24. DNS: Acquiring and configuring CHROOTed and SPLIT master/slave DNS servers

The daemon called "named" is the DNS or "Domain Name Server" service that converts Internet hostnames like "www.yahoo.com" to IP addresses like 204.71.177.71 (one of Yahoo's MANY TCP/IP addresses). Though there are other DNS server alternatives to ISC's BIND, it is the most common and best maintained version available. As you might have already figured out, this is a CRITICAL service for the Internet.

TrinityOS documents how to setup multiple Internet domains for full TCP/IP address subnets using both Bind9 and Bind8. It also also covers advanced redundancy and security topics such as remote secondary (backup) DNS servers and both "CHROOTed Jails" and "Split Zone" files. For the time being, TrinityOS does NOT currently cover Dynamic DNS or DNSSEC. These topics will be covered in future revisions.

What are some of these advanced topics?

• The CHROOTed feature means that the named daemon which runs usually as the "root" user will run in its own isolated area. This behavior is very similar to the access that an anonymous FTP user gets when they log into a server and can only see a subset of the remote file system. The main reason to implement this feature is that if some new named security exploit comes out and a hostile user (cracker) finds your machine, they will be extreamly limited to what they -can- and -can not- do. This is a GOOD thing in the name of security. CHROOTing daemons like named isn't perfect but it does help.

• The "Split Zone" feature means that there will be (2) named processes running on your machine. One daemon will run and answer DNS queries for the external interface while the other daemon will answer on the internal interface for the private network. This setup helps protect your internal network IP addresses and names from being exposed to people out on the Internet. The more information you can hide from hostile users on the Internet, the harder it will be for them to break into your systems.

To setup your own domain, the first thing you need to do is get a domain from one of the Domain Registars listed at http://www.internic.net. There are lots of them out there and price and the quality of their services varies wildly. So far, I've had great luck with http://www.directnic.net since they offer the ability via an SSL encrypted WWW page vs. old-school mechanisms like email, etc. If you have questions about other registrars you're thinking of using, send me an email and I can give you my thoughts. Next, you need to find another DNS server out on the Internet that will be a SECONDARY dns server for your chosen Internet domain(s). This backup server is for the situations when your server or Internet connection goes down and you don't want to bounce email, etc. (see Section 24 - Sendmail for more details about backup email services). Please note that getting this secondary server setup is NOT optional! Many domain registrars won't accept your domain name application without at least ONE backup domain server. Fortunately, many registrars can offer this secondary service for you for some additional fee. Again, prices vary wildly.

* If you would like to read more on HOW to get your own domain names and understand some important legal issues with Internet domain names, please see the How to acquire a Domain Name sub-section at the end of this section.

24.1 Protecting your Internet Domain Name when Making Changes

• NOTE: Due to the fact that DNS can make or break the Internet, you should be very sure that any updates, changes, etc. submitted to the Internic for your domain is done in a secure fashion. I personally recommend that you do all of your Internic updates to your registrar either via a SSL encrypted WWW page or via PGP encrypted email instead of the default old school "Mail-From" email method. Why? Email is very easy to forge. Because of this, it would be easy for a hostile user to screw up your domain name, take ownership of it, etc.

  PGP and GnuPG for Linux will be covered in a future chapter but until then, I recommend to either use the Windows PGP client or at least use the Internic's "crypt-pw" option.

24.2 BIND version 9 vs 8 vs 4 and Figuring out what version you have:

This document is intended for BIND versons 9.1.x (and newer) as well as 8.3.x. If you are still running Bind4 or even Bind8, you really need to upgrade because you are either vunerable to ROOT hacks and/or these versions are old and are either soon to be or are already unsupported.

Just a little history:

• Bind 4.x was the defacto DNS server that helped start the Internet boom. It used the "named.boot" file and lived a long life. ISC then later overhauled BIND with version 8 which added lots of things including Dynamic DNS, IPv6, updated the zone file formats, and added a LOT of other features. With this new version, ISC changed the master configuration file to be "named.conf". With Bind 9, ISC has yet again done another major overhaul. This new version of Bind has added DNSSEC (signed DNS zones tranfered over encrypted SSL connections) as well as added direct database support (for MASSIVE zone files) vs. using the classic flat files as described here. Beyond that, the zone files stayed mostly the same between v8 and v9 except for minor formatting changes and the multitude of new optional features.

If you are unsure what version you have installed, you can find out the version from one of two ways.

• #1: If you have a LOCAL account on the DNS server, log into it and run one of the following commands:
  • "strings /home/chroot-dns-ext/usr/sbin/named | grep 9.2"
  • "strings /home/chroot-dns-ext/usr/sbin/named | grep 9.1"
  • "strings /home/chroot-dns-ext/usr/sbin/named | grep 9.0"
  • "strings /home/chroot-dns-ext/usr/sbin/named | grep 8. | grep REL"

  Or if it's not a CHROOTed DNS server:

  • "strings /usr/sbin/named | grep named"
  • "strings /usr/sbin/named | grep 9.2."
  • "strings /usr/sbin/named | grep 9.1."
  • "strings /usr/sbin/named | grep 9.0."
  • "strings /usr/sbin/named | grep 8. | grep REL"

  From the output, carefully look through the results until you find the version number. You will typically find it somewhere in the middle of the results for Bind 9.x and on the bottom for Bind 8.x.

• #2: If the DNS server is remote or you don't have an account to log into it, do the following on a local machine that has the dig or the older nslookup program:

  The new way using the dig (might not work on older version of Dig):

  • Run "dig @ns1.xyz.com chaos txt version.bind" from the command prompt where "ns1.xyz.com" is one of the DNS server(s) you are trying get the Bind version number from. You can get the names of the DNS servers running for a given domain by running the command "whois xyz.com".

    That should tell you the version of the DNS server.

  Older method using nslookup (deprecated - nslookup is going away. Use Dig):

  • Run nslookup from the command prompt
  • At the > prompt, type in server xyz (return) where xyz is the IP or name of the remote DNS server.
  • Now type in set q=txt (return) and then set class=chaos (return).
  • Finally, type in version.bind (return).

    That should tell you the version.

  • Hit Control-D to exit out of nslookup.

24.3 Security Warnings about previous versions of BIND

There are several MAJOR security exploits out there for older versions of Named (8.3.3-REL, 8.2.5, etc.). Make sure you are running at LEAST version 8.3.4, 9.2.2, or newer. It should be noted that 9.2.2 requires a non-vulnerable version of OpenSSL to be installed if you want to use the "--with-openssl" feature. TrinityOS doesn't currently cover this topic but the installation of 9.2.2 is highly recommended. If you aren't running the newest code, you will be vulnerable to hostile users getting ROOT access on your box!

** To stay up on the newest Bind releases, I recommend that ALL users add themselves to the BIND-announce email list given in Section 5.

This email list is ONLY for BIND version announcements and is very low on email traffic.

24.4 Downloading and compiling BIND

• First, download ISC's "named" server code from the URL in Section 5 and put it into a directory such as /usr/src/archive/bind/. It is also highly recommend to download ISC's PGP key so you can verify that this code hasn't be altered by any hostile users. You should also check and download any required patches, etc. if there are any.
• Next, go into that new directory and both VERIFY and uncompress the archive

• Bind 9.2.x specific instructions:

  • ---

    cd /usr/src/archive/bind/
    
    #Assuming you have GPG installed (but not nessisarily configured), you will
    #need to download both ISC's PGP key and the .asc PGP signature file for the 
    #Bind source code.  Please note that ISC seems to keep changing their PGP keys
    #from time to time so your current ISC key might be old now.  So let's verify 
    #that the code is legit:
    #
    # replace x.y.z with the correct version of Bind you are using
    #
          gpg --import pgpkey2004.txt
          gpg --verify bind-9.2.3.tar.gz.asc
    
    #Make sure it says "Good Signature" at the top. There might be some trust
    # warnings but don't worry about that.
         
