network-dns.html

FreeBSD操作系统的详细使用手册

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cp /etc/localtime etc</kbd><a
id="LOCALTIME" name="LOCALTIME"><img src="./imagelib/callouts/1.png" hspace="0"
vspace="0" border="0" alt="(1)" /></a>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">mv named.conf etc &#38;&#38; ln -sf etc/named.conf</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">mv named.root master</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">sh make-localhost &#38;&#38; mv localhost.rev localhost-v6.rev master</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cat &#62; master/named.localhost
$ORIGIN localhost.
$TTL 6h
@   IN  SOA localhost. postmaster.localhost. (
            1   ; serial
            3600    ; refresh
            1800    ; retry
            604800  ; expiration
            3600 )  ; minimum
    IN  NS  localhost.
    IN  A       127.0.0.1
^D</kbd>
</pre>

<div class="CALLOUTLIST">
<dl compact="COMPACT">
<dt><a href="network-dns.html#LOCALTIME"><img src="./imagelib/callouts/1.png" hspace="0"
vspace="0" border="0" alt="(1)" /></a></dt>

<dd>This allows <b class="APPLICATION">named</b> to log the correct time to <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=syslogd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">syslogd</span>(8)</span></a>.</dd>
</dl>
</div>
</li>

<li>
<p>If you are running a version of FreeBSD prior to 4.9-RELEASE, build a statically
linked copy of <b class="APPLICATION">named-xfer</b>, and copy it into the sandbox:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /usr/src/lib/libisc</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">make cleandir &#38;&#38; make cleandir &#38;&#38; make depend &#38;&#38; make all</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /usr/src/lib/libbind</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">make cleandir &#38;&#38; make cleandir &#38;&#38; make depend &#38;&#38; make all</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /usr/src/libexec/named-xfer</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">make cleandir &#38;&#38; make cleandir &#38;&#38; make depend &#38;&#38; make NOSHARED=yes all</kbd>
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">cp named-xfer /etc/namedb/bin &#38;&#38; chmod 555 /etc/namedb/bin/named-xfer</kbd><a
 id="CLEAN-CRUFT" name="CLEAN-CRUFT"><img src="./imagelib/callouts/1.png" hspace="0"
vspace="0" border="0" alt="(1)" /></a>
</pre>

<p>After your statically linked <tt class="COMMAND">named-xfer</tt> is installed some
cleaning up is required, to avoid leaving stale copies of libraries or programs in your
source tree:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /usr/src/lib/libisc</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">make cleandir</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /usr/src/lib/libbind</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">make cleandir</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">cd /usr/src/libexec/named-xfer</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">make cleandir</kbd>
</pre>

<div class="CALLOUTLIST">
<dl compact="COMPACT">
<dt><a href="network-dns.html#CLEAN-CRUFT"><img src="./imagelib/callouts/1.png"
hspace="0" vspace="0" border="0" alt="(1)" /></a></dt>

<dd>This step has been reported to fail occasionally. If this happens to you, then issue
the command:</dd>

<dd>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">cd /usr/src &#38;&#38; make cleandir &#38;&#38; make cleandir</kbd>
</pre>
</dd>

<dd>
<p>and delete your <tt class="FILENAME">/usr/obj</tt> tree:</p>
</dd>

<dd>
<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">rm -fr /usr/obj &#38;&#38; mkdir /usr/obj</kbd>
</pre>
</dd>

<dd>
<p>This will clean out any ``cruft'' from your source tree, and retrying the steps above
should then work.</p>
</dd>
</dl>
</div>

<p>If you are running FreeBSD version 4.9-RELEASE or later, then the copy of <tt
class="COMMAND">named-xfer</tt> in <tt class="FILENAME">/usr/libexec</tt> is statically
linked by default, and you can simply use <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=cp&sektion=1"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">cp</span>(1)</span></a> to copy it into
your sandbox.</p>
</li>

<li>
<p>Make a <tt class="FILENAME">dev/null</tt> that <b class="APPLICATION">named</b> can
see and write to:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">cd /etc/namedb/dev &#38;&#38; mknod null c 2 2</kbd>
<samp class="PROMPT">#</samp> <kbd class="USERINPUT">chmod 666 null</kbd>
</pre>
</li>

<li>
<p>Symlink <tt class="FILENAME">/var/run/ndc</tt> to <tt
class="FILENAME">/etc/namedb/var/run/ndc</tt>:</p>

<pre class="SCREEN">
<samp class="PROMPT">#</samp> <kbd
class="USERINPUT">ln -sf /etc/namedb/var/run/ndc /var/run/ndc</kbd>
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> This simply avoids having to specify the <var class="OPTION">-c</var>
option to <a href="http://www.FreeBSD.org/cgi/man.cgi?query=ndc&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ndc</span>(8)</span></a> every time you
run it. Since the contents of <tt class="FILENAME">/var/run</tt> are deleted on boot, if
this is something that you find useful you may wish to add this command to <tt
class="USERNAME">root</tt>'s <tt class="FILENAME">crontab</tt>, making use of the <var
class="OPTION">@reboot</var> option. See <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=crontab&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">crontab</span>(5)</span></a> for more
information regarding this.</p>
</blockquote>
</div>
</li>

