interfasys
Verified User
This configuration works for us. I'm no expert. Expecting feedback to improve it.
GOAL
Use the more secure chrooted BIND environment that comes by default with FreeBSD 5.3 and later.
SYSTEM
FreeBSD 5.3 and later only.
LIST OF KNOWN PROBLEMS:
Are permissions on files and folders correct and secure?
DISCLAIMER:
Use at your own risk. This Howto could wipe your data or kill your server and neither I, nor interfaSys llc would be held responsible.
No support is available, I will try to update this Howto as soon as things change.
ACKNOWLEDGMENT:
Based on an email from Dr Matthew J Seaman MA, D.Phil. to the FreeBSD lists and scripts from Yikes2000.
HISTORY:
0.9.1, disabled recursion since I don't want my dns to be used to get info about other domain names (security).
0.9, included some fixes by Yikes2000 (reload, perl script) and some copy bugs.
0.8, initial release
//////////////////////////////////////////////////
Modify startup script
------------------------
# pico /etc/rc.conf
Remove the named lines DirectAdmin put there, e.g.
--
named_enable="NO"
--
The chroot settings (named_chrootdir="/var/named" and the chroot/symlink handling) are already the defaults in /etc/defaults/rc.conf, so they need not be repeated. The default for named_enable is NO, though, and /etc/rc.d/named refuses to start, by hand or at boot, while it is NO, so the one named line /etc/rc.conf should carry is:
--
named_enable="YES"
--
Create the localhost reverse DNS (optional)
------------------------
# cd /var/named/etc/namedb/
# ./make-localhost
Migrate old DNS data
------------------------
Copy the zone files and the rndc key into the chroot, then move the old directory aside as a backup:
# cd /etc
# cp namedb/*.db /var/named/etc/namedb/master
# cp namedb/rndc.* /var/named/etc/namedb
# mv namedb namedb.old
Change some permissions, just in case you don't have them right already
------------------------
# cd /var/named/etc
# chown -R bind:wheel namedb
Note that this makes every file, named.conf and rndc.key included, writable by the bind user, so a compromised named could rewrite its own configuration. named only needs to read its config and the master zones (DirectAdmin writes them as root). A tighter arrangement keeps namedb, named.conf and master/ owned by root and readable by bind, gives bind write access only to the directories it writes to (slave zones, dynamic zones, the dump and statistics directories), and keeps rndc.key unreadable to others (owner root, group bind, mode 640).
Modify named.conf
------------------------
The secret for the key section is in rndc.key (if you don't have one yet, it is generated at the first start). BIND 9.3 also picks rndc.key up automatically when named.conf has no controls statement and there is no rndc.conf; the explicit sections below mainly pin the control channel to 127.0.0.1.
# pico /var/named/etc/namedb/named.conf
1)Add this or modify this at the top
--
key "rndc-key" {
algorithm hmac-md5;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
2) Add this to your options block:
version "";
recursion no;
(version "" answers version.bind CHAOS queries with an empty string instead of the BIND release; recursion no makes the server authoritative-only, so it cannot be used as an open resolver.)
3) Paste your zones from your original /etc/namedb.old/named.conf. Their file paths are rewritten in the next step.
4) Comment out listen-on { 127.0.0.1; }; so that named listens on all addresses and not only on loopback; an authoritative server has to be reachable from outside.
5) Comment out the IPv6 zones (unless the machine has IPv6 configured).
--
Modify the zone file paths in named.conf from /etc/namedb/<zone>.db to /etc/namedb/master/<zone>.db with this command (still in /var/named/etc/namedb). It only rewrites .db files directly under /etc/namedb, so paths already in master/ or slave/ are left alone:
# perl -pi -e 's#(/etc/namedb/)([^/]+\.db)#${1}master/$2#' named.conf
Create rndc.conf if it doesn't exist yet and put the same key and algorithm in it as in named.conf:
# touch /var/named/etc/namedb/rndc.conf
--
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
--
Check your config
------------------------
# cd /var/named/etc/namedb/
# named-checkconf named.conf && echo "Configuration OK"
Add -z to also load and check every zone file, and -t /var/named to check the file the way named sees it from inside the chroot.
Configure DirectAdmin
------------------------
# pico /usr/local/directadmin/conf/directadmin.conf
Point DirectAdmin at the master directory. Through the /etc/namedb symlink into the chroot this is /var/named/etc/namedb/master, so DA keeps writing zone files where named reads them:
--
nameddir=/etc/namedb/master
--
Now we need to replace the original DA named script with a wrapper that hands everything to the base rc script, except reload, which goes through rndc:
--
# pico /usr/local/directadmin/scripts/custom/named
paste this:
#!/bin/sh
# DirectAdmin hook for named. "reload" is done through rndc so zone changes
# do not restart the daemon; start/stop/restart/status go to the base rc
# script, which handles the chroot.
if [ "$1" = "reload" ]; then
    /usr/sbin/rndc reload
else
    /etc/rc.d/named "$1"
fi
Place the script where DA can find it and make sure it is executable (chmod 755):
# cp /usr/local/directadmin/scripts/custom/named /usr/local/etc/rc.d/named
--
//////////////////////////////////////////////////
That's it.
You can now try:
# /usr/local/etc/rc.d/named restart
On start the rc script sets up the chroot (device nodes, pid directory, symlinks), so the right folders and links should be created. Confirm with rndc status, and check with sockstat -4l that named is on port 53 and that port 953 is bound to 127.0.0.1 only.
If everything is working fine, check that it survives a reboot.
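Pulling the fragments above into one file, here is a complete named.conf for the chroot as an added example; it is not the original post's file. The directory and pid-file lines are assumed to match the stock FreeBSD named.conf (keep whatever yours says); example.com, the zone file names, the secondary at 192.0.2.10 and the key are placeholders; and allow-transfer goes beyond the post: it stops anyone from pulling whole zones with AXFR.

```conf
// /var/named/etc/namedb/named.conf, seen as /etc/namedb/named.conf inside the chroot.
// Added example, not the original post's file: chrooted, authoritative-only.

key "rndc-key" {
        algorithm hmac-md5;                           // the rndc algorithm BIND 9.3 supports
        secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";  // copy the value from rndc.key
};

controls {
        inet 127.0.0.1 port 953
                allow { 127.0.0.1; } keys { "rndc-key"; };   // control channel on loopback only
};

options {
        directory       "/etc/namedb";          // paths are relative to the chroot root
        pid-file        "/var/run/named/pid";   // assumed: as in the stock FreeBSD named.conf
        // listen-on    { 127.0.0.1; };         // commented out: serve on all interfaces
        version         "";                     // empty answer to version.bind CHAOS queries
        recursion       no;                     // authoritative only: no open resolver
        allow-transfer  { 192.0.2.10; };        // placeholder secondary; use { none; } if none
};

// DirectAdmin-managed zones live under master/ (nameddir=/etc/namedb/master).
zone "example.com" {
        type master;
        file "/etc/namedb/master/example.com.db";
};

// Localhost reverse zone written by make-localhost (optional).
zone "0.0.127.in-addr.arpa" {
        type master;
        file "/etc/namedb/master/localhost.rev";
};
```

With recursion off the server never needs the root hints, and the version string and the control channel are the two things the post's options and controls blocks change; allow-transfer is the one extra setting worth adding on an authoritative server that is reachable from outside.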
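To check that the result is what the howto set out to get (named chrooted and unprivileged, version hidden, recursion off, control channel on loopback only), the following added script, not part of the original post, bundles the checks a practitioner would run after the restart. It assumes the howto's paths and that dig, sockstat and named-checkconf are installed; check-named.sh is an assumed file name, and www.example.net is only a name this server is not authoritative for. The parsing functions take dig and ps output on stdin or as an argument, so they can be exercised on captured output without a running server.

```sh
#!/bin/sh
# Added example, not from the original post: post-install checks for the
# chrooted, authoritative-only BIND described above. Assumes the howto's
# paths (chroot /var/named, rndc on 127.0.0.1:953) and that dig, sockstat
# and named-checkconf are installed. Run with: sh check-named.sh run

CHROOT=${CHROOT:-/var/named}

# chroot_files_ok DIR: the files and directories named expects inside the chroot.
chroot_files_ok() {
    d=$1
    [ -f "$d/etc/namedb/named.conf" ] || { echo "missing $d/etc/namedb/named.conf"; return 1; }
    [ -d "$d/etc/namedb/master" ]     || { echo "missing $d/etc/namedb/master"; return 1; }
    [ -d "$d/var/run/named" ]         || { echo "missing $d/var/run/named"; return 1; }
    return 0
}

# named_args_ok LINE: LINE is named's command line as printed by "ps -o command";
# it must carry the chroot (-t) and the unprivileged user (-u bind).
named_args_ok() {
    [ -n "$1" ] || { echo "named is not running"; return 1; }
    case " $1 " in
        *" -t $CHROOT "*) ;;
        *) echo "named is not chrooted to $CHROOT"; return 1 ;;
    esac
    case " $1 " in
        *" -u bind "*) ;;
        *) echo "named is not running as user bind"; return 1 ;;
    esac
    return 0
}

# recursion_disabled: reads "dig" output for a name this server is not
# authoritative for. An authoritative-only server answers REFUSED or with a
# bare referral: no "ra" flag and nothing in the ANSWER section. An open
# resolver sets "ra" and returns records.
recursion_disabled() {
    awk '
        /^;; flags:/ {
            seen = 1
            s = $0; sub(/^;; flags: */, "", s); sub(/;.*/, "", s)
            n = split(s, f, " ")
            for (i = 1; i <= n; i++) if (f[i] == "ra") ra = 1
            if (match($0, /ANSWER: [0-9]+/)) answers = substr($0, RSTART + 8, RLENGTH - 8) + 0
        }
        END { exit !(seen && !ra && answers == 0) }'
}

# version_hidden: reads "dig +short ... version.bind txt chaos" output.
# With version "" in named.conf the only answer is an empty string.
version_hidden() {
    v=$(cat)
    [ -z "$v" ] || [ "$v" = '""' ]
}

if [ "${1:-}" = "run" ]; then
    rc=0
    chroot_files_ok "$CHROOT" || rc=1
    { [ -c "$CHROOT/dev/null" ] && [ -c "$CHROOT/dev/random" ]; } \
        || { echo "device nodes missing in $CHROOT/dev"; rc=1; }
    [ -L /etc/namedb ] || { echo "/etc/namedb is not a symlink into the chroot"; rc=1; }
    # -t checks the file the way named sees it, with paths relative to the chroot
    named-checkconf -t "$CHROOT" /etc/namedb/named.conf || rc=1
    named_args_ok "$(ps -axww -o command | grep '^/usr/sbin/named')" || rc=1
    dig @127.0.0.1 www.example.net A | recursion_disabled \
        || { echo "recursion is NOT disabled"; rc=1; }
    dig +short @127.0.0.1 version.bind txt chaos | version_hidden \
        || { echo "version string is exposed"; rc=1; }
    # the control channel (port 953) must be bound to loopback only
    sockstat -4l | awk '$2 == "named" && $6 ~ /:953$/ && $6 !~ /^127\.0\.0\.1:/ { bad = 1 }
                        END { exit bad }' \
        || { echo "rndc port 953 is not bound to 127.0.0.1 only"; rc=1; }
    rndc status >/dev/null || { echo "rndc cannot reach named"; rc=1; }
    exit $rc
fi
```

A non-zero exit means at least one check failed and its reason was printed; the recursion check deliberately looks at the ra flag and the answer count rather than only at REFUSED, because a server that still has the root hints answers a foreign name with a referral (NOERROR, empty answer) rather than REFUSED.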