Re: Guide BIND(910) Install on FreeBSD 10
Now we're going to set up the authoritative DNS (for domain owners) with DNSSEC. The steps about X11, buildworld, ZFS, etc. will be skipped since I'm assuming you already did them on the cache server (previous post).
Building the second jail (s11):
Code:
mkdir -p /usr/jails/s11
cd /usr/src
make installworld DESTDIR=/usr/jails/s11
make distribution DESTDIR=/usr/jails/s11
Mounting devfs and making the ports tree available for installing software inside the jail:
Code:
mount -t devfs devfs /usr/jails/s11/dev
mkdir -p /usr/jails/s11/usr/ports
mount_nullfs /usr/ports /usr/jails/s11/usr/ports
Making a null kernel (most sites on the web say it increases the security; the symlink belongs in the jail's root directory, not inside its /dev):
Code:
cd /usr/jails/s11
ln -sf dev/null kernel
Connecting to your jail and setting up BIND (you need to execute these commands inside the jail; the jail name is s11, matching its hostname and IP):
Code:
jail /usr/jails/s11 s11 10.1.1.11 /bin/sh
cd /usr/ports/dns/bind910
make config-recursive install clean
For the options, check the ISC site about them; what I have done:
Disabled:
Enabled:
Code:
FILTER_AAAA
FIXED_RRSET
GEOIP
IDN
IPV6
LARGE_FILE
NEWSTATS
RRL
SIGCHASE
NATIVE_PKCS11
Install Nano:
Code:
cd /usr/ports/editors/nano
make config-recursive install clean
Setting Nano as the default editor:
Change:
setenv EDITOR ee
To:
setenv EDITOR nano
Setting the rc.conf for the s11 jail (edited from the host, so the path goes through the jail root):
Code:
nano /usr/jails/s11/etc/rc.conf
hostname="s11.yourdomain.com"
ifconfig_em0="inet 10.1.1.11 netmask 255.255.255.0"
defaultrouter="10.1.1.1"
moused_enable="YES"
ntpd_enable="YES"
dumpdev="NO"
clear_tmp_enable="YES"
zfs_enable="YES"
kern_securelevel_enable="YES"
kern_securelevel="3"
named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
Set up BIND inside the jail to start on reboot:
Code:
nano /etc/rc.conf
named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
nano /etc/resolv.conf
nameserver 10.1.1.13
I'm not going to use rndc, but I generated a strong key just in case it is enabled in the future:
Code:
rndc-confgen -a -b 512
Set up the BIND configuration files:
Code:
nano /usr/local/etc/namedb/named.conf
options {
    directory "/usr/local/etc/namedb/working";
    version "not currently available";
    // authoritative only: no recursion, no zone transfers unless a zone says otherwise
    recursion no;
    allow-transfer { none; };
    dnssec-enable yes;
    dnssec-validation yes;
    minimal-responses yes;
    additional-from-auth no;
    additional-from-cache no;
    listen-on { 10.1.1.11; };
};
Enabling logs (in named.conf) for troubleshooting and diagnostics:
Code:
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};
Disable rndc:
Enable statistics from server:
Code:
statistics-channels {
    inet * port 80 allow { 192.168.1.0/24; 10.1.1.0/24; };
};
Be sure the following zones are enabled and allow-update is set to none; change yourdomain.com to your valid domain and XXX.XXX.XXX.XXX to the address of a secondary name server. You also need to set up a reverse zone, so change XXX.XXX.XXX in the last zone to your network, with the octets in reverse order (for example 1.1.10.IN-ADDR.ARPA for 10.1.1.0/24):
Code:
// root hints (required for recursive queries)
zone "." {
    type hint;
    file "/usr/local/etc/namedb/named.root";
};
zone "localhost" {
    type master;
    file "/usr/local/etc/namedb/master/localhost-forward.db";
    allow-update { none; };
};
zone "0.0.127.IN-ADDR.ARPA" in {
    type master;
    file "/usr/local/etc/namedb/master/localhost-reverse.db";
    allow-update { none; };
};
zone "yourdomain.com" in {
    type master;
    file "/usr/local/etc/namedb/master/yourdomain.com.db";
    allow-transfer { XXX.XXX.XXX.XXX; };
    allow-update { none; };
};
zone "XXX.XXX.XXX.IN-ADDR.ARPA" in {
    type master;
    file "/usr/local/etc/namedb/master/XXX.XXX.XXX.IN-ADDR.ARPA";
    allow-update { none; };
};
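As an added check (example code written for this guide, not part of the original post and not an ISC tool), here is a small Python script that parses a named.conf in the subset of syntax used above and reports which of the hardening settings are missing: recursion not disabled, the global allow-transfer not { none; }, no version string override, listen-on missing or set to any, and any master zone without allow-update { none; }. The two embedded configs are constructed samples; the first mirrors the options and zones above (192.0.2.53 stands in for the secondary address). Run audit_named_conf on the contents of the real /usr/local/etc/namedb/named.conf inside the jail to check your own setup.

```python
import re

# Tokenizer for the subset of named.conf syntax used in this guide: quoted strings,
# the punctuation { } ; and bare words. Comments (// # /* */) are removed first;
# the stripping is naive, so a // inside a quoted string would be cut off.
_TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')

def tokenize(text):
    text = re.sub(r'/\*.*?\*/', '', text, flags=re.S)
    text = re.sub(r'(?://|#)[^\n]*', '', text)
    return [tok.strip('"') for tok in _TOKEN.findall(text)]

def parse(tokens, pos=0):
    """Build a list of (head, body): head is the tuple of words before ';' or '{',
    body is the nested statement list of a block, or None for a plain statement."""
    stmts, head = [], []
    while pos < len(tokens):
        tok = tokens[pos]
        if tok == '{':
            body, pos = parse(tokens, pos + 1)
            stmts.append((tuple(head), body))
            head = []
        elif tok == '}':
            if head:
                stmts.append((tuple(head), None))
            return stmts, pos + 1
        elif tok == ';':
            if head:
                stmts.append((tuple(head), None))
            head = []
            pos += 1
        else:
            head.append(tok)
            pos += 1
    if head:
        stmts.append((tuple(head), None))
    return stmts, pos

def _find(stmts, name):
    """First statement whose head starts with name, as (rest of head, body)."""
    for head, body in stmts:
        if head and head[0] == name:
            return head[1:], body
    return None

def _acl_is_none(entry):
    return entry is not None and entry[1] is not None and \
        [head for head, _ in entry[1]] == [('none',)]

def _acl_has_any(entry):
    return entry is not None and entry[1] is not None and \
        any(head == ('any',) for head, _ in entry[1])

def audit_named_conf(text):
    """Return findings; empty when the authoritative-only hardening is present."""
    top, _ = parse(tokenize(text))
    findings = []
    options = _find(top, 'options')
    opts = options[1] if options and options[1] is not None else []
    recursion = _find(opts, 'recursion')
    if recursion is None or recursion[0] != ('no',):
        findings.append('options: recursion is not disabled')
    if not _acl_is_none(_find(opts, 'allow-transfer')):
        findings.append('options: allow-transfer is not { none; }')
    if _find(opts, 'version') is None:
        findings.append('options: version string is not hidden')
    listen = _find(opts, 'listen-on')
    if listen is None or _acl_has_any(listen):
        findings.append('options: listen-on is missing or set to any')
    for head, body in top:
        if len(head) < 2 or head[0] != 'zone' or body is None:
            continue
        ztype = _find(body, 'type')
        if ztype is None or ztype[0] not in (('master',), ('primary',)):
            continue  # hint and slave zones are not checked here
        if not _acl_is_none(_find(body, 'allow-update')):
            findings.append(f'zone {head[1]}: allow-update is not {{ none; }}')
        if _acl_has_any(_find(body, 'allow-transfer')):
            findings.append(f'zone {head[1]}: allow-transfer is open to any')
    return findings

# Constructed samples: HARDENED_CONF mirrors the settings of this guide,
# WEAK_CONF shows what the audit flags.
HARDENED_CONF = """
options {
    directory "/usr/local/etc/namedb/working";
    version "not currently available";
    recursion no;
    allow-transfer { none; };
    listen-on { 10.1.1.11; };
};
zone "yourdomain.com" in {
    type master;
    file "/usr/local/etc/namedb/master/yourdomain.com.db.signed";
    allow-transfer { 192.0.2.53; };  // constructed secondary address
    allow-update { none; };
};
zone "1.1.10.IN-ADDR.ARPA" in { type master; file "master/1.1.10.IN-ADDR.ARPA"; allow-update{none;}; };
"""
WEAK_CONF = """
options { directory "/usr/local/etc/namedb/working"; recursion yes;
          allow-transfer { any; }; listen-on { any; }; };
zone "yourdomain.com" in { type master; file "master/yourdomain.com.db"; };
"""

if __name__ == '__main__':
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else WEAK_CONF
    for finding in audit_named_conf(text) or ['no findings']:
        print(finding)
```

Usage: `python3 audit_named_conf.py /usr/local/etc/namedb/named.conf`. The parser is deliberately small (no include handling, no views), which is enough for a single-file config like the one in this guide; named-checkconf remains the authority on syntax, this script only looks at the policy settings.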
Exit from the jail:
exit
Check the jail ID:
jls
Add a new user to jail s11, just in case you wish to use rndc in the future (change ID to the number from the previous command, and set the group to bind):
Code:
jexec ID adduser dnsadmin
Username: dnsadmin
Full name: Administrator RNDC
Uid: 88
Login group: bind
Home directory: /var/named
Shell: /sbin/nologin (instead of the default /bin/sh)
Set some permissions to harden your BIND (run these inside the jail: jexec ID /bin/sh, where ID is the number jls showed for jail s11). Note that named runs as bind (named_uid) and bind is not a member of wheel, so after applying these modes check that named can still read named.conf, with a reload and not just a start:
Code:
chown dnsadmin:wheel /usr/local/etc/namedb/named.conf
chmod 0660 /usr/local/etc/namedb/named.conf
# DNSSEC keys: owner only (04000 would set just the setuid bit and leave no access at all)
mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chmod 0700 /usr/local/etc/namedb/keys
# zone files for dynamic updates (chown the directory itself; the glob would be empty)
mkdir -p /usr/local/etc/namedb/master/ddns
chown -R bind:wheel /usr/local/etc/namedb/master/ddns
find /usr/local/etc/namedb/master/ddns -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/master/ddns -type f -exec chmod 0660 {} +
# private zone files
mkdir -p /usr/local/etc/namedb/master/private
chown -R dnsadmin:wheel /usr/local/etc/namedb/master/private
find /usr/local/etc/namedb/master/private -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/master/private -type f -exec chmod 0660 {} +
# rndc directory, with the keys subdirectory readable by bind only
mkdir -p /usr/local/etc/namedb/rndc/keys
chown -R dnsadmin:wheel /usr/local/etc/namedb/rndc
find /usr/local/etc/namedb/rndc -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/rndc -type f -exec chmod 0660 {} +
chown -R bind:bind /usr/local/etc/namedb/rndc/keys
# directories need the x bit to be entered, so 0700 rather than 0400 for them
find /usr/local/etc/namedb/rndc/keys -type d -exec chmod 0700 {} +
find /usr/local/etc/namedb/rndc/keys -type f -exec chmod 0400 {} +
chown bind:bind /usr/local/etc/namedb/rndc.key
chmod 0400 /usr/local/etc/namedb/rndc.key
# slave zone files (the port creates this directory)
chown bind:wheel /usr/local/etc/namedb/slave
find /usr/local/etc/namedb/slave -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/slave -type f -exec chmod 0660 {} +
# views
mkdir -p /usr/local/etc/namedb/views
chown -R dnsadmin:wheel /usr/local/etc/namedb/views
find /usr/local/etc/namedb/views -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/views -type f -exec chmod 0660 {} +
# log directory used by the logging channels in named.conf
mkdir -p /var/log/named
chown -R bind:wheel /var/log/named
find /var/log/named -type d -exec chmod 0760 {} +
find /var/log/named -type f -exec chmod 0640 {} +
# pid file directory; named creates the pid file itself at start-up
mkdir -p /var/run/named
chown bind:bind /var/run/named
chmod 0755 /var/run/named
[ -f /var/run/named/pid ] && chown bind:bind /var/run/named/pid && chmod 0644 /var/run/named/pid
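Because chmod and find chains like the one above are easy to get wrong (a directory without the x bit cannot be entered, and a mode of 04000 sets only the setuid bit), here is an added Python audit, example code for this guide rather than anything from the post or from BIND, that walks a namedb tree and reports special bits on any entry, directories their owner cannot traverse, world-writable entries, and key material (keys/, master/private/, rndc/, rndc.key) readable by other users. The GOOD and BAD entry lists are constructed samples (the key file name uses a made-up key id); scan('/usr/local/etc/namedb') produces the same shape from the real tree inside the jail.

```python
import os
import stat

# Paths under namedb whose contents must never be readable by other users
SECRET_PATHS = ('keys', 'master/private', 'rndc', 'rndc.key')

def scan(root):
    """Collect (path relative to root, is_dir, permission bits) for the whole tree."""
    entries = []
    for dirpath, _dirnames, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        entries.append((rel, True, stat.S_IMODE(os.lstat(dirpath).st_mode)))
        for name in filenames:
            full = os.path.join(dirpath, name)
            entries.append((os.path.relpath(full, root), False,
                            stat.S_IMODE(os.lstat(full).st_mode)))
    return entries

def _is_secret(path):
    return any(path == p or path.startswith(p + '/') for p in SECRET_PATHS)

def audit(entries):
    """Return findings for a list of (path, is_dir, mode) triples."""
    findings = []
    for path, is_dir, mode in entries:
        # S_IMODE keeps the setuid/setgid/sticky bits, so 0o4000 is visible here
        if mode & (stat.S_ISUID | stat.S_ISGID):
            findings.append(f'{path}: setuid/setgid bit set (mode {mode:05o})')
        if is_dir and not mode & stat.S_IXUSR:
            findings.append(f'{path}: directory cannot be entered by its owner (mode {mode:04o})')
        if mode & stat.S_IWOTH:
            findings.append(f'{path}: world-writable')
        if _is_secret(path) and mode & (stat.S_IROTH | stat.S_IXOTH):
            findings.append(f'{path}: key material accessible to other users')
    return findings

# Constructed samples: GOOD follows the intended layout, BAD contains the
# mistakes the checks are meant to catch (the key id 12345 is made up).
GOOD = [('.', True, 0o755), ('keys', True, 0o700),
        ('keys/Kyourdomain.com.+008+12345.private', False, 0o400),
        ('master', True, 0o755), ('master/yourdomain.com.db', False, 0o644),
        ('master/private', True, 0o770), ('rndc.key', False, 0o400)]
BAD = [('keys', True, 0o4000), ('rndc', True, 0o400),
       ('master/ddns', True, 0o777), ('rndc/keys/rndc.key', False, 0o644)]

if __name__ == '__main__':
    import sys
    entries = scan(sys.argv[1]) if len(sys.argv) > 1 else BAD
    for finding in audit(entries) or ['no findings']:
        print(finding)
```

Usage: `python3 audit_namedb_perms.py /usr/local/etc/namedb` inside the jail (as root, so every directory can be entered). The audit only looks at mode bits; ownership is left to the mtree specification and chown commands, which already state the intended owners explicitly.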
It seems like the jail uses a default template for permissions (the mtree specification applied by installworld and make distribution), so we need to make sure that this template will not change the previous permissions; add/set this (indentation is the nesting level, .. closes a directory, and file entries need type=file):
Code:
nano /etc/mtree/BSD.root.dist
    usr
        local
            etc
                namedb
                    # directories need the x bit to be entered, so 0700 rather than 04000/0400 for the key directories
                    keys        uname=bind gname=bind mode=0700
                    ..
                    master
                        ddns    uname=bind gname=wheel mode=0770
                        ..
                        private uname=dnsadmin gname=wheel mode=0770
                        ..
                    ..
                    rndc        uname=dnsadmin gname=wheel mode=0770
                        keys    uname=bind gname=bind mode=0700
                        ..
                    ..
                    slave       uname=bind gname=wheel mode=0770
                    ..
                    named.conf  type=file uname=dnsadmin gname=wheel mode=0660
                    rndc.key    type=file uname=bind gname=bind mode=0400
                ..
            ..
        ..
    ..
    var
        log
            named       uname=bind gname=wheel mode=0760
            ..
        ..
        run
            named       uname=bind gname=bind mode=0755
            ..
        ..
    ..
Change the default DNS servers: add this server and comment out the others using #:
Code:
nano /etc/resolv.conf
nameserver 10.1.1.13
You will need to set up the reverse zone and the main zone files inside the jail, in the directory /usr/local/etc/namedb/master/. For the details about how to set up your zone and reverse zone, you will need to search the internet.
The following steps can only be done after setting up the zone files.
Creating your ZSK key files (the standards say to use 2048, but since I'm only hosting my personal website, I have used 4096; the 365d is the expiration date of this key; this is done one time, and you need to change yourdomain.com to your current domain):
Code:
cd /usr/local/etc/namedb/keys/
dnssec-keygen -a rsasha256 -b 4096 -P now -A now -I +365d -D +367d -n zone yourdomain.com
Creating your KSK files (one time; change yourdomain.com to your current domain; this one is for three years):
Code:
dnssec-keygen -a rsasha256 -b 4096 -f ksk -P now -A now -R +730d -D +733d -n zone yourdomain.com
Checking the timing metadata of the key files (one time; change yourdomain.com to your current domain and XXX+XXXXX to the values from the generated file names, without the .key or .private extension):
Code:
dnssec-settime -p all Kyourdomain.com.+XXX+XXXXX   # KSK
dnssec-settime -p all Kyourdomain.com.+XXX+XXXXX   # ZSK
Add the .key files to your zone file (this time be sure to add only the .key files, never the .private ones; an absolute path avoids any doubt about what a relative $INCLUDE path is resolved against):
Code:
nano /usr/local/etc/namedb/master/yourdomain.com.db
$INCLUDE /usr/local/etc/namedb/keys/Kyourdomain.com.+XXX+XXXXX.key ; KSK
$INCLUDE /usr/local/etc/namedb/keys/Kyourdomain.com.+XXX+XXXXX.key ; ZSK
Sign your zone file (the first key parameter is the KSK, the second the ZSK) and update it in named.conf (this generates a signed copy of your zone file, with .signed appended, in the same directory as the zone file). The signatures dnssec-signzone produces are valid for 30 days by default, so the zone has to be re-signed before they expire, and it is worth running named-checkconf and named-checkzone on the result before restarting:
Code:
dnssec-signzone -o yourdomain.com -t -k Kyourdomain.com.+XXX+XXXXX /usr/local/etc/namedb/master/yourdomain.com.db Kyourdomain.com.+XXX+XXXXX
nano ../named.conf
Add the .signed extension to your zone file name (file "/usr/local/etc/namedb/master/yourdomain.com.db.signed";)
service named restart
Copy the contents of your .key file (the KSK) to your registrar and add it in the DNSSEC section (dnssec-signzone also writes a dsset-yourdomain.com. file with the DS records, in case your registrar asks for those instead). Wait a few minutes and now you have DNSSEC on. Move the .private files to a safe place (you need them to make new keys, to revoke, etc.).
Any hints, advice about missing steps, or how to increase the security, or if those steps are wrong are welcome.
Sorry for not providing the reference links; I lost most of them after Firefox ran out of memory and crashed, losing the history.
By the way I grabbed many hints from this book:
http://www.amazon.com/BIND-Experts-Voice-Open-Source/dp/1430230487
Links for tools for checking your setup:
http://www.ipok.com.br/tools.php?tool=nslookup
http://dnscheck.pingdom.com/
http://www.dnsstuff.com/tools#reverseDns
http://mxtoolbox.com/
http://www.nabber.org/projects/dnscheck/
http://dnssec-debugger.verisignlabs.com/
http://dnsviz.net/d/
https://www.ultratools.com/tools