DNS caching 70

Enrique Perez-Terron

It works for me now that I have fixed theetc-named.conf file insrv-named-etc. Note that I run named in a chroot area.

So mysrv-named-etc-named.conf now looks like this (with some of the boring stuff removed):

named.conf - Configuration file for BIND9.2 name server

acl "internal" { 127.0.0.1; 192.168.1.0-24; 192.168.2.0-24; };

N.B.: we are invoked in chroot environmentvar-named: options { directory "-"; listen-on { "internal"; }; allow-query { "internal"; }; allow-recursion { "internal"; }; min-refresh-time 3600; or less than an hour cleaning-interval 113; minutes: server not very busy. interface-interval 59; minutes: dial-up interface. dump-file "-var-named-data-nameddump.db"; statistics-file "-var-named-data-namedstats.txt"; };

Use with the following in named.conf, adjusting the allow list as needed: key "rndc-key" { algorithm hmac-md5; secret "AXx-xQ-knNHe2-Sua00wlA=="; }; controls { inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; }; };

And in the "real"etc, there must be file rndc.conf that contains:

# Start of rndc.conf key "rndc-key" { algorithm hmac-md5; secret "AXx-xQ-knNHe2-Sua00wlA==";; };

options { default-key "rndc-key"; default-server 127.0.0.1; default-port 953; }; # End of rndc.conf

Of course, do not use that secret; I am not using it either.

Note that up insrv-named, all files are owned by root, with group named. Only root can write, create, or change files up there so if someone hijacks named, it can read only up there and nowhere else, and cannot write at all. To permit writing, I have added a directorysrv-named-var-data that is owned by root, group named, that can be written by named, so those files (nameddump.db and namedstats.txt) can be written.

-- .~. Jean-David Beyer Registered Linux User 85642. V PGP-Key: 9A2FC99A Registered Machine 241939. ^^-^^ 08:50:00 up 5 days, 23:36, 4 users, load average: 4.27, 4.24, 4.14