|
|
| (One intermediate revision by the same user not shown) |
| Line 1: |
Line 1: |
| <yambe:breadcrumb self="Step-by-step tutorial">Bind DNS server configuration | Bind DNS</yambe:breadcrumb>
| | #REDIRECT [[Configuring basic DNS service with bind]] |
| =Step by step bind configuration tutorial=
| |
| | |
| ==Introduction==
| |
| | |
| Bind (DNS server software) uses executables with name '<tt>named</tt>' and uses service name '<tt>named</tt>'. It also does chroot to folder '<tt>/var/named/chroot</tt>' after service has successfully started. Hence all the files that bind uses must be present inside some sub-folder
| |
| of '<tt>/var/named/chroot</tt>' for bind to work.
| |
| | |
| Before bind does chroot to <tt>/var/named/chroot</tt> it will use the files directly with respect to actual '<tt>/</tt>' and later on it will use the same path to access them inside '<tt>/var/named/chroot</tt>'. For example, before bind does chroot it will access '<tt>/etc/named.conf</tt>' which is actual '<tt>/etc/named.conf</tt>'. After chroot bind will continue to use <tt>/etc/named.conf</tt> but now as per filesystem (previous /) bind would end up using <tt>/var/named/chroot/etc/named.conf</tt>.
| |
| | |
| Hence for things to work we need two copies of every file that bind uses, so that bind can find the file both before and after chroot. For this copying the file is bad idea, as after copying if changes are made to a file, then same changes would have to be done in other file as well. Keeping two copies of each file consistent manually in not practical. Also this may lead to bugs which would be very hard to find or troubleshoot.
| |
| | |
| To ensure that bind gets two copies of each files without actually requiring to maintain two different copies one can use symbolic links. Hence one can create original files in <tt>/var/named/chroot/<some sub-folder></tt> and then create symbolic links in actual <tt>/</tt>. For example actual '<tt>named.conf</tt>' can be at <tt>/var/named/chroot/etc/named.conf<tt> and its symbolic link can be created at <tt>/etc/named.conf</tt> using absolute path by command:
| |
| <pre>
| |
| ln -s /var/named/chroot/etc/named.conf /etc/named.conf
| |
| </pre>
| |
|
| |
| Please also note that the same will not work in other order. For example if actual file is in <tt>/etc/named.conf</tt> and symbolic link is created at <tt>/var/named/chroot/etc</tt>, then after chroot that symbolic link would become invalid. In good server configurations <tt>/var</tt> and <tt>/etc</tt> are on separate partitions. This implies that one may not use hard-links to link <tt>/etc/named.conf} and <tt>/var/named/chroot/etc/named.conf</tt>.
| |
| | |
| Thus the only good way of configuring DNS is to have original files in <tt>/var/named/chroot</tt> and to have symbolic links that using absolute
| |
| path in <tt>/etc</tt> pointing to same files in <tt>/var/named/chroot/etc</tt>. Although the above explanation is given for <tt>/etc</tt> configuration files, the same applies to <tt>/var/named/chroot/var/named</tt> zone files. Hence original zone files should go inside folder
| |
| <tt>/var/named/chroot/var/named</tt> with proper permissions and owner etc. and symbolic link to each of these zone files using absolute paths
| |
| must be created in <tt>/var/named</tt>.
| |
| | |
| | |
| | |
| ==File structure==
| |
| By default after installation of DNS packages following is the output of running tree command in <tt>/var/named/chroot</tt> folder.
| |
| <pre>
| |
| .
| |
| |-- dev
| |
| | |-- null
| |
| | |-- random
| |
| | `-- zero
| |
| |-- etc
| |
| | |-- localtime
| |
| | |-- named
| |
| | `-- pki
| |
| | `-- dnssec-keys
| |
| |-- usr
| |
| | `-- lib64
| |
| | `-- bind
| |
| `-- var
| |
| |-- log
| |
| |-- named
| |
| |-- run
| |
| | `-- named
| |
| `-- tmp
| |
| </pre>
| |
| If you want to ensure that previous DNS related configuration on the system does not affect your work / experiments then you can delete all the files/folders inside <tt>/var/named/chroot</tt>, except the ones listed above. '''Note that the above output is for Cent-OS 6.3 and the files listed can differ from system to system. Hence for other OS instead of deleting it would be better to move the files to other location, so that they can be restored if required.'''
