Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 242 • To query a new db.cache file for your DNS Server, use the following command: [root@deep]# dig @.aroot-servers.net . ns > db.cache Don’t forget to copy the db.cache file to the “/var/named/” directory on your server where you’re installing DNS server after retrieving it over the Internet. NOTE: Internal addresses like 192.168.1/24 are not included in the DNS configuration files for security reasons. It is very important that DNS doesn't exist between hosts on the corporate network and external hosts. Primary master name Server A primary master name server for a zone reads the data for the zone from a file on it’s host and are authoritative for that zone. The necessary files to setup a primary master name server are: named.conf db.127.0.0 db.208.164.186 db.openna db.cache named script Configuration of the “/etc/named.conf” file for a master name server Use this configuration for the server on your network that acts as a master name server. After compiling DNS, you need to set up a primary domain name for your server. We'll use “openna.com” as an example domain, and assume you are using IP network address of 208.164.186.0. To do this, add the following lines to your “/etc/named.conf”. Create the named.conf file (touch /etc/named.conf) and add: options { directory "/var/named"; fetch-glue no; recursion no; allow-query { 208.164.186/24; 127.0.0/8; }; allow-transfer { 208.164.186.2; }; transfer-format many-answers; }; // These files are not specific to any zone zone "." in { type hint; file "db.cache"; }; zone "0.0.127.in-addr.arpa" in { type master; file "db.127.0.0"; }; // These are our primary zone files zone "openna.com" in { type master; file "db.openna "; }; Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 243 zone "186.164.208.in-addr.arpa" in { type master; file "db.208.164.186"; }; The “fetch-glue no” option can be used in conjunction with the option “recursion no” to prevent the server's cache from growing or becoming corrupted. Also, disabling recursion puts your name servers into a passive mode, telling it never to send queries on behalf of other name servers or resolvers. A non-recursive name server is very difficult to spoof, since it doesn’t send queries, and hence doesn’t cache any data. In the “allow-query” line, 208.164.186/24 and 127.0.0/8 are the IP addresses allowed to ask ordinary questions to the server. In the “allow-transfer” line, 208.164.186.2 is the IP address allowed to receive zone transfers from the server. You must ensure that only your real slave name servers can transfer zones from your name server. As the information provided is often used by spammers and IP spoofers. NOTE: The options “recursion no”, “allow-query”, and “allow-transfer” in the “named.conf” file above are security features. Configuration of the “/var/named/db.127.0.0” file for a master and slave name server This configuration file can be used by both a master name server and a slave name server. The “db.127.0.0” file covers the loopback network. Create the following files in “/var/named/”. Create the db.127.0.0 file (touch /var/named/db.127.0.0) and add: ; Revision History: April 22, 1999 - admin@mail.openna.com ; Start of Authority (SOA) records. $TTL 345600 @ IN SOA deep.openna.com. admin.mail.openna.com. ( 00 ; Serial 86400 ; Refresh 7200 ; Retry 2592000 ; Expire 345600 ) ; Minimum ; Name Server (NS) records. NS deep.openna.com. NS mail.openna.com. ; only One PTR record. 1 PTR localhost. Configuration of the “/var/named/db.208.164.186” file for a master name server Use this configuration for the server on your network that acts as a master name server. The file “db.208.164.186” maps host names to addresses. Create the following files in “/var/named/”. Create the db.208.164.186 file (touch /var/named/db.208.164.186) and add: ; Revision History: April 22, 1999 - admin@mail.openna.com ; Start of Authority (SOA) records. $TTL 345600 @ IN SOA deep.openna.com. admin.mail.openna.com. ( Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 244 00 ; Serial 86400 ; Refresh 7200 ; Retry 2592000 ; Expire 345600 ) ; Minimum ; Name Server (NS) records. NS deep.openna.com. NS mail.openna.com. ; Addresses Point to Canonical Names (PTR) for Reverse lookups 1 PTR deep.openna.com. 2 PTR mail.openna.com. 3 PTR www.openna.com. Configuration of the “/var/named/db.openna” file for a master name server Use this configuration for the server on your network that acts as a master name server. The file “db.openna” maps addresses to host names. Create the following file in “/var/named/”. Create the db.openna file (touch /var/named/db.openna) and add: ; Revision History: April 22, 1999 - admin@mail.openna.com ; Start of Authority (SOA) records. $TTL 345600 @ IN SOA deep.openna.com. admin.mail.openna.com. ( 00 ; Serial 86400 ; Refresh 7200 ; Retry 2592000 ; Expire 345600 ) ; Minimum ; Name Server (NS) records. NS deep.openna.com. NS mail.openna.com. ; Mail Exchange (MX) records. MX 0 mail.openna.com. ; Address (A) records. localhost A 127.0.0.1 deep A 208.164.186.1 mail A 208.164.186.2 www A 208.164.186.3 ; Aliases in Canonical Name (CNAME) records. ;www CNAME deep.openna.com. Configuration of the “/var/named/db.cache” file for a master and slave name servers Before starting your DNS server you must take a copy of the “db.cache” file and copy it into the “/var/named/” directory. The “db.cache” tells your server where the servers for the “root” zone are. Use the following command on another Unix computer in your organization to query a new db.cache file for your DNS Server or pick one from your Red Hat Linux CD-ROM source distribution: Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 245 • To query a new db.cache file for your DNS Server, use the following command: [root@deep /]# dig @.aroot-servers.net . ns > db.cache Don’t forget to copy the “db.cache” file to the “/var/named/” directory on your server where you’re installing DNS server after retrieving it over the Internet. Secondary slave name Server The purpose of a slave name server is to share the load with the master server, or handle the entire load if the master server is down. A slave name server loads its data over the network from another name server (usually the master name server, but it can load from another slave name server too). This process is called a zone transfer. Necessary files to setup a secondary slave name server are: named.conf db.127.0.0 db.cache named script Configuration of the “/etc/named.conf” file for a slave name server Use this configuration for the server on your network that acts as a slave name server. You must modify the “named.conf” file on the slave name server host. Change every occurrence of primary to secondary except for “0.0.127.in-addr.arpa” and add a masters line with the IP address of the master server as shown below. Create the named.conf file (touch /etc/named.conf) and add: options { directory "/var/named"; fetch-glue no; recursion no; allow-query { 208.164.186/24; 127.0.0/8; }; allow-transfer { 208.164.186.1; }; transfer-format many-answers; }; // These files are not specific to any zone zone "." in { type hint; file "db.cache"; }; zone "0.0.127.in-addr.arpa" in { type master; file "db.127.0.0"; }; // These are our slave zone files zone "openna.com" in { type slave; file "db.openna"; masters { 208.164.186.1; }; }; zone "186.164.208.in-addr.arpa" in { type slave; file "db.208.164.186"; masters { 208.164.186.1; }; Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 246 }; This tells the name server that it is a slave for the zone “openna.com” and should track the version of this zone that is being kept on the host “208.164.186.1”. A slave name server doesn’t need to retrieve all of its database (db) files over the network because these db files “db.127.0.0” and “db.cache” are the same as on a primary master, so you can keep a local copy of these files on the slave name server. Copy the “db.127.0.0” file from master name server to slave name server. Copy the “db.cache” file from master name server to slave name server. Configuration of the “/etc/rc.d/init.d/named” script file for all type of name server Configure your “/etc/rc.d/init.d/named” script file to start and stop the BIND/DNS daemon on your Server. This configuration script file can by used for all type of name server (caching, master or slave). Create the named script file (touch /etc/rc.d/init.d/named) and add: #!/bin/sh # # named This shell script takes care of starting and stopping # named (BIND DNS server). # # chkconfig: - 55 45 # description: named (BIND) is a Domain Name Server (DNS) \ # that is used to resolve host names to IP addresses. # probe: true # Source function library. . /etc/rc.d/init.d/functions # Source networking configuration. . /etc/sysconfig/network # Check that networking is up. [ ${NETWORKING} = "no" ] && exit 0 [ -f /usr/sbin/named ] || exit 0 [ -f /etc/named.conf ] || exit 0 RETVAL=0 # See how we were called. case "$1" in start) # Start daemons. echo -n "Starting named: " daemon named RETVAL=$? [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named echo ;; stop) # Stop daemons. echo -n "Shutting down named: " killproc named Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 247 RETVAL=$? [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named echo ;; status) /usr/sbin/ndc status exit $? ;; restart) $0 stop $0 start ;; reload) /usr/sbin/ndc reload exit $? ;; probe) # named knows how to reload intelligently; we don't want linuxconf # to offer to restart every time /usr/sbin/ndc reload >/dev/null 2>&1 || echo start exit 0 ;; *) echo "Usage: named {start|stop|status|restart}" exit 1 esac exit $RETVAL Now, make this script executable and change its default permissions: [root@deep]# chmod 700 /etc/rc.d/init.d/named Create the symbolic rc.d links for BIND/DNS with the command: [root@deep]# chkconfig add named The BIND/DNS script will not automatically start the named daemon when you reboot the server. You can change its default by executing the following command: [root@deep]# chkconfig level 345 named on Start your DNS Server manually with the following command: [root@deep]# /etc/rc.d/init.d/named start Starting named: [ OK ] Securing ISC BIND/DNS Running ISC BIND/DNS in a chroot jail This part focuses on preventing ISC BIND/DNS from being used as a point of break-in to the system hosting it. Since ISC BIND/DNS performs a relatively large and complex function, the potential for bugs that affect security is rather high with this software. In fact, there have been exploitable bugs in the past that allowed a remote attacker to obtain root access to hosts running ISC BIND/DNS. To minimize this risk, ISC BIND/DNS can be run as a non-root user, which will limit any damage to what can be done as a normal user with a local shell. Of course, this is not enough for the security requirements of most DNS servers, so an additional step can be taken - that is, running ISC BIND in a chroot jail. Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 248 The main benefit of a chroot jail is that the jail will limit the portion of the file system the DNS daemon program can see to the root directory of the jail. Additionally, since the jail only needs to support DNS, the programs related to ISC BIND/DNS available in the jail can be extremely limited. Most importantly, there is no need for setuid-root programs, which can be used to gain root access and break out of the jail. NOTE: The “named” binary program must be in a directory listed within your PATH environment variable for this to work. For the rest of the documentation, I'll assume the path of your original named program is “/usr/sbin/named”. The following are the necessary steps to run ISC BIND/DNS software in a chroot jail: Step 1 We must find the shared library dependencies of named (named is the DNS daemon). These will need to be copied into the chroot jail later. • To find the shared library dependencies of named, execute the following command: [root@deep /]# ldd /usr/sbin/named libc.so.6 => /lib/libc.so.6 (0x40017000) /lib/ld-linux.so.2 => /lib/ld-linux.so.2 (0x40000000) Make a note of the files listed above; you will need these later in our steps. Step 2 Now we must set up the chroot environment, and create the root directory of the jail. We've chosen “/chroot/named” because we want to put this on its own separate file system to prevent file system attacks. Early in our Linux installation procedure we created a special partition “/chroot” for this exact purpose. [root@deep /]# /etc/rc.d/init.d/named stop (require only if an existing named daemon is running) Shutting down named: [ OK ] [root@deep /]# mkdir -p /chroot/named Next, create the rest of directories as follows: Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 249 [root@deep /]# mkdir /chroot/named/dev [root@deep /]# mkdir /chroot/named/lib [root@deep /]# mkdir /chroot/named/etc [root@deep /]# mkdir -p /chroot/named/usr/sbin [root@deep /]# mkdir -p /chroot/named/var/run [root@deep /]# mkdir /chroot/named/var/named Now copy the main configuration file, the zone files, the named and the named-xfer programs into the appropriate places in the chroot jail directory: [root@deep /]# cp /etc/named.conf /chroot/named/etc/ [root@deep /]# cd /var/named ; cp -a . /chroot/named/var/named/ [root@deep /]# mknod /chroot/named/dev/null c 1 3 [root@deep /]# chmod 666 /chroot/named/dev/null [root@deep /]# cp /usr/sbin/named /chroot/named/usr/sbin/ [root@deep /]# cp /usr/sbin/named-xfer /chroot/named/usr/sbin/ IMPORTANT NOTE: The owner of the “/chroot/named/var/named” directory and all files in this directory must be the process name “named” under the slave server and only the slave server or you wouldn’t be able to make a zone transfer. • To make the “named” directory and all its files own by the “named” process name under the slave server, use the command: [root@deep /]# chown -R named.named /chroot/named/var/named/ Step 3 Copy the shared libraries identified in step 1 above to the chrooted lib directory: [root@deep /]# cp /lib/libc.so.6 /chroot/named/lib/ [root@deep /]# cp /lib/ld-linux.so.2 /chroot/named/lib/ Step 4 Copy the “localtime” and “nsswitch.conf” files to the chrooted etc directory so that log entries are adjusted for your local timezone properly: [root@deep /]# cp /etc/localtime /chroot/named/etc/ [root@deep /]# cp /etc/nsswitch.conf /chroot/named/etc/ Step 5 We must set some files under the “/chroot/named/etc” directory with the immutable bit enabled for better security: • Set the immutable bit on “nsswitch.conf” file: [root@deep /]# cd /chroot/named/etc/ [root@deep etc]# chattr +i nsswitch.conf • Set the immutable bit on “named.conf” file: [root@deep /]# cd /chroot/named/etc/ [root@deep etc]# chattr +i named.conf A file with the “+i” attribute cannot be modified, deleted or renamed; no link can be created to this file and no data can be written to it. Only the superuser can set or clear this attribute. Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 250 Step 6 Add a new UID and a new GID for running the daemon “named” if this is not already set. This is important because running it as root defeats the purpose of the jail, and using a different user id that already exists on the system can allow your services to access each others' resources. Check the “/etc/passwd” and “/etc/group” files for a free UID/GID number available. In our example we'll use the number “53” and the name “named”. [root@deep /]# useradd -c “DNS Server” -u 53 -s /bin/false -r -d /chroot/named named 2>/dev/null || : Step 7 We must tell syslogd (the syslog daemon program) about the new chrooted service: Normally, processes talk to syslogd through “/dev/log”. As a result of the chroot jail, this won't be possible, so syslogd needs to be told to listen to “/chroot/named/dev/log” instead of the default “dev/log”. To do this, edit the syslog startup script file to specify additional places to listen. Edit the syslog script file (vi +24 /etc/rc.d/init.d/syslog) and change the line: daemon syslogd -m 0 To read: daemon syslogd -m 0 -a /chroot/named/dev/log Step 8 The default named script file of ISC BIND/DNS starts the daemon “named” outside the chroot jail. We must change it to start named from the chroot jail. Edit the named script file (vi /etc/rc.d/init.d/named) and change the lines: [ -f /usr/sbin/named ] || exit 0 To read: [ -f /chroot/named/usr/sbin/named ] || exit 0 [ -f /etc/named.conf ] || exit 0 To read: [ -f /chroot/named/etc/named.conf ] || exit 0 daemon named To read: daemon /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed The “-t” option tells “named” to start up using the new chroot environment. The “-u” option specifies the user to run as. The “-g” option specifies the group to run as. Step 9 In BIND 8.2 version, the “ndc” command of ISC BIND/DNS software became a binary file (before, it was a script file), which renders the shipped “ndc” useless in this setting. To fix it, the ISC BIND/DNS package must be compiled again from source. To do this, in the top level of ISC BIND/DNS source directory. For ndc utility: [root@deep /]# cp bind-src.tar.gz /vat/tmp [root@deep /]# cd /var/tmp/ Server Software (BIND/DNS Network Services) 1 CHAPTER 4 Copyright 1999 - 2000 Gerhard Mourani, Open Network Architecture ® and OpenDocs Publishing 251 [root@deep tmp]# tar xzpf bind-src.tar.gz [root@deep tmp]# cd src [root@deep src]# cp port/linux/Makefile.set port/linux/Makefile.set-orig Edit the Makefile.set file (vi port/linux/Makefile.set) to make the changes listed below: 'CC=egcs -D_GNU_SOURCE' 'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro - fomit-frame-pointer -fno-exceptions -g’ 'DESTBIN=/usr/bin' 'DESTSBIN=/chroot/named/usr/sbin' 'DESTEXEC=/chroot/named/usr/sbin' 'DESTMAN=/usr/man' 'DESTHELP=/usr/lib' 'DESTETC=/etc' 'DESTRUN=/chroot/named/var/run' 'DESTLIB=/usr/lib/bind/lib' 'DESTINC=/usr/lib/bind/include' 'LEX=flex -8 -I' 'YACC=yacc -d' 'SYSLIBS=-lfl' 'INSTALL=install' 'MANDIR=man' 'MANROFF=cat' 'CATEXT=$$N' 'PS=ps p' 'AR=ar crus' 'RANLIB=:' The difference between the Makefile we used before and this one is that we modify the “DESTSBIN=”, “DESTEXEC=”, and “DESTRUN=” lines to point to the chrooted directory of BIND/DNS. With this modification, the “ndc” program knows where to find “named”. [root@deep src]# make clean [root@deep src]# make [root@deep src]# cp bin/ndc/ndc /usr/sbin/ [root@deep src]# cp: overwrite `/usr/sbin/ndc’? y [root@deep src]# strip /usr/sbin/ndc We build the binary file, then copy the result of “ndc” program to “/usr/sbin” and overwrite the old one. We don’t forget to strip our new “ndc” binary for better performance. Step 10 It is a good idea to also build new “named”, and “named-xfer” binaries now to ensure the same version is used for both “named” and “ndc”. For named program: [root@deep /]# cd /var/tmp/src [root@deep src]# cp port/linux/Makefile.set-orig port/linux/Makefile.set [root@deep src]# cp: overwrite `port/linux/Makefile.set’? y Edit the Makefile.set file (vi port/linux/Makefile.set) to make the changes listed below: 'CC=egcs -D_GNU_SOURCE' 'CDEBUG=-O9 -funroll-loops -ffast-math -malign-double -mcpu=pentiumpro -march=pentiumpro - fomit-frame-pointer -fno-exceptions -g’ 'DESTBIN=/usr/bin' 'DESTSBIN=/usr/sbin' 'DESTEXEC=/usr/sbin' [...]... redhat. com redhat. com redhat. com redhat. com redhat. com 8112 IN NS ns2 .redhat. com 8112 IN NS ns3 .redhat. com 8112 IN NS speedy .redhat. com 8112 IN A 207.175.42.154 11891 IN SOA ns .redhat. com noc .redhat. com( 2000021402 ;serial (version) 360 0 ;refresh period 1800 ;retry refresh this often 60 4800 ;expiration period 864 00 ;minimum TTL ) For authoritative answers, see: redhat. com 8112 IN NS ns .redhat. com redhat. com... command: [root@deep /]# dnsquery For example: [root@deep /]# dnsquery www .redhat. com ;; ->>HEADER . ;; www .redhat. com, type = ANY, class = IN www .redhat. com. 2h19m46s IN CNAME www.portal .redhat. com. redhat. com. 2h18m13s IN NS ns .redhat. com. redhat. com. 2h18m13s IN NS ns2 .redhat. com. redhat. com IN NS ns2 .redhat. com redhat. com 8112 IN NS ns3 .redhat. com redhat. com 8112 IN NS speedy .redhat. com redhat. com 8112 IN A 207.175.42.154 redhat. com 11891 IN SOA ns .redhat. com noc .redhat. com(. ns3 .redhat. com. redhat. com. 2h18m13s IN NS speedy .redhat. com. ns .redhat. com. 1d2h18m8s IN A 207.175.42.153 ns2 .redhat. com. 1d2h18m8s IN A 208.178. 165 .229 ns3 .redhat. com. 1d2h18m8s IN A 2 06. 132.41.213