24. DNS: Acquiring and configuring a CHROOTed and SPLIT master/slave DNS servers

The Linux daemon called "named" is the DNS or "Domain Name Server" service that converts the name "www.yahoo.com" to the IP address 204.71.177.71 (one of Yahoo's MANY TCP/IP addresses). Though there are other DNS server alternatives to BIND, it is the most common and best maintained version available. As you might have already figured out, this is a CRITICAL service for the Internet.

TrinityOS documents how to setup multiple Internet domains for full TCP/IP address subnets using both Bind9 and Bind8. It also also covers advanced redundancy and security topics such as remote secondary (backup) DNS servers and both "CHROOTed Jails" and "Split Zone" files. For the time being, TrinityOS does NOT currently cover Dynamic DNS or DNSSEC. These topics will be covered in future revisions.

What are some of these advanced topics?

• The CHROOTed feature means that the named daemon which runs as "root" will run in its own isolated area. This behavior is very similar to the access that an anonymous FTP user logs in and can only see a subset of the entire remote file system. The reason to implement this is that if some new named security exploit comes out and a hostile user (cracker) finds your machine, they will be extreamly limited to what they -can- and -can not- do. This is a GOOD thing in the name of Security. CHROOTing daemons like named isn't perfect but it does help security.

• The "Split Zone" feature means that there will be (2) named processes running on your machine. One daemon will run and answer DNS queries for the external interface while the other daemon will answer on the internal interface for the private network. This setup helps protect your internal network IP addresses and names from being exposed to people out on the Internet.

To setup your own domain, the first thing you need to do is register with the a Domain Registar at http://www.internic.net. Next, you need to find another Internet domain that will be a SECONDARY DNS for your Internet domain named. This is for the situations when your server or Internet connection goes down and you don't want to bounce email, etc (see the Sendmail section for more details about backup email services).

* If you would like to read on HOW to get your own domain name and understand some of the new legal issues with Internet domain names, please see the How to acquire a Domain Name sub-section towards the end of this section.

24.1 Thoughts on protecting your Internet Domain Name

• NOTE: Due to the fact that DNS can make or break the Internet, you should be very sure that any updates, changes, etc. submitted to the Internic for your domain is done in a secure fashion. I personally recommend that you do all of your Internic updates via PGP instead of the default "Mail-From" method. Why? The main reason is that email is very easy to forge. Because of this, it would be easy for someone to screw up your domain name, take ownership of it, etc.

  PGP and GPG for Linux will be covered in a future chapter but until then, I recommend to either use the Windows PGP client or at least use the Internic's "crypt-pw" option.

24.2 BIND version 9 vs 8 vs 4 and Figuring out what version you have:

This document is intended for BIND versons 9.1.x (and newer) as well as 8.9.x. If you are still running Bind4 or even Bind8, you really need to upgrade because you are either vunerable to ROOT hacks and/or these versions are old and either soon to be or already deemed -=* DEAD *=-.

Just for a little history:

• Bind 4.x was the defacto DNS server that helped start the Internet boom. It used the "named.boot" file and lived a long life. ISC then later overhauled BIND with version 8 which added lots of things including Dynamic DNS, updated the zone file formats, and added a LOT of other features. With this new version, ISC changed the master configuration file to be "named.conf". With Bind 9, ISC has yet again done another major overhaul. This new version of Bind has added DNSSEC (signed DNS zones tranfered over encrypted SSL connections) as well as added direct database support (for MASSIVE zone files) vs. using the classic flat files as described here. Beyond that, the zone files stayed mostly the same between v8 and v9 except for minor formatting chanes and the multitude of new optional features.

If you are unsure what version you have installed, you can find out the version from one of two ways.

• #1: If you have a LOCAL account on the DNS server, log into it and run one of the following commands:
  • "strings /usr/sbin/named | grep named"
  • "strings /usr/sbin/named | grep 8.9."
  • "strings /usr/sbin/named | grep 9.0."
  • "strings /usr/sbin/named | grep 9.1."

  From the output, look through the results until you find the version number.

• #2: If the DNS server is remote or you don't have an account to log into it, do the following on a local machine that has the nslookup program:
  • Run nslookup from the command prompt
  • At the > prompt, type in server xyz (return) where xyz is the IP or name of the remote DNS server.
  • Now type in set q=txt (return) and then set class=chaos (return).
  • Finally, type in version.bind (return).

    That should tell you the version.

  • Hit Control-D to exit out of nslookup.

24.3 Security Warnings about previous versions of BIND

There are several MAJOR security exploits out there for older versions of Named. Make sure you are running at LEAST version 8.2.3 or newer. If you aren't, you will be vulnerable to hostile users getting ROOT access on your box!

** To say up on the newest Bind releases, I recommend that ALL users add themselves to the BIND-announce email list given in Section 5.

This list is ONLY for announcements and is very low on email traffic.