| |
| | |
| Different types of DNS configuration files can be categorized broadly into two different categories:
| |
| # Config files
| |
| # Zone files
| |
| | |
| Config files usually go in folder <tt>/etc</tt> and zone files in <tt>/var/named</tt>. We can always specify different path for zone files in /etc/named.conf file by using <tt>directory</tt> configuration option.
| |
| | |
| | |
| | |
| ==Hello World DNS==
| |
| In this subsection we will try to create minimalist configuration
| |
| for DNS using defaults wherever possible. Then we will add more
| |
| and more configuration options / zones to this minimum DNS server
| |
| and try to go as close as possible to sample configuration
| |
| given in actual lab handout.
| |
| | |
| Minimal <tt>/var/named/chroot/etc/named.conf</tt> can contain
| |
| <pre>
| |
| options
| |
| {
| |
| directory "/var/named";
| |
| //empty, going to use all defaults for rest
| |
| };
| |
| | |
| include "/etc/named.root.hints"; //Need location of
| |
| // . or root servers
| |
| //for recursion
| |
| include "/etc/named.rfc1912.zones"; //A proper DNS
| |
| //must have these zones
| |
| </pre>
| |
| | |
| You must do following things after adding above contents to <tt>/var/named/chroot/etc/named.conf</tt> file:
| |
| # Create symbolic link in /etc/ using command:
| |
| #:<pre>
| |
| #::ln -s /var/named/chroot/etc/named.conf /etc/named.conf
| |
| #:</pre>
| |
| # Copy sample <tt>named.root.hints</tt> file that comes with Bind to <tt>/var/named/chroot/etc</tt> and then create symbolic link of this file in /etc. Please note that since the file has been included in <tt>/etc/named.conf</tt> it will also go in <tt>/etc</tt> folders. The files that are not included but are referred like zone files go inside <tt>/var/named</tt> folders.
| |
| #:You can use linux locate command to search for <tt>named.root.hints</tt> file.
| |
| #Copy sample <tt>named.rfc1912.zones</tt> file that comes with Bind to <tt>/var/named/chroot/etc</tt> and then create symbolic link of this file in /etc. The reasons and method being same as used for <tt>named.root.hints</tt> file.
| |
| #Use command `<tt>named-checkconf /etc/named.conf</tt>' to check the current configuration file and ensure that everything so far is fine. If everything so far is correct then `<tt>named-checkconf</tt>' will not show any output (error messages).
| |
| | |
| | |
| Now if we look inside contents of <tt>named.root.hints</tt> file that we have used above, we find lines
| |
| <pre>
| |
| zone "." IN {
| |
| type hint;
| |
| file "named.root";
| |
| };
| |
| </pre>
| |
| Here one zone with named dot (`.') which is parent most zone possible is being defined and it is mentioned that it is of type hint. It is also mentioned that hints related to this zone, which basically means list
| |
| of dot nameservers is mentioned in file `<tt>named.root</tt>'
| |
| | |
| So we must have file with name `<tt>named.root</tt>' in `<tt>/var/named/named.root</tt>' files. Note that here <tt>named.root</tt> is being referred and is not included. Hence this file would go in <tt>/var/named</tt> and not in <tt>/etc</tt>.
| |
| | |
| Fortunately for us default Bind server comes with file <tt>named.root</tt> and we only need to copy it to <tt>/var/named/chroot/var/named</tt> folder. Then we need to create symbolic link of file from <tt>/var/named/chroot/var/named</tt> folder to <tt>/var/named</tt> folder. The exact command would be:
| |
| <pre>
| |
| ln -s /var/named/chroot/var/named/named.root /var/named/named.root
| |
| </pre>
| |
| | |
| Similarly if we look inside <tt>named.rfc1912.zones</tt> file we can see that it refers to files:
| |
| * <tt>localdomain.zone</tt>
| |
| * <tt>localhost.zone</tt>
| |
| * <tt>named.local</tt>
| |
| * <tt>named.ip6.local</tt>
| |
| * <tt>named.broadcast</tt>
| |
| * <tt>named.zero</tt>
| |
| | |
| | |
| Now we have to use default files that come with Bind with above names by copying
| |
| them to folder <tt>/var/named/chroot/var/named</tt> and creating their corresponding
| |
| symbolic links inside folder <tt>/var/named</tt>.
