Installation of BIND on RHEL 6 with SELinux enforcing
May 14, 2011
It's been a while since I posted a new tutorial, and I finally found some time to do so again. What I share with you today is the installation of BIND on the new Red Hat Enterprise Linux 6 with SELinux enforcing. This BIND 9.7 release also ships with Fedora starting from version 13 (I think) and with CentOS 5.6. The new features of BIND 9.7 are described at this link:
http://cdns.net/DNSSEC.pdf
So let's get started.
1. First of all, check the base installation of the BIND RPMs (the minimum requirements for installing BIND):
[root@linuxiph ~]# rpm -qa | grep -i bind
bind-utils-9.7.0-5.P2.el6.i686
bind-libs-9.7.0-5.P2.el6.i686
bind-9.7.0-5.P2.el6_0.1.i686
and then list the files the package installs:
[root@linuxiph ~]# rpm -ql bind
—
—
—
/var/named
/var/named/data
/var/named/dynamic
/var/named/named.ca
/var/named/named.empty
/var/named/named.localhost
/var/named/named.loopback
/var/named/slaves
/var/run/named
[root@linuxiph ~]# chkconfig named on    # start the daemon at boot
[root@linuxiph ~]# service named start   # start BIND now
Starting named: [ OK ]
[root@linuxiph named]#
2. Check rndc status:
[root@linuxiph ~]# rndc status
version: 9.7.0-P2-RedHat-9.7.0-5.P2.el6_0.1
CPUs found: 2
worker threads: 2
number of zones: 16
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/0/1000
tcp clients: 0/100
server is up and running
[root@linuxiph ~]#
3. Check SELinux status:
[root@linuxiph named]# sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: enforcing
Mode from config file: disabled
Policy version: 24
Policy from config file: targeted
Otherwise, switch the running system to enforcing:
[root@linuxiph named]# setenforce 1
Note the "Mode from config file: disabled" line in the output above: setenforce only changes the running mode, so also set SELINUX=enforcing in /etc/selinux/config, or the server comes back up without SELinux after the next reboot (when going from disabled to enforcing, touch /.autorelabel before rebooting so the filesystem gets labelled).
POINTERS at this point: never replace /etc/named.conf and /etc/named.rfc1912.zones with the versions that come with the samples in /usr/share/doc/bind*/sample/. Also avoid replacing the contents of /var/named wholesale: files moved in from elsewhere keep their old SELinux context, and BIND will be unusable throughout the installation because of access-denied errors.
Why SELinux, I say? Well, according to Red Hat, SELinux is far more secure than a chroot, and that is the main reason I did not install the bind-chroot package.
YOU HAVE BEEN WARNED!
So let's continue...
Since the BIND requirements are already installed, we can now modify /etc/named.conf and create the forward and reverse zones.
For my installation I use linuxiph.com as the example domain. You can replace it with your own, whether it is a private or a production network; it works much the same except for the IP addresses.
4. Edit /etc/hosts. Here's mine:
[root@linuxiph named]# cat /etc/hosts
192.168.0.197 pinoy.linuxiph.com pinoy # Added by NetworkManager
127.0.0.1 localhost.localdomain localhost
::1 localhost6.localdomain6 localhost6
5. Modify /etc/named.conf:
[root@linuxiph named]# cat /etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    #listen-on port 53 { 127.0.0.1; 192.168.0.197; };
    listen-on port 53 { any; };
    #listen-on-v6 port 53 { ::1; };
    listen-on-v6 port 53 { any; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { localhost; 192.168.0.0/24; };
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "linuxiph.com" IN {
    type master;
    file "linuxiph.com.zone.signed";
    notify yes;
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
    allow-update { none; };
};
include "/etc/named.rfc1912.zones";
===========================================================
Note:
For basic testing you can turn these two options off; browsing from clients stalled when they were left on before the zone was signed. Re-enable them once the keys have been generated and the zone signed with them:
dnssec-enable no;
dnssec-validation no;
Also note that with listen-on { any; } and recursion yes, it is the allow-query { localhost; 192.168.0.0/24; } line that keeps this from being an open resolver: in BIND 9.7 allow-recursion falls back to allow-query when it is not set. If you ever widen allow-query, add an explicit allow-recursion { localhost; 192.168.0.0/24; }; first.
Why did the file for my forward zone become "linuxiph.com.zone.signed"?
Answer: you need to generate keys and sign the zone to be able to use BIND properly without any disturbance to browsing (DLV issues otherwise). The *.signed file is created by dnssec-signzone, which is covered in step 11.
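To make the open-resolver point concrete, here is an added example (not part of the original post) that audits an options{} block for it. It assumes BIND 9.7's ACL fallback order and single-line ACLs as in the config above; the hardened variant inside it, with an explicit allow-recursion, is my suggestion rather than the author's configuration.

```shell
#!/bin/sh
# Added example, not from the original post: a quick audit of the options{}
# block of a named.conf for the open-resolver trap. BIND 9.7 semantics are
# assumed: "recursion yes" is the default, and allow-recursion falls back to
# allow-query-cache, then allow-query, then localnets/localhost. So with
# listen-on { any; }, it is the allow-query line in the post's config that
# keeps outsiders from using the server as a recursive resolver.
# Limitation: ACLs are expected on one line, as they are in the post.

# Constructed input: the relevant lines of the post's /etc/named.conf.
RESTRICTED_CONF='options {
#listen-on port 53 { 127.0.0.1; 192.168.0.197; };
listen-on port 53 { any; };
allow-query { localhost; 192.168.0.0/24; };
recursion yes;
};'

# Constructed variant: same server, but allow-query opened to the world.
OPEN_CONF='options {
listen-on port 53 { any; };
allow-query { any; };
recursion yes;
};'

# Hardened form (my suggestion): say it explicitly instead of relying on the
# fallback chain, so a later edit of allow-query cannot open recursion.
HARDENED_CONF='options {
listen-on port 53 { 127.0.0.1; 192.168.0.197; };
allow-query { localhost; 192.168.0.0/24; };
allow-recursion { localhost; 192.168.0.0/24; };
recursion yes;
};'

# audit_recursion: reads named.conf text on stdin and prints one word:
#   no-recursion   recursion is off (pure authoritative server)
#   restricted     recursion is on, but an ACL limits who may use it
#   OPEN-RESOLVER  recursion is on and no ACL restricts it
audit_recursion() {
    awk '
    BEGIN { rec = 1 }                       # BIND default: recursion yes
    { sub(/\/\/.*/, ""); sub(/#.*/, "") }   # drop // and # comments first
    /recursion[ \t]+yes/ { rec = 1 }
    /recursion[ \t]+no/  { rec = 0 }
    /allow-(recursion|query-cache|query)[ \t]*\{/ {
        acl = $0
        sub(/.*\{/, "", acl); sub(/\}.*/, "", acl)   # keep what is inside { }
        gsub(/[ \t;]/, "", acl)
        if (acl != "any" && acl != "") restricted = 1
    }
    END {
        if (!rec) print "no-recursion"
        else if (restricted) print "restricted"
        else print "OPEN-RESOLVER"
    }'
}

for conf in "$RESTRICTED_CONF" "$OPEN_CONF" "$HARDENED_CONF"; do
    printf '%s\n' "$conf" | audit_recursion
done
```

On the server itself, run it as `audit_recursion < /etc/named.conf`. "restricted" for the post's config confirms that allow-query is doing the work; after any change to the ACLs, re-run it, and confirm from outside the LAN with `dig @192.168.0.197 www.example.com` that you get REFUSED rather than an answer.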
6. So here's my initial forward zone:
[root@linuxiph named]# cat linuxiph.com.zone
$ORIGIN linuxiph.com.
$TTL 86400
@ IN SOA pinoy.linuxiph.com. root.pinoy.linuxiph.com. (
        2001062504 ; serial
        21600      ; refresh after 6 hours
        3600       ; retry after 1 hour
        604800     ; expire after 1 week
        86400 )    ; negative-caching TTL of 1 day
;
;
        IN NS pinoy.linuxiph.com.
@       IN A  192.168.0.197   ; apex address, the target of the CNAMEs below
pinoy   IN A  192.168.0.197   ; the name server named in the NS record needs an address
;
;
@       IN MX 10 mail.linuxiph.com.
mail    IN A  192.168.0.197
;
;
; This sample zone file illustrates sharing the same IP addresses
; for multiple services:
;
ftp     IN CNAME linuxiph.com.
www     IN CNAME linuxiph.com.   ; trailing dot: without it the target is relative to $ORIGIN
;
=======================================
$INCLUDE Klinuxiph.com.+005+64086.key ; ZSK
$INCLUDE Klinuxiph.com.+005+30064.key ; KSK
These two lines are added to the forward zone once the keys have been generated (we will do that shortly). While testing they are left out, or commented out with a leading semicolon, because named refuses to load a zone whose $INCLUDE file does not exist yet.
==========================================
7. Since my server is a stand-alone server, it also serves the reverse zone:
[root@linuxiph named]# cat 192.168.0.zone
$ORIGIN 0.168.192.in-addr.arpa.
$TTL 86400
@ IN SOA pinoy.linuxiph.com. root.pinoy.linuxiph.com. (
        2001062501 ; serial
        21600      ; refresh after 6 hours
        3600       ; retry after 1 hour
        604800     ; expire after 1 week
        86400 )    ; negative-caching TTL of 1 day
;
; the host name must match the forward zone (pinoy), otherwise the PTR
; points at a name that does not resolve
@   IN NS  pinoy.linuxiph.com.
;
197 IN PTR pinoy.linuxiph.com.
8. Edit /etc/resolv.conf:
[root@linuxiph named]# vim /etc/resolv.conf
# Generated by NetworkManager
search linuxiph.com
nameserver 127.0.0.1
nameserver 202.126.40.5
nameserver 222.127.143.5
The search entry takes the domain (linuxiph.com), not the host name. Since NetworkManager generated this file it will also rewrite it; to keep the local nameserver first, set DNS1=127.0.0.1 (and PEERDNS=no on a DHCP interface) in the interface's ifcfg-* file under /etc/sysconfig/network-scripts/ instead of editing resolv.conf by hand.
9. Point the Windows clients at the Linux DNS server. ipconfig /all should then show something like this (the DNS server IP should be at the top of the list):
DNS Servers . . . . . . . . . . . : 192.168.0.197
202.126.40.5
222.127.143.5
10. Test it!
Check that named is listening on port 53:
netstat -anp|grep :53
[root@linuxiph named]# netstat -anp|grep :53
tcp 0 0 192.168.0.197:53 0.0.0.0:* LISTEN 1763/named
tcp 0 0 127.0.0.1:53 0.0.0.0:* LISTEN 1763/named
tcp 0 0 :::53 :::* LISTEN 1763/named
udp 0 0 192.168.0.197:53 0.0.0.0:* 1763/named
udp 0 0 127.0.0.1:53 0.0.0.0:* 1763/named
udp 0 0 0.0.0.0:5353 0.0.0.0:* 1328/avahi-daemon:
udp 0 0 :::53 :::* 1763/named
Open port 53 in iptables:
# iptables -A INPUT -p tcp --dport 53 -j ACCEPT
# iptables -A INPUT -p udp --dport 53 -j ACCEPT
(-s 0/0 is the default source match, so writing it out changes nothing; if the server only answers the LAN, match the source instead: -s 192.168.0.0/24.)
On a stock RHEL 6 firewall the INPUT chain ends with a REJECT rule; rules appended with -A land after it and never match, so either use -I INPUT to insert them at the top or add them above the REJECT line in /etc/sysconfig/iptables, then run service iptables save so they survive a reboot.
When you check the iptables list (iptables -L INPUT -n), the output should contain:
ACCEPT tcp -- 0.0.0.0/0 0.0.0.0/0 tcp dpt:53
ACCEPT udp -- 0.0.0.0/0 0.0.0.0/0 udp dpt:53
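As an added example, not from the original post: a check for the rule-order trap described above. The chain listings inside it are constructed to look like iptables -S INPUT output on a stock RHEL 6 box; the 192.168.0.0/24 source restriction in the second listing is my suggestion.

```shell
#!/bin/sh
# Added example, not from the original post: checks whether the port-53
# ACCEPT rules are actually reachable. Assumption: a stock RHEL 6 firewall,
# whose /etc/sysconfig/iptables ends the INPUT chain with
# "-j REJECT --reject-with icmp-host-prohibited". "iptables -A INPUT ..."
# appends AFTER that rule, so the new ACCEPTs are never evaluated and DNS
# clients time out even though netstat shows named listening.

# Constructed listing, in "iptables -S INPUT" format: the post's -A commands
# run against the stock chain.
APPENDED='-P INPUT ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p icmp -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A INPUT -p tcp --dport 53 -j ACCEPT
-A INPUT -p udp --dport 53 -j ACCEPT'

# Constructed listing: the same rules added with -I (insert at the top) and
# limited to the LAN that allow-query admits.
INSERTED='-P INPUT ACCEPT
-A INPUT -s 192.168.0.0/24 -p udp --dport 53 -j ACCEPT
-A INPUT -s 192.168.0.0/24 -p tcp --dport 53 -j ACCEPT
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited'

# dns_rules_reachable: reads "iptables -S INPUT" output on stdin and prints
#   reachable  every --dport 53 ACCEPT sits before the first catch-all REJECT/DROP
#   shadowed   at least one --dport 53 ACCEPT sits after it (never matches)
#   missing    no --dport 53 ACCEPT at all
dns_rules_reachable() {
    awk '
    /^-A INPUT / && /-j (REJECT|DROP)/ && !/--dport/ && !blocked { blocked = NR }
    /^-A INPUT / && /--dport 53 / && /-j ACCEPT/ {
        seen++
        if (blocked && NR > blocked) shadowed++
    }
    END {
        if (!seen) print "missing"
        else if (shadowed) print "shadowed"
        else print "reachable"
    }'
}

printf '%s\n' "$APPENDED" | dns_rules_reachable   # shadowed
printf '%s\n' "$INSERTED" | dns_rules_reachable   # reachable
```

Run it against the live chain with `iptables -S INPUT | dns_rules_reachable`. If it says shadowed, re-add the rules with `iptables -I INPUT ...` (or put them above the REJECT line in /etc/sysconfig/iptables and `service iptables restart`), then `service iptables save` so they survive a reboot.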
On the DNS server itself:
[root@linuxiph named]# dig pinoy.linuxiph.com
; <<>> DiG 9.7.0-P2-RedHat-9.7.0-5.P2.el6 <<>> pinoy.linuxiph.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31204
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;pinoy.linuxiph.com. IN A
;; ANSWER SECTION:
pinoy.linuxiph.com. 86400 IN A 192.168.0.197
;; AUTHORITY SECTION:
linuxiph.com. 86400 IN NS pinoy.linuxiph.com.
;; Query time: 1 msec
;; SERVER: 192.168.0.197#53(192.168.0.197)
;; WHEN: Sun May 15 00:22:53 2011
;; MSG SIZE rcvd: 66
In Windows (the two timeouts and "Server: UnKnown" come from nslookup's reverse lookup of 192.168.0.197 not being answered; the A query itself succeeds):
C:\Users\Ruel>nslookup pinoy.linuxiph.com
DNS request timed out.
timeout was 2 seconds.
Server: UnKnown
Address: 192.168.0.197
DNS request timed out.
timeout was 2 seconds.
Name: pinoy.linuxiph.com
Address: 192.168.0.197
============================================================================
11. So let's generate the DNSSEC keys.
A short explanation can be found at this link:
- https://www.os3.nl/2009-2010/students/marcus_bakker/cia/assignments/week4
We will generate a ZSK (Zone Signing Key) and a KSK (Key Signing Key); please read the link for the explanation. Mine is the short version, sorry.
- ZSK
[root@linuxiph named]# dnssec-keygen -a RSASHA1 -n ZONE -r /dev/urandom -b 1024 linuxiph.com
- KSK
[root@linuxiph named]# dnssec-keygen -a RSASHA1 -n ZONE -f KSK -r /dev/urandom -b 2048 linuxiph.com
(-r /dev/urandom matters on a VM with little entropy; the default /dev/random blocks. RSASHA1, algorithm 5, and a 1024-bit ZSK were normal in 2011; for a new deployment use -a RSASHA256 and at least 2048 bits.)
Four files are generated:
Klinuxiph.com.+005+30064.key
Klinuxiph.com.+005+30064.private
Klinuxiph.com.+005+64086.key
Klinuxiph.com.+005+64086.private
Add the *.key files to linuxiph.com.zone (or uncomment the lines if you already added them earlier). This is the forward zone file only; we do not touch the reverse zone.
$INCLUDE Klinuxiph.com.+005+64086.key ; ZSK
$INCLUDE Klinuxiph.com.+005+30064.key ; KSK
Create the signed zone with dnssec-signzone (installed by the bind package in /usr/sbin, so it is on root's PATH):
dnssec-signzone -o linuxiph.com -k Klinuxiph.com.+005+30064 linuxiph.com.zone Klinuxiph.com.+005+64086.key
Where:
-o linuxiph.com - the zone origin
-k Klinuxiph.com.+005+30064 - the KSK
linuxiph.com.zone - the forward zone file
Klinuxiph.com.+005+64086.key - the ZSK
This writes linuxiph.com.zone.signed, the file named.conf points at.
And why a ZSK and a KSK?
Klinuxiph.com.+005+30064 - KSK: signs only the DNSKEY RRset and is what you publish as a DS record at the parent, so it is rolled rarely (1 year in my setup)
Klinuxiph.com.+005+64086 - ZSK: signs everything else, so it can be rolled often (1 month in my setup)
The keys themselves do not expire; the signatures do. dnssec-signzone makes RRSIGs valid for 30 days by default (-e sets another end date), so the zone has to be re-signed before the expiration stamp in the RRSIGs is reached, whatever the key rollover schedule.
Then do # rndc reload
12. OK, so to test it:
[root@linuxiph named]# nslookup
> set type=RRSIG
> pinoy.linuxiph.com
Server: 192.168.0.197
Address: 192.168.0.197#53
pinoy.linuxiph.com rdata_46 = A 5 3 86400 20110613015211 20110514015211 64086 linuxiph.com. YSuBYVt/t3+yWlAmSqmKCwqt7ZPvkRemMHM/Dioe1ZKDhPXUFlHcjDIr +XppCi/qr2VPm28in5S8ibG9c6pp7T1xmU/OJapE1WXU4AihxDrHdObY VRfIDmvvZRigZaO/apLXqqdu/wlJkZeGuMSZxJuIDMWvPWi723vC/33g Lg0=
pinoy.linuxiph.com rdata_46 = NSEC 5 3 86400 20110613015211 20110514015211 64086 linuxiph.com. qJUODY142YAWTF2XZ2wO2IZ98OQwdDPr+ugI8GJQ2IywcjmUsxAb1R5x yzJCpAuyYARI29Txowt5BU01WcQ+wnA9Xw+npAqdCb6S4geZDQhzQhOb tCmcALiy9mSpH99gM7RlSVMk+h4fv3iRDqXnhm3dopJME8bSRAIWrc89 exI=
>
In /var/log/messages you should see output like this:
named[6067]: zone linuxiph.com/IN: loaded serial 2011062504 (DNSSEC signed)
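An added example (not the author's tooling) for the signing step, in shell: it tells the KSK from the ZSK by reading the flags field of the key file rather than by key tag, extracts the expiration from an RRSIG line in either the nslookup format shown above or dig's, and computes how many days remain before the zone must be re-signed. The key files it contains are constructed placeholders, not real keys.

```shell
#!/bin/sh
# Added example, not from the original post: checks for the signing step.
#   key_role         tells KSK from ZSK by the DNSKEY flags field inside a
#                    K<zone>.+<alg>+<tag>.key file (257 = KSK, 256 = ZSK),
#                    instead of remembering which key tag is which
#   rrsig_expiry     pulls the expiration stamp out of an RRSIG line
#                    (nslookup "rdata_46 =" format as in the post, or dig's)
#   rrsig_days_left  days from a reference time to that stamp, floored
#   rrsig_check      EXPIRED / RESIGN-SOON / ok (dnssec-signzone signs for 30
#                    days by default; 20110514 -> 20110613 above is exactly that)
# The key files below are constructed: the base64 is a placeholder, not a key.

KSK_FILE='; This is a key-signing key, keyid 30064, for linuxiph.com.
linuxiph.com. IN DNSKEY 257 3 5 AwEAAexampleKSKplaceholder='
ZSK_FILE='; This is a zone-signing key, keyid 64086, for linuxiph.com.
linuxiph.com. IN DNSKEY 256 3 5 AwEAAexampleZSKplaceholder='

# The RRSIG line printed by nslookup in the post (signature truncated here).
RRSIG_LINE='pinoy.linuxiph.com rdata_46 = A 5 3 86400 20110613015211 20110514015211 64086 linuxiph.com. YSuBYVt/t3+yWlAmSqmKCwqt7ZPvkRemMHM/Dioe1ZKD...'

# key_role: reads a .key file on stdin, prints e.g. "KSK alg=5".
key_role() {
    awk '
    /^;/ { next }                     # skip the comment header dnssec-keygen writes
    { for (i = 1; i <= NF; i++) if ($i == "DNSKEY") { flags = $(i + 1); alg = $(i + 3) } }
    END {
        if (flags == 257) role = "KSK"
        else if (flags == 256) role = "ZSK"
        else role = "unknown"
        print role, "alg=" alg
    }'
}

# rrsig_expiry: reads an RRSIG line on stdin (nslookup or dig format) and
# prints its expiration field (YYYYMMDDHHMMSS). In both formats the
# expiration is the 5th field after the "RRSIG" / "=" marker.
rrsig_expiry() {
    awk '{ for (i = 1; i <= NF; i++) if ($i == "RRSIG" || $i == "=") { print $(i + 5); exit } }'
}

# rrsig_days_left EXPIRY NOW: whole days (floored) from NOW to EXPIRY, both
# YYYYMMDDHHMMSS in UTC as RRSIG stamps are; negative means already expired.
# Pure awk date arithmetic (days-from-civil) so it needs no GNU "date -d".
rrsig_days_left() {
    awk -v e="$1" -v n="$2" '
    function days(ts,    y, m, d, era, yoe, doy, doe) {
        y = substr(ts, 1, 4) + 0; m = substr(ts, 5, 2) + 0; d = substr(ts, 7, 2) + 0
        if (m <= 2) y--                      # March-based year
        era = int(y / 400); yoe = y - era * 400
        doy = int((153 * (m + (m > 2 ? -3 : 9)) + 2) / 5) + d - 1
        doe = yoe * 365 + int(yoe / 4) - int(yoe / 100) + doy
        return era * 146097 + doe - 719468  # days since 1970-01-01
    }
    function secs(ts) {
        return days(ts) * 86400 + substr(ts, 9, 2) * 3600 + substr(ts, 11, 2) * 60 + substr(ts, 13, 2)
    }
    BEGIN {
        x = (secs(e) - secs(n)) / 86400
        f = int(x); if (f > x) f--           # floor, also for negative values
        print f
    }'
}

# rrsig_check EXPIRY NOW [WARN_DAYS]: warn a week ahead by default.
rrsig_check() {
    left=$(rrsig_days_left "$1" "$2")
    warn=${3:-7}
    if [ "$left" -lt 0 ]; then echo EXPIRED
    elif [ "$left" -lt "$warn" ]; then echo RESIGN-SOON
    else echo ok
    fi
}

printf '%s\n' "$KSK_FILE" | key_role
printf '%s\n' "$ZSK_FILE" | key_role
exp=$(printf '%s\n' "$RRSIG_LINE" | rrsig_expiry)
echo "expires $exp: $(rrsig_days_left "$exp" 20110514015211) days after signing"
rrsig_check "$exp" 20110610000000
```

On the server, `key_role < Klinuxiph.com.+005+30064.key` confirms which file to hand to -k, and `dig +dnssec @127.0.0.1 linuxiph.com SOA | grep RRSIG | rrsig_expiry` gives the stamp to feed `rrsig_check` together with `date -u +%Y%m%d%H%M%S`; a daily cron job doing that is the cheapest way not to let the signatures lapse while waiting for a key rollover.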
==========================================================================
Before the topic started I mentioned SELinux, right?
Here are the errors you will get because of this security layer.
With SELinux in enforcing mode:
# service named restart
# tail /var/log/messages
Now compare with permissive mode:
# setenforce 0
# sestatus
Current mode: permissive
# service named restart
# tail /var/log/messages
A certain amount of trouble can be seen in the enforcing output. Some of the messages I found, which people find annoying:
named[29057]: the working directory is not writable
This one is informational and is not an SELinux denial. Red Hat ships /var/named unwritable by named on purpose (owned root:named, labelled named_zone_t): zone files there are read-only to named, and anything named must write (journals, dumps, logs, slave copies) belongs under /var/named/data, /var/named/dynamic or /var/named/slaves, which are labelled named_cache_t. Do not chmod g+w /var/named; with SELinux enforcing it would not help anyway, because the label decides, not the mode bits (unless you turn on the named_write_master_zones boolean).
named[28854]: logging channel 'default_debug' file 'data/named.run': permission denied
named[28854]: isc_log_open 'data/named.run' failed: permission denied
This one is SELinux: a file under /var/named/data carries the wrong context (it happens when a file is moved in from somewhere else, since mv keeps the old label while cp picks up the directory's). Restore the contexts the policy expects:
restorecon -R -v /var/named
Check the result with ls -Z /var/named/data, and grep for AVC in /var/log/audit/audit.log if you need the exact denial.
# setenforce 1 - set SELinux back to enforcing
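An added example, not from the original post: checking the file contexts under /var/named against the labels the RHEL 6 targeted policy assigns, which is what restorecon restores. The label map is an assumption drawn from that policy (confirm with matchpathcon), and the ls -Z listing inside is constructed.

```shell
#!/bin/sh
# Added example, not from the original post: compares the SELinux file
# contexts under /var/named with what the RHEL 6 targeted policy expects.
# Assumed label map (verify on your box with "matchpathcon /var/named/data"):
#   /var/named/data, dynamic, slaves  -> named_cache_t   (named may write)
#   everything else under /var/named  -> named_zone_t    (named may only read)
# A wrong label, typically from a file that was mv'ed in from a home
# directory, is what produces "isc_log_open 'data/named.run' failed:
# permission denied" while SELinux is enforcing.

# Constructed "ls -Z" output: two files still carry home-directory labels.
LISTING='-rw-r-----. root  named system_u:object_r:named_zone_t:s0 /var/named/linuxiph.com.zone
-rw-r-----. root  named system_u:object_r:named_zone_t:s0 /var/named/linuxiph.com.zone.signed
-rw-r--r--. root  named unconfined_u:object_r:user_home_t:s0 /var/named/192.168.0.zone
-rw-r--r--. named named unconfined_u:object_r:admin_home_t:s0 /var/named/data/named.run
-rw-r--r--. named named system_u:object_r:named_cache_t:s0 /var/named/dynamic/managed-keys.bind'

# expected_type PATH: the type the policy assigns to PATH (see map above).
expected_type() {
    case "$1" in
        /var/named/data|/var/named/data/*|\
        /var/named/dynamic|/var/named/dynamic/*|\
        /var/named/slaves|/var/named/slaves/*) echo named_cache_t ;;
        /var/named|/var/named/*)               echo named_zone_t ;;
        *)                                      echo unknown ;;
    esac
}

# check_labels: reads "ls -Z" lines on stdin, prints one MISLABELED line per
# file whose type differs from expected_type; prints nothing when all is well.
check_labels() {
    while read -r line; do
        [ -n "$line" ] || continue
        path=${line##* }                                   # last field: the path
        ctx=$(printf '%s\n' "$line" | awk '{ for (i = 1; i <= NF; i++) if ($i ~ /:object_r:/) print $i }')
        have=$(printf '%s\n' "$ctx" | cut -d: -f3)         # user:role:TYPE:level
        want=$(expected_type "$path")
        [ "$have" = "$want" ] || echo "MISLABELED $path $have -> $want"
    done
}

printf '%s\n' "$LISTING" | check_labels
```

On the server, feed it full paths so the last field is usable: `ls -dZ /var/named/* /var/named/*/* | check_labels`. Anything it reports is fixed by `restorecon -R -v /var/named`, which is the right tool here; chcon would also work but is undone by the next relabel, and chmod does nothing for a label problem.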
I haven't done a re-sign of the keys as of this writing; either I will post the how-to, or I should wait for the ZSK to expire before I re-sign the keys.
Something I missed? Feel free to comment...


