{"id":934,"date":"2013-09-25T12:13:04","date_gmt":"2013-09-25T10:13:04","guid":{"rendered":"http:\/\/clark.tipistrani.it\/?p=934"},"modified":"2019-04-08T11:59:41","modified_gmt":"2019-04-08T09:59:41","slug":"server-dns-chroot","status":"publish","type":"post","link":"http:\/\/clark.tipistrani.it\/?p=934","title":{"rendered":"Server DNS in chroot"},"content":{"rendered":"

Il DNS<\/a> \u00e8 indispensabile per la risoluzione dei nomi, vale a dire convertire in nomi dominio “human friendly” gli indirizzi IP dei siti o degli hosts di una LAN.
\nIl pi\u00f9 noto server DNS in circolazione \u00e8 BIND (Berkeley Internet Name Domain) vediamo in dettaglio come preparare un server DNS\u00a0 che sia utile tanto alla nostra LAN quanto per risolvere i nomi su internet.<\/p>\n

#apt-get install bind9<\/pre>\n
che si tira dietro le necessarie dipendenze<\/p>\n
Bind ha delle pecche intrinseche di sicurezza, quindi \u00e8 decisamente meglio installarlo in chroot, a tale scopo seguiremo Bind Chroot<\/a> di Debian.<\/p>\n
# \/etc\/init.d\/bind9 stop<\/pre>\n
# vim \/etc\/default\/bind9<\/pre>\n
e modificare\u00a0 la voce OPTIONS nel modo seguente<\/p>\n
OPTIONS=\"-u bind -t \/var\/bind9\/chroot\"<\/pre>\n
che \u00e8 poi in definitiva il posto dove si creer\u00e0 il chroot.<\/p>\n
Ora\u00a0 si deve creare l’intero albero di directory necessario per il chroot:<\/p>\n
# mkdir -p \/var\/bind9\/chroot\/{etc,dev,var\/cache\/bind,var\/run\/named}<\/pre>\n
Creiamo i device necessari e settiamo i permessi corretti per essi<\/p>\n
# mknod\u00a0 \/var\/bind9\/chroot\/dev\/null c 1 3<\/pre>\n
# mknod \/var\/bind9\/chroot\/dev\/random c 1 8<\/pre>\n
# mknod \/var\/bind9\/chroot\/dev\/urandom c 1 9<\/p>\n
# chmod 660 \/var\/bind9\/chroot\/dev\/{null,random}<\/pre>\n
Spostiamo i files di configurazione nella nuova posizione e creiamo un symlink<\/p>\n
# mv \/etc\/bind \/var\/bind9\/chroot\/etc<\/p>\n
# ln -s \/var\/bind9\/chroot\/etc\/bind \/etc\/bind
\nchown -R bind:bind \/etc\/bind\/* <\/span>chmod 775 \/var\/bind9\/chroot\/var\/{cache\/bind,run\/named} <\/span>chgrp bind \/var\/bind9\/chroot\/var\/{cache\/bind,run\/named}<\/p>\n
Modifichiamo il path del pidfile in \/etc\/init.d\/bind9<\/p>\n
PIDFILE=\/var\/bind9\/chroot\/var\/run\/named\/named.pid<\/p>\n
Istruiamo rsyslogd ad ascoltare i messaggi di bind in chroot<\/p>\n
echo \"\\$AddUnixListenSocket \/var\/bind9\/chroot\/dev\/log\" > \/etc\/rsyslog.d\/bind-chroot.conf<\/span><\/pre>\n
Istruiamo adesso resolv.conf ad ascoltare sulla loopback<\/p>\n
# vim \/etc\/resolv.conf<\/pre>\n
commentare la\/le voce\/i nameserver presente e aggiungere<\/p>\n
 nameserver 127.0.0.1<\/pre>\n
Quindi riavviamo rsyslog e facciam partire bind<\/p>\n
# \/etc\/init.d\/rsyslog restart; \/etc\/init.d\/bind9 start<\/pre>\n
A questo punto abbiamo un server DNS che \u00e8 in grado di risolvere i nomi INTERNET perfettamente funzionante e relativamente sicuro, dandolo come DNS alla LAN le macchine interne possono navigare tranquillamente. Creiamo adesso 2 files che descrivono la nostra LAN, in modo tale che tramite un unico DNS sia possibile risolvere interno ed esterno, user\u00f2 come esempio crazyhouse.lan la LAN di casa i due files sono anche detti files di zona.<\/p>\n
# vim \/etc\/bind\/crazyhouse.lan<\/pre>\n
;# database per la risoluzione diretta della rete crazyhouse.lan<\/pre>\n
;# indirizzi 192.168.20.0\/24<\/pre>\n
;# ricordarsi di aumentare il seriale ad ogni modifica<\/pre>\n
$TTL 64800<\/pre>\n
crazyhouse.lan.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN SOA dns.crazyhouse.lan. hostmaster.dns.crazyhouse.lan. (<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 140520110\u00a0\u00a0\u00a0\u00a0 ; Serial<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10800\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Refresh<\/pre>\n
  \u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3600\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0  ; Retry<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0  604800\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Expire 30 days<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3600)\u00a0  \u00a0\u00a0\u00a0\u00a0\u00a0 ; Minimum<\/pre>\n
;#server dns<\/pre>\n
crazyhouse.lan.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 NS\u00a0\u00a0\u00a0\u00a0\u00a0 dns.crazyhouse.lan.<\/pre>\n
;## aggiunto il 10\/04\/07 per prova postfix interno<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 MX\u00a0\u00a0\u00a0\u00a0\u00a0 5 aliseo.crazyhouse.lan.<\/pre>\n
;# forward mapping<\/pre>\n
noi\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.20.1<\/pre>\n
libeccio.crazyhouse.lan.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.20.2<\/pre>\n
ale.crazyhouse.lan.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.20.9<\/pre>\n
aliseo.crazyhouse.lan.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.20.241<\/pre>\n
dns.crazyhouse.lan.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.20.10<\/pre>\n
maestrale.crazyhouse.lan.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.20.100 ;wifi router<\/pre>\n
