Managing the BIND Server

The way that we've set up the DNS servers makes them visible on the Internet, so security is a prime concern. You should check the BIND server regularly and keep it up to date with the latest software available in the yum repository. This process is explained in the following sections.

Maintaining BIND

This section explains the basics of checking the status of the named service and updating BIND. To check the status, use the following command:

$ sudo /sbin/service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped

The output of the command shows that the named server is stopped.

To check the BIND version installed, use the yum command:

$ sudo yum info bind
Installed Packages
Name        : bind
Version     : 9.8.2
Release     : 0.10.rc1.el6_3.5
Repo        : installed
. . .

To upgrade BIND, use the yum upgrade command:

$ sudo yum upgrade bind
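
The two checks above (installed version via yum info, then yum upgrade) are easy to script for a regular maintenance run. The following shell script is an added example, not part of the article: it parses the text that `yum info bind` prints, compares the installed VERSION-RELEASE with the one offered by the repository, and reports whether an upgrade is pending. YUM_OUTPUT is constructed sample output; the "Available Packages" version and release strings are illustrative, not real package data. On a live server you would feed it `sudo yum info bind | bind_needs_upgrade` instead.

```shell
#!/bin/sh
# Added example (not from the article): parse the text that `yum info bind`
# prints and decide whether a newer package is waiting in the repository.
# YUM_OUTPUT is constructed sample output; the "Available Packages" version
# and release strings are illustrative, not real package data.

YUM_OUTPUT='Installed Packages
Name        : bind
Version     : 9.8.2
Release     : 0.10.rc1.el6_3.5
Repo        : installed
Available Packages
Name        : bind
Version     : 9.8.2
Release     : 0.17.rc1.el6_4.6
Repo        : updates'

# bind_versions: read `yum info bind` text on stdin and print two words,
# "<installed VERSION-RELEASE> <available VERSION-RELEASE>"; either word is
# "none" when that section is absent from the output.
bind_versions() {
    awk '
        /^Installed Packages/ { section = "installed" }
        /^Available Packages/ { section = "available" }
        /^Version[[:space:]]*:/ { ver[section] = $3 }
        /^Release[[:space:]]*:/ { rel[section] = $3 }
        END {
            inst  = ("installed" in ver) ? ver["installed"] "-" rel["installed"] : "none"
            avail = ("available" in ver) ? ver["available"] "-" rel["available"] : "none"
            print inst, avail
        }'
}

# version_lt A B: exit 0 when A is older than B. Each string is split on
# ".", "-" and "_"; numeric parts compare as numbers, the rest as strings.
version_lt() {
    awk -v a="$1" -v b="$2" '
        BEGIN {
            na = split(a, pa, /[-._]/); nb = split(b, pb, /[-._]/)
            n = (na > nb) ? na : nb
            for (i = 1; i <= n; i++) {
                x = (i <= na) ? pa[i] : ""; y = (i <= nb) ? pb[i] : ""
                if (x == y) continue
                if (x ~ /^[0-9]+$/ && y ~ /^[0-9]+$/) exit ((x + 0 < y + 0) ? 0 : 1)
                exit ((x < y) ? 0 : 1)
            }
            exit 1
        }'
}

# bind_needs_upgrade: read `yum info bind` text on stdin; exit 0 when the
# repository offers a newer bind than the one installed, 1 otherwise.
bind_needs_upgrade() {
    set -- $(bind_versions)
    [ "$1" = "none" ] && { echo "bind is not installed"; return 1; }
    [ "$2" = "none" ] && return 1
    version_lt "$1" "$2"
}

if printf '%s\n' "$YUM_OUTPUT" | bind_needs_upgrade; then
    echo "newer bind package available: run 'sudo yum upgrade bind'"
else
    echo "bind is up to date"
fi
```

The version comparison is deliberately simple (piecewise numeric, then string); it handles the VERSION-RELEASE strings yum prints for this package, but it is not a full implementation of RPM's version ordering, so treat it as a maintenance reminder rather than a substitute for `yum check-update`.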

Using the rndc Command-Line Tool

The rndc utility is the BIND management client; it talks to the named server over a TCP connection (port 953 by default). With rndc you can pick up new DNS entries by reloading a zone, without restarting named. Every command is authenticated with a shared cryptographic key; the default key is stored in /etc/rndc.key, and the client's configuration settings are stored in /etc/rndc.conf.

Make sure that the firewall allows connections to port 953 from wherever you run rndc (on a default installation, named accepts control connections only from the local machine). From the command line on the BIND server, use rndc as shown in Listing 11 to check status, reload all configuration files, or reload a single zone.

Listing 11—Managing BIND with the rndc command.

$ sudo rndc status
. . .
$ sudo rndc reload
server reload successful
$ sudo rndc reload sceexample.com
zone reload up-to-date
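
Because rndc can reload zones and otherwise control named, the control channel deserves the same scrutiny as the DNS port itself. The script below is an added example, not from the article: audit_controls reads a named.conf-style text and checks that every inet listener in the controls stanza binds to the loopback address and does not allow connections from any source, and audit_key_file checks that a key file such as /etc/rndc.key is readable only by its owner. Both configuration samples are constructed; the key file path is whatever you pass in.

```shell
#!/bin/sh
# Added example (not from the article): audit the rndc control channel.
# audit_controls reads a named.conf-style text and checks the `controls`
# stanza; audit_key_file checks that a key file such as /etc/rndc.key is
# readable only by its owner. Both configuration samples are constructed.

NAMED_CONF_OK='options { directory "/var/named"; };
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};'

NAMED_CONF_BAD='controls {
    inet * port 953 allow { any; } keys { "rndc-key"; };
};'

# audit_controls: read named.conf text on stdin, print one finding per
# line, exit 0 when clean and 1 when anything was flagged.
audit_controls() {
    awk '
        /^[[:space:]]*controls[[:space:]]*[{]/ { in_ctl = 1; next }
        in_ctl && /^[[:space:]]*[}][[:space:]]*;/ { in_ctl = 0; next }
        in_ctl && /^[[:space:]]*inet[[:space:]]/ {
            seen = 1
            addr = $2
            if (addr != "127.0.0.1" && addr != "::1") {
                print "control channel listens on " addr "; bind it to 127.0.0.1"
                bad = 1
            }
            if ($0 ~ /allow[[:space:]]*[{][^}]*any[[:space:]]*;/) {
                print "control channel allows any source; restrict allow { } to 127.0.0.1"
                bad = 1
            }
        }
        END {
            if (!seen) print "no inet listener in controls; named falls back to its loopback default"
            exit (bad ? 1 : 0)
        }'
}

# audit_key_file PATH: exit 0 when the file exists and is mode 0600 or
# 0400, 1 otherwise. Uses GNU stat (-c) with a BSD stat (-f) fallback.
audit_key_file() {
    [ -f "$1" ] || { echo "missing key file $1"; return 1; }
    mode=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    case "$mode" in
        600|400) return 0 ;;
        *) echo "$1 has mode $mode; it should be 0600 so only root can read the secret"; return 1 ;;
    esac
}

printf '%s\n' "$NAMED_CONF_BAD" | audit_controls || echo "control channel audit failed"
# On a real server: audit_key_file /etc/rndc.key
```

Run it against the live configuration with `sudo cat /etc/named.conf | audit_controls` and `sudo audit_key_file /etc/rndc.key` (it needs root to read both files). The parser only understands one inet directive per line, which is how rndc-confgen and most hand-written configurations lay it out.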

Maintaining the Firewall

This section goes beyond the firewall settings described in the earlier section "Step 3: Configure the Firewall." Running BIND on the Internet is a security risk if the software isn't kept up to date with security patches and properly configured. To reduce the exposure, you can limit DNS traffic to your own VLAN by giving the iptables rules a CIDR source range, as shown in Listing 12.

Listing 12—Restricting access to the DNS system with the firewall.

# vi /etc/sysconfig/iptables
-A INPUT -p udp -m udp -s 10.128.120.0/24 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.128.120.0/24 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 953 -j ACCEPT

The -s (source) flag takes the CIDR range 10.128.120.0/24, so only packets originating in the 10.128.120.x VLAN are accepted on port 53. (Substitute your own VLAN address range for the one given here.) The management port, 953, accepts connections only from the local machine. Note that a rule this tight also stops hosts outside the VLAN, including Internet resolvers, from querying the server, so it suits a server that answers only internal clients. Restart the firewall with sudo /sbin/service iptables restart so the new rules take effect.
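
Rules drift over time, so it helps to have a check that the source restrictions from Listing 12 are still in place. The following script is an added example, not from the article: audit_dns_rules reads rules in the format of /etc/sysconfig/iptables and flags any ACCEPT rule for port 53 that lacks a -s source restriction, and any ACCEPT rule for the rndc port 953 whose source is not the loopback address. Both rule sets below are constructed; on a server you would run `sudo iptables-save | audit_dns_rules` or feed it the file itself.

```shell
#!/bin/sh
# Added example (not from the article): audit DNS rules in the format of
# /etc/sysconfig/iptables. Every ACCEPT rule for port 53 must carry a -s
# source restriction, and every ACCEPT rule for the rndc port 953 must be
# limited to the loopback address. Both rule sets below are constructed.

RULES_OK='-A INPUT -p udp -m udp -s 10.128.120.0/24 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.128.120.0/24 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -s 127.0.0.1 --dport 953 -j ACCEPT'

RULES_BAD='-A INPUT -p udp -m udp --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.128.120.0/24 --dport 53 -j ACCEPT
-A INPUT -p tcp -m tcp -s 10.128.120.0/24 --dport 953 -j ACCEPT'

# audit_dns_rules: read rules on stdin, print one finding per offending rule,
# exit 0 when clean and 1 otherwise. Only single-port --dport rules like the
# ones in Listing 12 are inspected; -m multiport --dports is not parsed.
audit_dns_rules() {
    awk '
        /^-A INPUT / && /-j ACCEPT/ {
            src = ""; port = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "-s") src = $(i + 1)
                if ($i == "--dport") port = $(i + 1)
            }
            if (port == "53" && (src == "" || src == "0.0.0.0/0" || src == "0/0")) {
                print "port 53 accepts queries from any source: " $0
                bad = 1
            }
            if (port == "953" && src != "127.0.0.1" && src != "127.0.0.1/32" && src != "127.0.0.0/8") {
                print "rndc port 953 reachable from " (src == "" ? "any source" : src) ": " $0
                bad = 1
            }
        }
        END { exit (bad ? 1 : 0) }'
}

printf '%s\n' "$RULES_BAD" | audit_dns_rules || echo "firewall audit failed; fix the rules above"
```

The check is intentionally strict about port 953: even a VLAN-wide source range is reported, because the article's rule allows the management port only from the local machine, and that is the setting worth preserving.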
