Bind on OpenBSD

From Free Knowledge Base- The DUCK Project: information for everyone
Jump to: navigation, search

OPENBSD NOTES: Bind on OpenBSD         AUG 2005


REFERENCE: Identify the key files:

text config files

 /etc/resolv.conf                     <- dns server resolution

Local DNS configuration

Place the DNS server information in /etc/resolv.conf

 nameserver 64.21.192.4
 nameserver 10.10.0.13
 lookup file bind

bind

bind listens on TCP port 53 and UDP port 53 for queries from DNS clients or other servers. OpenBSD bind is installed in a chroot jail ( /var/named ) by default.

Contents:

 dev/ etc/ master/ slave/ standard/

The bind configuration file:

 /var/named/etc/named.conf

bind 9 cannot be started by rndc but can be controlled by it.

starting bind manually and testing

Start bind specifing the non-priv user 'named' in the chroot jail at debug level three.

 named -t /var/named -u named -d 3

Information and errors will appear in the system log also:

 cat /var/log/messages

configure bind to start up on system start

Edit the /etc/rc.conf file, adding the following line:

 named_flags="-t /var/named -u named"

using rndc to perform tasks such as zone reloading

reload config file and all zones

 rndc reload

reload a specific dns zone file for a domain

 rndc reload domainname.com

check the status of the dns server

 rndc status

checking the syntax of master zone file

The command named-checkzone will help troubleshoot syntax errors in your domain zone files.

 named-zonecheck domain.com /var/named/master/db.domain.com


BELOW: Introduction to DNS guide by Peter Matulis (MORE DETAILED INFO)

Introduction to DNS
- including caching nameserver -

tutorial updated:      Friday, July 22, 2005
operating system:      OpenBSD 3.7 stable (July 15, 2005)

preamble

A caching DNS server is one way of improving one's internet browsing when you
have a slow link to an ISP. This tutorial will therefore be of most use to
those with a dial-up (regular modem) connection.

In general, what any DNS server does is resolves names to numbers. A name goes
in and a number, an IP address, comes out (there is also reverse resolving).
However simple this sounds, due to the complexity of the internet, the DNS
system can become surprisingly confusing.

There are several types of DNS servers. A caching type is one that does not
contain a raw mapping of names to addresses (such a type is called an
authoritative server which can be further subdivided into master [also called
a primary], slave, and stealth types) but acts as an intermediary between a
DNS client (or resolver) and another DNS server. A caching server is also
called a recursive server. Any type of DNS server can be given the title of
nameserver.

The key here is that when the caching server eventually finds the name/address
mapping and sends it to the requesting client it will remember the resolution
and store it inside itself. The next time the client makes the same request
the caching server will respond back immediately thereby saving a non-trivial
amount of time (you can think of it as a forward DNS proxy server). The slower
your connection to the internet the more benefit you will derive from such a
server. In order to maintain accuracy, there is a configurable expiration time
(time to live, TTL) on the server's data that forces it to periodically return
to the internet for updates.

Different operating systems will differ slightly in a DNS server's
implementation. I will be working with OpenBSD 3.4. Without too much trouble
you should be able to adjust to your environment.

Here is the breakdown:

   1. introduction to DNS on OpenBSD
   2. named.conf
   3. the three standard zone files
   4. starting and testing the server
   5. rndc
   6. debugging and query logging
   7. forwarders
   8. last words
   9. resources 

introduction to DNS on OpenBSD

In this section I will introduce some terms, concepts, and how OpenBSD
implements a DNS server.

First off, the actual software that runs the DNS service on most systems is
called bind. The main component in this software is a daemon called named
(prounounced "name-dee"). This daemon "listens" on TCP port 53 and UDP port 53
for queries from DNS clients or other servers.

OpenBSD now installs bind by default in a chroot environment. This limits the
amount of access any malicious individual could gain by exploiting
vulnerabilities in bind. In order to take advantage of this chroot jail bind
must run as a non-privileged user (such as user named). The jail is located at
/var/named. The contents of this directory will appear to be /, the root
directory. Nothing outside this directory will be accessible to it.

Here is the jail:

# ls -l /var/named
total 1044
drwxr-xr-x  2 root  named     512 Sep 17 04:56 dev
drwxr-x---  2 root  named     512 Jan 10 00:18 etc
drwxr-xr-x  2 root  named     512 Sep 17 04:56 master
drwxrwxr-x  2 root  named     512 Sep 17 04:56 slave
drwxr-xr-x  2 root  named     512 Jan  9 23:31 standard

The named configuration file named.conf is found under the etc directory.

