From: Frank Brehm
Date: Tue, 7 Feb 2012 22:49:10 +0000 (+0100)
Subject: Bind aktiviert
X-Git-Url: https://git.uhu-banane.net/?a=commitdiff_plain;h=ca19f8f15db2803367dfef8c22b4dd8b72069ead;p=config%2Fuhu1%2Fetc.git
Bind aktiviert
---
diff --git a/.etckeeper b/.etckeeper
index 17a88c1..1ac6dde 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -111,8 +111,15 @@ maybe chown named './bind'
 maybe chmod 0755 './bind'
 maybe chgrp named './bind/bind.keys'
 maybe chmod 0640 './bind/bind.keys'
+maybe chmod 0644 './bind/named-acl.conf'
+maybe chmod 0644 './bind/named-dyn.conf'
+maybe chmod 0644 './bind/named-log.conf'
+maybe chmod 0644 './bind/named-pri.conf'
+maybe chmod 0644 './bind/named-sec.conf'
 maybe chgrp named './bind/named.conf'
 maybe chmod 0640 './bind/named.conf'
+maybe chgrp named './bind/named.conf.orig'
+maybe chmod 0640 './bind/named.conf.orig'
 maybe chgrp named './bind/rndc.key'
 maybe chmod 0640 './bind/rndc.key'
 maybe chmod 0755 './ca-certificates'
diff --git a/bind/named-acl.conf b/bind/named-acl.conf
new file mode 100644
index 0000000..de512c8
--- /dev/null
+++ b/bind/named-acl.conf
@@ -0,0 +1,42 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Access-Control-Listen
+//# /etc/bind/named-acl.conf
+//#
+//# $Header: /etc/bind/.rcs/named-acl.conf,v 1.8 2011/01/09 18:18:18 root Exp $
+//#
+//# Host Helga
+//#
+//# Generiert am: 26.05.2010
+//# von: frank@brehm-online.com
+//#
+//###############################################################
+
+//###############################################################
+//# Access-Control-Listen
+
+acl common-allow-transfer {
+ 213.20.92.7;
+ 80.154.16.7;
+ 85.199.64.7;
+ 46.16.73.175;
+ 85.214.43.33;
+ 85.214.134.152;
+ 85.214.147.150;
+ 195.50.185.7;
+ 2a01:238:4239:8a00:d4da:215d:3d01:f9b9;
+ 127.0.0.1;
+ ::1;
+ 85.214.134.152;
+ 2a01:238:4225:6e00:8f8c:808a:7fb8:88df;
+ 2001:6f8:1db7::1;
+ 2001:6f8:1c00:365::2;
+};
+
+acl allow-dyn-update {
+ 127.0.0.1;
+ 85.214.134.152;
+ 46.16.73.175;
+};
+
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-dyn.conf b/bind/named-dyn.conf
new file mode 100644
index 0000000..395b84c
--- /dev/null
+++ b/bind/named-dyn.conf
@@ -0,0 +1,17 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Dynamische Master-Zonen
+//# /etc/bind/named-dyn.conf
+//#
+//# Host Uhu1
+//#
+//# Generiert am: 26.05.2010
+//# von: frank@brehm-online.com
+//#
+//###############################################################
+
+//###############################################################
+//# dynamische Zonen (sind aber Master)
+
+// Keine!
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-log.conf b/bind/named-log.conf
new file mode 100644
index 0000000..9e4de15
--- /dev/null
+++ b/bind/named-log.conf
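Review bot: `85.214.134.152;` appears twice in `acl common-allow-transfer` (as the 6th and again as the 12th entry); BIND tolerates the duplicate, but it makes the list harder to audit, so drop the second occurrence. `acl allow-dyn-update` is defined here yet nothing in this commit references it — named-dyn.conf declares no zones and named.conf has no `update-policy` or `allow-update` tied to it — so it is dead configuration that deserves either a comment stating the intended use or removal. The header says `//# Host Helga` while the sibling files say `//# Host Uhu1` and the repository is uhu1's /etc; the same `Host Helga` header is added in named.conf's first hunk.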
@@ -0,0 +1,68 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei Logging
+//# /etc/bind/named-log.conf
+//#
+//# Host Uhu1
+//#
+//# Generiert am: 26.05.2010
+//# von: frank@brehm-online.com
+//#
+//###############################################################
+
+//###############################################################
+//# Angaben zum Logging
+
+logging {
+
+ // Kategorien
+
+ category default {
+ default_debug;
+ logtofile;
+ };
+ category general {
+ logtofile;
+ syslog-warning;
+ };
+ category lame-servers {
+ null;
+ };
+ category queries {
+ query_logging;
+ };
+
+ // Kanäle
+
+ channel complete_debug {
+ file "/var/log/bind/complete-debug.log";
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ severity debug 99;
+ };
+ channel logtofile {
+ file "/var/log/bind/named.log";
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ severity info;
+ };
+ channel moderate_debug {
+ file "/var/log/bind/debug.log";
+ print-category yes;
+ print-severity yes;
+ print-time yes;
+ severity debug 1;
+ };
+ channel query_logging {
+ file "/var/log/bind/query.log";
+ print-time yes;
+ };
+ channel syslog-warning {
+ syslog daemon;
+ severity warning;
+ };
+
+};
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-pri.conf b/bind/named-pri.conf
new file mode 100644
index 0000000..f51ec57
--- /dev/null
+++ b/bind/named-pri.conf
@@ -0,0 +1,17 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Primäre Zonen
+//# /etc/bind/named-pri.conf
+//#
+//# Host Uhu1
+//#
+//# Generiert am: 26.05.2010
+//# von: frank@brehm-online.com
+//#
+//###############################################################
+
+//###############################################################
+//# Master-Zonen (Primary)
+
+// Keine!
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named-sec.conf b/bind/named-sec.conf
new file mode 100644
index 0000000..62a89ac
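Review bot: None of the four `file` channels (`complete_debug`, `logtofile`, `moderate_debug`, `query_logging`) sets `versions` or `size`, so named itself never rotates them, and `/var/log/bind/query.log` in particular will grow without bound because wiring `category queries` to a channel starts query logging at startup; unless an external logrotate covers these paths, add size-based rotation, e.g. `file "/var/log/bind/named.log" versions 5 size 50M;` — the form the old commented-out logging block in named.conf already used. `complete_debug` (`severity debug 99`) and `moderate_debug` are defined but no category refers to them, so they are inert unless someone re-points a category by hand; a one-line comment saying they are kept for manual debugging would stop the next reader from hunting for the missing reference. `category default` also lists the built-in `default_debug` channel, which presumably is intentional but worth a comment since it only emits once the debug level is raised.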
--- /dev/null
+++ b/bind/named-sec.conf
@@ -0,0 +1,26 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei - Sekundäre Zonen
+//# /etc/bind/named-sec
+//#
+//# Host Uhu1
+//#
+//# Generiert am: 26.05.2010
+//# von: frank@brehm-online.com
+//#
+//###############################################################
+
+//###############################################################
+//# Slave-Zonen (Secondary)
+
+zone "home.brehm-online.com" IN {
+ type slave;
+ file "sec/home.brehm-online.com.zone";
+ masters {
+ 85.214.134.152;
+ };
+ allow-transfer {
+ common-allow-transfer;
+ };
+};
+
+# vim: ts=4 filetype=named noai
diff --git a/bind/named.conf b/bind/named.conf
index aab639f..5999846 100644
--- a/bind/named.conf
+++ b/bind/named.conf
@@ -1,3 +1,15 @@
+//###############################################################
+//# Bind9-Konfigurationsdatei
+//# /etc/bind/named.conf
+//#
+//# Host Helga
+//#
+//# Generiert am: 26.05.2010
+//# von: frank@brehm-online.com
+//#
+//###############################################################
+
+
 /*
 * Refer to the named.conf(5) and named(8) man pages, and the documentation
 * in /usr/share/doc/bind-9 for more details.
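Review bot: The slave zone pulls from `masters { 85.214.134.152; }` with no TSIG key, so zone content is trusted on source address alone and a spoofed NOTIFY/AXFR from that address would be accepted; if the master supports it, bind the transfer to a key — `masters { 85.214.134.152 key "<key-name>"; };` (placeholder) with the key statement in a 0640 file pulled in via `include`, as rndc.key is handled. The header line `//# /etc/bind/named-sec` is missing the `.conf` suffix. `allow-transfer { common-allow-transfer; }` only resolves because named.conf includes named-acl.conf before this file; a short comment noting that ordering dependency would help, since BIND requires an ACL to be defined before it is referenced.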
@@ -10,83 +22,34 @@
 * useless Internet traffic.
 */
-acl "xfer" {
- /* Deny transfers by default except for the listed hosts.
- * If we have other name servers, place them here.
- */
- none;
-};
-
-/*
- * You might put in here some ips which are allowed to use the cache or
- * recursive queries
- */
-acl "trusted" {
- 127.0.0.0/8;
- ::1/128;
-};
+//###############################################################
+//# Allgemeine Optionen
 options {
+
 directory "/var/bind";
 pid-file "/var/run/named/named.pid";
 /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
 //bindkeys-file "/etc/bind/bind.keys";
- listen-on-v6 { ::1; };
- listen-on { 127.0.0.1; };
-
- allow-query {
- /*
- * Accept queries from our "trusted" ACL. We will
- * allow anyone to query our master zones below.
- * This prevents us from becoming a free DNS server
- * to the masses.
- */
- trusted;
+ listen-on-v6 {
+ any;
 };
-
- allow-query-cache {
- /* Use the cache for the "trusted" ACL. */
- trusted;
- };
-
- allow-recursion {
- /* Only trusted addresses are allowed to use recursion. */
- trusted;
- };
-
- allow-transfer {
- /* Zone tranfers are denied by default. */
- none;
+ listen-on {
+ any;
 };
- allow-update {
- /* Don't allow updates, e.g. via nsupdate. */
- none;
- };
-
- /*
- * If you've got a DNS server around at your upstream provider, enter its
- * IP address here, and enable the line below. This will make you benefit
- * from its cache, thus reduce overall DNS traffic in the Internet.
- *
- * Uncomment the following lines to turn on DNS forwarding, and change
- * and/or update the forwarding ip address(es):
- */
-/*
- forward first;
- forwarders {
- // 123.123.123.123; // Your ISP NS
- // 124.124.124.124; // Your ISP NS
- // 4.2.2.1; // Level3 Public DNS
- // 4.2.2.2; // Level3 Public DNS
- 8.8.8.8; // Google Open DNS
- 8.8.4.4; // Google Open DNS
+ allow-notify {
+ 85.214.147.150;
+ 85.214.134.152;
+ 46.16.73.175;
+ 127.0.0.1/8;
+ ::1;
+ 2a01:238:4225:6e00:8f8c:808a:7fb8:88df;
+ 2a01:238:4239:8a00:d4da:215d:3d01:f9b9;
 };
-*/
-
 //dnssec-enable yes;
 //dnssec-validation yes;
@@ -99,6 +62,10 @@ options {
 /* if you have problems and are behind a firewall: */
 //query-source address * port 53;
+
+ // pid-file "/var/run/named/named.pid";
+
+ version "none";
 };
 /*
@@ -115,11 +82,37 @@ logging {
 };
 */
+// Logging
+include "/etc/bind/named-log.conf";
+
+// Managed Keys
+include "/etc/bind/bind.keys";
+
+//###############################################################
+//# Kontrollkanäle für RNDC
+
 include "/etc/bind/rndc.key";
+
 controls {
- inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
+ inet 127.0.0.1 port 953 allow {
+ 127.0.0.1;
+ ::1/128;
+ } keys {
+ "rndc-key";
+ };
 };
+key DYN_DNS_UPDATER {
+ algorithm hmac-md5;
+ secret "gi69Yjzo1OSPVQ/oTTgw+Q==";
+};
+
+// Access-Control-Listen
+include "/etc/bind/named-acl.conf";
+
+//###############################################################
+//# Hint-Zonen (zum Finden der Root-Server)
+
 zone "." in {
 type hint;
 file "/var/bind/root.cache";
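Review bot: `listen-on { any; }` and `listen-on-v6 { any; }` now bind named to every interface while the same hunk deletes the explicit `allow-recursion { trusted; }`, `allow-query-cache { trusted; }` and the global `allow-transfer { none; }`, so recursion and transfer policy fall back to BIND's built-in defaults, which differ between versions — verify against the installed one rather than relying on them. The visible configuration has no forwarders and serves only the hint, localhost and one slave zone, so the intent can be stated directly in `options`: `recursion no;` and `allow-transfer { none; };` (the per-zone `allow-transfer` in named-sec.conf still overrides the global default). `127.0.0.1/8;` in the new `allow-notify` list has host bits set in the prefix; write `127.0.0.0/8;` or plain `127.0.0.1;` — named at least warns on such an entry, and newer releases may reject it. The `options` block is closed in the following hunk, outside this one.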
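Review bot: `key DYN_DNS_UPDATER` embeds a literal TSIG secret in named.conf, and this commit records it in the tracked /etc history, so the secret should be treated as disclosed: rotate it and keep the replacement out of the tracked config the way rndc.key is handled here — a separate 0640 root:named file pulled in with `include`. The key also uses `algorithm hmac-md5;`; BIND supports `hmac-sha256`, which should be preferred for any new key. Nothing in this commit references the key or `acl allow-dyn-update` (named-dyn.conf declares no zones and no `update-policy`/`allow-update` appears), so the key is loaded but unused and deserves a comment or removal. `include "/etc/bind/named-acl.conf"` sits after `options`, so `common-allow-transfer` cannot be used for a global `allow-transfer`; move the include above `options` if that is wanted, since BIND requires ACLs to be defined before they are referenced. `include "/etc/bind/bind.keys"` only matters once `dnssec-validation` is enabled, which the preceding hunk leaves commented out.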
@@ -137,36 +130,16 @@ zone "127.in-addr.arpa" IN {
 notify no;
 };
-/*
- * Briefly, a zone which has been declared delegation-only will be effectively
- * limited to containing NS RRs for subdomains, but no actual data beyond its
- * own apex (for example, its SOA RR and apex NS RRset). This can be used to
- * filter out "wildcard" or "synthesized" data from NAT boxes or from
- * authoritative name servers whose undelegated (in-zone) data is of no
- * interest.
- * See http://www.isc.org/software/bind/delegation-only for more info
- */
+//###############################################################
+// Include der Zonendefinitionen
+
+// Master-Zonen
+include "/etc/bind/named-pri.conf";
+
+// Dynamische Zonen
+include "/etc/bind/named-dyn.conf";
+
+// Slave-Zonen
+include "/etc/bind/named-sec.conf";
-//zone "COM" { type delegation-only; };
-//zone "NET" { type delegation-only; };
-
-//zone "YOUR-DOMAIN.TLD" {
-// type master;
-// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
-// allow-query { any; };
-// allow-transfer { xfer; };
-//};
-
-//zone "YOUR-SLAVE.TLD" {
-// type slave;
-// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
-// masters { ; };
-
- /* Anybody is allowed to query but transfer should be controlled by the master. */
-// allow-query { any; };
-// allow-transfer { none; };
-
- /* The master should be the only one who notifies the slaves, shouldn't it? */
-// allow-notify { ; };
-// notify no;
-//};
+# vim: ts=4 filetype=named noai
diff --git a/bind/named.conf.orig b/bind/named.conf.orig
new file mode 100644
index 0000000..aab639f
--- /dev/null
+++ b/bind/named.conf.orig
@@ -0,0 +1,172 @@
+/*
+ * Refer to the named.conf(5) and named(8) man pages, and the documentation
+ * in /usr/share/doc/bind-9 for more details.
+ * Online versions of the documentation can be found here:
+ * http://www.isc.org/software/bind/documentation
+ *
+ * If you are going to set up an authoritative server, make sure you
+ * understand the hairy details of how DNS works. Even with simple mistakes,
+ * you can break connectivity for affected parties, or cause huge amounts of
+ * useless Internet traffic.
+ */
+
+acl "xfer" {
+ /* Deny transfers by default except for the listed hosts.
+ * If we have other name servers, place them here.
+ */
+ none;
+};
+
+/*
+ * You might put in here some ips which are allowed to use the cache or
+ * recursive queries
+ */
+acl "trusted" {
+ 127.0.0.0/8;
+ ::1/128;
+};
+
+options {
+ directory "/var/bind";
+ pid-file "/var/run/named/named.pid";
+
+ /* https://www.isc.org/solutions/dlv >=bind-9.7.x only */
+ //bindkeys-file "/etc/bind/bind.keys";
+
+ listen-on-v6 { ::1; };
+ listen-on { 127.0.0.1; };
+
+ allow-query {
+ /*
+ * Accept queries from our "trusted" ACL. We will
+ * allow anyone to query our master zones below.
+ * This prevents us from becoming a free DNS server
+ * to the masses.
+ */
+ trusted;
+ };
+
+ allow-query-cache {
+ /* Use the cache for the "trusted" ACL. */
+ trusted;
+ };
+
+ allow-recursion {
+ /* Only trusted addresses are allowed to use recursion. */
+ trusted;
+ };
+
+ allow-transfer {
+ /* Zone tranfers are denied by default. */
+ none;
+ };
+
+ allow-update {
+ /* Don't allow updates, e.g. via nsupdate. */
+ none;
+ };
+
+ /*
+ * If you've got a DNS server around at your upstream provider, enter its
+ * IP address here, and enable the line below. This will make you benefit
+ * from its cache, thus reduce overall DNS traffic in the Internet.
+ *
+ * Uncomment the following lines to turn on DNS forwarding, and change
+ * and/or update the forwarding ip address(es):
+ */
+/*
+ forward first;
+ forwarders {
+ // 123.123.123.123; // Your ISP NS
+ // 124.124.124.124; // Your ISP NS
+ // 4.2.2.1; // Level3 Public DNS
+ // 4.2.2.2; // Level3 Public DNS
+ 8.8.8.8; // Google Open DNS
+ 8.8.4.4; // Google Open DNS
+ };
+
+*/
+
+ //dnssec-enable yes;
+ //dnssec-validation yes;
+
+ /*
+ * As of bind 9.8.0:
+ * "If the root key provided has expired,
+ * named will log the expiration and validation will not work."
+ */
+ //dnssec-validation auto;
+
+ /* if you have problems and are behind a firewall: */
+ //query-source address * port 53;
+};
+
+/*
+logging {
+ channel default_log {
+ file "/var/log/named/named.log" versions 5 size 50M;
+ print-time yes;
+ print-severity yes;
+ print-category yes;
+ };
+
+ category default { default_log; };
+ category general { default_log; };
+};
+*/
+
+include "/etc/bind/rndc.key";
+controls {
+ inet 127.0.0.1 port 953 allow { 127.0.0.1/32; ::1/128; } keys { "rndc-key"; };
+};
+
+zone "." in {
+ type hint;
+ file "/var/bind/root.cache";
+};
+
+zone "localhost" IN {
+ type master;
+ file "pri/localhost.zone";
+ notify no;
+};
+
+zone "127.in-addr.arpa" IN {
+ type master;
+ file "pri/127.zone";
+ notify no;
+};
+
+/*
+ * Briefly, a zone which has been declared delegation-only will be effectively
+ * limited to containing NS RRs for subdomains, but no actual data beyond its
+ * own apex (for example, its SOA RR and apex NS RRset). This can be used to
+ * filter out "wildcard" or "synthesized" data from NAT boxes or from
+ * authoritative name servers whose undelegated (in-zone) data is of no
+ * interest.
+ * See http://www.isc.org/software/bind/delegation-only for more info
+ */
+
+//zone "COM" { type delegation-only; };
+//zone "NET" { type delegation-only; };
+
+//zone "YOUR-DOMAIN.TLD" {
+// type master;
+// file "/var/bind/pri/YOUR-DOMAIN.TLD.zone";
+// allow-query { any; };
+// allow-transfer { xfer; };
+//};
+
+//zone "YOUR-SLAVE.TLD" {
+// type slave;
+// file "/var/bind/sec/YOUR-SLAVE.TLD.zone";
+// masters { ; };
+
+ /* Anybody is allowed to query but transfer should be controlled by the master. */
+// allow-query { any; };
+// allow-transfer { none; };
+
+ /* The master should be the only one who notifies the slaves, shouldn't it? */
+// allow-notify { ; };
+// notify no;
+//};
diff --git a/runlevels/default/iptables b/runlevels/default/iptables
new file mode 120000
index 0000000..b4acbcb
--- /dev/null
+++ b/runlevels/default/iptables
@@ -0,0 +1 @@
+/etc/init.d/iptables
\ No newline at end of file
diff --git a/runlevels/default/named b/runlevels/default/named
new file mode 120000
index 0000000..52094d3
--- /dev/null
+++ b/runlevels/default/named
@@ -0,0 +1 @@
+/etc/init.d/named
\ No newline at end of file
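Review bot: `bind/named.conf.orig` is a verbatim copy of the pre-change named.conf — its blob `aab639f` is the old side of the named.conf diff above — so committing it to a git-tracked /etc duplicates what the history already provides and leaves a second, stale copy (group-readable by named per the .etckeeper entry) to drift from the live file; drop it from the tree. If an on-disk backup is wanted, keep it outside the repository or ignore it rather than tracking it.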