From: Robert Lowe (Robert.H.Lowe@lawrence.edu)
Date: Tue Jul 13 2004 - 23:05:57 CDT
Patrick Jaques wrote:
> I believe you could have edited '/etc/sysconfig/named' and remarked out the
> line
>
> # ROOTDIR=/var/named/chroot
>
> so bind would look for its configuration files in /etc in a non-chroot
> configuration.
I highly recommend *always* running bind in a chroot jail. With BIND9
it's so easy that there really isn't a good excuse not to. DNS is
always going to be a target for attacks of various kinds.
-Robert
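As an added example (not from the list thread), a small POSIX shell check for the situation Tony describes in the quoted message below: named started with `-t /var/named/chroot`, but the copies of named.conf and db.root inside the jail empty or missing, so named silently runs with built-in defaults. The command line and the file names are taken from his message; the jail directory used in the demo is a constructed temporary directory.

```shell
#!/bin/sh
# Added example, not part of the list thread. Given the command line Tony
# quotes (named -u named -t /var/named/chroot), work out where a chrooted
# named really reads its files and flag config files that are missing or
# empty inside the jail, which is what left his server in "default mode".

# Print the chroot directory from a named command line; return 1 if the
# server is not started with -t (i.e. it is not chrooted).
named_chroot_dir() {
    set -- $1
    while [ $# -gt 0 ]; do
        if [ "$1" = "-t" ] && [ -n "$2" ]; then
            printf '%s\n' "$2"
            return 0
        fi
        shift
    done
    return 1
}

# Return 0 if every path given after the jail directory exists and is
# non-empty inside the jail; report each problem and return 1 otherwise.
check_chroot_files() {
    jail=$1; shift
    status=0
    for f in "$@"; do
        full="$jail$f"
        if [ ! -e "$full" ]; then
            echo "missing inside chroot: $full"; status=1
        elif [ ! -s "$full" ]; then
            echo "empty inside chroot, named will use defaults: $full"; status=1
        fi
    done
    return $status
}

# Constructed demo: a throwaway directory stands in for /var/named/chroot,
# with an empty named.conf and no db.root, as on the FC2 install described.
demo_jail=$(mktemp -d)
mkdir -p "$demo_jail/etc"
: > "$demo_jail/etc/named.conf"
jail=$(named_chroot_dir "/usr/sbin/named -u named -t $demo_jail")
if check_chroot_files "$jail" /etc/named.conf /etc/db.root; then
    echo "chroot config complete: $jail"
else
    echo "chroot config incomplete: $jail"
fi
rm -rf "$demo_jail"
```

Run it against the real `ps` output for named and the real jail path to confirm the hard-linked files Tony mentions are actually visible from inside the chroot.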
> -----Original Message-----
> From: owner-netreg@southwestern.edu [mailto:owner-netreg@southwestern.edu]
> On Behalf Of DelVecchio, Anthony R.
> Sent: Tuesday, July 13, 2004 11:17 PM
> To: netreg@southwestern.edu
> Subject: RE: NetReg: NetReg DNS server not automatically redirecting
>
> Thanks everyone,
>
> I found that FC 2 runs named as chroot and when it does it appears to load
> the named.conf last. Unfortunately, in the chroot path those two files were
> empty so it was running in pretty much a default mode. Linking the
> named.conf (hard link not symbolic) and db.root to the chroot /etc fixed the
> problem. Red Hat 9 (which was the last time under which I built this) did
> not do this.
>
> I am told that a jailed process would normally load its conf files first
> then get jailed rather than what happened here.
>
> Here is how FC 2 is running bind from its installation:
> /usr/sbin/named -u named -t /var/named/chroot
>
> Summary: link /var/named/chroot/etc/named.conf and db.root to
> /etc/named.conf and /etc/db.root
>
> Tony DelVecchio
> Network Security Manager
> University of St Thomas, St Paul, Mn
>
> _____
>
> From: Robert Lowe [mailto:Robert.H.Lowe@lawrence.edu]
> Sent: Tue 7/13/2004 4:31 PM
> To: netreg@southwestern.edu
> Subject: Re: NetReg: NetReg DNS server not automatically redirecting
>
> DelVecchio, Anthony R. wrote:
>
>>Hi,
>>
>>I am running into an issue where I have an unregistered client pick up
>>the DHCP info from an unregistered range including DNS. I verified this
>>with an ipconfig. When you go to a browser I am still able to get to
>>any url. I have to manually enter the url for netreg in order to
>>register the client.
>>
>>I haven't confirmed if this is only happening with my Windows XP Pro
>>client or if it is happening to everyone else. I have experienced a
>>similar intermittent problem in the past where the client would not
>>give up its old, valid IP. This is not the case this time.
>>
>>Running nslookup shows the server to be the netreg dns but when you
>>actually do an nslookup you will get non-authoritative answers with real
>>IP's. I am running BIND 9.2.3 from the Fedora 2 install using the
>>cut-and-paste files from the docs. DHCP and Apache installed separately.
>
> First use dig on your DNS/NetReg box. Check your logfiles, just to make
> sure named hasn't reported any errors. Are you really running BIND8?
> Versus BIND9, that is.
>
> Are you sure you're not already running some version of named that came
> with your Fedora install?
>
> My comments below are not directly related to your problem at the moment...
>
>>---------------------
>>
>>// named.conf for NetReg
>>// Belongs at /etc/named.conf
>>
>>server 140.209.13.3 {
>> bogus yes;
>>};
>>
>>options {
>> directory "/etc/";
>> recursion no;
>> fetch-glue no;
>>};
>>
>>zone "." in {
>> type master;
>> file "db.root";
>>};
>>
>>; Bind 8 -- Zone file -- for NetReg
>>; Belongs at /etc/db.root
>>
>>$TTL 3600
>>. IN SOA ust-netregspn.stthomas.edu. root.ust-netregspn.stthomas.edu. (
>> 2 ;serial
>> 10800 ;refresh
>> 3600 ;retry
>> 604800 ;expire
>> 86400 ;default ttl
>
> FYI, this is the 'minimum' value, now used for negative caching TTL.
>
>> )
>> IN NS ust-netregspn.stthomas.edu.
>>ust-netregspn 86400 IN A 140.209.13.3
>
> You're in the root zone (.) here. This should be fully
> qualified, e.g. ust-netregspn.stthomas.edu.
>
>>*. 86400 IN A 140.209.13.3
>
> Get rid of the TTL you've specified here. Let the $TTL
> statement take care of that. In any case, this value is
> way too large. What happens if a client registers but
> doesn't reboot? And the client runs a DNS resolver
> service that caches responses? I'd make the default
> TTL something on the order of 10 minutes myself.
>
> -Robert
>
> **********************************************************************
> To unsubscribe from this list, send an e-mail message to
> majordomo@southwestern.edu containing a single line with the words:
> unsubscribe netreg
> Send requests for assistance to: owner-netreg@southwestern.edu
> **********************************************************************
>
This archive was generated by hypermail 2.1.4 : Thu Aug 12 2004 - 12:01:46 CDT