
Installing a DNS Server with BIND on FreeBSD 7.0

1 System Requirements

What you need to install the system:

1. FreeBSD 7.0 CD, disc 1

2. Fast Internet connection

2 Preliminary Information

This document uses the hostname dns.uni.net.th, the IP address 192.168.0.100 and the gateway IP 192.168.0.2.

3 Installing FreeBSD

Insert the FreeBSD boot CD into the CD-ROM drive and set the BIOS to boot from the CD-ROM. When booting finishes, the menu shown in Figure 1 appears; press [ENTER] to continue to the next step.

Figure 1

Choose your country: move the highlight to the country you want, select the [OK] button and press [ENTER].

Figure 2

Choose the keyboard type: highlight it, select the [OK] button and press [ENTER].

Figure 3

Choose Standard, highlight the [OK] button and press [ENTER].

Figure 4

Move the highlight to [OK] and press [ENTER].

Figure 5

For automatic configuration, press A and then Q.

Figure 6

Choose Standard MBR.

Figure 7

Move the highlight to the [OK] button and press [ENTER] to go on to partitioning the hard disk.

Figure 8

Press A again to partition automatically, then press Q to exit partitioning.

Figure 9

Scroll down to User and press [SPACEBAR].

Figure 10

When asked about the ports collection, choose [YES] so that it does not have to be installed manually later: move the highlight to [Yes] and press [ENTER].

Figure 10

You then return to the distribution screen; press [TAB] to move the highlight to the [OK] button and press [ENTER].

Figure 11

Make sure the machine is connected to the Internet. We will install over FTP: highlight FTP, select the [OK] button and press [ENTER].

Figure 12

Choose the best host so that the installation is fast: move the highlight to the host you want, select the [OK] button and press [ENTER].

Figure 13

Before installing, the network has to be configured: highlight the network card, select the [OK] button and press [ENTER].

Figure 14

For IPv6, choose [NO].

Figure 15

We will use a static IP, so move the highlight to [No].

Figure 16

The next step sets the IP configuration as shown in the figure. Host: dns.uni.net.th, Domain: uni.net.th

Figure 17

Next comes the Last Chance? prompt: move the highlight to [Yes] and press [ENTER].

Figure 18

After the installation you will get the message below; highlight the [OK] button and then press [ENTER].

Figure 18

You will then be asked whether you want the server to be a network gateway; choose [NO].

Figure 19

Also choose [NO] for inetd.

Figure 20

Choose [YES] for the SSH login.

Figure 21

Choose [NO] for the anonymous FTP login:

Figure 22

Choose [NO] for the NFS server.

Figure 23

Choose [NO] again for the NFS client.

Figure 24

You will then be asked about system console customization; choose [NO].

Figure 25

Choose [YES] for the time zone.

Figure 26

Most systems' clocks are not set to UTC; if yours is not, choose [NO].

Figure 27

Time zone: choose your region, highlight [OK] and press [ENTER].

Figure 28

Choose your country, highlight [OK] and press [ENTER].

Figure 29

CEST was OK for me; depending on your region, go ahead with the following selection.

Figure 30

It is a text-based installation and we won't use a mouse here, so I choose [NO].

Figure 31

Choose [NO] for application browsing.

Figure 32

Choose [YES] for creating a new user.

Figure 33

Scroll down to User, highlight [OK] and press [ENTER].

Figure 34

Type the username, press TAB to type the password and then the full name. Then type wheel in the Member groups box so that this user will be able to log in via SSH. When finished, highlight [OK] and press [ENTER]:

Figure 35

You will then return to the previous screen; choose X Exit, then highlight [OK] and press [ENTER].

Figure 36

OK, now we will configure the root password, so press [OK].

Figure 37

Type the new password and press [ENTER], then retype the new password and press [ENTER].

Figure 38

Choose [NO] for visiting the configuration menu.

Figure 39

You will then return to the sysinstall main menu; highlight X Exit Install and press [ENTER].

Figure 40

Remove the CD, highlight [YES] and press [ENTER].

Figure 41

After the reboot you can log in as root to do administrative tasks. However, if you are logging in via SSH you will need to log in as the user you created and then switch to root using the su command.

Before installing third-party applications we need to configure FreeBSD to find third-party commands before the usual FreeBSD commands. To do that we change the order of the default search path, which is set in the .cshrc file:

cd /root
ee .cshrc

Then we comment out (disable) the default path by adding a "#" at the beginning of the line, so that it looks like this:

#set path = (/sbin /bin /usr/sbin /usr/bin /usr/games /usr/local/sbin /usr/local/bin /usr/X11R6/bin)

Now we add a new line for the new default search path:

set path = (/usr/local/sbin /usr/local/bin /usr/sbin /usr/bin /sbin /bin $HOME/bin)

Now save and exit the file: press Escape, then choose option a to leave the editor, and it will ask whether you want to save.

Now log out [CTRL+D] and log in again. To display the current search path, use the following command:

echo $path

It is a good idea to limit SSH access. To allow only specific users, add them to the sshd_config file; to do that, open the file using Easy Editor:

ee /etc/ssh/sshd_config

Add the following line, and remember to list the users you want to allow. In the example below I allow user1 and user2 to access my server via SSH:

AllowUsers user1 user2

Save and exit, then restart the SSH daemon using the command below:

/etc/rc.d/sshd restart

4 Configuring Static IP

If you chose DHCP during the installation, you can follow these steps to configure a static IP. Remember to exclude the server's IP from the DHCP range so that it won't conflict with another network device.

We will edit the rc.conf file using the following command:

ee /etc/rc.conf

You should then see something like:

hostname="dns.uni.net.th"
ifconfig_xl0="DHCP"

Change your hostname if it is not correct; it should be your server's FQDN.

Then we will modify the rest to look like this:

hostname="dnsfreebsd.tm.local"
ifconfig_xl0="inet 192.168.0.100 netmask 255.255.255.0"
defaultrouter="192.168.0.2"

As you can see above, we removed the word DHCP and typed our IP and netmask, and on a new line we added our router's IP.

Now save and exit.

5 Checking the Hosts and DNS IPs configuration

We also need to make sure that the hosts file and the resolv.conf file are configured correctly, so we will start with the hosts file:

ee /etc/hosts

It should look like this; modify the domain name (e.g. uni.net.th) and the hostname (e.g. dns.uni.net.th) based on your configuration:

::1 localhost localhost.uni.net.th
127.0.0.1 localhost localhost.uni.net.th
192.168.0.100 dns dns.uni.net.th

Now save and exit.

We will now check the resolv.conf file:

ee /etc/resolv.conf

It should look like this; feel free to change it based on your configuration. Put the domain name at the top and then any DNS servers you have (your ISP's, etc.) below it, each after the word nameserver:

domain uni.net.th
nameserver 192.168.0.2
nameserver 192.168.0.100

6 Updating the system

To make sure you are connected to the Internet you can ping any website (e.g. www.google.com). If all is good, you can update and reboot the system using the following commands:

freebsd-update fetch
freebsd-update install
reboot

After rebooting you can display the release level using the following command:

uname -r

7 Configuring FreeBSD Ports Collection

The Ports Collection provides a centralized and simple way to install software; it is designed to be automated and relatively easy to use.

We will carry out the following steps as the superuser as well.

First we will copy the ports-supfile to /root so that it is easy to find later:

cp /usr/share/examples/cvsup/ports-supfile /root

Now choose the update server nearest to your location; you can go to:

http://www.freebsd.org/doc/en/books/handbook/cvsup.html

and choose the server nearest to you.

We will then open the ports-supfile and type in our server name:

ee /root/ports-supfile

Around line 49 you will see the default server parameters. Mine looks like the line below; you can change the server to whichever is near you:

*default host=ftp.freebsd.uni.net.th

Save and exit.

Use the following command to update the ports:

csup -g -L 2 /root/ports-supfile

It may take some time. However, if it has not connected within the first 2 minutes, make sure port 5999 is open on your firewall (from your server to the update server). If it doesn't work, make sure you can telnet from your server to the update server on port 5999:

telnet ftp.freebsd.uni.net.th 5999

If telnet was successful you should see something like this:

OK 17 0 SNAP_16_1h CVSup server ready

To create the ports index file we will need to install Perl using the following commands:

cd /usr/ports/lang/perl5.8
make install clean
rehash

After that we will update the ports index and the readme files; this may take a really long time (maybe 40 minutes):

cd /usr/ports
make readmes && make index

8 Installing Portmaster and Portaudit (Optional but Recommended)

Portmaster makes life easy when upgrading packages, even when other packages depend on them. For example, if you have Apache Server and you want to upgrade eXpat, you have to uninstall eXpat and install the new version; doing this will break the Apache installation. Portmaster can be used to do this operation safely without breaking any links, etc.

To install Portmaster do the following:

cd /usr/ports/ports-mgmt/portmaster
make install clean
rehash

Portaudit is a nice application that checks the vulnerability database when building ports, to ensure that there are no known security issues with what you are installing. If there is a known issue it won't continue, and it will refer you to the vulnerability.

To install it do the following:

cd /usr/ports/ports-mgmt/portaudit
make install clean
rehash

If you want to install a program even though it has a known vulnerability, you can do that using the following command:

make -D DISABLE_VULNERABILITIES install clean

9 Installing and Configuring DNS

BIND is part of the FreeBSD 7.0 distribution. Check the version you have in the ports collection: if it is equal to 9.4.2, skip to the configuration section; if it supersedes 9.4.2, continue with the installation section.

You can check the version you have using the following command:

cat /usr/ports/dns/bind94/Makefile | grep PORTVERSION

Installation

cd /usr/ports/dns/bind94
make configure ; make install clean

A menu will appear displaying options for BIND. Press [SPACEBAR] to select REPLACE_BASE; the others you can leave at the defaults. Then press [TAB] to highlight [OK] and press [ENTER] to complete the installation process.

Configuration

We will now configure BIND. The first thing we do is add "NO_BIND = YES" to the make.conf file in /etc, using the following commands:

cp /etc/make.conf /etc/make.conf.old
echo "NO_BIND = YES" >> /etc/make.conf

This tells make not to build the base version of BIND in case you rebuild FreeBSD from source.

Now let's edit named.conf to configure our forwarders, zones, etc.

ee /var/named/etc/namedb/named.conf

Scroll down and comment out the listen-on line (about line 21) by adding // at the beginning of the line. This configures BIND to answer both internal and external queries. It should then look like this:

//      listen-on       { 127.0.0.1; };

Scroll down again to about lines 43 - 47 and remove the /* before the forwarders section as well as the */ after it. Then replace 127.0.0.1 with your ISP's DNS IP; if you have more than one ISP DNS server you can add them all, with ; as a separator.

It should then look something like this:

forwarders {
        192.168.0.2;
        192.168.0.3;
};

Now we need to add our zones. In the same file, scroll to the bottom and add your forward and reverse lookup zones. To add the forward lookup zone, add the following to the bottom of the file:

zone "tm.local" {
        type master;
        file "master/tm.local";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};

As you can see above, my zone name and zone file name are both tm.local; feel free to change that to your domain name.

A feature in BIND called dynamic DNS updates allows BIND to work with DHCP to dynamically update the client records; I will cover that in detail in my FreeBSD DHCP tutorial.

Now we need to add the reverse lookup zone, so again at the end of the file we add the following:

zone "0.168.192.in-addr.arpa" {
        type master;
        file "master/tm.local.rev";
        allow-transfer { localhost; };
        allow-update { key rndc-key; };
};

As you can see, my zone name starts with 0.168.192. That is because my network ID is 192.168.0; reversed, it becomes 0.168.192. You will need to change this based on your network configuration.

Save and exit the file.

Now we need to create the rndc.key file and add its contents to the bottom of the named.conf file. rndc.key is an encryption key that the rndc utility needs to work; it is also used if you are using dynamic DNS together with DHCP.

To do that run the following commands:

rndc-confgen -a
cd /var/named/etc/namedb
cp named.conf named.conf.old
cat rndc.key >> named.conf
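After the cat step, named.conf (and the named.conf.old copy, once it is refreshed) carries the key's secret, so the file's permissions now matter as much as those of rndc.key. The check below is an added example, not part of the original tutorial; the function names and the sample key are constructed for illustration, and it assumes named reads the file through its group, so only the "other" read bit is flagged.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.

# world_readable_key_files FILE...
# Prints every FILE that holds a BIND `secret "...";` statement and is
# readable by "other" (mode bit 004). Any local account could copy the
# key from such a file and use it for rndc or dynamic updates.
world_readable_key_files() {
    for f in "$@"; do
        [ -f "$f" ] || continue
        grep -Eq '^[[:space:]]*secret[[:space:]]+"' "$f" || continue
        find "$f" -perm -004 -print
    done
}

# Constructed sample: named.conf after `cat rndc.key >> named.conf`.
# The secret is a made-up placeholder, not a real key.
write_sample_conf() {
    cat > "$1" <<'EOF'
zone "tm.local" {
        type master;
        file "master/tm.local";
        allow-update { key rndc-key; };
};
key "rndc-key" {
        algorithm hmac-md5;
        secret "Q09OU1RSVUNURUQtUExBQ0VIT0xERVI=";
};
EOF
}

demo_key_check() {
    dir=$(mktemp -d) || return 1
    write_sample_conf "$dir/named.conf"
    chmod 644 "$dir/named.conf"
    echo "mode 644: $(world_readable_key_files "$dir/named.conf")"
    chmod 640 "$dir/named.conf"     # owner rw, group r, others nothing
    echo "mode 640: $(world_readable_key_files "$dir/named.conf")"
    rm -rf "$dir"
}
demo_key_check
```

On a real server, pass it named.conf, named.conf.old and rndc.key from /var/named/etc/namedb.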

Now we are finished with the named.conf file; next we need to create our zone files, which contain the records, etc.

Creating the Master forward lookup zone file

Remember to replace tm.local with your domain name; it must match what you have used before.

So we will create the file tm.local:

cd /var/named/etc/namedb/master
ee tm.local

Then we add the following:

$TTL 3600
tm.local.               IN      SOA     dnsfreebsd.tm.local. root.tm.local. (
                                1       ; Serial
                                10800   ; Refresh
                                3600    ; Retry
                                604800  ; Expire
                                86400 ) ; Minimum TTL
; DNS Servers
tm.local.               IN      NS      dnsfreebsd.tm.local.
; Computer names and records
dnsfreebsd.tm.local.    IN      A       192.168.0.2
; Aliases
www                     IN      CNAME   dnsfreebsd.tm.local.
; Mail MX Records
tm.local.               IN      MX      10 dnsfreebsd.tm.local.

Feel free to modify this based on what you want to do: you can add more aliases, A or MX records. Make sure to change the domain name above from tm.local to your domain name and to add a "." after it; also change the hostname from dnsfreebsd to the hostname you are using.

root.tm.local is the e-mail address of the person responsible for the zone; here we use a "." instead of an "@" sign.

Creating the Master reverse lookup zone file

Now we will create a reverse lookup zone file for the forward one we created above, using the following commands:

cd /var/named/etc/namedb/master
ee tm.local.rev

Then we will add the data below to it; again, feel free to modify it based on your configuration:

$TTL 3600
0.168.192.in-addr.arpa. IN      SOA     dnsfreebsd.tm.local. root.tm.local. (
                                1       ; Serial
                                10800   ; Refresh
                                3600    ; Retry
                                604800  ; Expire
                                86400 ) ; Minimum TTL
; DNS Servers
0.168.192.in-addr.arpa. IN      NS      dnsfreebsd.tm.local.
; Computer IPs
100                     IN      PTR     dnsfreebsd.tm.local.
100                     IN      PTR     www.tm.local.
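The forward and reverse zone files have to agree: each A record should have a PTR pointing back at the same name, and each PTR target should have an A record for that address. The script below is an added example, not part of the original tutorial; its function names are hypothetical and it assumes one record per line with an explicit owner name and a /24 reverse zone. Run on the records as printed above, it reports that dnsfreebsd.tm.local has its A record at 192.168.0.2 while the PTR records sit at 192.168.0.100, and that www.tm.local is a PTR target but exists only as a CNAME.

```shell
#!/bin/sh
# Added example, not part of the original tutorial.
# Assumptions: one record per line with an explicit owner name, IPv4 only,
# and a /24 reverse zone whose PTR owners are the bare last octet.

# zone_mismatches FORWARD_FILE REVERSE_FILE ORIGIN NET_PREFIX
# Prints, sorted, one line per inconsistency:
#   A_WITHOUT_PTR <name> <ip>    an A record with no PTR back to that name
#   PTR_WITHOUT_A <ip> <name>    a PTR whose target has no such A record
zone_mismatches() {
    awk -v origin="$3" -v net="$4" '
        # Qualify a relative owner name with the forward zone origin.
        function fqdn(n) { return (n ~ /\.$/) ? n : n "." origin "." }
        { sub(/;.*/, "") }                       # strip zone-file comments
        FNR == NR {                              # first file: forward zone
            if ($2 == "IN" && $3 == "A") a[fqdn($1) " " $4] = 1
            next
        }
        $2 == "IN" && $3 == "PTR" { p[$4 " " net "." $1] = 1 }
        END {
            for (k in a) if (!(k in p)) { split(k, f, " "); print "A_WITHOUT_PTR", f[1], f[2] }
            for (k in p) if (!(k in a)) { split(k, f, " "); print "PTR_WITHOUT_A", f[2], f[1] }
        }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample: the records from the two zone files shown above.
write_sample_zones() {
    cat > "$1/tm.local" <<'EOF'
$TTL 3600
tm.local.            IN SOA dnsfreebsd.tm.local. root.tm.local. (
                        1 10800 3600 604800 86400 ) ; serial .. minimum
; DNS Servers
tm.local.            IN NS    dnsfreebsd.tm.local.
; Computer names and records
dnsfreebsd.tm.local. IN A     192.168.0.2
; Aliases
www                  IN CNAME dnsfreebsd.tm.local.
; Mail MX Records
tm.local.            IN MX    10 dnsfreebsd.tm.local.
EOF
    cat > "$1/tm.local.rev" <<'EOF'
$TTL 3600
0.168.192.in-addr.arpa. IN SOA dnsfreebsd.tm.local. root.tm.local. (
                        1 10800 3600 604800 86400 )
0.168.192.in-addr.arpa. IN NS  dnsfreebsd.tm.local.
; Computer IPs
100                     IN PTR dnsfreebsd.tm.local.
100                     IN PTR www.tm.local.
EOF
}

check_sample_zones() {
    dir=$(mktemp -d) || return 1
    write_sample_zones "$dir"
    zone_mismatches "$dir/tm.local" "$dir/tm.local.rev" tm.local 192.168.0
    rm -rf "$dir"
}
check_sample_zones
```

An empty result means every A record and every PTR record in the two files has its counterpart.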

Testing your DNS Server

Now we are finished with configuration, we just need to start the service and test it.

First of all, let's make sure that your server has its own IP as the primary DNS server in the resolv.conf file.

Open resolv.conf:

ee /etc/resolv.conf

Make sure you are using your DNS server's IP as the primary IP. My server's IP is 192.168.0.100, so my resolv.conf looks like this, with my IP in first place:

domain tm.local
nameserver 192.168.0.100
nameserver 192.168.0.2

Save and exit.

Configure named to start automatically at boot time.

Open the rc.conf file in /etc:

ee /etc/rc.conf

Then add the following line to it:

named_enable="YES"

Save and exit.

Start the named service:

/etc/rc.d/named start

You can try to dig for google.com to make sure all is good with your DNS server:

dig google.com

If you see near the end (probably the 3rd line from the bottom) something like this:

;; SERVER: 192.168.0.100#53(192.168.0.100)

then your DNS server (e.g. 192.168.0.100) was the one that answered the query.

You can then try to ping your A records; if all give the expected reply, your DNS is working fine.

10 Sources and References

• Official FreeBSD Handbook

• Using the ports collection (FreeBSD Handbook)

• Search FreeBSD Ports Collection

• PortMaster

• BIND 9 Administrator Reference Manual

• RFC 1034 - Domain Names: Concepts and Facilities

• RFC 1035 - Domain Names: Implementation and Specification

• The FreeBSD DNS Handbook

• Building a Server with FREEBSD 7