    

    ---

  • ---

    #So if the above PGP section passed (or you skipped it), now do the
    #  following:
    #
    #The Bind 9 archive creates its own subdirectory so there is no need to 
    #  create one
    #
    
          tar xzvf bind-9.x.y.tar.gz
         
    

    ---

• Bind 8.3.x specific instructions:

  • ---

    #I haven't added PGP verification for Bind 8.x as it's old and you
    #  really should install Bind9.  Anyway, for those of you who want Bind8:
    #
    #The Bind 8 archive does NOT create its own subdirectory so I recommend 
    to create one first
    #
          mkdir /usr/src/archive/bind/8.x.y
          mv /usr/src/archive/bind* /usr/src/archive/bind/8.x.y
          cd /usr/src/archive/bind/8.x.y
          tar xzvf bind-src.tar.gz
          tar xzvf bind-doc.tar.gz
        
    

    ---

• Bind 9.x.y specific compiling:
  • Go into that new directory and run the configure script

    ---

        cd /usr/src/archive/bind/bind-9.x.y
        
        # For Bind 9.2.x
        # ----------------
        # The various compiling configurations are now configured via Automake
        #
        # Not only that but ISC has again changed their paths and such.  So,
        # the following setup will place files into their more "classic" 
        # directories
        #
        # Please note the "--disabled-threads" option.
        #
        #   This tag will allow CHROOT DNS to work under Linux 2.2.x kernels.
        #   The reason for this is that there is a bug in ALL 2.2.x kernels
        #   that basically makes CHROOTing things broken BUT it was fixed
        #   in the 2.4.x kernels.  If you are running a 2.4.x kernel, you do
        #   NOT need this option.  See the end of the "named" MAN page
        #   for more details about this.
        #
        # Please note that the "--exec-prefix" stuff on the ./configure line 
        # will put BIND into the /usr/sbin directory (the default is /usr/local 
        # (bin, sbin, etc.)) which is the stock place for Mandrake.  You can 
        # put these binaries as well as documentation anywhere you wish.  If 
        # you would like to put it in the proper place for your distribution, 
        # run the command:
        #
        #         whereis named
        # 
        # to find out where they put the binaries and such and then substitute 
        # this new path for the Automake one above.  REMEMBER this path for 
        # later in this section when making the CHROOT jails!
        #
        #----------------------------------------------------------------------
    
        #2.4.x kernels only
        #
        ./configure --prefix= --exec-prefix=/usr --datadir=/usr/share \
        --includedir=/usr/include --infodir=/usr/share/info \
        --mandir=/usr/share/man
    
    
        #2.2.x kernels only
        #
        ./configure --prefix= --exec-prefix=/usr --datadir=/usr/share \
        --includedir=/usr/include --infodir=/usr/share/info \
        --mandir=/usr/share/man --disable-threads
    
        #All kernels - 2.4 or 2.x
        #
        make
        
    

    ---

  • From here, the machine should compile things up without any issues. Compile times will vary depending on the speed and available resources on your machine.

• Bind 8.3.x Specific compiling:

  Go into that new directory and compile things up

  • ---

            cd /usr/src/archive/bind/8.3.4/src
          
            # For Bind 8.3.4
            # ----------------
            # The various compiling configurations are now configured in the 
              # port/linux/Makefile.set file.
            #
            # Interestingly enough, ISC has now made /usr/sbin/ the default directory
            # so you shouldn't have to do anything special beyond that
            #
            # Note:
            # -----
            # FYI, Bind 8.2.4 would NOT compile on my Mandrake 2.2.19 machine as 
            # it would give me the following error:
            #
            #  eventlib.c:296: structure has no member named `fds_bits' . . .
            #
            # To fix this, edit the file "src/port/linux/include/port_before.h" and 
            # insert the following line after the existing "define" lines:
            #
            #     #define _GNU_SOURCE
            #
            # Ok, before you try to compile the code up again, run the command
            #  "make clean"
            # 
            # ----------------------------------------------------------------------
    
            #Ok.. compile it up
    
            make clean
            make all
    
        
    

    ---

  • From here, the machine should compile things up without any issues. Compile times will vary depending on the speed and available resources on your machine.

• Final installation steps for ALL versions of BIND:
  • Once the compiling is finished, install your new version of Bind by running:

    ---

          make install
        
    

    ---

  • For Bind9 users: Starting with Bind 9.x, ISC creates the MAN and HTML documentation files via SGML. Unless you have the OpenJade program installed on the machine and it's in the path, the "make install" process will quietly mention that OpenJade wasn't found and thus the docs won't be created and installed. Fortunately, ISC has pre-built MAN files in there though unfortunately they DON'T use these during the "make install" phase. Here is a work around:

    ---

            cd /usr/src/archive/bind/bind-9.2.x
            find . -name "*.1" -exec cp {} /usr/share/man/man1/ \;
            find . -name "*.3" -exec cp {} /usr/share/man/man3/ \;
            find . -name "*.5" -exec cp {} /usr/share/man/man5/ \;
            find . -name "*.8" -exec cp {} /usr/share/man/man8/ \;
    
            #you could have also done it with xargs too:
            #find . -name "*.1" | xargs -i cp {} tmp
        
    

    ---

  • For Bind8 users: ISC no longer includes the installation of the documentation within the Makefile so lets move them over manually:

    ---

            cd /usr/src/archive/bind/bind-8.3.4/doc/man
            make clean
            make all
            make install
        
    

    ---

24.5 Creating the CHROOTed environments

Now, follow the procedures to create the required chrooted user login, group, and various files and do any required substitutions where required.

• First, create the "chroot-dns-ext" user group for the CHROOTed EXTERNAL interface:

                        groupadd -g 120 chroot-dns-ext

• Next, create the "chroot-dns-int" group for the CHROOTed INTERNAL interface:

                        groupadd -g 121 chroot-dns-int  

• Now create the "chroot-dns-ext" and "chroot-dns-int" user for the CHROOTed EXTERNAL and INTERNAL interfaces:

                        useradd -u 120 -g 120 chroot-dns-ext
                        useradd -u 121 -g 121 chroot-dns-int

• The next steps is to create the actual various chroot'ed directories, fix their permissions, etc:

  #  Since this is a CHROOTed environment, you need to make this little
  #  world look like the real one.  This means you need the required
  #  system directorys as well.

        cd /home/chroot-dns-ext

        mkdir -p etc lib dev usr/sbin var/named var/run
        chmod -R 750 /home/chroot-dns-ext
        mknod -m 666 dev/null c 1 3
        mknod -m 666 dev/zero c 1 5
        mknod -m 666 dev/random c 1 8

        cd /home/chroot-dns-int

        mkdir -p etc lib dev usr/sbin var/named var/run
        chmod -R 750 /home/chroot-dns-int
        mknod -m 666 dev/null c 1 3
        mknod -m 666 dev/zero c 1 5
        mknod -m 666 dev/random c 1 8

• Now, we need to copy over the required libraries and executable files.
  • NOTE: Whenever you patch your machine and some of the patches include updated GLIBC files, you will need to REPEAT this section to put a new copy of the updated libraries into the various CHROOT directories.

                        cp -f /lib/libc.so.6 /home/chroot-dns-ext/lib
                        cp -f /lib/libc.so.6 /home/chroot-dns-int/lib
                        cp -f /lib/ld-linux.so.2 /home/chroot-dns-ext/lib
                        cp -f /lib/ld-linux.so.2 /home/chroot-dns-int/lib

**NOTE: You will notice that I recommend to first COPY and then later MOVE the executables into the CHROOT'ed directory. This gives you a little more slack in case you make a mistake before you finally remove the original files.

