Absolute BSD - The Ultimate Guide To FreeBSD (2002)

loop), dnswalk will point it out. However, if you set your preferred mail exchanger to mail.whitehouse.gov, it'll let that pass: dnswalk checks that your records are consistent and resolvable, not that they point where you intended.

To use dnswalk on a domain, use it like this (the trailing dot after the domain name is required):

...............................................................................................

# dnswalk AbsoluteBSD.com.

...............................................................................................

Named Configuration Errors

Named configuration errors are logged to /var/log/messages and are also printed when you start, restart, or reload named. If your nameserver is not serving information on a domain, check this log file first. The log messages are generally fairly explicit and usually state the file and line number where the error occurred.

Named Security

Named is a popular target for hackers because it provides a lot of information about your network and because, by default, it runs as root. If someone breaks into a root-owned named, he owns your machine. We'll tackle these two problems separately.

The dig example I just gave, in which we snagged a complete list of hosts in a domain, is called a zone transfer. A prospective intruder would be very interested in this information, especially if your hosts have descriptive names. ("Oh, ceo.absolutebsd.com must be the company president's machine! That would be neat to hack.")

Because the purpose of a nameserver is to serve names, we can't entirely cut off the bad guy's access. However, we can make sure that named only answers specific queries rather than spilling its guts on request. Thus, if someone asks for a particular hostname, the nameserver will answer, but if someone asks for the whole list, the nameserver will refuse the request.

To restrict zone transfers to specific hosts, use the allow-transfer option:

...............................................................................................

options {
    directory "/var/named";
    allow-transfer {
        192.168.87.3;
        10.115.4.3;
    };
};

...............................................................................................

In this example, the hosts 192.168.87.3 and 10.115.4.3 are the only systems permitted to perform a zone transfer; everyone else gets a refusal. Replace those IP addresses with those of your slave nameservers and your workstation, and you've concealed a lot of information about your network. You might also add the network staff's desktop machines to this list, so that they can perform zone transfers to debug DNS issues. Keep in mind what this does and does not buy you: individual names can still be looked up one at a time, so a determined intruder can still guess hostnames, and because the list is keyed on IP addresses it is only as trustworthy as those addresses.


Note You can define much tighter access lists than this, including per-zone allow-transfer settings. See the BIND documentation in /usr/src/contrib/bind/doc for more details.
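Once allow-transfer is in place, verify it from a host that is not on the list. The following is an added example, not code from the book: a minimal zone-transfer probe written against the standard library only, so it does not depend on dig being installed. It opens a TCP connection (zone transfers are TCP only), sends a single AXFR question, and reports the response code and answer count from the first reply message. A server that refuses the transfer answers REFUSED with no records; a server that allows it starts the transfer with the zone's SOA, so the first message carries at least one answer. The server address, zone name, and transaction ID used below are assumptions for illustration.

```python
"""Minimal AXFR probe (added example, not from Absolute BSD).

Run it twice: from a host that is NOT in allow-transfer (expect REFUSED) and
from one that is (expect NOERROR with answers). Only the first reply message
is read; that is enough to tell whether the transfer was granted.
"""
import socket
import struct

AXFR = 252        # QTYPE for a full zone transfer
CLASS_IN = 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name):
    """Wire-format a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone, txid):
    """DNS header (flags 0: AXFR is never recursive) plus one question."""
    header = struct.pack("!HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    return header + encode_name(zone) + struct.pack("!HH", AXFR, CLASS_IN)


def parse_response(msg, txid):
    """Return (rcode_name, answer_count) from the header of one reply message."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    rid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:            # QR bit must be set on a response
        raise ValueError("not a response")
    rcode = flags & 0x000F
    return RCODE_NAMES.get(rcode, "RCODE%d" % rcode), an


def transfer_allowed(rcode_name, answers):
    """A granted AXFR is NOERROR and already carries the zone's SOA."""
    return rcode_name == "NOERROR" and answers > 0


def recv_exact(sock, n):
    """Read exactly n bytes or fail; TCP may deliver the reply in pieces."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed connection early")
        buf += chunk
    return buf


def probe_axfr(server, zone, timeout=5.0, txid=0x1234):
    """Send one AXFR query over TCP (two-byte length prefix) and parse the first reply."""
    query = build_axfr_query(zone, txid)
    with socket.create_connection((server, 53), timeout=timeout) as sock:
        sock.sendall(struct.pack("!H", len(query)) + query)
        length = struct.unpack("!H", recv_exact(sock, 2))[0]
        return parse_response(recv_exact(sock, length), txid)


if __name__ == "__main__":
    import sys
    # Assumed invocation: python3 axfr_probe.py <nameserver-ip> <zone>
    rcode, answers = probe_axfr(sys.argv[1], sys.argv[2])
    verdict = "ALLOWED" if transfer_allowed(rcode, answers) else "refused"
    print("%s via %s: rcode=%s answers=%d -> transfer %s"
          % (sys.argv[2], sys.argv[1], rcode, answers, verdict))
```

Run it from each of the listed hosts and from one unlisted host; the unlisted host should see REFUSED. If a full transfer is granted and you want the records themselves, dig's AXFR output is easier to read; this probe is only meant to answer yes or no.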

How about hackers attacking named itself? We can do two things about this. First, run named in a jail (see Chapter 8) to ensure that a successful intruder won't be able to reach anything else on your system. Second, run named as a user other than root. Check /etc/defaults/rc.conf to see whether this is already the default (it might be by the time this book comes out); if not, set the following in /etc/rc.conf:

...............................................................................................

named_flags="-u bind -g bind"

...............................................................................................

Once this is set, an intruder who wants root would have to break into named, escalate from the bind user to root inside the jail, and then break out of the jail into the main system. You should notice something wrong well before anyone completes all of these steps. Two practical notes: the bind user needs read access to the zone files and write access wherever named keeps its pid file and any slave zones, so check the log after the first restart; and with BIND 9 the -g flag means "run in the foreground and log to stderr" rather than "set group", so with that version use -u bind alone and let named take the bind user's group.

Controlling Information Order

The order in which the hosts file and a nameserver are checked can greatly affect how a program or system behaves. Firewalls, for example, frequently need customized host entries that other hosts don't need, and they must check the local hosts file before consulting the global DNS table. The /etc/host.conf file lets you control the order in which information services are used, and it has only two possible entries: hosts and bind. Each entry appears on its own line, and the sources are checked in the order in which they appear in this file.

For example, if you want your hosts file to be checked before your nameservice, this file would contain the following:

...............................................................................................

hosts

bind

...............................................................................................

If, on the other hand, you wanted your nameserver to be checked before the hosts file, you would use this:

...............................................................................................

bind

hosts

...............................................................................................

Note The second information source is only checked if the first one fails to find an answer. If a machine has conflicting entries in /etc/hosts and DNS, the first source checked wins. On FreeBSD 5.0 and later, this order is set by the hosts: line in /etc/nsswitch.conf instead of /etc/host.conf.
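To make the first-source-wins rule concrete, here is an added example (not code from the book) that parses a host.conf and an /etc/hosts file and resolves names the way the resolver order dictates. The hosts file, the host.conf contents, and the dictionary standing in for DNS answers are all constructed for illustration; the nameserver's entry for ns1.absolutebsd.com deliberately disagrees with the one in /etc/hosts, so the same lookup gives a different answer depending on the order.

```python
"""Simulated /etc/host.conf lookup order (added example, not from Absolute BSD).

Shows why a firewall that needs local overrides must list "hosts" before
"bind": with the opposite order, a conflicting DNS record silently wins.
"""

# Constructed host.conf contents: local overrides first (firewall style) ...
HOST_CONF_FIREWALL = """\
# check the local file, then the nameserver
hosts
bind
"""

# ... and nameserver first.
HOST_CONF_DNS_FIRST = """\
bind
hosts
"""

# Constructed /etc/hosts: ns1 has an internal address here.
ETC_HOSTS = """\
127.0.0.1      localhost
10.0.0.5       ns1.absolutebsd.com ns1    # internal address
192.168.87.1   fw.absolutebsd.com fw
"""

# Constructed stand-in for what a real nameserver would answer.
DNS_TABLE = {
    "ns1.absolutebsd.com": "203.0.113.10",   # public address, conflicts with /etc/hosts
    "www.absolutebsd.com": "203.0.113.20",
}


def parse_host_conf(text):
    """Return the lookup order, e.g. ["hosts", "bind"]; comments and blanks are ignored."""
    order = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        if line not in ("hosts", "bind"):
            raise ValueError("unknown host.conf entry: %r" % line)
        order.append(line)
    return order


def parse_hosts_file(text):
    """Map every name and alias in /etc/hosts to an address; the first entry for a name wins."""
    table = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        addr, names = fields[0], fields[1:]
        for name in names:
            table.setdefault(name.lower(), addr)
    return table


def lookup(name, order, hosts_table, dns_table):
    """Ask each source in host.conf order; return (address, source) from the first that answers."""
    key = name.lower().rstrip(".")
    for source in order:
        if source == "hosts" and key in hosts_table:
            return hosts_table[key], "hosts"
        if source == "bind" and key in dns_table:
            return dns_table[key], "bind"
    return None, None


if __name__ == "__main__":
    hosts = parse_hosts_file(ETC_HOSTS)
    for conf in (HOST_CONF_FIREWALL, HOST_CONF_DNS_FIRST):
        order = parse_host_conf(conf)
        print(order, "->", lookup("ns1.absolutebsd.com", order, hosts, DNS_TABLE))
```

With hosts first, ns1.absolutebsd.com resolves to the internal 10.0.0.5 from /etc/hosts; with bind first, the nameserver's 203.0.113.10 is returned and the local entry is never consulted. Names missing from the first source fall through to the second, which is the only time the second source is asked.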


More About BIND

As your network grows, you'll need more information on BIND. While one good source is the documentation in /usr/src/contrib/bind/doc, that documentation can be difficult. The standard book on BIND is DNS and BIND by Paul Albitz and Cricket Liu (O'Reilly and Associates). This book is very readable and highly recommended—it's the only book that I automatically order each new edition of, sight unseen.