| |
| | |
| ''If you find more than one file with same name on system you can copy any one of them to <tt>/var/named/chroot/var/named</tt> without worrying about which file is correct.''
| |
| | |
| After doing all this if you run <tt>tree</tt> command in folder <tt>/var/named</tt>, you should see output like:
| |
| <pre>
| |
| .
| |
| |-- chroot
| |
| | |-- dev
| |
| | | |-- null
| |
| | | |-- random
| |
| | | `-- zero
| |
| | |-- etc
| |
| | | |-- localtime
| |
| | | |-- named.conf
| |
| | | |-- named.rfc1912.zones
| |
| | | |-- named.root.hints
| |
| | | `-- rndc.key
| |
| | `-- var
| |
| | |-- log
| |
| | |-- named
| |
| | | |-- data
| |
| | | |-- localdomain.zone
| |
| | | |-- localhost.zone
| |
| | | |-- named.broadcast
| |
| | | |-- named.ip6.local
| |
| | | |-- named.local
| |
| | | |-- named.root
| |
| | | |-- named.zero
| |
| | | `-- slaves
| |
| | |-- run
| |
| | | `-- named
| |
| | `-- tmp
| |
| |-- data
| |
| |-- localdomain.zone -> /var/named/chroot/var/named/localdomain.zone
| |
| |-- localhost.zone -> /var/named/chroot/var/named/localhost.zone
| |
| |-- named.broadcast -> /var/named/chroot/var/named/named.broadcast
| |
| |-- named.ip6.local -> /var/named/chroot/var/named/named.ip6.local
| |
| |-- named.local -> /var/named/chroot/var/named/named.local
| |
| |-- named.root -> /var/named/chroot/var/named/named.root
| |
| |-- named.zero -> /var/named/chroot/var/named/named.zero
| |
| `-- slaves
| |
| </pre>
| |
| Please note that important information that symbolic link to named.conf, named.root.hints and named.rfc1912.zones file exist in /etc cannot be verified by using above output. For verifying that use command:
| |
| <pre>
| |
| ls -l /etc/named.* | grep -o '\/.*\$'
| |
| </pre>
| |
| which should give following output:
| |
| <pre>
| |
| /etc/named.conf -> /var/named/chroot/etc/named.conf
| |
| /etc/named.rfc1912.zones -> /var/named/chroot/etc/named.rfc1912.zones
| |
| /etc/named.root.hints -> /var/named/chroot/etc/named.root.hints
| |
| </pre>
| |
| | |
| As one final step use `<tt>chown named:named *</tt>' in both
| |
| `<tt>/var/named</tt>' and `<tt>/var/named/chroot/var/named</tt> folder
| |
| to give named permission to read files that we have copied just now
| |
| from root user.
| |
| | |
| After this use '<tt>service named start</tt>' to check DNS configuration
| |
| done so far and to verify that we can start Bind with this much
| |
| configuration. If you are not able to start Bind then verify all the
| |
| above things mentioned in handout very carefully.
| |
| | |
| It can be noted that this is considerably more than minimal Bind
| |
| configuration. But if we do minimal configuration then Bind may
| |
| not be able to handle recursive queries because of absence of
| |
| . zone or it may not confirm to RFC1912 as it would miss some
| |
| zones which every DNS must have as per RFC. Hence the current
| |
| configuration is minimal correct DNS configuration.
| |
| | |
| Please also note that if you try commands like:
| |
| <tt>nslookup www.google.com 127.0.0.1</tt>
| |
| then your DNS will not be able to resolve the query and will give
| |
| `connection timed out' error after waiting for few seconds.
| |
| | |
| This is because all machines in LAN cannot by default send UDP packets
| |
| outside campus. Hence your DNS server is not able to query dot (`.')
| |
| servers for address of .com servers to resolve above query and hence
| |
| nslookup fails. You can verify that your DNS server is trying to
| |
| query dot(`.') servers using wireshark.
| |
| | |
| A simple resolution of this problem is by
| |
| adding following option in /etc/named.conf:
| |
| <pre>
| |
| forwarders { 192.168.36.222; 192.168.36.204; };
| |
| forward only;
| |
| </pre>
| |
| This means that DNS server should forward the queries that it
| |
| receives to 192.168.36.222 or 192.168.36.204. Since port number
| |
| has not been defined the queries would be sent to other DNS servers
| |
| on default DNS port. The `<tt>forward only</tt>' option indicates
| |
| that DNS should always forward query and never try to do contact
| |
| other DNS directly.
