Revision [1952]

This is an old revision of RunningT2 made by JulianDemarchi on 2009-06-24 08:12:54.


Configuring and Operating A Tier 2 DNS Server Guide


configuration

OpenNIC supports two methods for running a Tier 2 server using bind9. The first is slaving the root file from a number of Tier 1 servers. This provides the fastest resolution. The second method is to use a hints file to prime your DNS server with knowledge of OpenNIC's Tier 1 servers.

method 1: slaving the root file

We will first go through the method of slaving the root zone. Note that the Tier 1 servers are the only place to obtain the OpenNIC root zone; other sources cannot be trusted, and OpenNIC's Tier 0 server should never be queried directly.

Here we go! Below is the zone statement to add to your bind named.conf:
zone "." {
    type slave;
    file "/etc/bind/zones/db.root";
    masters { <tier-1-ipaddress>; };
    allow-transfer { any; };
    notify no;
};

It is best practice to add all of the Tier 1 servers to the masters list above, e.g. masters { 58.6.115.45; 58.6.115.46; };. This keeps your zone transfer working if one of the Tier 1 servers goes down. Here is the current list of Tier 1 servers:
* ns1.opennic.glue
* ns2.opennic.glue
* ns5.opennic.glue
* ns6.opennic.glue
* ns7.opennic.glue
* ns21.opennic.glue
* ns22.opennic.glue

method 2: using the hints file

Using the hints file is easy too! Here is how.

First browse to your bind root dir. Mine is at /etc/bind. When in that dir, run:
dig . NS @58.6.115.46 > db.root


Your bind named.conf should already contain the below:
zone "." {
    type hint;
    file "db.root";
};


Remember that once done, restart bind!

operation

There is not much to running an OpenNIC Tier 2 server. Once you have it configured, the auditingWG will monitor it and let you know by email if anything goes wrong along the way. You can also expect to use a few gigabytes of bandwidth each month on DNS traffic; this of course varies with how heavily your DNS server is used.

Let's go through turning on some logging for your bind9 DNS server. These logs are interesting to look through, but should not be archived. If you do wish to archive them, I have provided a perl script written by Brianko which removes all IP addresses and replaces them with XXX.XXX.XXX.XXX. It is important that we protect our members' right to browse the internet in complete privacy, so use of this perl script is highly encouraged.

To turn on logging, open named.conf.options in your favourite text editor and add the below to the end of the file:
logging {
    channel "misc" {
        file "/var/log/misc.log" versions 2 size 25M;
        severity info; print-severity no;
        print-category yes; print-time yes;
    };
    channel "querylog" {
        file "/var/log/named.log" versions 2 size 25M;
        severity info; print-severity no;
        print-category no; print-time yes;
    };
    category "queries" { "querylog"; };
    category default { "misc"; };
};


Depending on your bind setup (we always recommend chroot), the log dir can live in one of two locations: in a chroot setup it is at /var/lib/named/var/log, and in a normal install it is at /var/log. You know how yours is installed, so go to the log dir and issue:
touch named.log
chown bind:bind named.log
touch misc.log
chown bind:bind misc.log


Here is the script that Brianko wrote:
#! /usr/bin/perl
#
# blurAddys.pl - Obfuscate IP addresses in a file
#
# cat some.log | blurAddys.pl > some_blurred.log
#
#####################################################################
use strict;
use warnings;

# Replace each dotted (or dashed) IPv4 address with a masked placeholder,
# keeping the original separators; the rest of the line is passed through.
while(<STDIN>)
{
	s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XX$1XX$2XX$3XX/g;
	print $_;
}


It's easy to add this to a script! Below is what I use:
#!/bin/sh
# Daily log rotation for a chrooted bind9; run once a day from cron.

date=`date +%d`
current=`date +%d%m%y`

# On the first of the month, archive the blurred logs and remove the originals.
if [ "$date" = "01" ]; then
	tar cfvz /var/log/named/named.$current.tar.gz /var/log/named/*.log.*
	rm /var/log/named/*.log.*
fi

# Blur the IP addresses in today's query log, then start a fresh log file.
cat /var/lib/named/var/log/named.log | /usr/local/bin/blurAddys.pl > /var/log/named/named.log.$current
rm /var/lib/named/var/log/named.log
touch /var/lib/named/var/log/named.log
chown bind:bind /var/lib/named/var/log/named.log

/etc/init.d/bind9 restart

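As an added example (not part of the original page or Brianko's script), here is a Python version of the blur step that also masks the IPv6 clients BIND logs and validates each candidate address, so timestamps and port numbers are not mangled. The file name blur_addys.py and the sample log lines are constructed for this example.

```python
#!/usr/bin/env python3
"""Mask client IPs in BIND query-log lines: cat named.log | blur_addys.py"""
import ipaddress
import re
import sys

# Any run of characters that could form a dotted, dashed or colon-separated
# address; every candidate is validated before anything is replaced, so
# timestamps such as 08:12:54.001 and port numbers are left untouched.
CANDIDATE_RE = re.compile(r"[0-9A-Fa-f:.-]{2,}")

def mask_address(tok):
    """Return the masked form of tok if it is an IPv4/IPv6 literal, else None."""
    dashed = "-" in tok and ":" not in tok  # 198-51-100-7 style, as in blurAddys.pl
    try:
        addr = ipaddress.ip_address(tok.replace("-", ".") if dashed else tok)
    except ValueError:
        return None
    if addr.version == 4:
        return ("-" if dashed else ".").join(["XXX"] * 4)
    return "XXXX::XXXX"

def _mask_match(m):
    tok = m.group(0)
    # Try the whole run first, then without the punctuation that trails an
    # address in log text ("192.0.2.10:" or "198-51-100-7:").
    for core in (tok, tok.rstrip(":.-")):
        masked = mask_address(core)
        if masked is not None:
            return masked + tok[len(core):]
    return tok

def blur_line(line):
    """Mask every IP literal in one log line; ports and query names stay."""
    return CANDIDATE_RE.sub(_mask_match, line)

def blur_log(text):
    return "".join(blur_line(l) for l in text.splitlines(keepends=True))

# Constructed sample lines in the BIND querylog format; not a real capture.
SAMPLE_LOG = (
    "24-Jun-2009 08:12:54.001 client 192.0.2.10#53241: query: www.example.geek IN A +\n"
    "24-Jun-2009 08:12:55.113 client 2001:db8::1#40012: query: ns1.opennic.glue IN AAAA +\n"
    "24-Jun-2009 08:13:01.777 client 198-51-100-7: query: example.oss IN MX +\n"
)

if __name__ == "__main__":
    src = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()
    sys.stdout.write(blur_log(src))
```

Drop it in place of blurAddys.pl in the rotation script above if your server also answers IPv6 clients.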

Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services and bandwidth to OpenNIC, visit http://reg.opennic.glue/