Three other files which every kind of DNS server must have are found here
under the standard directory:

# ls -l standard/
total 40
-rw-r--r--  1 root  named   255 Sep 17 04:56 localhost
-rw-r--r--  1 root  named   258 Sep 17 04:56 loopback
-rw-r--r--  1 root  named  2560 Sep 17 04:56 root.hint

Version 9 of bind (the version we'll be using) can be controlled (but not
started) by the rndc utility. Its config file is /etc/rndc.conf.

So that's five files we'll be looking at.

A few things to keep in mind:

   1. Other operating systems may call all the files we've seen so far by
different names.
   2. OpenBSD is the only operating system I have seen that defines the
localhost domain. 

named.conf

This is the main configuration file. All you should modify at this point is
the description of clients that will be connecting to the nameserver.
Currently it is set to answer queries from the 192.168.1.0 network. There are
also three zones set up. These are required for any nameserver. We will take a
look at them in the next section.


// $OpenBSD: named-simple.conf,v 1.4 2003/02/27 14:44:04 todd Exp $
//

acl clients {
        192.168.1.0/24;
        ::1;
};

options {
        version "";     // remove this to allow version queries
        listen-on    { any; };
        allow-recursion { clients; };
};

// Standard zones
//
zone "." {
        type hint;
        file "standard/root.hint";
};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

the three standard zone files

As we saw already, the three standard zone files are:

   1. root.hint
   2. localhost
   3. loopback 

I will provide an explanation of each. These files are static and should never
have to be modified (although root.hint may be updated).

root.hint

The purpose of this file is to allow the server to contact a single root
server in order to download an authoritative list of root servers. So that's
why this zone is of type hint. It provides a clue on where to get info instead
of using its own data directly. This download occurs during server startup
after which this file is never used again.

When a nameserver is unable to answer a query it will contact one of the root
servers on this downloaded list which will return the address of another
server that can help. Your server will then contact this second server which
will reply with another server to question. This continues until your server
questions a server that knows the answer (to the original query).

This is where your server's cache comes into play. Each time it receives a
reply from any server along the way it will store (or cache) this information.
So a cache is built up not solely from the original query/answer. This is
important to understand.

I mentioned earlier that this file is required for any installation. Based on
what we now know, this file is not necessary if the server is servicing an
internal network. And even if you are connected to the internet, if the file
is missing bind has access to a list that was compiled in when the software
was created.


; formerly NS.INTERNIC.NET
;
.                        3600000  IN  NS    A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET.      3600000      A     198.41.0.4
;
; formerly NS1.ISI.EDU
;
.                        3600000      NS    B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET.      3600000      A     128.9.0.107
;
; formerly C.PSI.NET
;
.                        3600000      NS    C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET.      3600000      A     192.33.4.12
;
; formerly TERP.UMD.EDU
;
.                        3600000      NS    D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET.      3600000      A     128.8.10.90
;
; formerly NS.NASA.GOV
;
.                        3600000      NS    E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET.      3600000      A     192.203.230.10
;
; formerly NS.ISC.ORG
;
.                        3600000      NS    F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET.      3600000      A     192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
.                        3600000      NS    G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET.      3600000      A     192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
.                        3600000      NS    H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET.      3600000      A     128.63.2.53
;
; formerly NIC.NORDU.NET
;
.                        3600000      NS    I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET.      3600000      A     192.36.148.17
;
; operated by VeriSign, Inc.
;
.                        3600000      NS    J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET.      3600000      A     192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
.                        3600000      NS    K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET.      3600000      A     193.0.14.129
;
; operated by IANA
;
.                        3600000      NS    L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET.      3600000      A     198.32.64.12
;
; housed in Japan, operated by WIDE
;
.                        3600000      NS    M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET.      3600000      A     202.12.27.33
; End of File

Visit www.root-servers.org for more info on the root servers.

localhost

On OpenBSD we have our first forward name resolution zone. It resolves the
host name localhost to the loopback address 127.0.0.1.


