Operating System - Linux

Re: Does anyone have DNS working in Fedora

 
SOLVED
Go to solution
Vernon Brown_4
Trusted Contributor

Does anyone have DNS working in Fedora

I was running DNS on my server before I upgraded from RedHat 7.1 to Fedora Core 1. Apache virtual hosts and mail are working, but I just noticed that DNS does not work. Named is running and starts without complaint, but strange things happen in the /var/named directory. I find there /var/named/chroot, in which the /var/named directory is duplicated; and in that yet another /var/named/chroot/var/named/chroot, etc., to who knows how far.

Seems broke.

How do I revert to the old DNS setup that works while waiting for this new chroot scheme to get fixed?

Anyone know ??

Vern
13 REPLIES
Steven E. Protter
Exalted Contributor

Re: Does anyone have DNS working in Fedora

I've made this work with Fedora. I did as follows:

1) Copied my /etc/named.conf file exactly as it was from Red Hat 7.x

2) Copied all the entries in /var/named from the old system to the new system.

3) service named start

There were a few warning messages, but I was able to comment out the lines in /etc/named.conf that were being complained about.

You didn't run Bastille on this system, did you?

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
Vernon Brown_4
Trusted Contributor

Re: Does anyone have DNS working in Fedora

Hi Steven, I didn't intentionally run Bastille, but I did the DNS setup with the Gnome GUI and am not sure what all that setup did.

Searching on the internet I find lots of folks having problems with DNS with Fedora; I'll try your approach and see if I can tweak for my setup.

Thanks !!

Vern
Vernon Brown_4
Trusted Contributor

Re: Does anyone have DNS working in Fedora

Success !!!

Steven, it worked; I had to do a couple of additional steps. In the file /etc/sysconfig/named, comment out the entry:

ROOTDIR=/var/named/chroot

so that it looks like:

#ROOTDIR=/var/named/chroot


Then make the /etc/resolv.conf first entry be:

nameserver 127.0.0.1


Stuart Browne
Honored Contributor

Re: Does anyone have DNS working in Fedora

By default, it would appear as if your system was set up to use a chroot jail for named.

Until last night, I'd never purposely done this. I've since found out it's bloody simple!

The chroot jail by its very nature means that if 'named' does get exploited, there's nothing to do within the exploited filesystem, as there's no shell, no utilities, hell, no libraries! Very secure.

The requirements are pretty simple too. I admit to being a bit confused by the zero-byte-length 'named.conf' in the distributed fedora chroot jail however, as the documentation says this is read *after* the chroot creation. Anyway..

As for the double duplication, I think that was a bugger-up on behalf of the packager.
One long-haired git at your service...
Vernon Brown_4
Trusted Contributor

Re: Does anyone have DNS working in Fedora

The chroot jail could have happened in my GUI config of named; GUI config of my ADSL always breaks the init script, for example. No matter what I enter as the password, the GUI puts "none" in the password portion of the pap-secrets file. I have to manually change it to the correct password to get ADSL to start.

Like they say; if it was easy it would be no fun !!

Steven E. Protter
Exalted Contributor

Re: Does anyone have DNS working in Fedora

So you've taken named out of the chroot jail.

It's still reasonably secure. Now I'd like to suggest that you attempt to get it working within the chroot jail.

I've injured myself playing sports (yeah, more ITRC time, right?) and will attempt to do this very same thing on a non-production BIND server over the next few days.

Of the procedures I've found thus far, this one looks best.

http://sxs.thexdershome.com/internet_serving/bind9_chroot.html

I'm going to try it and see how it works.

We'll learn together.

I suggest this only because you have been hacked so many times; it's best to secure everything you can.

SEP
Stuart Browne
Honored Contributor

Re: Does anyone have DNS working in Fedora

I literally did this last night for a friend of mine who runs a small local ISP.

He mentioned it, I looked, and lo and behold, 10 minutes later one chroot'd monster!

Looking at how fedora does it by default seems I did too much, but *shrug* it works well!

requirements:

/etc/named.conf
/etc/localtime
/var/named/*
/var/run/named/ (group-write 'named')
/dev/random (c/1/8)
/dev/null (c/1/3)

Set the 'ROOTDIR' entry in '/etc/sysconfig/named' to point to your new chroot structure.

I didn't have to make any syslog changes; it found them all on its own.
Alexander Chuzhoy
Honored Contributor

Re: Does anyone have DNS working in Fedora

Why would you convert it to the older version? The only difference (to someone who configures it, of course) is that the configuration files are now under /var/named/chroot/.
If you edit /var/named/chroot/etc/named.conf

and then /var/named/chroot/var/named/zonefile
correctly and then restart the named service, everything is supposed to work.

However, if you still wish to work without the chroot environment, try removing the bind-chroot package:
rpm -e bind-chroot



Steven E. Protter
Exalted Contributor

Re: Does anyone have DNS working in Fedora

Okay, progress report.

After much annoyance I had to combine Stuart's and my procedure. His assumes you know the mknod commands which frankly I don't. Mine doesn't work due to the syslog changes I think.

One caveat.

I get this error at startup.

/etc/init.d/named: line 7: --: command not found


There is nothing on line 7 of /etc/init.d/ so I'm not sure how serious this is.

I do, however, have named running in a chroot jail. I may try it on HP-UX at work.

SEP
Stuart Browne
Honored Contributor

Re: Does anyone have DNS working in Fedora

Err, oops! ;) Sorry Steve. Did a bit of 'mknod'n last week so it's fresh in my mind ;)

(For the record, the document SEP posted has the commands, but they are simply 'mknod null c 1 3; mknod random c 1 8'.)

I did it last night on an ES3 box by copying those files and mknod'n those device nodes.

I admit it took 3 restarts to get all the permissions right though :)

SEP, I'm looking through RH8, RH9, FC1 and RHES3's '/etc/init.d/named', and line 7 on all of them appears to be part of the commented-out 'chkconfig' Description lines.

Wanna paste the top dozen or so lines of it, or email 'em to me (stuart at promed.com.au), and we'll see what it's thinking.

Oh, and I forgot the '/etc/rndc.key' file earlier. Apologies.

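The jail Stuart's two posts above describe (the file list and ROOTDIR setting, the two mknod calls, and the /etc/rndc.key he added afterwards), put together as one script. This is an added example, not code from the thread or from the bind-chroot package. It assumes the Red Hat / Fedora layout used in the thread, the 'named' user and group that the bind RPM creates, and GNU stat(1). Beyond the posted steps it adds a check mode: it flags the /var/named/chroot/var/named/chroot nesting that started the thread (which is what a recursive copy of /var/named/* into a jail that itself lives under /var/named produces) and an rndc key readable by other local users.

```bash
#!/bin/bash
# Build and sanity-check a chroot jail for BIND 9 'named' on a Red Hat /
# Fedora style system, following the file list posted in this thread.
# Added example, not from the thread or the bind-chroot package. Assumed:
# the 'named' user/group created by the bind RPM, and GNU stat(1).
set -eu

NAMED_USER=named
NAMED_GROUP=named
# Files the thread lists as required inside the jail (rndc.key was added later)
REQUIRED_FILES="etc/named.conf etc/localtime etc/rndc.key"

# build_named_chroot ROOT: populate the jail. Must run as root (mknod, chown).
build_named_chroot() {
    local root=$1
    mkdir -p "$root/etc" "$root/dev" "$root/var/named" "$root/var/run/named"
    for f in $REQUIRED_FILES; do
        cp -p "/$f" "$root/$f"
    done
    # Copy only regular files from /var/named. A recursive copy would pull the
    # jail itself in when ROOT lives under /var/named, which is exactly the
    # chroot/var/named/chroot/... nesting described in the first post.
    find /var/named -maxdepth 1 -type f -exec cp -p {} "$root/var/named/" \;
    # Device nodes named needs: /dev/null is char 1,3 and /dev/random is char 1,8
    [ -c "$root/dev/null" ]   || mknod -m 666 "$root/dev/null" c 1 3
    [ -c "$root/dev/random" ] || mknod -m 644 "$root/dev/random" c 1 8
    # named runs as user 'named': it writes its pid file under var/run/named,
    # may update slave zones, and must read the rndc key; nobody else should.
    chown root:"$NAMED_GROUP" "$root/var/run/named" "$root/etc/named.conf" "$root/etc/rndc.key"
    chmod 775 "$root/var/run/named"
    chmod 640 "$root/etc/named.conf" "$root/etc/rndc.key"
    chown -R "$NAMED_USER:$NAMED_GROUP" "$root/var/named"
    echo "jail built; now set ROOTDIR=$root in /etc/sysconfig/named and run 'service named restart'"
}

# check_chardev PATH MAJOR MINOR: PATH must be a character device with that number.
check_chardev() {
    local dev=$1 major=$2 minor=$3 hexmaj hexmin
    if [ ! -c "$dev" ]; then
        echo "missing device: $dev"; return 1
    fi
    hexmaj=$(stat -c '%t' "$dev")   # %t/%T print major/minor in hex
    hexmin=$(stat -c '%T' "$dev")
    if [ "$((0x$hexmaj))" -ne "$major" ] || [ "$((0x$hexmin))" -ne "$minor" ]; then
        echo "wrong device number: $dev is $((0x$hexmaj)),$((0x$hexmin)), want $major,$minor"; return 1
    fi
}

# check_named_chroot ROOT: print one line per problem, return 1 if any were found.
# Run it before switching ROOTDIR so a half-built jail does not take DNS down.
check_named_chroot() {
    local root=$1 rc=0 f mode
    for f in $REQUIRED_FILES; do
        [ -f "$root/$f" ] || { echo "missing: $f"; rc=1; }
    done
    # The rndc key authenticates control-channel commands: keep it off other users.
    if [ -f "$root/etc/rndc.key" ]; then
        mode=$(stat -c '%a' "$root/etc/rndc.key")
        [ $(( 0$mode & 4 )) -eq 0 ] || { echo "world-readable: etc/rndc.key ($mode)"; rc=1; }
    fi
    [ -d "$root/var/named" ] || { echo "missing: var/named/"; rc=1; }
    # A jail copied into itself: the nesting from the first post.
    [ ! -e "$root/var/named/chroot" ] || { echo "nested: var/named/chroot"; rc=1; }
    if [ -d "$root/var/run/named" ]; then
        mode=$(stat -c '%a' "$root/var/run/named")   # group write bit is 020 octal
        [ $(( 0$mode & 16 )) -ne 0 ] || { echo "not group-writable: var/run/named ($mode)"; rc=1; }
    else
        echo "missing: var/run/named/"; rc=1
    fi
    check_chardev "$root/dev/null" 1 3 || rc=1
    check_chardev "$root/dev/random" 1 8 || rc=1
    return $rc
}

# Usage: named-chroot.sh build [ROOT]   or   named-chroot.sh check [ROOT]
case "${1:-}" in
    build) build_named_chroot "${2:-/var/named/chroot}" ;;
    check) check_named_chroot "${2:-/var/named/chroot}" && echo "jail layout looks fine" ;;
esac
```

Run the check against the jail the Fedora package installed before deciding whether to keep ROOTDIR pointing at it; the nested-directory test is the one that would have caught the layout in the first post.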
Vernon Brown_4
Trusted Contributor

Re: Does anyone have DNS working in Fedora

Ok; I'll try to put DNS back in jail :o)

I managed to get an install of Fedora with chroot'ed named only one level deep; the way I think it should be. It works as a caching only name server.

I'll try adding my local zones later.
Steven E. Protter
Exalted Contributor
Solution

Re: Does anyone have DNS working in Fedora

Stuart, my /etc/init.d/named looks just like yours.

Which makes the error rather problematic and hard to diagnose. I have no clue how to proceed, but I note that DNS is running in the chroot jail and appears to be stable, so I'm not going to production yet, but I'm not terribly worried.

Vernon,

Stuart was "spot on" with regards to not having to alter the syslog. My document is out of date where it refers to /etc/rc.d/named that should be /etc/init.d/named ... At some point, I'll post a version to my own website.

SEP
Stuart Browne
Honored Contributor

Re: Does anyone have DNS working in Fedora

Hrm.. Freaky.. Ghost errors.. always fun ;)