Master & Slave with chrooted Bind9

The instructions in the first two sections are the same for the master and the slave server.

The differences are described in the later sections.

1.Bind installation

Run this command to install bind on your server:

apt-get install bind9

It will probably start right after the installation, so we have to stop it with:

/etc/init.d/bind9 stop

2.Create chroot environment for bind

Bind needs the following directory tree:

mkdir -p /var/chroot/bind/{etc,dev,var/cache/bind,var/run/bind/run}

Bind should own the directories it writes to, so change their ownership:

chown -R bind:bind /var/chroot/bind/var/*

Now we have to create some devices used by bind:

mknod /var/chroot/bind/dev/null c 1 3
mknod /var/chroot/bind/dev/random c 1 8
chmod 666 /var/chroot/bind/dev/{null,random}

Move your bind configuration files into the chrooted environment and create a symbolic link pointing to their new location:

mv /etc/bind /var/chroot/bind/etc
ln -s /var/chroot/bind/etc/bind /etc/bind

The next step is to create a new file in the /etc/rsyslog.d directory:

nano /etc/rsyslog.d/chroot-bind.conf

and add the following line so rsyslog receives the log events from the chrooted bind:

$AddUnixListenSocket /var/chroot/bind/dev/log

Restart rsyslog so that the change takes effect:

/etc/init.d/rsyslog restart

One last thing and we can run bind. Edit /etc/default/bind9 and change the OPTIONS line so it points at the directory where the chrooted bind is configured:

OPTIONS="-u bind -t /var/chroot/bind"

Run bind with command:

/etc/init.d/bind9 start
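
The chroot preparation above, collected into a script that can be rehearsed against a scratch directory before it is run against /var/chroot/bind. This is an added example, not code from the original post: the script, its function names and the CHROOT variable are assumptions of the example, while the directory layout, device numbers and bind:bind ownership are the ones given above. It also guards the mv/ln step so a second run does not nest /etc/bind inside the chroot, and ends with a check that the tree and the device nodes exist.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify the chroot tree
# from section 2 under a configurable root, so the steps can be rehearsed in
# a scratch directory before they are run against /var/chroot/bind.
# Assumed: CHROOT (defaults to the post's path) and the function names below.
set -eu

CHROOT="${CHROOT:-/var/chroot/bind}"

# Directories bind needs inside the chroot (same tree as the post's mkdir -p).
make_chroot_dirs() {
    root="$1"
    for d in etc dev var/cache/bind var/run/bind/run; do
        mkdir -p "$root/$d"
    done
    # Ownership only matters (and only works) as root on a host with a bind user.
    if [ "$(id -u)" -eq 0 ] && id bind >/dev/null 2>&1; then
        chown -R bind:bind "$root/var"
    fi
}

# Character devices named needs: /dev/null (major 1, minor 3) and
# /dev/random (major 1, minor 8). mknod needs root, hence a separate step.
make_chroot_devices() {
    root="$1"
    [ -c "$root/dev/null" ]   || mknod "$root/dev/null" c 1 3
    [ -c "$root/dev/random" ] || mknod "$root/dev/random" c 1 8
    chmod 666 "$root/dev/null" "$root/dev/random"
}

# Move the real config into the chroot and leave a symlink behind, but only
# once: re-running the post's plain mv would nest /etc/bind inside itself.
move_config_into_chroot() {
    root="$1"
    if [ -L /etc/bind ]; then
        echo "/etc/bind is already a symlink, nothing to move" >&2
        return 0
    fi
    mv /etc/bind "$root/etc/"
    ln -s "$root/etc/bind" /etc/bind
}

# Return 0 only if every directory exists and both devices are character
# devices; report what is missing otherwise.
verify_chroot() {
    root="$1"
    status=0
    for d in etc dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d" >&2; status=1; }
    done
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || { echo "missing char device: $root/dev/$dev" >&2; status=1; }
    done
    return "$status"
}

# Usage (as root):  CHROOT=/var/chroot/bind sh chroot-bind.sh setup
#                   sh chroot-bind.sh verify
case "${1:-}" in
    setup)
        make_chroot_dirs "$CHROOT"
        make_chroot_devices "$CHROOT"
        move_config_into_chroot "$CHROOT"
        verify_chroot "$CHROOT"
        ;;
    verify)
        verify_chroot "$CHROOT"
        ;;
esac
```

Run `verify` after every change to the chroot: named started with `-t` only sees what is inside that tree, so a missing /dev/random or a directory bind cannot write to shows up as a start failure with little explanation in syslog.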

3.Master bind server configuration

Edit the /etc/bind/named.conf.options file so that it looks similar to the entries below:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; ns1.example.com_ip_address_here; };
        allow-query { 0.0.0.0/0; };
        notify yes;
        allow-transfer { ns2.example.com_ip_address_here; };

};

where:

  • ns1.example.com_ip_address_here - is the master bind IP address
  • ns2.example.com_ip_address_here - is the slave bind IP address

To add a new domain, edit the /etc/bind/named.conf.local file and add a new zone:

zone "example.com" {
     type master;
     file "/var/cache/bind/example.com.hosts";
};

As defined above, we have to create the /var/chroot/bind/var/cache/bind/example.com.hosts file and put the example domain configuration in it:

$TTL    3600
$ORIGIN com.
example.com.       IN      SOA     ns1.example.com. root.example.com. (
                        2009070101 ; Serial
                        604800     ; Refresh
                        86400      ; Retry
                        604800     ; Expire
                        86400 )    ; Negative Cache TTL
;
example.com.       IN      NS      ns1.example.com.
example.com.       IN      NS      ns2.example.com.
example.com.       IN      MX      10 mail.example.com.
;
$ORIGIN example.com.
;
ns1               IN    A    ip_address_here
ns2               IN    A    ip_address_here
www               IN    A    ip_address_here
example.com.      IN    A    ip_address_here

Every change to the above file must be accompanied by a change of the Serial number. If you don't change the Serial number, the changes won't work (the slave will not notice them), even if bind is restarted.
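
Since a forgotten serial bump is the usual reason a slave keeps serving stale data, here is an added example (not code from the original post) that increments the serial in the YYYYMMDDNN style used above and reads it back from the file. The function names, the optional TODAY argument and the named-checkzone call are assumptions of the example; the "; Serial" line layout is that of example.com.hosts above.

```shell
#!/bin/sh
# Added example, not from the original post: bump the SOA serial of a zone
# file in the YYYYMMDDNN style the post uses (2009070101) and read it back,
# so the slave sees a strictly larger serial. Assumed: the function names,
# the optional TODAY argument (for repeatable tests) and the named-checkzone
# call; the "; Serial" line layout is that of example.com.hosts above.
set -eu

# next_serial CURRENT [TODAY]: print a serial strictly greater than CURRENT.
# If CURRENT is older than today's date, restart at today's date with NN=01;
# otherwise (several edits in one day, or a serial already ahead of the clock)
# add one. The serial is a 32-bit unsigned counter, so refuse to overflow it.
next_serial() {
    cur="$1"
    today="${2:-$(date +%Y%m%d)}"
    if [ "$cur" -lt "${today}01" ]; then
        new="${today}01"
    else
        new=$((cur + 1))
    fi
    if [ "$new" -gt 4294967295 ]; then
        echo "serial $new does not fit in 32 bits" >&2
        return 1
    fi
    echo "$new"
}

# zone_serial FILE: print the number on the line marked "; Serial".
zone_serial() {
    awk '/; *Serial/ { print $1; exit }' "$1"
}

# bump_zone_serial FILE [TODAY]: replace the serial line in place and print the
# new serial. awk writes to a temp file first, so an awk failure leaves the
# zone untouched; the temp file is then copied over the original to keep the
# file's owner and mode (it lives in the chroot and is owned by bind).
bump_zone_serial() {
    file="$1"
    today="${2:-$(date +%Y%m%d)}"
    old=$(zone_serial "$file")
    [ -n "$old" ] || { echo "no '; Serial' line in $file" >&2; return 1; }
    new=$(next_serial "$old" "$today") || return 1
    tmp="$file.tmp.$$"
    awk -v old="$old" -v new="$new" \
        '/; *Serial/ && $1 == old { sub(old, new) } { print }' "$file" > "$tmp"
    cat "$tmp" > "$file"
    rm -f "$tmp"
    echo "$new"
}

# Syntax-check the edited zone when named-checkzone (from the bind9 package)
# is available.
check_zone() {
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$1" "$2"
    else
        echo "named-checkzone not installed, skipping syntax check" >&2
    fi
}

# Usage: sh bump-serial.sh /var/chroot/bind/var/cache/bind/example.com.hosts example.com
# then reload the master so it sends NOTIFY to the slave.
if [ $# -ge 1 ]; then
    new=$(bump_zone_serial "$1")
    echo "serial is now $new"
    if [ $# -ge 2 ]; then
        check_zone "$2" "$1"
    fi
fi
```

The date-based scheme is only a convention; what bind actually requires is that the new serial compares greater than the old one, which is why the script falls back to plain increment when the stored serial is already at or past today's date instead of going backwards.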

4.Slave bind server configuration

Check the /etc/bind/named.conf.options file and change it to be similar to the entries below:

options {
        directory "/var/cache/bind";
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { none; };
        listen-on { 127.0.0.1; ns2.example.com_ip_address_here; };
        allow-query { 0.0.0.0/0; };
};

To add a new domain, edit the /etc/bind/named.conf.local file and add a new zone:

zone "example.com" {
     type slave;
     file "/var/cache/bind/example.com.hosts";
     masters { ns1.example.com_ip_address_here; };
};

5.Restarting bind

After configuring the master and the slave, it's time to restart bind on both servers with:

/etc/init.d/bind9 restart

As you can see in the /var/log/syslog file on each server:

#master
Jul 1 17:34:45 ns1.example.com named[10821]: client ns2_IP_here#40275: transfer of 'example.com/IN': AXFR started
Jul 1 17:34:45 ns1.example.com named[10821]: client ns2_IP_here#40275: transfer of 'example.com/IN': AXFR ended

#slave
Jul 1 17:34:45 ns2.example.com named[4657]: zone example.com/IN: Transfer started.
Jul 1 17:34:45 ns2.example.com named[4657]: transfer of 'example.com/IN' from ns1_IP_here#53: connected using ns2_IP_here#51526
Jul 1 17:34:45 ns2.example.com named[4657]: zone example.com/IN: transferred serial 2009070101
Jul 1 17:34:45 ns2.example.com named[4657]: transfer of 'example.com/IN' from ns1_IP_here#53: Transfer completed: 1 messages, 10 records, 269 bytes, 0.068 secs (3955 bytes/sec)
Jul 1 17:34:45 ns2.example.com named[4657]: zone example.com/IN: sending notifies (serial 2009070101)

The master bind notifies the slave about changes to the zone and sends it the whole zone. On the slave server the file /var/chroot/bind/var/cache/bind/example.com.hosts is created automatically.
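
An added example (not part of the original post) that checks the syslog output shown above: check_transfer confirms the slave reported the serial you expect, and axfr_clients/unexpected_axfr list which clients pulled the zone from the master, which is how you verify that the allow-transfer setting from section 3 is as tight as intended. The log formats are the ones shown above; the function names and the sample logs are constructed for the example, with 198.51.100.1 standing in for ns1, 198.51.100.2 for ns2 and 203.0.113.7 for a client that should not be able to get the zone.

```shell
#!/bin/sh
# Added example, not from the original post: check the syslog lines from
# section 5. check_transfer confirms the slave reported the serial we expect,
# and axfr_clients/unexpected_axfr list who pulled the zone from the master,
# which is how you see whether allow-transfer from section 3 is as tight as
# intended. Message formats are the ones shown above. The sample logs written
# by write_sample_logs are constructed: 198.51.100.1 is ns1, 198.51.100.2 is
# ns2, and 203.0.113.7 stands in for a client that should not get the zone.
set -eu

# transferred_serial LOG ZONE: serial from the slave's last
# "zone ZONE/IN: transferred serial N" line; empty when no transfer is logged.
transferred_serial() {
    grep -F "zone $2/IN: transferred serial" "$1" \
        | sed 's/.*transferred serial //' | tail -n 1
}

# check_transfer LOG ZONE EXPECTED: 0 if the slave now holds EXPECTED.
check_transfer() {
    got=$(transferred_serial "$1" "$2")
    if [ "$got" = "$3" ]; then
        echo "zone $2: slave transferred serial $got"
    else
        echo "zone $2: expected serial $3, slave log shows '${got:-none}'" >&2
        return 1
    fi
}

# axfr_clients LOG ZONE: unique client addresses that started an AXFR of ZONE
# on the master ("client IP#port: transfer of 'ZONE/IN': AXFR started").
axfr_clients() {
    grep -F "transfer of '$2/IN': AXFR started" "$1" \
        | sed 's/.*client \([^#]*\)#.*/\1/' | sort -u
}

# unexpected_axfr LOG ZONE ALLOWED: AXFR clients other than ALLOWED. With
# allow-transfer limited to the slave this prints nothing; anything listed
# means the transfer ACL is wider than intended.
unexpected_axfr() {
    axfr_clients "$1" "$2" | grep -v -x -F "$3" || true
}

# write_sample_logs DIR: constructed master.log and slave.log in the format
# of the syslog excerpts above.
write_sample_logs() {
    cat > "$1/master.log" <<'EOF'
Jul 1 17:34:45 ns1.example.com named[10821]: client 198.51.100.2#40275: transfer of 'example.com/IN': AXFR started
Jul 1 17:34:45 ns1.example.com named[10821]: client 198.51.100.2#40275: transfer of 'example.com/IN': AXFR ended
Jul 1 18:02:10 ns1.example.com named[10821]: client 203.0.113.7#51000: transfer of 'example.com/IN': AXFR started
Jul 1 18:02:10 ns1.example.com named[10821]: client 203.0.113.7#51000: transfer of 'example.com/IN': AXFR ended
EOF
    cat > "$1/slave.log" <<'EOF'
Jul 1 17:34:45 ns2.example.com named[4657]: zone example.com/IN: Transfer started.
Jul 1 17:34:45 ns2.example.com named[4657]: transfer of 'example.com/IN' from 198.51.100.1#53: connected using 198.51.100.2#51526
Jul 1 17:34:45 ns2.example.com named[4657]: zone example.com/IN: transferred serial 2009070101
Jul 1 17:34:45 ns2.example.com named[4657]: transfer of 'example.com/IN' from 198.51.100.1#53: Transfer completed: 1 messages, 10 records, 269 bytes, 0.068 secs (3955 bytes/sec)
Jul 1 17:34:45 ns2.example.com named[4657]: zone example.com/IN: sending notifies (serial 2009070101)
EOF
}

# On the real hosts:
#   check_transfer /var/log/syslog example.com 2009070101      # on ns2
#   unexpected_axfr /var/log/syslog example.com 198.51.100.2   # on ns1, slave IP
# Run "sh check-transfer.sh demo" to exercise the functions on the sample logs.
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_sample_logs "$d"
    check_transfer "$d/slave.log" example.com 2009070101
    echo "unexpected AXFR clients: $(unexpected_axfr "$d/master.log" example.com 198.51.100.2)"
    rm -rf "$d"
fi
```

Note that the slave configuration in section 4 sets no allow-transfer of its own, so it is worth running the same client check against the slave's log as well; a zone that is only meant to be served, not handed out, should show no AXFR clients at all there.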
That's all. If you have any suggestions, post comments below ;-)