                        cp -f /usr/sbin/named* /home/chroot-dns-ext/usr/sbin
                        chmod 750 /home/chroot-dns-ext/usr/sbin/named*
                        mv -f /usr/sbin/named* /home/chroot-dns-int/usr/sbin
                        chmod 750 /home/chroot-dns-int/usr/sbin/named*

Ok, fix the binary's file owner and group permissions:

        chown -R chroot-dns-int.chroot-dns-int /home/chroot-dns-int
        chown -R chroot-dns-ext.chroot-dns-ext /home/chroot-dns-ext

24.6 Creating the internal named.conf configuration file

• Ok, time to create the actual DNS Zone files. These are the full authoritative configs for both Bind 9.x.y as well as Bind v8.x.y:

NOTE: You'll notice that some lines will SEEM to have extra "."s (periods) at the end of domain names, etc. LEAVE THEM THERE!! They are supposed to be there and are CRITICAL to bind's internal file format!

/home/chroot-dns-int/etc/named.conf

// /home/chroot-dns-int/etc/named.conf for TrinityOS - 01/12/03

// Config file for a full authoritative --INTERNAL-- DNS server
//
//  This internal server will be the one use by the DNS server itself
//  and by any internal hosts as well

options {
        //Remember, this is already CHROOTed.  /var/named IS correct
                directory "/var/named";

        //You dont want the external interface to listen on this zone
                listen-on port 53 { 
                192.168.0.1; 127.0.0.1; 
                };

        // Uncommenting this might help if you have to go through a
        // firewall and things are not working out:
        // query-source address * port 53;
};


// Filter out any LAME server messages from cluttering up the SYSLOGs
        logging {
         category "lame-servers" { null; };
        };
     

zone "." {
        type hint;
        file "root.hints.db";
};

zone "0.0.127.in-addr.arpa" {
        type master;
        notify no;
        file "127.0.0.db";
};

zone "acme123.com" {
        type master;
        notify no;
        file "acme123-int.com.db";
        allow-transfer { none; };
        allow-query { 127/8; 192.168.0/24; };
};

zone "0.168.192.in-addr.arpa" {
        type master;
        notify no;
        file "192.168.0-in.addr.db";
        allow-transfer {none; };
        allow-query {127/8; 192.168.0/24; };
};

You will notice that I am filtering out LAME SERVER messages from being sent to SYSLOG. What is a "lame server"?

• Basically, when you try to resolve some domain name that is specified from the Internic (as found in "whois") as an AUTHORITATIVE DNS server, the server should reply to that original DNS request as "authoritative". A LAME server is a DNS server that doesn't reply back with an authoritative answer but with a "non-authoritative" answer instead. Basically, DNS requests will still work but you now know that the remote DNS server is mis-configured. So why should you filter these messages? First, there is nothing you can do about these messages other than emailing EVERY remote domain and telling that their server is broken. There are a LOT of LAME servers out on the Internet and all these warning errors will fill up your logs quickly. So I say screw it, let them fix their mess, and until they do, stop logging all this.

24.7 Creating the internal zone files

• Next, you need to create the root.hints.db file like the one shown below. Basically, this file tells your DNS server how to reach the multiple Internet ROOT servers. But, like anything else, the IP address of the various root servers are always changing. So, I recommend you create your OWN root.hints.db file by running the following command and not using the below example .db file:

dig @a.root-servers.net . ns > /home/chroot-dns-int/var/named/root.hints.db

/home/chroot-dns-int/var/named/root.hints.db

; <<>> DiG 8.1 <<>> @a.root-servers.net . ns
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       5d10h28m15s IN NS  M.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  L.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  K.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  J.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  B.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  F.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  G.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  C.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  H.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  A.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  D.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  E.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17

;; Total query time: 15115 msec
;; FROM: ns.acme123.com to SERVER: a.root-servers.net 198.41.0.4
;; WHEN: Fri Oct  1 03:02:15 1999
;; MSG SIZE  sent: 17  rcvd: 436

The following file is the REVERSE zone records for the "localhost" or loopback interface:

/home/chroot-dns-int/var/named/127.0.0.db

;
; /home/chroot-dns-int/var/named/127.0.0.db ZONE file for TrinityOS - 09/03/01
;
$TTL    86400
@               IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                            2001052800      ; serial, todays date + todays serial #
                                8H      ; Refresh
                                2H      ; Retry
                                1W      ; Expire
                                1D)     ; Minimum TTL

                          NS      ns.acme123.com.

1                  86400  PTR     localhost.acme123.com.

The following file is the FORWARD zone record for the internal ACME123.com network

/home/chroot-dns-int/var/named/acme123-int.com.db

;
; /home/chroot-dns-int/var/named/acme123-int.com ZONE file for TrinityOS - 09/03/01
;
$TTL    86400   
@       IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                                2001052800      ; serial, todays date + todays serial #
                                8H              ; refresh, seconds
                                2H              ; retry, seconds
                                1W              ; expire, seconds
                                1D )            ; minimum, seconds
        
                                NS      ns.acme123.com.     ; Inet Address of name server
                                NS      ns.backupacme.com.  ; Inet address of backup server
                                MX      10  mail.acme123.com.   ; Primary MX server

; 
; note - If you wish to directly resolve any acme123.com hosts 
;        that are currently only defined in the EXTERNAL zone 
;        files (say www.acme123.com), you MUST list them here 
;        as well since the internal zone assumes that it is 
;        authoritative for acme123.com zone and thus would never 
;        contact the external server for any other 
;        acme123.com queries.

        
roadrunner-int      86400       A       192.168.0.1
                                HINFO   "a486/160/40M" "Linux 2.0"

mail                86400       A       192.168.0.1
                                HINFO   "a486/160/40M" "Linux 2.0"


coyote              86400       A       192.168.0.2
                        HINFO   "iPentium-II/260/64M"  "Win95"
        
spare               86400       A       192.168.0.9
                        HINFO   "Unknown" "Unknown"

spare2              86400       A       192.168.0.10
                        HINFO   "Unknown" "Unknown"

The following file is the REVERSE zone record for the internal ACME123.com network

/home/chroot-dns-int/var/named/192.168.0-in.addr.db

;
; /home/chroot-dns-int/var/named/192.168.0-in.addr ZONE file for TrinityOS - 09/03/01
;
$TTL    86400
@               IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                            2001052800      ; serial, todays date + todays serial #
                                1       ; Serial
                                8H      ; Refresh
                                2H      ; Retry
                                1W      ; Expire
                                1D)     ; Minimum TTL

                          NS      ns.acme123.com.
        
1                       86400   PTR     roadrunner-int.acme123.com.
2                       86400   PTR     coyote.acme123.com.

9                       86400   PTR     spare.acme123.com.
10                      86400   PTR     spare2.acme123.com.

24.8 Creating the external named.conf configuration file

• Now, here is the configuration file for the EXTERNAL DNS server:

/home/chroot-dns-ext/etc/named.conf

// /home/chroot-dns-ext/etc/named.conf for TrinityOS - 11/25/02
// Config file for a full authoritative --EXTERNAL-- DNS server

options {
    //Remember, this is already CHROOTed.  /var/named IS correct
    directory "/var/named";

    //Do NOT have the server listening on localhost or the internal interface
    listen-on port 53 { 
      100.200.0.212; 
    };

    // Clean the cache every 6 hours (default is 1).
    cleaning-interval 360;

    // Do NOT respond to DNS queries for any domains other than local zones
    //
    //   All remote DNS lookups for this host and any internal machines will 
    //   be served from the INTERNAL DNS server
    recursion no;

    // Uncommenting this might help if you have to go through a
    // firewall and things are not working out:
   // query-source address * port 53;
};

zone "." {
        type hint;
        file "root.hints.db";
};

zone "acme123.com" {
        type master;
        notify yes;
        file "acme123.com.db";
        allow-transfer {
           102.200.0.25/32;
        };
};

zone "212.0.200.100.in-addr.arpa" {
        type master;
        notify yes;
        file "212.0.200.100.db";
    allow-transfer {
      102.200.0.25/32;
        };
};

24.9 Creating the external zone files

• Next, you need to create another root.hints.db file like the one shown below. But, like any thing else, the Internet's root servers are always changing. So, I recommend you create your OWN copy by running the following command and not using the below example .db file:

                dig @a.root-servers.net . ns > /home/chroot-dns-ext/var/named/root.hints.db

/home/chroot-dns-ext/var/named/root.hints.db

; <<>> DiG 8.1 <<>> @a.root-servers.net . ns 
; (1 server found)
;; res options: init recurs defnam dnsrch
;; got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10
;; flags: qr rd; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 13
;; QUERY SECTION:
;;      ., type = NS, class = IN

;; ANSWER SECTION:
.                       5d10h28m15s IN NS  M.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  L.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  K.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  J.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  B.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  F.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  G.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  C.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  H.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  A.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  D.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  E.ROOT-SERVERS.NET.
.                       5d10h28m15s IN NS  I.ROOT-SERVERS.NET.

