The release of FreeBSD 5.3 brought the BIND9 DNS server software into the distribution. New security features, a new file system layout and automated chroot(8) configuration came with the import. This section has been written in two parts: the first discusses the new features and their configuration; the latter covers upgrades to aid in the move to FreeBSD 5.3. From this point on, the server will be referred to simply as named(8) in place of BIND. This section skips over the terminology described in the previous section as well as some of the theoretical discussions; thus, it is recommended that the previous section be consulted before reading any further here.
Configuration files for named currently reside in /var/named/etc/namedb/ and will need modification before use. This is where most of the configuration will be performed.
To configure a master zone, visit /var/named/etc/namedb/ and run the following command:

    # sh make-localhost
If all went well, a new file should exist in the master directory. The filenames should be localhost.rev for the local domain name and localhost-v6.rev for IPv6 configurations. As the default configuration file, configuration for its use will already be present in the named.conf file.
Configuration for extra domains or sub domains may be done properly by setting them as a slave zone. In most cases, the master/localhost.rev file could just be copied over into the slave directory and modified. Once completed, the files need to be properly added in named.conf, such as in the following configuration for example.com:

    zone "example.com" {
        type slave;
        file "slave/example.com";
        masters {
            10.0.0.1;
        };
    };

    zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/0.168.192.in-addr.arpa";
        masters {
            10.0.0.1;
        };
    };
Note well that in this example, the master IP address is the primary domain server from which the zones are transferred; it does not necessarily serve as a DNS server itself.
In order for the named daemon to start when the system is booted, the following option must be present in the rc.conf file:

    named_enable="YES"
While other options exist, this is the bare minimum requirement. Consult the rc.conf(5) manual page for a list of the other options. If nothing is entered in the rc.conf file, then named may be started on the command line by invoking:

    # /etc/rc.d/named start
While FreeBSD automatically drops named into a chroot(8) environment, there are several other security mechanisms in place which could help to fend off possible attacks on the DNS service.
A query access control list can be used to restrict queries against the zones. The configuration works by defining the network inside of the acl token and then referring to that acl by name in the allow-query statement of the zone configuration. To permit domains to query the example host, just define it like this:

    acl "example.com" {
        192.168.0.0/24;
    };

    zone "example.com" {
        type slave;
        file "slave/example.com";
        masters {
            10.0.0.1;
        };
        allow-query { example.com; };
    };

    zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/0.168.192.in-addr.arpa";
        masters {
            10.0.0.1;
        };
        allow-query { example.com; };
    };
Permitting version lookups on the DNS server could open the door to an attacker. A malicious user may use this information to look up known exploits or bugs to utilize against the host.
Setting a false version will not protect the server from exploits. Only upgrading to a version that is not vulnerable will protect your server.
A false version string can be placed in the options section of named.conf:

    options {
        directory "/etc/namedb";
        pid-file "/var/run/named/pid";
        dump-file "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version "None of your business";
    };
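As an added example that is not part of the Handbook or of BIND itself, the following Python script parses named.conf's brace-and-semicolon syntax and audits the zone and options statements for the two settings discussed above: an allow-query that is missing, set to any, or naming an acl that was never defined, and an options block without a version string. The sample configuration embedded in it is constructed from this section's examples; the parser handles // and # comments only, not /* */.

```python
import re

TOKEN = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')  # quoted strings, punctuation, bare words
ADDRESS = re.compile(r"^!?[0-9a-fA-F]*[.:][0-9a-fA-F.:]*(/\d+)?$")  # IPv4/IPv6, optional prefix
BUILTIN_ACLS = {"any", "none", "localhost", "localnets"}

def parse(text):
    """named.conf text -> [(words, children)]; children is None for a leaf statement."""
    tokens = TOKEN.findall(re.sub(r"(//|#)[^\n]*", "", text))  # strips // and # comments
    pos = 0
    def block():
        nonlocal pos
        stmts, words = [], []
        while pos < len(tokens):
            tok, pos = tokens[pos], pos + 1
            if tok == "}":
                break
            if tok in ("{", ";"):
                child = block() if tok == "{" else None  # '{' opens a nested block
                if words:  # the ';' that follows a '}' carries no words and is skipped
                    stmts.append((words, child))
                words = []
            else:
                words.append(tok.strip('"'))
        return stmts
    return block()

def audit(text):
    """Findings: zones lacking allow-query or using 'any'/undefined acls; options without version."""
    stmts = parse(text)
    acls = BUILTIN_ACLS | {w[1] for w, _ in stmts if w[0] == "acl" and len(w) > 1}
    findings = []
    for words, children in stmts:
        if words[0] == "options" and not any(w[0] == "version" for w, _ in children or []):
            findings.append("options: no version string set")
        elif words[0] == "zone":
            allow = [c for w, c in children or [] if w[0] == "allow-query"]
            if not allow:
                findings.append(f"zone {words[1]}: no allow-query, answers any client")
            for w, _ in (allow[0] or []) if allow else []:
                if w[0] == "any":
                    findings.append(f"zone {words[1]}: allow-query any")
                elif not ADDRESS.match(w[0]) and w[0] not in acls:
                    findings.append(f"zone {words[1]}: undefined acl {w[0]!r}")
    return findings

# Constructed sample: this section's acl and slave zones, but the reverse zone lacks allow-query.
SAMPLE = """acl "example.com" { 192.168.0.0/24; }; options { directory "/etc/namedb"; version "None of your business"; };
zone "example.com" { type slave; file "slave/example.com"; masters { 10.0.0.1; }; allow-query { example.com; }; };
zone "0.168.192.in-addr.arpa" { type slave; file "slave/0.168.192.in-addr.arpa"; masters { 10.0.0.1; }; };"""
```

Running audit(SAMPLE) reports only the reverse zone, since it has no allow-query and therefore answers any client; named-checkconf(8) does not flag this because the configuration is syntactically valid.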
This and other documents can be downloaded from ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/.
For questions about FreeBSD, read the FreeBSD documentation first; if that does not resolve them, contact <questions@FreeBSD.org>.
For questions about this document, contact <doc@FreeBSD.org>.