Managing the BIND Server
The way that we've set up the DNS servers makes them visible on the Internet, so security is a prime concern. You should check the BIND server regularly and keep it up to date with the latest software available in the yum repository. This process is explained in the following sections.
This section explains the basics of checking the status of the named service and updating BIND. To check the status, use the following command:
$ sudo /sbin/service named status rndc: connect failed: 127.0.0.1#953: connection refused named is stopped
The output of the command shows that the named server is stopped.
To check the BIND version installed, use the yum command:
$ sudo yum info bind Installed Packages Name : bind Version : 9.8.2 Release : 0.10.rc1.el6_3.5 Repo : installed . . .
To upgrade BIND, use the yum upgrade command:
$ sudo yum upgrade bind
Using the rndc Command-Line Tool
The rndc utility is a management client that communicates over a TCP connection to manage the BIND server. You can use rndc to add DNS entries without restarting the named server. It's authenticated with a cryptographic key; the default key is stored in /etc/rndc.key. The default port is 953. The configuration settings are stored at /etc/rndc.conf.
Make sure that the firewall is open on port 953. Using the command line on the BIND server, use rndc as shown in Listing 11 to check status, reload configuration files, or reload a zone.
Listing 11Managing BIND with the rndc command.
$ sudo rndc status . . . $ sudo rndc reload server reload successful $ sudo rndc reload sceexample.com zone reload up-to-date
Maintaining the Firewall
This section explains the basics of firewall settings for DNS beyond what we discussed in the earlier section "Step 3: Configure the Firewall." Running BIND on the Internet can be a potential security risk if the software isn't kept up to date with security patches and proper settings. To reduce security risks, you can limit traffic to within your VLAN, by using a CIDR IP address range in the iptables rules, as shown in Listing 12.
Listing 12Restricting access to the DNS system with the firewall.
# vi /etc/sysconfig/iptables -A INPUT -p udp -m udp -s 10.128.120.0/24 --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp -s 10.128.120.0/24 --dport 53 -j ACCEPT -A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 953 -j ACCEPT
The -s (source) flag takes a CIDR range 10.128.120.0/24, indicating that only the packets originating in the 10.128.120.x VLAN will be accepted. (Substitute your own VLAN address range in place of the one given here.) The management port is configured to allow only connections from the local machine. Restart the firewall with the iptables restart command.