LPI Linux Certification/LPIC2 Exam 202/DNS

Section Overview

 * Basic BIND 8 configuration
 * Create and maintain DNS zones
 * Securing a DNS server

Setting up a caching-only nameserver
To avoid repeating the slow, multi-step resolution process for every query, DNS servers cache the answers they receive from other DNS servers, including negative answers (an authoritative server's reply "name does not exist" is cached by your local DNS too).

Configuring BIND as a caching-only nameserver means setting up only a "." hint zone: you tell BIND about the root nameservers and declare no zones of your own, as follows:

        zone "." in {
                type hint;
                file "named.cache";
        };

The file named.cache (the root hints) can be generated with dig, by asking a root server for the nameservers of the root zone (dig @a.root-servers.net) and saving the answer.

Logging in BIND is controlled by two main concepts: channels and categories. A channel specifies where logged data goes (to syslog, to a file, etc.); a category specifies what data is logged.

Channels let you filter messages by priority, like syslog's priorities. They are essentially the same, but BIND adds two more: debug and dynamic, which affect debug-level logging. debug sets a fixed debug level, which becomes active after the first trace command is given via ndc; dynamic follows the server's debug level, which each trace command given via ndc increments or decrements.

Example of logging configuration:

        logging {
                channel my_syslog {
                        syslog daemon;
                        severity info;
                };
                channel my_file {
                        file "log.msgs";
                        severity dynamic;
                };
                category statistics { my_syslog; my_file; };
                category queries { my_file; };
        };

To activate debug logging once BIND is running, issue the command:

ndc trace

Key terms, files and utilities:

 * /etc/named.conf
 * /usr/sbin/ndc
 * /usr/sbin/named-bootconf
 * kill

Exercises

Create and maintain DNS zones
DNS zone files consist mostly of resource records (RRs). A resource record must start in the first column of a line. The order in which records appear is not significant, but most people follow the order used in the DNS RFCs:

 * SOA (Start Of Authority): declares authority for this zone
 * NS (NameServer): lists a nameserver for this zone

Other records:

 * A: name-to-address mapping
 * PTR: address-to-name mapping
 * CNAME (canonical name): alias

Don't forget to create a zone for 127.0.0!

Usual zone file format:

        $TTL
        .  IN  SOA  .  . (
                        serial number ;
                        refresh value ;
                        retry value ;
                        expire value ;
                        negative caching TTL of 1 day )
        .  IN  NS  .
        .  IN  NS  .
        ...
        .  IN  A
        .  IN  A
        ...

For reverse mappings:

        $TTL
        .in-addr.arpa.  IN  SOA  .  . (
                        serial number ;
                        refresh value ;
                        retry value ;
                        expire value ;
                        negative caching TTL of 1 day )
        .in-addr.arpa.  IN  NS  .
        .in-addr.arpa.  IN  NS  .
        ...
        .in-addr.arpa.  IN  PTR  .
        .in-addr.arpa.  IN  PTR  .
        ...
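A complete worked instance of the two templates above, added here as an example (it is not from the wiki page): a short Python script that builds the forward zone for a constructed domain, example.com on 192.0.2.0/24, and the matching in-addr.arpa zone from a single host table, so that every A record gets its PTR and both zones carry the same serial. The 127.0.0 reverse zone the page says not to forget is produced the same way. All names, addresses and SOA timer values are assumed sample data.

```python
"""Forward and reverse zone files generated from one host table.

Added example, not part of the LPI wiki page. The zone example.com, the
192.0.2.0/24 network, the nameserver and host names are all constructed
sample data; the SOA timing values are ordinary defaults, not values from
the page.
"""

# Constructed sample data for one forward zone and its reverse zone.
DOMAIN = "example.com"
NETWORK = "192.0.2"                        # /24 prefix, reverse zone 2.0.192.in-addr.arpa.
NAMESERVERS = ["ns1", "ns2"]               # short names, relative to DOMAIN
HOSTS = {
    "ns1": "192.0.2.1",
    "ns2": "192.0.2.2",
    "www": "192.0.2.10",
    "mail": "192.0.2.20",
}
DEFAULT_TTL = 86400                        # $TTL at the top of every zone file


def fqdn(name):
    """Return name as an absolute name: already absolute (trailing dot) or relative to DOMAIN."""
    return name if name.endswith(".") else f"{name}.{DOMAIN}."


def soa_serial(year, month, day, revision=1):
    """Conventional YYYYMMDDnn serial; it must grow on every edit or slaves will not refresh."""
    return year * 1000000 + month * 10000 + day * 100 + revision


def soa_record(owner, serial):
    """SOA record with the five timing fields in the order the page lists them (seconds)."""
    primary = fqdn(NAMESERVERS[0])
    contact = f"hostmaster.{DOMAIN}."      # mailbox hostmaster@example.com, the '@' written as '.'
    return "\n".join([
        f"{owner} IN SOA {primary} {contact} (",
        f"        {serial} ; serial number",
        "        3600 ; refresh value",
        "        900 ; retry value",
        "        1209600 ; expire value",
        "        86400 ) ; negative caching TTL of 1 day",
    ])


def _zone_header(origin, serial):
    """$TTL, SOA and the NS records every zone (forward or reverse) starts with."""
    lines = [f"$TTL {DEFAULT_TTL}", soa_record(origin, serial)]
    lines += [f"{origin} IN NS {fqdn(ns)}" for ns in NAMESERVERS]
    return lines


def forward_zone(serial):
    """Forward zone: SOA, NS records, then one A record per host."""
    origin = f"{DOMAIN}."
    lines = _zone_header(origin, serial)
    lines += [f"{fqdn(host)} IN A {addr}" for host, addr in HOSTS.items()]
    return "\n".join(lines) + "\n"


def reverse_zone(prefix, hosts, serial):
    """Reverse zone for a /24 prefix such as "192.0.2": one PTR per address in that network.

    Also builds the 127.0.0 zone the page mentions:
    reverse_zone("127.0.0", {"localhost.": "127.0.0.1"}, serial).
    """
    origin = ".".join(reversed(prefix.split("."))) + ".in-addr.arpa."
    lines = _zone_header(origin, serial)
    for host, addr in sorted(hosts.items(), key=lambda kv: int(kv[1].rsplit(".", 1)[1])):
        net, last = addr.rsplit(".", 1)
        if net != prefix:
            continue                        # belongs in another network's reverse zone
        lines.append(f"{last}.{origin} IN PTR {fqdn(host)}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    serial = soa_serial(2024, 1, 31)
    print(forward_zone(serial))
    print(reverse_zone(NETWORK, HOSTS, serial))
    print(reverse_zone("127.0.0", {"localhost.": "127.0.0.1"}, serial))
```

Keeping the host table in one place is the point: a forward entry without its PTR (or a stale PTR after a host moves) is the usual reverse-zone mistake, and generating both files from one table with one serial removes it.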

Key terms, files and utilities:

 * Content of /var/named
 * Zone file syntax
 * Resource record formats
 * dig
 * nslookup
 * host

Exercises

Securing a DNS server
First of all, follow the security mailing lists and web sites for new versions of BIND. In particular, versions prior to 8.2.3 are vulnerable to known attacks.

Hide your version number from outside queries: it can be used to tailor an attack against your server. Since BIND 8.2 you can put this in named.conf:

        options {
                version "None of your business";
        };

You can also restrict who may query the server. Globally:

        options {
                allow-query { address-match-list; };
        };

or per zone (a per-zone setting takes precedence over the global one):

        zone "test.com" {
                type slave;
                file "db.test";
                allow-query { 192.168.0.0/24; };
        };

Even more important, make sure that only your real slave servers can transfer zones from your master. Use the keyword allow-transfer:

 * globally, in the options statement, where it applies to all zones;
 * or per zone.

On the slaves, disable zone transfers altogether with allow-transfer { none; };
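To check that a named.conf actually applies the three restrictions above (version hiding, allow-query, and allow-transfer with none on the slaves), here is an added example audit script in Python. It is not part of the page or of BIND: its scanner is deliberately minimal (plain options and zone statements only, no views or include files), and both sample configurations it is run against are constructed.

```python
"""Audit a named.conf for the query and transfer restrictions discussed above.

Added example, not part of the LPI wiki page or of BIND. It is a deliberately
small scanner (balanced braces, comments stripped), not a full named.conf
parser: it handles the plain options/zone statements shown on the page, not
views or include files. The two sample configurations are constructed.
"""
import re


def _strip_comments(conf):
    """Remove /* */, // and # comments so their text cannot confuse the scanner."""
    conf = re.sub(r"/\*.*?\*/", " ", conf, flags=re.S)
    return re.sub(r"(//|#).*", " ", conf)


def _statements(conf, keyword):
    """Yield (label, body) for each `keyword ["label"] ... { body };` statement."""
    pattern = re.compile(rf'(?:^|[;{{}}])\s*{keyword}\b\s*(?:"([^"]*)")?[^{{]*\{{')
    for m in pattern.finditer(conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:              # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1) or "", conf[m.end():i - 1]


def _directive(body, name):
    """Content of `name { ... };` inside a statement body, or None if absent."""
    m = re.search(rf"\b{name}\s*\{{([^}}]*)\}}", body)
    return m.group(1).strip() if m else None


def audit_named_conf(conf):
    """Return a list of findings; an empty list means the page's checks all pass."""
    conf = _strip_comments(conf)
    findings = []
    options = list(_statements(conf, "options"))
    opt_body = options[0][1] if options else ""

    if not re.search(r'\bversion\s+"', opt_body):
        findings.append("options: no version string set, the real BIND version is exposed to version.bind queries")
    if _directive(opt_body, "allow-query") is None:
        findings.append("options: no global allow-query, zones without their own allow-query answer anyone")
    global_transfer = _directive(opt_body, "allow-transfer")

    for name, body in _statements(conf, "zone"):
        m = re.search(r"\btype\s+(\w+)", body)
        ztype = m.group(1) if m else ""
        transfer = _directive(body, "allow-transfer")   # a per-zone setting wins over the global one
        if transfer is None:
            transfer = global_transfer
        if ztype == "slave" and (transfer is None or "none" not in transfer):
            findings.append(f'zone "{name}": slave should disable transfers with allow-transfer {{ none; }}')
        elif ztype == "master" and transfer is None:
            findings.append(f'zone "{name}": no allow-transfer, anyone can pull the whole zone')
    return findings


# Constructed sample: a configuration with none of the page's restrictions ...
WEAK_CONF = """
options { directory "/var/named"; };
zone "." in { type hint; file "named.cache"; };
zone "test.com" { type master; file "db.test"; };
"""

# ... and the same server with version hiding, query and transfer restrictions applied.
HARDENED_CONF = """
options {
        directory "/var/named";
        version "None of your business";
        allow-query { any; };
        allow-transfer { 192.168.0.2; };        // the only slave
};
zone "." in { type hint; file "named.cache"; };
zone "test.com" { type master; file "db.test"; };
zone "0.0.127.in-addr.arpa" {
        type master; file "db.127.0.0";
        allow-transfer { none; };               # nobody needs to transfer the loopback zone
};
zone "other.com" {
        type slave; masters { 192.168.0.1; }; file "db.other";
        allow-query { 192.168.0.0/24; };
        allow-transfer { none; };
};
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(f"{label}: {audit_named_conf(conf) or ['ok']}")
```

The per-zone precedence rule from the page is what the loop implements: a zone's own allow-transfer replaces the global one, so a slave zone is only considered safe when its own directive (or, failing that, the global one) contains none.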

Don't run BIND as root! Since 8.1.2 there are options to change the user (-u) and group (-g) under which BIND runs. Use a non-privileged user (i.e. create a dedicated one, without shell access). Make sure your zone files have the right permissions for that user (named.conf is read while BIND still runs with root's permissions, so don't change that file's permissions).

Also, run BIND in a chroot jail. Since 8.1.2 the -t option specifies the directory the nameserver chroots to. Make sure all the files BIND needs (log files, devices, etc.) are under the jail. If you plan to use ndc with a chrooted BIND, don't forget to pass ndc the new pathname of the UNIX control socket!

Here's a little bit on how to set up a chrooted bind9 environment on Debian. As the bind9 configuration is very similar, the same procedure applies to bind8 for creating a chrooted environment.

 * Stop the currently running bind:

        /etc/init.d/bind9 stop

 * In order to chroot bind in a jail, we need to specify the environment in /etc/default/bind9:

        OPTIONS="-u bind -t /var/lib/named"

 * We still want logging in /var/log/syslog, so we change /etc/default/syslogd so that syslogd opens an extra socket inside the jail, through which the chrooted bind can log to /var/log/syslog:

        SYSLOGD="-a /var/lib/named/dev/log"

 * Run a couple of mkdir's for the environment:

        mkdir /var/lib/named
        mkdir -p /var/lib/named/var/run/bind/run
        mkdir /var/lib/named/etc
        mkdir /var/lib/named/dev
        mkdir /var/lib/named/var/cache

 * Move over the existing config:

        mv /etc/bind /var/lib/named/etc/bind

 * Link it, so the old path keeps working:

        ln -s /var/lib/named/etc/bind /etc/bind

 * Change ownership in the chrooted var and etc:

        chown -R bind:bind /var/lib/named/var/*
        chown -R bind:bind /var/lib/named/etc/bind

 * Create some devices and set their permissions:

        mknod /var/lib/named/dev/null c 1 3
        mknod /var/lib/named/dev/random c 1 8
        chmod 666 /var/lib/named/dev/random /var/lib/named/dev/null

 * Restart syslogd and start bind:

        /etc/init.d/sysklogd restart
        /etc/init.d/bind9 start

If bind does not start and there are error messages in syslog, keep in mind that these messages were generated from inside the chroot, so a permission problem reported for /var/run/bind/run/named.pid is really a problem with /var/lib/named/var/run/bind/run/named.pid on the host.
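As an added example (not from the page or from Debian's bind9 packaging), this Python script encodes the jail layout the steps above create and checks a jail for the pieces most often forgotten; it also does the path translation just described, from the path named reports inside the jail to the real host path. The required entries are the ones the page's mkdir, mknod and syslogd -a steps produce; the demo builder uses regular files as stand-ins for the device nodes, because mknod needs root.

```python
"""Check a BIND chroot jail against the layout built by the steps above.

Added example, not part of the LPI wiki page or of Debian's bind9 packaging.
The required directories and device nodes come from the page's mkdir, mknod
and syslogd steps; build_demo_jail() creates a throwaway skeleton with
regular files standing in for device nodes and the syslog socket.
"""
import os
import tempfile

JAIL_ROOT = "/var/lib/named"                           # the -t argument used on the page
JAIL_DIRS = ["etc/bind", "dev", "var/run/bind/run", "var/cache"]
JAIL_DEVICES = ["dev/null", "dev/random"]              # mknod'ed, must be mode 666
JAIL_SOCKETS = ["dev/log"]                             # created by syslogd -a, only needs to exist


def host_path(jail_root, jailed_path):
    """Translate a path as named reports it from inside the jail to the real host path."""
    return os.path.join(jail_root, jailed_path.lstrip("/"))


def jail_issues(jail_root):
    """Return what is missing or mis-permissioned in the jail (empty list = looks complete)."""
    issues = []
    for d in JAIL_DIRS:
        if not os.path.isdir(host_path(jail_root, d)):
            issues.append(f"missing directory {d}")
    for dev in JAIL_DEVICES:
        p = host_path(jail_root, dev)
        if not os.path.exists(p):
            issues.append(f"missing device {dev}")
        elif (os.stat(p).st_mode & 0o666) != 0o666:
            issues.append(f"{dev} is not mode 666, named running as user bind cannot use it")
    for sock in JAIL_SOCKETS:
        if not os.path.exists(host_path(jail_root, sock)):
            issues.append(f"missing {sock}, syslogd was not restarted with -a {host_path(jail_root, sock)}")
    return issues


def build_demo_jail(omit=()):
    """Create a temporary jail skeleton; entries named in `omit` are left out to simulate mistakes."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    for d in JAIL_DIRS:
        if d not in omit:
            os.makedirs(host_path(root, d), exist_ok=True)
    for entry in JAIL_DEVICES + JAIL_SOCKETS:
        if entry in omit:
            continue
        p = host_path(root, entry)
        os.makedirs(os.path.dirname(p), exist_ok=True)
        open(p, "w").close()                            # stand-in for the device node or socket
        os.chmod(p, 0o666)
    return root


if __name__ == "__main__":
    # Check the real jail if this host has one, otherwise a demo jail with one step skipped.
    root = JAIL_ROOT if os.path.isdir(JAIL_ROOT) else build_demo_jail(omit=("dev/random",))
    print(f"{root}: {jail_issues(root) or ['looks complete']}")
```

Run it on the real /var/lib/named after the procedure; a missing dev/log is the classic symptom of forgetting the syslogd restart, and a missing dev/random is what makes named hang or fail on startup inside the jail.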

Key terms, files and utilities:

 * SysV init files
 * /etc/named.conf
 * /etc/passwd