Install BIND9 from source on Debian
Goal oriented, very low tolerance for bull.
If something is worth doing, then it's worth doing it right.
If something is worth doing, then it's worth doing it right.
Published:
Browse All Articles > Install BIND9 from source on Debian
BIND is the most widely used Name Server. A Name Server is the one that translates a site name to it's IP address.
There is a new bug in BIND, affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 9.9.7-P1 and BIND 9.10.2-P2.
Basically, anyone can stop your BIND service (named), effectively shutting down your name resolution.
So if you administer name servers using BIND, you need to update NOW.
Unfortunately, that means you cannot wait for binaries for your distribution to become available, you need to install from source.
Problems:
My solution: configure a test server, configure, compile and install the new version of BIND from source, then copy all the files to the production servers. This way you disrupt the service for 20 sec max.
Caveat: all servers should run the same distribution and packages.
My servers all run Debian 7.8, with minimal packages installed, to reduce attack vectors.
Technique:
1. Create a test server (either from scratch, or by cloning one of your production DNS servers).
2. Prepare the build environment
3. Download and extract the package:
4. Configure and compile. In Debian the named files are in /etc/bind/ and the executables are in /usr/bin and /usr/sbin.
5. Uninstall the old package (this will keep your named files and the /etc/init.d/bind9 startup file)
6. Install paco and use it to get a list of files (paco creates a log in /var/log/paco/<package-nam
7. Start named and check everything is in order:
8. Save the list of files created by the install to a text file
9. Install rsync on all servers:
10. Now the magic: on each server, stop named, remove the packages, copy the files from the list, start named.
20 seconds and you're all patched up :)
11. Now test if you have the right version:
PS: This assumes that you can SSH from your test server to your production servers.
The easiest way to do that is to generate a key on your test server, then copy the public key on each of your production servers:
There is a new bug in BIND, affecting all versions of BIND 9 from BIND 9.1.0 (inclusive) through BIND 9.9.7-P1 and BIND 9.10.2-P2.
Basically, anyone can stop your BIND service (named), effectively shutting down your name resolution.
So if you administer name servers using BIND, you need to update NOW.
Unfortunately, that means you cannot wait for binaries for your distribution to become available, you need to install from source.
Problems:
- You need to install a development environment in your DNS servers
- Configuring and compiling can take a long time, using resources
- You need to uninstall the current packages, without losing your zone files and named config, including startup scripts.
My solution: configure a test server, configure, compile and install the new version of BIND from source, then copy all the files to the production servers. This way you disrupt the service for 20 sec max.
Caveat: all servers should run the same distribution and packages.
My servers all run Debian 7.8, with minimal packages installed, to reduce attack vectors.
Technique:
1. Create a test server (either from scratch, or by cloning one of your production DNS servers).
2. Prepare the build environment
test-server:apt-get install build-essential libssl-dev
3. Download and extract the package:
test-server:mkdir /home/downloads
test-server:cd /home/downloads
test-server:wget https://www.isc.org/downloads/file/bind-9-9-7-p2/?version=tar-gz --no-check-certificate -O bind-9.9.7-P2.tar.gz
test-server:tar -xzvf bind-9.9.7-P2.tar.gz
test-server:cd bind-9.9.7-P2/
4. Configure and compile. In Debian the named files are in /etc/bind/ and the executables are in /usr/bin and /usr/sbin.
test-server:./configure --prefix /usr --sysconfdir /etc/bind
test-server:make
5. Uninstall the old package (this will keep your named files and the /etc/init.d/bind9 startup file)
test-server:/etc/init.d/bind9 stop
test-server:apt-get remove bind9 bind9utils
6. Install paco and use it to get a list of files (paco creates a log in /var/log/paco/<package-nam
test-server:apt-get install paco
test-server:paco -lp bind-9.9.7 "make install"
7. Start named and check everything is in order:
test-server:/etc/init.d/bind9 start
test-server:tail /var/log/syslog
8. Save the list of files created by the install to a text file
test-server:cat /var/log/paco/bind-9.9.7 | sed -n 's/|\(.*\)//;/^#\(.*\)/d;p' > /home/filelist.txt
9. Install rsync on all servers:
serverx:apt-get install rsync
10. Now the magic: on each server, stop named, remove the packages, copy the files from the list, start named.
20 seconds and you're all patched up :)
serverx:/etc/init.d/bind9 stop
serverx:apt-get remove bind9 bind9utils
test-server:rsync -av --files-from=/home/filelist.txt / serverx:/
serverx:/etc/init.d/bind9 start
11. Now test if you have the right version:
serverx: named -v
BIND 9.9.7-P2 (Extended Support Version)
PS: This assumes that you can SSH from your test server to your production servers.
The easiest way to do that is to generate a key on your test server, then copy the public key on each of your production servers:
test-server: ssh-keygen -t rsa
test-server: less ~/.ssh/id_rsa.pub
copy the key
serverx: nano ~/.ssh/authorized_keys
paste the key
Goal oriented, very low tolerance for bull.
If something is worth doing, then it's worth doing it right.
If something is worth doing, then it's worth doing it right.
Have a question about something in this article? You can receive help directly from the article author. Sign up for a free trial to get started.
Get access with a 7-day free trial.
SIGN UP
Not ready to sign up? Try a week for free to see if you belong
Comments (1)
Author
Commented: