Guide BIND (9/10) Install on FreeBSD 10

wisdown


Hey guys,

Please would it be possible for someone to share a link to a step-by-step tutorial on how to install and set up BIND (9.9) on FreeBSD 10 x64? Looking on Google for it, many links say it is not possible to have BIND inside a jail anymore; is that true? I found a bug too, here: https://opensource.sas.com/its/browse/RPL-3291

So, because of this bug, is it no longer secure to use BIND on FreeBSD?

PS: I was reading the Handbook, but chapter 5 specifically is confusing about pkgng and ports. I did a new install, since the first part of the chapter explains pkgng and, after the software database is made, it can't be redone. Some tutorials I found said to use ports, or I couldn't get the jail working (and ports were in the second part of the Handbook). Using ports, I was compiling with the default options, since I couldn't get a detailed explanation of what the other features do.

Thanks in advance.
 

wblock@


Re: Guide BIND(99) Install on FreeBSD 10

wisdown said:
Hey guys,

Please would it be possible for someone to share a link to a step-by-step tutorial on how to install and set up BIND (9.9) on FreeBSD 10 x64?

Looking on Google for it, many links say it is not possible to have BIND inside a jail anymore; is that true?

No, that's not true. It was not in a jail before unless you set it up that way. It was just in a chroot(8), which can still be set up by the user. But a jail is better.

To install dns/bind99 on FreeBSD 10:

Back up existing /var/named/etc/namedb.

Code:
# cd /usr/ports/dns/bind99
# make install clean


In /etc/rc.conf:
Code:
named_enable="YES"


In /usr/local/etc/namedb, create the same directory structure and files as existed in /var/named/etc/namedb (/etc/namedb, but really there because of the chroot(8)). These files can just be copied or moved.

Start named and check for errors: service named start.
 

wisdown


Re: Guide BIND(99) Install on FreeBSD 10

First of all, thanks for the answer!!!

No, that's not true. It was not in a jail before unless you set it up that way. It was just in a chroot(8), which can still be set up by the user. But a jail is better.

Do I need to set up the jail before BIND, or doesn't this matter?
Reading about jails at https://www.freebsd.org/doc/handbook/jails-build.html, I think I will need to change to this:

Code:
# setenv D /usr/jail/bind
# mkdir -p $D
# cd /usr/src
# make buildworld
# make installworld DESTDIR=$D
# make distribution DESTDIR=$D
# mount -t devfs devfs $D/dev


If I got the jail idea, this is like a virtual machine, right?
So instead of installing BIND on top, the best practice would be to make the jail and then install inside it?

Or do I need to install BIND first, then the jail, then move BIND to the jail directory?

In the second option there are no updates, right?
If a fix or a new version comes out, I will need to install BIND again outside and then replace the files inside the jail?

Or should linking BIND from outside into the jail work? (I'm guessing that if a link - ln - works, it would be a security hole because of the symlink, right?)
 

wblock@


Re: Guide BIND(99) Install on FreeBSD 10

The instructions I posted do not involve a chroot or jail at all. One of the projects I'd like to see or do is an article or Handbook section on setting up a minimal jail for BIND, but it probably won't be soon.

Yes, a jail is like a lightweight VM.
 

wisdown


Re: Guide BIND(99) Install on FreeBSD 10

Got it,

Thanks for the help. I will keep searching here for how to do this setup; if I get it working, I will post here how I did it.
 

freethread


Re: Guide BIND(99) Install on FreeBSD 10

wblock@ said:
To install dns/bind99 on FreeBSD 10:

Back up existing /var/named/etc/namedb.

Code:
# cd /usr/ports/dns/bind99
# make install clean


In /etc/rc.conf:
Code:
named_enable="YES"


In /usr/local/etc/namedb, create the same directory structure and files as existed in /var/named/etc/namedb (/etc/namedb, but really here due to the chroot(8). These files can just be copied or moved.

Start named and check for errors: service named start.

Just to be sure: for a chrooted named, is the only difference the directory, or the rc.conf variables

Code:
named_chrootdir
named_chroot_autoupdate


which should be explicitly defined? In /etc/defaults/rc.conf on FreeBSD 10.0, the named_* variable set no longer exists. I suppose that if I copy all those variables, changing the ones that specify file paths and directories, everything should work as before. Is that right? (I'm talking about a chrooted named, not one in a jail.)
 

wblock@


Re: Guide BIND(99) Install on FreeBSD 10

freethread said:
Just to be sure: for a chrooted named, is the only difference the directory, or the rc.conf variables

Code:
named_chrootdir
named_chroot_autoupdate


which should be explicitly defined? In /etc/defaults/rc.conf on FreeBSD 10.0, the named_* variable set no longer exists. I suppose that if I copy all those variables, changing the ones that specify file paths and directories, everything should work as before. Is that right? (I'm talking about a chrooted named, not one in a jail.)

No, the start script installed by the port does not use chroot(8), so defining the variables won't help. The port itself does different things depending on whether it is installed on FreeBSD 9 or 10.
 

freethread


Re: Guide BIND(99) Install on FreeBSD 10

Ah. I will try it in a VM. Also, things are more complicated when upgrading from 9.2 to 10.0: if I install named from ports on 9.2 and then upgrade to FreeBSD 10.0, I think it's not the same as upgrading the OS and then installing named from ports. Mah, I will try. Thank you @wblock.
 

wisdown


Re: Guide BIND(99) Install on FreeBSD 10

It seems I finally got some time to do this setup. I took one week of my vacation reading tutorials on the net and some books, and after some tests it finally seems to be working. I'm going to post what I did; if someone can point out what is wrong or what is missing, I will be grateful.
I did this for a multihomed server running on VMware ESXi with 3 NICs: LAN (192.168.1.0/24) / DMZ (10.1.1.0/24) / WAN (static IP).

Note: I'm a noob in the FreeBSD world, so probably these steps have a lot of mistakes or can compromise your network; anyway, it seems to be 100% functional...
(Probably I didn't write down all the steps, since I was reading many sites to get this working, so sorry if I forgot anything.)

After a fresh install of FreeBSD 10 (using ZFS), I started updating the stuff:

Code:
portsnap fetch extract


Then:

Code:
freebsd-update fetch install


Since I hate vi(1), the next step for me is to get nano:

Code:
cd /usr/ports/editors/nano
make config-recursive install clean


Setting nano as default editor:

Code:
cd /root/
nano .cshrc

Change: setenv EDITOR ee
To: setenv EDITOR nano

Getting rid of the FreeBSD ZFS warning:

Code:
nano /boot/loader.conf


Add:

Code:
vfs.zfs.prefetch_disable="0"
vm.kmem_size="512M"
vm.kmem_size_max="512M"
vfs.zfs.arc_max="60M"
vfs.zfs.vdev.cache.size="10M"


Disabling X11 stuff:

Code:
nano /etc/make.conf


Add:

Code:
OPTIONS_UNSET=X11


Then reboot:

Code:
reboot


Setting up Subversion to grab the updated FreeBSD source:

Code:
cd /usr/ports/devel/subversion
make config-recursive install clean


Update the source:

Code:
svn checkout http://svn.freebsd.org/base/release/10.0.0/ /usr/src


From now on the system is updated and ready to build the jails. In my scenario I used two jails:

1 - BIND 9.10 as authoritative DNS (I will call it s11)
2 - BIND 9.10 as cache server (I will call it s13)

Building the first jail (s13):

Code:
mkdir -p /usr/jails/s13
cd /usr/src
make buildworld
make installworld DESTDIR=/usr/jails/s13
make distribution DESTDIR=/usr/jails/s13


Enabling ports to install the stuff inside the jail:

Code:
mount -t devfs devfs /usr/jails/s13/dev
# share the host's ports tree with the jail so the port can be built inside it
mkdir -p /usr/jails/s13/usr/ports
mount_nullfs /usr/ports /usr/jails/s13/usr/ports


Making a null kernel (most sites on the web say it increases security):

Code:
cd /usr/jails/s13/dev
ln -sf dev/null kernel


Enabling the jail at startup:

Code:
nano /etc/rc.conf
jail_enable="YES"
jail_conf="/etc/jail.conf"
jail_parallel_start="YES"
jail_list="s11 s13"


Set up the jail config:
(change yourdomain.com to your domain and the network 10.1.1.XX to your current network setup)

Code:
nano /etc/jail.conf

s11 {
	path = /usr/jails/s11;
	mount.devfs;
	host.hostname = s11.yourdomain.com;
	ip4.addr = 10.1.1.11;
	interface = em0;
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
}

s13 {
	path = /usr/jails/s13;
	mount.devfs;
	host.hostname = s13.yourdomain.com;
	ip4.addr = 10.1.1.13;
	interface = em0;
	exec.start = "/bin/sh /etc/rc";
	exec.stop = "/bin/sh /etc/rc.shutdown";
}


Setting the rc.conf for the s13 jail:

Code:
nano /usr/jails/s13/etc/rc.conf
hostname="s13.yourdomain.com"
# The address comes from ip4.addr in jail.conf; a non-VNET jail cannot
# configure interfaces or routes itself, so these two lines are ignored.
ifconfig_em0="inet 10.1.1.13 netmask 255.255.255.0"
defaultrouter="10.1.1.1"
mouse_enabled="YES"
ntpd_enable="YES"
dump_dev="NO"
clear_tmp_enable="YES"
zfs_enable="YES"

kern_securelevel_enable="YES"
kern_securelevel="3"

named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"


Connecting to your jail and setting up BIND:
(These commands need to be executed inside the jail)
Code:
jail -c s13            # create the jail from /etc/jail.conf
jexec s13 /bin/sh      # get a shell inside it
cd /usr/ports/dns/bind910
make config-recursive install clean


For the options, check the ISC site. What I did:

Disabled:

Code:
DOCS


Enabled:

Code:
FILTER_AAAA
FIXED_RRSET
GEOIP
IDN
IPV6
LARGE_FILE
NEWSTATS
RRL
SIGCHASE


Setting up BIND inside the jail to start on reboot:

Code:
nano /etc/rc.conf
named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
nano /etc/resolv.conf
nameserver 10.1.1.13


I'm not going to use rndc(8), but I created a strong key just in case I enable it in the future:

Code:
rndc-confgen -a -b 512


Set up the BIND config files:

Code:
nano /usr/local/etc/namedb/named.conf
options {
	directory	"/usr/local/etc/namedb/working";

	version		"not currently available";

	allow-transfer { none; };	// a cache has no zones to hand out

	dnssec-enable		yes;
	dnssec-validation	yes;

	recursion yes;
	// Only the DMZ and LAN may recurse; everyone else gets REFUSED.
	// allow-query-cache defaults to this same list, so cached data is
	// not exposed to outside hosts either.
	allow-recursion { 10.1.1.0/24; 192.168.1.0/24; };

	listen-on	{ 10.1.1.13; };
};


Enabling logs (in named.conf) for troubleshooting:

Code:
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};


Disable RNDC:

Code:
controls {};


Enable statistics from the server:

Code:
statistics-channels {
	// inside a jail with a single ip4.addr, "*" resolves to that address only
	inet * port 80 allow { 192.168.1.0/24; 10.1.1.0/24; };
};


Make sure the following zones are enabled and allow-update is set to none:

Code:
// required zone for recursive queries
zone "." {
			type	hint;
			file	"/usr/local/etc/namedb/named.root";
		};

zone "localhost" {
			type master;
			file "/usr/local/etc/namedb/master/localhost-forward.db";
			allow-update{none;};
		};

zone "0.0.127.IN-ADDR.ARPA" in{
			type master;
			file "/usr/local/etc/namedb/master/localhost-reverse.db";
			allow-update{none;};
		};


Exit from the jail:

Code:
exit


Check the jail ID:

Code:
jls


Add a new user to jail s13, just in case you wish to use rndc(8) in the future:
(Change ID to the number from the previous command and set the group to bind; accept the defaults for the other prompts)
Code:
jexec ID adduser
Username: dnsadmin
Full name: Administrator RNDC
Uid (Leave empty for default): 88
Login group [dnsadmin]: bind
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/dnsadmin]: /var/named


Set some permissions to harden your BIND:
(Run these inside the jail, with jexec and the ID from the jls command for jail s13)

Code:
# named.conf: owned by dnsadmin, readable by the bind group. named drops
# root before it parses its config, so the bind user must be able to read it.
chown dnsadmin:bind /usr/local/etc/namedb/named.conf
chmod 0640 /usr/local/etc/namedb/named.conf
# DNSSEC keys: only the bind user may enter or read the directory
# (04000 would be setuid on a directory and leave it untraversable).
mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chmod 0700 /usr/local/etc/namedb/keys
# Dynamic-update zones: named must be able to write journals here.
mkdir -p /usr/local/etc/namedb/master/ddns
chown -R bind:wheel /usr/local/etc/namedb/master/ddns
find /usr/local/etc/namedb/master/ddns -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/master/ddns -type f -exec chmod 0660 {} +
# Zone files maintained by dnsadmin; named only needs to read them.
mkdir -p /usr/local/etc/namedb/master/private
chown -R dnsadmin:bind /usr/local/etc/namedb/master/private
find /usr/local/etc/namedb/master/private -type d -exec chmod 0750 {} +
find /usr/local/etc/namedb/master/private -type f -exec chmod 0640 {} +
# rndc configuration: dnsadmin owns it, named may read it; the keys
# subdirectory is for the bind user only.
mkdir -p /usr/local/etc/namedb/rndc/keys
chown -R dnsadmin:bind /usr/local/etc/namedb/rndc
find /usr/local/etc/namedb/rndc -type d -exec chmod 0750 {} +
find /usr/local/etc/namedb/rndc -type f -exec chmod 0640 {} +
chown -R bind:bind /usr/local/etc/namedb/rndc/keys
chmod 0700 /usr/local/etc/namedb/rndc/keys
find /usr/local/etc/namedb/rndc/keys -type f -exec chmod 0400 {} +
chown bind:bind /usr/local/etc/namedb/rndc.key
chmod 0400 /usr/local/etc/namedb/rndc.key
# Secondary zones: named writes the transferred zone files here.
chown -R bind:wheel /usr/local/etc/namedb/slave
find /usr/local/etc/namedb/slave -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/slave -type f -exec chmod 0660 {} +
mkdir -p /usr/local/etc/namedb/views
chown -R dnsadmin:bind /usr/local/etc/namedb/views
find /usr/local/etc/namedb/views -type d -exec chmod 0750 {} +
find /usr/local/etc/namedb/views -type f -exec chmod 0640 {} +
# Logs: written by named, readable by wheel.
mkdir -p /var/log/named
chown -R bind:wheel /var/log/named
find /var/log/named -type d -exec chmod 0750 {} +
find /var/log/named -type f -exec chmod 0640 {} +
# PID file directory (the rc script creates the pid file itself at start).
mkdir -p /var/run/named
chown bind:bind /var/run/named
chmod 0755 /var/run/named


It seems jails use a default template for permissions, so we need to make sure this template will not change the previous permissions; add/set this:

Code:
nano /etc/mtree/BSD.root.dist

# Insert inside the top-level "." entry (before the final ".."). Entries are
# directories by default because of the spec's /set; files need type=file.
    usr
        local
            etc
                namedb
                    keys            uname=bind     gname=bind  mode=0700
                    ..
                    master
                        ddns        uname=bind     gname=wheel mode=0770
                        ..
                        private     uname=dnsadmin gname=bind  mode=0750
                        ..
                    ..
                    rndc            uname=dnsadmin gname=bind  mode=0750
                        keys        uname=bind     gname=bind  mode=0700
                        ..
                    ..
                    slave           uname=bind     gname=wheel mode=0770
                    ..
                    views           uname=dnsadmin gname=bind  mode=0750
                    ..
                    named.conf      type=file uname=dnsadmin gname=bind mode=0640
                    rndc.key        type=file uname=bind     gname=bind mode=0400
                ..
            ..
        ..
    ..
    var
        log
            named               uname=bind gname=wheel mode=0750
            ..
        ..
        run
            named               uname=bind gname=bind  mode=0755
            ..
        ..
    ..


Change the default DNS servers: add this server and comment out the others using #:
Code:
nano /etc/resolv.conf
nameserver 10.1.1.13


Exit from the jail and do the same thing on the host, then reboot to bring all this up:
Code:
exit
nano /etc/resolv.conf
nameserver 10.1.1.13
reboot


From now on, if I remember all the steps correctly, your cache server is ready and working after the reboot, and you will need to set all clients to use your local DNS cache (10.1.1.13 in this example). In the next post I will post the setup for the authoritative server with DNSSEC.
 
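Whether the cache above is an open resolver is decided by a handful of lines in the options block, and BIND fills in the ones you leave out with defaults that are easy to misjudge. The following script is an added example, not code from the original post: it lints a named.conf for the exposure mistakes the post is guarding against (recursion open to the world, cached data queryable by outsiders, open zone transfers, listening on every address, and a statistics channel bound to every address), applying BIND's own defaulting rules for allow-recursion and allow-query-cache. The two sample configurations in it are constructed for the demonstration; CACHE mirrors the cache-server options from the post.

```python
"""Lint a BIND named.conf for the exposure mistakes this thread guards
against: an open recursive resolver, a cache that outsiders can query,
open zone transfers, listening on every address, and a statistics channel
bound to every address.  Added example, not code from the original post;
BAD and CACHE below are constructed samples (CACHE mirrors the post's
cache-server options)."""
import re

LOCAL_DEFAULT = ['localnets', 'localhost']   # BIND's built-in default ACL


def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r'/\*.*?\*/', ' ', text, flags=re.S)
    return re.sub(r'(//|#)[^\n]*', '', text)


def block_body(text, keyword):
    """Body of the first top-level `keyword { ... }` block, or None."""
    m = re.search(r'(?<![\w-])' + re.escape(keyword) + r'\s*\{', text)
    if m is None:
        return None
    depth = 0
    for i in range(m.end() - 1, len(text)):
        if text[i] == '{':
            depth += 1
        elif text[i] == '}':
            depth -= 1
            if depth == 0:
                return text[m.end():i]
    raise ValueError('unbalanced braces after ' + keyword)


def match_list(body, keyword):
    """Elements of `keyword [port N] { a; b; };`, lower-cased, or None if unset."""
    m = re.search(r'(?<![\w-])' + re.escape(keyword)
                  + r'(?:\s+port\s+\d+)?\s*\{([^}]*)\}', body)
    if m is None:
        return None
    return [e.strip().strip('"').lower() for e in m.group(1).split(';') if e.strip()]


def is_open(acl):
    """True when the address match list admits the whole Internet."""
    return any(e in ('any', '0.0.0.0/0', '0/0', '::/0') for e in acl)


def effective_acl(body, chain):
    """First ACL in `chain` that is set; this is how BIND derives the defaults."""
    for keyword in chain:
        acl = match_list(body, keyword)
        if acl is not None:
            return acl
    return LOCAL_DEFAULT


def recursion_enabled(body):
    m = re.search(r'(?<![\w-])recursion\s+(yes|no|true|false)\s*;', body, re.I)
    return True if m is None else m.group(1).lower() in ('yes', 'true')


def audit(conf):
    """Return finding codes for the configuration text, in a fixed order."""
    text = strip_comments(conf)
    opts = block_body(text, 'options') or ''
    findings = []
    if recursion_enabled(opts):
        # allow-recursion defaults to allow-query-cache, then allow-query, then
        # localnets/localhost; allow-query-cache defaults the other way round.
        rec = effective_acl(opts, ('allow-recursion', 'allow-query-cache', 'allow-query'))
        cache = effective_acl(opts, ('allow-query-cache', 'allow-recursion', 'allow-query'))
        if is_open(rec):
            findings.append('open-resolver')
        elif is_open(cache):
            findings.append('cache-snooping')
    xfer = match_list(opts, 'allow-transfer')
    if xfer is None or is_open(xfer):
        findings.append('open-axfr')            # default allow-transfer is any
    if match_list(opts, 'listen-on') is None:
        findings.append('listen-all')           # default is every IPv4 address
    stats = block_body(text, 'statistics-channels')
    if stats is not None and re.search(r'(?<![\w-])inet\s+\*', stats):
        findings.append('stats-all-interfaces')
    return findings


# Constructed: a recursor copied from a tutorial with no restrictions at all.
BAD = """
options {
    directory "/usr/local/etc/namedb/working";
    recursion yes;
    allow-query { any; };
};
statistics-channels { inet * port 80 allow { any; }; };
"""

# Constructed to mirror the cache-server options in the post above.
CACHE = """
options {
    directory   "/usr/local/etc/namedb/working";
    version     "not currently available";
    allow-transfer { none; };
    dnssec-validation yes;
    recursion yes;
    allow-recursion { 10.1.1.0/24; 192.168.1.0/24; }; // LAN and DMZ only
    listen-on { 10.1.1.13; };
};
statistics-channels {
    inet * port 80 allow { 192.168.1.0/24; 10.1.1.0/24; };
};
"""

if __name__ == '__main__':
    for label, conf in (('BAD', BAD), ('CACHE', CACHE)):
        print(label, audit(conf) or 'clean')
```

Run against a real file with `audit(open('/usr/local/etc/namedb/named.conf').read())`. The checker is deliberately literal about ACL contents; an `allow-recursion` list built from named ACL definitions or negated entries needs the real parser (named-checkconf -p) to be resolved, so treat a clean result as a first pass, not a proof.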

kpa


Re: Guide BIND(99) Install on FreeBSD 10

wisdown said:
Making a Null Kernell (mostly sites on web say it increase the security)

Code:
cd /usr/jails/s13/dev
ln -sf dev/null kernel

This won't do anything to increase security. First of all there is no /dev/kernel in FreeBSD, if there ever was it's long gone now. Second issue is that the /dev contents are controlled by devfs(5), if you want to hide/unhide devices from the jails use devfs.rules(5). If you need to create links on the /dev filesystem or change permissions the correct configuration file for that is devfs.conf(5).


I didn't have time and the energy to scan the rest of your HOWTO thoroughly but it looked to me that you're doing quite a bit of manual work to change permissions etc., are all those steps really necessary?
 

wisdown


Re: Guide BIND(910) Install on FreeBSD 10

Now we're going to set up the authoritative DNS (for domain owners) with DNSSEC. The steps about X11, buildworld, ZFS, etc. will be skipped, since I'm assuming you already did them for the cache server (previous post).

Building the second jail (s11):

Code:
mkdir -p /usr/jails/s11
cd /usr/src
make installworld DESTDIR=/usr/jails/s11
make distribution DESTDIR=/usr/jails/s11


Enabling ports to install the stuff inside the jail:

Code:
mount -t devfs devfs /usr/jails/s11/dev
mkdir -p /usr/jails/s11/usr/ports
mount_nullfs /usr/ports /usr/jails/s11/usr/ports


Making a null kernel (most sites on the web say it increases the security):

Code:
cd /usr/jails/s11/dev
ln -sf dev/null kernel


Connecting to your jail and setting up BIND (you need to execute these commands inside the jail):

Code:
jail -c s11            # create the jail from /etc/jail.conf
jexec s11 /bin/sh      # get a shell inside it
cd /usr/ports/dns/bind910
make config-recursive install clean

For the options, check the ISC site about them; what I have done:

Disabled:

Code:
DOCS


Enabled:

Code:
FILTER_AAAA
FIXED_RRSET
GEOIP
IDN
IPV6
LARGE_FILE
NEWSTATS
RRL
SIGCHASE
NATIVE_PKCS11


Install Nano:

Code:
cd /usr/ports/editors/nano
make config-recursive install clean


Setting Nano as the default editor:

Code:
cd /root/
nano .cshrc

Change: setenv EDITOR ee
To: setenv EDITOR nano

Setting the rc.conf for the s11 jail:

Code:
nano /usr/jails/s11/etc/rc.conf
hostname="s11.yourdomain.com"
# The address comes from ip4.addr in jail.conf; a non-VNET jail cannot
# configure interfaces or routes itself, so these two lines are ignored.
ifconfig_em0="inet 10.1.1.11 netmask 255.255.255.0"
defaultrouter="10.1.1.1"
mouse_enabled="YES"
ntpd_enable="YES"
dump_dev="NO"
clear_tmp_enable="YES"
zfs_enable="YES"

kern_securelevel_enable="YES"
kern_securelevel="3"

named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"


Setting up BIND inside the jail to start on reboot:

Code:
nano /etc/rc.conf
named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
nano /etc/resolv.conf
nameserver 10.1.1.13


I'm not going to use rndc, but I generated a strong key just in case it is enabled in the future:

Code:
rndc-confgen -a -b 512

Set up the BIND configuration files:

Code:
nano /usr/local/etc/namedb/named.conf
options {
	directory	"/usr/local/etc/namedb/working";

	version		"not currently available";

	recursion no;		// authoritative only: never recurse for anyone

	allow-transfer { none; };	// opened per zone for the secondary below

	dnssec-enable		yes;
	dnssec-validation	yes;

	minimal-responses	yes;
	additional-from-auth	no;
	additional-from-cache	no;

	listen-on	{ 10.1.1.11; };
};


Enabling logs (named.conf) for troubleshooting diagnostics:

Code:
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};


Disable rndc:

Code:
controls {};


Enable statistics from the server:

Code:
statistics-channels {
	// inside a jail with a single ip4.addr, "*" resolves to that address only
	inet * port 80 allow { 192.168.1.0/24; 10.1.1.0/24; };
};


Make sure the following zones are enabled and allow-update is set to none; change yourdomain.com to your valid domain and set XXX.XXX.XXX.XXX to your secondary name server (you need to set up a reverse zone, so change XXX.XXX.XXX to your network in the last record for the reverse zone, for example XXX.XXX.XXX.IN-ADDR.ARPA):

Code:
// required zone for recursive queries
zone "." {
	type	hint;
	file	"/usr/local/etc/namedb/named.root";
};

zone "localhost" {
	type master;
	file "/usr/local/etc/namedb/master/localhost-forward.db";
	allow-update { none; };
};

zone "0.0.127.IN-ADDR.ARPA" in {
	type master;
	file "/usr/local/etc/namedb/master/localhost-reverse.db";
	allow-update { none; };
};

zone "yourdomain.com" in {
	type master;
	file "/usr/local/etc/namedb/master/yourdomain.com.db";
	allow-transfer { XXX.XXX.XXX.XXX; };	// the secondary name server only
	allow-update { none; };
};

zone "XXX.XXX.XXX.IN-ADDR.ARPA" in {
	type master;
	file "/usr/local/etc/namedb/master/XXX.XXX.XXX.IN-ADDR.ARPA";
	allow-transfer { XXX.XXX.XXX.XXX; };
	allow-update { none; };
};


Exit from the jail:

Code:
exit


Check the jail ID:

Code:
jls


Add a new user to jail s13, just in case you wish to use rndc in the future (change the ID to the number from the previous command and set the group to bind; accept the defaults for the other prompts):

Code:
jexec ID adduser
Username: dnsadmin
Full name: Administrator RNDC
Uid (Leave empty for default): 88
Login group [dnsadmin]: bind
Shell (sh csh tcsh nologin) [sh]: nologin
Home directory [/home/dnsadmin]: /var/named


Set some permissions to harden your BIND (run these inside the jail, with jexec and the ID from the jls command for jail s11):

Code:
# named.conf: owned by dnsadmin, readable by the bind group. named drops
# root before it parses its config, so the bind user must be able to read it.
chown dnsadmin:bind /usr/local/etc/namedb/named.conf
chmod 0640 /usr/local/etc/namedb/named.conf
# DNSSEC keys: only the bind user may enter or read the directory
# (04000 would be setuid on a directory and leave it untraversable).
mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chmod 0700 /usr/local/etc/namedb/keys
# Dynamic-update zones: named must be able to write journals here.
mkdir -p /usr/local/etc/namedb/master/ddns
chown -R bind:wheel /usr/local/etc/namedb/master/ddns
find /usr/local/etc/namedb/master/ddns -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/master/ddns -type f -exec chmod 0660 {} +
# Zone files maintained by dnsadmin; named only needs to read them.
mkdir -p /usr/local/etc/namedb/master/private
chown -R dnsadmin:bind /usr/local/etc/namedb/master/private
find /usr/local/etc/namedb/master/private -type d -exec chmod 0750 {} +
find /usr/local/etc/namedb/master/private -type f -exec chmod 0640 {} +
# rndc configuration: dnsadmin owns it, named may read it; the keys
# subdirectory is for the bind user only.
mkdir -p /usr/local/etc/namedb/rndc/keys
chown -R dnsadmin:bind /usr/local/etc/namedb/rndc
find /usr/local/etc/namedb/rndc -type d -exec chmod 0750 {} +
find /usr/local/etc/namedb/rndc -type f -exec chmod 0640 {} +
chown -R bind:bind /usr/local/etc/namedb/rndc/keys
chmod 0700 /usr/local/etc/namedb/rndc/keys
find /usr/local/etc/namedb/rndc/keys -type f -exec chmod 0400 {} +
chown bind:bind /usr/local/etc/namedb/rndc.key
chmod 0400 /usr/local/etc/namedb/rndc.key
# Secondary zones: named writes the transferred zone files here.
chown -R bind:wheel /usr/local/etc/namedb/slave
find /usr/local/etc/namedb/slave -type d -exec chmod 0770 {} +
find /usr/local/etc/namedb/slave -type f -exec chmod 0660 {} +
mkdir -p /usr/local/etc/namedb/views
chown -R dnsadmin:bind /usr/local/etc/namedb/views
find /usr/local/etc/namedb/views -type d -exec chmod 0750 {} +
find /usr/local/etc/namedb/views -type f -exec chmod 0640 {} +
# Logs: written by named, readable by wheel.
mkdir -p /var/log/named
chown -R bind:wheel /var/log/named
find /var/log/named -type d -exec chmod 0750 {} +
find /var/log/named -type f -exec chmod 0640 {} +
# PID file directory (the rc script creates the pid file itself at start).
mkdir -p /var/run/named
chown bind:bind /var/run/named
chmod 0755 /var/run/named


It seems like the jail uses a default template for permissions, so we need to make sure that this template will not change the previous permissions; add/set this:

Code:
nano /etc/mtree/BSD.root.dist

# Insert inside the top-level "." entry (before the final ".."). Entries are
# directories by default because of the spec's /set; files need type=file.
    usr
        local
            etc
                namedb
                    keys            uname=bind     gname=bind  mode=0700
                    ..
                    master
                        ddns        uname=bind     gname=wheel mode=0770
                        ..
                        private     uname=dnsadmin gname=bind  mode=0750
                        ..
                    ..
                    rndc            uname=dnsadmin gname=bind  mode=0750
                        keys        uname=bind     gname=bind  mode=0700
                        ..
                    ..
                    slave           uname=bind     gname=wheel mode=0770
                    ..
                    views           uname=dnsadmin gname=bind  mode=0750
                    ..
                    named.conf      type=file uname=dnsadmin gname=bind mode=0640
                    rndc.key        type=file uname=bind     gname=bind mode=0400
                ..
            ..
        ..
    ..
    var
        log
            named               uname=bind gname=wheel mode=0750
            ..
        ..
        run
            named               uname=bind gname=bind  mode=0755
            ..
        ..
    ..


Change the default DNS servers: add this server and comment out the others using #:
Code:
nano /etc/resolv.conf
nameserver 10.1.1.13


You will need to set up the reverse zone and the main zone files inside the jail in the directory /usr/local/etc/namedb/master/.

For the details about how to set up your zone and reverse zone, you will need to search on the internet.

The following steps can only be done after setting up the zone files:

Creating your ZSK key files (the standards say to use 2048, but since I'm only hosting my personal website I have used 4096; the 365d is the expiration date of this key; this is done one time only, and you need to change yourdomain.com to your current domain):

Code:
cd /usr/local/etc/namedb/keys/
dnssec-keygen -a RSASHA256 -b 4096 -P now -A now -I +365d -D +367d -n ZONE yourdomain.com


Creating your KSK files (one time only; change yourdomain.com to your current domain; this one is for three years):

Code:
dnssec-keygen -a RSASHA256 -b 4096 -f KSK -P now -A now -R +730d -D +733d -n ZONE yourdomain.com


Checking the certificates (one time only; change yourdomain.com to your current domain and XXX+XXXXX to the values in the generated file names, without the .key and .private suffixes):
Code:
dnssec-settime -p all Kyourdomain.com.+XXX+XXXXX   # KSK
dnssec-settime -p all Kyourdomain.com.+XXX+XXXXX   # ZSK


Add the .key files to your zone file (this time, be sure to add only the .key files):
Code:
nano /usr/local/etc/namedb/master/yourdomain.com.db
$INCLUDE ../keys/Kyourdomain.com.+XXX+XXXXX.key ; KSK
$INCLUDE ../keys/Kyourdomain.com.+XXX+XXXXX.key ; ZSK


Sign your zone files (the -k argument is the KSK, the trailing argument the ZSK) and update named.conf (this will generate an encrypted copy of your zone file with .signed appended, in the same directory as the zone file):
Code:
cd /usr/local/etc/namedb/keys/   # the $INCLUDE paths above are relative to this directory
dnssec-signzone -o yourdomain.com -t -k Kyourdomain.com.+XXX+XXXXX /usr/local/etc/namedb/master/yourdomain.com.db Kyourdomain.com.+XXX+XXXXX
nano ../named.conf
# change the zone's file to "/usr/local/etc/namedb/master/yourdomain.com.db.signed"
service named restart


Copy the contents of your .key file to your registrar and add it in the DNSSEC section. Wait a few minutes and now you have DNSSEC on. Move the .private files to a safe place (you need them to make new certificates, to revoke, etc.).

Any hints, advice about missing steps, or how to increase the security, or if those steps are wrong are welcome.

Sorry for not providing the reference links; I lost most of them after Firefox ran out of memory and crashed, losing the history.

By the way I grabbed many hints from this book:

http://www.amazon.com/BIND-Experts-Voice-Open-Source/dp/1430230487

Links for tools for checking your setup:

http://www.ipok.com.br/tools.php?tool=nslookup
http://dnscheck.pingdom.com/
http://www.dnsstuff.com/tools#reverseDns

http://mxtoolbox.com/
http://www.nabber.org/projects/dnscheck/
http://dnssec-debugger.verisignlabs.com/
http://dnsviz.net/d/
https://www.ultratools.com/tools
 
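The registrar step above hands over data derived from the KSK. Registrars commonly ask for a DS record rather than the DNSKEY line itself, and the key tag in that record must be the same number that appears in the K...+008+NNNNN file name; checking the two against each other is the cheapest way to be sure the right key was published. The following script is an added example, not code from the original post: it parses a DNSKEY line as found in a .key file, computes the key tag per RFC 4034 Appendix B, builds the SHA-256 DS record per RFC 4509, and reconstructs the dnssec-keygen base name. The DNSKEY it uses is a constructed two-byte placeholder, not a real key; point it at the real .key file to get the real DS.

```python
"""Derive what the registrar needs from a DNSSEC .key file: the key tag
(RFC 4034 Appendix B), a DS record with a SHA-256 digest (RFC 4509), and
the K<name>.+<alg>+<tag> base name dnssec-keygen used for the file.  Added
example, not code from the original post; the DNSKEY below is a
constructed two-byte placeholder, not a real key."""
import base64
import hashlib


def dnskey_lines(key_file_text):
    """RR lines of a .key file, skipping the ';' comment lines it starts with."""
    return [l for l in key_file_text.splitlines()
            if l.strip() and not l.lstrip().startswith(';')]


def parse_dnskey(line):
    """Parse one DNSKEY RR in presentation format (TTL and class optional)."""
    line = line.split(';', 1)[0]                    # drop a trailing comment
    tokens = line.split()
    idx = tokens.index('DNSKEY')
    flags, protocol, algorithm = (int(t) for t in tokens[idx + 1:idx + 4])
    pubkey = base64.b64decode(''.join(tokens[idx + 4:]))
    return {'owner': tokens[0], 'flags': flags, 'protocol': protocol,
            'algorithm': algorithm, 'pubkey': pubkey}


def is_ksk(rec):
    """The SEP bit (flags 257 rather than 256) marks the key-signing key."""
    return bool(rec['flags'] & 0x0001)


def dnskey_rdata(rec):
    """Wire-format RDATA: flags(2) protocol(1) algorithm(1) public key."""
    return (rec['flags'].to_bytes(2, 'big')
            + bytes([rec['protocol'], rec['algorithm']]) + rec['pubkey'])


def key_tag(rdata):
    """RFC 4034 Appendix B key tag: 16-bit ones-complement-style sum."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def owner_wire(name):
    """Canonical (lower-case, length-prefixed labels) wire form of a name."""
    labels = [l for l in name.lower().rstrip('.').split('.') if l]
    return b''.join(bytes([len(l)]) + l.encode('ascii') for l in labels) + b'\x00'


def fqdn(name):
    return name if name.endswith('.') else name + '.'


def ds_record(line):
    """DS RR with digest type 2 (SHA-256) for the DNSKEY line."""
    rec = parse_dnskey(line)
    rdata = dnskey_rdata(rec)
    digest = hashlib.sha256(owner_wire(rec['owner']) + rdata).hexdigest().upper()
    return '%s IN DS %d %d 2 %s' % (fqdn(rec['owner']), key_tag(rdata),
                                    rec['algorithm'], digest)


def key_file_basename(line):
    """The K<name>.+<alg>+<tag> base name dnssec-keygen gives this key."""
    rec = parse_dnskey(line)
    return 'K%s+%03d+%05d' % (fqdn(rec['owner']).lower(), rec['algorithm'],
                              key_tag(dnskey_rdata(rec)))


if __name__ == '__main__':
    # Constructed placeholder .key file contents, not a real key.
    SAMPLE_KEY_FILE = ('; This is a key-signing key, keyid 1291, for example.com.\n'
                       'example.com. IN DNSKEY 257 3 8 AQI=\n')
    for line in dnskey_lines(SAMPLE_KEY_FILE):
        rec = parse_dnskey(line)
        print(key_file_basename(line), 'KSK' if is_ksk(rec) else 'ZSK')
        print(ds_record(line))
```

Feed `ds_record` the DNSKEY line from the KSK's .key file (the one whose flags field is 257); the number after the second `+` in the base name it prints must match the file you took the line from, and the DS line is what goes into the registrar's DNSSEC form. Compare the result with `dnssec-dsfromkey -2` on the same file if you want a second opinion from BIND's own tooling.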

wisdown


Re: Guide BIND(99) Install on FreeBSD 10

kpa said:
wisdown said:
I didn't have time and the energy to scan the rest of your HOWTO thoroughly but it looked to me that you're doing quite a bit of manual work to change permissions etc., are all those steps really necessary?

I was following the book Pro DNS and BIND 10 about how to increase the security. There is a special chapter about how to set permissions. What I have done is follow all of the author's tips, whether really necessary or not, I'm not sure. But this is working, so in my opinion, decreasing the privileges without breaking things sounds like a security good practice.
 