24.4 Downloading and compiling BIND

• First, download ISC's "named" server code from the URL in Section 5 and put it into a directory such as /usr/src/archive/bind/
• Next, go into that new directory and uncompress the archive

• Bind 9.1.x specific instructions:

  • ---

            cd /usr/src/archive/bind/
            #Bind 9 created its own subdirectory so there is no need to create one
            tar xzvf bind-9.1.0.tar.gz
          
    

    ---

• Bind 8.9.x specific instructions:

  • ---

            #Bind 8 does NOT create its own subdirectory so I recommend to create one first
            mkdir /usr/src/archive/bind/8.2.3
            mv /usr/src/archive/bind* /usr/src/archive/bind/8.2.3
            cd /usr/src/archive/bind/8.2.3
            tar xzvf bind-src.tar.gz
            tar xzvf bind-doc.tar.gz
          
    

    ---

• Bind 9.1.x specific compiling:
  • Go into that new directory and run the configure script

    ---

          cd /usr/src/archive/bind/bind-9.1.0
          
          # For Bind 9.1.0
          # ----------------
          # The various compiling configurations are now configured via Automake
          #
          # Not only that but ISC has again changed their paths and such.  So,
          # the following setup will place files into their more "classic" 
          # directories
          #
          # Please note the "--disabled-threads" option.
          #
          #   This tag will allow CHROOT DNS to work under Linux 2.2.x kernels.
          #   The reason for this is that there is a bug in ALL 2.2.x kernels
          #   that basically makes CHROOTing things broken BUT it was fixed
          #   in the 2.4.x kernels.  If you are running a 2.4.x kernel, you do
          #   NOT need this option.  See the end of the "named" MAN page
          #   for more details about this.
          #
          # Please note that the "--exec-prefix" stuff on the ./configure line 
          # will put BIND into the /usr/sbin directory (the default is /usr/local 
          # (bin, sbin, etc.)) which is the stock place for Mandrake.  You can 
          # put these binaries as well as documentation anywhere you wish.  If 
          # you would like to put it in the proper place for your distribution, 
          # run the command:
          #
          #         whereis named
          # 
          # to find out where they put the binaries and such and then substitute 
          # this new path for the Automake one above.  REMEMBER this path for 
          # later in this section!
          #
          #----------------------------------------------------------------------
    
          #2.2.x kernels
          #
          ./configure --prefix= --exec-prefix=/usr --datadir=/usr/share \
          --includedir=/usr/include --infodir=/usr/share/info \
          --mandir=/usr/share/man --disable-threads
    
          #2.4.x kernels
          #
          ./configure --prefix= --exec-prefix=/usr --datadir=/usr/share \
          --includedir=/usr/include --infodir=/usr/share/info \
          --mandir=/usr/share/man
    
          #All kernels
          #
          make
        
    

    ---

  • From here, the machine should compile things up without any issues. Compile times will definately vary depending on the speed and available resources on your machine.

• Bind 8.9.x Specific: Go into that new directory and run the configure script

  • ---

          cd /usr/src/archive/bind/8.2.3/src
          
          # For Bind 8.2.3
          # ----------------
          # The various compiling configurations are now configured in the 
              # port/linux/Makefile.set file.
          #
          # Interestingly enough,ISC has now made /usr/sbin/ the default directory
          # so you shouldn't have to do anything special beyond that
          #
          # ----------------------------------------------------------------------
          make all
    
        
    

    ---

  • From here, the machine should compile things up without any issues. Compile times will definately vary depending on the speed and available resources on your machine.

• Final installation steps for ALL versions of Bind:
  • Once the compiling is finished, install your new version of Bind by running:

    ---

          make install
        
    

    ---

  • For Bind9 users: ISC no longer includes the installation of the documentation within the Makefile so lets move that over manually:

    ---

            cd /usr/src/archive/bind/bind-9.1.0/doc/man/bin#
            cp *.1 /usr/share/man/man1/
            cp *.5 /usr/share/man/man5/
            cp *.8 /usr/share/man/man8/
        
    

    ---

24.5 Creating the CHROOTed environments

Now, follow the procedures to create the required chrooted user login, group, and various files and do any required substitutions where required.

• First, create the "chroot-dns-ext" user group for the CHROOTed EXTERNAL interface:

                        groupadd -g 120 chroot-dns-ext

• Next, create the "chroot-dns-int" group for the CHROOTed INTERNAL interface:

                        groupadd -g 121 chroot-dns-int  

• Now create the "chroot-dns-ext" and "chroot-dns-int" user for the CHROOTed EXTERNAL and INTERNAL interfaces:

                        useradd -u 120 -g 120 chroot-dns-ext
                        useradd -u 121 -g 121 chroot-dns-int

• The next steps is to create the actual various chroot'ed directories, fix their permissions, etc:

                        #  Since this is a CHROOTed environment, you need to make this little
                        #  world look like the real one.  This means you need the required
                        #  system directorys as well.

                        cd /home/chroot-dns-ext

                        mkdir -p etc lib dev usr/sbin var/named var/run
                        chmod -R 750 /home/chroot-dns-ext
                        mknod -m 666 dev/null c 1 3

                        cd /home/chroot-dns-int

                        mkdir -p etc lib dev usr/sbin var/named var/run
                        chmod -R 750 /home/chroot-dns-int
                        mknod -m 666 dev/null c 1 3

• Now, we need to copy over the required libraries and executable files.
  • NOTE: Whenever you patch your machine and some of the patches include updated GLIBC files, you will need to REPEAT this section to put a copy of the updated libraries into the CHROOT directories.

                        cp /lib/libc.so.6 /home/chroot-dns-ext/lib
                        cp /lib/libc.so.6 /home/chroot-dns-int/lib
                        cp /lib/ld-linux.so.2 /home/chroot-dns-ext/lib
                        cp /lib/ld-linux.so.2 /home/chroot-dns-int/lib

**NOTE: I first copy and then later MOVE the executables into the CHROOT'ed directory. This gives you a little more slack in case you make a mistake as well as finally removes the originals.

