
Setting up BIND v9

Introduction

You can either run this in a Docker container or use the CentOS 7 named-chroot-setup.service unit, which takes care of populating and destroying the chrooted environment.

Requirements

Check your time setup (the zone serials below are taken from date +%s),

ntpdate ...
vi /etc/ntp.conf
systemctl status ntpd
ntpq -p

Install the daemon e.g. on CentOS7,

yum search bind | grep ^bind
yum install bind-chroot bind-utils

and make sure the installed version is v9,

named -v
named -V

Identify the configuration file and zone folder locations

On CentOS7,

/etc/named.* and rndc.key
/var/named/*
/var/named/data/
/var/named/dynamic/
/run/named/

(named-chroot-setup.service copies those files into the chroot and removes them again when it stops)

/var/named/chroot/etc/named* and rndc.key
/var/named/chroot/var/named/*
/var/named/chroot/var/named/data/
/var/named/chroot/var/named/dynamic/
/var/named/chroot/run/named/

cd ~/
ln -s /etc/named.conf
ln -s /var/named

On Slackware,

/etc/named.conf
/var/named/

On FreeBSD (chroot),

/etc/namedb --> /var/named/etc/namedb/
/etc/namedb/working/
/etc/namedb/master/localhost-forward.db
/etc/namedb/master/localhost-reverse.db

Authoritative for the local network

On CentOS7,

cd /etc/
mv named.conf named.conf.dist
cp -pi /usr/share/doc/bind-9.9.4/sample/etc/named.conf named.conf.sample
vi named.conf

options {
        directory               "/var/named";
        dump-file               "data/cache_dump.db";
        statistics-file         "data/named_stats.txt";
        memstatistics-file      "data/named_mem_stats.txt";

        listen-on port 53       { any; };
        listen-on-v6 port 53    { any; };

        allow-query             { localhost; 192.168.2.0/28; };
        allow-query-cache       { localhost; 192.168.2.0/28; };

        recursion no;
        dnssec-enable no;
        dnssec-validation no;

        pid-file "/run/named/named.pid";
        //session-keyfile "/run/named/session.key";
        //managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

include "/etc/named.rfc1912.zones";

zone "example.local" {
        type master;
        file "example.local.db";
        allow-update { none; };
};

zone "2.168.192.in-addr.arpa" {
        file "192.168.2.db";
        type master;
        allow-update { none; };
};

write your authoritative zone files,

cd /var/named/chroot/var/named/
date +%s # for serial

vi example.local.db

$TTL 86400
@               IN      SOA     ns.example.local. abuse.example.local. (
                        1496230362 ; serial
                        21600      ; refresh after 6 hours
                        3600       ; retry after 1 hour
                        604800     ; expire after 1 week
                        86400 )    ; minimum TTL of 1 day
;
@               IN NS      ns.example.local.
host1           IN A       192.168.2.1
host2           IN A       192.168.2.2
ns              IN A       192.168.2.253
alias1          IN CNAME   host1

vi 192.168.2.db

$TTL 86400
@       IN      SOA     ns.example.local. abuse.example.local. (
                        1496230362 ; serial
                        21600      ; refresh after 6 hours
                        3600       ; retry after 1 hour
                        604800     ; expire after 1 week
                        86400 )    ; minimum TTL of 1 day
;
@       IN NS      ns.example.local.
1       IN PTR     host1.example.local.
2       IN PTR     host2.example.local.
253     IN PTR     ns.example.local.

Note: replace both serial numbers accordingly (the date +%s output from above).

Enable Forwarding

Add this to the main options stanza,

forwarders {
    <nameserver1>;
    <nameserver2>;
};

TODO: is that also enough to enable caching against the forwarded servers?

Enable DNSSEC

Source: https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server-2

Add this to the options stanza,

dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;

Install and run haveged in case the kernel entropy pool is low (key generation blocks on /dev/random otherwise),

cat /proc/sys/kernel/random/entropy_avail
yum install haveged
service haveged start
chkconfig haveged on

Create the Zone Signing Key (ZSK) and Key Signing Key (KSK) pairs for every zone,

grep zone /etc/named.conf
domain=example.local
network=192.168.2
arpa=2.168.192.in-addr.arpa

cd /var/named/

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $domain
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $domain
for key in K$domain*.key; do
    echo adding this DNSKEY record:
    grep DNSKEY $key
    echo -n to $domain.db...
    echo "\$INCLUDE $key" >> $domain.db && echo done
done; unset key
dnssec-signzone -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -A -N increment -o $domain -t $domain.db
ls -lhF $domain.db.signed
ls -lhF /var/named/dsset-$domain.

dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE $arpa
dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE $arpa
for key in K$arpa*.key; do
    echo adding this DNSKEY record:
    grep DNSKEY $key
    echo -n to $network.db...
    echo "\$INCLUDE $key" >> $network.db && echo done
done; unset key
dnssec-signzone -3 $(head -c 1000 /dev/random | sha1sum | cut -b 1-16) -A -N increment -o $arpa -t $network.db
ls -lhF $network.db.signed
ls -lhF /var/named/dsset-$arpa.

Point the zone statements in named.conf to the new *.signed zone files and reload named,

vi /etc/named.conf
service named-chroot reload

and check,

host -t DNSKEY $domain localhost
host -t DNSKEY $arpa localhost
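The two signing runs above perform the same steps for example.local and 2.168.192.in-addr.arpa; the added example below (not the page's script) folds them into one function. It assumes the BIND 9.9-era dnssec-keygen and dnssec-signzone used above, that it is run inside the zone directory (/var/named here), and it draws the NSEC3 salt from /dev/urandom, which is sufficient because the salt is published in the zone anyway.

```shell
#!/bin/sh
# Added example (not the page's script): key generation, $INCLUDE and
# signing for one zone, the steps the page runs by hand per zone.
# Usage: sign_zone.sh <zone name> <zone file>, run inside the zone directory.
# Assumes BIND 9.9-era dnssec-keygen/dnssec-signzone as used on the page.
set -eu

# 16 hex characters for the NSEC3 salt; the salt ends up in the zone itself,
# so /dev/urandom is sufficient and never blocks on a low entropy pool
nsec3_salt() {
    head -c 1000 /dev/urandom | sha1sum | cut -b 1-16
}

# Append an $INCLUDE for a key file unless the zone file already has it,
# so re-running the script never publishes the same DNSKEY twice
include_key() {
    grep -qFx "\$INCLUDE $2" "$1" || echo "\$INCLUDE $2" >> "$1"
}

sign_zone() {
    zone=$1 file=$2
    # ZSK (2048 bits) and KSK (4096 bits) with the same algorithm as the page
    dnssec-keygen -a NSEC3RSASHA1 -b 2048 -n ZONE "$zone"
    dnssec-keygen -f KSK -a NSEC3RSASHA1 -b 4096 -n ZONE "$zone"
    for key in K"$zone".+*.key; do
        include_key "$file" "$key"
    done
    # -3 salt: NSEC3 chain, -A: opt-out, -N increment: bump the SOA serial
    dnssec-signzone -3 "$(nsec3_salt)" -A -N increment -o "$zone" -t "$file"
    # the file named.conf must now point at, and the DS set for the parent zone
    test -s "$file.signed" && test -s "dsset-$zone."
}

if [ $# -eq 2 ]; then
    sign_zone "$1" "$2"
fi
```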

Ready to go

Start with the non-chrooted daemon first and watch the logs while it comes up,

tail -F /var/log/messages /var/named/data/* /var/named/chroot/var/named/data/*

systemctl start named
systemctl status named

Is everything fine? Then switch to named-chroot-setup,

systemctl stop named
systemctl list-unit-files | grep named
less /usr/lib/systemd/system/named-chroot-setup.service
less /usr/libexec/setup-named-chroot.sh
systemctl start named-chroot-setup.service
systemctl status named-chroot-setup.service
systemctl status named-chroot.service

ls -lhF /etc/rndc.key
ls -lhF /var/named/chroot/etc/rndc.key

ls -lhF /etc/named.*
ls -lhF /var/named/chroot/etc/named.*

ls -lhF /var/named/chroot/var/named/data/
ls -lhF /var/named/chroot/var/named/dynamic/
ls -lhF /var/named/chroot/run/named/

Check that named is listening both on udp/53 and tcp/53,

netstat -antupe --inet --inet6

Check that the service (name resolution) works,

host host1.example.local localhost
host host2.example.local localhost
host alias1.example.local localhost
host ns.example.local localhost

host 192.168.2.1 localhost
host 192.168.2.2 localhost
host 192.168.2.253 localhost
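Before reloading named, the forward and reverse zone files written above can be cross-checked so that the forward and reverse lookups just listed cannot disagree; this is an added example and not part of the page. It assumes the one-record-per-line layout used in the zone files above and runs against constructed copies of them in a temporary directory.

```shell
#!/bin/sh
# Added example, not part of the page: cross-check the forward zone's A records
# against the reverse zone's PTR records before reloading named.
# Assumes the one-record-per-line layout used on this page
# ("<owner> IN A <ip>" and "<last octet> IN PTR <fqdn.>").
set -eu
# zone_consistency <forward file> <reverse file> <origin> <network prefix>
# Prints every disagreement; exit status is 0 only when both zones agree.
zone_consistency() {
    awk -v origin="$3" -v net="$4" '
        # forward file: address -> expected FQDN (owner + origin + trailing dot)
        FNR == NR { if ($2 == "IN" && $3 == "A") a[$4] = $1 "." origin "."; next }
        # reverse file: address rebuilt from the last octet -> PTR target
        $2 == "IN" && $3 == "PTR" { ptr[net "." $1] = $4 }
        END {
            bad = 0
            for (ip in a)
                if (!(ip in ptr)) { print "missing PTR for " ip " (" a[ip] ")"; bad = 1 }
                else if (ptr[ip] != a[ip]) { print "PTR for " ip " is " ptr[ip] ", expected " a[ip]; bad = 1 }
            for (ip in ptr)
                if (!(ip in a)) { print "PTR " ip " -> " ptr[ip] " has no A record"; bad = 1 }
            exit bad
        }' "$1" "$2"
}

# Constructed sample zones with the records from this page, written to a temp dir
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/example.local.db" <<'EOF'
$TTL 86400
@               IN      SOA     ns.example.local. abuse.example.local. 1496230362 21600 3600 604800 86400
@               IN NS      ns.example.local.
host1           IN A       192.168.2.1
host2           IN A       192.168.2.2
ns              IN A       192.168.2.253
alias1          IN CNAME   host1
EOF
cat > "$SAMPLE_DIR/192.168.2.db" <<'EOF'
$TTL 86400
@       IN NS      ns.example.local.
1       IN PTR     host1.example.local.
2       IN PTR     host2.example.local.
253     IN PTR     ns.example.local.
EOF
# The same reverse zone with host2's PTR dropped, to show a detected gap
grep -v '^2 ' "$SAMPLE_DIR/192.168.2.db" > "$SAMPLE_DIR/192.168.2.broken.db"

zone_consistency "$SAMPLE_DIR/example.local.db" "$SAMPLE_DIR/192.168.2.db" example.local 192.168.2 && echo "zones agree"
zone_consistency "$SAMPLE_DIR/example.local.db" "$SAMPLE_DIR/192.168.2.broken.db" example.local 192.168.2 || echo "fix the reverse zone"
```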

Host file scripting (includes signing)

Fetch a handy script that converts a static hosts file into zone files,

cd ~/bin/
wget http://doc.nethence.com/input/server/named/named.ksh
vi named.ksh

(edit accordingly esp. the vars at the top)

chmod +x named.ksh

Run it, apply (reload named-chroot, not named-chroot-setup) and check,

named.ksh
service named-chroot reload
service named-chroot-setup status
service named-chroot status

host somethingreal.example.local localhost
host somerealip localhost