<li>
<p>Configure <a href="http://www.FreeBSD.org/cgi/man.cgi?query=syslogd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">syslogd</span>(8)</span></a> to create
an extra <tt class="DEVICENAME">log</tt> socket that <b class="APPLICATION">named</b> can
write to. To do this, add <var class="LITERAL">-l /etc/namedb/dev/log</var> to the <var
class="VARNAME">syslogd_flags</var> variable in <tt
class="FILENAME">/etc/rc.conf</tt>.</p>
</li>

<li>
<p>Arrange to have <b class="APPLICATION">named</b> start and <tt
class="COMMAND">chroot</tt> itself to the sandbox by adding the following to <tt
class="FILENAME">/etc/rc.conf</tt>:</p>

<pre class="PROGRAMLISTING">
named_enable="YES"
named_flags="-u bind -g bind -t /etc/namedb /etc/named.conf"
</pre>

<div class="NOTE">
<blockquote class="NOTE">
<p><b>Note:</b> Note that the configuration file <var
class="REPLACEABLE">/etc/named.conf</var> is denoted by a full pathname <span
class="emphasis"><i class="EMPHASIS">relative to the sandbox</i></span>, i.e. in the line
above, the file referred to is actually <tt
class="FILENAME">/etc/namedb/etc/named.conf</tt>.</p>
</blockquote>
</div>
</li>
</ul>

<p>The next step is to edit <tt class="FILENAME">/etc/namedb/etc/named.conf</tt> so that
<b class="APPLICATION">named</b> knows which zones to load and where to find them on the
disk. There follows a commented example (anything not specifically commented here is no
different from the setup for a DNS server not running in a sandbox):</p>

<pre class="PROGRAMLISTING">
options {
        directory "/";<a id="DIRECTORY" name="DIRECTORY"><img
src="./imagelib/callouts/1.png" hspace="0" vspace="0" border="0" alt="(1)" /></a>
        named-xfer "/bin/named-xfer";<a id="NAMED-XFER" name="NAMED-XFER"><img
src="./imagelib/callouts/2.png" hspace="0" vspace="0" border="0" alt="(2)" /></a>
        version "";     // Don't reveal BIND version
        query-source address * port 53;
};
// ndc control socket
controls {
        unix "/var/run/ndc" perm 0600 owner 0 group 0;
};
// Zones follow:
zone "localhost" IN {
        type master;
        file "master/named.localhost";<a id="MASTER" name="MASTER"><img
src="./imagelib/callouts/3.png" hspace="0" vspace="0" border="0" alt="(3)" /></a>
        allow-transfer { localhost; };
        notify no;
};
zone "0.0.127.in-addr.arpa" IN {
        type master;
        file "master/localhost.rev";
        allow-transfer { localhost; };
        notify no;
};
zone "0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.int" {
    type master;
    file "master/localhost-v6.rev";
    allow-transfer { localhost; };
    notify no;
};
zone "." IN {
        type hint;
        file "master/named.root";
};
zone "private.example.net" in {
        type master;
        file "master/private.example.net.db";
    allow-transfer { 192.168.10.0/24; };
};
zone "10.168.192.in-addr.arpa" in {
        type slave;
        masters { 192.168.10.2; };
        file "slave/192.168.10.db";<a id="SLAVE" name="SLAVE"><img
src="./imagelib/callouts/4.png" hspace="0" vspace="0" border="0" alt="(4)" /></a>
};
</pre>

<div class="CALLOUTLIST">
<dl compact="COMPACT">
<dt><a href="network-dns.html#DIRECTORY"><img src="./imagelib/callouts/1.png" hspace="0"
vspace="0" border="0" alt="(1)" /></a></dt>

<dd>The <var class="LITERAL">directory</var> statement is specified as <tt
class="FILENAME">/</tt>, since all files that <b class="APPLICATION">named</b> needs are
within this directory (recall that this is equivalent to a ``normal'' user's <tt
class="FILENAME">/etc/namedb</tt>).</dd>

<dt><a href="network-dns.html#NAMED-XFER"><img src="./imagelib/callouts/2.png" hspace="0"
vspace="0" border="0" alt="(2)" /></a></dt>

<dd>Specifies the full path to the <tt class="COMMAND">named-xfer</tt> binary (from <b
class="APPLICATION">named</b>'s frame of reference). This is necessary since <b
class="APPLICATION">named</b> is compiled to look for <tt class="COMMAND">named-xfer</tt>
in <tt class="FILENAME">/usr/libexec</tt> by default.</dd>

<dt><a href="network-dns.html#MASTER"><img src="./imagelib/callouts/3.png" hspace="0"
vspace="0" border="0" alt="(3)" /></a></dt>