;; ADDITIONAL SECTION:
M.ROOT-SERVERS.NET.     5w6d16h IN A    202.12.27.33
L.ROOT-SERVERS.NET.     5w6d16h IN A    198.32.64.12
K.ROOT-SERVERS.NET.     5w6d16h IN A    193.0.14.129
J.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.10
B.ROOT-SERVERS.NET.     5w6d16h IN A    128.9.0.107
F.ROOT-SERVERS.NET.     5w6d16h IN A    192.5.5.241
G.ROOT-SERVERS.NET.     5w6d16h IN A    192.112.36.4
C.ROOT-SERVERS.NET.     5w6d16h IN A    192.33.4.12
H.ROOT-SERVERS.NET.     5w6d16h IN A    128.63.2.53
A.ROOT-SERVERS.NET.     5w6d16h IN A    198.41.0.4
D.ROOT-SERVERS.NET.     5w6d16h IN A    128.8.10.90
E.ROOT-SERVERS.NET.     5w6d16h IN A    192.203.230.10
I.ROOT-SERVERS.NET.     5w6d16h IN A    192.36.148.17

;; Total query time: 15115 msec
;; FROM: ns.acme123.com to SERVER: a.root-servers.net 198.41.0.4
;; WHEN: Fri Oct  1 03:02:15 1999
;; MSG SIZE  sent: 17  rcvd: 436

The following file is the FORWARD zone records for the external ACME123.com network

/home/chroot-dns-ext/var/named/acme123.com.db

;
; /home/chroot-dns-ext/var/named/acme123.com ZONE file for TrinityOS - 09/03/01
;
$TTL    86400   
@       IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                                2001052800      ; serial, todays date + todays serial #
                                8H              ; refresh, seconds
                                2H              ; retry, seconds
                                1W              ; expire, seconds
                                1D )            ; minimum, seconds
        
               NS      ns.acme123.com.      ; Inet Address of name server
               NS      ns.backupacme.com.   ; Inet address of backup server
        
               MX   10 mail.acme123.com.    ; Primary Mail Exchanger
        

ns              86400   A       100.200.0.212
                                HINFO   "a486/160/40M" "Linux 2.0"
        
mail            86400   A       100.200.0.212
                                HINFO   "a486/160/40M" "Linux 2.0"
        

ftp             86400   CNAME   ns
        
roadrunner      86400   CNAME   ns

The following file is the REVERSE zone records for the external ACME123.com network:

/home/chroot-dns-ext/var/named/212.0.200.100.db

;
; /home/chroot-dns-ext/var/named/212.0.200.100-in.addr ZONE file for TrinityOS - 09/03/01
;
$TTL    86400
@       IN      SOA     ns.acme123.com. hostmaster.acme123.com. (
                    2001052800      ; serial, todays date + todays serial #
                        8H      ; Refresh
                        2H      ; Retry
                        1W      ; Expire
                        1D)     ; Minimum TTL

                    NS      ns.acme123.com.    ; Inet Address of name server
                    NS      ns.backupacme.com. ; Inet address of backup server

212.0.200.100.in-addr.arpa. IN PTR     ns.acme123.com.

24.10 Fixing final CHROOTed permissions and ownerships

• Ok, lets finally fix the file owner and group permissions for the respective Zone files:

        chown -R chroot-dns-int.chroot-dns-int /home/chroot-dns-int
        chown -R chroot-dns-ext.chroot-dns-ext /home/chroot-dns-ext

24.11 Tuning How NAMED loads the SPLIT zone file configuration

Ok, time for the glue. You need to change the way that DNS loads the server up to recognize the new CHROOT layout and to load the SPLIT servers:

Redhat users:

• Edit /etc/rc.d/init.d/named and change the lines:

                        [ -f /usr/sbin/named ] || exit 0
                        .
                        .
                        .
                        [ -f /etc/named.conf ] || exit 0

to:

                        [ -f /home/chroot-dns-int/usr/sbin/named ] || exit 0
                        [ -f /home/chroot-dns-ext/usr/sbin/named ] || exit 0

                        [ -f /home/chroot-dns-int/etc/named.conf ] || exit 0
                        [ -f /home/chroot-dns-ext/etc/named.conf ] || exit 0

• You now need to setup the following lines to do the actually loading of the two individual DNS servers. It is recommented that you get this file from the TrinityOS-security script at http://www.ecst.csuchico.edu/~dranch/LINUX/TrinityOS-security/TrinityOS-security.tar.gz to save you time and avoid possible typos.

• It's IMPORTANT that you edit this file and enable the correct version of Bind that you plan on running. To disable a specific version, place "#" charecters in the front of the respective lines.

#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: - 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true


# ----------------------------------------------------------------------------
# # TrinityOS-named
# v11/25/02
#
# Part of the copyrighted and trademarked TrinityOS document.
# <url url="http://www.ecst.csuchico.edu/~dranch">
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
#
#  NOTE: It's IMPORTANT that you edit this file and enable the correct 
#        version of Bind that you plan on running.  To disable a specific 
#        version, place "#" charecters in the front of the respective lines.
#
#        Bind9 is the TrinityOS default setting.
#
#
# Updates
# -------
# 11/25/02 - Updated some of the comments
#
# 03/05/01 - Updated the file to support the loading of Bind9
#
# 01/28/01 - Added a few CR-LFs to clean up the output between starting
#            the internal and external zones
# 10/07/00 - Added the start-int, start-ext, stop-int, and stop-ext functions
#
# ----------------------------------------------------------------------------


# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ ${NETWORKING} = "no" ] && exit 0

[ -f /home/chroot-dns-int/usr/sbin/named ] || exit 0
[ -f /home/chroot-dns-ext/usr/sbin/named ] || exit 0

[ -f /home/chroot-dns-int/etc/named.conf ] || exit 0
[ -f /home/chroot-dns-ext/etc/named.conf ] || exit 0

RETVAL=0

# See how we were called.
case "$1" in

       start)
            # Start daemons.
            echo -n "Starting named-int: "

            #Bind9 - Use this setup if you are using Bind9
            #
            daemon /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -t /home/chroot-dns-int

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            #daemon /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int

            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-int       

            sleep 5

            echo -e "\r"
            echo -n "Starting named-ext: "

            #For some reason, this server won't load with the "daemon" line in 
            # front - if you have a solution for this, please let me know
 
            #Bind9 - Use this setup if you are using Bind9
            #
            /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -t /home/chroot-dns-ext

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            #/home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext

            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-ext
            echo -e "\r"
         ;;

        start-int)
            # Start daemons.
            echo -n "Starting named-int: "

            #For some reason, this server won't load with the "daemon" line in 
            # front - if you have a solution for this, please let me know

            #Bind9 - Use this setup if you are using Bind9
            #
            /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -t /home/chroot-dns-int

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            #/home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -g chroot-dns-int -t /home/chroot-dns-int