                        cp /usr/sbin/named* /home/chroot-dns-ext/usr/sbin
                        chmod 750 /home/chroot-dns-ext/usr/sbin/named*
                        mv /usr/sbin/named* /home/chroot-dns-int/usr/sbin
                        chmod 750 /home/chroot-dns-int/usr/sbin/named*

24.6 Creating the internal named.conf configuration file

• Ok, time to create the actual DNS Zone files. These are the full authoritative configs for both Bind 9.x as well as Bind v8.9.x:

NOTE: You'll notice that some lines will SEEM to have extra "."s (periods) at the end of domain names, etc. LEAVE THEM THERE!! They are supposed to be there and are CRITICAL to bind's internal file format!

/home/chroot-dns-int/etc/named.conf

// /home/chroot-dns-int/etc/named.conf for TrinityOS - v1.1.0
// Config file for a full authoritative --INTERNAL-- DNS server

options {
        //Remember, this is already CHROOTed.  /var/named IS correct
        directory "/var/named";

        listen-on port 53 { 
        //You dont want the external interface to listen on this zone
        192.168.0.1; 127.0.0.1; 
        };

        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out:
        // query-source address * port 53;
};

zone "." {
        type hint;
        file "root.hints.db";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        notify no;
        file "127.0.0.db";
};

zone "acme123.com" {
        type master;
        notify no;
        file "192.168.0.db";
        allow-transfer { none; };
        allow-query { 127/8; 192.168.0/24; };
};

zone "0.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "192.168.0-in.addr.db";
        allow-transfer {none; };
        allow-query {127/8; 192.168.0/24; };
};

24.7 Creating the internal zone files

• Next, you need to create the root.hints.db file like the one shown below. But, like anything else, the Internet's root servers are always changing. So, I recommend you create your OWN copy by running the following command and not using the below example .db file:

                dig @ns.internic.net . ns > /home/chroot-dns-int/var/named/root.hints.db

/home/chroot-dns-int/var/named/root.hints.db

; <<>> DiG 8.1 <<>> @ns.internic.net . ns 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       5d10h28m15s IN NS  M.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  L.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  K.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  J.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  B.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  F.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  G.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  C.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  H.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  A.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  D.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  E.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17

;; Total query time: 15115 msec
;; FROM: ns.acme123.com to SERVER: ns.internic.net  198.41.0.6
;; WHEN: Fri Oct  1 03:02:15 1999
;; MSG SIZE  sent: 17  rcvd: 436

The following file is the REVERSE zone records for "localhost"

/home/chroot-dns-int/var/named/127.0.0.db

;
; /home/chroot-dns-int/var/named/127.0.0.db ZONE file for TrinityOS - 03/05/01
;
$TTL    86400
@               IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                            2000100800      ; serial, todays date + todays serial #
                                1       ; Serial
                                8H      ; Refresh
                                2H      ; Retry
                                1W      ; Expire
                                1D)     ; Minimum TTL

                          NS      ns.acme123.com.

1                  86400  PTR     localhost.acme123.com.

The following file is the FORWARD zone records for the internal ACME123.com network

/home/chroot-dns-int/var/named/acme123-int.com.db

;
; /home/chroot-dns-int/var/named/acme123-int.com ZONE file for TrinityOS - 03/05/01
;
$TTL    86400   
@       IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                                2000100800      ; serial, todays date + todays serial #
                                8H              ; refresh, seconds
                                2H              ; retry, seconds
                                1W              ; expire, seconds
                                1D )            ; minimum, seconds
        
                                NS      ns.acme123.com.                   ; Inet Address of name server
                                NS      102.200.0.25.                     ; Inet address of backup server
                                MX      10      mail.trinnet.net. ; secondary NS server
        
roadrunner-int      86400       A       192.168.0.1
                                HINFO   "a486/160/40M" "Linux 2.0"

mail                    CNAME   roadrunner-int
        
coyote              86400       A       192.168.0.2
                        HINFO   "iPentium-II/260/64M"  "Win95"
        
spare               86400       A       192.168.0.9
                        HINFO   "Unknown" "Unknown"

spare2              86400       A       192.168.0.10
                        HINFO   "Unknown" "Unknown"

The following file is the REVERSE zone records for the internal ACME123.com network

/home/chroot-dns-int/var/named/192.168.0-in.addr.db

;
; /home/chroot-dns-int/var/named/192.168.0-in.addr ZONE file for TrinityOS - 03/05/01
;
$TTL    86400
@               IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                            2000100800      ; serial, todays date + todays serial #
                                1       ; Serial
                                8H      ; Refresh
                                2H      ; Retry
                                1W      ; Expire
                                1D)     ; Minimum TTL

                          NS      ns.acme123.com.
        
1                       86400   PTR     roadrunner-int.acme123.com.
2                       86400   PTR     coyote.acme123.com.

9                       86400   PTR     spare.acme123.com.
10                      86400   PTR    spare2.acme123.com.

