Results 11 to 17 of 17
03-26-2005 #11 (Just Joined!, Join Date: Mar 2005, Posts: 20)
named-checkconf -t /var/named/run-root /etc/named.conf
No results.... just brought me to next line
[root@alexandrerochedesign root]# ls -l /etc/named.conf
-rw-r--r-- 1 root root 3830 Mar 26 11:50 /etc/named.conf
[root@alexandrerochedesign root]# ls -l /var/named/run-root/etc/named.conf
-r--r--r-- 1 root root 3471 Mar 15 09:44 /var/named/run-root/etc/named.conf
And then for your last one I had to fool around with the syntax a bit to get it working..... The second one looked like it worked OK....
[root@alexandrerochedesign root]# named-checkzone downwithbettman.com downwithbettman.zone
zone downwithbettman.com/IN: loading master file downwithbettman.zone: file not found
[root@alexandrerochedesign root]# named-checkzone downwithbettman.com /var/named/downwithbettman.zone
zone downwithbettman.com/IN: loaded serial 2005032400
OK
Thanks.... you really know what you're doing here...
03-26-2005 #12 (Linux Newbie, Join Date: Mar 2005, Posts: 230)
Ok, we're going to rearrange things a bit with your configuration. There should never EVER be configuration files lying around unused. It just confuses administrators. So follow these directions:
# duplicate the config you've been editing to the chroot location
cat /etc/named.conf > /var/named/run-root/etc/named.conf
# overwrite config with a symlink pointing to the chroot location
ln -fs /var/named/run-root/etc/named.conf /etc/named.conf
# Move all zone files to the chroot zone file directory
# (create it first in case it does not exist yet, and move only plain files,
#  because the glob /var/named/* would also match run-root itself and mv
#  would refuse to move that directory into its own subdirectory)
mkdir -p /var/named/run-root/var/named
find /var/named -maxdepth 1 -type f -exec mv -f {} /var/named/run-root/var/named/ \;
Now you only have 1 config file, which can be accessed from 2 locations, which just makes things more efficient, convenient, and intuitive. Also, all those zone files you've been editing or looking at are no longer located in /var/named. BIND couldn't even reach them, and was loading a config that didn't even try to load them.
CHROOT EXPLAINED...
I've mentioned chroot several times without any indication as to what it is, or why you're even using it. Chroot stands for "change root". It does exactly what it stands for. BIND will tell the kernel that it wants to run under a different virtual root directory. After doing so, any time BIND tries to access the file /etc/named.conf, it will ACTUALLY be accessing /var/named/run-root/etc/named.conf. The directory "/var/named/run-root" is BIND's root directory and it absolutely cannot access other files in the file system. This is a security feature. If a hacker were to break into BIND and start telling it what to do, the hacker will only have access to files in the /var/named/run-root directory.
Chroot can be a pretty clumsy thing when it comes to organization, and it is frequently difficult to set up the "jail" that a given application will work within. Chroot can be argued as an unnecessary security precaution due to the unlikelihood that your version of BIND will be hacked into (9.2.1). However, some OS configurations come with chroot prepared by default, and since it is already set up, we might as well work with it.
----
quote: "you really know what you're doing here..."
heh, thanks. I've made DNS and BIND my business in more than one sense of the word. I've tried very hard to learn everything there is to know about DNS and BIND.
03-26-2005 #13 (Just Joined!, Join Date: Mar 2005, Posts: 20)
Ok wait.
So I moved the named.conf to /var/named/run-root/etc/named.conf
Then, I created a symlink in /etc/ to that file.
then, I moved all the zone files to /var/named/run-root/var/named/
HOWEVER.... the directory /var/named/run-root/var/named/ did not exist, so I created the directory named in var/named/run-root/var/.....
I restarted named, but now DNS crawler is saying the server does not exist!
It says server failure.....
Alexandre
03-26-2005 #14 (Just Joined!, Join Date: Mar 2005, Posts: 20)
There is another folder /var/named/run-root/var/run/named
inside is a file called named.pid.
What is this?
Should the zone files go in here instead?
03-26-2005 #15 (Just Joined!, Join Date: Mar 2005, Posts: 20)
I fixed it, you're a genius!
I moved the zone files to /var/named/run-root/var/ and it worked!
03-26-2005 #16 (Linux Newbie, Join Date: Mar 2005, Posts: 230)
That's strange. I guess your BIND was compiled to use /var by default. This can be customized by your named.conf.
Server Failure - means BIND couldn't load the zone file for whatever reason. Reasons include missing file, permission denied, syntax error in the file, etc.
named.pid is where BIND writes its process id.
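The chroot path mapping explained in post #12 (named's /etc/named.conf is really /var/named/run-root/etc/named.conf on the host) and the "Server Failure" causes listed just above (missing or unreadable zone file) can be checked before restarting named. The script below is an added example written for this thread; it is not from the original posts or from BIND. It reads named.conf from inside a jail, resolves each zone's file clause against the options directory the way named would, translates the jail path to the host path, and reports whether the file is present and readable. The sample jail and named.conf it builds in a temporary directory are constructed for the demonstration, and the regexes cover only the simple named.conf layout used in this thread, not the full grammar.

```python
"""Check that every zone file a chrooted BIND would open is reachable inside the jail.

Added example for this thread; not from the original posts or from BIND itself.
"""
import os
import re
import tempfile

# Tolerant patterns for the two constructs we need (assumption: no nested
# braces inside a zone statement, which holds for the configs in this thread).
_DIRECTORY_RE = re.compile(r'\bdirectory\s+"([^"]+)"\s*;')
_ZONE_RE = re.compile(r'\bzone\s+"([^"]+)"[^{]*\{(.*?)\}\s*;', re.S)
_FILE_RE = re.compile(r'\bfile\s+"([^"]+)"\s*;')


def jail_to_host(chroot, jail_path):
    """Translate a path as named sees it inside the jail to the host path.

    With a chroot of /var/named/run-root, named's /etc/named.conf is really
    /var/named/run-root/etc/named.conf on the host.
    """
    return os.path.join(chroot, jail_path.lstrip("/"))


def zone_files(named_conf_text):
    """Return [(zone, jail_path)] for every zone statement that has a file clause.

    Relative file names are resolved against the options { directory } value;
    BIND's working directory defaults to "." when none is given.
    """
    m = _DIRECTORY_RE.search(named_conf_text)
    directory = m.group(1) if m else "."
    result = []
    for zone, body in _ZONE_RE.findall(named_conf_text):
        f = _FILE_RE.search(body)
        if not f:
            continue  # forward zones etc. carry no file clause
        path = f.group(1)
        if not os.path.isabs(path):
            path = os.path.normpath(os.path.join(directory, path))
        result.append((zone, path))
    return result


def check_chroot_zones(chroot, named_conf_jail_path="/etc/named.conf"):
    """Read named.conf from inside the jail and classify each zone file.

    Returns a list of dicts with zone, jail_path, host_path and a status of
    'ok', 'missing' or 'unreadable'.  The last two are exactly the "couldn't
    load the zone file" conditions that produce SERVFAIL for that zone.
    """
    with open(jail_to_host(chroot, named_conf_jail_path)) as fh:
        text = fh.read()
    report = []
    for zone, jail_path in zone_files(text):
        host_path = jail_to_host(chroot, jail_path)
        if not os.path.isfile(host_path):
            status = "missing"
        elif not os.access(host_path, os.R_OK):
            status = "unreadable"
        else:
            status = "ok"
        report.append({"zone": zone, "jail_path": jail_path,
                       "host_path": host_path, "status": status})
    return report


def build_demo_chroot():
    """Constructed sample jail mirroring the thread's layout (not real data)."""
    chroot = tempfile.mkdtemp(prefix="run-root-")
    os.makedirs(os.path.join(chroot, "etc"))
    os.makedirs(os.path.join(chroot, "var", "named"))
    with open(os.path.join(chroot, "etc", "named.conf"), "w") as fh:
        fh.write('options { directory "/var/named"; };\n'
                 'zone "." IN { type hint; file "named.ca"; };\n'
                 'zone "example.test" IN { type master; file "example.zone"; };\n'
                 'zone "missing.test" IN { type master; file "/var/missing.zone"; };\n')
    # Only the first two zone files are placed inside the jail; the third is
    # deliberately left out to show what a misplaced zone file looks like.
    for name in ("named.ca", "example.zone"):
        with open(os.path.join(chroot, "var", "named", name), "w") as fh:
            fh.write("; constructed placeholder zone data\n")
    return chroot


if __name__ == "__main__":
    root = build_demo_chroot()
    for entry in check_chroot_zones(root):
        print(f"{entry['status']:10} {entry['zone']:15} "
              f"jail {entry['jail_path']} -> host {entry['host_path']}")
```

Run it against a real jail with `check_chroot_zones("/var/named/run-root")`; a zone reported as missing means the file is sitting somewhere named cannot see it from inside the chroot, which is the situation the earlier posts were untangling.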
03-27-2005 #17 (Just Joined!, Join Date: Mar 2005, Posts: 20)
Yeah it seems that would be the issue.
Thanks again for your help.
Alexandre