Revision [1877]
This is an old revision of RunningT2 made by RichardLyons on 2009-05-13 20:18:35.
Configuring and Operating A Tier 2 DNS Server Guide
- This guide only covers bind9; other guides should be sent to support@opennicproject.org
configuration
OpenNIC supports two methods for running a Tier 2 server using bind9. The first is slaving the root file from a number of Tier 1 servers. This provides the fastest resolution. The second method is to use a hints file to prime your DNS server with knowledge of OpenNIC's Tier 1 servers.
method 1: slaving the root file
We will first go through the method of slaving the root zone. First, it should be known that Tier 1 servers are the only place to obtain the OpenNIC root zone. Other sources cannot be trusted. OpenNIC's Tier 0 server should never be queried directly. Here we go: below is the statement to add to your bind named.conf.
zone "." {
    type slave;
    file "/etc/bind/zones/db.root";
    masters { <tier-1-ipaddress>; };
    allow-transfer { any; };
    notify no;
};
It is best practice to add all of the Tier 1 servers to the masters list above, e.g. masters { 58.6.115.45; 58.6.115.46; };. This allows your zone transfer to keep working in the event one of the Tier 1 servers goes down. Here is the current list of Tier 1 servers:
* ns1.opennic.glue
* ns2.opennic.glue
* ns3.opennic.glue
* ns4.opennic.glue
* ns5.opennic.glue
* ns6.opennic.glue
* ns7.opennic.glue
* ns21.opennic.glue
* ns22.opennic.glue
method 2: using the hints file
Using the hints file is easy too! Below will show you how. First change to your bind root dir. Mine is at /etc/bind. In that dir, run:
dig . NS @58.6.115.46 > db.root
Your bind named.conf should already contain the below:
zone "." { type hint; file "db.root"; };
Remember that once done, restart bind!
operation
There is not much to running an OpenNIC Tier 2 server. Once you have it configured, the auditingWG will monitor it and let you know by email if anything goes wrong along the way. You can also expect to use a few gigabytes of bandwidth each month on DNS traffic; this of course varies with how heavily your DNS server is used.
Let's go through turning on some logging for your bind9 DNS server. These logs are interesting to look through, but should not be archived as they are. If you wish to archive them, I have provided a perl script written by Brianko which removes all IP addresses and replaces them with XXX.XXX.XXX.XXX. It is important that we protect our members' right to browse the internet in complete privacy, so use of this perl script is highly encouraged.
To turn on logging, open named.conf.options in your favourite text editor and add the below to the end of the file:
logging {
    channel "misc" {
        file "/var/log/misc.log" versions 2 size 25M;
        severity info;
        print-severity no;
        print-category yes;
        print-time yes;
    };
    channel "querylog" {
        file "/var/log/named.log" versions 2 size 25M;
        severity info;
        print-severity no;
        print-category no;
        print-time yes;
    };
    category "queries" { "querylog"; };
    category default { "misc"; };
};
Depending on your bind setup (we always recommend chroot), the log dir can live in one of two locations: in a chroot setup it is at /var/lib/named/var/log, and in a normal install it is at /var/log. You know how yours is installed, so go to the log dir and issue:
touch named.log
chown bind:bind named.log
touch misc.log
chown bind:bind misc.log
Here is the script that Brianko wrote:
#! /usr/bin/perl
#
# blurAddys.pl - Obfuscate IP addresses in a file
#
# cat some.log | blurAddys.pl > some_blurred.log
#
#####################################################################
use strict;
use warnings;

while (<STDIN>) {
    # Replace every dotted or dashed IPv4 quad with XXX.XXX.XXX.XXX,
    # keeping the original separators ($1, $2, $3) in place.
    s/\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}(\.|-)\d{1,3}/XXX$1XXX$2XXX$3XXX/g;
    print $_;
}
It's easy to add this to a script! Below is what I use:
#!/bin/sh
date=`date +%d`
current=`date +%d%m%y`

# On the first of the month, bundle last month's blurred logs into a tarball and remove them
if [ "$date" = 01 ]; then
    tar cfvz /var/log/named/named.$current.tar.gz /var/log/named/*.log.*
    rm /var/log/named/*.log.*
fi

# Blur the live query log (chroot path) into the archive dir, then start a fresh log file
cat /var/lib/named/var/log/named.log | /usr/local/bin/blurAddys.pl > /var/log/named/named.log.$current
rm /var/lib/named/var/log/named.log
touch /var/lib/named/var/log/named.log
chown bind:bind /var/lib/named/var/log/named.log
/etc/init.d/bind9 restart
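The scripts above only blur IPv4 addresses. As an added example (not part of this page or of Brianko's script), here is a Python port of the same idea that goes one step beyond the page and also blurs IPv6 client addresses, which a dual-stack Tier 2 server will log. The log lines in SAMPLE_LOG are constructed to look like bind9 query-log output under the logging configuration shown above; the module and function names are my own.

```python
"""Blur client addresses in BIND query logs before they are archived.

Added example: a Python port of the idea behind blurAddys.pl, extended
to IPv6. The sample log lines below are constructed, not taken from a server.
"""
import ipaddress
import re
import sys

# Same shape as the Perl regex on the page: four 1-3 digit groups joined by
# '.' or '-', so dashed quads inside reverse-DNS hostnames are blurred too.
IPV4_RE = re.compile(r"\d{1,3}([.-])\d{1,3}([.-])\d{1,3}([.-])\d{1,3}")

# Candidate IPv6 tokens: runs of hex digits and colons with at least two
# colons, not glued to other word characters. Timestamps such as 20:18:35
# also match this shape, so each candidate is validated before replacement.
IPV6_RE = re.compile(r"(?<![\w:])(?:[0-9A-Fa-f]{0,4}:){2,7}[0-9A-Fa-f]{0,4}(?![\w:])")


def _blur_v4(match):
    # Keep the original separators so 1-2-3-4.example.net still reads as a hostname.
    return "XXX{0}XXX{1}XXX{2}XXX".format(*match.groups())


def _blur_v6(match):
    token = match.group(0)
    try:
        ipaddress.IPv6Address(token)
    except ValueError:
        return token  # a timestamp or other colon-separated field: leave it alone
    return "XXXX::XXXX"


def blur_line(line):
    """Return the log line with every IPv4 and IPv6 address replaced."""
    # IPv4 first: an IPv4-mapped address like ::ffff:1.2.3.4 would otherwise
    # be only partly replaced by the IPv6 pass, leaking the last three octets.
    line = IPV4_RE.sub(_blur_v4, line)
    return IPV6_RE.sub(_blur_v6, line)


def blur_lines(lines):
    """Blur a whole list of log lines, preserving order."""
    return [blur_line(line) for line in lines]


# Constructed sample in the shape BIND writes with print-category no / print-time yes.
SAMPLE_LOG = [
    "13-May-2009 20:18:35.123 client 58.6.115.46#41234: query: www.example.geek IN A +",
    "13-May-2009 20:18:36.001 client 2001:db8::1#53: query: ns1.opennic.glue IN AAAA -",
    "13-May-2009 20:18:36.500 client ::1#40001: query: host 58-6-115-46.example.net IN A +",
]


if __name__ == "__main__":
    # Same usage as the Perl script: cat named.log | blur_addys.py > named.log.blurred
    # With no piped input, the constructed sample is blurred instead.
    source = SAMPLE_LOG if sys.stdin.isatty() else sys.stdin
    for entry in source:
        sys.stdout.write(blur_line(entry.rstrip("\n")) + "\n")
```

The validation step matters: a bare colon-and-hex regex would happily rewrite the timestamp at the start of every line, so every IPv6 candidate is parsed with the standard library before it is replaced, and anything that does not parse is left untouched. Run it the same way as blurAddys.pl, or with no input to see the sample lines blurred.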
Hope that this guide has helped you in your Tier 2 and OpenNIC adventures. Once you have yours working, if you plan to donate your DNS services and bandwidth to OpenNIC, visit http://reg.opennic.glue/