24.8 Creating the external named.conf configuration file

• Now, here is the configuration file for the EXTERNAL DNS server:

/home/chroot-dns-ext/etc/named.conf

// /home/chroot-dns-ext/etc/named.conf for TrinityOS - 03/05/01
// Config file for a full authoritative --EXTERNAL-- DNS server

options {
        //Remember, this is already CHROOTed.  /var/named IS correct
        directory "/var/named";

        //Do NOT have the server listening on localhost or the internal interface
        listen-on port 53 { 
        100.200.0.212; 
        };

        // Clean the cache every 6 hours (default is 1).
        cleaning-interval 360;

        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out:
        // query-source address * port 53;
};

zone "." {
        type hint;
        file "root.hints.db";
};

zone "acme123.com" {
        type master;
        notify yes;
        file "acme123.com.db";
        allow-transfer {
           102.200.0.25/32;
        };
};

zone "212.0.200.100.in-addr.arpa" {
        type master;
        notify yes;
        file "212.0.200.100.db";
    allow-transfer {
      102.200.0.25/32;
        };
};

24.9 Creating the external zone files

• Next, you need to create another root.hints.db file like the one shown below. But, like any thing else, the Internet's root servers are always changing. So, I recommend you create your OWN copy by running the following command and not using the below example .db file:

                dig @ns.internic.net . ns > /home/chroot-dns-ext/var/named/root.hints.db

/home/chroot-dns-ext/var/named/root.hints.db

; <<>> DiG 8.1 <<>> @ns.internic.net . ns 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       5d10h28m15s IN NS  M.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  L.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  K.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  J.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  B.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  F.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  G.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  C.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  H.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  A.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  D.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  E.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17

;; Total query time: 15115 msec
;; FROM: ns.acme123.com to SERVER: ns.internic.net  198.41.0.6
;; WHEN: Fri Oct  1 03:02:15 1999
;; MSG SIZE  sent: 17  rcvd: 436

The following file is the FORWARD zone records for the external ACME123.com network

/home/chroot-dns-ext/var/named/acme123.com.db

;
; /home/chroot-dns-ext/var/named/acme123.com ZONE file for TrinityOS - 03/05/01
;
$TTL    86400   
@       IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                                2000100800      ; serial, todays date + todays serial #
                                8H              ; refresh, seconds
                                2H              ; retry, seconds
                                1W              ; expire, seconds
                                1D )            ; minimum, seconds
        
                        NS      ns.acme123.com.         ; Inet Address of name server
                        NS      102.200.0.25.           ; Inet address of backup server
        
                        MX      10 mail.acme123.com.    ; Primary Mail Exchanger
        
ns              86400   A       100.200.0.212
                                HINFO   "a486/160/40M" "Linux 2.0"
        
mail            86400   CNAME   ns
        
ftp             86400   CNAME   ns
        
roadrunner      86400   CNAME   ns

The following file is the REVERSE zone records for the external ACME123.com network

/home/chroot-dns-ext/var/named/212.0.200.100.db

;
; /home/chroot-dns-ext/var/named/212.0.200.100-in.addr ZONE file for TrinityOS - 03/05/01
;
$TTL    86400
@       IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                    2000100800      ; serial, todays date + todays serial #
                        8H      ; Refresh
                        2H      ; Retry
                        1W      ; Expire
                        1D)     ; Minimum TTL

                    NS      ns.acme123.com.
                    NS      102.200.0.25.

212.0.200.100.in-addr.arpa. IN PTR     ns.acme123.com.

24.10 Fixing final CHROOTed permissions and ownerships

• Ok, lets finally fix the file owner and group permissions for the respective Zone files:

        chown -R chroot-dns-int.chroot-dns-int /home/chroot-dns-int

        chown -R chroot-dns-ext.chroot-dns-ext /home/chroot-dns-ext

24.11 Tuning how NAMED loads for a SPLIT zone file configuration

Ok, time for the glue. You need to change the way that DNS loads the server up to recognize the new layout and to load multiple servers:

Redhat users:

• Edit /etc/rc.d/init.d/named and change the lines:

                        [ -f /usr/sbin/named ] || exit 0
                        .
                        .
                        .
                        [ -f /etc/named.conf ] || exit 0

to:

                        [ -f /home/chroot-dns-int/usr/sbin/named ] || exit 0
                        [ -f /home/chroot-dns-ext/usr/sbin/named ] || exit 0

                        [ -f /home/chroot-dns-int/etc/named.conf ] || exit 0
                        [ -f /home/chroot-dns-ext/etc/named.conf ] || exit 0

• You now need to setup the following lines to do the actually loading of the two individual DNS servers. It is recommented that you get this file from the TrinityOS-security script to save you time and possible typos.

#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true


# ----------------------------------------------------------------------------
# # TrinityOS-named
# v03/05/01
#
# Part of the copyrighted and trademarked TrinityOS document.
# <url url="http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch@trinnet.net
#
# Updates
# -------
#
# 03/05/01 - Updated the file to support the loading of Bind9
# 01/28/01 - Added a few CR-LFs to clean up the output between starting
#            the internal and external zones
# 10/07/00 - Added the start-int, start-ext, stop-int, and stop-ext functions
#
# ----------------------------------------------------------------------------


# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -f /home/chroot-dns-int/usr/sbin/named ] || exit 0
[ -f /home/chroot-dns-ext/usr/sbin/named ] || exit 0

[ -f /home/chroot-dns-int/etc/named.conf ] || exit 0
[ -f /home/chroot-dns-ext/etc/named.conf ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in

       start)
            # Start daemons.
            echo -n "Starting named-int: "

