DNS Server

The system is up and running. It is not automated, and requires logging into the bridge to update DNS. Not optimal, but easily fixed once we figure out how we want to structure things.

Overview

  • bridge.dev.ru.is is the primary DNS server (for now)
  • gryla.dev.ru.is is a secondary DNS server, updated via zone transfer.

Guides/Links

Instructions

  • Install the packages on CentOS
    yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y
  • chroot makes things a little complicated, but more secure
    • Go into the chroot config and move the standardized zone files into the data jail
      cd /var/named
      mv named.* chroot/var/named/.
      
    • Copy the new zone file there too. You will need to check out the devnet repository from SVN. Copy the dev.objid.net.zone file as well, until the RU DNS is fixed.
      cd devnet/Machines/Bridge
      cp named.* /var/named/chroot/var/named/.
      cp dev.ru.is.zone /var/named/chroot/var/named/.
      
    • We will be delegating the dev.objid.net subdomain as soon as foley gets it working
    • Edit the /etc/named.conf and add this line
      include "/etc/named.conf.local";
    • Restart named and check for errors

Reverse DNS lookup

  • Install mkrdns
    wget http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/mkrdns-3.3-1.el6.rf.noarch.rpm
    rpm -ihv mkrdns-3.3-1.el6.rf.noarch.rpm
  • Create a reverse zone file called 209.208.130.in-addr.arpa that looks like this
    209.208.130.in-addr.arpa. 3600    IN    SOA    NS1.DEV.RU.IS. ROOT.DEV.RU.IS. 2012041504 3600 600 86400 60
    209.208.130.in-addr.arpa. 3600    IN    NS    NS1.DEV.RU.IS.
    209.208.130.in-addr.arpa. 3600    IN    NS    NS2.DEV.RU.IS.
    209.208.130.in-addr.arpa. 3600    IN    PTR    EIR.DEV.RU.IS.
    33.209.208.130.in-addr.arpa. 3600 IN    PTR    BALDUR.DEV.RU.IS.
    34.209.208.130.in-addr.arpa. 3600 IN    PTR    HOD.DEV.RU.IS.
    35.209.208.130.in-addr.arpa. 3600 IN    PTR    EIR.DEV.RU.IS.
    36.209.208.130.in-addr.arpa. 3600 IN    PTR    CENTIPEDE.DEV.RU.IS.
    37.209.208.130.in-addr.arpa. 3600 IN    PTR    GRYLA.DEV.RU.IS.
    38.209.208.130.in-addr.arpa. 3600 IN    PTR    ODIN.DEV.RU.IS.
    39.209.208.130.in-addr.arpa. 3600 IN    PTR    STEKKJARSTAUR.DEV.RU.IS.
    40.209.208.130.in-addr.arpa. 3600 IN    PTR    GILJAGAUR.DEV.RU.IS.
    41.209.208.130.in-addr.arpa. 3600 IN    PTR    STUFUR.DEV.RU.IS.
    42.209.208.130.in-addr.arpa. 3600 IN    PTR    POTTASLEIKIR.DEV.RU.IS.
    43.209.208.130.in-addr.arpa. 3600 IN    PTR    ASKASLEIKIR.DEV.RU.IS.
    44.209.208.130.in-addr.arpa. 3600 IN    PTR    KETKROKUR.DEV.RU.IS.
    45.209.208.130.in-addr.arpa. 3600 IN    PTR    LOKI.DEV.RU.IS.
    46.209.208.130.in-addr.arpa. 3600 IN    PTR    FRIGGA.DEV.RU.IS.
    47.209.208.130.in-addr.arpa. 3600 IN    PTR    BROADCAST.DEV.RU.IS.
    
  • Update named.conf.local so that this server is the master for the zone.
  • Log in to the slave server and add the matching slave zone entry, so it picks the zone up by zone transfer.
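
The page does not show the named.conf.local entries the last two bullets refer to. The script below is an added example (not from the original page): it prints a master stanza for the reverse zone that allows transfers only to the secondary, and the matching slave stanza for the other box. It assumes the master is 130.208.209.35 (the nameserver address from the Testing section), that gryla is 130.208.209.37 (its PTR record above), and that a named-writable slaves/ directory exists inside the chroot.

```shell
#!/bin/sh
# Added example (not from the original page): emit the named.conf.local
# stanzas for the reverse zone above. The master serves the zone and lets
# only the secondary transfer it; the secondary pulls from the master.
# Assumed addresses: master 130.208.209.35 (the nameserver used in the
# Testing section), secondary gryla 130.208.209.37 (its PTR record above).
MASTER_IP=130.208.209.35
SLAVE_IP=130.208.209.37
ZONE=209.208.130.in-addr.arpa

# zone_stanza master|slave  -> prints the stanza for that role
zone_stanza() {
    case "$1" in
    master)
        cat <<EOF
zone "$ZONE" IN {
        type master;
        file "$ZONE";
        allow-transfer { $SLAVE_IP; };  # never "any": AXFR hands out the whole host list
        also-notify { $SLAVE_IP; };
        notify yes;
};
EOF
        ;;
    slave)
        cat <<EOF
zone "$ZONE" IN {
        type slave;
        file "slaves/$ZONE";            # assumed: a named-writable dir inside the chroot
        masters { $MASTER_IP; };
        allow-transfer { none; };
};
EOF
        ;;
    *)  echo "usage: zone_stanza master|slave" >&2; return 2 ;;
    esac
}

# install_stanza ROLE FILE -> appends the stanza unless the zone is already there
install_stanza() {
    if grep -q "zone \"$ZONE\"" "$2" 2>/dev/null; then
        echo "$ZONE is already configured in $2, leaving it alone" >&2
        return 1
    fi
    zone_stanza "$1" >>"$2"
}
```

Run `install_stanza master /etc/named.conf.local` on the master and `install_stanza slave /etc/named.conf.local` on gryla, then restart named on both and check that the transfer shows up in the logs.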

More chroot adjustments

  1. /etc/named.conf
    options {
            listen-on port 53 {
                    127.0.0.1;
                    172.16.0.254;
                    130.208.209.35;
            };
    #       listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query {
     #               127.0.0.1;  #localhost only
     #               130.208.209.32/24;  #DEVNET only
                    any;  # this is a public nameserver
            };
            recursion yes;
    
            dnssec-enable yes;
            dnssec-validation no;
    #       dnssec-lookaside auto;
    
            /* Path to ISC DLV key */
            bindkeys-file "/etc/named.iscdlv.key";
            managed-keys-directory "/var/named/dynamic";
    };
    
    logging {
    
            channel info_log {
                    file "/var/log/named.info.run" versions 3 size 5m;
                    severity info;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
            };
            channel warning_log {
                    file "/var/log/named.warn.run" versions 3 size 5m;
                    severity warning;
                    print-time yes;
                    print-severity yes;
                    print-category yes;
            };
            category default {
               info_log;
               warning_log;
            };
    };
    
    zone "." IN {
            type hint;
            file "named.ca";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.conf.local";
     
  2. Now run the setup script (named.perms) to fix ownership and permissions inside the chroot
    #!/bin/bash
    #
    # named.perms
    #
    #   Set the ownership and permissions on the named directory
    #
    
    cd /var/named/chroot || exit 1
    
    # By default, root owns everything and only root can write, but dirs
    # have to be executable too. Note that some platforms use a dot
    # instead of a colon between user/group in the chown parameters.
    
    chown -R root:named .
    
    find . -type f -print0 | xargs -0 chmod u=rw,og=r     # regular files
    find . -type d -print0 | xargs -0 chmod u=rwx,og=rx   # directories
    
    # the named.conf and rndc.conf must protect their keys
    chmod o= etc/*.conf
    
    # var/named/dynamic is where named keeps its managed keys and the files
    # it writes itself (e.g. zones parked from a master nameserver), so named
    # needs to own the directory and be able to update and create files there.
    
    touch var/named/dynamic/.empty  # placeholder
    touch var/named/dynamic/managed-keys.bind
    chown named:named var/named/dynamic
    chmod ug=rwx,o=   var/named/dynamic
    find var/named/dynamic/ -type f -print0 | xargs -0 chown named:named
    find var/named/dynamic/ -type f -print0 | xargs -0 chmod ug=rw,o=
    
    # the var/run business is for the PID file
    chown root:root  var/
    chmod u=rwx,og=x var/
    
    find var/run/ -type f -print0 | xargs -0 chown named:named
    find var/run/ -type f -print0 | xargs -0 chmod ug=rw,o=
    find var/run/ -type d -print0 | xargs -0 chown named:named
    find var/run/ -type d -print0 | xargs -0 chmod ug=rwx,o=
    
    # named has to be able to create logfiles (named.run is the default log)
    touch var/log/named.info.run
    touch var/log/named.warn.run
    touch var/log/named.run
    find var/log/ -type f -print0 | xargs -0 chown named:named
    find var/log/ -type f -print0 | xargs -0 chmod ug=rw,o=
    find var/log/ -type d -print0 | xargs -0 chown named:named
    find var/log/ -type d -print0 | xargs -0 chmod ug=rwx,o=
    chown root:named     var/log/named.run
    chmod ug=rw,o=r      var/log/named.run
    chmod ug=rwx,o=rx    var/log/
    

Testing

Linux

  • Edit your /etc/resolv.conf
    domain dev.ru.is
    search dev.ru.is
    nameserver 130.208.209.35
    

Updated by Joseph Foley over 9 years ago · 1 revisions