Date: Sun, 31 May 1998 12:24:10 -0700
From: Studded <Studded@san.rr.com>
To: Brian Lube <brian@mpinet.net>
Cc: isp@FreeBSD.ORG
Subject: Re: Bind revisited
Message-ID: <3571AE5A.12362BA@san.rr.com>
References: <13371622019371@mpinet.net>
Brian Lube wrote:
> 
> I'm currently working on securing up our BSD box, I apologize in advance
> if this has already been beaten to death, but what is the best way to
> secure my copy of bind? Should I upgrade to 8.1.1 and then keep up to date
> with patches, or is there going to be some sort of update for the 4 series?
> We are currently looking to upgrade to the 8.1.1 series, but we're not
> really sure how much work it is going to entail.

As covered, you want to upgrade to 8.1.2. There is a port for that; you'll
want to use cvsup to get the latest ports collection. As for making the
transition itself, here's a little guide that I wrote up:

1. Make good, reliable backups of your current configuration, store them
   in more than one physical location and TEST to make sure that you can
   actually recover with them. :) That last step is often skipped by
   people, and you only find out that you're fubar at the worst possible
   moment.

2. Make sure that your *current* configuration is working as it should be.
   At minimum I open up two windows to the server, start
   'tail -f /var/log/named.log' in one and then shut the server down in the
   other. I watch the log while it shuts down, then start it up and watch
   it again to make sure that there are no errors. Once I'm convinced that
   things are working as advertised I proceed. If I have to make any
   changes to make things go, I repeat step one.

3. Back up the current working binaries. First lesson on the first day of
   sysadmin school: make every change reversible. (On FreeBSD this isn't
   absolutely necessary if you have the code handy.)

4. Unpack the BIND source and read the installation documentation. (On
   FreeBSD you're much better off with the port.)

5. Compile and install that bad boy. :)

6. Convert your named.boot file to named.conf using the
   src/bin/named/named-bootconf.pl script.

7. At this point I usually rotate the named logs so that I know I'll be
   logging the new stuff in new logs.

8. Delete any secondary zone files you have so that you can be sure they
   are downloaded with the new installation. BIND 8.x downloads secondary
   zones asynchronously, so you shouldn't worry if you don't see a
   secondary zone until after an hour or so.

9. Make sure that you're watching the log in one window (tail -f above)
   and then start up the new named in the other and, with luck, watch
   everything work the way it should. :)

At times BIND 8 will find bogons in your zone files that were not a
problem for older versions of BIND 4. Underscores in host names are very
common errors that pop up after an upgrade, as are various problems with
CNAMEs. You might want to give the HTML documentation for the config file
a look two or three times before you start it up. There are some options
you can tailor to increase named's efficiency based on your particular
needs. Several of those options were compile options with BIND 4.

Good luck,

Doug

-- 
*** Chief Operations Officer, DALnet IRC network ***
*** Proud designer and maintainer of one of the world's largest ***
*** Internet Relay Chat servers with 5,328 simultaneous connections ***
*** Try spider.dal.net on ports 6662-4 (Powered by FreeBSD)
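Steps 6 and 9 of Doug's guide (the named.boot to named.conf conversion, and the zone-file "bogons" BIND 8 rejects) are the two places where an upgrade from BIND 4 actually breaks. The script below is an added example, not part of the original message and not BIND's own named-bootconf.pl: a rough converter for the common named.boot directives (directory, primary, secondary, cache, forwarders, options forward-only) and a pre-upgrade lint that flags zone-file owner names containing underscores. The file names, the sample named.boot and the sample zone file are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original message and not BIND's named-bootconf.pl.
# boot_to_conf:      rough BIND 4 named.boot -> BIND 8 named.conf converter.
# lint_zone_owners:  flag owner names with underscores, which BIND 8's default
#                    name checking rejects after the upgrade.
# Every file's contents below is a constructed sample.

# Convert a named.boot read on stdin to named.conf syntax on stdout.
# Handles directory, primary, secondary (one or more masters), cache,
# forwarders and "options forward-only". Anything else is echoed to stderr
# so it can be converted by hand.
boot_to_conf() {
    awk '
    function q(s) { return "\"" s "\"" }
    /^[ \t]*(;|$)/     { next }                                  # comment or blank line
    $1 == "directory"  { dir = $2; next }
    $1 == "forwarders" { for (i = 2; i <= NF; i++) fwd = fwd $i "; "; next }
    $1 == "options"    { for (i = 2; i <= NF; i++) if ($i == "forward-only") fonly = 1; next }
    $1 == "primary"    { zones = zones "zone " q($2) " {\n\ttype master;\n\tfile " q($3) ";\n};\n"; next }
    $1 == "cache"      { zones = zones "zone " q($2) " {\n\ttype hint;\n\tfile " q($3) ";\n};\n"; next }
    $1 == "secondary"  {
        m = ""
        for (i = 3; i < NF; i++) m = m $i "; "                  # fields between zone and file are masters
        zones = zones "zone " q($2) " {\n\ttype slave;\n\tfile " q($NF) ";\n\tmasters { " m "};\n};\n"
        next
    }
    { print "unconverted directive, fix by hand: " $0 | "cat 1>&2" }
    END {
        print "options {"
        if (dir != "") print "\tdirectory " q(dir) ";"
        if (fwd != "") print "\tforwarders { " fwd "};"
        if (fonly)     print "\tforward only;"
        print "};"
        printf "%s", zones
    }'
}

# Print every owner name in a zone file (stdin) that contains an underscore.
# Continuation records (leading whitespace) reuse the previous owner and are
# skipped, as are comments and $ directives.
lint_zone_owners() {
    awk '
    /^[ \t]*(;|$)/ || /^\$/ { next }
    /^[^ \t]/ && $1 ~ /_/   { print "line " NR ": owner " $1 " has an underscore" }'
}

# Constructed sample named.boot (not a real configuration).
SAMPLE_BOOT='; constructed sample boot file
directory /etc/namedb
cache . named.root
primary example.com example.com.db
secondary example.org 192.0.2.1 192.0.2.2 example.org.bak
forwarders 192.0.2.53
options forward-only
xfrnets 192.0.2.0
'

# Constructed sample zone file with one owner name BIND 8 would reject.
SAMPLE_ZONE='$ORIGIN example.com.
@       IN SOA  ns1 hostmaster (1 3600 900 604800 3600)
        IN NS   ns1
ns1     IN A    192.0.2.10
web_01  IN A    192.0.2.11
www     IN CNAME web_01
'

# "sh named-upgrade-check.sh demo" runs both tools on the samples.
case "${1:-}" in
    demo)
        printf '%s' "$SAMPLE_BOOT" | boot_to_conf
        printf '%s' "$SAMPLE_ZONE" | lint_zone_owners
        ;;
esac
```

On a real box you would run `boot_to_conf < /etc/namedb/named.boot > named.conf.new` and `lint_zone_owners < example.com.db` for each primary zone before step 9, and then still read the new named.conf by hand: the xfrnets line in the sample is deliberately one the converter refuses, and the lint only looks at owner names, so the underscore in the CNAME target above, and "CNAME and other data" conflicts, still only show up in the named.log you are tailing.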