            #Bind9 - Use this setup if you are using Bind9
            #
            daemon /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -t /home/chroot-dns-int

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            #daemon /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int

            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-int       

            sleep 5

            echo -e "\r"
            echo -n "Starting named-ext: "

            #For some reason, this server won't load with the "daemon" line in 
            # front - if you have a solution for this, please let me know
 
            #Bind9 - Use this setup if you are using Bind9
            #
            /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -t /home/chroot-dns-ext

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            #/home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext

            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-ext
            echo -e "\r"
         ;;

        start-int)
            # Start daemons.
            echo -n "Starting named-int: "

            #For some reason, this server won't load with the "daemon" line in 
            # front - if you have a solution for this, please let me know

            #Bind9 - Use this setup if you are using Bind9
            #
            /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -t /home/chroot-dns-int

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            #/home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int

            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-int
            echo -e "\r"
        ;;

        start-ext)
            echo -n "Starting named-ext: "

            #For some reason, this server won't load with the "daemon" line in 
            # front - if you have a solution for this, please let me know

            #Bind9 - Use this setup if you are using Bind9
            #
            /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -t /home/chroot-dns-ext

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext

            RETVAL=$?
            $RETVAL -eq 0 ] && touch /var/lock/subsys/named-ext
            echo -e "\r"
        ;;

        stop)
          # Stop daemons.       
                   echo -n "Shutting down named: "
           killproc named
           RETVAL=$?
           [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-int && rm -f /var/lock/subsys/named-ext
           echo -e "\r"
        ;;

        stop-int)
            # Stop INT daemons.
            echo -n "Shutting down named-int: "
            kill `ps ax | grep chroot-dns-int/usr/sbin/named | grep -v -e grep | awk '{print $1}'`
            RETVAL=$?
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-int
            echo -e "\r"
        ;;

        stop-ext)
            # Stop EXT daemons.
            echo -n "Shutting down named-ext: "
            kill `ps ax | grep chroot-dns-ext/usr/sbin/named | grep -v -e grep | awk '{print $1}'`
            RETVAL=$?
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-ext
            echo -e "\r"
        ;;

        status)
          /usr/sbin/ndc status
          exit $?
        ;;


        restart)
           $0 stop
           $0 start
        ;;


        reload)
           /usr/sbin/ndc reload
           exit $?
        ;; 


        probe)
           # named knows how to reload intelligently; we don't want linuxconf
           # to offer to restart every time
           /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
           exit 0
        ;;

 
        *)
          echo "Usage: named {start|start-int|start-ext|stop|stop-int|stop-ext|status|restart}"
        exit 1
esac
exit $RETVAL

24.12 Enabling Bind to load upon boot

• Now, do the following for your respective Linux Distribution:
  • Slackware Specific:
    • Un #'d out the lines in the "/etc/rc.d/rc.inet2" file for "named"

  • Redhat Specific:
    • Make sure that both the files "/etc/rc.d/init.d/named" and "/etc/rc.d/rc3.d/S55named" exists

24.13 Fixing SYSLOGing to understand the new CHROOTed setup

• Next, we need now modify how SYSLOG loads up so it understands how to deal with the new DNS servers:

  Edit /etc/rc.d/init.d/syslog file and change the loading of SYSLOG to the following:

                        daemon syslogd -a /home/chroot-dns-int/dev/log -a /home/chroot-dns-ext/dev/log -m 0

Now, configure your machine to use the local DNS server by editing /etc/resolv.conf

        search acme123.com 
        nameserver 127.0.0.1

        #Backup - your ISP's DNS servers
        #nameserver 10.200.200.69
        #nameserver 10.200.200.96

Next, make sure that your machine is prepped to use DNS:

Slackware: /etc/host.conf

                order hosts, bind
                multi on

Redhat: /etc/nsswitch.conf

Change the "hosts" line to read:

                                "hosts:      files dns"

Also, I would recommend to DELETE all instances of NIS from each line of this file UNLESS you *ARE* using NIS!

24.14 Starting up and testing BIND

Ok, getting close! Now, make sure that BIND is enabled to load upon boot.

• To do this, UN-DO all edits done to disable DNS from Section 8 Note: the NTSYSV method won't work for all of this.

• Now, test that all the named files are correct by running "named" in a forground test:

  ---

  /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int -f
  

  ---

  The INTERNAL server output should look something like:

  ---

  Apr 10 01:48:42 project named[27951]: starting.  named 8.2.2-P5 Tue Dec 14 20:30:23 CET 1999 ^Iroot@jedi.mandrakesoft.com:/usr/src/RPM/BUILD/bind-8.2.2P5/src/bin/named
  Apr 10 01:48:42 project named[27951]: hint zone "" (IN) loaded (serial 0)
  Apr 10 01:48:42 project named[27951]: Zone "192.168.0" (file 192.168.0.db): No default TTL set using SOA minimum instead
  Apr 10 01:48:42 project named[27951]: master zone "192.168.0" (IN) loaded (serial 2000033100)
  Apr 10 01:48:42 project named[27951]: Zone "0.168.192.in-addr.arpa" (file 192.168.0-in.addr.db): No default TTL set using SOA minimum instead
  Apr 10 01:48:42 project named[27951]: master zone "0.168.192.in-addr.arpa" (IN) loaded (serial 1999111300)
  Apr 10 01:48:42 project named[27951]: listening on [127.0.0.1].53 (lo)
  Apr 10 01:48:42 project named[27951]: Forwarding source address is [0.0.0.0].1033
  Apr 10 01:48:42 project named[27951]: chrooted to /home/chroot-dns-int
  Apr 10 01:48:42 project named[27951]: group = chroot-dns-int
  Apr 10 01:48:42 project named[27951]: user = chroot-dns-int
  Apr 10 01:48:42 project named[27951]: Ready to answer queries.
  Apr 10 01:48:42 project named[27951]: Zone "192.168.0" (file 192.168.0.db): No default TTL set using SOA minimum instead
  Apr 10 01:48:42 project named[27951]: Zone "0.168.192.in-addr.arpa" (file 192.168.0-in.addr.db): No default TTL set using SOA minimum instead         --
  

