Friday, August 22, 2014
Thursday, August 21, 2014
TUTORIAL: Compile BIND 9 on Linux with Response Rate Limiting (to mitigate DNS amplification DDoS attacks)
This tutorial can easily be applied to almost any Linux system; I went through these steps on a Debian 7 server. First let's set up the environment. This tutorial assumes you have no previous install of BIND on the server: the cache directory, the config directory and an unprivileged bind user/group (uid/gid 5005, no login shell, no home directory created) are created from scratch.
mkdir -p /var/local/cache/bind
mkdir -p /usr/local/etc/bind
groupadd -g 5005 bind
useradd -u 5005 -g 5005 -d /var/local/cache/bind -M -s /bin/false bind
Now let's download the BIND 9 source code. This tutorial assumes you have the build dependencies installed; on Debian 7 that means at least build-essential, libtool, libssl-dev (for --with-openssl) and libkrb5-dev (for --with-gssapi). The only one I found tricky to locate was libkrb5-dev (on Debian you can install it with apt-get install libkrb5-dev). The tarball below was the current 9.9 patch release at the time of writing; check http://ftp.isc.org/isc/bind9/ for the current patch release before building and use that instead.
cd /usr/src
wget http://ftp.isc.org/isc/bind9/cur/9.9/bind-9.9.5-P1.tar.gz
tar zxvf bind-9.9.5-P1.tar.gz
cd bind-9.9.5-P1
./configure --enable-threads --enable-largefile --with-libtool --enable-shared --enable-static --with-openssl=/usr --with-gssapi=/usr --with-gnu-ld --with-geoip=/usr --enable-ipv6 --enable-rrl
make
make install
wget --user=ftp --password=ftp ftp://ftp.rs.internic.net/domain/db.cache -O /usr/local/etc/bind/db.root
Last step is to install the configuration files and startup scripts. Two things to check about paths: a BIND built with the default --prefix=/usr/local looks for /usr/local/etc/named.conf and /usr/local/etc/rndc.key unless told otherwise, so the init.d script must start named with -c /etc/named.conf (and -u bind, so named drops root after binding port 53) for the layout below to be picked up, and rndc must be run as rndc -k /usr/local/etc/bind/rndc.key (or given an rndc.conf) to find the key generated next.
rndc-confgen -a -c /usr/local/etc/bind/rndc.key
cat > /etc/named.conf <<EOT
include "/usr/local/etc/bind/rndc.key";
include "/usr/local/etc/bind/named.conf";
EOT
cat > /usr/local/etc/bind/named.conf <<EOT
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; 192.168.1.100; } keys { "rndc-key"; };
};
options {
directory "/var/local/cache/bind";
allow-new-zones yes;
transfers-in 500;
empty-zones-enable yes;
//forwarders { 8.8.8.8; 8.8.4.4; };
recursion yes;
//allow-transfer {"none";};
allow-query { any; };
allow-recursion { any; };
dnssec-validation auto;
auth-nxdomain no; # conform to RFC1035
listen-on-v6 { any; };
rate-limit {
responses-per-second 5;
#window 5;
#log-only yes;
};
};
zone "." {
type hint;
file "/usr/local/etc/bind/db.root";
};
EOT
chown bind:bind -R /var/local/cache/bind
chown bind:bind -R /usr/local/etc/bind
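The options block above answers recursive queries for any client (allow-recursion { any; }), which makes the server an open resolver, exactly the kind of server reflection/amplification attacks abuse. RRL was designed for authoritative servers: it throttles identical responses to one client prefix, but it does not make an open recursive resolver safe to expose. The following is an added example, not the tutorial author's configuration: a shell function that writes the page's weak options fragment, a second that writes a hardened named.conf (recursion and cache access restricted to a trusted acl, an explicit RRL window and slip, the admin host from the controls clause exempted, and rate-limit events logged), and a grep-based check that flags the open-resolver setting. The 192.168.1.0/24 trusted network, the 192.168.1.100 monitoring host and the rrl.log path are assumptions; adjust them to your network.

```shell
#!/bin/sh
# Added example (not the tutorial's files): weak vs hardened named.conf.
# Assumptions: BIND lives under /usr/local as in the tutorial, the LAN that may
# recurse through this server is 192.168.1.0/24, 192.168.1.100 is the admin/
# monitoring host, and /var/local/cache/bind/rrl.log is writable by named.

# The tutorial's options as written: recursion open to the whole Internet.
write_weak_options() {
    cat > "$1" <<'EOF'
options {
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };      // open resolver: anyone can recurse through us
    rate-limit { responses-per-second 5; };
};
EOF
}

# Hardened replacement: recursion and cache reads only for trusted networks,
# RRL with explicit window/slip/exemptions, and rate-limit events logged.
write_hardened_named_conf() {
    cat > "$1" <<'EOF'
include "/usr/local/etc/bind/rndc.key";

acl "trusted" { 127.0.0.1; ::1; 192.168.1.0/24; };   // assumed LAN, adjust to yours

controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    directory "/var/local/cache/bind";
    listen-on-v6 { any; };
    dnssec-validation auto;
    auth-nxdomain no;
    recursion yes;
    allow-query { any; };              // authoritative zones stay publicly answerable
    allow-recursion { trusted; };      // only our own clients may recurse
    allow-query-cache { trusted; };    // and only they may read the cache
    allow-transfer { none; };          // zones opt in per-zone if they need AXFR
    rate-limit {
        responses-per-second 5;        // identical answers per client /24 (IPv6 /56) per second
        window 5;                      // seconds of credit a client may bank
        slip 2;                        // every 2nd suppressed answer is sent as TC=1 so real clients retry over TCP
        exempt-clients { 192.168.1.100; };   // assumed monitoring host
        log-only no;                   // set yes first to measure, then enforce
    };
};

logging {
    channel rrl_log {
        file "/var/local/cache/bind/rrl.log" versions 3 size 5m;
        severity info;
        print-time yes;
    };
    category rate-limit { rrl_log; };
};

zone "." { type hint; file "/usr/local/etc/bind/db.root"; };
EOF
}

# Static check for the one misconfiguration this example is about.
# Still run named-checkconf on the installed file; this only greps.
has_open_recursion() {
    if grep -Eq 'allow-recursion[[:space:]]*\{[[:space:]]*any;' "$1"; then
        echo yes
    else
        echo no
    fi
}
```

Write the hardened file to /usr/local/etc/bind/named.conf in place of the block above, then run named-checkconf /etc/named.conf before starting named; with log-only yes for a day, the rate-limit category in rrl.log shows which clients would have been limited before you enforce.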
Please note the init.d scripts only work on Debian-based systems. I do not have init.d scripts for any other distribution.
Download the init.d script here
Download the init.d default file here
Copy the init.d script to /etc/init.d/bind9
Copy the init.d default file to /etc/default/bind9
chmod +x /etc/init.d/bind9
/etc/init.d/bind9 start
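Once named is up, verify that RRL actually fires rather than trusting the build flag. The script below is an added example, not part of the tutorial: it sends a burst of identical UDP queries with dig and classifies each reply as answered, truncated (RRL "slipping" a TC=1 reply), nxdomain or timeout (RRL dropping the reply). It assumes dig is installed (Debian package dnsutils), that you probe from a host not listed in exempt-clients, and that www.example.com stands for a name in a zone this server is authoritative for; the dig outputs embedded in the sample_* functions are constructed so the parser can be exercised offline.

```shell
#!/bin/sh
# Added example (not from the tutorial): is RRL live? Send a burst of identical
# queries and classify the replies. Assumes dig (dnsutils) and an authoritative
# name of yours; www.example.com is a placeholder.

# Constructed sample dig outputs (only the lines the classifier looks at).
sample_full_reply() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4711' \
                  ';; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0'
}
sample_slipped_reply() {
    printf '%s\n' ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4712' \
                  ';; flags: qr aa tc rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'
}
sample_timeout() {
    printf '%s\n' ';; connection timed out; no servers could be reached'
}

# Read one dig run on stdin, print one word: answered, truncated, nxdomain or timeout.
classify_dig_output() {
    out=$(cat)
    if printf '%s\n' "$out" | grep -q 'connection timed out'; then
        echo timeout
    elif printf '%s\n' "$out" | grep -q 'status: NXDOMAIN'; then
        echo nxdomain
    elif printf '%s\n' "$out" | grep '^;; flags:' | grep -q ' tc[ ;]'; then
        echo truncated
    else
        echo answered
    fi
}

# Count classifications arriving one per line.
summarize_classifications() {
    awk '{ c[$1]++ }
         END { printf "answered=%d truncated=%d timeout=%d nxdomain=%d\n",
                      c["answered"], c["truncated"], c["timeout"], c["nxdomain"] }'
}

# Fire COUNT identical UDP queries at SERVER as fast as possible and summarize.
# +ignore stops dig retrying truncated answers over TCP (TCP is not rate-limited);
# +tries=1 +time=1 turns a dropped reply into a one-second timeout.
rrl_probe() {
    server=$1; name=$2; count=${3:-30}
    i=0
    while [ "$i" -lt "$count" ]; do
        dig @"$server" "$name" A +ignore +tries=1 +time=1 2>&1 | classify_dig_output
        i=$((i + 1))
    done | summarize_classifications
}

# Usage on the new server (from a host that is not in exempt-clients):
#   rrl_probe 127.0.0.1 www.example.com 30
```

With responses-per-second 5 and the default slip of 2, a 30-query burst should come back as roughly five answered plus a mix of truncated and timeout; thirty answered means RRL is not in effect (built without --enable-rrl, no rate-limit block in the options, or log-only yes). Check the controls channel at the same time with rndc -k /usr/local/etc/bind/rndc.key status.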