; $OpenBSD: db.localhost,v 1.1 2003/01/20 22:30:13 jakob Exp $

$ORIGIN localhost.
$TTL 6h

@       IN      SOA     localhost. root.localhost. (
                        1       ; serial
                        1h      ; refresh
                        30m     ; retry
                        7d      ; expiration
                        1h )    ; minimum

                NS      localhost.
                A       127.0.0.1
                AAAA    ::1

loopback

Every nameserver is the master of its own loopback domain. The whole point of
creating the loopback interface is to reduce network traffic. Sending domain
queries about the loopback address across the network would defeat that
purpose.

The loopback domain is a reverse domain. It is used to map the loopback
address 127.0.0.1 to the host name localhost.


; $OpenBSD: db.loopback,v 1.1 2003/01/20 22:30:13 jakob Exp $

$ORIGIN 127.in-addr.arpa.
$TTL 6h

@       IN      SOA     localhost. root.localhost. (
                        1       ; serial
                        1h      ; refresh
                        30m     ; retry
                        7d      ; expiration
                        1h )    ; minimum

                NS      localhost.
1.0.0           PTR     localhost.

starting and testing the server

Let's start this beast:
# named -t /var/named -u named -d 3

So we've specified the chroot environment and the non-privileged user as well
as a debug level of three.

Let's look at our system's logs:
# tail /var/log/messages
Jan 11 00:51:54 apriori named[9146]: starting BIND 9.2.2 -t /var/named -u
named -d 3

Yeah! Good stuff.

Onto testing now. On the server, use tcpdump to see what's happening on the
wire:
# tcpdump -i tun0 -ttt -n not '(port 22 or 80 or 110)'         { your mileage may
# vary }

Now find yourself a client (I'm using a Windows 2000 machine) and tell it to
use our OpenBSD box as its nameserver. Once that's done, open a web browser
and go somewhere. Check the tcpdump output. You should get many lines with
port 53 involved. This proves the server is working.

As explained in the preamble, the purpose of setting up a caching nameserver
is to take advantage of its cache. Therefore only stop or restart the server
when necessary for the cache is emptied when you do this.

rndc

The rndc utility, or the Remote Name Daemon Control program, provides some
control over the nameserver. It doesn't work out of the box. As a security
measure, it requires setting up before named will allow itself to be
controlled. That's what we'll look at now.

This tool does pretty much the same as ndc does in Bind 8. Here are its main
features:

    * Reload a zone
    * Stop the server
    * View the server's status
    * Turn on (or off) log querying
    * Dump the server's cache to a file
    * Flush the server's cache
    * Change debugging levels 

In order for this to work, the rndc and named configuration files, rndc.conf
and named.conf respectively, must be in agreement. We can use the rndc-confgen
tool to generate an appropriate configuration:
# rndc-confgen | tee /etc/rndc.conf

This yields:

# Start of rndc.conf
key "rndc-key" {
        algorithm hmac-md5;
        secret "OCC0vk4pyIkYMjeeHNSZ2A==";
};

options {
        default-key "rndc-key";
        default-server 127.0.0.1;
        default-port 953;
};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
#       algorithm hmac-md5;
#       secret "OCC0vk4pyIkYMjeeHNSZ2A==";
# };
#
# controls {
#       inet 127.0.0.1 port 953
#               allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf

Due to the way I invoked the utility, the above configuration now resides in
/etc/rndc.conf. Cut out (or copy) the bottom portion and paste it into
named.conf.

The first chunk (for both files) specifies our secret key and the second chunk
(for both files; although slightly different for named.conf) specifies the
address and port of the nameserver to be controlled (otherwise known as a
channel).

Stop the server, start it, and then give rndc a dry run:

# kill `cat /var/run/named.pid`
# /usr/sbin/named -t /var/named -u named -d 3
# rndc status

number of zones: 3
debug level: 3
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running

Restarting named with its modified config file should of generated something
similar to the following in your system's log file:

Jan 11 19:18:13 apriori named[26221]: starting BIND 9.2.2 -t /var/named -u
named -d 3
Jan 11 19:18:13 apriori named[26221]: command channel listening on
127.0.0.1#953

To look at the cache's contents you must first dump it to file:
# rndc dumpdb

It is an ASCII text file and is, by default, named named_dump.db. It ends up
in the root of your chroot jail (probably /var/named).

