Wednesday, February 17, 2010

Recovery of a DNS server

There was a DNS server sitting on the network that had been around for ages. Thermal overload and an 'unclean reboot' on an old Red Hat install finally killed it. At least there was failover support!

After some discussions with some colleagues, it was eventually decided that an attempted revival was out of the question.  Rebuild time!

The weapon OS of choice was CentOS (of course), and an attempt was made to salvage whatever data and configurations possible from the old server.

Tomorrow: an update on what was done.

We were luckily able to retrieve the named.conf and the databases from the dead server using a SLAX Live CD.

0. Assuming a Clean install of CentOS and Ethernet / other system configurations complete - log in as root

1. The first thing is to update the files to the latest version
yum update

2. Install the following packages
yum install bind bind-chroot bind-libs bind-utils

It should be noted that the old DNS server did not use the chroot security option, which is essentially a 'jail' to prevent full system access to a hacker using any bind exploit. This meant that the locations of the conf file and the databases needed to be changed for the new install.

3. Rename the original named.conf
mv /var/named/chroot/etc/named.conf /var/named/chroot/etc/named.conf.orig

4. Copy the named.conf which was taken from the old server
cp /location/of//backup/named.conf  /var/named/chroot/etc/

5. Copy the zones
cp /location/of/backup/zones/* /var/named/chroot/var/named/

6. Check to see if the named service is operational
service named restart

Once it starts without problems, proceed to step 7
Troubleshooting? Useful resources here:

7. Set named to automatically start on reboot.
chkconfig named on

8. Configure the firewall
If the server is only being used for DNS, only allow incoming DNS and perhaps SSH/Telnet.

Set firewall to Enabled (*)
Go to Customize
Leave Trusted Devices and Masquerade Devices empty (dependent on your configuration)
Add to "other ports" section
53:tcp 53:udp
Check box by either SSH or Telnet (whichever preferred)

Save and exit

9. Check to see if service is operational
service named status

This setup was based on a restore, so a new install of Bind will need additional tweaking dependent on the environment.

Update: Permissions issue was preventing updates to the server.

10. Further permission fix

cd etc
*Backup named.conf
cp -p named.conf named.conf.bkp

cd /var/named/chroot/var/named
chown named:named db.*

cd /var/named
chown -R named:named ./chroot

chmod g+w /var/named/chroot/var/named