<dd>Specifies the filename (relative to the <var class="LITERAL">directory</var>
statement above) where <b class="APPLICATION">named</b> can find the zone file for this
zone.</dd>

<dt><a href="network-dns.html#SLAVE"><img src="./imagelib/callouts/4.png" hspace="0"
vspace="0" border="0" alt="(4)" /></a></dt>

<dd>Specifies the filename (relative to the <var class="LITERAL">directory</var>
statement above) where <b class="APPLICATION">named</b> should write a copy of the zone
file for this zone after successfully transferring it from the master server. This is why
we needed to change the ownership of the directory <tt class="FILENAME">slave</tt> to <tt
class="GROUPNAME">bind</tt> in the setup stages above.</dd>
</dl>
</div>

<p>After completing the steps above, either reboot your server or restart <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=syslogd&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">syslogd</span>(8)</span></a> and start
<a href="http://www.FreeBSD.org/cgi/man.cgi?query=named&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">named</span>(8)</span></a>, making sure
to use the new options specified in <var class="VARNAME">syslogd_flags</var> and <var
class="VARNAME">named_flags</var>. You should now be running a sandboxed copy of <b
class="APPLICATION">named</b>!</p>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN35286" name="AEN35286">23.6.9 Security</a></h2>

<p>Although BIND is the most common implementation of DNS, there is always the issue of
security. Possible and exploitable security holes are sometimes found.</p>

<p>It is a good idea to read <a href="http://www.cert.org/" target="_top">CERT</a>'s
security advisories and to subscribe to the <a
href="http://lists.FreeBSD.org/mailman/listinfo/freebsd-security-notifications"
target="_top">FreeBSD security notifications mailing list</a> to stay up to date with the
current Internet and FreeBSD security issues.</p>

<div class="TIP">
<blockquote class="TIP">
<p><b>Tip:</b> If a problem arises, keeping sources up to date and having a fresh build
of <b class="APPLICATION">named</b> would not hurt.</p>
</blockquote>
</div>
</div>

<div class="SECT2">
<h2 class="SECT2"><a id="AEN35295" name="AEN35295">23.6.10 Further Reading</a></h2>

<p>BIND/<b class="APPLICATION">named</b> manual pages: <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=ndc&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">ndc</span>(8)</span></a> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=named&sektion=8"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">named</span>(8)</span></a> <a
href="http://www.FreeBSD.org/cgi/man.cgi?query=named.conf&sektion=5"><span
class="CITEREFENTRY"><span class="REFENTRYTITLE">named.conf</span>(5)</span></a></p>

<ul>
<li>
<p><a href="http://www.isc.org/products/BIND/" target="_top">Official ISC BIND
Page</a></p>
</li>

<li>
<p><a href="http://www.nominum.com/getOpenSourceResource.php?id=6" target="_top">BIND
FAQ</a></p>
</li>

<li>
<p><a href="http://www.oreilly.com/catalog/dns4/" target="_top">O'Reilly DNS and BIND 4th
Edition</a></p>
</li>

<li>
<p><a href="ftp://ftp.isi.edu/in-notes/rfc1034.txt" target="_top">RFC1034 - Domain Names
- Concepts and Facilities</a></p>
</li>

<li>
<p><a href="ftp://ftp.isi.edu/in-notes/rfc1035.txt" target="_top">RFC1035 - Domain Names
- Implementation and Specification</a></p>
</li>
</ul>
</div>
</div>

<div class="NAVFOOTER">
<hr align="LEFT" width="100%" />
<table summary="Footer navigation table" width="100%" border="0" cellpadding="0"
cellspacing="0">
<tr>
<td width="33%" align="left" valign="top"><a href="network-dhcp.html"
accesskey="P">Prev</a></td>
<td width="34%" align="center" valign="top"><a href="index.html"
accesskey="H">Home</a></td>
<td width="33%" align="right" valign="top"><a href="network-bind9.html"
accesskey="N">Next</a></td>
</tr>

<tr>
<td width="33%" align="left" valign="top">Automatic Network Configuration (DHCP)</td>
<td width="34%" align="center" valign="top"><a href="network-servers.html"
accesskey="U">Up</a></td>
<td width="33%" align="right" valign="top"><acronym class="ACRONYM">BIND</acronym>9 and
FreeBSD</td>
</tr>
</table>
</div>

<p align="center"><small>This, and other documents, can be downloaded from <a
href="ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/">ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/</a>.</small></p>

<p align="center"><small>For questions about FreeBSD, read the <a
href="http://www.FreeBSD.org/docs.html">documentation</a> before contacting &#60;<a
href="mailto:questions@FreeBSD.org">questions@FreeBSD.org</a>&#62;.<br />
For questions about this documentation, e-mail &#60;<a
href="mailto:doc@FreeBSD.org">doc@FreeBSD.org</a>&#62;.</small></p>
</body>
</html>