            RETVAL=$?
            [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named-int
            echo -e "\r"
        ;;

        start-ext)
            echo -n "Starting named-ext: "

            #For some reason, this server won't load with the "daemon" line in 
            # front - if you have a solution for this, please let me know

            #Bind9 - Use this setup if you are using Bind9
            #
            /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -t /home/chroot-dns-ext

            #Bind8 - # out the "daemon" line above and un-# out the line below
            #        if you are running Bind8
            #
            /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext

            RETVAL=$?
            $RETVAL -eq 0 ] && touch /var/lock/subsys/named-ext
            echo -e "\r"
        ;;

        stop)
          # Stop daemons.       
                   echo -n "Shutting down named: "
           killproc named
           RETVAL=$?
           [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-int && rm -f /var/lock/subsys/named-ext
           echo -e "\r"
        ;;

        stop-int)
            # Stop INT daemons.
            echo -n "Shutting down named-int: "
            kill `ps ax | grep chroot-dns-int/usr/sbin/named | grep -v -e grep | awk '{print $1}'`
            RETVAL=$?
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-int
            echo -e "\r"
        ;;

        stop-ext)
            # Stop EXT daemons.
            echo -n "Shutting down named-ext: "
            kill `ps ax | grep chroot-dns-ext/usr/sbin/named | grep -v -e grep | awk '{print $1}'`
            RETVAL=$?
            [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named-ext
            echo -e "\r"
        ;;

        status)
          /usr/sbin/ndc status
          exit $?
        ;;


        restart)
           $0 stop
           $0 start
        ;;


        reload)
           /usr/sbin/ndc reload
           exit $?
        ;; 


        probe)
           # named knows how to reload intelligently; we don't want linuxconf
           # to offer to restart every time
           /usr/sbin/ndc reload >/dev/null 2>&1 || echo start
           exit 0
        ;;

 
        *)
          echo "Usage: named {start|start-int|start-ext|stop|stop-int|stop-ext|status|restart}"
        exit 1
esac
exit $RETVAL

24.12 Fixing SYSLOGing to understand the new CHROOTed setup

• Next, we need now modify how SYSLOG loads up so it understands how to deal with the new CHROOTed DNS servers:

  Edit the /etc/rc.d/init.d/syslog file and change the loading of SYSLOG to the following:

        daemon syslogd -a /home/chroot-dns-int/dev/log -a /home/chroot-dns-ext/dev/log -m 0

Now, configure your machine to use the local DNS server by editing /etc/resolv.conf

• This is a CRITICAL setting. If you configure the Linux machine to use the EXTERNAL IP address or one of your ISP's DNS server, the Linux server won't be able to resolve any of the Internet hosts due to the SPLIT server setup.

        search acme123.com 
        nameserver 127.0.0.1

        #Backup - your ISP's DNS servers
        #nameserver 10.200.200.69
        #nameserver 10.200.200.96

Next, make sure that your machine is prepped to use DNS:

Slackware: /etc/host.conf

                order hosts, bind
                multi on

Redhat: /etc/nsswitch.conf

Change the "hosts" line to read:

                                "hosts:      files dns"

Also, I would recommend to DELETE all instances of NIS from each line of this file UNLESS you *ARE* using NIS, NIS+, etc!

24.13 Starting up and testing BIND

Ok, getting close! Now, make sure that BIND is enabled to load upon boot.

• To do this, UN-DO all edits done to disable DNS in Section 8
  • Note: the NTSYSV method won't work for all of this

• Now, test that all the named files are correct by running "named" in a forground test (For Bind9):

  ---

  /home/chroot-dns-int/usr/sbin/named -u chroot-dns-int -t /home/chroot-dns-int -f
  

  ---

  The INTERNAL server output should look something like this for Bind 9.2.x:

  ---

  Nov 25 22:34:01 roadrunner named[1959]: starting BIND 9.2.1 -u chroot-dns-int -t /home/chroot-dns-int
  Nov 25 22:34:01 roadrunner named[1959]: using 1 CPU
  Nov 25 22:34:02 roadrunner named[1959]: loading configuration from '/etc/named.conf'
  Nov 25 22:34:02 roadrunner named[1959]: no IPv6 interfaces found
  Nov 25 22:34:02 roadrunner named[1959]: listening on IPv4 interface lo, 127.0.0.1#53
  Nov 25 22:34:02 roadrunner named[1959]: listening on IPv4 interface eth1, 192.168.0.1#53
  Nov 25 22:34:02 roadrunner named[1959]: listening on IPv4 interface eth2, 192.168.10.1#53
  Nov 25 22:34:02 roadrunner named[1959]: zone 0.0.127.in-addr.arpa/IN: loaded serial 2001022400
  Nov 25 22:34:02 roadrunner named[1959]: zone 0.168.192.in-addr.arpa/IN: loaded serial 2002102600
  Nov 25 22:34:02 roadrunner named[1959]: zone 10.168.192.in-addr.arpa/IN: loaded serial 2001031101
  Nov 25 22:34:02 roadrunner named[1959]: zone acme123.com/IN: loaded serial 2002112500
  Nov 25 22:34:02 roadrunner named[1959]: running
  

  ---

  The INTERNAL server output should look something like this for Bind 8.3.x:

  ---

  Apr 10 01:48:42 roadrunner named[27951]: starting.  named 8.3.4 Tue Dec 14 20:30:23 CET 1999 ^Iroot@jedi.mandrakesoft.com:/usr/src
  /RPM/BUILD/bind-8.2.2P5/src/bin/named
  Apr 10 01:48:42 roadrunner named[27951]: hint zone "" (IN) loaded (serial 0)
  Apr 10 01:48:42 roadrunner named[27951]: Zone "192.168.0" (file 192.168.0.db): No default TTL set using SOA minimum instead
  Apr 10 01:48:42 roadrunner named[27951]: master zone "192.168.0" (IN) loaded (serial 2000033100)
  Apr 10 01:48:42 roadrunner named[27951]: Zone "0.168.192.in-addr.arpa" (file 192.168.0-in.addr.db): No default TTL set using SOA 
  minimum instead
  Apr 10 01:48:42 roadrunner named[27951]: master zone "0.168.192.in-addr.arpa" (IN) loaded (serial 1999111300)
  Apr 10 01:48:42 roadrunner named[27951]: listening on [127.0.0.1].53 (lo)
  Apr 10 01:48:42 roadrunner named[27951]: Forwarding source address is [0.0.0.0].1033
  Apr 10 01:48:42 roadrunner named[27951]: chrooted to /home/chroot-dns-int
  Apr 10 01:48:42 roadrunner named[27951]: group = chroot-dns-int
  Apr 10 01:48:42 roadrunner named[27951]: user = chroot-dns-int
  Apr 10 01:48:42 roadrunner named[27951]: Ready to answer queries.
  Apr 10 01:48:42 roadrunner named[27951]: Zone "192.168.0" (file 192.168.0.db): No default TTL set using SOA minimum instead
  Apr 10 01:48:42 roadrunner named[27951]: Zone "0.168.192.in-addr.arpa" (file 192.168.0-in.addr.db): No default TTL set using SOA 
  minimum instead
  

  ---

  Hit Control-C when you are sure that Named is running ok and it's running the correct version of Named. Now try running the external server:

  ---

  /home/chroot-dns-ext/usr/sbin/named -u chroot-dns-ext -g chroot-dns-ext -t /home/chroot-dns-ext
  

  ---

  The EXTERNAL server output should look something like this for Bind 9.2.x:

  ---

  Nov 25 22:34:07 roadrunner named[1965]: starting BIND 9.2.1 -u chroot-dns-ext -t /home/chroot-dns-ext
  Nov 25 22:34:07 roadrunner named[1965]: using 1 CPU
  Nov 25 22:34:07 roadrunner named[1965]: loading configuration from '/etc/named.conf'
  Nov 25 22:34:07 roadrunner named[1965]: no IPv6 interfaces found
  Nov 25 22:34:07 roadrunner named[1965]: listening on IPv4 interface eth0, 64.220.150.140#53
  Nov 25 22:34:07 roadrunner named[1965]: zone 212.0.200.100.in-addr.arpa/IN: loaded serial 2002070700
  Nov 25 22:34:07 roadrunner named[1965]: zone acme123.com/IN: loaded serial 2002070700
  Nov 25 22:34:07 roadrunner named[1965]: running
  

  ---

  The EXTERNAL server output should look something like this for Bind 8.3.x:

  ---

  Apr 10 01:52:10 roadrunner named[27960]: starting.  named 8.3.4 Tue Dec 14 20:30:23 CET 1999 ^Iroot@jedi.mandrakesoft.com:/usr/src/
  RPM/BUILD/bind-8.2.2P5/src/bin/named
  Apr 10 01:52:10 roadrunner named[27960]: hint zone "" (IN) loaded (serial 0)
  Apr 10 01:52:10 roadrunner named[27960]: Zone "acme123.com" (file acme123.com.db): No default TTL set using SOA minimum instead
  Apr 10 01:52:10 roadrunner named[27960]: master zone "acme123.com" (IN) loaded (serial 2000033100)
  Apr 10 01:52:10 roadrunner named[27960]: Zone "212.0.200.100.in-addr.arpa" (file 100.200.0.212.db): No default TTL set using SOA 
  minimum instead
  Apr 10 01:52:10 roadrunner named[27960]: master zone "212.0.200.100.db.in-addr.arpa" (IN) loaded (serial 2000033100)
  Apr 10 01:52:10 roadrunner named[27960]: listening on [100.200.0.212].53 (eth0)
  Apr 10 01:52:10 roadrunner named[27960]: Forwarding source address is [0.0.0.0].1033
  Apr 10 01:52:10 roadrunner named[27961]: chrooted to /home/chroot-dns-ext
  Apr 10 01:52:10 roadrunner named[27961]: group = chroot-dns-ext
  Apr 10 01:52:10 roadrunner named[27961]: user = chroot-dns-ext
  Apr 10 01:52:10 roadrunner named[27961]: Ready to answer queries.
  

  ---

  Hit Control-C when you are sure that NAMED is running ok and it's running the correct version of NAMED. Please also note that if the TIME and DATE of your log files is off, you need to set the TZ environment variable as described in Section 7.

24.14 Possible Bind errors upon load

• modprobe: can't locate module net-pf-10
  named: no IPv6 interfaces found

  This error is due to Bind9 supporting IPv6 packets but your system doesn't. It sure would be nice if you could compile BIND without IPv6 support but you can't. To work around this, add the following to the /etc/module.conf ( /etc/conf.module file for older distros ):

  ---

          alias net-pf-10 off
          
  

  ---

• named: none:0: open: /etc/rndc.key: file not found
  named: couldn't add command channel 127.0.0.1#953: file not found

  The "rndc" program is a tool to manage local and remote named servers. It allows you to start / stop the server, increase debugging, reload the zone files, get stats, etc. TrinityOS doesn't cover the configuration or use of ndc/rndc because I've found using the /etc/rc.d/init.d/named tool just as good IMHO. Yes, it might create a minor lapse in service as you "restart" named but it's very minor.

• named: could not open entropy source /dev/random: file not found:

  You forgot to create a /dev/random in the CHROOT environment. Look above in this section for the "mknod" commands.

24.15 Enabling Bind to load upon future boots

• Now, do the following for your respective Linux Distribution:
  • Slackware Specific:
    • Un #'d out the lines in the "/etc/rc.d/rc.inet2" file for "named"

  • Redhat Specific:
    • Run the command "chkconfig --level=345 named on". Then make sure that the file "/etc/rc.d/rc3.d/S55named" exists

24.16 Changes for Bind9

As I mentioned before, TrinityOS currently doesn't currently cover advanced topics like Dynamic DNS, DNSSEC, etc. Some of these features are very cool and they WILL be covered some time in the future.

Anyway, for now, I wanted to mention that the "nslookup" that we are all familiar with is going away in favor of the "dig" and "host" commands instead. I recommend that you start getting used to using the "dig" and "host" commands. If you need to continue to use "nslookup", you should consider the following alias to avoid the annoying nslookup warnings:

/etc/bashrc

 alias nslookup='nslookup -silent'

24.17 Supporting more than one Internet Domain name on this DNS server

Having your Linux box do DNS for more that just ONE domain is VERY simple. If you want to do this, all you have to do is:

1. Create another FORWARD zone file (e.g. another-domain.com) for your new domain.

   e.g. use the old acme123.com files from above as a template for your new /home/chroot-dns-ext/var/named/another-domain.com.db file

2. Edit the /home/chroot-dns-ext/etc/named.conf file to:
   1. Add the loading of the new /var/named/newdomain.com.db zone file just like you did for the acme123.com zone file.

   2. Allow your remote secondary DNS servers to be able access this new domain's zone file

   3. Restart Bind

24.18 Setting up Secondary (BACKUP) DNS servers

If you want someone else's DNS server to be a secondary DNS server for your domain(s) *OR* you want your DNS server to be a secondary for someone else's domain(s), follow these following steps.

• Edit /home/chroot-dns-ext/etc/named.conf file and make sure the "allow-transfer" line has the proper IP address of the remote secondary DNS server. You can have as many secondary DNS servers as you want.
• Edit either your server's (if you want to be backup for some remote server) or the remote server's (if they are going to be a backup for your domains) /home/chroot-dns-ext/etc/named.conf file and APPEND the following:

    zone "acme123.com." {
      type slave;
      file "acme123.com.db";
      masters { 100.200.0.212; };
      allow-transfer { none; };
    };

    zone "212.0.200.100.in-addr.arpa." {
      type slave;
      file "212.0.200.100.db";
      masters { 100.200.0.212; };
      allow-transfer { none; };
    };

NOTE: If the remote domain actually had multiple IPs or a "subnet of IPs" (typically 5 or more IP addresses), you would need a slightly different configuration. The following example would be correct if the remote domain had -8- IP allocated.

                zone "128/29.0.200.100.in-addr.arpa." {
                  type slave;
                  file "128.0.200.100.db";
                  masters { 100.200.0.129; };
                  allow-transfer { none; };
                };

Basically, you need to understand that:

The IP addresses the remote site was given an address range of 100.200.0.128 through .135 with a subnet mask of 255.255.255.248 (a /29).

Then, with the not-so-obvious DNS syntax from RFC 2317, you read the top line as:

• In the last octet of the IP address, the first IP address of this remote subet is "128". (This is the NETWORK address)
• Next, the subnet mask is a /29 or 8 IPs
• The remaining reverse zone is 0.200.100

Yes, its weird syntax and NOT obvious (try even reading the RFC!) but it works fine.

• Finally, you need to create a dummy file for this remote domain.

                        touch /home/chroot-dns-ext/var/named/acme123.com.db

• Now, restart the remote secondary DNS server by running the following command from the remote box:
  • Redhat:

    ---

                    /etc/rc.d/init.d/named stop
                    /etc/rc.d/init.d/named start
        
    

    ---

  • Slackware:

    ---

                    kill -HUP `ps aux | grep named | grep -v -e grep | awk '{print $2}'`/usr/sbin/named &
        
    

    ---

Once everything is working fine, be SURE to follow the "aliases" instruction in Section 18.

24.19 Gotchas with Master DNS servers being down for long periods of time

IMPORTANT:

• If the MASTER DNS server for a given domain(s) is either down or unavailable for more than (1) week, that domain will then become unavailable and unresponsive REGARDLESS if there are any other secondary DNS servers for that domain. The reason for this is the "expire" option configured in each of the zone file's SOA section.

