Setting Up BIND


This section discusses the /etc/named.conf file, zone files, implementation of a DNS cache, and running DNS inside a chroot jail.

named.conf: The named Configuration File

Configuration information for named, including zone names and the names and locations of zone files, is kept in /etc/named.conf. By default, the zone files are kept in /var/named. If you are running named in a chroot jail, these files are kept in /var/named/chroot/var/named (page 750).

RHEL A sample named.conf configuration file is included with the caching-nameserver package.

FEDORA A sample configuration file, named named.caching-nameserver.conf, is included with the bind-config package. See the caution box on page 732 and "named.conf" on page 733 for information about this file and its relationship to named.conf. If you want to make changes to this file, copy it to named.conf and then make changes to the copy. This way your changes will not be overwritten when the caching-nameserver package is updated.

IP-list

In the descriptions in this section, IP-list is a semicolon-separated list of IP addresses, each optionally followed by a slash and subnet mask length (page 423). You can prefix an IP-list with an exclamation point (!) to negate it. Built-in names that you can use in IP-list include any, none, and localhost. You must enclose built-in names within double quotation marks.

Comments

Within named.conf, you can specify a comment by preceding it with a pound sign (#) as in a Perl or shell program, preceding it with a double slash (//) as in a C++ program, or enclosing it between /* and */ as in a C program.

Options Section

Option statements can appear within two sections of named.conf: Options and Zone. Option statements within the Options section apply globally. When an option statement appears in a Zone section, the option applies to the zone and overrides any corresponding global option within that zone. An Options section starts with the keyword options and continues with braces surrounding the statements. Following is a list of some option statements. Statements that can appear only in an Options section are so noted.

allow-query {IP-list}


Allows queries from IP-list only. Without this option, the server responds to all queries.

allow-recursion {IP-list}


Specifies the systems for which this server will perform recursive queries (page 723). For systems not in IP-list, the server performs iterative queries only. Without this option, the server performs recursive queries for any system. This statement may be overridden by the recursion statement.

allow-transfer {IP-list}


Specifies systems that are allowed to perform zone transfers from this server. Specify an IP-list of "none" (include the quotation marks) to prevent zone transfers.

directory path


Specifies the absolute pathname of the directory containing the zone files; under Red Hat Linux, this directory is initially /var/named. Filenames specified in this named.conf file are relative to this directory. Options section only.

forward ONLY|FIRST


ONLY forwards all queries and fails if it does not receive an answer. FIRST forwards all queries and, if a query does not receive an answer, attempts to find an answer using additional queries. Valid with the forwarders statement only.

forwarders {IP [port] [; ...]}


Specifies IP addresses and optionally port numbers that queries are forwarded to. See the forward statement.

notify YES|NO


YES sends a message to slave servers for the zone when zone information changes. Master servers only.

recursion YES|NO


YES (default) provides recursive queries (page 723) if the client requests. NO provides iterative queries only (page 723). An answer is always returned if it appears in the server's cache. This statement overrides the allow-recursion statement. Options section only.

Zone Section

A Zone section defines a zone and can include any of the statements listed for the Options section except as noted. A Zone section is introduced by the keyword zone, the name of the zone enclosed within double quotation marks, and the class (always IN). The body of the Zone section consists of a pair of braces surrounding one or more zone statements. See the listing of named.rfc1912.zones on page 743 for examples of Zone sections. Following is a list of some zone statements:

allow-update {IP-list}


Specifies systems that are allowed to update this zone dynamically. This statement may be useful when hosting a master DNS server for a domain owned by someone other than the local administrator because it allows a remote user to update the DNS entry without granting the user access to the server.

file filename


Specifies the zone file, the file that specifies the characteristics of the zone. The filename is relative to the directory specified by the directory statement in the Options section. The file statement is mandatory for master and hint zones and is a good idea for slave zones (see type).

masters (IP-list)


Specifies systems that a slave zone can use to update zone files. Slave zones only.

type ztype


Specifies the type of zone that this section defines. Specify ztype from the following list:

  • forward Specifies a forward zone, which forwards queries directed to this zone. See the forward and/or forwarders statements in the Options section.

  • hint Specifies a hint zone. A hint zone lists root servers that the local server queries when it starts and when it cannot find an answer in its cache.

  • master Specifies the local system as a primary master server (page 724) for this zone.

  • slave Specifies the local system as a slave server (page 724) for this zone.

Zone Files

Zone files define zone characteristics. The name of the zone is typically specified in named.conf (or named.caching-nameserver.conf). Contrasted with named.conf, zone files use periods at the ends of domain names. See page 745 for sample zone files. To improve security, master and hint zone files should be kept in /var/named, which is owned by root and is not writable by processes running with a UID of named. Slave zone files should be kept in /var/named/slaves, which is owned by named and is writable by processes running with a UID of named. This configuration enables SELinux to offer better security. When you set up a chroot jail, the slaves directory is not put in the jail. Both of these setups ensure that master and hint zone files cannot be updated by dynamic DNS updates or by zone transfers. See the named man page for more information.

Time Formats

All times in BIND files are given in seconds, unless they are followed by one of these letters (uppercase or lowercase): S (seconds), M (minutes), H (hours), D (days), or W (weeks). You can combine formats: The time 2h25m30s means 2 hours, 25 minutes, and 30 seconds and is the same as 8,730 seconds.

Domain Qualification

An unqualified domain in a zone file is assumed to be in the current zone (the zone being defined by the zone file and named by the named.conf file that refers to the zone file). The name zach in the zone file for myzone.com, for example, would be expanded to the FQDN zach.myzone.com.. Use an FQDN (include the trailing period) to specify a domain that is not in the current zone. Any name that does not end with a period is regarded as a subdomain of the current zone.

Zone Name

Within a zone file, an @ is replaced with the zone name as specified by the named.conf file that refers to the zone file. The zone name is also used to complete unqualified domain names. The zone name is also referred to as the origin. See "$ORIGIN," in the next section.

Zone File Directives

The following directives can appear within a zone file. Each directive is identified by a leading dollar sign. The $TTL directive is mandatory and must be the first entry in a zone file.

$TTL


Defines the default time to live for all resource records in the zone. This directive must appear in a zone file before any resource records that it applies to. Any resource record can include a TTL value to override this value, except for the resource record in the root zone (.).

$ORIGIN


Changes the zone name from that specified in the named.conf file. This name, or the zone name if this directive does not appear in the zone file, replaces an @ sign in the Name field of a resource record.

$INCLUDE


Includes a file as though it were part of the zone file. The scope of an $ORIGIN directive within an included file is the included file. That is, an $ORIGIN directive within an included file does not affect the file that holds the $INCLUDE directive.

A DNS Cache

You install a DNS cache, also called a resolving, caching nameserver, when you install the bind-config package (see the caution box on page 732). The section "JumpStart I: Setting Up a DNS Cache" (page 733) explains how to run this server. This section explains how the files Red Hat Linux provides implement this server.

named.caching-nameserver.conf: The named Configuration File (FEDORA)

See the caution box on page 732 for more information about this file. The default named.caching-nameserver.conf file is shown here:

# cat /etc/named.caching-nameserver.conf
//
// named.caching-nameserver.conf
//
// Provided by Red Hat bind-config package to configure the
// ISC BIND named(8) DNS server as a caching only nameserver
// (as a localhost DNS resolver only).
//
// DO NOT EDIT THIS FILE - use system-config-bind or an editor
// to create named.conf - edits to this file will be lost on
// bind-config package upgrade.
//
options {
        listen-on port 53 { 127.0.0.1; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        query-source    port 53;
        query-source-v6 port 53;
        allow-query     { localhost; };
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
view localhost_resolver {
        match-clients      { localhost; };
        match-destinations { localhost; };
        recursion yes;
        include "/etc/named.rfc1912.zones";
};


Options section


The first two lines of the Options section instruct named to listen on port 53 (the default named port) on the local system for incoming queries. The directory statement specifies the directory that all relative pathnames in this file are relative to. Specifically, the files named in the Zone sections (of the included named.rfc1912.zones file) are in the /var/named directory. If you are running named in a chroot jail, this directory is located under /var/named/chroot (page 750). The file also specifies the locations of the dump-file (cache dump), statistics-file (statistics file), and memstatistics-file (memory statistics file). The query-source statement specifies the (address and) port from which the server issues queries. The allow-query statement specifies the IP addresses that are allowed to query the server. This file specifies that only localhost can query the server.

Logging section


The Logging section causes debugging messages to be sent to data/named.run. For more information refer to "Logging" on page 753.

View section


The single View section specifies that this server respond to queries from the local system (localhost) and perform recursive queries. The include statement includes the /etc/named.rfc1912.zones file (discussed in the next section) as though it were present in the View section. For more information refer to "View sections" on page 757.

named.rfc1912.zones: The Zone Configuration File (FEDORA)

As explained in the previous section, the named.caching-nameserver.conf file incorporates the /etc/named.rfc1912.zones file by naming it in an include statement:

#  cat /etc/named.rfc1912.zones
// named.rfc1912.zones:
//
// Provided by Red Hat bind-config package
//
// ISC BIND named zone configuration for zones recommended by
// RFC 1912 section 4.1 : localhost TLDs and address zones
//
zone "." IN {
        type hint;
        file "named.ca";
};
zone "localdomain" IN {
        type master;
        file "localdomain.zone";
        allow-update { none; };
};
zone "localhost" IN {
        type master;
        file "localhost.zone";
        allow-update { none; };
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "named.local";
        allow-update { none; };
};
zone "0.0.0.0.0.0.0. ... .0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.ip6.local";
        allow-update { none; };
};
zone "255.in-addr.arpa" IN {
        type master;
        file "named.broadcast";
        allow-update { none; };
};
zone "0.in-addr.arpa" IN {
        type master;
        file "named.zero";
        allow-update { none; };
};


Zone sections


This file holds seven Zone sections, each of which has an allow-update statement that specifies dynamic updates of the zone are not allowed. All filenames in this file are relative to the directory statement in the Options section of named.caching-nameserver.conf.

  • . (The name of the zone is a period.) The hint zone. Specifies that when the server starts or when it does not know which server to query, it should look in the /var/named/named.ca (ca stands for cache) file to find the addresses of authoritative servers for the root domain.

  • localdomain Specifies that localhost.localdomain points to 127.0.0.1, preventing the local server from looking upstream for this information.

  • localhost Sets up the normal server on the local system.

  • 0.0.127.in-addr.arpa Sets up IPv4 reverse name resolution.

  • 0.0 ... 0.0.ip6.arpa Sets up IPv6 reverse name resolution.

  • 255.in-addr.arpa Specifies that IP addresses that start with 255 have their reverse lookup handled by the local server, preventing the local server from looking upstream for this information.

  • 0.in-addr.arpa Specifies that IP addresses that start with 0 have their reverse lookup handled by the local server, preventing the local server from looking upstream for this information.

Zone Files

There are seven zone files in /var/named, each corresponding to one of the Zone sections in named.rfc1912.zones. This section describes three of these zone files.

The root zone: named.ca


The hint zone file, named.ca, is a copy of ftp.internic.net/domain/named.cache, which does not change frequently. The named.ca file specifies authoritative servers for the root domain. The DNS server initializes its cache from this file and can determine an authoritative server for any domain from this information.

The root zone is required only for servers that answer recursive queries: If a server responds to recursive queries, it needs to perform a series of iterative queries starting at the root domain. Without the root domain hint file, it would not know the location of the root domain servers.

$ cat /var/named/named.ca
;        This file holds the information on root name servers needed to
;        initialize cache of Internet domain name servers
;        (e.g. reference this file in the "cache  .  <file>"
;        configuration file of BIND domain name servers).
;
;        This file is made available by InterNIC
;        under anonymous FTP as
;           file                /domain/named.cache
;           on server           FTP.INTERNIC.NET
;        -OR-                     RS.INTERNIC.NET
;
;        last update:    Jan 29, 2004
;        related version of root zone:   2004012900
;
;
; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS     A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A      198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS     B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A      192.228.79.201
;
; formerly C.PSI.NET
;
.                        3600000      NS     C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A      192.33.4.12
;
...
; End of File


localhost.zone


The localhost.zone zone file defines the localhost zone, the normal server on the local system. It starts with a $TTL directive and holds three resource records: SOA, NS, and A. The $TTL directive in the following file specifies that the default time to live for the resource records specified in this file is 86,400 seconds (24 hours):

# cat /var/named/localhost.zone
$TTL    86400
@          IN    SOA     @        root (
                         42              ; serial (d. adams)
                         3H              ; refresh
                         15M             ; retry
                         1W              ; expiry
                         1D )            ; minimum
           IN NS                  @
           IN A                   127.0.0.1
           IN AAAA                ::1


As explained earlier, the @ at the start of the SOA resource record stands for the origin (the name of the zone), which is localhost. The last three lines in the preceding file are the NS resource record that specifies the nameserver for the zone as localhost (@), the A resource record that specifies the IPv4 address of the host as 127.0.0.1, and the AAAA resource record that specifies the IPv6 address of the host as ::1. Because these three records have blank Name fields, each inherits this value from the preceding resource record; in this case, @.
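The zone-file rules described in this and the preceding sections (time units, the mandatory leading $TTL, $ORIGIN and @, trailing-period qualification, and a blank Name field inheriting the previous owner) as a small Python zone-file reader. It is an added example, not code from the book or from BIND; it handles only the directives and record types used in these listings and runs over a constructed copy of localhost.zone with one extra record:

```python
import re

# Constructed input: the localhost.zone listing above plus one extra record.
LOCALHOST_ZONE = """\
$TTL    86400
@          IN    SOA     @        root (
                         42              ; serial (d. adams)
                         3H              ; refresh
                         15M             ; retry
                         1W              ; expiry
                         1D )            ; minimum
           IN NS                  @
           IN A                   127.0.0.1
           IN AAAA                ::1
www   300  IN CNAME               localhost.
"""
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
CLASSES = {"IN", "CH", "HS"}

def parse_ttl(text):
    """Convert a BIND time such as '2h25m30s', '3H' or '86400' to seconds."""
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smhdwSMHDW])", text)
    if not parts or "".join(n + u for n, u in parts) != text:
        raise ValueError(f"bad time value: {text!r}")
    return sum(int(n) * UNITS[u.lower()] for n, u in parts)

def qualify(name, origin):
    """'@' is the origin; a trailing period marks an FQDN; else subdomain of origin."""
    if name == "@":
        return origin
    return name if name.endswith(".") else name + "." + origin

def _logical_lines(text):
    """Strip ';' comments and join a parenthesised record into one line.
    The first physical line keeps its leading whitespace (blank Name field)."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip() and depth == 0:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            yield " ".join(buf)
            buf = []

def parse_zone(text, zone_name):
    """Return (owner, ttl, class, type, rdata) tuples, names qualified."""
    origin = zone_name if zone_name.endswith(".") else zone_name + "."
    default_ttl, owner, records = None, None, []
    for line in _logical_lines(text):
        if line.startswith("$"):
            directive, arg = line.split()[:2]
            if directive == "$TTL":
                default_ttl = parse_ttl(arg)
            elif directive == "$ORIGIN":
                origin = qualify(arg, origin)
            else:
                raise ValueError("directive not handled here: " + directive)
            continue
        if default_ttl is None:
            raise ValueError("$TTL must precede the first resource record")
        fields = line.replace("(", " ").replace(")", " ").split()
        if line[0].isspace():            # blank Name field: inherit the owner
            if owner is None:
                raise ValueError("blank Name field with no previous record")
        else:
            owner = qualify(fields.pop(0), origin)
        ttl, rclass = default_ttl, "IN"  # optional [ttl] [class] before the type
        while fields and (fields[0].upper() in CLASSES or fields[0][0].isdigit()):
            tok = fields.pop(0)
            if tok.upper() in CLASSES:
                rclass = tok.upper()
            else:
                ttl = parse_ttl(tok)
        rtype, rdata = fields[0].upper(), fields[1:]
        if rtype in ("NS", "CNAME", "PTR"):   # rdata names are qualified too
            rdata = [qualify(rdata[0], origin)]
        elif rtype == "SOA":                  # mname, rname, serial, 4 timers
            rdata = ([qualify(rdata[0], origin), qualify(rdata[1], origin),
                      int(rdata[2])] + [parse_ttl(v) for v in rdata[3:]])
        records.append((owner, ttl, rclass, rtype, tuple(rdata)))
    return records
```

Calling parse_zone(LOCALHOST_ZONE, "localhost") yields the SOA with its mailbox expanded to root.localhost. and its timers in seconds, the three blank-Name records owned by localhost., and the extra record as www.localhost. with its own TTL of 300.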

named.local


The named.local zone file provides information about the 0.0.127.in-addr.arpa reverse lookup zone. It follows the same pattern as the localhost zone file, except that instead of the A resource record, this file has a PTR record that provides the name that the zone associates with the IP address. The PTR resource record specifies the name 1, which equates the system at address 1 in the zone (0.0.127.in-addr.arpa) with the name localhost, which has an IP address of 127.0.0.1:

$ cat /var/named/named.local
$TTL       86400
@        IN      SOA     localhost. root.localhost.      (
                         1997022700      ; Serial
                         28800           ; Refresh
                         14400           ; Retry
                         3600000         ; Expire
                         86400)          ; Minimum
         IN      NS      localhost.
1        IN      PTR     localhost.


The other zone files perform similar functions as described under "Zone sections" on page 744. Once you start named (page 731), you can use the tests described under "Troubleshooting" on page 751 to make sure the server is working.

The named.conf Configuration File (RHEL)

The named.conf file holds the same zones as the named.caching-nameserver.conf file described in the previous section. The comments in the Options section of the named.conf file are dated and do not apply in most cases. In addition, the named.conf file has a Controls section and an Include section that includes the file /etc/rndc.key.

Controls section


The Controls section contains two statements that set up rndc control: inet and keys. The inet statement opens a control channel on 127.0.0.1, allowing local, non-privileged users to manage the nameserver. The keys statement allows a key to be defined so as to secure rndc communications.

include/rndc


The rndc (Remote Name Daemon Control) utility allows the system administrator to control BIND remotely (from the local or a remote system). You can use rndc to start and stop the daemon, force the daemon to reread the configuration files, and view diagnostic information. See the rndc man page for more information.

The Include section of named.conf on the nameserver incorporates the /etc/rndc.key file as though it appeared within named.conf. By putting the rndc key information in a file kept separate from the named.conf file, the rndc key information can be kept private using file permissions, while the named.conf file can be read by anyone. The rndc key is a secret shared between the nameserver and the remote control program. The /etc/rndc.key file must also be included in the /etc/rndc.conf file on the controlling system. If you wish to use rndc on a system other than the local one, you must copy rndc.key to the remote system and add the remote host to the Controls section in the named.conf file on the server.

DNS Glue Records

It is common practice to put the nameserver for a zone inside the zone it serves. For example, you might put the nameserver for the zone starting at site1.example.com (Figure 24-3, page 723) in ns.site1.example.com. When a DNS cache tries to resolve www.site1.example.com, the authoritative server for example.com gives it the NS record pointing to ns.site1.example.com. In an attempt to resolve ns.site1.example.com, the DNS cache again queries the authoritative server for example.com, which points back to ns.site1.example.com. This loop does not allow ns.site1.example.com to be resolved.

The simplest solution to this problem is not to allow any nameserver to reside inside the zone it points to. Because every zone is a child of the root zone, this solution means that every domain would be served by the root server and would not scale at all. A better solution is glue records. A glue record is an A record for a nameserver that is returned in addition to the NS record when an NS query is performed. Because the A record provides an IP address for the nameserver, it does not need to be resolved and does not create the problematic loop.

The nameserver setup for redhat.com illustrates the use of glue records. When you query for NS records for redhat.com, DNS returns three NS records. In addition, it returns three A records that provide the IP addresses for the hosts that the NS records point to:

$ dig -t NS redhat.com
...
;; QUESTION SECTION:
;redhat.com.                    IN      NS

;; ANSWER SECTION:
redhat.com.             28      IN      NS       ns2.redhat.com.
redhat.com.             28      IN      NS       ns3.redhat.com.
redhat.com.             28      IN      NS       ns1.redhat.com.

;; ADDITIONAL SECTION:
ns1.redhat.com.         5633    IN      A        66.187.233.210
ns2.redhat.com.         151369  IN      A        66.187.224.210
ns3.redhat.com.         80180   IN      A        66.187.229.10
...


You can create a glue record by providing an A record for the nameserver inside the delegating domain's zone file:

; trailing periods make both names FQDNs; without them each name would be
; expanded relative to the example.com origin (see "Domain Qualification")
site1.example.com.              IN      NS      ns.site1.example.com.
ns.site1.example.com.           IN      A       1.2.3.4
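
A check that a delegation's NS answer returns glue for every nameserver that lies inside the delegated zone, written in Python as an added example (not code from the book). It parses the section layout dig prints, as shown above, and runs on a constructed answer for site1.example.com, the domain used in this section, with the 1.2.3.4 address from the zone-file fragment:

```python
import re

# Constructed sample in the layout of dig's output for the site1.example.com
# delegation: one in-zone nameserver with glue (1.2.3.4), one in-zone
# nameserver without glue, and one nameserver outside the zone (no glue needed).
DIG_OUTPUT = """\
;; QUESTION SECTION:
;site1.example.com.             IN      NS

;; ANSWER SECTION:
site1.example.com.      3600    IN      NS      ns.site1.example.com.
site1.example.com.      3600    IN      NS      ns2.site1.example.com.
site1.example.com.      3600    IN      NS      ns.example.net.

;; ADDITIONAL SECTION:
ns.site1.example.com.   3600    IN      A       1.2.3.4
"""

def parse_dig(text):
    """Group the resource records printed by dig by section name."""
    sections, current = {}, None
    for line in text.splitlines():
        header = re.match(r";; (\w+) SECTION:", line)
        if header:
            current = header.group(1)
            sections[current] = []
        elif current and line.strip() and not line.startswith(";"):
            # owner, ttl, class, type, then rdata (which may contain spaces)
            name, ttl, rclass, rtype, rdata = line.split(None, 4)
            sections[current].append((name, int(ttl), rclass, rtype, rdata.strip()))
    return sections

def in_zone(name, zone):
    """True when name is the zone apex or lies below it."""
    return name == zone or name.endswith("." + zone)

def missing_glue(text):
    """Names of in-zone nameservers the delegation points at without also
    returning an address for them: exactly the lookup loop described above."""
    sections = parse_dig(text)
    glued = {name for name, _, _, rtype, _ in sections.get("ADDITIONAL", [])
             if rtype in ("A", "AAAA")}
    missing = []
    for zone, _, _, rtype, target in sections.get("ANSWER", []):
        if rtype == "NS" and in_zone(target, zone) and target not in glued:
            missing.append(target)
    return missing
```

On the sample, missing_glue reports only ns2.site1.example.com.; ns.example.net. lives outside the zone, so a resolver can look it up without consulting site1.example.com's own servers.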


TSIGs: Transaction Signatures

Interaction between DNS components is based on the query-response model: One part queries another and receives a reply. Traditionally a server determines whether and how to reply to a query based on the client's IP address. IP spoofing (page 1038) is relatively easy to carry out, making this situation less than ideal. Recent versions of BIND support transaction signatures (TSIGs), which allow two systems to establish a trust relationship by using a shared secret key.

TSIGs provide an additional layer of authentication between master and slave servers for a zone. When a slave server is located at a different site than the master server (as it should be), a malicious person operating a router between the sites can spoof the IP address of the master server and change the DNS data on the slave (a man-in-the-middle scenario). With TSIGs, this person would need to know the secret key to change the DNS data on the slave.

Creating a Secret Key

A secret key is an encoded string of up to 512 bits. The dnssec-keygen utility, included with BIND, generates this key. The following command generates a 512-bit random key using MD5, a one-way hash function (page 1046):

$ /usr/sbin/dnssec-keygen -a hmac-md5 -b 512 -n HOST keyname
Kkeyname.+157+47586


In the preceding command, replace keyname with something unique yet meaningful. This command creates a key in a file whose name is similar to Kkeyname.+157+47586.private, where keyname is replaced by the name of the key, +157 indicates the algorithm used, and +47586 is a hash of the key. If you run the same command again, the hash part will be different. The key file is not used directly. Use cat with an argument of the private filename to display the algorithm and key information you will need in the next step:

$ cat Kkeyname.+157+47586.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: uNPDouqVwR7fvo/zFyjkqKbQhcTd6Prm...


Using the Shared Secret

The next step is to tell the nameservers about the shared secret by inserting the following code in the /etc/named.conf file on both servers. This code is a top-level section in named.conf; insert it following the Options section:

key keyname {
    algorithm "hmac-md5";
    secret "uNPDouqVwR7fvo/zFyjkqKbQhcTd6Prm...";
};


The keyname is the name of the key you created. The algorithm is the string that appears within parentheses in the output from cat. The secret is the string that follows Key: in the preceding output. You must enclose each string within double quotation marks. Be careful when you copy the key; although it is long, do not break it into multiple lines.

Because key names are unique, you can insert any number of key sections into named.conf. To keep the key a secret, make sure users other than root cannot read it: Either give named.conf permissions such that no one except root has access to it or put the key in a file that only root can read and incorporate it in named.conf using an include statement.

Once both servers know about the key, use the server statement in named.conf to tell them when to use it:

server 1.2.3.4 { # 1.2.3.4 is the IP address of the other server using this key
    keys {
        "keyname";
    };
};


Each server must have a server section, each containing the IP address of the other server. The servers will now communicate with each other only if they first authenticate each other using the secret key.

Running BIND in a chroot Jail

To increase security, you can run BIND in a chroot jail. See page 428 for information about the security advantages of and ways to set up a chroot jail. See also the note about SELinux on page 732 and the named man page for information about BIND, SELinux, and chroot jails. The bind-chroot package, which sets up BIND to run in a chroot jail, creates a directory named /var/named/chroot that takes the place of the root directory (/) for all BIND files. With this package installed, all files that control BIND are located within this chroot jail and the filenames used in this chapter are symbolic links to the files in the chroot jail:

# ls -l /var/named /etc/named
...
/etc/named.caching-nameserver.conf -> /var/named/chroot//etc/named.caching-nameserver.conf
...
/etc/named.rfc1912.zones -> /var/named/chroot//etc/named.rfc1912.zones

/var/named:
total 52
... chroot
... data
... localdomain.zone -> /var/named/chroot//var/named/localdomain.zone
... localhost.zone -> /var/named/chroot//var/named/localhost.zone
... named.broadcast -> /var/named/chroot//var/named/named.broadcast
... named.ca -> /var/named/chroot//var/named/named.ca
... named.ip6.local -> /var/named/chroot//var/named/named.ip6.local
... named.local -> /var/named/chroot//var/named/named.local
... named.zero -> /var/named/chroot//var/named/named.zero
... slaves


With the bind-chroot package installed, the ROOTDIR shell variable is set to /var/named/chroot in the /etc/sysconfig/named file, which is executed by the named init script.




A Practical Guide to Red Hat® Linux®: Fedora™ Core and Red Hat Enterprise Linux (3rd Edition)
ISBN: 0132280272
Year: 2006
