Research and Development Network

h1. DNS Server

The system is up and running.  It is not automated, and requires logging into the bridge to update DNS.  Not optimal, but easily fixed once we figure out how we want to structure things.

h2. Overview

* @bridge.dev.ru.is@ is the primary DNS server (for now)

* @gryla.dev.ru.is@ is a secondary DNS server, updated via zone transfer.

h2. Guides/Links

* http://www.howtoforge.com/creating-your-own-webserver-with-bind-and-apache-centos5

* Simple (Web) Management for BIND (SMBIND) http://sourceforge.net/projects/smbind/

* Bind9 Chroot Jail http://www.unixwiz.net/techtips/bind9-chroot.html

* Secure BIND conf template http://www.cymru.com/Documents/secure-bind-template.html

* Ibibilio AD and BIND http://ibiblio.org/gferg/ldp/BIND+AD-HOWTO/BIND+AD-HOWTO-2.html#ss2.3

h2. Instructions

* Install the packages on CentOS

<pre>yum install bind bind-chroot bind-libs bind-utils caching-nameserver -y</pre>

* chroot makes things a little complicated, but more secure

** Go into the chroot config and move the standardized zone files into the data jail

<pre>cd /var/named

mv named.* chroot/var/named/.

</pre>

** Copy the new zone file there too.  You will need to checkout the devnet repository from SVN.  Copy the dev.objid.net.zone file until the RU dns is fixed also.

** We will be delegating the dev.objid.net subdomain as soon as foley gets it working

<pre> cd devnet/Machines/Bridge

cp named.* /var/named/chroot/var/named/.

cp dev.ru.is.zone /var/named/chroot/var/named/.

</pre>

** Edit the /etc/named.conf and add this line

<pre>include "/etc/named.conf.local";</pre>

** Restart named and check for errors

h3. Reverse DNS lookup

* Install mkrdns

<pre> wget http://apt.sw.be/redhat/el6/en/i386/rpmforge/RPMS/mkrdns-3.3-1.el6.rf.noarch.rpm

rpm -ihv mkrdns-3.3-1.el6.rf.noarch.rpm</pre>

* Create a file that looks like this called @209.208.130.in-addr.arpa@

<pre>

209.208.130.in-addr.arpa. 3600	IN	SOA	NS1.DEV.RU.IS. ROOT.DEV.RU.IS. 2012041504 3600 600 86400 60

209.208.130.in-addr.arpa. 3600	IN	NS	NS1.DEV.RU.IS.

209.208.130.in-addr.arpa. 3600	IN	NS	NS2.DEV.RU.IS.

209.208.130.in-addr.arpa. 3600	IN	PTR	EIR.DEV.RU.IS.

33.209.208.130.in-addr.arpa. 3600 IN	PTR	BALDUR.DEV.RU.IS.

34.209.208.130.in-addr.arpa. 3600 IN	PTR	HOD.DEV.RU.IS.

35.209.208.130.in-addr.arpa. 3600 IN	PTR	EIR.DEV.RU.IS.

36.209.208.130.in-addr.arpa. 3600 IN	PTR	CENTIPEDE.DEV.RU.IS.

37.209.208.130.in-addr.arpa. 3600 IN	PTR	GRYLA.DEV.RU.IS.

38.209.208.130.in-addr.arpa. 3600 IN	PTR	ODIN.DEV.RU.IS.

39.209.208.130.in-addr.arpa. 3600 IN	PTR	STEKKJARSTAUR.DEV.RU.IS.

40.209.208.130.in-addr.arpa. 3600 IN	PTR	GILJAGAUR.DEV.RU.IS.

41.209.208.130.in-addr.arpa. 3600 IN	PTR	STUFUR.DEV.RU.IS.

42.209.208.130.in-addr.arpa. 3600 IN	PTR	POTTASLEIKIR.DEV.RU.IS.

43.209.208.130.in-addr.arpa. 3600 IN	PTR	ASKASLEIKIR.DEV.RU.IS.

44.209.208.130.in-addr.arpa. 3600 IN	PTR	KETKROKUR.DEV.RU.IS.

45.209.208.130.in-addr.arpa. 3600 IN	PTR	LOKI.DEV.RU.IS.

