Installing An Ubuntu Hardy 8.04 LTS DNS Server With BIND - Page 4

Submitted by msghaleb (Contact Author) (Forums) on Tue, 2008-06-03 11:44. ::

10 Install the DNS Server

Run

apt-get install bind9

For security reasons we want to run BIND chrooted so we have to do the following steps:

/etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":

vi /etc/default/bind9

OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes

Create the necessary directories under /var/lib:

mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind gets updated in the future):

ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

We need to modify /etc/default/syslogd so that we can still get important messages logged to the system logs. Modify the line: SYSLOGD="" so that it reads: SYSLOGD="-a /var/lib/named/dev/log":

vi /etc/default/syslogd

#
# Top configuration file for syslogd
#

#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#

#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"

Restart the logging daemon:

/etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

/etc/init.d/bind9 start

 

11 Configure BIND

Now the main configuration file in BIND is named.conf, however named.conf.local is already included in named.conf and its there for customized configuration, so we will edit named.conf.local and we will add our zones, here I added a zone camed tm.local as well as a reverse zone for 192.168.0.0:

vi /etc/bind/named.conf.local

zone "tm.local" {
        type master;
        file "/etc/bind/zones/tm.local.db";
        };


zone "3.13.10.in-addr.arpa" {
     type master;
     file "/etc/bind/zones/rev.0.168.192.in-addr.arpa";
};

Please note that if you want to add a comment in named.conf or named.conf.local use //, also you can see above the zone file for tm.local is called tm.local.db and is located in /etc/bind/zone, the most important thing that the zone file uses as the prefix for a comment and not //, as I saw confusions in a lot of forums so I thought to add it here - (same for the reverse zone).

 

12 Configure the Zones

We will start with the zone tm.local

mkdir /etc/bind/zones

vi /etc/bind/zones/tm.local.db

$TTL 1500
@  IN SOA server1.tm.local. root (
                             2007062703        ;serial
                             28800             ;refresh
                             3600              ;retry
                             604800            ;expire
                             38400 )           ;minimum 25 minutes
tm.local.      IN      NS      server1.tm.local.
server1        IN      A       192.168.0.100
webserver1     IN      A       192.168.0.103
webserver2     IN      A       192.168.0.104
loadb1         IN      A       192.168.0.101
loadb2         IN      A       192.168.0.102
tm.local.      IN      MX      10    server1.tm.local.

Feel free to replace the above zone name (tm.local) or your dns server name (server1) as needed,  just note the DOT after the zone name.

Now let's go ahead with the reverse zone.

vi /etc/bind/zones/rev.3.13.10.in-addr.arpa

$TTL 1500
@  IN SOA server1.tm.local. root (
                             2007062703        ;serial
                             28800             ;refresh
                             3600              ;retry
                             604800            ;expire
                             38400 )           ;minimum 25 minutes

                     IN    NS     server1.tm.local.
100                  IN    PTR    server1.tm.local.
103                  IN    PTR    webserver1.tm.local.
104                  IN    PTR    webserver2.tm.local.
101                  IN    PTR    load1.tm.local.
102                  IN    PTR    load2.tm.local.

Now configure the server to forward any requests to your ISP server so it case resolve external IPs.

vi /etc/bind/named.conf.options

Uncomment the forwarder section to look like this:

forwarders {
      # Replace the address below with the address of your ISP DNS server
      123.123.123.123;
};

 

13 Configure the server to use itself as DNS

vi /etc/resolv.conf

search tm.local
nameserver 192.168.0.100

 

14 References and Sources

up

Copyright © 2008 GHALEB
All Rights Reserved.
login or register to post comments | Email this page to a friend email this page | view as pdf view as pdf | print: this | all page(s)

Comment viewing options

Select your preferred way to display the comments and click "Save settings" to activate your changes.
Please do not use the comment function to ask for help! If you need help, please use our forum: http://www.howtoforge.com/forums
Comments will be published after administrator approval.
There is no need to disable apparmor
Submitted by spauldingsmails (Contact Author) (Forums) on Mon, 2008-06-16 02:24.

There is absolutely no reason to disable apparmor and the fact that this howto not only shows you how to disable it but actively encourages it is irresponsible.

Apparmor is much easier to configure than SELinux. With apparmor enabled you will not really need to chroot bind but if you would like to, you could use the default /var/lib/bind directory instead of chrooting in /var/lib/named or alternatively, you could edit /etc/apparmor.d/usr.sbin.named and change the path /var/lib/bind/** to /var/lib/named/**, then restart apparmor; /etc/init.d/apparmor restart.

login or register to post comments | Email this page to a friend email this page | view as pdf view as pdf
Actually, there IS a reason
Submitted by arturgajowy (Contact Author) (Forums) on Sat, 2008-07-05 19:36.
Actually, there IS a reason to disable AppArmor:
If you don't do this, the whole procedure above simply DOESN'T WORK.
You just keep getting

rndc: connect failed: 127.0.0.1#953: connection refused

error whenever you try to access your DNS server with rndc. [it also occurs when you use /etc/init.d/bind9 which - I suppose - uses rndc]

There should be a neater way to work this around - maybe some AppArmor settings?
login or register to post comments | Email this page to a friend email this page | view as pdf view as pdf