DNS
Egbert edited this page Apr 20, 2022
The ways that Easy-Admin provides for ISC Bind9 DNS are:
- named.conf generation
  - logging clause
  - RNDC controls clause and security settings
- RNDC
- zone database file generation
Both the named.conf and zone database configuration file generators support the following features:
- Split-Horizon DNS server
- Bastion DNS Server
- Hidden-Primary (formerly known as Hidden-Master) DNS
- SSHFP
- OpenPGPKey
- Autodiscover/Autoconfig - let remote mail clients find your mail (SMTP/IMAP4/POP3 and its TLS variants) servers
For those who are familiar with CISecurity and their recommended hardening procedures for ISC Bind9, I have added a read-only script that audits an installation against them (file permissions, ownership and security context) without changing anything.
```
$ git clone https://github.com/egberts/easy-admin
$ cd easy-admin/100-cisecurity
$ ./500-cis-dns-bind-dirs.sh
Checking file permissions/ownership/security-context for ISC Bind9
Only one 'named' found: /usr/local/sbin/named
Using 'named' binary in: /usr/local/sbin/named
No files found for bind.service.
No named.conf found in 'systemctl cat bind.service'
Binary 'named' built-in config default: /etc/bind/named.conf
INFO: May prompt for sudo to perform protected read-only activities
Begin scanning for 'include' clauses...
Reading in /etc/bind/named.conf...
Content of /etc/bind/named.conf Syntax OK.
Extract 'directory' value as /var/cache/bind
final configure/autogen/autoreconf settings:
prefix: /usr
sysconfdir: /etc
localstatedir:
Extracting 'statistics-file' as /var/log/named_stats.txt
Extracting 'managed-keys-directory' as /var/lib/bind/dynamic
Extracting 'pid-file' as /var/run/bind/named.pid
Extracting 'session-file' as /var/run/bind/session.key
Extracting 'key-directory' as /var/lib/bind/keys/egbert.net
Based on /etc/bind/named.conf settings...
TMPDIR: /tmp
Bind username: bind
Bind groupname: bind
Bind shell: /usr/sbin/nologin
/usr/sbin/nologin
random filespec: /dev/random
KRB5 keytab filespec: /etc/krb5.key
SELinux name_zone_t group:
Bind $HOME: /var/cache/bind
/run/rpcbind
Zone files list: /etc/bind/zones/db.bind /var/lib/bind/slave/zone.egbert.net
Zone clauses_A: bind egbert.net
Zone file statements_A: /etc/bind/zones/db.bind /var/lib/bind/slave/zone.egbert.net
SELinux name_cache_t group:
DNSSEC Dynamic Dir: /var/lib/bind/dynamic
Zone Slave Dir: /var/lib/bind/slave
key_dir_list /var/lib/bind/keys/egbert.net
ManagedKeys Dir: /var/lib/bind/dynamic
ManagedKeys filespec: /var/lib/bind/dynamic/managed-keys.bind
Bind data dir: /var/lib/bind/data
dump filespec: /var/cache/bind/cache_dump.db
secroots filespec: /var/cache/bind
/run/rpcbind/named.secroots
statistics filespec: /var/log/named_stats.txt
memstatistics filespec: /var/cache/bind
/run/rpcbind/named.memstats
Journal dir: /var/cache/bind
SELinux name_conf_t group:
Config files list: /etc/bind/named.conf /etc/bind/key-named.conf /etc/bind/acl-named.conf /etc/bind/logging-named.conf /etc/bind/options-named.conf /etc/bind/controls-named.conf /etc/bind/masters-named.conf /etc/bind/server-named.conf /etc/bind/zones-named.conf /etc/bind/views-named.conf
BINDKEY: /etc/bind.keys
SELinux name_log_t group:
Log directory: /var/log/named
SELinux name_var_run_t group:
CIS_RUNDIR: /run/named
PID file: /var/run/bind/named.pid
Session Key: /var/run/bind/session.key
Lock filespec: /run/named/named.lock
Four choices of file permission settings are:
"M"aximum security
"F"edora/CentOS/Redhat default
"D"ebian/Devuan default
"C"ISecurity recommendation
Maximum, Fedora, Debian or CISecurity settings? (M/f/d/c): M
Maximum security settings...
1777 root:root (TMPDIR) /tmp: ok.
...skipping unused /usr/sbin/nologin
/usr/sbin/nologin (NAMED_SHELL_FILESPEC).
666 root:root (random_filespec) /dev/random: ok.
...skipping unused /etc/krb5.key (keytab_filespec).
...skipping unused /var/cache/bind
/run/rpcbind (NAMED_HOME_DIRSPEC).
640 bind:bind (zone_file) /etc/bind/zones/db.bind: ok.
640 bind:bind (zone_file) /var/lib/bind/slave/zone.egbert.net: ok.
750 bind:bind (DYNAMIC_DIRSPEC) /var/lib/bind/dynamic: ok.
750 bind:bind (slave_dir) /var/lib/bind/slave: ok.
750 bind:bind (key_dir) /var/lib/bind/keys/egbert.net: ok.
...skipping unused /var/lib/bind/dynamic/managed-keys.bind (MANAGEDKEYS_FILESPEC).
750 bind:bind (MANAGEDKEYS_DIR) /var/lib/bind/dynamic: ok.
...skipping unused /var/lib/bind/data (DATA_DIRSPEC).
640 bind:bind (dump_filespec) /var/cache/bind/cache_dump.db: ok.
...skipping unused /var/cache/bind
/run/rpcbind/named.secroots (secroots_filespec).
...skipping unused /var/log/named_stats.txt (statistics_filespec).
...skipping unused /var/cache/bind
/run/rpcbind/named.memstats (memstatistics_filespec).
750 bind:bind (JOURNAL_DIR) /var/cache/bind: ok.
...skipping unused /var/cache/bind
/run/rpcbind/named.recursing (recursing_filespec).
640 bind:bind (config_file) /etc/bind/named.conf: ok.
640 bind:bind (config_file) /etc/bind/key-named.conf: ok.
640 bind:bind (config_file) /etc/bind/acl-named.conf: ok.
640 bind:bind (config_file) /etc/bind/logging-named.conf: ok.
640 bind:bind (config_file) /etc/bind/options-named.conf: ok.
640 bind:bind (config_file) /etc/bind/controls-named.conf: ok.
640 bind:bind (config_file) /etc/bind/masters-named.conf: ok.
640 bind:bind (config_file) /etc/bind/server-named.conf: ok.
640 bind:bind (config_file) /etc/bind/zones-named.conf: ok.
640 bind:bind (config_file) /etc/bind/views-named.conf: ok.
...skipping unused /etc/bind.keys (BINDKEY).
...skipping unused /run/named (CIS_RUNDIR).
640 bind:bind (pid_filespec) /var/run/bind/named.pid: ok.
600 bind:bind (SESSION_KEY_FILESPEC) /var/run/bind/session.key: ok.
...skipping unused /run/named/named.lock (lock_filespec).
750 bind:bind (log_dir) /var/log/named: ok.
Total files: 35
File missing: 12
Skipped files: 0
Permission errors: 0
```
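The core of what the session above reports is a per-file comparison of actual mode and owner:group against an expected value, followed by a tally of missing files and permission errors. The script below is an added example written for this page, not easy-admin's own 500-cis-dns-bind-dirs.sh; it assumes GNU `stat` (the `-c` format flag) on Linux, and the manifest format (`label path mode owner:group`) and the sample paths are constructed for illustration. A "Maximum", "Debian" or "CISecurity" profile would simply be a different manifest.

```shell
#!/bin/sh
# Added example, not easy-admin's script. Checks a Bind9-style file inventory
# against expected permission settings and prints the same kind of lines as
# the CIS session above ("640 bind:bind (config_file) /etc/bind/named.conf: ok.").
# Assumes GNU stat on Linux. Paths in a manifest must not contain spaces.

# check_perm LABEL PATH MODE OWNER:GROUP
#   prints one result line; returns 0 on ok, 1 on mismatch, 2 if PATH is missing.
#   OWNER:GROUP may be given by name (bind:bind) or numerically (uid:gid).
check_perm() {
    label=$1; path=$2; want_mode=$3; want_owner=$4
    if [ ! -e "$path" ]; then
        echo "...missing $path ($label)."
        return 2
    fi
    have_mode=$(stat -c '%a' "$path")          # octal mode, e.g. 640 or 1777
    have_names=$(stat -c '%U:%G' "$path")      # owner:group by name
    have_ids=$(stat -c '%u:%g' "$path")        # owner:group numerically
    if [ "$have_mode" = "$want_mode" ] && {
        [ "$have_names" = "$want_owner" ] || [ "$have_ids" = "$want_owner" ]; }; then
        echo "$want_mode $want_owner ($label) $path: ok."
        return 0
    fi
    echo "$have_mode $have_names ($label) $path: expected $want_mode $want_owner"
    return 1
}

# scan_manifest < manifest
#   reads "label path mode owner:group" lines on stdin, checks each one and
#   prints the closing tally; returns 0 only when no permission errors were found.
scan_manifest() {
    total=0; missing=0; errors=0
    while read -r label path mode owner; do
        [ -z "$label" ] && continue
        total=$((total + 1))
        check_perm "$label" "$path" "$mode" "$owner" && rc=0 || rc=$?
        case $rc in
            1) errors=$((errors + 1)) ;;
            2) missing=$((missing + 1)) ;;
        esac
    done
    echo "Total files: $total"
    echo "File missing: $missing"
    echo "Permission errors: $errors"
    [ "$errors" -eq 0 ]
}

# Stand-alone demo on a constructed inventory under a temporary directory, so it
# runs without a real Bind9 install; a real run would list /etc/bind paths instead.
if [ "${DEMO:-0}" = "1" ]; then
    tmp=$(mktemp -d)
    touch "$tmp/named.conf";  chmod 640 "$tmp/named.conf"
    mkdir "$tmp/keys";        chmod 750 "$tmp/keys"
    me="$(id -u):$(id -g)"
    printf 'config_file %s 640 %s\nkey_dir %s 750 %s\nlock_filespec %s 640 %s\n' \
        "$tmp/named.conf" "$me" "$tmp/keys" "$me" "$tmp/named.lock" "$me" | scan_manifest
    rm -rf "$tmp"
fi
```

Run the demo with `DEMO=1 sh check-bind-perms.sh`; it reports two files ok, one missing (the lock file), and no permission errors, so the script exits 0. Missing files are counted separately from permission errors on purpose: a missing `named.lock` is normal when the daemon is stopped, whereas a world-readable `session.key` is a finding.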