46.209.208.130.in-addr.arpa. 3600 IN	PTR	FRIGGA.DEV.RU.IS.

47.209.208.130.in-addr.arpa. 3600 IN	PTR	BROADCAST.DEV.RU.IS.

</pre>

* update the named.conf.local file to make the server be a master

* Login to the slave server and put a zone-transfer slave entry also.

h3. More chroot adjustments

# @/etc/named.conf@

<pre>options {

        listen-on port 53 {

                127.0.0.1;

                172.16.0.254;

                130.208.209.35;

        };

#       listen-on-v6 port 53 { ::1; };

        directory       "/var/named";

        dump-file       "/var/named/data/cache_dump.db";

        statistics-file "/var/named/data/named_stats.txt";

        memstatistics-file "/var/named/data/named_mem_stats.txt";

        allow-query {

 #               127.0.0.1;  #localhost only

 #               130.208.209.32/24;  #DEVNET only

                any;  # this is a public nameserver

        };

        recursion yes;

        dnssec-enable yes;

        dnssec-validation no;

#       dnssec-lookaside auto;

        /* Path to ISC DLV key */

        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

};

logging {

        channel info_log {

                file "/var/log/named.info.run" versions 3 size 5m;

                severity info;

                print-time yes;

                print-severity yes;

                print-category yes;

        };

        channel warning_log {

                file "/var/log/named.warn.run" versions 3 size 5m;

                severity warning;

                print-time yes;

                print-severity yes;

                print-category yes;

        };

        category default {

           info_log;

           warning_log;

        };

};

zone "." IN {

        type hint;

        file "named.ca";

};

include "/etc/named.rfc1912.zones";

include "/etc/named.conf.local";

 </pre>

# Now run the setup

<pre>#!/bin/bash

#

# named.perms

#

#   Set the ownership and permissions on the named directory

#

cd /var/named/chroot

# By default, root owns everything and only root can write, but dirs

# have to be executable too. Note that some platforms use a dot

# instead of a colon between user/group in the chown parameters}

chown -R root:named .

find . -type f -print | xargs chmod u=rw,og=r     # regular files

find . -type d -print | xargs chmod u=rwx,og=rx   # directories

# the named.conf and rndc.conf must protect their keys

chmod o= etc/*.conf

# the "secondaries" directory is where we park files from

# master nameservers, and named needs to be able to update

# these files and create new ones.

touch var/named/dynamic/.empty  # placeholder

find var/named/dynamic/ -type f -print | xargs chown named:named

find var/named/dynamic/ -type f -print | xargs chmod ug=r,o=

touch var/named/dynamic/managed-keys.bind

# the var/run business is for the PID file

chown root:root  var/

chmod u=rwx,og=x var/

find var/run/ -type f -print | xargs chown named:named

find var/run/ -type f -print | xargs chmod ug=rw,o=

find var/run/ -type d -print | xargs chown named:named

find var/run/ -type d -print | xargs chmod ug=rwx,o=

# named has to be able to create logfiles

touch var/log/named.info.run

touch var/log/named.warn.run

find var/log/ -type f -print | xargs chown named:named

find var/log/ -type f -print | xargs chmod ug=rw,o=

find var/named/dynamic/ -type f -print | xargs chmod ug=r,o=

touch var/named/dynamic/managed-keys.bind

# the var/run business is for the PID file

chown root:root  var/

chmod u=rwx,og=x var/

find var/run/ -type f -print | xargs chown named:named

find var/run/ -type f -print | xargs chmod ug=rw,o=

find var/run/ -type d -print | xargs chown named:named

find var/run/ -type d -print | xargs chmod ug=rwx,o=

# named has to be able to create logfiles

touch var/log/named.info.run

touch var/log/named.warn.run

find var/log/ -type f -print | xargs chown named:named

find var/log/ -type f -print | xargs chmod ug=rw,o=

find var/log/ -type d -print | xargs chown named:named

find var/log/ -type d -print | xargs chmod ug=rwx,o=

chown root:named     var/log/named.run

chmod ug=rw,o=r      var/log/named.run

chmod ug=rwx,o=rx    var/log/

</pre>

h2. Testing

h3. Linux

* Edit your @/etc/resolv.conf@

<pre>domain dev.ru.is

search dev.ru.is

nameserver 130.208.209.35

</pre>