  So, what do you do when you know that a domain is going to be down for an extended period of time OR the domain has already been down for over a week and is now UNAVAILABLE?

  If you know AHEAD of time that the domain is going to go down:

  • Ask the administrator of the domain to edit the zone file(s) and increase the SOA's EXPIRE field to something LONGER than the time that the master DNS will be offline. This is configured in units of seconds. Don't forget to also tell the admin to update the zone file's SERIAL number and reload the DNS server to re-sync to all of the domain's secondary servers with these zone file changes.

  If the MASTER domain server is already down and there AREN'T any other master servers for this domain to make changes to the zone's SOA "expire" option, you only really have one option:

  • You need to change one of the secondary servers to now be a MASTER name server for that specific zone. To do this, simply change the name server's "etc/named.conf" file on the specific zone entry from "secondary" to "master". Also be sure you don't forget to allow zone transfers for this domain to that zone's other secondary name servers (as shown via whois).

24.20 Secondary DNS Design considerations

It should be mentioned that there is a very interesting and SERIOUS design issue that needs to be considered when setting up secondary zones with a split DNS setup. Say you have acme123.com running on both the INTERNAL -and- EXTERNAL processes on a server (same as the TrinityOS example set above).

The problem arises when you secondary for some remote domain(s) on the Internet. The email server for your domain then tries to send email to that remote email server. The process goes something as follows:

• Your internal SMTP server, which uses your INTERNAL DNS server (127.0.0.1) as its DNS server, does a DNS MX lookup for the destination email server.. say "buggs.com".
• So the internal DNS server (127.0.0.1) goes out to the Internet and asks, "what server is authoritative for the "buggs.com" domain". A response comes back saying: " your machine, ns.acme123.com is authoritative!" Technically, this is true. Well, HALF true actually.
• If you followed the TrinityOS example exactly, your EXTERNAL DNS server (ns.acme123.com) *IS* authoritative for both the "acme123.com" domain as well as "buggs.com" domain but the INTERNAL server is not. The INTERNAL server is only authoritative for the "acme123.com" domain (not "buggs.com")!
• What does that all mean? That means that when this MX DNS response comes back to the INTERNAL acme123.com server, the 127.0.0.1 server will think.. "Hey! They said I'm authoritative for that "buggs.com" domain but I don't know anything about it!" Error...
• If you had this situation, you would ultimately see weird and unhelpful error messages in the SYSLOG files that look something like:

  named[1188]: ns_forw: query(buggs.com) contains our address (roadrunner.acme123.com:192.168.0.1) learnt (A=acme123.com:NS=1.2.3.4)

There are TWO valid solutions:

• One: You setup both the INTERNAL and EXTERNAL dns servers to secondary for the remote DNS zone(s). This would basically duplicate the secondary configurations from the EXTERNAL /home/chroot-dns-ext/etc/named.conf file into the INTERNAL /home/chroot-dns-int/etc/named.conf file. For example, you would copy these zone configurations from the EXTERNAL named.conf to your INTERNAL named.conf file. For example, you would copy info like the following into the Internal named.conf file:

  ---

      zone "acme123.com." {
        type slave;
        file "acme123.com.db";
        masters { 100.200.0.212; };
        allow-transfer { none; };
      };
  

  ---

  This would effectively make both the internal and external acme123.com DNS servers authoritative for those remote secondary zones. Now, when one of the slave DNS servers change something in their zones, both the external AND internal DNS processes would actually get a zone transfer.

• Two: You can change your internal zone name to something OTHER than being "acme123.com". Don't worry.. this won't hurt ANYTHING, even email as the Sendmail configuration shown in TrinityOS will re-write the email headers anyway. For example: you could change your internal domain from "acme123.com" to to "acme123.pvt". Yes, ".pvt". Remember, this is YOUR DNS server so, while only domains like ".com, .net, .org, .us, etc." are legal on the Internet (today), anything goes for internal networks. So, with this .pvt domain configuration in place, the internal DNS server would know that it is NOT authoritative for the "acme123.com" domain. Because it is no longer "acme123.com", it is also NOT authoritative for those other remote secondary zones ("buggs.com"). This might all seem like a pain but this second solution is somewhat cleaner than solution #1. Ultimately.. both work fine.

24.21 Automating the maintenance of the root-hints.db file

Ok, now DNS is hopefully working for your new connection. Next, I recommend that you implement the following script to maintain the root-hints file. Remember, the ROOT DNS server addresses change from time time. This script borrowed from the tldp.org's DNS-HOWTO (with a few changes on my behalf [should be in the DNS-HOWTO now]) makes sure things are occasionally updated:

/usr/local/sbin/root-hints-update

<root-hints-update START>

#!/bin/bash
#
# Part of the copyrighted and trademarked TrinityOS document.
# http://www.ecst.csuchico.edu/~dranch/LINUX/index-linux.html
#
# Written and Maintained by David A. Ranch
# dranch at trinnet dot net
#
#
# Update the nameserver cache information file once per month.
# This is run automatically by a cron entry.
#
# v2.6 - Fixed an error where the root.hints.new file was missing
#        from the "results" email.  The script is now deleting the 
#        "results" file and is using all absolute paths.  Finally, the
#        script is again sending the "result" output as well.
# v2.5 - Fixed a filename error where the final status email was using
#        int/root.hints.new instead of int/root.hints.db
#      - Removed the line trying to delete a non-existant file
#      - Added some echo statements to make things a little
#        clearer 
# v2.4 - Updated the dig info lookup from ns.internic.net to
#        a.root-servers.net 
# v2.3 - Updated the initial CD into one of the real CHROOTed dirs
#        vs. /var/named.  The old script was also leaving a stray NEW
#        file in the EXT directory.  Because of all this, the email
#        notification would show an old root.hints file though DNS
#        would have the correct updated file.
# v2.2 - Change getting the hints file from rs.internic.net to ns.internic.
#        net
# v2.1 - Fixed a typo in the CHMOD of the external root-hints.sb file
#      - Fixed the file ownership of the internal root-hints.db file
#      - Changed the default path of where the new root.hints.new file 
#        is to be placed
#      - Updated to have a backup copy of the INTERNAL hints file and not
#        just have an EXTERNAL backup
# v2.0 - Updated the script to support dual zone files
# v1.3 - Updated the script to show more verbose FAILURE logs.
#        Thanks to jon.marks@novatek.co.nz for the ideas
#
# v1.2 - added the test if no ROOT-SERVERS were returned
# v1.1 - added the test if the result had a SERV-FAIL
# v1.0 - original script from the DNS-HOWTO

echo -e "Running /home/chroot-dns/ext/var/named/root-hints-update..\n" 
export PATH=/sbin:/usr/sbin:/bin:/usr/bin:

echo "Entering chroot-dns-ext" 
cd /home/chroot-dns-ext/var/named

echo "Getting current root servers list.." 
dig @a.root-servers.net . ns > /home/chroot-dns-ext/var/named/root.hints.new \
2> /home/chroot-dns-ext/var/named/result