  ---

  Hit Control-C when you are sure that Named is running ok. Now try running the external server:

  ---

  /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext
  

  ---

  The EXTNERAL server output should look something like:

  ---

  Apr 10 01:52:10 project named[27960]: starting.  named 8.2.2-P5 Tue Dec 14 20:30:23 CET 1999 ^Iroot@jedi.mandrakesoft.com:/usr/src/RPM/BUILD/bind-8.2.2P5/src/bin/named
  Apr 10 01:52:10 project named[27960]: hint zone "" (IN) loaded (serial 0)
  Apr 10 01:52:10 project named[27960]: Zone "acme123.com" (file acme123.com.db): No default TTL set using SOA minimum instead
  Apr 10 01:52:10 project named[27960]: master zone "acme123.com" (IN) loaded (serial 2000033100)
  Apr 10 01:52:10 project named[27960]: Zone "212.0.200.100.in-addr.arpa" (file 100.200.0.212.db): No default TTL set using SOA minimum instead
  Apr 10 01:52:10 project named[27960]: master zone "212.0.200.100.db.in-addr.arpa" (IN) loaded (serial 2000033100)
  Apr 10 01:52:10 project named[27960]: listening on [100.200.0.212].53 (eth0)
  Apr 10 01:52:10 project named[27960]: Forwarding source address is [0.0.0.0].1033
  Apr 10 01:52:10 project named[27961]: chrooted to /home/chroot-dns-ext
  Apr 10 01:52:10 project named[27961]: group = chroot-dns-ext
  Apr 10 01:52:10 project named[27961]: user = chroot-dns-ext
  Apr 10 01:52:10 project named[27961]: Ready to answer queries.
  Apr 10 01:52:15 project named[27961]: Sent NOTIFY for "acme123.com IN SOA" (trinityos.com); 1 NS, 1 A
  Apr 10 01:52:21 project named[27961]: Received NOTIFY answer from 216.111.111.216 for "trinityos.com IN SOA"
  Apr 10 01:52:37 project named[27961]: Sent NOTIFY for "212.0.200.100.in-addr.arpa IN SOA" (212.0.200.100.in-addr.arpa); 4 NS, 4 A
  Apr 10 01:52:38 project named[27961]: Received NOTIFY answer from 102.200.0.25 for "212.0.200.100.in-addr.arpa IN SOA"
  

  ---

  Hit Control-C when you are sure that Named is running ok. Please also note that if the TIME and DATE of your log files is off, you need to set the TZ environment variable as described in Section 7.

24.15 Changes for Bind9

As I mentioned before, TrinityOS currently doesn't currently cover Dynamic DNS, DNSSEC, etc. Some of these features are very cool and they WILL be covered some time in the future.

Anyway, for now, I wanted to mention that the "nslookup" that we are all familiar with are going away in favor of the "dig" and "host" commands instead. I recommend that you start getting used to "host" and "dig" and if you need to continue to use "nslookup", you should consider the following alias to avoid the annoying nslookup warnings:

/etc/bashrc

 alias nslookup='nslookup -silent'

24.16 Supporting more than one Internet Domain name

Having your Linux box do DNS for more that just ONE domain is VERY simple. If you want to do this, all you have to do is:

1. Create and edit both another FORWARD zone file (acme123.com) for your new domain.

   e.g. use the old acme123.com files from above as a template for your new /home/chroot-dns-ext/var/named/newdomain.com.db file

2. Edit the /home/chroot-dns-ext/etc/named.conf file to:
   1. Allow secondary DNS access to your new 2nd domain's secondary DNS server (if a different secondary than your primary domain secondary server).

   2. Add the loading of the new /var/named/newdomain.com.db zone file just like you did for the acme123.com zone file.

   3. Restart Bind

24.17 Setting up Secondary (BACKUP) DNS servers

If you want to configure someone else's DNS server to be a secondary for you *OR* you want configure your DNS server to be a secondary for someone else's domain(s), do the following:

Setting up NAMED to allow a remote server to be a Secondary for your domain(s):

• Next, edit /home/chroot-dns-ext/etc/named.conf file and make sure the "allow-transfer" line has the proper IP address of the remote slave DNS server.
• Edit the remote server's /home/chroot-dns-ext/etc/named.conf file and APPEND the following:

    zone "acme123.com." {
      type slave;
      file "acme123.com.db";
      masters { 100.200.0.212; };
      allow-transfer { none; };
    };

    zone "212.0.200.100.in-addr.arpa." {
      type slave;
      file "212.0.200.100.db";
      masters { 100.200.0.212; };
      allow-transfer { none; };
    };

NOTE: The second section above is for setting up a secondary DNS server for a remote domains that only has ONE IP ADDRESS. If the remote domain had a "subnet of IPs (typically 5 or port IP addresses), you would need a slightly different configuration. The following example would be correct if the remote system had -8- IP allocated.

                zone "128/29.0.200.100.in-addr.arpa." {
                  type slave;
                  file "128.0.200.100.db";
                  masters { 100.200.0.129; };
                  allow-transfer { none; };
                };

Basically, you need to understand that:

The IP addresses the remote site was given an address range of 100.200.0.128-135 with a subnet mask of 255.255.255.250 (a /29).

