BIND, installing
m (BIND (installing) moved to BIND, installing) |
(update bind version in ports (maybe shouldn't have the version in this wiki?)) |
||
Line 5: | Line 5: | ||
to overwrite the base installation. | to overwrite the base installation. | ||
− | Installing BIND is fairly straightforward; the latest version is 9.3. | + | Installing BIND is fairly straightforward; the latest version is 9.3.4-P1 and it's in ports: |
# cd /usr/ports/dns/bind9 | # cd /usr/ports/dns/bind9 | ||
# make install clean | # make install clean |
Revision as of 19:28, 29 September 2007
The most common versions of BIND are 9 and 8, although you will occasionally see a BIND version 4 server around, they're not very common -- which is a good thing, since DNS bugs and vulnerabilities are Bad News and older versions of BIND were plagued with both.
BIND in FreeBSD is part of the base system -- it's already there and waiting for you. If you must install it yourself, you can do it from ports, but remember to use
# make -DWITH_PORT_REPLACES_BASE_BIND9 install clean
to overwrite the base installation.
Installing BIND is fairly straightforward; the latest version is 9.3.4-P1 and it's in ports:
# cd /usr/ports/dns/bind9 # make install clean
and you're pretty much done.
Wait, I thought you said we were done
Well, you're done if you want a standard install. If you want a really secure DNS server, you're probably going to want to install BIND in a chroot jail. It's a pain, but it means that even if your server gets compromised, the rest of the box isn't at risk.
When making a program live inside a jail, the important thing to remember is that everything that the program will need to access will need to live inside the same directories that are inside the jail environment. BIND needs to have some kind of randomness, so you'll need to put a copy of /dev/random inside the jail, as well as all the DNS config files and zone files etc are all in the same jail dir.
So the easy way to do it is to specify the directory that you want to build BIND into using the --prefix=/path/to/chroot/dir and --with-randomdev=/path/to/chroot/dir/dev/random
Rememer the chroot into your jail's chroot directory before you start BIND, and if you have any problems, it's likely because you are missing files in your jail that are necessary for your installation to run; ldd will help you find any missing libraries.
Logging from within the chroot jail
You may be interested in keeping logs of queries made to BIND, zone transfers, etc. This is easy enough using BIND's logging directive. However, because you've likely installed BIND within a chroot jail, you'll have just a few extra hoops to jump through to get logging to work correctly from within the chroot environment.
First, you need to tell syslogd, the syslog daemon, that it should listen for logging messages inside the jail, since BIND cannot send its logging messages outside the jail. To do this add
syslogd_flags=-ss -l /var/named/var/log
to your /etc/rc.conf file.
Second, tell BIND where to place its log files. If you chose the default installation of BIND9, BIND was installed to /var/named and that is where it is chrooted. Conveniently enough, there is a directory /var/named/var/log where it seems obvious to place your log files. So, in BIND9's named.conf file (/etc/namedb/named.conf) you might use a logging directive such as:
logging { queries_file { channel queries_file { file "/var/log/queries.log" versions 3 size 5m; severity dynamic; print-time yes; }; }; category queries { queries_file; }; };
Finally, you may forget that BIND's log files are located in the chroot jail. Therefore, you may wish to place a soft link in /var/log to the directory where your log files are located. For example:
cd /var/log ln -s /var/named/var/log named