topic Re: Does anyone have DNS working in Fedora in Operating System - Linux

Does anyone have DNS working in Fedora

Vernon Brown_4 — Sun, 02 May 2004 20:15:13 GMT

I was running DNS on my server before I upgraded from RedHat 7.1 to Fedora Core 1. Apache virtual hosts and mail are working but just noticed that DNS does not work. Named is running; starts without complaint; but strange things happen in the /var/named directory. I find there /var/named/chroot in which the /var/named directory is duplicated; and in that yet another /var/named/chroot/var/named/chroot etc. to who knows how far.

Seems broke.

How to revert back to the old DNS that works while waiting for this new chroot scheme to get fixed.

Anyone know ??

Vern

Re: Does anyone have DNS working in Fedora

Steven E. Protter — Sun, 02 May 2004 20:51:58 GMT

I've made this work with Fedora. I did as follows:

1) Copied my /etc/named.conf file exactly as it was from Red Hat 7.x

2) copied all the entries in /var/named from the old system to the new system.

service named start

There were a few warning messages, but I was able to comment out the lines in /etc/named.conf that were being complained about.

You didn't run Bastile on this system did you?

SEP

Re: Does anyone have DNS working in Fedora

Vernon Brown_4 — Sun, 02 May 2004 21:18:05 GMT

Hi Steven; I didn't intentionally run Bastille but I did the DNS setup with the Gnome GUI and am not sure what all that setup did.

Searching on the internet I find lots of folks having problems with DNS with Fedora; I'll try your approach and see if I can tweak for my setup.

Thanks !!

Vern

Re: Does anyone have DNS working in Fedora

Vernon Brown_4 — Sun, 02 May 2004 22:08:27 GMT

Success !!!

Steven; it worked; had to do a couple of additional steps. In the file /etc/sysconfig/named comment out the entry:

ROOTDIR=/var/named/chroot

so that it looks like:

#ROOTDIR=/var/named/chroot

Then make the /etc/resolv.conf first entry be:

nameserver 127.0.0.1

Re: Does anyone have DNS working in Fedora

Stuart Browne — Sun, 02 May 2004 22:52:55 GMT

By default, it would appear as if your system was set up to use a CHRoot jail for Named.

Until last night, I'd never purposely done this. I've since found out it's bloody simple!

The CHRoot jail by it's very nature means that if 'named' does get exploited, there's nothing to do within the exploited filesystem, as there's no shell, no utilities, hell, no libraries! Very secure.

The requirements are pretty simple too. I admit to being a bit confused by the zero-byte-length 'named.conf' in the distributed fedora chroot jail however, as the documentation says this is read *after* the chroot creation. Anyway..

As for the double duplication, I think that was a bugger-up on behalf of the packager.

Re: Does anyone have DNS working in Fedora

Vernon Brown_4 — Sun, 02 May 2004 23:10:02 GMT

The CHRoot jail could have happened in my GUI config of named; GUI config of my ADSL always breaks the init script for example. No matter what I enter as the password the GUI puts "none" in the password portion of the paps-secrets file. Have to manually change it to the correct password to get ADSL to start.

Like they say; if it was easy it would be no fun !!

Re: Does anyone have DNS working in Fedora

Steven E. Protter — Sun, 02 May 2004 23:12:20 GMT

So you've taken named out of the chroot jail.

Its still reasonably secure. Now I'd like to suggest that you attempt to get it working within the chroot jail.

I've injured myself playing sports(yeah, more itrc time right?) and will attempt to do this very same thing on a non-production BIND server over the next few days.

Of the procedures I've found thus far, this one looks best.

http://sxs.thexdershome.com/internet_serving/bind9_chroot.html

I'm going to try it and see how it works.

We'll learn together.

I suggest this only because you have been hacked so many times, its best to secure everything you can.

SEP

Re: Does anyone have DNS working in Fedora

Stuart Browne — Sun, 02 May 2004 23:18:08 GMT

I literally did this last night for a friend of mine who runs a small local ISP.

He mentioned it, I looked, and lo-and-behold, 10 minutes later one CHRoot'd monster!

Looking at how fedora does it by default seems I did too much, but *shrug* it works well!

requirements:

/etc/named.conf
/etc/localtime
/var/named/*
/var/run/named/ (group-write 'named')
/dev/random (c/1/8)
/dev/null (c/1/3)

The 'ROOTDIR' entry in '/etc/sysconfig/named' to point to your new chroot structure.

I didn't have to make any syslog changes, it found them all on it's own.

Re: Does anyone have DNS working in Fedora

Alexander Chuzhoy — Mon, 03 May 2004 00:53:01 GMT

Why would you convert it to the older version.The only difference (to someone who configures of course) is that the configuration files are now under /var/named/chroot/.
If you edit /var/named/chroot/etr/named.conf

and then /var/named/chroot/var/named/zonefile
correctly and then restart the named service-everything is suppose to work.

However if you still wish to work without the chroot enviroment-try to remove the bind-chroot package:
rpm -e bind-chroot

Re: Does anyone have DNS working in Fedora

Steven E. Protter — Mon, 03 May 2004 01:31:16 GMT

Okay, progress report.

After much annoyance I had to combine Stuart's and my procedure. His assumes you know the mknod commands which frankly I don't. Mine doesn't work due to the syslog changes I think.

One caveat.

I get this error at startup.

/etc/init.d/named: line 7: --: command not found

There is nothing on line 7 of /etc/init.d/ so I'm not sure how serious this is.

I do however have named running in a choot jail. I may try it on HP-UX at work.

SEP

Re: Does anyone have DNS working in Fedora

Stuart Browne — Mon, 03 May 2004 01:56:55 GMT

Err, oops! ;) Sorry Steve. Did a bit of 'mknod'n last week so it's fresh in my mind ;)

(for the record, the docuemnt SEP posted has the commands, but they are simply 'mknod null c 1 3;mknod random c 1 8').

I did it last night on an ES3 box with copying those files, and mknod'n those device nodes.

I admit it took 3 restarts to get all the permissions right though :)

SEP, I'm looking through RH8, RH9, FC1 and RHES3's '/etc/init.d/named', and line 7 on all of them appear to be part of the commented-out 'chkconfig' Description lines.

Wanna paste the top dozen or so lines of it, or email 'em to me (stuart at promed.com.au), and we'll see what it's thinking.

Oh, and I forgot the '/etc/rndc.key' file earlier. Apologies.

Re: Does anyone have DNS working in Fedora

Vernon Brown_4 — Mon, 03 May 2004 06:42:24 GMT

Ok; I'll try to put DNS back in jail :o)

I managed to get an install of Fedora with chroot'ed named only one level deep; the way I think it should be. It works as a caching only name server.

I'll try adding my local zones later.

Re: Does anyone have DNS working in Fedora

Steven E. Protter — Mon, 03 May 2004 10:30:21 GMT

Stuart, my /etc/init.d/named looks just like yours.

Which makes the error rather problematic and hard to diagnose. I have no clue how to proceed but note that DNS is running in the chroot jail, appears to be stable, so I'm not going production yet, but I'm not terribly worried.

Vernon,

Stuart was "spot on" with regards to not having to alter the syslog. My document is out of date where it refers to /etc/rc.d/named that should be /etc/init.d/named ... At some point, I'll post a version to my own website.

SEP

Re: Does anyone have DNS working in Fedora

Stuart Browne — Mon, 03 May 2004 18:14:19 GMT

Hrm.. Freaky.. Ghost errors.. always fun ;)