author | Tom Rhodes <trhodes@FreeBSD.org> | 2004-10-08 15:22:40 +0000 |
---|---|---|
committer | Tom Rhodes <trhodes@FreeBSD.org> | 2004-10-08 15:22:40 +0000 |
commit | 9ebdeea29e815502e1fc14773b7c9fcc50594777 (patch) | |
tree | 6b448425b5e8695c5790497c30ecd08762a60c49 | |
parent | 24da267c321b6aae3fb4fd956f0eee517a6fc30e (diff) | |
download | doc-9ebdeea29e815502e1fc14773b7c9fcc50594777.tar.gz doc-9ebdeea29e815502e1fc14773b7c9fcc50594777.zip |
Add a section covering BIND9, more work is needed here.
Notes:
svn path=/head/; revision=22566
-rw-r--r-- | en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml | 182 |
1 files changed, 182 insertions, 0 deletions
diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml index 0f79337cc2..ac42b388f6 100644 --- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml +++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml 
@@ -4010,6 +4010,188 @@ zone "10.168.192.in-addr.arpa" in { </sect2> </sect1> + <sect1 id="network-bind9"> + <sect1info> + <authorgroup> + <author> + <firstname>Tom</firstname> + <surname>Rhodes</surname> + <contrib>Written by </contrib> + </author> + </authorgroup> + </sect1info> + <title><acronym>BIND</acronym>9 and &os;</title> + +<!-- This section is here to get users up with BIND9 configurations! It + does not cover the terminology, theoretical discussion (why run a name + server) or the further reading which is still in the previous section. + I did things this way to avoid repetition of content and obviously we + cannot just remove the previous section since other supported releases + use it. When the previous section is removed then those comments + should be moved here. // Tom Rhodes --> + + <indexterm><primary>bind9</primary> + <secondary>setting up</secondary></indexterm> + + <para>The release of &os; 5.3 brought the + <acronym>BIND</acronym>9 <acronym>DNS</acronym> server software + into the distribution. New security features, a new file system + layout and automated &man.chroot.8; configuration came with the + import. This section has been written in two parts, the first + will discuss new features and their configuration; the latter + will cover upgrades to aid in move to &os; 5.3. From this + moment on, the server will be referred to simply as + &man.named.8; in place of <acronym>BIND</acronym>. This section + skips over the terminology described in the previous section as + well as some of the theoretical discussions; thus, it is + recommended that the previous section be consulted before reading + any further here.</para> + + <para>Configuration files for <command>named</command> currently + reside in + <filename role="directory">/var/named/etc/namedb/</filename> and + will need modification before use. 
This is where most of the + configuration will be performed.</para> + + <sect2> + <title>Configuration of a Master Zone</title> + + <para>To configure a master zone visit + <filename role="directory">/var/named/etc/namedb/</filename> + and run the following command:</para> + + <screen>&prompt.root; <userinput>sh make-localhost</userinput></screen> + + <para>If all went well a new file should exist in the + <filename role="directory">master</filename> directory. The + filenames should be <filename>localhost.rev</filename> for + the local domain name and <filename>localhost-v6.rev</filename> + for <acronym>IPv6</acronym> configurations. As the default + configuration file, configuration for its use will already + be present in the <filename>named.conf</filename> file.</para> + </sect2> + + <sect2> + <title>Configuration of a Slave Zone</title> + + <para>Configuration for extra domains or sub domains may be + done properly by setting them as a slave zone. In most cases, + the <filename>master/localhost.rev</filename> could just be + copied over into the <filename role="directory">slave</filename> + directory and modified. 
Once completed, the files need + to be properly added in <filename>named.conf</filename> such + as in the following configuration for + <hostid role="fqdn">example.com</hostid>:</para> + + <programlisting>zone "example.com" { + type slave; + file "slave/example.com"; + masters { + 10.0.0.1; + }; +}; + +zone "0.168.192.in-addr.arpa" { + type slave; + file "slave/0.168.192.in-addr.arpa"; + masters { + 10.0.0.1; + }; +};</programlisting> + + <para>Note well that in this example, the master + <acronym>IP</acronym> address is the primary domain server + from which the zones are transferred; it does not necessary serve + as <acronym>DNS</acronym> server itself.</para> + </sect2> + + <sect2> + <title>System Initialization Configuration</title> + + <para>In order for the <command>named</command> daemon to start + when the system is booted, the following option must be present + in the <filename>rc.conf</filename> file:</para> + + <programlisting>named_enable="YES"</programlisting> + + <para>While other options exist, this is the bare minimal + requirement. Consult the &man.rc.conf.5; manual page for + a list of the other options. If nothing is entered in the + <filename>rc.conf</filename> file then <command>named</command> + may be started on the command line by invoking:</para> + + <screen>&prompt.root; <userinput>/etc/rc.d/named start</userinput></screen> + </sect2> + + <sect2> + <title><acronym>BIND</acronym>9 Security</title> + + <para>While &os automatically drops <command>named</command> + into a &man.chroot.8; environment; there are several other + security mechanisms in place which could help to lure off + possible <acronym>DNS</acronym> service attacks. + + <sect3> + <title>Query Access Control Lists</title> + + <para>A query access control list can be used to restrict + queries against the zones. 
The configuration works by + defining the network inside of the <literal>acl</literal> + token and then listing <acronym>IP</acronym> addresses in + the zone configuration. To permit domains to query the + example host, just define it like this:</para> + + <programlisting>acl "example.com" { + 192.168.0.0/24; +}; + +zone "example.com" { + type slave; + file "slave/example.com"; + masters { + 10.0.0.1; + }; + allow-query { example.com; }; +}; + +zone "0.168.192.in-addr.arpa" { + type slave; + file "slave/0.168.192.in-addr.arpa"; + masters { + 10.0.0.1; + }; + allow-query { example.com; }; +};</programlisting> + </sect3> + + <sect3> + <title>Restrict Version</title> + + <para>Permitting version lookups on the <acronym>DNS</acronym> + server could be opening the doors for an attacker. A + malicious user may use this information to hunt up known + exploits or bugs to utilize against the host. A false version + string can be placed the <literal>options</literal> section of + <filename>named.conf</filename>:</para> + + <programlisting>options { + directory "/etc/namedb"; + pid-file "/var/run/named/pid"; + dump-file "/var/dump/named_dump.db"; + statistics-file "/var/stats/named.stats"; + version "None of your business";</programlisting> + </sect3> +<!-- Here is where I stopped for now + <sect3> + <title>Authentication</title> + + <para> ... </para> + +--> + </sect2> + </sect1> + + <sect1 id="network-apache"> <sect1info> <authorgroup> |
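Review bot: the `<para>` that opens the "BIND9 Security" sect2 ("While &os automatically drops <command>named</command> ...") is never closed before the first `<sect3>` starts, and `&os` is missing its terminating semicolon, so the chapter will not validate; add `</para>` after "service attacks." and write `&os;`. In the "Restrict Version" listing the `options {` block has no closing `};`, so a reader pasting it into named.conf gets a syntax error on load; add the closing line. The "Query Access Control Lists" paragraph says "To permit domains to query the example host", but an `acl` entry lists address prefixes (here 192.168.0.0/24), not domains, and the acl is only consulted through `allow-query`; rewording to "to permit hosts on a given network to query" would make the prose match the listing, and a sentence noting that `allow-query` restricts who may resolve the zone at all (not just who may transfer it) would help readers who apply it to a public zone. Minor wording in the same hunk: "does not necessary serve" should be "does not necessarily serve", and "lure off" should be "ward off".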