Then, with the not-so-obvious DNS syntax from RFC 2317, you read the top line as:

• In the last octet of the IP address, the first IP address of this remote subet is "128". (This is the NETWORK address)
• Next, the subnet mask is a /29 or 8 IPs
• The remaining reverse zone is 0.200.100

Yes, its weird syntax and NOT obvious (try even reading the RFC!) but it works fine.

• Finally, you need to create a dummy file for this remote domain.

                        touch /home/chroot-dns-ext/var/named/acme123.com.db

• Now, restart the remote secondary DNS server by running the following command from the remote box:
  • Redhat:

    ---

                    /etc/rc.d/init.d/named stop
                    /etc/rc.d/init.d/named start
        
    

    ---

  • Slackware:

    ---

                    kill -HUP `ps aux | grep named | grep -v -e grep | awk '{print $2}'`/usr/sbin/named &
        
    

    ---

Once everything is working fine, be SURE to follow the "aliases" instruction in Section 18.

24.18 Automating the maintenance of the root-hints.db file

Ok, now DNS is hopefully working for your new connection. Next, I recommend that you implement the following script to maintain the root-hints file. This script is from the DNS-HOWTO (with a few changes on my behalf [should be in the DNS-HOWTO now]):

/usr/local/sbin/root-hints-update

<root-hints-update START>

#!/bin/bash
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# v2.4 - Updated the dig info lookup from ns.internic.net to
#        a.root-servers.net 
# v2.3 - Updated the initial CD into one of the real CHROOTed dirs
#        vs. /var/named.  The old script was also leaving a stray NEW
#        file in the EXT directory.  Because of all this, the email
#        notification would show an old root.hints file though DNS
#        would have the correct updated file.
# v2.2 - Change getting the hints file from rs.internic.net to ns.internic.
#        net
# v2.1 - Fixed a typo in the CHMOD of the external root-hints.sb file
#      - Fixed the file ownership of the internal root-hints.db file
#      - Changed the default path of where the new root.hints.new file 
#        is to be placed
#      - Updated to have a backup copy of the INTERNAL hints file and not
#        just have an EXTERNAL backup
# v2.0 - Updated the script to support dual zone files
# v1.3 - Updated the script to show more verbose FAILURE logs.
#        Thanks to jon.marks@novatek.co.nz for the ideas
#
# v1.2 - added the test if no ROOT-SERVERS were returned
# v1.1 - added the test if the result had a SERV-FAIL
# v1.0 - original script from the DNS-HOWTO

export PATH=/sbin:/usr/sbin:/bin:/usr/bin:
cd /home/chroot-dns-ext/var/named

dig @a.root-servers.net . ns > /home/chroot-dns-ext/var/named/root.hints.new 2> result

DIG_OUTCOME=FAIL
if [ `grep -c SERVFAIL root.hints.new ` = 0 ] && [ `grep -c ROOT-SERVERS /home/chroot-dns-ext/var/named/root.hints.new` -gt 0 ]
   then
        DIG_OUTCOME=SUCCESS
        mv -f /home/chroot-dns-ext/var/named/root.hints.db /home/chroot-dns-ext/var/named/root.hints.db.old
        cp -f /home/chroot-dns-ext/var/named/root.hints.new /home/chroot-dns-ext/var/named/root.hints.db
        chown chroot-dns-ext:chroot-dns-ext /home/chroot-dns-ext/var/named/root.hints.db
        chmod 444 /home/chroot-dns-ext/var/named/root.hints.db

        mv -f /home/chroot-dns-int/var/named/root.hints.db /home/chroot-dns-int/var/named/root.hints.db.old
        mv /home/chroot-dns-ext/var/named/root.hints.new /home/chroot-dns-int/var/named/root.hints.db
        chown chroot-dns-int:chroot-dns-int /home/chroot-dns-int/var/named/root.hints.db
        chmod 444 /home/chroot-dns-int/var/named/root.hints.db

        echo -n "Restarting named: " >> result
#       note:  We dont use restart since old Redhat didn't support it

        /etc/rc.d/init.d/named stop >> result
        /etc/rc.d/init.d/named start >> result
fi

(
        echo "To: hostmaster <root>"
        echo "From: system <root>"
        echo "Subject: TrinityOS DNS monthly root.hints.db update status: $DIG_OUTCOME."
        echo
        cat /home/chroot-dns-int/var/named/root.hints.new result
        echo

) | /usr/sbin/sendmail -t
rm -f result /home/chroot-dns-int/var/named/root.hints.new
exit 0

Now, make it executable and readable ONLY by root:

                chmod 700 /usr/local/sbin/root-hints-update

Finally, put it in the cron job to run monthly:

Redhat:

                        ln -s /usr/local/sbin/root-hints-update /etc/cron.monthly/root-hints-update

Slackware:

- Edit "/var/spool/cron/crontab/root" and add this line to the bootom of the file:

                        --
                        02 3 1 * *      /usr/local/sbin/root-hints-update
                        --

That's it!

