AW: Backup and Securing Bind servers
Walkenhorst, Benjamin
Benjamin.Walkenhorst at telekom.de
Thu Jan 20 07:47:01 UTC 2005
Hello,
> I wonder how you guys manage Bind servers.
I can only speak for myself... =)
> What are the important files to backup in case need to re-build a Bind
> server from the crashed Primary& Secondary..?
We have BIND run in a chroot environment, so ordinarily - as it is
hosting only a few rather small zones - we just create a tarball
of the chroot directory.
Furthermore, I assume the entire system gets backed up regularly, but
I do not know any details about when, how often, backup media, etc...
I understand your question as "What files do I have to back up so I can get
up and running again in minimum time, in case of a critical failure (e.g. hardware)?"
a) Ordinarily, you should have a backup schedule for the entire system, if it's a
production system. If you back up the entire system, you don't need to care
about specific apps/services.
b) If you just care for BIND - in any case you should back up named.conf, that one is
quite obvious. For all primary zones you host, you should back up the zone files as well
as the reverse lookup files (unless you generate them from another data source like LDAP
or DNS, in that case you should only have to re-generate them and of course back up that
data source).
For secondary zones, you should consider if it's easier to back up the zones or to just
re-transfer them when you are back online. Depending on the size and number of zones,
re-transferring them can be lengthy and annoying, so you gotta decide what's best for you.
You should also think of log files, maybe you can redirect BIND's logging messages to another
syslog host over the network.
Like I said, if BIND is running in a chroot environment, the easiest thing is to just say
"tar czf bind-chroot.tar.gz /path/to/bind/chroot"
and put that tarball somewhere safe.
> What are the methods to backup the configuration files and database
> files on Bind..?
In short words: named.conf plus every file referenced in named.conf
If they exist, rndc.key or rndc.conf might be valuable as well.
> How to secure Bind servers..?
http://www.cymru.com/Documents/secure-bind-template.html
can be a good starting point.
If you don't mind reading a lot, the following might be interesting to you, as well:
http://www.zytrax.com/books/dns/
http://crashrecovery.org/named/
And, of course, the BINDv9 Administrator's Reference Manual (Bv9ARM) is always a good starting point:
http://www.bind9.net/Bv9ARM.html
In case you like printed books, "DNS & BIND" by Paul Albitz & Cricket Liu is very, very good.
In short words:
Think about who should be allowed to access your nameserver for what reasons. I.e. if it is only to resolve names for your
private network, don't have it listen on an outside address at all. Limit recursive queries to well-known IPs and block
everybody else. If possible, use TSIG (or maybe IPsec) for securing zone transfers, don't let any other services run on
your nameserver, use a chroot environment, have BIND run as an unprivileged user instead of root, ...
In general, general security related advice applies. =) For BIND- and/or DNS-specific security issues, start by looking
at the above URLs and reading.
Kind regards,
Benjamin
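The backup rule in the reply above ("named.conf plus every file referenced in named.conf") and the hardening options it lists (listen only on the inside address, restrict recursion, TSIG-protected zone transfers) can be put into a small script. The following is an added example and not code from the original post or from the BIND project: it writes a constructed sample named.conf to a scratch directory (addresses from the 192.0.2.0/24 documentation range, placeholder key secrets, hypothetical zone names), extracts every `include` and `file` path from it the way named would resolve them, and packs them into one tarball. The function names `setup_demo`, `referenced_files` and `backup_bind_config` are the example's own.

```shell
#!/bin/sh
# Added example, not from the original post. Collects named.conf plus every
# file it references into one tarball, working on a constructed sample config
# that also shows the hardening options the reply mentions.
set -eu

# Write a constructed sample named.conf (addresses from the documentation
# range, placeholder secrets) into a scratch directory and print that directory.
setup_demo() {
    demo=$(mktemp -d)
    mkdir -p "$demo/etc" "$demo/var/named/zones"
    cat > "$demo/etc/named.conf" <<EOF
// constructed sample: options in the spirit of the advice in the reply
options {
    directory "$demo/var/named";
    listen-on { 192.0.2.53; };            // internal address only, nothing on the outside
    allow-recursion { 192.0.2.0/24; };    // recursive queries for our own clients only
    allow-transfer { key "xfer-key"; };   // zone transfers only with a valid TSIG signature
    recursion yes;
};
include "$demo/etc/rndc.key";
key "xfer-key" { algorithm hmac-sha256; secret "PLACEHOLDER-NOT-A-REAL-KEY="; };
zone "example.net"          { type master; file "zones/example.net.zone"; };
zone "2.0.192.in-addr.arpa" { type master; file "zones/2.0.192.rev"; };
zone "example.org"          { type slave;  file "zones/example.org.bak"; masters { 192.0.2.54; }; };
EOF
    # Placeholder files the config points at, so the tarball step has something to pack.
    echo 'key "rndc-key" { algorithm hmac-sha256; secret "PLACEHOLDER="; };' > "$demo/etc/rndc.key"
    for z in example.net.zone 2.0.192.rev example.org.bak; do
        echo "; constructed placeholder zone data" > "$demo/var/named/zones/$z"
    done
    printf '%s\n' "$demo"
}

# Print named.conf itself plus every path given in an `include "..."` or
# `file "..."` statement. Relative paths are resolved against the
# options { directory "..." } value, as named does.
referenced_files() {
    conf=$1
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n1)
    printf '%s\n' "$conf"
    sed -n -e 's/.*include[[:space:]]*"\([^"]*\)".*/\1/p' \
           -e 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" |
    while IFS= read -r f; do
        case $f in
            /*) printf '%s\n' "$f" ;;
            *)  printf '%s/%s\n' "${dir:-.}" "$f" ;;
        esac
    done
}

# Pack named.conf and everything it references into a gzipped tarball and
# print the tarball path. A referenced file that is missing is reported on
# stderr but does not abort the backup.
backup_bind_config() {
    conf=$1
    out=$2
    list=$(mktemp)
    referenced_files "$conf" | while IFS= read -r f; do
        if [ -f "$f" ]; then
            printf '%s\n' "$f" >> "$list"
        else
            echo "warning: $f is referenced in $conf but does not exist" >&2
        fi
    done
    tar czf "$out" -T "$list"   # -T reads the member list from a file
    rm -f "$list"
    printf '%s\n' "$out"
}

# Usage: demo=$(setup_demo); backup_bind_config "$demo/etc/named.conf" "$demo/bind-config.tar.gz"
```

For a real server the same `referenced_files` call points at the live named.conf, and the resulting tarball is what goes off-box; secondary zone files show up in the list as well, so dropping them from the backup (and re-transferring after a rebuild instead) is a one-line filter on that list.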