Primary Master DNS for a LAN on Debian 6.0 (II)

We continue our series of articles; this one covers the following aspects:

  • Installation
  • Directories and main files

Before continuing, we recommend that you first read the previous article in this series.

Installation

In a console, as the root user, we install bind9:

aptitude install bind9

We must also install the package dnsutils, which contains the tools needed to make DNS queries and diagnose the service:

aptitude install dnsutils

If you want the documentation shipped in the repository:

aptitude install bind9-doc

The documentation is installed in the directory /usr/share/doc/bind9-doc/arm, and the index file (the table of contents) is Bv9ARM.html. To open it, run:

firefox /usr/share/doc/bind9-doc/arm/Bv9ARM.html

When we install bind9 on Debian, the package bind9utils is installed with it; it provides several very useful tools for maintaining a working BIND installation, among them rndc, named-checkconf and named-checkzone. The package dnsutils, in turn, provides a set of BIND client programs, including dig and nslookup. We will use all of these tools in the following articles.

To list all the programs in each package, run as root:

dpkg -L bind9utils
dpkg -L dnsutils

Or open Synaptic, search for the package, and see which files it installs, especially those placed in /usr/bin or /usr/sbin.

If we want to know more about how to use each installed tool or program, we run man followed by the program name, for example:

man rndc

Directories and main files

When Debian is installed, the file /etc/resolv.conf is created. This "resolver configuration file" contains several options; by default these are the domain name and the IP address of the DNS server declared during installation. Since the file's manual page is available in Spanish and is very clear, we recommend reading it with the command man resolv.conf.

After installing bind9 on Squeeze, at least the following directories are created:

  • /etc/bind
  • /var/cache/bind
  • /var/lib/bind

In the directory /etc/bind we find, among others, the following configuration files:

  • named.conf
  • named.conf.options
  • named.conf.default-zones
  • named.conf.local
  • rndc.key

In the directory /var/cache/bind we will create the Local Zone files, which we will deal with later. Out of curiosity, run the following commands in a console as root:

ls -l /etc/bind
ls -l /var/cache/bind

Of course, the second directory will be empty, since we have not yet created a Local Zone.

The BIND configuration is split into several files for convenience and clarity. Each file has a specific function, as we will see below:

named.conf: Main configuration file. It includes the files named.conf.options, named.conf.local and named.conf.default-zones.

named.conf.options: General options of the DNS service. The directive directory "/var/cache/bind" tells bind9 where to look for the files of the Local Zones we create. Here we also declare the "forwarders" (in our approximate Spanish translation, "Adelantadores"), up to a maximum of 3, which are simply external DNS servers that our network can query (through a firewall, of course) and that answer the questions our local DNS is not able to answer itself.

For example, if we are configuring a DNS for the LAN 192.168.10.0/24 and we want one of our forwarders to be a UCI name server, we declare the directive forwarders { 200.55.140.178; }; where that IP address corresponds to the server ns1.uci.cu.

In this way we can ask our local DNS server for the IP address of the host yahoo.es (which is obviously not in our LAN): our DNS asks the UCI server whether it knows the IP address of yahoo.es, and then returns a satisfactory result or not. In the same file, named.conf.options, we will declare other important aspects of the configuration, as we will see later.

named.conf.default-zones: As the name implies, these are the default zones. Here BIND is told the name of the file containing the information on the Root Servers needed to start the DNS cache, namely the file db.root. BIND is also instructed to be authoritative for name resolution of localhost, in both forward and reverse queries, and likewise for the "broadcast" zones.

named.conf.local: File where we declare the local configuration of our DNS server: the name of each Local Zone and the DNS record file that maps the names of the computers connected to our LAN to their IP addresses, and vice versa.

rndc.key: Generated file containing the key used to control BIND. With the BIND server control utility rndc we can reload the DNS configuration, without restarting the service, using the command rndc reload. Very useful when we make changes to the Local Zone files.

On Debian the Local Zone files can also be placed in /var/lib/bind, while on other distributions such as Red Hat and CentOS they are usually located in /var/lib/named or other directories, depending on the degree of security implemented.

We choose the directory /var/cache/bind because it is the one Debian suggests by default in the file named.conf.options. We can use any other directory as long as we tell bind9 where to look for the zone files, or give the absolute path of each one in the file named.conf.local. It is very healthy to use the directories recommended by the distribution we are using.
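To tie the three files together, here is an added example (not code from the original article) that generates the named.conf.options and named.conf.local fragments described above for the LAN 192.168.10.0/24 with the UCI name server as forwarder, and then validates them with named-checkconf from bind9utils when that tool is installed. The zone name lan.example, the record file names and the temporary output directory are assumptions; on a real Debian system the files live in /etc/bind. The allow-recursion and allow-query lines are a defender's addition that the article itself does not discuss: they keep the server from answering recursive queries for anyone outside the LAN, i.e. from becoming an open resolver.

```shell
#!/bin/sh
# Added example: write and validate the BIND configuration fragments discussed
# in the article. Not from the original post; zone name and paths are assumed.

LAN_NET="192.168.10.0/24"
FORWARDER="200.55.140.178"      # ns1.uci.cu, the forwarder from the article
ZONE_NAME="lan.example"         # hypothetical local zone name
ZONE_DIR="/var/cache/bind"      # directory suggested by Debian

# Write named.conf.options into the directory given as $1.
write_named_conf_options() {
    cat > "$1/named.conf.options" <<EOF
options {
    directory "${ZONE_DIR}";

    // External servers that answer what our local DNS cannot.
    forwarders { ${FORWARDER}; };

    // Defender's addition: only localhost and the LAN may recurse through
    // this server, so it does not become an "open resolver".
    allow-recursion { 127.0.0.1; ${LAN_NET}; };
    allow-query     { 127.0.0.1; ${LAN_NET}; };
};
EOF
}

# Write named.conf.local into $1, declaring a forward and a reverse zone
# whose record files will sit in ${ZONE_DIR}.
write_named_conf_local() {
    cat > "$1/named.conf.local" <<EOF
zone "${ZONE_NAME}" {
    type master;
    file "db.${ZONE_NAME}";
};

zone "10.168.192.in-addr.arpa" {
    type master;
    file "db.192.168.10";
};
EOF
}

# Validate the fragments in directory $1. Uses named-checkconf (bind9utils)
# when present; otherwise falls back to a minimal structural check so the
# script still reports something on a machine without BIND installed.
check_config() {
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$1/named.conf.options" && \
        named-checkconf "$1/named.conf.local"
        return $?
    fi
    grep -q "forwarders { ${FORWARDER}; };" "$1/named.conf.options" && \
    grep -q "^zone \"${ZONE_NAME}\"" "$1/named.conf.local"
}

# Stand-alone run: write into a temporary directory and validate.
main() {
    tmp=$(mktemp -d)
    write_named_conf_options "$tmp"
    write_named_conf_local "$tmp"
    if check_config "$tmp"; then
        echo "configuration fragments in $tmp look valid"
    else
        echo "configuration check failed" >&2
        return 1
    fi
}

main
```

After copying the generated fragments into /etc/bind and creating the zone files, the usual sequence is named-checkconf, then rndc reload, and finally a query such as dig @127.0.0.1 yahoo.es to confirm that the forwarder is being consulted.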

It is beyond the scope of this article to discuss the additional security gained by running BIND in a chroot jail, and the same goes for security through SELinux contexts. Those who need to implement such features should turn to manuals or specialized literature. Remember that the documentation from the package bind9-doc is installed in the directory /usr/share/doc/bind9-doc.

Well, gentlemen, that is it for Part 2. Following our Chief's good advice, we do not want to dwell too long on a single article. Finally! We get into the nitty-gritty of BIND setup and testing... in the next chapter.


  1.   Carlos andres said

    congratulations very good article!

    1.    fico said

      Thank you very much ..

  2.   Enrique said

No less important, for security reasons: do not leave a DNS server open (open resolver).

    References:
    1) http://www.google.com/search?hl=en&q=spamhaus+ataque
    2) http://www.hackplayers.com/2013/03/el-ataque-ddos-spamhaus-y-la-amenaza-de-dns-abiertos.html
    I quote:
«... For example, the Open DNS Resolver Project (openresolverproject.org), the effort of a group of security experts to fix this, estimates that there are currently 27 million "Open Recursive Resolvers", and 25 million of them are a significant, latent threat, waiting to unleash their fury again against a new target ...»
    regards

  3.   ever said

    Very good to get people into such an important service today as DNS.
What I would point out, if I may, is your poor translation of "forwarders", which looks like it came out of Google Translate. The correct translation is "Forwarding Servers" or "Forwarders."
    Everything else, great.
    regards

    1.    federico said

A semantics problem. If you forward a request to someone else to obtain a response, you are not advancing a request to another level. I thought the best treatment in Cuban Spanish was "Adelantadores", because I was referring to passing on, or advancing, a question that I (the local DNS) could not answer. Simple. It would have been easier for me to write the article in English. However, I always clarify my translations. Thank you for your timely comment.

  4.   st0rmt4il said

Excellent ;)!

    Regards!

  5.   jecale47 said

    And for OpenSUSE?

    1.    federico said

I think it works for any distro. The location of the zone files varies, I believe. Doesn't it?

  6.   fico said

Thank you all for commenting... and I gladly accept your suggestions... 😉