Wednesday, December 8, 2010

Debian Lenny Chroot'ed BIND9 DNS

I've been looking for the simplest way to create and secure a DNS server in a chroot'ed environment for my private network, and I found this good documentation link.

This guide will show you how to get DNS working on your Debian server using BIND 9. I will show you how to setup the network interface, and how to maximize security by running BIND 9 inside a chroot environment. You will need to register a domain name so there will be no conflicts between internet domains and the domain(s) used on your LAN.



Setting up BIND 9

This will install BIND 9 and dnsutils, which contains the dig, nslookup and nsupdate DNS tools.
# aptitude install bind9 dnsutils
You will need to modify these settings to suit your network.
# vim /etc/bind/named.conf.options
options {
        directory "/var/cache/bind";

        auth-nxdomain no;    # conform to RFC1035

        allow-query { 192.168.1.0/24; } ; # network(s) which are allowed DNS queries
        allow-transfer { none; } ;
        allow-recursion { 192.168.1.0/24; } ; # restrict which clients resolve DNS queries
        listen-on { 192.168.1.20; } ; # interface BIND 9 listens on
        forward only;
        forwarders {
                208.67.222.222; # specify your ISP name servers
                208.67.220.220;
        };
};
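As an added check that is not part of the original guide, here is a small Python audit that parses a named.conf.options text and flags the address-match lists above when they are left open: allow-recursion or allow-query set to any, a missing allow-transfer, or no listen-on. PAGE_OPTIONS is the block above; WEAK_OPTIONS is a constructed counter-example.

```python
import re
# Each address-match-list the options block should pin down, and why "any" there is a problem.
CHECKS = {
    "allow-recursion": "recursion open to every client (open resolver, usable for amplification)",
    "allow-transfer":  "zone transfers (AXFR) not restricted, the whole zone can be dumped",
    "allow-query":     "queries not restricted to the LAN",
    "listen-on":       "named bound to every interface, not just the LAN address",
}

def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def parse_lists(conf):
    """Map each 'name { a; b; };' statement to its items (blocks with nested braces are skipped)."""
    lists = {}
    for m in re.finditer(r"\b([a-z-]+)\s*\{([^{}]*)\}\s*;", strip_comments(conf)):
        lists[m.group(1)] = [i.strip() for i in m.group(2).split(";") if i.strip()]
    return lists

def audit_options(conf):
    """Return a list of findings for a named.conf.options text; an empty list means all checks passed."""
    lists = parse_lists(conf)
    findings = []
    for stmt, why in CHECKS.items():
        items = lists.get(stmt)
        if items is None:
            findings.append(f"{stmt} not set: relying on the BIND default instead of an explicit LAN list")
        elif any(i.lower() in ("any", "0.0.0.0/0") for i in items):
            findings.append(f"{stmt} {{ {'; '.join(items)}; }}: {why}")
    return findings

# The options block from this page: every list is pinned to the LAN, so it should audit clean.
PAGE_OPTIONS = """options {
    directory "/var/cache/bind";
    allow-query { 192.168.1.0/24; } ; # network(s) which are allowed DNS queries
    allow-transfer { none; } ;
    allow-recursion { 192.168.1.0/24; } ;
    listen-on { 192.168.1.20; } ;
    forwarders { 208.67.222.222; 208.67.220.220; };
};"""

# Constructed counter-example: a "just make it work" config that leaves the server open to everyone.
WEAK_OPTIONS = """options {
    allow-query { any; };
    allow-recursion { any; };   // resolves for anyone who can reach port 53
    forwarders { 208.67.222.222; };
};"""
```

Run audit_options() over your own file before starting named; the weak sample yields four findings, the page's block none.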

Configuring Authoritative DNS

Make sure you replace ‘example.com’ with your own registered domain name. Make sure ‘1.168.192.in-addr.arpa’ contains the first three octets of your static IP address in reverse order, i.e. 192.168.0.20 will be ‘0.168.192.in-addr.arpa’ and 192.168.1.20 will be ‘1.168.192.in-addr.arpa’.
# vim /etc/bind/named.conf.local
zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
};

zone "1.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/1.168.192.in-addr.arpa";
};

Adding a New Zone

You will need to edit this example with your network details and domain name. I have added some extra A records at the end so you can access your desktop via desktop.example.com, etc.
# mkdir /etc/bind/zones
# vim /etc/bind/zones/example.com.db
;
; SOA
;
$TTL    1h
@               IN      SOA     ns1.example.com. hostmaster.example.com. (
                        0000000001      ; Serial number
                        1h              ; Slave refresh
                        15m             ; Slave retry
                        2w              ; Slave expire
                        1h              ; Negative Cache TTL
                        )
;
; NS RECORDS
;
@               IN      NS              ns1.example.com.
@               IN      NS              ns2.example.com.
;
; MX RECORD
;
@               IN      MX      10      mx.example.com.

;
; A RECORDS
;
@               IN      A               192.168.1.20
www             IN      A               192.168.1.20
ns1             IN      A               192.168.1.20
ns2             IN      A               192.168.1.20
mx              IN      A               192.168.1.20
desktop         IN      A               192.168.1.21
laptop          IN      A               192.168.1.22
router          IN      A               192.168.1.254

Reverse DNS

Make sure you change ‘20’ at the bottom left of the configuration to the last octet of your IP address.
# vim /etc/bind/zones/1.168.192.in-addr.arpa
$TTL    1h
@ IN SOA ns1.example.com. hostmaster.example.com. (
                        0000000001;
                        1h;
                        15m;
                        2w;
                        1h
                        )

                     IN    NS     ns1.example.com.
20                   IN    PTR    example.com.
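The octet-reversal rule and the PTR layout above can be derived from the forward zone instead of typed by hand. The following Python helper is an added example, not part of the original guide: it computes the in-addr.arpa name for a /24 and emits one PTR per address from the forward zone's A records. FORWARD_ZONE is a constructed subset of the zone above, and the ns parameter defaults to ns1.example.com. as on this page.

```python
import ipaddress

def reverse_zone_name(network):
    """'192.168.1.0/24' -> '1.168.192.in-addr.arpa': the first three octets, reversed."""
    net = ipaddress.ip_network(network, strict=False)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError("this helper only handles IPv4 /24 networks")
    o1, o2, o3, _ = str(net.network_address).split(".")
    return f"{o3}.{o2}.{o1}.in-addr.arpa"

def parse_a_records(zone_text, origin):
    """Yield (fqdn, ip) for each A record; '@' and bare labels are expanded against origin."""
    origin = origin.rstrip(".") + "."
    for raw in zone_text.splitlines():
        fields = raw.split(";", 1)[0].split()          # ';' starts a comment in zone files
        if len(fields) != 4 or fields[1].upper() != "IN" or fields[2].upper() != "A":
            continue
        owner, ip = fields[0], fields[3]
        fqdn = origin if owner == "@" else owner if owner.endswith(".") else f"{owner}.{origin}"
        yield fqdn, ip

def build_reverse_zone(zone_text, origin, network):
    """Return (reverse zone name, [(last octet, fqdn), ...]) for hosts inside network.
    The first A record seen for an address wins, so 192.168.1.20 maps back to example.com."""
    net = ipaddress.ip_network(network, strict=False)
    ptrs, seen = [], set()
    for fqdn, ip in parse_a_records(zone_text, origin):
        addr = ipaddress.ip_address(ip)
        if addr in net and addr not in seen:
            seen.add(addr)
            ptrs.append((str(addr).rsplit(".", 1)[1], fqdn))
    return reverse_zone_name(network), ptrs

def render_ptr_records(ptrs, ns="ns1.example.com."):
    """Render the NS and PTR lines in the layout used by this page's reverse zone file."""
    lines = [f"{'':21}IN    NS     {ns}"]
    lines += [f"{octet:<21}IN    PTR    {fqdn}" for octet, fqdn in ptrs]
    return "\n".join(lines) + "\n"

# Constructed sample: A records from the forward zone above, plus one host outside the /24.
FORWARD_ZONE = """\
$TTL    1h
@       IN      SOA     ns1.example.com. hostmaster.example.com. ( 1 1h 15m 2w 1h )
@       IN      NS      ns1.example.com.
@       IN      A       192.168.1.20
www     IN      A       192.168.1.20
desktop IN      A       192.168.1.21
router  IN      A       192.168.1.254
backup  IN      A       10.0.0.5        ; outside the /24, so it gets no PTR here
"""
```

Append the output of render_ptr_records() below the SOA of the reverse zone file; hosts such as desktop and router then get PTR records too, which the hand-written file above omits.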

Setting up the Chroot Environment

Set BIND 9 to run as an unprivileged user and chroot to /var/lib/named.
# vim /etc/default/bind9
# run resolvconf?
RESOLVCONF=yes
# startup options for the server
OPTIONS="-u bind -t /var/lib/named"
We need to create the directories BIND 9 will chroot to.
# mkdir -p /var/lib/named/etc
# mkdir -p /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run
Move the BIND 9 configuration directory to /var/lib/named/etc.
# mv /etc/bind /var/lib/named/etc
Create a symlink from the new location to the old location.
# ln -s /var/lib/named/etc/bind /etc/bind
Create null and random devices.
# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8
Set the permissions of the directories.
# chmod 666 /var/lib/named/dev/null
# chmod 666 /var/lib/named/dev/random
# chown -R bind:bind /var/lib/named/var/*
# chown -R bind:bind /var/lib/named/etc/bind
We need to add this option to the sysklogd defaults so that log messages from the chroot'ed BIND 9 still reach syslog.
# vim /etc/default/syslogd
SYSLOGD="-a /var/lib/named/dev/log"
Restart sysklogd and start BIND 9.
# /etc/init.d/sysklogd restart
# /etc/init.d/bind9 start

Configure Network Settings

The server needs a static IP address: if DHCP is used and the server's IP keeps changing, DNS would stop working because BIND 9 would be resolving names to an IP that no longer exists. Here are my network interface settings; you will probably need to modify them to suit your network.
# aptitude remove dhcp3-common
# vim /etc/network/interfaces
# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
auto eth0
allow-hotplug eth0
iface eth0 inet static
        address 192.168.1.20
        netmask 255.255.255.0
        network 192.168.1.0
        broadcast 192.168.1.255
        gateway 192.168.1.254
        # dns-* options are implemented by the resolvconf package, if installed
        dns-nameservers 192.168.1.20
Edit resolv.conf so DNS queries point to BIND 9; change the IP accordingly.
# vim /etc/resolv.conf
nameserver 192.168.1.20
Restart the network.
# /etc/init.d/networking restart

Check DNS is Working

Make sure you change the IP accordingly. You can also check subdomains (dig @192.168.1.20 desktop.example.com) and MX mail records (dig MX @192.168.1.20 example.com).
# dig @192.168.1.20 example.com
; <<>> DiG 9.5.0-P2 <<>> @192.168.1.20 example.com
; (1 server found)
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42726
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;example.com.   IN A

;; ANSWER SECTION:
example.com.  3600 IN A 192.168.1.20

;; AUTHORITY SECTION:
example.com.  3600 IN NS ns1.example.com.
example.com.  3600 IN NS ns2.example.com.

;; ADDITIONAL SECTION:
ns1.example.com. 3600 IN A 192.168.1.20
ns2.example.com. 3600 IN A 192.168.1.20

;; Query time: 0 msec
;; SERVER: 192.168.1.20#53(192.168.1.20)
;; WHEN: Sun Jan 11 07:53:47 2009
;; MSG SIZE  rcvd: 116
Check that reverse DNS is working.
# host 192.168.1.20
20.1.168.192.in-addr.arpa domain name pointer example.com.
Reference:
