This document describes the process of installing Bind 9.x on your Linux box as a caching DNS server.
The steps to install it are as follows:
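# Build BIND 9.x from source and install it in place of the distribution's
# packaged bind. Run as root from the directory that holds the tarball.
tar zxvf bind-9.x.tar.gz
# Abort if the unpacked directory is missing; otherwise configure/make would
# run in the wrong place and the rpm removal below would still go ahead.
cd bind-9.x || exit 1
./configure --prefix=/usr \
  --sysconfdir=/etc \
  --enable-threads \
  --localstatedir=/var/state \
  --with-libtool \
  --with-openssl=/usr/ssl
make
# Remove every installed package whose name starts with "bind" so its files
# do not shadow or conflict with the freshly built tree. --nodeps skips the
# dependency check, so anything that depended on those packages stays broken
# until `make install` below puts the new binaries in place.
rpm -q -a | grep '^bind' | while IFS= read -r pkg; do
  rpm -e --nodeps "$pkg"
done
make install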
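# Install the manual pages by hand from the source tree.
# Not needed on 9.2.0 and above, where `make install` already installs them;
# on those versions skip this whole block.
cd doc/man/bin || exit 1
for i in 1 5 8; do
  # Globbing is intentional: every page of section $i goes to its man dir.
  install *."$i" "/usr/man/man$i"
done
# The dnssec tools keep their pages in a sibling directory (doc/man/dnssec).
cd ../dnssec || exit 1
install *.8 /usr/man/man8
# Refresh the shared-library cache for the libtool-built libraries.
ldconfig -v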
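# Create an unprivileged account for named: no login shell, home in the
# zone directory.
groupadd named
useradd -d /var/named -g named -s /bin/false named
# Add named to the 'daemon' group. vigr opens /etc/group in an editor;
# `usermod -a -G daemon named` is the non-interactive equivalent where the
# local usermod supports -a.
vigr
# named.conf below points pid-file at /var/run/named.pid, and named runs as
# user named, so /var/run is made group-writable for 'daemon'.
# NOTE(review): this lets every member of 'daemon' create or overwrite any pid
# file in /var/run; a dedicated /var/run/named owned by named:named, with
# pid-file pointed into it, keeps the rest of /var/run root-only.
chown root:daemon /var/run
chmod 775 /var/run
# Primary zone files live under /var/named/pz; the tree belongs to named.
mkdir -p /var/named/pz
chown -R named:named /var/named
chmod -R 755 /var/named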
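# Write a script that refreshes the root hints file, run it once now, then
# move it to /etc/cron.monthly so cron keeps the hints current.
# The heredoc delimiter is quoted, so nothing inside is expanded here.
cat << "EOF" > update_named
#!/bin/sh
# Refresh /var/named/root.hints from a published copy of the root zone.
cd /var/named || exit 1
# Clear any leftover from an earlier failed run: without this, wget would
# save the new copy as db.root.1 and the stale partial db.root would be
# installed instead.
rm -f /var/named/db.root
# NOTE(review): the hints come over plain HTTP from a third-party mirror with
# no integrity check, so anything on the path can hand out its own list of
# "root" servers. Compare the download against the official named.root
# (https://www.internic.net/domain/named.root) or against the answer to
# `dig . NS` before trusting it.
wget -O /var/named/db.root http://dns.vrx.net/tech/rootzone/db.root
# Only swap the hints in if the download produced a non-empty file; a failed
# or empty fetch leaves the existing root.hints untouched.
if [ -s /var/named/db.root ] ; then
  chown named:named /var/named/db.root
  # Keep the previous hints as .old and restart named so the new file is read.
  /etc/rc.d/named stop
  mv /var/named/root.hints /var/named/root.hints.old
  mv /var/named/db.root /var/named/root.hints
  /etc/rc.d/named start
fi
EOF
chmod 700 update_named
./update_named
mv update_named /etc/cron.monthly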
$TTL 1D
@       1D IN SOA localhost. root.localhost. (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        1D IN NS        localhost.
1       1D IN PTR       localhost.
# The 192.168.1 reverse zone reuses the 127.0.0 zone file through a symlink.
# named.conf refers to them as pz/127.0.0 and pz/192.168.1, so this is meant
# to run inside /var/named/pz — NOTE(review): the cwd is not set explicitly
# here; confirm you are in that directory before creating the link.
ln -s 127.0.0 192.168.1
# Point the local resolver at the new caching server.
echo "nameserver 127.0.0.1" > /etc/resolv.conf
mmencode
(this command is part of the metamail package)
hush
aHVz
(mmencode returns this)
^C
mmencode only base64-encodes what you type, so the secrecy of the rndc key rests entirely on the phrase itself; choose a long, random one rather than a short word (BIND 9 ships rndc-confgen, which generates a suitable key for you).
// this file is used by the rndc utility
options {
        // what host should rndc attempt to control by default
        default-server localhost;
        // and what key should it use to communicate with named
        default-key "rndc-key";
};

server localhost {
        // always use this key with this host
        key "rndc-key";
};

key "rndc-key" {
        // how was the key encoded
        algorithm hmac-md5;
        // what's the password
        secret "aHVz";
};
// secret was generated by running mmencode on command line
// and then entering a secret phrase
// this file is used when named starts up and sees that
// there is a key assigned to the control channel
key "rndc-key" {
        // how was the key encoded
        algorithm hmac-md5;
        // what's the password
        secret "aHVz" ;
};
// This is a configuration file for named (from BIND 9.0 or later).
// It would normally be installed as /etc/named.conf.
//
// Changed to match secure example from LASG 5/17/00
// Changed to match Linux Journal example 9/17/00
// Added new "view" sections to stop fingerprinting of Bind 9.x per
// Bugtraq 1/31/00
// Added rndc key stuff per DNS & Bind (Rev. 4) Chapter 11
// added use-id-pool and more comments based on above chapter

options {
        // Directory where bind should create files if
        // not explicitly stated
        directory "/var/named";

        // whom do we allow to do zone transfers
        allow-transfer { 192.168.1.0/24; };

        // new in Bind 9.x to allow RFC1886 -> RFC2874 conversion
        // to support IPv6
        // allow-v6-synthesis { 192.168.1.10; };
        // OBSOLETED in 9.3.0 + !!

        // tell Bind to check the names in zone files
        // since it no longer does this by default
        // (unimplemented 9.3.0+)
        check-names master warn;

        // sets the size of something or other to 20Mb ;)
        datasize 20M;

        // sets the size of the journal to 5Mb
        max-journal-size 5M;

        // Bind 9.x doesn't recognize this yet :(
        // deallocate-on-exit no;

        // where should Bind put a dump of its cache
        // if told to dump it
        dump-file "named_dump.db";

        // how often should bind check for new
        // interfaces to listen on. we turn
        // this off by setting it to 0
        interface-interval 0;

        // specify what interfaces/ips to listen on
        // as the default is all of them
        listen-on { 192.168.1.10; 127.0.0.1; };

        // define a maximum size of cached records
        // new in Bind 9.x
        max-cache-size 20M;

        // where to write stats of memory usage
        // Bind 9.x doesn't recognize this yet :(
        memstatistics-file "named.memstats";

        // where to put our pid file
        // absolute path since we don't want
        // it in /var/named
        pid-file "/var/run/named.pid";

        // force Bind to use port 53 for its
        // network operation to other DNS
        // servers (Bind 9 uses high ports
        // by default). Makes firewalling easier
        query-source address * port 53;
        transfer-source * port 53;
        notify-source * port 53;

        // where to dump Bind server stats
        statistics-file "named.stats";

        // force Bind to be "more" random in assigning
        // message ids
        use-id-pool yes;

        // If the chaos view below doesn't work
        // for some reason, still give out a bogus
        // answer for Bind version requests
        version "This is not the port you're looking for.";

        // keep stats on a zone basis
        zone-statistics yes;
};

controls {
        // this allows rndc to be used from the localhost
        // to talk to bind on the loopback interface
        // using the key defined as 'rndc-key'
        inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};

// the rest of the key configuration is in
// /etc/rndc.conf and the key itself is in
// /etc/rndc.key
key "rndc-key" {
        // how was key encoded
        algorithm hmac-md5;
        // what is the pass-phrase for the key
        secret "aHVz" ;
};

logging {
        channel named_info {
                // log to syslog instead of a file
                syslog;
                // include the category of the event in the log
                print-category yes;
                // include the severity of the event in the log
                print-severity yes;
                // include the time of the event in the log
                print-time yes;
        };

        // Processing of client requests
        category client { named_info; };
        // named.conf parsing and processing
        category config { named_info; };
        // Messages relating to internal memory structures
        category database { named_info; };
        // This is the default for any category not specifically defined
        category default { named_info; };
        // The catch-all. Anything without a category of its own
        category general { named_info; };
        // Uncomment if you don't want to know about lame servers.
        // Leave commented and it defaults to the
        // value of default above
        // category lame-servers { null; };
        // The NOTIFY protocol
        category notify { named_info; };
        // Network operations
        category network { named_info; };
        // DNS resolution like recursive lookups, etc..
        category resolver { named_info; };
        // Approval and denial of requests
        category security { named_info; };
        // Dynamic updates
        category update { named_info; };
        // Queries. Duh.
        category queries { named_info; };
        // Zone transfers received
        category xfer-in { named_info; };
        // Zone transfers sent
        category xfer-out { named_info; };
};

// this is where we define different versions
// of our zones based on where the client is
// coming from.
// the first view that matches a client is
// the one that gets used, so order can be
// important
view "external-chaos" chaos {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        recursion no;
        zone "." {
                type hint;
                // this causes a null response to queries
                // about the Bind version
                file "/dev/null";
        };
};

view "external" {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        zone "." {
                type hint;
                file "root.hints";
        };
};

view "external-127" {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        zone "0.0.127.in-addr.arpa" {
                type master;
                file "pz/127.0.0";
                allow-update { none; };
        };
};

view "external-192" {
        // you could use 'any' or even 'localnets' here
        // instead of specifying each IP range
        // however, it should be noted that 'localnets'
        // means ANY network Bind is directly connected
        // to which might include your ISP
        match-clients { 192.168.1.0/24; 127/8; };
        zone "1.168.192.in-addr.arpa" {
                type master;
                file "pz/192.168.1";
                allow-update { none; };
        };
};
# Start named as the unprivileged 'named' account (-u drops root privileges
# once the listening sockets are bound).
/usr/sbin/named -u named
Congrats! You now have a fairly secure, caching name server that can be controlled using rndc!
Enjoy your new Bind server!