This is how I implemented BIND. I could have written a lot of information about BIND and security but I'll keep it simple. (And I'm not going to explain a chroot environment). It works for me ™ - NO guarantees! In this "howto" I'm going to use 192.168.0.0/24 as the local network.
First, create a new OpenSolaris zone (see previous post); the new virtual server is called "dns-zone". If you want to know more about BIND, Google is your friend! I'm not going to explain my settings! (NB: I'm not an HTML guru, as you can see. The DNS zone files below should be "tabbed".)
Log in to dns-zone as root.
# pkg install SUNWbind
# svcs -a | grep dns
disabled 17:54:34 svc:/network/dns/server:default
online 21:09:48 svc:/network/dns/client:default
Create a new group for BIND called "named"
# vi /etc/group
named::53:
Create a new user called named
# vi /etc/passwd
named:x:53:53:BIND:/:
Create a new "home" for named
# mkdir -p /var/named
# mkdir -p /var/named/pz
Edit your private zones (pz) - and don't forget the dots!
# cd /var/named/pz
# vi 127.0.0
$TTL 1D
@ IN SOA localhost. root.localhost. (
1; serial
8H; refresh
2H; retry
4W; expire
1D); Minimum TTL
;
IN NS localhost.
1 IN PTR localhost.
# vi db.0.168.192
$TTL 1D
@ IN SOA dns-zone.YOURDOMAIN.BOGUS. postmaster.YOURDOMAIN.BOGUS. (
200902191 ; serial
8H ; refresh
2H ; retry
4W ; expire
1D ) ; Minimum TTL
;
IN NS dns-zone.YOURDOMAIN.BOGUS.
1 IN PTR gw.YOURDOMAIN.BOGUS.
5 IN PTR pc5.YOURDOMAIN.BOGUS.
4 IN PTR pc4.YOURDOMAIN.BOGUS.
2 IN PTR pc2.YOURDOMAIN.BOGUS.
3 IN PTR pc3.YOURDOMAIN.BOGUS.
6 IN PTR dns-zone.YOURDOMAIN.BOGUS.
7 IN PTR mailz.YOURDOMAIN.BOGUS.
# vi db.YOURDOMAIN.BOGUS
$TTL 1D
@ IN SOA dns-zone.YOURDOMAIN.BOGUS. postmaster.YOURDOMAIN.BOGUS. (
200902191 ; serial
8H ; refresh
2H ; retry
4W ; expire
1D ) ; Minimum TTL
; Nameservers
IN NS dns-zone.YOURDOMAIN.BOGUS.
IN NS YOUR_ISP_DOMAIN1.com.
IN NS YOUR_ISP_DOMAIN2.com.
IN NS YOUR_ISP_DOMAIN3.com.
; Mailservers
IN MX 5 mailz.YOURDOMAIN.BOGUS. ; Mail eXchanger
; Machine names
gw IN A 192.168.0.1
pc5 IN A 192.168.0.5
pc4 IN A 192.168.0.4
pc2 IN A 192.168.0.2
pc3 IN A 192.168.0.3
dns-zone IN A 192.168.0.6
mailz IN A 192.168.0.7
localhost IN A 127.0.0.1
; Aliases
ns1 IN CNAME dns-zone
mail IN CNAME mailz
Get a fresh root server list
# cd /var/named
# dig @e.root-servers.net . ns > root.hints.new
# cp root.hints.new root.hints
Change the owner
# chown -R named:named /var/named
Add dns-zone to your hosts file
# vi /etc/inet/hosts
::1 localhost
127.0.0.1 localhost
192.168.0.6 dns-zone.YOURDOMAIN.BOGUS dns-zone loghost
# chmod u-w /etc/inet/hosts
Edit your resolver
# vi /etc/resolv.conf
domain YOURDOMAIN.BOGUS
nameserver 127.0.0.1
# vi /etc/nsswitch.conf
ipnodes: files dns
# vi /etc/nsswitch.dns
hosts: files dns
Now, it's time for the secrets (the values below are fake, of course)! HMAC-MD5 is what this BIND build accepts for the rndc key; if your dnssec-keygen and rndc support HMAC-SHA256, prefer that.
# dnssec-keygen -a HMAC-MD5 -b 256 -n HOST rndc
Krndc.+123+45678
# cat Krndc.+123+45678.private
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: abcdefghijklmnopqrst
Save the key (the same secret ends up in Krndc.+123+45678.private, rndc.conf and /etc/named.conf, so keep all three readable only by root and named)
# vi rndc.conf
key "rndc-key" {
algorithm "hmac-md5";
secret "abcdefghijklmnopqrst";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
Configure named (the allow-query and allow-recursion lists limited to 192.168.0.0/24 and localhost are what keep this from being an open resolver)
# vi /etc/named.conf
options {
directory "/var/named";
pid-file "/var/named/named.pid";
forward only;
forwarders {
123.45.678.39; // <- Your ISP or opendns.com
123.45.678.40; // <- Your ISP or opendns.com
123.45.678.41; // <- Your ISP or opendns.com
};
allow-query { 192.168.0.0/24; localhost; };
allow-recursion {192.168.0.0/24; localhost; };
};
zone "." {
type hint;
file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
allow-query { 192.168.0.0/24; localhost; };
};
zone "YOURDOMAIN.BOGUS" {
type master;
file "pz/db.YOURDOMAIN.BOGUS";
allow-query { 192.168.0.0/24; localhost; };
};
zone "0.168.192.in-addr.arpa" {
type master;
file "pz/db.0.168.192";
allow-query { 192.168.0.0/24; localhost; };
};
key "rndc-key" {
algorithm "hmac-md5";
secret "abcdefghijklmnopqrst";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
Check your configuration (the first argument to named-checkzone is the zone's origin, so the reverse zones should be checked as 0.168.192.in-addr.arpa and 0.0.127.in-addr.arpa, and named-checkconf /etc/named.conf checks the main file)
# cd /var/named/pz
# named-checkzone YOURDOMAIN.BOGUS db.0.168.192
# named-checkzone YOURDOMAIN.BOGUS db.YOURDOMAIN.BOGUS
# named-checkzone YOURDOMAIN.BOGUS 127.0.0
Edit the "manifest"
# cp /var/svc/manifest/network/dns/server.xml /var/svc/manifest/network/dns/server.xml.ORI
# chmod u+w /var/svc/manifest/network/dns/server.xml
# vi /var/svc/manifest/network/dns/server.xml
group='root' <- replace this
group='named' <- with this
# chmod u-w /var/svc/manifest/network/dns/server.xml
# svccfg import /var/svc/manifest/network/dns/server.xml
Now, launch your new DNS server!
# svcadm enable dns/server
Restart everything
# svcadm restart dns/server
# svcadm restart dns/client
Test your setup
# netstat -r
# rndc status
Try a lookup, e.g. on the Swedish University Computer Network (SUNET)
# nslookup www.sunet.se
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: www.sunet.se
Address: 130.239.8.25
Enjoy!