Secure DNS with bind9 master/slave 
* chrooted
* separate chaos, internal and external views
* TSIG-signed zone transfers (and optional dynamic updates) between master and slave

# Install BIND and stop it before its configuration is moved into the chroot.
apt-get install bind9
/etc/init.d/bind9 stop

# Edit /etc/default/bind9: named drops to the "bind" user (-u) and chroots (-t) into /var/lib/named.
/etc/default/bind9: OPTIONS="-u bind -t /var/lib/named"
# Minimal chroot tree: config, device nodes, working directory, pid directory and log directory.
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
mkdir -p /var/lib/named/var/log
# Timezone data so the chrooted named can use local time.
cp /etc/localtime /var/lib/named/etc
# Move the real config into the chroot and leave a symlink so tools outside it keep working.
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
# Only /dev/null and /dev/random are needed inside the chroot (character devices 1,3 and 1,8).
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
# NOTE(review): this makes the whole config tree writable by the named user. It is needed for the
# slave zone file (slave_linux.lan below), but it also lets a compromised named rewrite named.conf.
# Prefer root-owned, read-only config and give bind write access to the zone-file location only.
chown -R bind:bind /var/lib/named/etc/bind

# Edit /etc/default/syslogd so syslogd also opens a log socket inside the chroot; the
# "default_syslog" logging channel below depends on it.
/etc/default/syslogd: SYSLOGD="-a /var/lib/named/dev/log"

# Generate the TSIG key shared by master and slave (the "masterslave" key below).
# NOTE(review): HMAC-MD5 is deprecated for TSIG; current BIND releases support hmac-sha256
# (e.g. via tsig-keygen) -- confirm what your installed version offers before relying on MD5.
dnssec-keygen -a hmac-md5 -b 512 -n host linux.lan

/etc/bind/named.conf on master AND slave:
// Top-level named.conf: everything lives in the two included files below.
// Paths are resolved inside the chroot, where /etc/bind was moved above.
include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";

/etc/bind/named.conf.options on master AND slave:
// "internal" is the single trusted LAN host plus loopback; adjust 192.168.0.2 to your network.
// "trusted" is an alias so the options and views below can be widened in one place later.
acl "internal" { 192.168.0.2; 127.0.0.1; };
acl "trusted" { internal; };

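acl "bogon" {
// Filter out the bogon networks: address space that should never be the
// source of a legitimate DNS query or update (unspecified, RFC1918,
// link-local, shared address space, documentation, benchmarking, multicast
// and reserved). Traffic from these ranges is dropped by the "blackhole"
// option below.
//
// NOTE(review): the original list was a snapshot of the /8 blocks that were
// still unallocated around 2007. IANA has since assigned all of those /8s
// to the RIRs and they carry live networks today, so blackholing them would
// silently refuse service to legitimate clients and resolvers. Only the
// permanently reserved ranges are kept here; never copy an "unallocated"
// list into a config without a plan to refresh it.
//
// CAUTION: If you are using RFC1918 netblocks on your network, remove those
// netblocks from this list of blackhole ACLs! The 192.168.0.0/16 entry
// already excludes the internal host (a leading "!" negates the match).
0.0.0.0/8;
10.0.0.0/8;
100.64.0.0/10;
169.254.0.0/16;
172.16.0.0/12;
192.0.0.0/24;
192.0.2.0/24;
! 192.168.0.2; 192.168.0.0/16;
198.18.0.0/15;
198.51.100.0/24;
203.0.113.0/24;
224.0.0.0/3;
};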

// Where messages go: most to syslog, the security-relevant categories
// duplicated (or sent only) to an audit file inside the chroot.
logging {
channel default_syslog {
// Send most of the named messages to syslog.
// Facility local2 via the /dev/log socket that syslogd opens in the chroot
// (see the syslogd -a option above); make sure syslog.conf handles local2.
syslog local2;
severity info;
};

channel audit_log {
// Send the security related messages to a separate file.
// The path is inside the chroot (/var/lib/named/var/log/named.log) and must
// be writable by the bind user; five rotations of 20 MB are kept.
file "/var/log/named.log" versions 5 size 20m;
// NOTE(review): "debug" only adds messages once named runs with a debug
// level (-d / rndc trace); at level 0 it should behave like "info" -- confirm.
severity debug;
print-time yes;
};
// "security" (approved/denied requests) goes to both sinks so an ACL denial
// is visible in syslog as well as in the audit file.
category default { default_syslog; };
category general { default_syslog; };
category security { audit_log; default_syslog; };
category config { default_syslog; };
// Resolution, transfers, notifies, client errors, network and dynamic
// updates are audit-only: these are the events to review after an incident.
category resolver { audit_log; };
category xfer-in { audit_log; };
category xfer-out { audit_log; };
category notify { audit_log; };
category client { audit_log; };
category network { audit_log; };
category update { audit_log; };
// Per-query lines are only produced while query logging is switched on
// (rndc querylog); they are verbose, hence syslog rather than the audit file.
category queries { default_syslog; };
category lame-servers { audit_log; };
};

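// TSIG key shared by master and slave. It authenticates zone transfers
// (allow-transfer below), NOTIFYs (allow-notify on the slave zone) and,
// if ever enabled, dynamic updates. Paste the base64 "Key:" value from the
// dnssec-keygen output in place of ---HASHKEY---, identically on both
// servers, and keep this file readable by root and the bind user only.
// hmac-sha256 replaces the deprecated hmac-md5 of the original; the secret
// is an opaque base64 blob, so key material generated above should still
// be accepted -- confirm that your BIND version supports hmac-sha256.
key "masterslave" {
algorithm hmac-sha256;
secret "---HASHKEY---";
};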

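// Sign every message sent to the peer with the shared key. Replace
// IP_OF_OTHER_SIDE with the slave's address on the master and the master's
// address on the slave. (The original wrote the placeholder as
// "IP_OF_OTHER_SIDE(/etc/bind/slave)", which named would not parse.)
server IP_OF_OTHER_SIDE {
keys {
masterslave;
};
};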

options {
// Working directory inside the chroot (/var/lib/named/var/cache/bind); the
// statistics and dump files below also land under the chroot's /var/log,
// which is why those directories were created and chowned above.
directory "/var/cache/bind";
statistics-file "/var/log/named.stats";
memstatistics-file "/var/log/named.memstats";
dump-file "/var/log/named.dump";
zone-statistics yes;

// Prevent DoS attacks by generating bogus zone transfer
// requests. This will result in slower updates to the
// slave servers (e.g. they will await the poll interval
// before checking for updates).
// With NOTIFY off, the slave only learns of changes at the SOA refresh
// interval (8H in master_linux.lan below); the slave's allow-notify
// setting only matters if this is switched back on.
notify no;

// Generate more efficient zone transfers. This will place
// multiple DNS records in a DNS message, instead of one per
// DNS message.
transfer-format many-answers;

// Set the maximum zone transfer time to something more
// reasonable. In this case, we state that any zone transfer
// that takes longer than 60 minutes is unlikely to ever
// complete. WARNING: If you have very large zone files,
// adjust this to fit your requirements.
max-transfer-time-in 60;

// We have no dynamic interfaces, so BIND shouldn't need to
// poll for interface state {UP|DOWN}.
interface-interval 0;

// Only TSIG-signed transfer requests are honoured. This is the default for
// every zone; the chaos "bind" zone overrides it with { none; }.
allow-transfer { key masterslave; };

// rndc reload won't work because of dynamic updates enabled with
// allow-update { key masterslave; };
// (left disabled; if enabled, freeze the zone before hand-editing its file)

// Recursion (and cache reads below) only for trusted clients, so the server
// cannot be used as an open resolver or for reflection.
allow-recursion { trusted; };

allow-query {
// Accept queries from our "trusted" ACL. We will
// allow anyone to query our master zones below.
// This prevents us from becoming a free DNS server
// to the masses.
// Zones meant for the public override this with allow-query { any; }.
trusted;
};
allow-query-cache {
// Accept queries of our cache from our "trusted" ACL.
trusted;
};

blackhole {
// Deny anything from the bogon networks as
// detailed in the "bogon" ACL.
bogon;
};

// If there is a firewall between you and nameservers you want
// to talk to, you might need to uncomment the query-source
// directive below. Previous versions of BIND always asked
// questions using port 53, but BIND 8.1 and later use an unprivileged
// port by default.
// Kept disabled on purpose: a fixed source port would defeat the per-query
// source-port randomization that protects the cache against poisoning.

// disabled for random ports: query-source address * port 53;
// Outgoing transfers and SOA checks use a fixed port, presumably so the
// peer's firewall rule can be narrow -- confirm against your ruleset.
transfer-source * port 53;

// If your ISP provided one or more IP addresses for stable
// nameservers, you probably want to use them as forwarders.
// Replace PROVIDER_DNS1 / PROVIDER_DNS2 with their addresses, or delete the
// block to resolve from the root servers directly. Without "forward only"
// named should fall back to full recursion if the forwarders fail -- confirm.

forwarders {
PROVIDER_DNS1;
PROVIDER_DNS2;
};

auth-nxdomain no; # conform to RFC1035
// IPv4 only; drop this line once the server has an IPv6 address to serve on.
listen-on-v6 { none; };
};

master:

/etc/bind/master_linux.lan
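; Forward zone for linux.lan (master copy). Records without an owner name
; inherit the previous owner, so the TXT/NS/MX lines below must start with
; whitespace to attach to "@" (the page rendering had lost that indent).
$TTL 3D
@ IN SOA ns1.linux.lan. hostmaster.linux.lan. (
        200710131 ; serial, todays date + todays serial # -- bump on every edit or the slave never refreshes
        8H ; refresh, seconds
        2H ; retry, seconds
        4W ; expire, seconds
        1D ) ; minimum, seconds (negative-cache TTL)
;
        TXT "Linux.LAN, serving YOUR domain :)"
        NS ns1 ; Inet Address of name server
        NS ns2
        MX 10 mail ; Primary Mail Exchanger
localhost A 127.0.0.1
ns1 A MASTER_IP
ns2 A SLAVE_IP
mail A MAIL_IP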

/etc/bind/named.conf.local
// Master copy of linux.lan, loaded from the zone file above.
// NOTE(review): this is the view-less variant of named.conf.local. Once the
// "view" statements further down are used, BIND requires every zone to sit
// inside a view, so this zone must then move into the internal-in /
// external-in views rather than stay at top level.
zone "linux.lan" {
type master;
file "/etc/bind/master_linux.lan";
};

slave:

/etc/bind/named.conf.local:
// Slave copy of linux.lan. named writes the transferred zone to
// slave_linux.lan, which is why /etc/bind was chowned to bind above.
// allow-notify: accept a NOTIFY only when it is TSIG-signed with the shared key.
// NOTE(review): the master sets "notify no" in its options, so no NOTIFY is
// ever sent and this slave polls at the SOA refresh interval (8H) instead.
zone "linux.lan" {
type slave;
file "/etc/bind/slave_linux.lan";
masters { MASTER_IP; };
allow-notify { key masterslave; };
};

# Generate the rndc control key and client config. /etc/rndc.conf stays outside the chroot
# because the rndc client runs there; only the key and controls statements (copied below)
# have to be visible to the chrooted named.
# NOTE(review): older rndc-confgen defaults to hmac-md5; if your version supports -A,
# prefer -A hmac-sha256 and copy the resulting key block unchanged.
rndc-confgen > /etc/rndc.conf

copy the key and controls statements from the generated /etc/rndc.conf into /etc/bind/named.conf.options on master AND slave:
// Key rndc uses to authenticate to the control channel. The secret must be
// the one from the generated /etc/rndc.conf (copy it verbatim; placeholder
// shown), and the algorithm must match rndc.conf or rndc will be refused.
key "rndc-key" {
algorithm hmac-md5;
secret "---HASHKEY---";
};

// Control channel: only local rndc clients (127.0.0.1) that hold rndc-key
// may issue commands. This is what the rndc.conf generated above talks to.
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

master:
/etc/bind/named.conf.local
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
// Views are matched in file order; this one only ever sees CHAOS-class
// queries (version.bind / authors.bind), IN queries fall through to the
// views below.
view "external-chaos" chaos {
match-clients { any; };
recursion no;

// Intentionally empty root hint for the CHAOS class.
zone "." {
type hint;
file "/dev/null";
};

// Serves the fake version/author strings from db.bind. Clients outside
// "trusted" are refused, so outsiders learn nothing about the BIND version.
zone "bind" {
type master;
file "/etc/bind/db.bind";

allow-query { trusted; };
allow-transfer { none; };
};
// Redundant with "recursion no" above, but harmless.
allow-recursion { none; };
};

view "internal-in" in {
// Our internal (trusted) view. We permit the internal networks
// to freely access this view. We perform recursion for our
// internal hosts, and retrieve data from the cache for them.
// First IN view in file order, so trusted clients land here before the
// catch-all "external-in" view below. No root hints are included here;
// recursion presumably goes through the forwarders set in options -- verify.

match-clients { internal; };
recursion yes;
// NOTE(review): additional-from-auth / additional-from-cache were dropped
// from newer BIND releases -- check that your version still accepts them.
additional-from-auth yes;
additional-from-cache yes;

// Private reverse zones (file not shown on this page); presumably keeps
// RFC1918 PTR lookups from leaking to the forwarders.
include "/etc/bind/zones.rfc1918";

zone "internal.ournetwork.com" in {
// Our internal A RR zone. There may be several of these.
type master;
file "/etc/bind/db.internal";
};
zone "7.7.7.in-addr.arpa" in {
// Our internal PTR RR zone. Again, there may be several of these.
type master;
file "/etc/bind/db.7.7.7";
};
};

// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
// Catch-all IN view for everyone not matched by "internal-in".

match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;
allow-recursion { none; };

include "/etc/bind/zones.rfc1918";
// zones.local carries the public zones (allow-query any) plus the root
// hints and localhost zones; the latter inherit the global
// allow-query { trusted; }, so outsiders only see ournetwork.net and
// 8.8.8.in-addr.arpa.
include "/etc/bind/zones.local";
};

master and slave /etc/bind/zones.local:
// prime the server with knowledge of the root servers
// Only a recursing view uses hints; the external-in view that includes this
// file has recursion off, so they are loaded but effectively unused there.
zone "." {
type hint;
file "/etc/bind/db.root";
};
// be authoritative for the localhost forward and reverse zones, and for
// broadcast zones as per RFC 1912
// These inherit the global allow-query { trusted; }, so they are not exposed
// to the outside through the external-in view.
zone "localhost" {
type master;
file "/etc/bind/db.local";
};
// Loopback reverse zone, answered locally instead of being sent upstream.
zone "127.in-addr.arpa" {
type master;
file "/etc/bind/db.127";
};
// Reverse zone for the unspecified network (RFC 1912 recommends serving it locally).
zone "0.in-addr.arpa" {
type master;
file "/etc/bind/db.0";
};
// Reverse zone for the broadcast network (RFC 1912 recommends serving it locally).
zone "255.in-addr.arpa" {
type master;
file "/etc/bind/db.255";
};

// Public forward zone: allow-query { any; } overrides the global "trusted"
// so the world can resolve it; transfers still require the masterslave key.
// NOTE(review): this file is also included by the slave's external-in view,
// which re-declares this zone as type slave. BIND refuses a zone name
// declared twice in one view, so keep a single declaration per view there.
zone "ournetwork.net" in {
type master;
file "/etc/bind/db.ournetwork";
allow-query { any; };
};

// Public reverse zone, same exposure rules as ournetwork.net above.
// NOTE(review): also re-declared as a slave zone in the slave's external-in
// view while this file is included there; one declaration per view only.
zone "8.8.8.in-addr.arpa" in {
type master;
file "/etc/bind/db.8.8.8";
allow-query { any; };
};

master and slave /etc/bind/db.bind:
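; Fake CHAOS "bind" zone served by the external-chaos view. It answers
; version.bind / authors.bind with the strings below instead of the real
; BIND version, which makes fingerprinting the server over DNS harder.
; The NS record has no owner and must be indented to attach to "@"
; (the page rendering had lost that indent).
$TTL    1D
$ORIGIN bind.
@ 1D CHAOS SOA localhost. root.localhost. (
        2001013101 ; serial
        3H ; refresh
        1H ; retry
        1W ; expiry
        1D ) ; minimum
        CHAOS NS localhost.


version.bind. CHAOS TXT "BIND 9.1.3+robhacks"
authors.bind. CHAOS TXT "are better coders than I. :)"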

slave:
/etc/bind/named.conf.local
// Create a view for all clients perusing the CHAOS class.
// We allow internal hosts to query our version number.
// This is a good idea from a support point of view.
// Same CHAOS view as on the master: only version.bind / authors.bind style
// queries land here, and only "trusted" clients get an answer.
view "external-chaos" chaos {
match-clients { any; };
recursion no;

// Intentionally empty root hint for the CHAOS class.
zone "." {
type hint;
file "/dev/null";
};

// Fake version/author strings from db.bind; everyone else is refused.
zone "bind" {
type master;
file "/etc/bind/db.bind";

allow-query { trusted; };
allow-transfer { none; };
};
};

// Create a view for external DNS clients.
view "external-in" in {
// Our external (untrusted) view. We permit any client to access
// portions of this view. We do not perform recursion or cache
// access for hosts using this view.
// The slave has no "internal-in" view, so internal hosts that use the
// slave as resolver also end up here and get no recursion.

match-clients { any; };
recursion no;
additional-from-auth no;
additional-from-cache no;

// NOTE(review): zones.local already declares "ournetwork.net" and
// "8.8.8.in-addr.arpa" as type master, and the same names are declared
// again as type slave below. BIND refuses to load a zone name twice in
// one view, so on the slave either strip those two zones from zones.local
// or drop this include and list the root-hint/localhost zones explicitly.
include "/etc/bind/zones.local";
include "/etc/bind/zones.rfc1918";

// Transferred copies are written to these files, hence the bind-owned
// /etc/bind; transfers are signed via the server statement in options.
zone "ournetwork.net" in {
type slave;
file "/etc/bind/db.ournetwork";
allow-query { any; };
masters { MASTER_IP; };
};

zone "8.8.8.in-addr.arpa" in {
type slave;
file "/etc/bind/db.8.8.8";
allow-query { any; };
masters { MASTER_IP; };
};
};


References:
secure-bind-template
Bind9 Administration
bind9 hardening

