Guide to the BIND9 DNS of Red Hat Enterprise Linux 5 / CentOS Linux 5.
by Vivek Gite <vivek@nixcraft.com>, © 2008 nixCraft. All rights reserved. <http://www.cyberciti.biz>
Warnings
• Do not attempt to implement any of the recommendations in this guide without first testing
in a nonproduction environment.
• This document is only a guide containing recommended security settings for BIND
software. It is not meant to replace well structured policy or sound judgment. Furthermore,
this guide does not address site-specific configuration concerns.
• Configuration changes described in this document apply only to Red Hat Enterprise Linux
5.x or CentOS Linux 5.x. They may or may not translate gracefully to other operating
systems.
Required packages
You need to install the following packages.
1. bind - BIND includes a DNS server (named), which resolves host names to IP addresses; a
resolver library (routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating properly.
2. bind-chroot - A chroot runtime environment for the ISC BIND DNS server, named. This
package contains a tree of files which can be used as a chroot jail for the named program
from the BIND package.
3. bind-utils - Bind-utils contains a collection of utilities for querying DNS (Domain Name
System) name servers to find out information about Internet hosts. These tools will provide
you with the IP addresses for given host names, as well as other information about registered
domains and network addresses. You should install bind-utils if you need to get information
from DNS name servers.
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
; Name servers
@ 3600 IN NS ns1.nixcraft.com.
@ 3600 IN NS ns2.nixcraft.com.
; SPF for mx
@ 3600 IN TXT "v=spf1 mx ~all"
; Domain IP
@ 3600 IN A 75.126.168.153
www 3600 IN A 75.126.168.153
; Cname alias
feeds 3600 IN CNAME ghs.google.com.
; ipv6 address
@ 3600 IN AAAA 2607:f0d0:1002:11::5
www 3600 IN AAAA 2607:f0d0:1002:11::5
include "/etc/rndc.key";
include "/etc/tsig.key";
/* Our own zone */
include "/etc/named.conf.local";
OR
# service named restart
How does it work?
1. Each name server adds a TSIG record to the data section of the DNS messages it exchanges
with other servers (server-to-server queries and responses).
2. The TSIG record signs the DNS message, proving that the message's sender had a
cryptographic key shared with the receiver and that the message wasn't modified after it left
the sender.
3. TSIG uses a one-way hash function to provide authentication and data integrity.
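The three points above describe the mechanism: a keyed one-way hash (HMAC) computed over the message with a secret that only the two servers share. The following Python example is added here to show that mechanism in working code; it is not part of the original guide and is not BIND's own implementation. It uses HMAC-MD5 because that is the algorithm the guide configures, and it computes the MAC over the message bytes only (real TSIG also covers the key name, algorithm and timestamp fields, which this simplified version omits). The shared secret and the message are constructed values.

```python
import base64
import hashlib
import hmac

# Constructed example secret: 128 random-looking bits, base64-encoded, which is the
# shape of the secret that `dnssec-keygen -b 128` writes into the .private file.
# A fixed value is used so the example is reproducible; both servers hold the same one.
SHARED_SECRET = base64.b64encode(b"\x01" * 16)


def tsig_sign(message: bytes, secret_b64: bytes, algorithm: str = "md5") -> bytes:
    """Return the MAC a sender attaches to a DNS message (simplified TSIG).

    The one-way hash runs over the message keyed with the shared secret, so
    only a holder of the secret can produce a MAC that the peer will accept.
    """
    key = base64.b64decode(secret_b64)
    return hmac.new(key, message, getattr(hashlib, algorithm)).digest()


def tsig_verify(message: bytes, mac: bytes, secret_b64: bytes, algorithm: str = "md5") -> bool:
    """Receiver recomputes the MAC with its own copy of the secret.

    compare_digest is used so the comparison time does not leak where the
    two MACs first differ.
    """
    expected = tsig_sign(message, secret_b64, algorithm)
    return hmac.compare_digest(expected, mac)


def demo() -> dict:
    """Sign a constructed zone-transfer request and check the three cases that matter."""
    # Constructed payload; a real message would be DNS wire format.
    request = b"AXFR nixcraft.com. requested by ns2.nixcraft.com."
    mac = tsig_sign(request, SHARED_SECRET)
    return {
        # Same message, same key: the receiver accepts it.
        "genuine": tsig_verify(request, mac, SHARED_SECRET),
        # Message changed in transit after signing: the MAC no longer matches.
        "tampered_message": tsig_verify(request.replace(b"ns2", b"ns9"), mac, SHARED_SECRET),
        # Sender that does not hold the shared secret: its MAC is rejected.
        "wrong_key": tsig_verify(request, mac, base64.b64encode(b"\x02" * 16)),
    }


if __name__ == "__main__":
    for case, accepted in demo().items():
        print(f"{case}: {'accepted' if accepted else 'rejected'}")
```

The `algorithm` parameter defaults to MD5 to match the guide; passing `"sha256"` gives HMAC-SHA256, which newer BIND releases support as `hmac-sha256` and which is the better choice where both servers run a version that has it.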
Our sample setup:
• Master nameserver: ns1.nixcraft.com - 202.54.1.1
• Slave nameserver: ns2.nixcraft.com - 190.5.1.1
• BIND configuration is stored in /etc/bind/ directory.
• Zone data is stored in /etc/bind/named.conf file.
How Do I Configure TSIG?
Type the following command on the master nameserver (ns1.theos.in) to create the shared key, using
the dnssec-keygen program, which creates two files, both containing the generated key:
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key
Sample output:
Krndc-key.+157+64252
Where,
• -a Specifies the algorithm (HMAC-MD5 here).
• -b Specifies the key size in bits.
• -n Specify the nametype. A nametype can be a ZONE, HOST, ENTITY, or USER. Usually,
you need to use HOST or ZONE such as theos.in
The above dnssec-keygen program created two files as follows. Both .key and .private files are
generated for symmetric algorithms such as HMAC-MD5, even though for these algorithms the public and
private keys are equivalent:
• Krndc-key.+157+64252.key - Contains the public key. The .key file contains a DNS KEY
record that can be inserted into a zone file.
• Krndc-key.+157+64252.private - Contains the private key. The .private file contains
algorithm-specific fields.
The first block is nothing but keys. TSIG keys are configured using the key statement and the keys
substatement of the server statement. The keys substatement tells a name server to sign queries and
zone transfer requests sent to a particular remote name server. In our case the above statement
informs the master server to sign all requests to the slave server 75.55.2.100 with the key called
TRANSFER. The server statement's keys clause tells the slave name server to sign all zone transfer
requests and queries sent to its master server, and vice versa. Save and close the file. Open the
named.conf file, enter:
# vi /var/named/chroot/etc/named.conf
Append the following line:
include "/etc/tsig.key";
Save and close the file. Restart named:
# rndc reload
OR
# service named restart
Restart / reload the BIND server:
# rndc reload
OR
# service named restart
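The key statement block that the text above refers to is not reproduced on this page, so the following Python example is added to show how the secret from the .private file ends up in /etc/tsig.key and in the server and allow-transfer clauses. It is added material, not code from the guide or from ISC; the named.conf `key`, `server { keys { ... }; }` and `allow-transfer { key ...; }` syntax it emits is standard BIND 9 syntax, and the key name TRANSFER and the slave address 75.55.2.100 are the values the guide uses. The secret it generates is random, as dnssec-keygen's would be, and the parse-back check is a sanity test a practitioner can run over an existing tsig.key file.

```python
import base64
import os
import re


def generate_tsig_secret(bits: int = 128) -> str:
    """Random shared secret, base64-encoded, the same shape as `dnssec-keygen -b 128` produces."""
    if bits % 8:
        raise ValueError("key size must be a multiple of 8 bits")
    return base64.b64encode(os.urandom(bits // 8)).decode("ascii")


def render_key_statement(name: str, secret: str, algorithm: str = "hmac-md5") -> str:
    """named.conf `key` statement: the content of /etc/tsig.key, identical on both servers."""
    return (
        f'key "{name}" {{\n'
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


def render_server_statement(peer_ip: str, key_name: str) -> str:
    """Tells named to sign every request it sends to peer_ip with key_name."""
    return f"server {peer_ip} {{\n    keys {{ {key_name}; }};\n}};\n"


def render_transfer_acl(key_name: str) -> str:
    """Zone option on the master: only AXFR requests signed with key_name are served."""
    return f"allow-transfer {{ key {key_name}; }};"


# Accepts the statement shape rendered above (and the usual hand-written layout).
KEY_RE = re.compile(
    r'key\s+"([^"]+)"\s*\{\s*algorithm\s+([\w-]+)\s*;\s*secret\s+"([^"]+)"\s*;\s*\}\s*;',
    re.S,
)


def check_key_statement(text: str, expected_bits: int = 128) -> dict:
    """Parse a key statement back and sanity-check it.

    Catches the two mistakes that silently break TSIG between two servers:
    a secret that is not valid base64 (a copy-paste error) and a secret of
    the wrong length for the key size you think you generated.
    """
    m = KEY_RE.search(text)
    if not m:
        raise ValueError("no key statement found")
    name, algorithm, secret = m.groups()
    raw = base64.b64decode(secret, validate=True)  # raises binascii.Error on bad input
    return {
        "name": name,
        "algorithm": algorithm,
        "secret_bits": len(raw) * 8,
        "size_ok": len(raw) * 8 == expected_bits,
        # hmac-md5 is what this guide configures; flag it so an audit can spot it.
        "uses_md5": algorithm.lower() == "hmac-md5",
    }


if __name__ == "__main__":
    secret = generate_tsig_secret(128)
    tsig_key = render_key_statement("TRANSFER", secret)
    print("# /etc/tsig.key (same file on master and slave)")
    print(tsig_key)
    print("# master named.conf: sign requests to the slave, and only serve signed AXFRs")
    print(render_server_statement("75.55.2.100", "TRANSFER"))
    print(render_transfer_acl("TRANSFER"))
    print("# parse-back check:", check_key_statement(tsig_key))
```

The same key statement goes on the slave, with a server statement pointing at the master's address instead, which is the "vice versa" the text describes.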
Verify TSIG
Watch your master BIND DNS server log file or system log file, enter:
# tail -f /var/log/messages
OR
# tail -f /var/log/syslog
OR
# grep 'theos.in/IN' /var/log/syslog
Further Resources
The following resources provide more detailed information about the BIND9 software:
1. man pages - bind, named.conf
2. Bind9 Project
3. Bind from Wikipedia, the free encyclopedia
Copyright © 2008-2009 nixCraft. All rights reserved. This pdf version is for personal use only. Please use all
information, commands and configuration with care. nixCraft website (http://www.cyberciti.biz/) and its contributors
will not be responsible for damages of any kind resulting from its use. The use of this information is your OWN sole
responsibility. All trademarks within are property of their respective holders. Although the author and its contributors
believe the contents to be accurate at the time of publication, no liability is assumed for them, their application or any
consequences thereof. If any misrepresentations, errors or other need of clarification is found, please contact us
immediately at vivek@nixcraft.com.