtaining the latest stable release of the code possible, and always check with references such as BUGTRAQ to be sure there are no outstanding security breaches known for that version.

An exhaustive examination of all of the possible configurations and options for DNS would be well beyond the scope of this document: the user is directed to such works as Albitz and Liu's DNS and BIND (O'Reilly Publishing), now in its fourth edition, for a more encyclopedic reference to this protocol.

For all of the examples below, the following configuration has been used:

Internal network: 1.3.5.0 / 24

External network: 2.4.6.0 / 24

Domain: example.com

1.3.5.50 is the primary DNS server, with a secondary DNS server at 2.4.6.5. This network's ISP also offers a caching DNS server at 3.5.7.10.

3.4.1 Caching-only Nameserver

This nameserver will offer DNS service to a local network. Although it does not host any DNS domains (also called "zones"), it accepts queries from the local network and resolves them against a cache of recent requests. If it finds that it cannot answer the request from its own cache, it will (depending on its configuration) either forward the query upstream to the ISP's caching nameserver to see if it can answer the query, or perform recursive queries out to the Internet on its own to discover the necessary information.

3.4.1.1 Unpack Sources and Compile Binaries

 tar -zxvf bind-9.2.1.tar.gz
 cd bind-9.2.1

Configure in OpenSSL support to enable transaction signing

 ./configure --with-openssl --with-randomdev=/dev/random
 make

Here, we're going to use the DESTDIR option for installing the binaries directly into the chroot jail, which saves time.

 mkdir /usr/local/bind
 make install DESTDIR=/usr/local/bind

3.4.1.2 Set Up the Chroot Jail Environment

 cd /usr/local/bind 

Now we need to simulate the root environment, since this corner of the filesystem is all that the daemon will have access to while it is running.

 mkdir -p dev etc lib named/local var/run

We need an unprivileged user account under which the server will run, with a separate and unique group. This permits the daemon to own the files and directories to which it has to write, without overlapping those permissions with other areas of other filesystems. Create the group first so that the account can be placed in it:

 groupadd dns
 useradd -g dns -s /dev/null -d /usr/local/bind dns

The daemon will store several volatile files in /var/run in the jail, so it will need access to write to those.

 chown -R dns:dns /usr/local/bind/var/run 

While chrooted, the daemon will require access to system libraries and devices to answer requests. Since this miniature root filesystem is all that it will have access to while running, we need to replicate that information within the chroot. The libraries listed below were obtained by running ldd against the BIND binaries in /usr/local/bind/sbin to determine which libraries they are linked against; the exact names and versions will differ from system to system, so run ldd yourself rather than copying this list blindly.

 mknod /usr/local/bind/dev/null c 1 3
 mknod /usr/local/bind/dev/random c 1 8
 chmod 666 /usr/local/bind/dev/null /usr/local/bind/dev/random
 mkdir -p /usr/local/bind/lib
 cp /lib/libcrypto.so.2 /usr/local/bind/lib
 cp /lib/libnsl.so.1 /usr/local/bind/lib
 cp /lib/libc.so.6 /usr/local/bind/lib
 cp /lib/libdl.so.2 /usr/local/bind/lib
 cp /lib/ld-linux.so.2 /usr/local/bind/lib
 cp /etc/localtime /usr/local/bind/etc
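Copying libraries by hand is error-prone and the list goes stale on every upgrade. The following shell functions are an added example (not part of the original guide) that derive the list from ldd output and copy each library into the jail under its original path. The jail path and binary names in the usage line are the ones this guide uses; nothing else is assumed about the system.

```shell
#!/bin/sh
# Added example (not from the original guide): populate a chroot jail with the
# shared libraries a binary needs, driven by ldd output instead of a hand-kept list.

# ldd_paths: read ldd output on stdin and print one absolute library path per
# line. Covers "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld-linux.so.2 (0x...)"; skips "linux-gate.so.1 => (0x...)", the kernel
# vDSO, which has no file to copy.
ldd_paths() {
    awk '{
        for (i = 1; i <= NF; i++) {
            if (substr($i, 1, 1) == "/") { print $i; break }
        }
    }'
}

# jail_copy_libs JAIL BINARY...: copy every library the binaries need into JAIL,
# keeping the original path, so /lib/libc.so.6 lands in JAIL/lib/libc.so.6.
# cp follows symlinks, so the jail gets the real file rather than a dangling link.
jail_copy_libs() {
    jail=$1
    shift
    for bin in "$@"; do
        ldd "$bin" | ldd_paths
    done | sort -u | while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Usage (as root, after "make install DESTDIR=/usr/local/bind"):
#   jail_copy_libs /usr/local/bind /usr/local/bind/sbin/named \
#       /usr/local/bind/sbin/named-checkconf /usr/local/bind/sbin/named-checkzone
```

Re-run this after any libc or OpenSSL update: the package manager patches /lib, not the copies inside the jail, so a chrooted daemon keeps running the old, vulnerable library until you refresh it.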

Here, we inform the syslog daemon that it may receive syslog information from an additional log socket, /usr/local/bind/dev/log, which resides within the chroot. This allows us to receive syslog messages from the chrooted daemon.

 Edit /etc/sysconfig/syslog so that

     SYSLOGD_OPTIONS="-m 0"

 becomes

     SYSLOGD_OPTIONS="-m 0 -a /usr/local/bind/dev/log"

Now we need to set fairly granular access rights to the directories in the chroot. The daemon will be writing to, reading from, and monitoring the contents of a couple of files under /usr/local/bind/named, which contains the zone files for the daemon. We'll grant it the right to read and write to things in that directory but keep it fairly restricted outside of that, even using chattr to add the immutable flag to several directories. This keeps those directories from being altered until root removes the immutable flag. /usr/local/bind/named/local will contain several zone files for the daemon dealing with the loopback interface, lo0 (127.0.0.1). Since these never need to be altered, we'll restrict them from being written to, to keep them safe, and take the same action on the main BIND configuration file, /usr/local/bind/etc/named.conf.

 chown root /usr/local/bind /usr/local/bind/named/local
 chmod 700 /usr/local/bind
 chown dns:dns /usr/local/bind/named
 chmod 700 /usr/local/bind/named
 chmod 755 /usr/local/bind/named/local
 chmod 444 /usr/local/bind/named/local/*
 chown root /usr/local/bind/etc/named.conf
 chmod 644 /usr/local/bind/etc/named.conf
 chattr +i /usr/local/bind/etc/localtime /usr/local/bind/etc /usr/local/bind/var
 chattr +i /usr/local/bind/etc/named.conf /usr/local/bind/named/local/*

When the server does not have the answer to a query cached, it must either forward the query to another server or begin making inquiries of its own to discover the information it needs. If you choose the latter approach, the server will need to know where the root servers for the Internet are in order to begin its inquiry by asking those servers where to find the information it needs. You can obtain an up-to-the-minute (not that the information changes that often) copy of the list of these servers from the Internic: fetch ftp://rs.internic.net/domain/named.cache and you'll have what you need. Once you have it, place that file in /usr/local/bind/named so the server can find it, and restrict the permissions on it to prevent attackers from poisoning your cache.

 cd /usr/local/bind/named
 chown root:root /usr/local/bind/named/named.cache
 chmod 444 /usr/local/bind/named/named.cache
 chattr +i /usr/local/bind/named/named.cache
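Permissions on a jail drift: an admin edits a zone file and leaves it group-writable, or a restore hands a directory back to root. The script below is an added example, not part of the original guide, that re-checks the owner and mode of every path the commands above set, plus the immutable flags, so the jail can be verified before each restart. It assumes GNU stat and lsattr; the jail path and user names are passed in, and the expected values are exactly those from the chown/chmod lines above.

```shell
#!/bin/sh
# Added example, not part of the original guide: audit the ownership, modes and
# immutable flags the guide sets on the BIND chroot jail. Requires GNU stat; the
# immutability check additionally needs lsattr (e2fsprogs).

# expect_perm PATH OWNER MODE: succeed only if PATH exists, is owned by OWNER and
# has octal mode MODE. MODE "-" means "any mode, check the owner only".
expect_perm() {
    path=$1 owner=$2 mode=$3
    if [ ! -e "$path" ]; then
        echo "MISSING $path"
        return 1
    fi
    have_owner=$(stat -c '%U' "$path")
    have_mode=$(stat -c '%a' "$path")
    if [ "$have_owner" != "$owner" ]; then
        echo "OWNER   $path: want $owner, have $have_owner"
        return 1
    fi
    if [ "$mode" != "-" ] && [ "$have_mode" != "$mode" ]; then
        echo "MODE    $path: want $mode, have $have_mode"
        return 1
    fi
    return 0
}

# audit_jail JAIL DNSUSER [ADMIN]: check every path the guide sets explicitly.
# Returns the number of findings (0 means the jail matches the guide's layout).
audit_jail() {
    jail=$1 dns=$2 admin=${3:-root} fails=0
    expect_perm "$jail"                   "$admin" 700 || fails=$((fails + 1))
    expect_perm "$jail/named"             "$dns"   700 || fails=$((fails + 1))
    expect_perm "$jail/named/local"       "$admin" 755 || fails=$((fails + 1))
    expect_perm "$jail/named/named.cache" "$admin" 444 || fails=$((fails + 1))
    expect_perm "$jail/etc/named.conf"    "$admin" 644 || fails=$((fails + 1))
    expect_perm "$jail/var/run"           "$dns"   -   || fails=$((fails + 1))
    for f in "$jail"/named/local/*; do
        expect_perm "$f" "$admin" 444 || fails=$((fails + 1))
    done
    return $fails
}

# audit_immutable JAIL: verify the chattr +i targets still carry the flag.
# lsattr prints the flag field first; a lowercase "i" in it means immutable.
audit_immutable() {
    jail=$1 fails=0
    for p in "$jail/etc" "$jail/etc/named.conf" "$jail/etc/localtime" "$jail/var" \
             "$jail/named/named.cache" "$jail"/named/local/*; do
        if ! lsattr -d "$p" 2>/dev/null \
             | awk 'BEGIN { rc = 1 } { if (index($1, "i")) rc = 0 } END { exit rc }'; then
            echo "MUTABLE $p"
            fails=$((fails + 1))
        fi
    done
    return $fails
}

# Usage on the jail built in this section:
#   audit_jail /usr/local/bind dns && audit_immutable /usr/local/bind
```

Run both checks from the init script before starting named, or from cron, and treat any non-zero return as a reason to look at the jail before the daemon goes back into service.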

3.4.1.3 Create and Edit Main Configuration File

Now we need to create the main configuration file for the BIND server, /usr/local/bind/etc/named.conf (which will become /etc/named.conf once the server is chrooted). The contents of this file are below: comments in the file may start with a pound (#) sign, or with double slashes (//).

named.conf:

#
# named.conf file for caching-only DNS server
#
# First we'll establish some ACL groups that define trusted and
# untrusted networks and hosts for certain actions, then we can
# use those throughout the rest of the file as shorthand.

# This server has no need to perform or receive zone transfers,
# so restrict those completely
acl "xfer" {
    none;
};

# This is our internal network, to be trusted to perform certain
# actions such as issuing queries to the server.
acl "trustednets" {
    1.3.5.0/24;
};

# These are networks that do not exist. It includes the multicast
# subnets, the subnets defined as "private" by RFC 1918 and the loopback
# network. These should not be seen as source IPs at your server under
# normal circumstances, unless you're using one of the RFC 1918 subnets
# for your internal network. In that case, be sure to block it out of
# this list or the daemon may not accept queries from it!
# Note: 222.0.0.0/8 and 223.0.0.0/8 were unallocated when this list was
# written but have since been assigned; check the current IANA allocations
# before blackholing whole /8 ranges.
acl "invalidnets" {
    10.0.0.0/8;
    127.0.0.0/8;
    169.254.0.0/16;
    172.16.0.0/12;
    192.168.0.0/16;
    222.0.0.0/8;
    223.0.0.0/8;
    224.0.0.0/3;
};

options {
    // Remember that all directory paths in this section
    // must be presented relative to the chroot hierarchy!
    // Set the named directory
    directory "/named";
    // Declare the pid-file location for starts and stops
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/general.stats";
    // Memory statistics are not implemented (yet) for v9.2.1
    // memstatistics-file "/var/run/memory.stats";
    dump-file "/var/run/named.dump";
    zone-statistics yes;
    // Designate listening interface: listen on the primary adapter
    // and the loopback adapter
    listen-on { 1.3.5.50; 127.0.0.1; };
    // Do not check for interface link state, since it is not a dialup adapter
    interface-interval 0;
    // Specify an external forwarder, where applicable.
    // This is where you would specify to forward queries that are not
    // found in the local cache upstream to other servers.
    // forwarders { 3.5.7.10; };
    // Permit queries from trusted nets only via the "trustednets" ACL
    allow-query { trustednets; };
    // Use "xfer" ACL to define allowed zone transfers (none)
    allow-transfer { xfer; };
    // Lock out bogus networks using the "invalidnets" ACL
    blackhole { invalidnets; };
    // Set version string to something non-revealing.
    // This is a quick fix for a query that will reveal the
    // version of BIND your server is running, allowing an attacker to
    // tailor attacks accordingly. Setting the version string here will
    // not log attempts to query this information, however, which might
    // prove useful from an attack detection standpoint. A slightly more
    // complex fix is implemented below, which will log these attempts;
    // should you choose not to employ it, simply comment those lines and
    // uncomment this one.
    // version "No version here";
};

// Now we need to establish how the server will log information
logging {
    channel "default_syslog" {
        // By default, use syslog for logging
        syslog local5;
        severity debug;
    };
    channel "audit_log" {
        // Segregate security-related messages to a separate log file.
        // The path is relative to the chroot, and /var/run is the only
        // directory the "dns" user can write to (/var itself is immutable).
        file "/var/run/security.log";
        severity debug;
        // Include a timestamp
        print-time yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};

// Access view for trusted networks
// This tells the server how to handle queries from internal networks.
view "trusted-query" in {
    // This view will be used for queries matching the "trustednets" ACL
    match-clients { trustednets; };
    recursion yes;
    additional-from-auth yes;
    additional-from-cache yes;
    // Enable caching of DNS information
    zone "." in {
        type hint;
        file "named.cache";
    };
    // Permit queries for the localhost network, for which
    // every server must be a master
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "local/reverse.127.0.0";
        allow-query { any; };
        allow-transfer { none; };
    };
};

// Access view for "chaos" records
// This is an old trick but still valid: "chaos" records allow remote machines
// to query the version string from a DNS server running BIND software (they're
// a type of legacy record no longer really used any more). With the following
// settings, we establish a "chaos" record in the zone file local/chaos that
// establishes a completely different set of version and authoring information
// for BIND, and then prevent any queries against it from anywhere, thus creating
// two layers of security. In addition, any queries made against these records
// will be logged by the daemon, because they will get flagged as not allowed.
view "attempt-chaos" chaos {
    match-clients { any; };
    recursion no;
    // Send back empty replies to queries for other CHAOS records
    zone "." {
        type hint;
        file "/dev/null";
    };
    // Prevent anyone from making queries against our special CHAOS records.
    zone "bind" {
        type master;
        file "local/chaos";
        // You may choose to change the "allow-query" field to "trustednets",
        // permitting trusted hosts the right to query your server for its
        // version information. This can be handy for keeping track of
        // the software versions on your DNS servers, but treat it carefully!
        // If you choose to do that, you should alter the local/chaos file
        // to contain the correct version string, possibly with additional
        // comments for your admins.
        allow-query { none; };
        allow-transfer { none; };
    };
};
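The point of the "attempt-chaos" view is that every refused version.bind or authors.bind query is written to the audit_log channel, which only helps if someone reads it. The script below is an added example, not part of the original guide, that ranks clients by the number of refused CHAOS probes and lists those that exceed a threshold. It assumes BIND 9's "client IP#PORT: query ... denied" wording for refusals; the log excerpt written by write_sample_log is constructed for this example, not captured traffic.

```shell
#!/bin/sh
# Added example, not part of the original guide: summarise refused
# version.bind / authors.bind probes from the audit_log channel and rank
# the clients sending them. Assumes BIND 9's refusal message format:
#   client IP#PORT: query 'version.bind/TXT/CH' denied
# (later releases insert "(cache)" after "query"; both forms are matched).

# write_sample_log FILE: a constructed audit-log excerpt, not real traffic.
write_sample_log() {
    cat > "$1" <<'EOF'
29-Aug-2002 10:12:01.123 client 2.4.6.99#3456: query (cache) 'version.bind/TXT/CH' denied
29-Aug-2002 10:12:01.611 client 2.4.6.99#3457: query (cache) 'authors.bind/TXT/CH' denied
29-Aug-2002 10:12:02.004 client 2.4.6.99#3458: query 'version.bind/TXT/CH' denied
29-Aug-2002 10:15:44.900 client 1.3.5.20#1025: query (cache) 'version.bind/TXT/CH' denied
29-Aug-2002 10:16:00.100 client 1.3.5.21#1026: query: www.example.com IN A +
29-Aug-2002 10:16:03.500 client 1.3.5.21#1027: query (cache) 'www.example.com/A/IN' denied
EOF
}

# chaos_probes LOG: print "COUNT IP" for every client whose queries for the
# bind. CHAOS zone were refused, busiest client first.
chaos_probes() {
    grep -E "query (\(cache\) )?'(version|authors)\.bind/TXT/CH' denied" "$1" \
        | sed -E 's/.*client ([0-9.]+)#[0-9]+:.*/\1/' \
        | sort | uniq -c | sort -rn \
        | awk '{ print $1, $2 }'
}

# chaos_probers LOG THRESHOLD: only the client IPs with at least THRESHOLD
# refused probes, one per line, ready to feed to an alert or a firewall rule.
chaos_probers() {
    chaos_probes "$1" | awk -v limit="$2" '$1 >= limit { print $2 }'
}

# Usage against the chrooted daemon's log (path as seen from outside the jail):
#   chaos_probes /usr/local/bind/var/run/security.log
#   chaos_probers /usr/local/bind/var/run/security.log 3
```

A single version.bind query is routine scanner noise; a burst from one address shortly before other anomalies in the same log is what deserves a look. Keep the threshold low for external addresses and expect your own monitoring hosts to show up if you ever open allow-query to trustednets.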

You'll need to create some zone files as well: /usr/local/bind/named/local/chaos and /usr/local/bind/named/local/reverse.127.0.0. Examples of these files appear at the end of this document.

3.4.1.4 Check Configuration Files for Syntax Errors

BIND provides us with a pair of tools that will permit us to check our configuration files for validity before deploying them: this ensures that no one has left out a closing brace or semicolon anywhere. First, check the main configuration file for errors using named-checkconf. We'll have to specify the chroot directory (-t /usr/local/bind) and the name of the configuration file as it's seen once the server is chrooted (/etc/named.conf):

 /usr/local/bind/sbin/named-checkconf -t /usr/local/bind /etc/named.conf 

Now check each of the zone files, using the following syntax:

 /usr/local/bind/sbin/named-checkzone 0.0.127.in-addr.arpa /usr/local/bind/named/local/reverse.127.0.0

You should see in response:

 zone 0.0.127.in-addr.arpa/IN: loaded serial 42
 OK

Note that the serial number will vary according to what's in the zone file. Now check the chaos zone we're using (if you've opted to use it):

 /usr/local/bind/sbin/named-checkzone -c chaos bind /usr/local/bind/named/local/chaos 

You should see in response:

 zone bind/CH: loaded serial 42
 OK

3.4.1.5 Start Daemon with Chroot Manually and Test Lookups

Test that everything is working by manually loading the server and testing to ensure you can look up records. You may need to connect your system to the network at this point if you want to verify that you can look up actual Internet records.

 /usr/local/bind/sbin/named -u dns -t /usr/local/bind -c /etc/named.conf 

You can test the server by specifying it on the command line as a second argument to the host command (note that "nslookup" is deprecated, and may be removed from future releases of BIND, so now's the time to get in the habit of using something else instead!):

 host 127.0.0.1 1.3.5.50 

You should see in response:

 Using domain server:
 Name: 1.3.5.50
 Address: 1.3.5.50#53
 Aliases:

 1.0.0.127.in-addr.arpa domain name pointer localhost

3.4.1.6 Create Startup Files and Add to rc.d Hierarchy

Copy the sample named startup script that appears at the end of this section to /etc/init.d (or write your own), and add it into the startup hierarchy using chkconfig :

 /sbin/chkconfig --level 2345 --add named

3.4.2 Zone Hosting Service

This configuration will differ only a little from the previous, so comments have been included only where commands or instructions differ from what's been provided above. The primary difference with this configuration is that this server will not cache entries: its only job is to answer queries from other servers for domains it knows about, but not to make recursive queries to other servers. This server might live on a DMZ and be exposed to the Internet for incoming queries about the domains it hosts, and thus should never be simultaneously used to query out to the Internet for other domains on behalf of clients. This separation of duties will help keep attacks on your primary nameservers from affecting your inbound clients, possibly subjecting them to cache poisoning attacks that could lead to further breaches.

Many organizations choose to layer their DNS servers with a core DNS server that is configured as primary for all of the organization's domains. This master server is never exposed to the Internet, however: it will answer queries only from the perimeter DNS servers controlled by the organization. These perimeter hosts are then configured to be secondary servers (they perform zone transfers against the master) but are listed on the Internet as primary for the organization: machines on the Internet will query them for information about the organization's domains. This setup can help minimize the damage from an attack, since a compromised secondary can be replaced with a duplicate machine and simply instructed to zone-transfer its information from the master, allowing it to be placed back in service more quickly. This also means that an attack that changes a record will only do so on the secondary server: the change will be overwritten by the next zone transfer that occurs.

3.4.2.1 Unpack Sources and Compile

 tar -zxvf bind-9.2.1.tar.gz
 cd bind-9.2.1
 mkdir /usr/local/bind
 ./configure --with-openssl --with-randomdev=/dev/random
 make
 make install DESTDIR=/usr/local/bind

3.4.2.2 Set Up Chroot Jail Environment

 cd /usr/local/bind 

Notice the addition of the master and slave directories to contain zone files: master will contain zone files for domains for which this is the primary DNS server, and slave will contain the files for those domains for which this is a secondary server.

 mkdir -p dev etc lib named/local named/master named/slave var/run
 groupadd dns
 useradd -g dns -s /dev/null -d /usr/local/bind dns

In order to facilitate zone transfers, the server will need to be able to write zones into the slave directory, and to make changes to those files when adding or removing entries as a result of a zone transfer.

 chown -R dns:dns /usr/local/bind/named/slave
 chown -R dns:dns /usr/local/bind/var/run
 mknod /usr/local/bind/dev/null c 1 3
 mknod /usr/local/bind/dev/random c 1 8
 chmod 666 /usr/local/bind/dev/null /usr/local/bind/dev/random
 cp /lib/libcrypto.so.2 /usr/local/bind/lib
 cp /lib/libnsl.so.1 /usr/local/bind/lib
 cp /lib/libc.so.6 /usr/local/bind/lib
 cp /lib/libdl.so.2 /usr/local/bind/lib
 cp /lib/ld-linux.so.2 /usr/local/bind/lib
 cp /etc/localtime /usr/local/bind/etc

 Edit /etc/sysconfig/syslog so that

     SYSLOGD_OPTIONS="-m 0"

 becomes

     SYSLOGD_OPTIONS="-m 0 -a /usr/local/bind/dev/log"

 chown root /usr/local/bind /usr/local/bind/named/local
 chmod 700 /usr/local/bind
 chown dns:dns /usr/local/bind/named
 chmod 700 /usr/local/bind/named
 chmod 755 /usr/local/bind/named/local
 chmod 444 /usr/local/bind/named/local/*
 chown root /usr/local/bind/etc/named.conf
 chmod 644 /usr/local/bind/etc/named.conf
 chattr +i /usr/local/bind/etc/localtime /usr/local/bind/etc /usr/local/bind/var
 chattr +i /usr/local/bind/etc/named.conf /usr/local/bind/named/local/*

3.4.2.3 Create and Edit Main Configuration File

named.conf:

#
# named.conf file for zone hosting DNS server
#
// Zone and file names below follow the example.com domain used throughout
// this section.
// Permit zone transfers from trusted hosts. Most organizations choose to have
// another organization host a secondary replica of their zone information, so
// that in the event of a catastrophe, their servers' information will still be
// available to the Internet from someone else.
acl "xfer" {
    2.4.6.5;
};
acl "trustednets" {
    1.3.5.0/24;
};
acl "invalidnets" {
    10.0.0.0/8;
    127.0.0.0/8;
    169.254.0.0/16;
    172.16.0.0/12;
    192.168.0.0/16;
    222.0.0.0/8;
    223.0.0.0/8;
    224.0.0.0/3;
};
options {
    // Remember that all directory paths in this section
    // must be presented relative to the chroot hierarchy!
    // Set the named directory
    directory "/named";
    // Declare the pid-file location for starts and stops
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/general.stats";
    // memstatistics-file "/var/run/memory.stats";
    dump-file "/var/run/named.dump";
    zone-statistics yes;
    // Designate listening interface
    listen-on { 1.3.5.50; };
    // Do not check for interface link state, since it is not a dialup adapter
    interface-interval 0;
    // Permit queries from trusted nets only via the "trustednets" ACL.
    // If this is a primary server for your domains on the Internet, this will
    // need to change to "any".
    allow-query { trustednets; };
    // Use "xfer" ACL to define allowed zone transfers
    allow-transfer { xfer; };
    // Lock out bogus networks using the "invalidnets" ACL
    blackhole { invalidnets; };
    // Set version string to something non-revealing; this will not log attempts
    // to query CHAOS information, however.
    // version "No version here";
};
logging {
    channel "default_syslog" {
        // Default logging to syslog
        syslog local5;
        severity debug;
    };
    channel "audit_log" {
        // Segregate security messages to a separate log (path relative to the chroot)
        file "/var/run/security.log";
        severity debug;
        // Include a timestamp
        print-time yes;
    };
    category default { default_syslog; };
    category general { default_syslog; };
    category security { audit_log; default_syslog; };
    category config { default_syslog; };
    category resolver { audit_log; };
    category xfer-in { audit_log; };
    category xfer-out { audit_log; };
    category notify { audit_log; };
    category client { audit_log; };
    category network { audit_log; };
    category update { audit_log; };
    category queries { audit_log; };
    category lame-servers { audit_log; };
};
// Create the access view for internal trusted networks
// Here, we're creating the first of two "views" of the data on this server. This one
// will present different information to internal clients than to external clients, a
// configuration known colloquially as "split-brain DNS". ISC recommends splitting
// this configuration up into a separate internal and external DNS server, but not
// every organization can afford two machines for this. If that's the case, this
// split configuration will come in handy. If you can afford two machines, you can
// divide this configuration up and use this internal view for your internal DNS server
// and the external view below for the external.
view "trusted-query" in {
    match-clients { trustednets; };
    // Remember that this server is not caching at all: that should be the job of a
    // separate machine in your organization, for security and performance reasons,
    // particularly if this machine is already doing double duty presenting internal
    // and external DNS information to both sets of clients. If you need this machine
    // to also cache DNS queries and forward them on behalf of your clients, turn on
    // the "forwarders" option in the options{} block above, and set "recursion" and
    // "additional-from-cache" to "yes" below. Then activate the caching "hint" block
    // below.
    recursion no;
    additional-from-auth yes;
    additional-from-cache no;
    // Root hints for caching: commented out since this machine is not caching.
    // zone "." in {
    //     type hint;
    //     file "named.cache";
    // };
    // Permit queries for the localhost network, for which
    // every server must be a master
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "local/reverse.127.0.0";
        allow-query { any; };
        allow-transfer { none; };
    };
    // Send internal-only data to trusted internal networks
    zone "example.com" in {
        type master;
        file "master/example.com_internal";
    };
    // Don't forget reverse records
    zone "5.3.1.in-addr.arpa" in {
        type master;
        file "master/reverse.1.3.5";
    };
};
view "external-query" in {
    match-clients { any; };
    recursion no;
    additional-from-auth no;
    additional-from-cache no;
    // Root hints; not consulted while recursion is off
    zone "." in {
        type hint;
        file "named.cache";
    };
    // Permit queries for the localhost network, for which
    // every server must be a master
    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "local/reverse.127.0.0";
        allow-query { any; };
        allow-transfer { none; };
    };
    // Send external data only
    zone "example.com" in {
        type master;
        file "master/example.com_external";
        allow-query { any; };
    };
    // Send reverse records for external subnet
    zone "6.4.2.in-addr.arpa" in {
        type master;
        file "master/reverse.2.4.6";
        allow-query { any; };
    };
};
view "attempt-chaos" chaos {
    match-clients { any; };
    recursion no;
    zone "." {
        type hint;
        file "/dev/null";
    };
    zone "bind" {
        type master;
        file "local/chaos";
        allow-query { none; };
        allow-transfer { none; };
    };
};

3.4.2.4 Check Configuration Files for Syntax Errors

BIND provides us with a pair of tools that will permit us to check our configuration files for validity before deploying them: this ensures that no one has left out a closing brace or semicolon anywhere. First, check the main configuration file for errors using named-checkconf. We'll have to specify the chroot directory (-t /usr/local/bind) and the name of the configuration file as it's seen once the server is chrooted (/etc/named.conf):

 /usr/local/bind/sbin/named-checkconf -t /usr/local/bind /etc/named.conf 

Now check each of the zone files, using the following syntax:

 /usr/local/bind/sbin/named-checkzone 0.0.127.in-addr.arpa /usr/local/bind/named/local/reverse.127.0.0

You should see in response:

 zone 0.0.127.in-addr.arpa/IN: loaded serial 42
 OK

Note that the serial number will vary according to what's in the zone file. Repeat this process for each of the other zone files you've created.

Finally, check the chaos zone we're using, if you've opted to use it:

 /usr/local/bind/sbin/named-checkzone -c chaos bind /usr/local/bind/named/local/chaos 

You should see in response:

 zone bind/CH: loaded serial 42
 OK

3.4.2.5 Start Daemon with Chroot Manually and Test Lookups

Test that everything is working by manually loading the server and testing to ensure you can look up records. You may need to connect your system to the network at this point if you want to verify that you can look up actual Internet records.

 /usr/local/bind/sbin/named -u dns -t /usr/local/bind -c /etc/named.conf 

You can test the server by specifying it on the command line as a second argument to the host command (note that "nslookup" is deprecated, and may be removed from future releases of BIND, so now's the time to get in the habit of using something else instead!):

 host 127.0.0.1 1.3.5.50 

You should see in response:

 Using domain server:
 Name: 1.3.5.50
 Address: 1.3.5.50#53
 Aliases:

 1.0.0.127.in-addr.arpa domain name pointer localhost

3.4.2.6 Create Startup Files and Add to rc.d Hierarchy

Copy the sample named startup script that appears at the end of this section to /etc/init.d (or write your own), and add it into the startup hierarchy using chkconfig:

 /sbin/chkconfig --level 2345 --add named

3.4.3 Sample BIND Configuration Files

/usr/local/bind/named/local/chaos:

$TTL 1D
$ORIGIN bind.
@               CHAOS SOA localhost. root.localhost. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
@               CHAOS NS  localhost.
version.bind.   CH    TXT "No version here"
authors.bind.   CH    TXT "No authors here"

/usr/local/bind/named/local/reverse.127.0.0:

$TTL 1D
$ORIGIN 0.0.127.in-addr.arpa.
@       1D IN SOA localhost. root.localhost. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        1D IN NS  localhost.
1       1D IN PTR localhost.

/usr/local/bind/named/local/localhost:

$TTL 1D
@       1D IN SOA @ root.localhost. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        1D IN NS  @
@       1D IN A   127.0.0.1

/usr/local/bind/named/master/example.com_internal:

$TTL 1D
@       1D IN SOA ns.example.com. root.example.com. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        1D IN NS  ns            ; NS must name a host that has an A record
ns         IN A   1.3.5.50
www        IN A   1.3.5.20

/usr/local/bind/named/master/example.com_external:

$TTL 1D
@       1D IN SOA ns.example.com. root.example.com. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        1D IN NS  ns
ns         IN A   2.4.6.5
www        IN A   2.4.6.20

/usr/local/bind/named/master/reverse.1.3.5:

$TTL 1D
$ORIGIN 5.3.1.in-addr.arpa.
@       1D IN SOA ns.example.com. root.example.com. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        1D IN NS  ns.example.com.       ; targets must be fully qualified here,
20         IN PTR www.example.com.      ; otherwise the in-addr.arpa origin
50         IN PTR ns.example.com.       ; is appended to them

/usr/local/bind/named/master/reverse.2.4.6:

$TTL 1D
$ORIGIN 6.4.2.in-addr.arpa.
@       1D IN SOA ns.example.com. root.example.com. (
                        42      ; serial
                        3H      ; refresh
                        15M     ; retry
                        1W      ; expiry
                        1D )    ; minimum
        1D IN NS  ns.example.com.
5          IN PTR ns.example.com.
20         IN PTR www.example.com.

/etc/init.d/named:

#!/bin/sh
#
# named         This file will start and stop the BIND named daemon
#
# chkconfig: 2345 99 99
# description: named is the daemon responsible for mapping IP addresses \
#              to names and vice versa in response to queries from other hosts.
# processname: /usr/local/bind/sbin/named
# config: /usr/local/bind/etc/named.conf

# Source function library
. /etc/rc.d/init.d/functions

# Source networking functionality and ensure that the network has been started
if [ -f /etc/sysconfig/network ]; then
    . /etc/sysconfig/network
    [ "${NETWORKING}" = "no" ] && exit 0
fi

# Nothing to do if the chrooted binary is not installed
[ -x /usr/local/bind/sbin/named ] || exit 0

RETVAL=0
prog="named"

# Set variables for the chroot
CHROOT_USER=dns
CHROOT_DIR=/usr/local/bind
CHROOT_CONFIG=/etc/named.conf

start() {
    echo -n $"Starting $prog: "
    daemon /usr/local/bind/sbin/named -u $CHROOT_USER -t $CHROOT_DIR -c $CHROOT_CONFIG
    RETVAL=$?
    echo
    # Only record the subsystem lock if the daemon actually started
    [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
    return $RETVAL
}

stop() {
    echo -n $"Stopping $prog: "
    killproc /usr/local/bind/sbin/named
    RETVAL=$?
    echo
    rm -f /var/lock/subsys/named
    return $RETVAL
}

restart() {
    stop
    start
}

reload() {
    # BIND 9 ships rndc rather than ndc; without an rndc key configured,
    # SIGHUP is the simplest way to make named re-read its configuration.
    killproc /usr/local/bind/sbin/named -HUP
}

condrestart() {
    [ -e /var/lock/subsys/named ] && restart
    return 0
}

case "$1" in
    start)
        start
        ;;
    stop)
        stop
        ;;
    restart)
        restart
        ;;
    reload)
        reload
        ;;
    condrestart)
        condrestart
        ;;
    status)
        status named
        RETVAL=$?
        ;;
    *)
        echo $"Usage: $0 {start|stop|restart|reload|condrestart|status}"
        exit 1
esac

exit $RETVAL
   /usr/local/bind/named/local/chaos   $TTL 1D $ORIGIN bind. @ CHAOS SOA localhost. root.localhost. ( 42 ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum @ CHAOS NS localhost. version.bind. CH TXT "No version here" authors.bind. CH TXT "No authors here"   /usr/local/bind/named/local/reverse.127.0.0   $TTL 1D $ORIGIN 0.0.127.in-addr.arpa @ 1D IN SOA localhost. root.localhost. ( 42 ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum 1D IN NS localhost. 1 1D IN PTR localhost.   /usr/local/bind/named/local/localhost   $TTL 1D @ 1D IN SOA @ root.localhost. ( 42 ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum 1D IN NS @ 1 1D IN A 127.0.0.1   /usr/local/bind/named/master/mydomain.com_internal   $TTL 1D @ 1D IN SOA @ root.mydomain.com. ( 42 ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum 1D IN NS @ ns IN A 1.3.5.50 www IN A 1.3.5.20   /usr/local/bind/named/master/mydomain_external   $TTL 1D @ 1D IN SOA @ root.mydomain.com. ( 42 ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum 1D IN NS @ ns IN A 2.4.6.5 www IN A 2.4.6.20   /usr/local/bind/named/master/reverse.1.3.5   $TTL 1D $ORIGIN 5.3.1.in-addr.arpa @ 1D IN SOA mydomain.com. root.mydomain.com. ( 42 ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum 1D IN NS ns. 20 IN PTR www. 50 IN PTR ns.   /usr/local/bind/named/master/reverse.2.4.6   $TTL 1D $ORIGIN 6.4.2.in-addr.arpa @ 1D IN SOA localhost. root.localhost. ( 42 ; serial 3H ; refresh 15M ; retry 1W ; expiry 1D ) ; minimum 1D IN NS ns. 5 IN PTR ns. 20 IN PTR www.   /etc/init.d/named   #!/bin/sh # named This file will start and stop the BIND named daemon # # chkconfig: 2345 99 99 # description: named is the daemon responsible for mapping IP addresses \ # to names and vice versa in response to queries from other hosts. # processname: /usr/local/bind/sbin/named # config: /usr/local/bind/etc/named.conf # Source function library . 
/etc/rc.d/init.d/functions # Source networking functionality and ensure that the network has been started if [ -f /etc/sysconfig/network ]; then . /etc/sysconfig/network [ ${NETWORKING} = "no" ] && exit 0 fi [ -x /usr/local/bind/sbin/named ]  exit 0 RETVAL=0 prog="named" # Set variables for the chroot CHROOT_USER=dns CHROOT_DIR=/usr/local/bind CHROOT_CONFIG=/etc/named.conf start() { echo -n $"Starting $prog: " daemon /usr/local/bind/sbin/named -u $CHROOT_USER -t $CHROOT_DIR -c $CHROOT_CONFIG RETVAL=$? echo touch /var/lock/subsys/named return $RETVAL } stop() { echo -n $"Stopping $prog: " killproc /usr/local/bind/sbin/named RETVAL=$? echo rm -f /var/lock/subsys/named return $RETVAL } restart() { stop start } reload() { /usr/local/bind/sbin/ndc reload } condrestart() { [ -e /var/lock/subsys/named ] && restart return 0 } case "$1" in start) start ;; stop) stop ;; restart) restart ;; reload) reload ;; condrestart) condrestart ;; status) status named RETVAL=$? ;; *) echo $"Usage: $0 {startstopstatusrestartcondrestartreload}" RETVAL=1 ;; esac exit $RETVAL 
{startstopstatusrestartcondrestartreload}" RETVAL=1 ;; esac exit $RETVAL
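Hand-written zone files like the ones above fail in quiet ways: a $ORIGIN without its trailing dot is appended to the zone name rather than replacing it, an NS or PTR target written as "ns." names a top-level domain, and an NS pointing at the apex needs an address record that is easy to forget. The following linter is an added example, not code from the book or from ISC; it parses the zone syntax used in this section ($TTL, $ORIGIN, "@", parenthesised multi-line SOA records, ";" comments), qualifies every name against the current origin the way named does, and reports those three classes of mistake. The sample zones inside it are constructed for the demonstration (one reverse zone with the mistakes, one corrected, the internal forward zone with an apex NS, and the CHAOS decoy zone); the zone names passed to lint_zone() stand in for the zone statements in named.conf, and the code assumes no ";" occurs inside a quoted TXT string.

```python
"""Offline linter for hand-written BIND zone files (added example, not from
the book).  Assumes ';' never appears inside a quoted TXT string."""
import re
import shlex

TTL_RE = re.compile(r"^\d+[smhdwSMHDW]?$")
CLASSES = {"IN", "CH", "CHAOS", "HS"}
# A single-label absolute name is a top-level domain; "localhost." is the one
# that legitimately appears as an NS/PTR target (the loopback zones).
SINGLE_LABEL_OK = {"localhost."}


def absolute(name, origin):
    """Qualify a name as named does: '@' is the origin, a trailing dot means
    absolute, anything else has the current origin appended."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def parse_zone(text, origin):
    """Return the zone's records as dicts with absolute owner names."""
    origin = origin if origin.endswith(".") else origin + "."
    records, owner, pending, depth, starts_blank = [], origin, [], 0, False
    for raw in text.splitlines():
        body = raw.split(";", 1)[0]          # strip ';' comments
        if not body.strip():
            continue
        if depth == 0:                       # a new record starts on this line
            pending, starts_blank = [], body[0].isspace()
        for tok in shlex.split(body.replace("(", " ( ").replace(")", " ) ")):
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                pending.append(tok)
        if depth > 0:                        # record continues on the next line
            continue
        toks = list(pending)
        if toks[0].upper() == "$ORIGIN":
            origin = absolute(toks[1], origin)   # a relative $ORIGIN compounds
            continue
        if toks[0].upper() == "$TTL":
            continue
        if not starts_blank:                 # leading whitespace = same owner
            owner = absolute(toks.pop(0), origin)
        ttl, rclass = None, "IN"
        while toks and (TTL_RE.match(toks[0]) or toks[0].upper() in CLASSES):
            tok = toks.pop(0)
            if tok.upper() in CLASSES:
                rclass = tok.upper()
            else:
                ttl = tok
        rtype = toks.pop(0).upper()
        records.append({"owner": owner, "ttl": ttl, "class": rclass,
                        "type": rtype, "rdata": toks, "origin": origin})
    return records


def lint_zone(text, zone_name):
    """Return a list of problems; an empty list means the zone looks sane."""
    zone = zone_name if zone_name.endswith(".") else zone_name + "."
    recs = parse_zone(text, zone)

    def in_zone(name):
        return name == zone or name.endswith("." + zone)

    issues = []
    soa = [r for r in recs if r["type"] == "SOA" and r["owner"] == zone]
    if len(soa) != 1:
        issues.append(f"{zone}: expected one SOA at the apex, found {len(soa)}")
    addrs = {r["owner"] for r in recs if r["type"] in ("A", "AAAA")}
    for r in recs:
        if not in_zone(r["owner"]):
            issues.append(f"{r['owner']}: owner lies outside {zone}")
        if r["type"] in ("NS", "PTR", "CNAME"):
            target = absolute(r["rdata"][-1], r["origin"])
            if target.count(".") == 1 and target not in SINGLE_LABEL_OK:
                issues.append(f"{r['owner']} {r['type']} {r['rdata'][-1]}: "
                              f"target {target} is a top-level name")
            if r["type"] == "NS" and in_zone(target) and target not in addrs:
                issues.append(f"{r['owner']} NS {target}: "
                              "in-zone nameserver has no A/AAAA record")
    return issues


# Constructed sample zones (not copied from any live server).
SOA = "( 42 ; serial\n   3H ; refresh\n   15M ; retry\n   1W ; expiry\n   1D ) ; minimum\n"
BAD_REVERSE = ("$TTL 1D\n$ORIGIN 5.3.1.in-addr.arpa\n"       # relative $ORIGIN
               "@ 1D IN SOA mydomain.com. root.mydomain.com. " + SOA +
               "   1D IN NS ns.\n20 IN PTR www.\n50 IN PTR ns.\n")
GOOD_REVERSE = ("$TTL 1D\n$ORIGIN 5.3.1.in-addr.arpa.\n"
                "@ 1D IN SOA mydomain.com. root.mydomain.com. " + SOA +
                "   1D IN NS ns.mydomain.com.\n20 IN PTR www.mydomain.com.\n"
                "50 IN PTR ns.mydomain.com.\n")
INTERNAL_NS_APEX = ("$TTL 1D\n@ 1D IN SOA @ root.mydomain.com. " + SOA +
                    "   1D IN NS @\nns IN A 1.3.5.50\nwww IN A 1.3.5.20\n")
CHAOS_ZONE = ("$TTL 1D\n$ORIGIN bind.\n@ CHAOS SOA localhost. root.localhost. " + SOA +
              "@ CHAOS NS localhost.\nversion.bind. CH TXT \"No version here\"\n"
              "authors.bind. CH TXT \"No authors here\"\n")

if __name__ == "__main__":
    for label, zone, text in (("chaos", "bind", CHAOS_ZONE),
                              ("bad reverse", "5.3.1.in-addr.arpa", BAD_REVERSE),
                              ("good reverse", "5.3.1.in-addr.arpa", GOOD_REVERSE),
                              ("internal", "mydomain.com", INTERNAL_NS_APEX)):
        print(label, "->", lint_zone(text, zone) or ["clean"])
```

Run against BAD_REVERSE the linter reports four problems: the SOA is no longer at the apex (the relative $ORIGIN turned it into a sub-zone of itself), and all three NS/PTR targets are single-label names. GOOD_REVERSE and the CHAOS decoy zone come back clean, and INTERNAL_NS_APEX shows the one remaining trap, an NS at the apex with no address record. named-checkzone from the BIND distribution is the authoritative check before a reload; this script is useful where that tool is not installed on the editing host.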



Securing Linux: A Survival Guide for Linux Security (Version 2.0)
ISBN: 0974372773
Year: 2002
Pages: 39
