LinuxQuestions.org

Linux - Server forum: Setting, configuring, authoritative or stealth DNS Domain Name Server Red Hat (http://www.linuxquestions.org/questions/linux-server-73/setting-configuring-authoritative-or-stealth-dns-domain-name-server-red-hat-879732/)

iPatch 05-09-2011 06:11 PM

Setting, configuring, authoritative or stealth DNS Domain Name Server Red Hat
 
Recently, the admin of the current server that has been hosting my blog gave me the option to upgrade my current server configuration, but I needed to spend some cash and get my own domain name (done). I decided to go the godaddy.com route to purchase a domain name.

Well, with purchasing my domain and getting my virtual Linux server comes setting up DNS. I have no prior experience setting up DNS using BIND, so (insert thread). The admin of the virtual server, who also admins the equipment on which the virtual server resides, recommended setting up BIND on the virtual server to use his DNS servers, and keeping the version of BIND running on my virtual server protected by having BIND run in "stealth mode".

In the interest of simplicity I am going to establish the following values, in the spirit of KISS:

Distribution: Red Hat (Scientific Linux 6.0 Carbon)
Domain name: mysite.com
Static WAN IP: 1.2.3.4
Static WAN IP (netmask): 255.255.255.255 or /32

Question 1
How would I configure the named.conf file to be setup in "stealth mode" so that I am using the local copy of BIND on the virtual server to point to a master DNS server?

Question 1.1
What would a sample named.conf look like for using BIND in stealth?

Question 1.2
What would a sample mysite.zone file look like for stealth setup?

Question 2
What would a sample named.conf file look like for an authoritative server?

Question 2.1
What would a sample mysite.zone file look like for an authoritative server?


Here are snippets for my current named.conf and mysite.zone

named.conf

Code:

##########################################################################
# File: /etc/named.conf
##########################################################################
# BIND configuration file
##########################################################################
# maintained by: me
##########################################################################
# Examples: /usr/share/doc/bind*/sample/ for example configuration files
##########################################################################
# CHANGELOG:
# 1. change1
##########################################################################

// Only one "options" statement is allowed in this configuration file.

options
{
  directory "/var/named";    // default directory

  // SECURITY - version statement - inhibited
  // avoids hacking any known weaknesses
  version "not currently available";

  // Additions added from Red Hat config - named.conf
  //  listen-on-v6 port 53 { ::1; };
  // "any" already includes 127.0.0.1, so one listen-on statement is enough
  listen-on port 53 { any; };

  // specify dump file
  dump-file  "/var/named/data/cache_dump.db";
  statistics-file "/var/named/data/named_stats.txt";
  memstatistics-file "/var/named/data/named_mem_stats.txt";

  // Additions added from Red Hat config - named.conf
  // These are the defaults for every zone in every view below; a view that
  // has to answer the Internet must override allow-query itself.
  allow-query { localhost; };
  allow-transfer { none; };   // no zone transfers unless a zone opens them
  recursion yes;

  dnssec-enable yes;
  dnssec-validation yes;
  dnssec-lookaside auto;

  // Path to ISC DLV key
  bindkeys-file "/etc/named.iscdlv.key";
};


// Logging for DNS and BIND

logging
{
  channel default_debug {
            file "data/named.run";
            severity dynamic;
            };
};

// INTERNAL - provide recursive queries and caching for goodguys

view "goodguys" {
  match-clients { 127.0.0.1; }; // local network
  recursion yes;

  // ZONE - allows the name server
  // ZONE - to talk to the 13 authoritative name servers

  zone "." IN {
    type hint;
    file "named.ca";
  };

  include "/etc/named.rfc1912.zones";

  // ZONE - mysite.com

  zone "mysite.com" {
    type master;
    // private zone file including local hosts
    file "zones/internal/master.mysite.com.internal";
    allow-update { none; };
  };

  // ZONE - required local host domain - commented out to get working - already exists
  // (the included named.rfc1912.zones defines "localhost" already)

  //zone "localhost" in {
  //  type master;
  //  file "zones/internal/master.localhost";
  //  allow-update { none; };
  //};

  // ZONE - required reverse map
  // (run named-checkconf after editing: it reports a duplicate if the
  //  included file also defines this zone)

  zone "0.0.127.in-addr.arpa" in {
    type master;
    file "zones/internal/localhost.rev";
    allow-update { none; };
  };

}; // INTERNAL - endview

// EXTERNAL - provides view for badguys

view "external" { // What the Internet will see

  // This view will contain zones you want to serve only to "external"
  // clients that have addresses that are not on your directly attached
  // LAN interface subnets:

  match-clients      { any; };
  match-destinations { any; };

  // Override the options-level allow-query { localhost; }; without this
  // nobody on the Internet gets an answer from this view at all.
  allow-query { any; };

  // you'd probably want to deny recursion to external clients, so you don't
  // end up providing free DNS service to all takers
  recursion no;

  // These are your "authoritative" external zones, and would probably
  // contain entries for just your web and mail servers:

  // the class "in" stands for Internet

  // Reverse zone: with a single /32 the 3.2.1.in-addr.arpa zone is only
  // yours if the owner of the /24 delegates it to you (RFC 2317 style);
  // the file name now matches the zone name.
  zone "3.2.1.in-addr.arpa" {
    type master;
    file "zones/external/3.2.1.in-addr.arpa.zone";
    allow-update { none; };
  };

  zone "mysite.com" {
    type master;
    file "zones/external/mysite.com.zone";
    allow-update { none; };
    // any secondary that should pull this zone gets listed here:
    // allow-transfer { <secondary addresses>; };
  };
  // EXTERNAL - endview
};

mysite.zone
Code:

; File: /var/named/zones/external/mysite.com.zone
;
; Zone file for mysite.com
;
; The full Forward zone file
;
; Names in record data that do not end in a dot are relative to the zone
; origin, so nameserver names must be written with the trailing dot.
;
$TTL 86400
@    IN    SOA      ns1.mysite.com.    admin.mysite.com. (
                    2011050701 ; serial, YYYYMMDDnn - bump on every change
                    3600       ; refresh, seconds
                    3600       ; retry, seconds
                    1209600    ; expire, seconds - must exceed refresh+retry
                    3600       ; minimum (negative-cache TTL), seconds
)
      IN    NS      ns1.mysite.com.
      IN    NS      ns2.mysite.com.

; nameservers inside the zone need address (glue) records; ns1 is assumed
; to be this host, ns2's address is not given here and still has to be added
ns1  IN    A        1.2.3.4

www  IN    A        1.2.3.4

Any and all suggestions and examples are greatly appreciated.

cheers
-C
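The configuration the question is asking for, as an added example that is not part of the thread or any poster's own setup: a hidden-primary ("stealth") named.conf. In BIND terms a stealth server is authoritative for the zone but never appears in the zone's NS records; the hosting admin's public servers are secondaries that transfer the zone from it, and those are what the registrar (GoDaddy here) is pointed at. The two public secondaries are assumed to be ns1.example.net at 192.0.2.10 and ns2.example.net at 192.0.2.11; the names and the RFC 5737 documentation addresses are placeholders to be replaced with the admin's real servers.

```conf
// /etc/named.conf -- hidden ("stealth") primary for mysite.com on 1.2.3.4.
// Added example, not the poster's file. ns1/ns2.example.net and the
// 192.0.2.x addresses are placeholders for the hosting admin's secondaries.

acl "secondaries" { 192.0.2.10; 192.0.2.11; };

options {
  directory "/var/named";
  version "not currently available";
  listen-on port 53 { any; };
  listen-on-v6 { none; };

  // Defaults inherited by every zone in every view: answer only localhost,
  // transfer to nobody, recurse for nobody. Views open exactly what they need.
  allow-query    { localhost; };
  allow-transfer { none; };
  recursion no;

  dnssec-enable yes;
  dnssec-validation yes;
};

logging {
  channel default_debug { file "data/named.run"; severity dynamic; };
};

// Resolver for this host only.
view "internal" {
  match-clients { localhost; };
  recursion yes;
  zone "." IN { type hint; file "named.ca"; };
  include "/etc/named.rfc1912.zones";
};

// What the Internet sees: the zone, nothing else, no recursion.
view "external" {
  match-clients { any; };
  recursion no;
  // For a truly hidden primary { secondaries; } is enough here and keeps the
  // host out of the public query path; use { any; } only for the openly
  // authoritative setup of Question 2.
  allow-query { any; };

  zone "mysite.com" IN {
    type master;
    file "zones/external/mysite.com.zone";
    allow-update   { none; };
    allow-transfer { secondaries; };        // only the public secondaries may AXFR
    also-notify    { 192.0.2.10; 192.0.2.11; };
    notify explicit;                        // NOTIFY the also-notify list only
  };
};
```

The matching zone file differs from the one in the post in two places: its NS records name only the secondaries, written fully qualified (ns1.example.net. and ns2.example.net., trailing dots included), and the serial is bumped on every edit so the NOTIFY/refresh cycle picks the change up. For the openly authoritative variant of Question 2 the only changes are NS records naming this host (ns1.mysite.com. with an A record for it), the host registered as a nameserver at the registrar so the glue exists, and allow-query { any; } in the external view. Before reloading, `named-checkconf -z /etc/named.conf` loads every zone and reports syntax or duplicate-zone problems, and `named-checkzone mysite.com /var/named/zones/external/mysite.com.zone` checks the zone file alone. From outside, `dig @1.2.3.4 mysite.com NS +norecurse` must answer and `dig @1.2.3.4 www.example.org` must be refused rather than answered, which confirms recursion is really off for the external view. The `dnssec-lookaside auto;` line in the posted config can be dropped on anything current: ISC retired the DLV registry in 2017, so it no longer adds any validation.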
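The posted mysite.com.zone has two faults that named-checkzone reports: the NS targets lack a trailing dot, so BIND reads `ns1.mysite.com` as `ns1.mysite.com.mysite.com.`, and the SOA expire (3600) is shorter than refresh plus retry, so a secondary that misses one refresh discards the zone. The following lint, an added example written for this page rather than the poster's or ISC's code, parses a zone file and reports those faults plus a 32-bit serial overflow and in-zone nameservers without glue. Both sample zones are constructed: POSTED_ZONE copies the first post's file, and FIXED_ZONE is the hidden-primary version answering Question 1.2, with ns1/ns2.example.net standing in for the hosting admin's public servers.

```python
"""Zone-file lint: the checks named-checkzone does, written out readably."""


def _logical_lines(text):
    """Yield records; '( ... )' continuations (the SOA) are joined into one."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()       # drop comments
        if not line.strip() and not buf:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth <= 0:
            yield " ".join(buf)
            buf, depth = [], 0


def _absolute(name, origin):
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_zone(text, origin):
    """Return [(owner, TYPE, rdata_tokens)] with owner names fully qualified."""
    origin = origin.rstrip(".") + "."
    owner, records = origin, []
    for rec in _logical_lines(text):
        toks = rec.replace("(", " ").replace(")", " ").split()
        if toks[0].startswith("$"):              # $TTL, $ORIGIN: no record
            if toks[0].upper() == "$ORIGIN":
                origin = toks[1]
            continue
        if not rec[0].isspace():                 # new owner; else inherit last
            owner = _absolute(toks.pop(0), origin)
        if toks and toks[0].isdigit():           # optional TTL
            toks.pop(0)
        if toks and toks[0].upper() in ("IN", "CH", "HS"):
            toks.pop(0)
        records.append((owner, toks[0].upper(), toks[1:]))
    return records


def lint_zone(text, origin):
    """Return human-readable findings; an empty list means the zone is clean."""
    origin = origin.rstrip(".") + "."
    recs = parse_zone(text, origin)
    has_addr = {o for o, t, _ in recs if t in ("A", "AAAA")}
    findings, apex_ns = [], 0
    for owner, rtype, rdata in recs:
        if rtype == "NS" and owner == origin:
            apex_ns += 1
        if rtype in ("NS", "CNAME", "MX", "PTR"):
            target = rdata[-1]
            if not target.endswith("."):
                findings.append(f"{rtype} at {owner}: target '{target}' has no "
                                f"trailing dot, BIND reads it as {target}.{origin}")
            elif (rtype == "NS" and target.endswith("." + origin)
                  and target not in has_addr):
                findings.append(f"NS {target} is inside the zone but has no "
                                f"A/AAAA record (missing glue)")
        elif rtype == "SOA":
            mname, rname = rdata[:2]
            serial, refresh, retry, expire = (int(x) for x in rdata[2:6])
            for label, host in (("MNAME", mname), ("RNAME", rname)):
                if not host.endswith("."):
                    findings.append(f"SOA {label} '{host}' has no trailing dot")
            if not 0 <= serial < 2 ** 32:
                findings.append(f"SOA serial {serial} does not fit in 32 bits")
            if expire < refresh + retry:
                findings.append(f"SOA expire {expire}s is below refresh+retry "
                                f"({refresh + retry}s): a secondary that misses "
                                f"one refresh throws the zone away")
    if apex_ns == 0:
        findings.append(f"no NS record at the zone apex {origin}")
    return findings


# Constructed sample: the mysite.com.zone from the first post, faults intact.
POSTED_ZONE = """\
$TTL 86400
@    IN    SOA      ns1.mysite.com.    admin.mysite.com. (
                    200110507 ;  serial#
                    3600  ;  refresh, seconds
                    3600  ; retry, seconds
                    3600  ; expire, seconds
                    3600  ; minimum, seconds
)
      IN    NS      ns1.mysite.com
      IN    NS      ns2.mysite.com
www  IN    A        1.2.3.4
"""

# Constructed sample: the corrected hidden-primary version (Question 1.2).
# ns1/ns2.example.net are placeholders for the hosting admin's public servers.
FIXED_ZONE = """\
$TTL 86400
$ORIGIN mysite.com.
@    IN  SOA  ns1.example.net. admin.mysite.com. (
              2011050701 ; serial, YYYYMMDDnn, bump on every change
              3600 900 1209600 3600 ) ; refresh retry expire negative-TTL
     IN  NS   ns1.example.net.
     IN  NS   ns2.example.net.
@    IN  A    1.2.3.4
www  IN  A    1.2.3.4
"""

if __name__ == "__main__":
    for name, zone in (("posted", POSTED_ZONE), ("fixed", FIXED_ZONE)):
        print(name, lint_zone(zone, "mysite.com") or "clean")
```

The relative-name trap is the one to remember: a zone file never errors on `ns1.mysite.com` without the dot, it just silently serves `ns1.mysite.com.mysite.com.`, and the first symptom is resolvers elsewhere reporting the zone as lame. named-checkzone prints the expanded names with `-D`, which is the quickest way to see what BIND actually loaded.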

bathory 05-10-2011 12:41 AM

Hi,

Have a look at the various examples here

Regards

iPatch 05-10-2011 09:27 AM

Thanks, I'll give that a run-through in a minute.

iPatch 05-12-2011 01:49 PM

So a little more googlefu presented this -> http://www.unixwiz.net/techtips/bind9-chroot.html

I now have BIND 9 running in a chroot jail.
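A way to confirm that the jail described in the post is actually in effect, added here as an example and not part of the linked page or the poster's setup. It reads only the Linux /proc interface, so it needs no BIND tooling. The expected root, /var/named/chroot, is the ROOTDIR that Red Hat's bind-chroot package sets in /etc/sysconfig/named; if the jail was built by hand as in the linked article, pass the directory actually used. The check also refuses a named running as uid 0, because a chroot is not a boundary for root: a root process can mknod, mount or chroot() its way back out, so the jail only counts together with the unprivileged named user.

```python
"""Verify that a running named is confined: right root directory, not root.

Added example for this thread; reads /proc on Linux only.  The default
expected_root is the bind-chroot ROOTDIR and is an assumption about the
install, not something the thread states.
"""
import os
import sys


def process_root(pid=None):
    """Directory the process sees as '/', from /proc/<pid>/root."""
    return os.readlink(f"/proc/{pid or 'self'}/root")


def process_uids(pid=None):
    """(real, effective) uid of the process, from /proc/<pid>/status."""
    with open(f"/proc/{pid or 'self'}/status") as status:
        for line in status:
            if line.startswith("Uid:"):
                real, effective = line.split()[1:3]
                return int(real), int(effective)
    raise RuntimeError("no Uid line in /proc status")


def check_jail(pid=None, expected_root="/var/named/chroot", need_unprivileged=True):
    """Return a list of findings; an empty list means the process is jailed."""
    findings = []
    root = os.path.realpath(process_root(pid))
    if root != os.path.realpath(expected_root):
        findings.append(f"root is {root}, expected {expected_root}")
    real, effective = process_uids(pid)
    if need_unprivileged and 0 in (real, effective):
        findings.append(f"runs with uid {real}/{effective}; "
                        f"a chroot cannot hold a root-owned process")
    return findings


def find_pids(comm):
    """PIDs whose /proc/<pid>/comm equals comm, e.g. 'named'."""
    pids = []
    for entry in os.listdir("/proc"):
        if not entry.isdigit():
            continue
        try:
            with open(f"/proc/{entry}/comm") as f:
                if f.read().strip() == comm:
                    pids.append(int(entry))
        except OSError:          # process went away or is not readable
            continue
    return pids


if __name__ == "__main__":
    # /proc/<pid>/root of another user's process is only readable as root.
    named_pids = find_pids("named")
    if not named_pids:
        sys.exit("named is not running")
    for pid in named_pids:
        problems = check_jail(pid)
        print(pid, "jailed" if not problems else "; ".join(problems))
```

Run it as root, since /proc/<pid>/root of a process owned by another user is not readable otherwise. A clean result still only says the process is confined and unprivileged; the contents of the jail matter too, so keep it to what named needs (its config, zones, and the device nodes it opens) and nothing setuid.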

TB0ne 05-12-2011 03:16 PM

Quote:

Originally Posted by iPatch (Post 4354580)
So a little more googlefu presented this -> http://www.unixwiz.net/techtips/bind9-chroot.html

I now have BIND 9 running in a chroot jail.

Outstanding. Thank you for posting your solution, and how you found it. So many folks never do.

