27.7. BIND9 and FreeBSD

Written by Tom Rhodes.

The release of FreeBSD 5.3 brought the BIND9 DNS server software into the distribution. New security features, a new file system layout and automated chroot(8) configuration came with the import. This section has been written in two parts, the first will discuss new features and their configuration; the latter will cover upgrades to aid in move to FreeBSD 5.3. From this moment on, the server will be referred to simply as named(8) in place of BIND. This section skips over the terminology described in the previous section as well as some of the theoretical discussions; thus, it is recommended that the previous section be consulted before reading any further here.

Configuration files for named currently reside in /var/named/etc/namedb/ and will need modification before use. This is where most of the configuration will be performed.

27.7.1. Configuration of a Master Zone

To configure a master zone visit /var/named/etc/namedb/ and run the following command:

# sh make-localhost

If all went well a new file should exist in the master directory. The filenames should be localhost.rev for the local domain name and localhost-v6.rev for IPv6 configurations. As the default configuration file, configuration for its use will already be present in the named.conf file.

27.7.2. Configuration of a Slave Zone

Configuration for extra domains or sub domains may be done properly by setting them as a slave zone. In most cases, the master/localhost.rev file could just be copied over into the slave directory and modified. Once completed, the files need to be properly added in named.conf such as in the following configuration for example.com:

zone "example.com" {
        type slave;
        file "slave/example.com";
        masters {
                10.0.0.1;
        };
};

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/0.168.192.in-addr.arpa";
        masters {
                10.0.0.1;
        };
};

Note well that in this example, the master IP address is the primary domain server from which the zones are transferred; it does not necessary serve as DNS server itself.

27.7.3. System Initialization Configuration

In order for the named daemon to start when the system is booted, the following option must be present in the rc.conf file:

named_enable="YES"

While other options exist, this is the bare minimal requirement. Consult the rc.conf(5) manual page for a list of the other options. If nothing is entered in the rc.conf file then named may be started on the command line by invoking:

# /etc/rc.d/named start

27.7.4. BIND9 Security

While FreeBSD automatically drops named into a chroot(8) environment; there are several other security mechanisms in place which could help to lure off possible DNS service attacks.

27.7.4.1. Query Access Control Lists

A query access control list can be used to restrict queries against the zones. The configuration works by defining the network inside of the acl token and then listing IP addresses in the zone configuration. To permit domains to query the example host, just define it like this:

acl "example.com" {
        192.168.0.0/24;
};

zone "example.com" {
        type slave;
        file "slave/example.com";
        masters {
                10.0.0.1;
        };
	allow-query { example.com; };
};

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/0.168.192.in-addr.arpa";
        masters {
                10.0.0.1;
        };
	allow-query { example.com; };
};

27.7.4.2. Restrict Version

Permitting version lookups on the DNS server could be opening the doors for an attacker. A malicious user may use this information to hunt up known exploits or bugs to utilize against the host.

警告Setting a false version will not protect the server from exploits. Only upgrading to a version that is not vulnerable will protect your server.

A false version string can be placed the options section of named.conf:

options {
        directory       "/etc/namedb";
        pid-file        "/var/run/named/pid";
        dump-file       "/var/dump/named_dump.db";
        statistics-file "/var/stats/named.stats";
        version		"None of your business";
};

本文及其他文件,可由此下載:ftp://ftp.FreeBSD.org/pub/FreeBSD/doc/

若有 FreeBSD 方面疑問,請先閱讀 FreeBSD 相關文件,如不能解決的話,再洽詢 <questions@FreeBSD.org>。
關於本文件的問題,請洽詢 <doc@FreeBSD.org>。