DIG_OUTCOME=FAIL
if [ `grep -c SERVFAIL /home/chroot-dns-ext/var/named/root.hints.new ` = 0 \
] && [ `grep -c ROOT-SERVERS /home/chroot-dns-ext/var/named/root.hints.new` -gt 0 ]
   then
        DIG_OUTCOME=SUCCESS
        echo "   - Copying new hints file to the EXT named directory"   
        mv -f /home/chroot-dns-ext/var/named/root.hints.db /home/chroot-dns-ext/var/named/root.hints.db.old
        cp -f /home/chroot-dns-ext/var/named/root.hints.new /home/chroot-dns-ext/var/named/root.hints.db
        chown chroot-dns-ext:chroot-dns-ext /home/chroot-dns-ext/var/named/root.hints.db
        chmod 444 /home/chroot-dns-ext/var/named/root.hints.db

        echo "   - Moving new hints file to the INT named directory" 
        mv -f /home/chroot-dns-int/var/named/root.hints.db /home/chroot-dns-int/var/named/root.hints.db.old
        mv /home/chroot-dns-ext/var/named/root.hints.new /home/chroot-dns-int/var/named/root.hints.db
        chown chroot-dns-int:chroot-dns-int /home/chroot-dns-int/var/named/root.hints.db
        chmod 444 /home/chroot-dns-int/var/named/root.hints.db

        echo "Restarting both INT and EXT name.."  
        echo -n "Restarting named: " >> result
        # note:  We dont use restart since old Redhat didn't support it
        /etc/rc.d/init.d/named stop >> /home/chroot-dns-ext/var/named/result
        /etc/rc.d/init.d/named start >> /home/chroot-dns-ext/var/named/result
fi

echo "Emailing the results to root.."
(
        echo "To: hostmaster <root>"
        echo "From: system <root>"
        echo "Subject: TrinityOS DNS monthly root.hints.db update status: $DIG_OUTCOME."
        echo
        cat /home/chroot-dns-ext/var/named/result
        cat /home/chroot-dns-ext/var/named/root.hints.db 
        echo

) | /usr/sbin/sendmail -t
echo "Done."
rm -f /home/chroot-dns-ext/var/named/result
exit 0

Now, make it executable and readable ONLY by the root user:

                chmod 700 /usr/local/sbin/root-hints-update

Finally, put it in the cron job to run monthly:

Redhat:

        ln -s /usr/local/sbin/root-hints-update /etc/cron.monthly/root-hints-update

Slackware:

- Edit "/var/spool/cron/crontab/root" and add this line to the bootom of the file:

                02 3 1 * *      /usr/local/sbin/root-hints-update

That's it!

24.22 How to acquire an Internet Domain Name

To get your own Internet domain, you need:

1. A pre-selected Internet domain name that isn't already taken. You can check to see if your desired domain is available by going to: http://www.internic.net or use the UNIX "whois" command. If the domain you want is already gone, don't forget to try the other suffixes like .com, .net, .org and now the new TLDs like .biz, .info, .name, .museum, .coop, .aero, and .pro. You should also know that many other countries are pushing users to use their domain space. For example, .cc and .tv are fairly popular with some people.

   NOTE: U.S. laws are about to change in the Internet. Currently, sleazy Internet users have been reserving domain names like cheezewiz.com and making the rightful owners (Kraft Corporation) pay ransoms to get them back.

   In 2000, companies that owned standard name trademarks to names, like CheeseWiz, finally got the LEGAL rights get to those domains. On the flip side, even if you had the domain superdupergizo.com for years and sold even gizmos with that name, someone might get that name "SuperDumoGizmo" trademarked. If that happened, they would then have the LEGAL right to take that domain away from you. Sucks huh?

   How can you protect YOUR domain? You might also want to get your domain trademarked. You might not care too much about this but some people will NEED TO. Please also understand that if you get a trademark for for the name and you already secured the .com domain name, you will then have legal grounds to kick people off the .net and .org domains as well. Personally, I think it will be cheaper in the long run if you just register ALL three domain name suffixes (.com, .net, .org) at one time. But if you then start to think about the new .biz, .info, etc. domains and this can be a LOT of money. Overall, the whole situation is a mess and I'm not sure what is the least-evil way of protecting your domain.

2. You need agreements with (1) or more EXISTING /remote/ DNS servers their to be your secondary (backup) DNS servers. You will have to coordinate this with the remote DNS administrators but it isn't too hard. It should also be noted that many Domain registrars can act a secondary DNS server for an addition fee. As it stands, the setup of the secondary DNS support is fully documented in TrinityOS's DNS section.
   • NOTE: You can RESERVE your desired DNS domain name NOW and not configure any DNS stuff for however long as you want. Basically, once you pay for for the domain, the domain is then YOURS unless you don't pay the renewal fees. One thing several Internet Domain Registrars are now doing is providing full co-location service for your domain where they will setup the DNS services, email, etc. ALL on their own servers for additional fees. Understand that these services costs more than just the purchase of the initial domain name procurment (currently $119 for 2 years from Network Solutions (Verisign) but some people like this service. Realistically, if you've read TrinityOS this far, you obviously want to run your own domain on your OWN server.

   • NOTE #2: Realistically, the primary and multiple secondary servers shouldn't be on the same network or preferably even through the same ISP. For example: if you want to put a DNS server behind your "XYZ" ISP provider, your secondary DNS servers shouldn't be connected via "XYZ" as well. Why? What happens if the ISP's network goes down? ALL DNS for your domain will fail. That means email will bounce, etc.

3. A permanent Internet connection with a static IP --OR-- you can sign up with some of those dynamic DNS providers and THEY can then update their zones to you.

4. A credit card (makes things easier but they can also bill you too for bulk requests). Each domain currently costs different amounts depending which Registrar you use. DirectNIC charges $15 (U.S.) per domain but other Registrars might be even cheaper. Do your homework and see what you find.

   NOTE: Fortunately, you can usually deduct this cost from your taxes.

5. Now, with all this information (IP addresses, etc), go to http://www.internic.net and pick a Registrar. The incumbant registrar is Network Solutions (NSI) but my experience with them hasn't been very good. Though I can't recommend one registrar over another, I encourage you to research it a little. If you have good/bad luck with some of these new players, I'd love to hear from you.

6. Follow the prompts and enter in your domain name(s). Then click on either "reserve" or "register".

   NOTE: In the past, all DNS registrations were done via an email-only system. It was confusing at times and a pain. The new systems are usually SSL WWW based and is much easier to use. Interestingly enough, NSI would let you fill things out via a WWW form but it still would email you the completed form and then expect you to EMAIL it back to them. Lame. This might not be the case anymore as I don't use nor recommend NSI anymore.

   NOTE #2: Do not put in bogus data for any of the fields thinking it will keep your information private from SPAMMERs, etc.. Registrars check the info and if it doesn't all check, they will deny you the domain. They need your snail mailing address for your receipt and telephone numbers in case your DNS server, etc. goes down, is hacked into, etc. Them having your phone number is more valuable than you might think.

   NOTE #3: If you chose to use Network Solutions, you might be filling out the new Contact Information area, you might see the section for security. There are three types:

   ---

           MAIL-FROM:  This means that any changes to your domain must come
                                   from an email address from your domain and it is
                                   the default setting.  
   
                                   DO NOT USE THIS OPTION.
   
                                   Its too simple for remote people to forge email.
                                   Because of this, many people have had their domains
                                   STOLEN from them because of this weak link.
   
           CRYPT:          This is a password encrypted setup.  This is pretty good 
                                   as long as you use a GOOD password.  See 
                   <ref id="sect-8" name="Section 8"> in TrinityOS for how to 
                   pick good passwords.
   
           PGP:            This is the ultimate in security and you need to submit your 
                                   public PGP key to the Internic.  BE WARNED:
                                   If you change your PGP key often (your need to do this), 
                                   you might lock yourself out of your domain and you will 
                                   have to call the Internic direct.
     
   

   ---

   If you DO NOT SEE these fields, don't worry. Once you finish your domain registration, go back to:

   http://www.networksolutions.com/cgi-bin/itts/handle

   and change it there.

7. When the Registrar asks you for an email address, do NOT use an email address that will be behind this new domain. Why? Until you get this DNS system fully running, any email from the Registrar sent to this email will be lost! Get it? Putting it another way, if you have problems with your domain and email isn't working, you WON'T be able to fix it because some registrars expect Domain change emails to come FROM the problem DNS domain. Stupid.. very stupid. Eh.. But.. don't worry, once everything works uine, you can go back and change this address.

8. After that, its pretty simple and VERY fast.

If you need more info on DNS, follow this great HOWTO:

ftp://sunsite.unc.edu/pub/Linux/docs/HOWTO/DNS-HOWTO