$GENERATE 25-50 dhcp$ A 192.168.20.$\r\n\r\nsangiusto2\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 172.27.1.1\r\n;sanmarco2\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10.0.10.4\r\npc0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.100.3\r\nsibilla\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.150.10\r\n\r\nsangiorgio\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xxx.xxx.xxx.xxx\r\ncrm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 xxx.xxx.xxx.xxx \r\ncrm\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.150.6\r\nangelo\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 192.168.100.6\r\nperseo\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 77.93.230.62\r\ncluster\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 172.27.1.1\r\nhorde\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 A\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 172.27.1.1\r\n\r\n; alias\r\ngateway\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 CNAME\u00a0\u00a0 aliseo.crazyhouse.lan.\r\nmail\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 CNAME\u00a0\u00a0 aliseo.crazyhouse.lan.\r\nproxy\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 CNAME\u00a0\u00a0 aliseo.crazyhouse.lan.<\/pre>\n
e il file per la risoluzione inversa<\/p>\n
#vim \/etc\/bind\/crazyhouse.rev<\/pre>\n
; database per la risoluzione inversa della rete crazyhouse.lan<\/pre>\n
; indirizzi 192.168.20.0\/24<\/pre>\n
; filename db.192.168.20.<\/pre>\n
; ricordarsi di aumentare il seriale ad ogni modifica<\/pre>\n
$TTL 64800<\/pre>\n
20.168.192.in-addr.arpa.\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0 SOA dns.crazyhouse.lan hostmaster.crazyhouse.lan. (<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 140520111\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Serial<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 10800\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Refresh<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 3600\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Retry<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 604800\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Expire<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 7200)\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 ; Minimum\r\n\r\n; server dns<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 NS\u00a0\u00a0\u00a0\u00a0\u00a0 dns.crazyhouse.lan.<\/pre>\n
; reverse mapping<\/pre>\n
10.20.168.192.in-addr.arpa.\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 PTR\u00a0\u00a0\u00a0\u00a0 dns.crazyhouse.lan.<\/pre>\n
100.20.168.192.in-addr.arpa.\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 PTR\u00a0\u00a0\u00a0\u00a0 maestrale.crazyhouse.lan.\r\n1.20.168.192.in-addr.arpa.\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 PTR\u00a0\u00a0\u00a0\u00a0 noi.crazyhouse.lan.\r\n2.20.168.192.in-addr.arpa.\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 PTR\u00a0\u00a0\u00a0\u00a0 libeccio.crazyhouse.lan.\r\n9.20.168.192.in-addr.arpa.\u00a0\u00a0\u00a0\u00a0\u00a0 IN\u00a0\u00a0\u00a0\u00a0\u00a0 PTR\u00a0\u00a0\u00a0\u00a0 ale.crazyhouse.lan.241.20.168.192.in-addr.arpa.\r\n241.20.168.192.in-addr.arpa.    IN\u00a0\u00a0\u00a0\u00a0\u00a0 PTR\u00a0\u00a0\u00a0\u00a0 aliseo.crazyhouse.lan.\r\n$GENERATE 25-50\u00a0 IN\u00a0 PTR dhcp$.crazyhouse.<\/pre>\n
e con questi 2 files abbiamo definito la nostra LAN e nello specifico gli indirizzi di VPN<\/p>\n
che usiamo per connetterci dall’esterno o che dobbiamo raggiungere dall’interno.<\/p>\n
L’ultimo passo \u00e8 modificare il file \/etc\/bind\/named.conf.local inserendo le zone che abbiamo appena creato<\/p>\n
#vim \/etc\/bind\/named.conf.local<\/pre>\n
\/\/ Do any local configuration here<\/pre>\n
\/\/<\/pre>\n
\/\/ Consider adding the 1918 zones here, if they are not used in your<\/pre>\n
\/\/ organization\/\/include \"\/etc\/bind\/zones.rfc1918\";<\/pre>\n
zone \"crazyhouse.lan\" {<\/pre>\n
\u00a0\u00a0\u00a0\u00a0 type master;<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 file \"\/etc\/bind\/crazyhouse.lan\";<\/pre>\n
}<\/pre>\n
;zone \"20.168.192.in-addr.arpa\" {<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 type master;<\/pre>\n
\u00a0\u00a0\u00a0\u00a0\u00a0 file \"\/etc\/bind\/crazyhouse.rev\";<\/pre>\n
};<\/pre>\n
e con questo rilanciando bind9 abbiamo concluso<\/p>\n","protected":false},"excerpt":{"rendered":"
Il DNS \u00e8 indispensabile per la risoluzione dei nomi, vale a dire convertire in nomi dominio “human friendly” gli indirizzi IP dei siti o degli hosts di una LAN. Il pi\u00f9 noto server DNS in circolazione \u00e8 BIND (Berkeley Internet Name Domain) vediamo in dettaglio come preparare un server DNS\u00a0 che sia utile tanto alla […]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[8,14,6],"tags":[16,53,15],"class_list":["post-934","post","type-post","status-publish","format-standard","hentry","category-linux","category-networking","category-work","tag-bind9","tag-chroot","tag-dns"],"_links":{"self":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/934","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=934"}],"version-history":[{"count":7,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/934\/revisions"}],"predecessor-version":[{"id":1613,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=\/wp\/v2\/posts\/934\/revisions\/1613"}],"wp:attachment":[{"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=934"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=934"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/clark.tipistrani.it\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=934"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}