| |
| | |
| The complete /etc/named.conf config file now has (excluding comments)
| |
| <pre>
| |
| options
| |
| {
| |
| directory "/var/named";
| |
| forwarders { 192.168.36.222; 192.168.36.204; };
| |
| forward only;
| |
| };
| |
| | |
| include "/etc/named.root.hints";
| |
| include "/etc/named.rfc1912.zones";
| |
| </pre>
| |
| | |
| Now use `<tt>service named reload</tt>' and again try <tt>nslookup</tt>
| |
| or <tt>dig</tt> for www.google.co.in etc. and the DNS server should now
| |
| be able to resolve queries. You can verify that current setup is working
| |
| because DNS is forwarding queries to 222 or 204 DNS servers.
| |
| | |
| ''Prefer to use <tt>dig</tt> command instead of <tt>nslookup</tt> for all your
| |
| DNS queries. <tt>dig</tt> is way more powerful than <tt>nslookup</tt>''
| |
| | |
| | |
| ==Our own zone==
| |
| Now that DNS is up and running including resolution of outside zones,
| |
| the next best thing to do is to create our own zones.
| |
| For purpose of this handout we will create test.iiit.ac.in
| |
| zone.
| |
| | |
| Please note that we can create any zone, even `google.com' and anyone who uses
| |
| our DNS server when they query for google.com, the replies would depend on
| |
| our configuration and not actual google.com servers. Hence it is very
| |
| important to use only trusted DNS servers to avoid DNS spoofing based attacks.
| |
| | |
| To create zone we need to append following lines at end of
| |
| <tt>/etc/named.conf</tt> file:
| |
| <pre>
| |
| zone "test.iiit.ac.in."
| |
| {
| |
| type master;
| |
| file "test.iiit.ac.in.forward";
| |
| };
| |
| </pre>
| |
| This means that we are going to create a new zone with name `test.iiit.ac.in' and
| |
| that information of that zone is present in file <tt>test.iiit.ac.in.forward</tt>.
| |
| As should be clear by now the file <tt>test.iiit.ac.in.forward</tt> must be
| |
| created / present in <tt>/var/named</tt> folders for DNS to work.
| |
| | |
| Contents of <tt>test.iiit.ac.in.forward</tt> file can be
| |
| </pre>
| |
| $TTL 3600
| |
| @ SOA ns.test.iiit.ac.in. root.test.iiit.ac.in. (1 15m 5m 30d 1h)
| |
| NS ns.test.iiit.ac.in.
| |
| A 10.3.3.157
| |
| ns IN A 10.3.3.157
| |
| lab320pc1 IN A 10.3.3.157
| |
| </pre>
| |
| Here, meaning of various options in SOA field was explained in DNS lecture and is
| |
| also mentioned in slides on DNS lecture. Basically we have created a new
| |
| zone with name test.iiit.ac.in. Nameserver for that zone is ns.test.iiit.ac.in.
| |
| IP address of test.iiit.ac.in zone itself is 10.3.3.157. There are two hosts
| |
| in this zone ns and lab320pc1. Both of them also have address 10.3.3.157.
| |
| | |
| To verify whether zone file is correct or not use command:
| |
| <pre>
| |
| named-checkzone test.iiit.ac.in test.iiit.ac.in.forward
| |
| </pre>
| |
| If you do not see any error being output by above command then zone file
| |
| is created correctly.
| |
| | |
| Now create symbolic link to above zone file in <tt>/var/named</tt> folder and also
| |
| ownership of file in both places (actual file and link) to named:named. Now try
| |
| <tt>service named restart</tt> command and the command should be able to stop
| |
| and start DNS server without any problem.
| |
| | |
| You can now check working of zone by querying your server using command:
| |
| <pre>
| |
| dig @127.0.0.1 lab320pc1.test.iiit.ac.in
| |
| </pre>
| |
| | |
| | |
| <yambe:breadcrumb self="Step-by-step tutorial">Bind DNS server configuration | Bind DNS</yambe:breadcrumb>
| |
