Reply: Re: Backup and Securing Bind servers
holger.honert at signal-iduna.de
Thu Jan 20 10:27:10 UTC 2005
Another book worth reading is for sure "DNS & BIND Cookbook" from Cricket
Kind Regards/Freundlichen Gruß
SIGNAL IDUNA Gruppe
Phone: +49 231/135-4043
FAX: +49 231/135-2959
mailto: holger.honert at signal-iduna.de
"Walkenhorst, Benjamin" <Benjamin.Walkenhorst at telekom.de>
Sent by: bind-users-bounce at isc.org
To: bcisco at gmail.com, bind-users at isc.org
Subject: Re: Backup and Securing Bind servers
> I wonder how you guys manage Bind servers.
I can only speak for myself... =)
> What are the important files to backup in case need to re-build a Bind
> server from the crashed Primary& Secondary..?
We have BIND run in a chroot environment, so ordinarily - as it is
hosting only a few rather small zones - we just create a tarball
of the chroot-directory.
Furthermore, I assume the entire system gets backed up regularly, but
I do not know any details about when, how often, backup media, etc...
I understand your question as "What files do I have to back up so I can
up and running again in minimum time, in case of a critical failure (e.g.
a) Ordinarily, you should have a backup schedule for the entire system, if
production system. If you back up the entire system, you don't need to
about specific apps/services.
b) If you just care for BIND - in any case you should backup named.conf, that one is quite obvious. For all primary zones you host, you should back up the zone files as well as the reverse lookup files (unless you generate them from another data source like LDAP or DNS, in that case you should only have to re-generate them and of course back up that

For secondary zones, you should consider if it's easier to back up the zones or to just re-transfer them when you are back online. Depending on the size and number of zones, re-transferring them can be lengthy and annoying, so you gotta decide what's best for you.

You should also think of log files, maybe you can redirect BIND's logging messages to another syslog host over the network.

Like I said, if BIND is running in a chroot-environment, the easiest thing is to just say
"tar czf bind-chroot.tar.gz /path/to/bind/chroot"
and put that tarball somewhere safe.
> What are the methods to backup the configuration files and database
> files on Bind..?
In short words: named.conf plus every file referenced in named.conf
If existing, rndc.key or rndc.conf might be valuable as well.
> How to secure Bind servers..?
can be a good starting point.
If you don't mind reading a lot, the following might be interesting to
you, as well:
And, of course, the BINDv9 Administrator's Reference Manual (Bv9ARM) is
always a good starting point:
In case you like printed books, "DNS & BIND" by Paul Albitz & Cricket Liu
is very, very good.
In short words:
Think about who should be allowed to access your nameserver for what reasons. I.e. if it is only to resolve names for your private network, don't have it listen on an outside address at all. Limit recursive queries to well-known IPs and block everybody else. If possible, use TSIG (or maybe IPsec) for securing zone transfers, don't let any other services run on your nameserver, use a chroot environment, have BIND run as an unprivileged user instead of root, ...

In general, general security related advice applies. =) For BIND- and/or DNS-specific security issues, start by looking at the above URLs and reading.
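The hardening advice in the reply above, written out as two named.conf fragments (an added example, not from the original thread or from ISC): the weak configuration that many default installs resemble, and the corrected one with an inside-only listen address, a recursion ACL and TSIG-authenticated zone transfers. The addresses, the zone name and the key name are constructed; the secret is a placeholder; hmac-sha256 assumes BIND 9.4 or later.

```conf
// ---- Fragment 1: weak (do not combine with fragment 2 in one file) ----
// Listens on every interface, answers and recurses for anyone on the
// Internet (open resolver), and lets anyone pull full zones with AXFR.
options {
    directory "/var/named";
    recursion yes;
    allow-query { any; };
    allow-recursion { any; };
    allow-transfer { any; };
};

// ---- Fragment 2: hardened ----
// Constructed sample addresses: 10.0.0.0/8 is the private network,
// 10.1.2.3 the server's inside interface.
acl "internal" { 10.0.0.0/8; 127.0.0.1; };

// TSIG key shared with the secondary; generate the base64 secret with
// tsig-keygen (or dnssec-keygen on older releases). Placeholder value.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-GENERATED-BASE64-SECRET";
};

options {
    directory "/var/named";
    listen-on { 10.1.2.3; 127.0.0.1; };   // inside address only, no outside listener
    listen-on-v6 { none; };
    recursion yes;
    allow-query { internal; };            // only our own network may ask at all
    allow-recursion { internal; };        // recursion limited to well-known ranges
    allow-transfer { none; };             // global default; opened per zone below
    version "none";                       // don't advertise the running version
};

zone "example.com" {
    type master;
    file "example.com.zone";              // back this file up together with named.conf
    allow-transfer { key "xfer-key"; };   // only a TSIG-signed AXFR/IXFR succeeds
};

// On the secondary, the same key block plus:
//   server 10.1.2.3 { keys { "xfer-key"; }; };
// Start named unprivileged and chrooted, e.g.: named -u named -t /var/named-chroot
```

With fragment 2 in place, an unsigned AXFR from any host is refused and logged, which makes a transfer attempt visible in the syslog stream the reply suggests forwarding to a central host.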