24.19 How to acquire an Internet Domain Name

To get your own Internet domain, you need:

1. A pre-selected Internet domain name that isn't already taken. You can check to see if your desired domain is available by going to: http://www.internic.net or use the UNIX "whois" command. If the domain you want is already gone, don't forget to try the other suffixes like .com, .net, and .org. You should also know that many other countries are pushing users to use their domain space. For example, .cc is fairly popular with some people.

   NOTE: US laws are about to change in the Internet. Currently, sleazy Internet users have been reserving domain names like cheezewiz.com and making the rightful owners (Kraft Corporation) pay ransoms to get them back.

   In 2000, companies that own trademarks to these names, like CheeseWiz, will have LEGAL rights to those domains. So, even if you had the domain, superdupergizo.com for years and sold gizmos with that name, someone might get that name trademarked. If that happens, they then will have LEGAL right to take that domain away from you.

   Because of this, you might also want to get a trademark in addition to the domain name. You might not care too much about this but some people NEED TO. Please also understand that if you get a trademark for for the name and you already secured the .com domain name, you will then have legal grounds to kick people off the .net and .org domains as well. Personally, I think it will be cheaper in the long run if you just register ALL three domain name suffixes (.com, .net, .org) at one time.

2. Agreements with (2) or more EXISTING DNS servers their TCP/IP address to be your secondary (backup) DNS servers. You will have to coordinate this setup with the remote DNS administrators but it isn't too hard. As it stands, the setup of the secondary supprot is fully documented in TrinityOS's DNS section.

   NOTE: You can RESERVE your desire DNS domain name NOW and not need to configure any server for a while. Basically, once you pay for it, the domain is YOURS unless you don't pay the renewal fees in (2) years. One thing several Internet Domain Registrars are now doing is providing a full co-location service for your domain where they will setup the DNS services, email, etc ALL on their server for a extra fee. . This service costs more than just the initial domain name procurment (currently $119 for 2 years from NSI) but some people like it.

   Note #2: Realistically the primary and multiple secondary servers shouldn't be on the same network (ISP). For example: if you want to put a DNS server behind your "XYZ" ISP provider, your backup DNS servers shouldn't be connected via "XYZ" as well. Why? What happens if XYZ ISP's network goes down? ALL DNS for your domain will fail. That means email will bounce, etc.

3. A permanent Internet connection with a static IP. --OR-- You can sign up with some of those dynamic DNS providers and they can then update their tables to you.

4. A credit card (makes things easier but they can also bill you too for bulk requests). Each domain currently costs $70 for 2 years and then $35 per year after that.

   NOTE: Fortunately, you can usually deduct this cost from your taxes.

5. Now, with all this information (IP addresses, etc), go to http://www.internic.net and pick a Registrar. The incumbant registrar is Network Solutions (NSI) but my experience with them hasn't been the best. Though I can't recommend one registrar over another, I encourage you to research it a little. If you have good/bad luck with some of these new players, I'd love to hear from you.

6. Follow the prompts and enter in your domain name(s). Then click on either "reserve" or "register".

   NOTE: In the past, all DNS registration was done via a email-only system. It was confusing at times and a pain. The new system is ALL web based and is much better. Interestingly enough, NSI would let you fill things out via a WWW form but it still will email you the completed for and expect you to EMAIL it back to them. Lame.

   NOTE #2: Do not put in bogus data for any of the fields thinking it will keep your information private. They check the info and if it doesn't all check, they will deny you the domain. The need your snail mail address for your receipt and phone numbers in case your DNS server, etc. goes down, is hacked into, etc. This phone number is more valuable than you might think.

   NOTE #3: When filling out the new Contact Information area, you might see the section for security. There are three types:

   MAIL-FROM: This means that any changes to your domain must come from an email address from your domain and it is the default setting.

   DO NOT USE THIS OPTION.

   Its too simple for remote people to forge email. Because of this, many people have had their domains STOLEN from them because of this weak link.

   CRYPT: This is a password encrypted setup. This is pretty good as long as you use a GOOD password. See Section 8 in TrinityOS for how to pick good passwords.

   PGP: This is the ultimate in security and you need to submit your public PGP key to the Internic. BE WARNED: If you change your PGP key often (your need to do this), you might lock yourself out of your domain and you will have to call the Internic direct.

   If you DO NOT SEE these fields, don't worry. Once you finish your domain registration, go back to:

   http://www.networksolutions.com/cgi-bin/itts/handle

   and change it there.

7. When it asks you for a email address, do NOT use an email address that will be behind this new domain. Why? Until you get this DNS system fully running, any email from the Registrar will be lost! Get it? If you have problems with your domain and email isn't working, you WON'T be able to fix it because some registrars expect DNS fixit emails to come from the problem DNS domain. Stupid.. very stupid. Eh.. But.. don't worry, once everything works fine, you can go back and change this address.

8. After that, its pretty simple and VERY fast.

If you need more info on DNS, follow this great HOWTO:

ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/DNS-HOWTO