Reply: Re: Backup and Securing Bind servers

holger.honert at signal-iduna.de holger.honert at signal-iduna.de
Thu Jan 20 10:27:10 UTC 2005


Hi all,
another book worth reading is for sure "DNS & BIND Cookbook" by Cricket Liu!

Kind Regards

Holger Honert

KOMN-97851

SIGNAL IDUNA Gruppe
Joseph-Scherer-Str. 3
44139 Dortmund

Phone: +49 231/135-4043
FAX: +49 231/135-2959

mailto: holger.honert at signal-iduna.de

"Walkenhorst, Benjamin" <Benjamin.Walkenhorst at telekom.de>
Sent by: bind-users-bounce at isc.org
20.01.2005 08:47

To:           bcisco at gmail.com, bind-users at isc.org
Cc:
Subject:      Re: Backup and Securing Bind servers


Hello,

> I wonder how you guys manage Bind servers. 

I can only speak for myself... =)

> What are the important files to backup in case need to re-build a Bind
> server from the crashed Primary & Secondary..?

We have BIND run in a chroot environment, so ordinarily - as it is
hosting only a few rather small zones - we just create a tarball
of the chroot-directory.
Furthermore, I assume the entire system gets backed up regularly, but
I do not know any details about when, how often, backup media, etc...

I understand your question as "What files do I have to back up so I can get
up and running again in minimum time, in case of a critical failure (e.g.
hardware)?"

a) Ordinarily, you should have a backup schedule for the entire system, if
   it's a production system. If you back up the entire system, you don't need
   to care about specific apps/services.

b) If you just care for BIND - in any case you should back up named.conf,
   that one is quite obvious. For all primary zones you host, you should back
   up the zone files as well as the reverse lookup files (unless you generate
   them from another data source like LDAP or DNS, in that case you should
   only have to re-generate them and of course back up that data source).
   For secondary zones, you should consider if it's easier to back up the
   zones or to just re-transfer them when you are back online. Depending on
   the size and number of zones, re-transferring them can be lengthy and
   annoying, so you gotta decide what's best for you.
   You should also think of log files, maybe you can redirect BIND's logging
   messages to another syslog host over the network.

Like I said, if BIND is running in a chroot-environment, the easiest thing is
to just say
"tar czf bind-chroot.tar.gz /path/to/bind/chroot"
and put that tarball somewhere safe.


> What are the methods to backup the configuration files and database
> files on Bind..?

In short: named.conf plus every file referenced in named.conf.
If existing, rndc.key or rndc.conf might be valuable as well.

> How to secure Bind servers..?

http://www.cymru.com/Documents/secure-bind-template.html
can be a good starting point.

If you don't mind reading a lot, the following might be interesting to you,
as well:

http://www.zytrax.com/books/dns/
http://crashrecovery.org/named/
And, of course, the BINDv9 Administrator's Reference Manual (Bv9ARM) is
always a good starting point:
http://www.bind9.net/Bv9ARM.html

In case you like printed books, "DNS & BIND" by Paul Albitz & Cricket Liu
is very, very good.

In short:
Think about who should be allowed to access your nameserver for what reasons.
I.e. if it only resolves names for your private network, don't have it listen
on an outside address at all. Limit recursive queries to well-known IPs and
block everybody else. If possible, use TSIG (or maybe IPsec) for securing zone
transfers, don't let any other services run on your nameserver, use a chroot
environment, have BIND run as an unprivileged user instead of root, ...

In general, general security-related advice applies. =) For BIND- and/or
DNS-specific security issues, start by looking at the above URLs and reading.

Kind regards,
Benjamin