One way to see that the cache is working is to dump the cache to file, perform
a grep for an element of some domain you have never been to, surf to that
domain, dump the cache again, and issue the same grep command:

# rndc dumpdb
# grep altamira named_dump.db
# rndc dumpdb
# grep altamira named_dump.db

       

{ then surf to, say, www.altamira.com }



Whereas before I got no output from grep I now get this:

altamira.com.           14      NS      ns.uunet.ca.
www.altamira.com.       14      A       205.150.151.22
altamira.stockgroup.com. 1796   A       199.175.179.160

You can stop the server via rndc but you cannot start (or restart) it. We will
make more use of rndc in the next section.

debugging and query logging

Debugging is simply the logging of messages that are sent to your system's log
files (usually /var/log/messages). With the rndc tool we can change its level
to produce more or less information. Using the options trace, trace <some
level>, and notrace we can, respectively, increase the level, specify the
level, or turn off debugging. Below we specify a level of 2:
# rndc trace 2

The capture of communications related to name resolution is known as query
logging. In order to achieve this another adjustment must be made to
named.conf. Insert the following block of text:

logging {
        channel query_info {
                 file "named_query.log" versions 3 size 10m;
                 severity info;
                 print-category yes;
                 print-time yes;
         };

        category queries { query_info; };
        category resolver { query_info; };
};

       

{ the name of the channel }
{ the log filename, keep three rotated logs, rotate the log every 10 MB }
{ the "debug" level }
{ print the type of communication occuring for each message }
{ print the date and time for each message }


{ use the query_info channel for queries }
{ use the query_info channel for internet resolutions }


To remove the possibility for query logging (whether "queries" or "resolver")
replace the channel name ("query_info") with "null". To toggle such logging on
the fly use the rndc tool:
# rndc querylog

So with query logging activated issue the following command:
# tail -f /var/named/named_query.log

All name queries and internet resolutions should now be appended.

forwarders

So far we have been using our nameserver to scour the internet on its own in
search of name/address mappings. It talks to one server which will get an
answer on who to talk to next and so on. This is slow and inefficient.
Instead, the normal thing to do is to have it talk solely with the DNS servers
belonging to your ISP. Our server will then offload queries to one or two
servers which will handle the rest. Your ISP's nameservers also have huge
caches of their own that we can dip into directly. When we point our
nameserver to another nameserver like this we call this target nameserver a
forwarder.

An issue that arises when you're disconnected from the net is when you try
(for some reason) to resolve an external domain name. Your server will forward
the request along but will naturally be unable to connect. But then it will
try to contact the root servers as per our original config. It can take quite
a while for this to time out. To avoid this, we stipulate to only use the
forwarders (and not the root servers). There are other ways around this (see
here).

Implement all this by adding the next two lines to the options statement of
named.conf:

        forward only;
        forwarders { <your ISP DNS1>; <your ISP DNS2>; };

Reload your new configuration with rndc and test again with tcpdump. You
should see the server talking to your forwarder and there should also be far
less activity (less output). This indicates a more efficient setup.

Your final named.conf file should now look very similar to this:


// $OpenBSD: named-simple.conf,v 1.4 2003/02/27 14:44:04 todd Exp $
//

acl clients {
        192.168.1.0/24;
        ::1;
};

options {
        forward only;
        forwarders { 198.235.216.114; 206.47.244.104; };
        version "";     // remove this to allow version queries
        listen-on    { any; };
        allow-recursion { clients; };
};

key "rndc-key" {
        algorithm hmac-md5;
        secret "sOiIv9PpNGDzWx2FAPlFGg==";
};

controls {
        inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};

logging {
        channel query_info {
                 file "named_query.log" versions 3 size 10m;
                 severity debug;
                 print-category yes;
                 print-time yes;
         };

        category queries { query_info; };
        category resolver { query_info; };
      //category queries { null; };
      //category lame-servers { null; };
};

// Standard zones
//
zone "." {
        type hint;
        file "standard/root.hint";
};

zone "localhost" {
        type master;
        file "standard/localhost";
        allow-transfer { localhost; };
};

zone "127.in-addr.arpa" {
        type master;
        file "standard/loopback";
        allow-transfer { localhost; };
};

last words

On OpenBSD, in order to start the bind daemon when the computer starts we edit
the /etc/rc.conf file. Make sure a similar line exists and is not commented
out:
named_flags="-t /var/named -u named"

and

named_enable=YES

Add whatever options you want but the ones shown above are the minimum.

Reboot and test.

If you get any "permission denied" errors in /var/log/messages you may need to
kill and restart named. Just reloading the configuration with rndc will not
rectify these errors.

I hope you enjoyed this tutorial. Hopefully your dial-up connection is now a
little faster. If you want to improve it some more the next step is to install
a web proxy server (which caches web page content instead of name/address
mappings).