
FreeBSD is known as one of the most rock-solid and reliable operating systems. I am personally a lover of FreeBSD, so I want to publish a nice howto about DNS (BIND).
In this tutorial I'll describe how to set up a secure FreeBSD-based master/slave DNS server. You can use this tutorial on both 64-bit and 32-bit platforms.
We will use 192.168.0.1 as the Master server and 192.168.0.2 as the Slave server.
Installing and Configuring DNS:
FreeBSD 7.2 will be used for this tutorial. BIND is already installed as part of the FreeBSD base system. You can check the installed BIND version using this link.
1) Update your ports tree; I personally prefer portsnap for ports tree management. After updating the ports tree, check the version you have in the ports collection:
cat /usr/ports/dns/bind94/Makefile | grep PORTVERSION
If the ports version equals your currently installed BIND version then we don't need to install a new BIND version; otherwise we will install the new version.
Installation from Ports: Master/Slave
cd /usr/ports/dns/bind94
make config
make install clean
Select REPLACE_BASE in the options menu by pressing the spacebar; you can leave the other options as they are.
Configuration:
We need to add “NO_BIND = YES” to /etc/make.conf on both master and slave. You can do that with the following command:
echo "NO_BIND = YES" >> /etc/make.conf
This tells make not to build the base-system version of BIND if you rebuild FreeBSD from source.
Chroot Environment: master/slave
Now, let's set up the directory structure for the chroot-jailed BIND. The directory can be anywhere on your system's file system; I plan to use /var/chroot/named as the BIND directory. Let's start by creating the following directory structure:
mkdir -p /var/chroot/named/etc/namedb/log
mkdir -p /var/chroot/named/etc/namedb/master
mkdir -p /var/chroot/named/etc/namedb/slave
mkdir -p /var/chroot/named/dev
mkdir -p /var/chroot/named/var/run
Placing existing Data
We need to copy the named.root file into the chroot directory so BIND can reach the root servers. For example:
cp /etc/namedb/named.root /var/chroot/named/etc/namedb/
We need another file in the /etc directory inside the chroot jail: you must copy /etc/localtime, so that BIND logs events with the right timestamps.
cp /etc/localtime /var/chroot/named/etc
System Supported Files
When BIND is running in the chroot jail it cannot access files outside the jail. A few device nodes are therefore required inside the chroot for it to work properly:
cd /var/chroot/named/dev
mknod zero c 2 12
ln -s /dev/random .
mknod null c 2 2
chmod 666 zero random null
When you've created the directories, move (or back up) the old /etc/namedb directory and replace it with a symlink into the chroot:
cd /etc
mv namedb old.namedb
ln -s /var/chroot/named/etc/namedb .
Change the ownership of the newly created directories:
cd /var/chroot
chown -R bind:bind named
chmod 700 named
RNDC Key
Now we need to generate the rndc key file and then add its contents to named.conf. The rndc key is a shared secret that the rndc utility needs in order to authenticate to named; it is also used if you run dynamic DNS together with DHCP.
rndc-confgen -a -c /etc/namedb/rndc.conf -k dnsadmin -b 256
This will create a key named dnsadmin with a size of 256 bits. At least 256 bits is recommended if you're using this for a public server. When you've generated the key, edit /etc/namedb/rndc.conf and add these lines at the end of the file:
options {
default-key "dnsadmin";
default-server 127.0.0.1;
};
That's all: everything is now configured and in place. Next we need to create the named.conf file on both the master and the slave DNS server.
named.conf – master/slave
vi /etc/namedb/named.conf
First we will create an ACL for our slave servers:
acl "slaves" {
192.168.0.2;
};
Set general options like the base directory, the pid file and other controlling options:
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
};
In the above configuration we have defined /etc/namedb as the base directory (which is linked to /var/chroot/named/etc/namedb) and specified the pid file path.
Now we need to define the controls clause and the key section for rndc connections, including the port on which named listens for them:
controls {
inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { dnsadmin; };
};
key "dnsadmin" {
algorithm hmac-md5;
secret "o/cb6L1GDSbJWfRBpY3L=";
};
In the above configuration we have created the key “dnsadmin” for rndc connections. Copy the secret line from /etc/namedb/rndc.conf and place it within the key { } section shown above.
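Copying the secret by hand is where this step usually goes wrong: if the key name or secret in named.conf differs from the one in rndc.conf, every later rndc command fails with "rndc: connection failed". The following helper script is an added example and is not part of this tutorial. It reads the key name, algorithm and secret out of an rndc.conf, emits the key { } stanza for named.conf, and checks an existing named.conf against rndc.conf. The file names are arguments; the demonstration at the bottom runs on constructed files in a temporary directory, so nothing under /etc is touched.

```shell
#!/bin/sh
# Added example (not part of the tutorial): build the named.conf key {} stanza from
# the rndc.conf that rndc-confgen wrote, and verify that named.conf carries the
# same key. All three helpers take a BIND config file and print the first match.

# Key name: the NAME in a line of the form  key "NAME" {
key_name() {
    sed -n 's/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Algorithm: the value of the first  algorithm VALUE;  line.
key_algorithm() {
    sed -n 's/^[[:space:]]*algorithm[[:space:]]*\([^;]*\);.*/\1/p' "$1" | head -n 1
}

# Secret: the quoted value of the first  secret "VALUE";  line.
key_secret() {
    sed -n 's/^[[:space:]]*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Print a named.conf key stanza built from rndc.conf ($1); fail if any part is missing.
key_stanza_from_rndc_conf() {
    name=$(key_name "$1"); alg=$(key_algorithm "$1"); secret=$(key_secret "$1")
    [ -n "$name" ] && [ -n "$alg" ] && [ -n "$secret" ] || return 1
    printf 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};\n' "$name" "$alg" "$secret"
}

# Return 0 when rndc.conf ($1) and named.conf ($2) agree on name, algorithm and secret.
keys_match() {
    [ "$(key_name "$1")" = "$(key_name "$2")" ] &&
    [ "$(key_algorithm "$1")" = "$(key_algorithm "$2")" ] &&
    [ "$(key_secret "$1")" = "$(key_secret "$2")" ]
}

# --- Demonstration on constructed files in a temporary directory -------------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT

# Constructed rndc.conf, shaped like rndc-confgen output, using the key shown on this page.
cat > "$demo/rndc.conf" <<'EOF'
key "dnsadmin" {
    algorithm hmac-md5;
    secret "o/cb6L1GDSbJWfRBpY3L=";
};
options {
    default-key "dnsadmin";
    default-server 127.0.0.1;
};
EOF

# A named.conf generated from it, plus a stale copy whose secret was never updated.
{
    printf 'controls {\n    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { dnsadmin; };\n};\n'
    key_stanza_from_rndc_conf "$demo/rndc.conf"
} > "$demo/named.conf"
sed 's|o/cb6L1GDSbJWfRBpY3L=|STALE_SECRET_FROM_OLD_KEY=|' "$demo/named.conf" > "$demo/stale.conf"

key_stanza_from_rndc_conf "$demo/rndc.conf"
keys_match "$demo/rndc.conf" "$demo/named.conf" && echo "named.conf: key matches rndc.conf"
keys_match "$demo/rndc.conf" "$demo/stale.conf" || echo "stale.conf: key MISMATCH, rndc would fail"
```

On a real server, run `keys_match /etc/namedb/rndc.conf /etc/namedb/named.conf` after regenerating a key and before restarting named; the helpers only look at the first key stanza in each file, which is enough for the single-key layout used here.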
For a caching name server we need to define the root hints zone:
zone "." {
type hint;
file "named.root";
};
Our named.conf file has now been configured on both servers. Let's configure the /etc/rc.conf file on master and slave so BIND starts at system startup:
named_enable="YES"
named_program="/usr/sbin/named"
named_chrootdir="/var/chroot/named"
named_flags="-u bind -c /etc/namedb/named.conf"
Let's configure our domain's forward and reverse lookup zones on the master server and then start BIND.
For the forward lookup zone, add the following to named.conf:
zone "techbabu.com" {
type master;
file "master/techbabu.com";
allow-transfer { slaves; };
};
Now we need to add the reverse lookup zone; it goes after the forward zone section in named.conf:
zone "0.168.192.in-addr.arpa" {
type master;
file "master/techbabu.rev";
allow-transfer { slaves; };
};
Creating the forward lookup zone file
cd /var/chroot/named/etc/namedb/master/
vi techbabu.com
Add these lines:
$TTL 3600
$ORIGIN techbabu.com.
@       IN SOA ns1.techbabu.com. postmaster.techbabu.com. (
            300000328   ; serial
            28800       ; refresh (8 hours)
            7200        ; retry (2 hours)
            604800      ; expire (1 week)
            86400       ; minimum (1 day)
        )
        NS      ns1.techbabu.com.
        NS      ns2.techbabu.com.
        MX 10   mailbox.techbabu.com.
ns1     A       192.168.0.1
ns2     A       192.168.0.2
Creating the reverse lookup zone file
cd /var/chroot/named/etc/namedb/master/
vi techbabu.rev
Add these lines:
$TTL 3600
$ORIGIN 0.168.192.in-addr.arpa.
@       IN SOA ns1.techbabu.com. postmaster.techbabu.com. (
            300000328   ; serial
            28800       ; refresh (8 hours)
            7200        ; retry (2 hours)
            604800      ; expire (1 week)
            86400       ; minimum (1 day)
        )
        NS      ns1.techbabu.com.
        NS      ns2.techbabu.com.
1       PTR     ns1.techbabu.com.
2       PTR     ns2.techbabu.com.
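The zone files above are the master's copy, and two rules apply to every later edit: the SOA serial must go up, or the slave keeps serving the old data, and a zone with a syntax error must never reach a running named. The script below is an added example, not part of this tutorial. It bumps the serial of a zone file, validates it with named-checkzone and named-checkconf (both ship with BIND), and only then calls rndc reload. It assumes the paths used on this page (chroot /var/chroot/named, zone files under etc/namedb/master, named.conf at /etc/namedb/named.conf inside the chroot); the demonstration at the bottom works on a constructed copy of the forward zone in a temporary directory, so nothing under /var/chroot is touched.

```shell
#!/bin/sh
# Added example, not from the tutorial: bump the serial of a master zone file,
# validate it, and reload it through rndc only if the checks pass.
# Assumed layout (from this page): chroot /var/chroot/named, named.conf at
# /etc/namedb/named.conf as seen from inside the chroot.

CHROOT=/var/chroot/named
NAMED_CONF=/etc/namedb/named.conf

# Print the serial of a zone file: the number on the line commented "; serial",
# as written in this tutorial's zone files.
zone_serial() {
    awk '/;[ \t]*serial/ { print $1; exit }' "$1"
}

# Raise the serial by one, in place, and print the new value. Serials are 32-bit
# unsigned, so refuse to go past 4294967295 instead of silently wrapping.
bump_serial() {
    old=$(zone_serial "$1")
    [ -n "$old" ] || { echo "bump_serial: no serial line in $1" >&2; return 1; }
    new=$((old + 1))
    [ "$new" -le 4294967295 ] || { echo "bump_serial: serial would overflow" >&2; return 1; }
    # Rewrite only the serial line; every other line passes through unchanged.
    awk -v old="$old" -v new="$new" '
        !done && /;[ \t]*serial/ { sub(old, new); done = 1 }
        { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1" || return 1
    echo "$new"
}

# Validate a zone and the whole named.conf, then reload just that zone.
# Nothing is reloaded when either check fails.  Usage: check_and_reload ZONE FILE
check_and_reload() {
    named-checkzone "$1" "$2" || { echo "$1: zone check failed, not reloading" >&2; return 1; }
    # -t applies the chroot so that relative paths in named.conf resolve correctly.
    named-checkconf -t "$CHROOT" "$NAMED_CONF" || { echo "named.conf check failed" >&2; return 1; }
    rndc reload "$1"
}

# Bump, validate and reload in one step, e.g.:  publish techbabu.com master/techbabu.com
publish() {
    file=$CHROOT/etc/namedb/$2
    bump_serial "$file" >/dev/null || return 1
    check_and_reload "$1" "$file"
}

# --- Demonstration on a constructed copy of this page's forward zone ----------------
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/techbabu.com" <<'EOF'
$TTL 3600
$ORIGIN techbabu.com.
@       IN SOA ns1.techbabu.com. postmaster.techbabu.com. (
            300000328   ; serial
            28800       ; refresh (8 hours)
            7200        ; retry (2 hours)
            604800      ; expire (1 week)
            86400       ; minimum (1 day)
        )
        NS      ns1.techbabu.com.
        NS      ns2.techbabu.com.
ns1     A       192.168.0.1
ns2     A       192.168.0.2
EOF

before=$(zone_serial "$demo/techbabu.com")
after=$(bump_serial "$demo/techbabu.com")
echo "serial $before -> $after"
# Syntax-check the copy when the BIND tools happen to be installed locally.
command -v named-checkzone >/dev/null 2>&1 && named-checkzone techbabu.com "$demo/techbabu.com"
```

The serial bump is deliberately "+1" rather than a date-based scheme so that it keeps working with the plain counter used in this page's zone files; on the master, `publish techbabu.com master/techbabu.com` after an edit does the whole bump, check and reload cycle.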
Our Master server is now completely configured; start the server:
/etc/rc.d/named start
Now edit your /etc/resolv.conf file, set nameserver 192.168.0.1, then dig the A record of your domain's NS host to make sure the Master DNS server is running:
dig ns1.techbabu.com
If you see output like this:
;; ANSWER SECTION:
ns1.techbabu.com. 3600 IN A 192.168.0.1
then your DNS server is working fine.
You can then try to ping outside domains to check whether caching (recursion) is working.
Our Master DNS server is now fully functional and ready to use. Next, configure named.conf on the slave DNS server:
vi /etc/namedb/named.conf
For the forward lookup zone add these lines:
zone "techbabu.com" {
type slave;
file "slave/techbabu.com";
masters { 192.168.0.1; };
allow-notify { 192.168.0.1; };
};
And for the reverse lookup zone:
zone "0.168.192.in-addr.arpa" {
type slave;
file "slave/techbabu.rev";
masters { 192.168.0.1; };
allow-notify { 192.168.0.1; };
};
Our Slave server is also configured; now start the slave server:
/etc/rc.d/named start
Now edit your /etc/resolv.conf file, set nameserver 192.168.0.2, then dig the A record of your domain's NS host to make sure the Slave DNS server is running.
If you get a response, your slave DNS is also functional and ready to use.
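A response to that dig only shows the slave answers; two further checks are what make the pair secure rather than merely working: the slave must report the same SOA serial as the master (otherwise transfers or NOTIFY are broken and clients get stale data from one server), and a host that is not in the "slaves" ACL must be refused a zone transfer (otherwise the whole zone can be read by anyone). The script below is an added example, not from this tutorial. Its parsing functions work on dig output as text and are run here on constructed captures (the DiG header lines are invented samples, not output from these servers); the live checks against 192.168.0.1 and 192.168.0.2 need dig installed and run only when the script is invoked with --live, from a machine that is not a slave.

```shell
#!/bin/sh
# Added example, not from the tutorial: post-install checks for the master/slave pair.
# serials_in_sync and axfr_refused take dig output as text, so they can be tested
# on captured samples; live_check runs the real queries.

MASTER=192.168.0.1
SLAVE=192.168.0.2
ZONE=techbabu.com

# Serial from dig output: on an SOA answer line the fields are
# owner ttl IN SOA mname rname serial ..., so the serial is field 7.
soa_serial_from_dig() {
    awk '$4 == "SOA" { print $7; exit }'
}

# Return 0 when two dig SOA outputs (master, slave) report the same non-empty serial.
serials_in_sync() {
    m=$(printf '%s\n' "$1" | soa_serial_from_dig)
    s=$(printf '%s\n' "$2" | soa_serial_from_dig)
    [ -n "$m" ] && [ "$m" = "$s" ]
}

# Return 0 when an AXFR attempt was refused: dig reports "Transfer failed" and no
# SOA record came back. Run the AXFR from a host that is NOT in the slaves ACL.
axfr_refused() {
    case $1 in
        *"Transfer failed"*) [ -z "$(printf '%s\n' "$1" | soa_serial_from_dig)" ] ;;
        *) return 1 ;;
    esac
}

# Live checks against the real servers; returns 0 only when both checks pass.
live_check() {
    command -v dig >/dev/null 2>&1 || { echo "dig not installed" >&2; return 2; }
    ok=0
    m=$(dig +noall +answer "@$MASTER" "$ZONE" SOA)
    s=$(dig +noall +answer "@$SLAVE" "$ZONE" SOA)
    if serials_in_sync "$m" "$s"; then echo "serials in sync"
    else echo "FAIL: serial mismatch or no answer"; ok=1; fi
    x=$(dig "@$MASTER" "$ZONE" AXFR)
    if axfr_refused "$x"; then echo "AXFR refused for this host: allow-transfer works"
    else echo "FAIL: this host can transfer $ZONE; check the slaves ACL"; ok=1; fi
    return $ok
}

# --- Constructed dig captures (invented samples, not real output) ------------------
MASTER_SOA_SAMPLE='techbabu.com. 3600 IN SOA ns1.techbabu.com. postmaster.techbabu.com. 300000328 28800 7200 604800 86400'
SLAVE_SOA_SAMPLE="$MASTER_SOA_SAMPLE"
STALE_SLAVE_SAMPLE='techbabu.com. 3600 IN SOA ns1.techbabu.com. postmaster.techbabu.com. 300000327 28800 7200 604800 86400'
# What dig prints when allow-transfer rejects the client.
REFUSED_AXFR_SAMPLE='; <<>> DiG 9.4.x <<>> @192.168.0.1 techbabu.com AXFR
; (1 server found)
;; global options:  printcmd
; Transfer failed.'
# What a successful, i.e. leaked, transfer looks like.
LEAKED_AXFR_SAMPLE='; <<>> DiG 9.4.x <<>> @192.168.0.1 techbabu.com AXFR
techbabu.com. 3600 IN SOA ns1.techbabu.com. postmaster.techbabu.com. 300000328 28800 7200 604800 86400
techbabu.com. 3600 IN NS ns1.techbabu.com.
ns1.techbabu.com. 3600 IN A 192.168.0.1
techbabu.com. 3600 IN SOA ns1.techbabu.com. postmaster.techbabu.com. 300000328 28800 7200 604800 86400'

serials_in_sync "$MASTER_SOA_SAMPLE" "$SLAVE_SOA_SAMPLE" && echo "sample: slave in sync"
serials_in_sync "$MASTER_SOA_SAMPLE" "$STALE_SLAVE_SAMPLE" || echo "sample: stale slave detected"
axfr_refused "$REFUSED_AXFR_SAMPLE" && echo "sample: transfer correctly refused"
axfr_refused "$LEAKED_AXFR_SAMPLE" || echo "sample: transfer leak detected"

case ${1:-} in --live) live_check ;; esac
```

If the live serial check fails right after setup, look at the slave's log for the NOTIFY from 192.168.0.1 and at the master's log for the transfer request from 192.168.0.2; if the AXFR check fails, the acl "slaves" block and the allow-transfer lines in named.conf are the places to look.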
Congratulations, you have successfully configured a secure Master/Slave DNS server.
If you have any suggestions regarding this tutorial please tell us; your comments will be very helpful for us.
