author: Tom Rhodes <trhodes@FreeBSD.org> 2004-10-08 15:22:40 +0000
committer: Tom Rhodes <trhodes@FreeBSD.org> 2004-10-08 15:22:40 +0000
commit: 9ebdeea29e815502e1fc14773b7c9fcc50594777 (patch)
tree: 6b448425b5e8695c5790497c30ecd08762a60c49
parent: 24da267c321b6aae3fb4fd956f0eee517a6fc30e (diff)
Add a section covering BIND9, more work is needed here.
Notes: svn path=/head/; revision=22566
-rw-r--r-- en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml | 182
1 file changed, 182 insertions, 0 deletions
diff --git a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
index 0f79337cc2..ac42b388f6 100644
--- a/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
+++ b/en_US.ISO8859-1/books/handbook/network-servers/chapter.sgml
@@ -4010,6 +4010,188 @@ zone "10.168.192.in-addr.arpa" in {
</sect2>
</sect1>
+ <sect1 id="network-bind9">
+ <sect1info>
+ <authorgroup>
+ <author>
+ <firstname>Tom</firstname>
+ <surname>Rhodes</surname>
+ <contrib>Written by </contrib>
+ </author>
+ </authorgroup>
+ </sect1info>
+ <title><acronym>BIND</acronym>9 and &os;</title>
+
+<!-- This section is here to get users up with BIND9 configurations! It
+ does not cover the terminology, theoretical discussion (why run a name
+ server) or the further reading which is still in the previous section.
+ I did things this way to avoid repetition of content and obviously we
+ cannot just remove the previous section since other supported releases
+ use it. When the previous section is removed then those comments
+ should be moved here. // Tom Rhodes -->
+
+ <indexterm><primary>bind9</primary>
+ <secondary>setting up</secondary></indexterm>
+
+ <para>The release of &os;&nbsp;5.3 brought the
+ <acronym>BIND</acronym>9 <acronym>DNS</acronym> server software
+ into the distribution. New security features, a new file system
+ layout and automated &man.chroot.8; configuration came with the
+ import. This section has been written in two parts, the first
+ will discuss new features and their configuration; the latter
+ will cover upgrades to aid in move to &os;&nbsp;5.3. From this
+ moment on, the server will be referred to simply as
+ &man.named.8; in place of <acronym>BIND</acronym>. This section
+ skips over the terminology described in the previous section as
+ well as some of the theoretical discussions; thus, it is
+ recommended that the previous section be consulted before reading
+ any further here.</para>
+
+ <para>Configuration files for <command>named</command> currently
+ reside in
+ <filename role="directory">/var/named/etc/namedb/</filename> and
+ will need modification before use. This is where most of the
+ configuration will be performed.</para>
+
+ <sect2>
+ <title>Configuration of a Master Zone</title>
+
+ <para>To configure a master zone visit
+ <filename role="directory">/var/named/etc/namedb/</filename>
+ and run the following command:</para>
+
+ <screen>&prompt.root; <userinput>sh make-localhost</userinput></screen>
+
+ <para>If all went well a new file should exist in the
+ <filename role="directory">master</filename> directory. The
+ filenames should be <filename>localhost.rev</filename> for
+ the local domain name and <filename>localhost-v6.rev</filename>
+ for <acronym>IPv6</acronym> configurations. As the default
+ configuration file, configuration for its use will already
+ be present in the <filename>named.conf</filename> file.</para>
+ </sect2>
+
+ <sect2>
+ <title>Configuration of a Slave Zone</title>
+
+ <para>Configuration for extra domains or sub domains may be
+ done properly by setting them as a slave zone. In most cases,
+ the <filename>master/localhost.rev</filename> could just be
+ copied over into the <filename role="directory">slave</filename>
+ directory and modified. Once completed, the files need
+ to be properly added in <filename>named.conf</filename> such
+ as in the following configuration for
+ <hostid role="fqdn">example.com</hostid>:</para>
+
+ <programlisting>zone "example.com" {
+ type slave;
+ file "slave/example.com";
+ masters {
+ 10.0.0.1;
+ };
+};
+
+zone "0.168.192.in-addr.arpa" {
+ type slave;
+ file "slave/0.168.192.in-addr.arpa";
+ masters {
+ 10.0.0.1;
+ };
+};</programlisting>
+
+ <para>Note well that in this example, the master
+ <acronym>IP</acronym> address is the primary domain server
+ from which the zones are transferred; it does not necessary serve
+ as <acronym>DNS</acronym> server itself.</para>
+ </sect2>
+
+ <sect2>
+ <title>System Initialization Configuration</title>
+
+ <para>In order for the <command>named</command> daemon to start
+ when the system is booted, the following option must be present
+ in the <filename>rc.conf</filename> file:</para>
+
+ <programlisting>named_enable="YES"</programlisting>
+
+ <para>While other options exist, this is the bare minimal
+ requirement. Consult the &man.rc.conf.5; manual page for
+ a list of the other options. If nothing is entered in the
+ <filename>rc.conf</filename> file then <command>named</command>
+ may be started on the command line by invoking:</para>
+
+ <screen>&prompt.root; <userinput>/etc/rc.d/named start</userinput></screen>
+ </sect2>
+
+ <sect2>
+ <title><acronym>BIND</acronym>9 Security</title>
+
+ <para>While &os automatically drops <command>named</command>
+ into a &man.chroot.8; environment; there are several other
+ security mechanisms in place which could help to lure off
+ possible <acronym>DNS</acronym> service attacks.
+
+ <sect3>
+ <title>Query Access Control Lists</title>
+
+ <para>A query access control list can be used to restrict
+ queries against the zones. The configuration works by
+ defining the network inside of the <literal>acl</literal>
+ token and then listing <acronym>IP</acronym> addresses in
+ the zone configuration. To permit domains to query the
+ example host, just define it like this:</para>
+
+ <programlisting>acl "example.com" {
+ 192.168.0.0/24;
+};
+
+zone "example.com" {
+ type slave;
+ file "slave/example.com";
+ masters {
+ 10.0.0.1;
+ };
+ allow-query { example.com; };
+};
+
+zone "0.168.192.in-addr.arpa" {
+ type slave;
+ file "slave/0.168.192.in-addr.arpa";
+ masters {
+ 10.0.0.1;
+ };
+ allow-query { example.com; };
+};</programlisting>
+ </sect3>
+
+ <sect3>
+ <title>Restrict Version</title>
+
+ <para>Permitting version lookups on the <acronym>DNS</acronym>
+ server could be opening the doors for an attacker. A
+ malicious user may use this information to hunt up known
+ exploits or bugs to utilize against the host. A false version
+ string can be placed the <literal>options</literal> section of
+ <filename>named.conf</filename>:</para>
+
+ <programlisting>options {
+ directory "/etc/namedb";
+ pid-file "/var/run/named/pid";
+ dump-file "/var/dump/named_dump.db";
+ statistics-file "/var/stats/named.stats";
+ version "None of your business";</programlisting>
+ </sect3>
+<!-- Here is where I stopped for now
+ <sect3>
+ <title>Authentication</title>
+
+ <para> ... </para>
+
+-->
+ </sect2>
+ </sect1>
+
+
<sect1 id="network-apache">
<sect1info>
<authorgroup>
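Review bot: The new "BIND9 Security" subsection will not build as written: the opening paragraph uses `&os` without the terminating semicolon (`<para>While &os automatically drops <command>named</command>`), and that `<para>` is never closed before the `<sect3>` for "Query Access Control Lists" begins, so `</para>` needs to be added after `possible <acronym>DNS</acronym> service attacks.` and the entity fixed to `&os;`. The description of the query ACL in the same subsection is reversed relative to the listing that follows it: the `acl "example.com"` block is where the `192.168.0.0/24` network is listed, and the zone's `allow-query { example.com; };` then references that ACL by name, so the text should say that `allow-query` restricts which client networks may query the zone rather than "To permit domains to query the example host"; reusing the zone name as the ACL name also invites confusion, since `example.com` in `allow-query` is an ACL label and not a domain. In "Restrict Version", the `options {` listing is left unterminated (no closing `};`), which readers will copy verbatim into `named.conf`, and the wording should be "placed in the `options` section"; it is also worth stating that a false `version` string only hides the banner from `version.bind` lookups and is not a substitute for keeping `named` patched. Smaller wording fixes: "does not necessary serve" should be "does not necessarily serve" (slave zone note), and "lure off possible DNS service attacks" should read "ward off". The commented-out "Authentication" `<sect3>` stub is fine to leave for follow-up work as the commit message says, but the `<!-- Here is where I stopped for now` comment should be tidied before this is considered complete.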