Mac OS X comes with a fully working distribution of BIND. However, anyone going to be running a DNS server should know how to get the latest version, compile and configure BIND from scratch.
Note: Make sure you install the Xcode developer tools that came with your Mac or copy of Mac OS X. You will also need to have admin rights on the account you use.
First get the source for the latest version of BIND from ISC.
At the time of this article BIND 9.5.0-p1 was the latest version. Once you have downloaded the .gz file, double-click it to expand it. Using the terminal, change directory to the BIND source folder.
cd /path/to/BIND9.5.0-p1
Once you are in the BIND source folder type the following command to prepare the compile.
./configure
Once the prompt comes back type the following.
make
Once the prompt comes back type the following.
sudo make install
Once the prompt comes back you will now have a full install of the latest version of BIND in /usr/local/sbin.
Apple has included a launch daemon plist that can be used to start and stop the named service. Unfortunately, it doesn’t work because it launches named before all the network stuff is loaded at boot. If anyone out there knows a way to delay the service starting using the launchd plist, let me know. Until we get a fix we will use the old style startup item. Download this file, unzip it and place the BIND folder in /Library/StartupItems/. This will make sure named is launched at startup. They are just text files; you can open any of them with a text editor to make sure I’m not giving you a virus or trojan.
Here I will go over some basic security when setting up the initial config files. I recommend picking up the O’Reilly BIND and DNS book. At the end of this HOWTO check out the links for more info.
First you should set up an rndc key file so you can send commands like reload to the named service. In the terminal, type the following and hit return.
/usr/local/sbin/rndc-confgen
It should spew out something like below.
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "Z3LG7rfMjNAc5EBVkmjz2Q==";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
# End of rndc.conf
# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndc-key" {
# algorithm hmac-md5;
# secret "Z3LG7rfMjNAc5EBVkmjz2Q==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndc-key"; };
# };
# End of named.conf
The only part we want is the key statement. Copy the part that looks like this.
key "rndc-key" {
algorithm hmac-md5;
secret "Z3LG7rfMjNAc5EBVkmjz2Q==";
};
Paste the key statement into a text file called rndc.key that will live in /etc. Make sure the file is not world readable.
Now we can start setting up a named.conf file. At the top of the conf file you will want to have an include statement to point to the rndc.key file.
include "/etc/rndc.key";
Next we will set what port the server will receive signals on and which IPs are allowed to send those signals.
controls {
inet * port 154 allow { localhost; 192.168.1.51; } keys {"rndc-key"; };
};
What the above statement says is: listen on port 154 and allow the server itself and one other IP (192.168.1.51) to send me signals. A malicious user would have to have the 128-bit HMAC-MD5 secret, know the port to send signals to, and have the right IP to send signals from. Change the port to your liking; just don't use ports from other services or the default control port of 953.
Other security measures.
Make use of access control lists (ACLs) in the named.conf file. Use them to define your trusted subnets and zone transfer servers.
For example
# Access control list to limit what servers can do zone transfers from this server.
acl "xfer" { 192.168.1.251; };
Replace the 192.168.1.251 with your slave name server.
Stop recursion to the outside world by setting up an ACL for your internal subnets.
For example
# Access control list to define our internal subnets.
acl "trusted" { localhost; 192.168.1.0/24; };
In the options statement use the following to only allow recursion from your subnets. Also only allow transfers from your xfer acl.
allow-recursion { trusted; };
allow-transfer { xfer; };
Don’t let anyone query the version number.
version "I got nothin!";
Use transaction signatures (TSIG). TSIG uses a shared key to authenticate DNS messages.
Set up an ACL for the blackhole statement. Fill the ACL with RFC1918 private subnets that you are not using.
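Putting the pieces above together, here is a minimal named.conf as an added example (it is not from the original page). The working directory, the zone name, the bogon ranges and the TSIG secret are assumptions or placeholders; the rndc key, control port and addresses are the ones used in this HOWTO.

```conf
# Pull in the rndc key statement saved to /etc/rndc.key (chmod 640, owned by the named user).
include "/etc/rndc.key";

# Subnets allowed to recurse: the server itself and the internal LAN.
acl "trusted" { localhost; 192.168.1.0/24; };

# Only the slave name server may pull zone transfers.
acl "xfer" { 192.168.1.251; };

# RFC1918 ranges NOT in use on this network (assumption: only 192.168.1.0/24 is used).
acl "bogon" { 10.0.0.0/8; 172.16.0.0/12; };

# TSIG key shared with the slave; placeholder secret, generate a real one with rndc-confgen.
key "xfer-key" {
    algorithm hmac-md5;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";
};

# rndc control channel: non-default port, two allowed sources, and the key is mandatory.
controls {
    inet * port 154 allow { localhost; 192.168.1.51; } keys { "rndc-key"; };
};

options {
    directory "/usr/local/var/named";   # assumed working directory
    version "I got nothin!";            # hide the real version string
    allow-recursion { trusted; };       # no open resolver for the outside world
    allow-transfer { key "xfer-key"; }; # transfers must be TSIG-signed, not just from the right IP
    blackhole { bogon; };               # silently drop traffic from unused private ranges
};

# Sign outgoing messages to the slave with the shared key.
server 192.168.1.251 {
    keys { "xfer-key"; };
};

# Example authoritative zone (hypothetical name); the xfer ACL alone would also work here.
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-transfer { xfer; key "xfer-key"; };
};
```

Run /usr/local/sbin/named-checkconf on the file before reloading; it catches the missing-semicolon class of error in ACLs that named otherwise refuses to start on.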
Here are some links to other sites that go over DNS security.