
BIND in a chroot (long message)



         I have bind_8.2.3-0.potato.1 running inside a chroot and I suspect
     it is not working as well as it should. A few days after restarting it
     I found myself without clones on IRC because the IRC server was not
     able to do the reverse resolution of my IP. Now I have given a friend
     an address in my domain and she told me it did not work; I then gave
     her the IP and right now she is browsing.

         If I start the daemon as root everything goes back to normal, which
     seems to indicate that it may be a permissions problem.

# ls -laR /chroot/named/
/chroot/named/:
total 28
drwxr-xr-x    7 root     root         4096 May 21 21:54 ./
drwxr-xr-x    3 root     root         4096 May 21 21:54 ../
drwxr-xr-x    2 root     root         4096 May 24 12:13 dev/
drwxr-xr-x    3 root     root         4096 May 21 16:43 etc/
drwxr-xr-x    2 root     root         4096 May 21 21:55 lib/
drwxr-xr-x    3 root     root         4096 May 21 16:10 usr/
drwxr-xr-x    4 root     root         4096 May 22 09:01 var/

/chroot/named/dev:
total 8
drwxr-xr-x    2 root     root         4096 May 24 12:13 ./
drwxr-xr-x    7 root     root         4096 May 21 21:54 ../
srw-rw-rw-    1 root     root            0 May 24 12:13 log=
crw-rw-rw-    1 root     root       1,   3 May 21 16:12 null

/chroot/named/etc:
total 24
drwxr-xr-x    3 root     root         4096 May 21 16:43 ./
drwxr-xr-x    7 root     root         4096 May 21 21:54 ../
drwxr-xr-x    2 named    named        4096 Jun 24 05:08 bind/
-rw-r--r--    1 root     root           13 May 21 16:43 group
-rw-r--r--    1 root     root          946 May 21 16:12 localtime
-rw-r--r--    1 root     root          465 May 21 16:11 nsswitch.conf

/chroot/named/etc/bind:
total 128
drwxr-xr-x    2 named    named        4096 Jun 24 05:08 ./
drwxr-xr-x    3 root     root         4096 May 21 16:43 ../
-rw-r--r--    1 named    named         237 Apr 11  2000 db.0
-rw-r--r--    1 named    named         271 Apr 11  2000 db.127
-rw-r--r--    1 named    named         237 Apr 11  2000 db.255
-rw-r--r--    1 named    named         256 Apr 11  2000 db.local
-rw-r--r--    1 named    named        1516 May 14 20:17 db.root
-rw-r--r--    1 named    named         616 Jun  6 00:26 named.cc2k
-rw-r--r--    1 root     root         4281 May 21 16:11 named.conf
-rw-r--r--    1 named    named         973 Jun 25 21:57 named.millennium
-rw-r--r--    1 named    named         170 May  2 23:07 named.rev-cc2k
-rw-r--r--    1 named    named         177 May  2 23:07 named.rev-internal

/chroot/named/lib:
total 968
drwxr-xr-x    2 root     root         4096 May 21 21:55 ./
drwxr-xr-x    7 root     root         4096 May 21 21:54 ../
-rwxr-xr-x    1 root     root        85654 May 21 17:34 ld-linux.so.2*
-rwxr-xr-x    1 root     root       887712 May 21 17:33 libc.so.6*

/chroot/named/usr:
total 12
drwxr-xr-x    3 root     root         4096 May 21 16:10 ./
drwxr-xr-x    7 root     root         4096 May 21 21:54 ../
drwxr-xr-x    2 root     root         4096 May 22 08:56 sbin/

/chroot/named/usr/sbin:
total 684
drwxr-xr-x    2 root     root         4096 May 22 08:56 ./
drwxr-xr-x    3 root     root         4096 May 21 16:10 ../
-rwxr-xr-x    1 root     root       470748 May 22 08:56 named*
-rwxr-xr-x    1 root     root       210108 May 22 08:56 named-xfer*

/chroot/named/var:
total 16
drwxr-xr-x    4 root     root         4096 May 22 09:01 ./
drwxr-xr-x    7 root     root         4096 May 21 21:54 ../
drwxrwx---    3 root     named        4096 May 22 09:01 cache/
drwxrwx---    2 root     named        4096 Jun 23 22:53 run/

/chroot/named/var/cache:
total 12
drwxrwx---    3 root     named        4096 May 22 09:01 ./
drwxr-xr-x    4 root     root         4096 May 22 09:01 ../
drwxrwx---    2 root     named        4096 May 22 09:01 bind/

/chroot/named/var/cache/bind:
total 8
drwxrwx---    2 root     named        4096 May 22 09:01 ./
drwxrwx---    3 root     named        4096 May 22 09:01 ../

/chroot/named/var/run:
total 12
drwxrwx---    2 root     named        4096 Jun 23 22:53 ./
drwxr-xr-x    4 root     root         4096 May 22 09:01 ../
-rw-r--r--    1 named    named           6 Jun 23 22:53 named.pid
srw-------    1 root     root            0 Jun 23 22:53 ndc=

         It goes without saying that the server, under normal conditions,
     runs as named.named.

# grep named /etc/passwd /etc/shadow /etc/group
/etc/passwd:named:x:104:104::/chroot/named:/bin/false
/etc/shadow:named:!:11304:0:99999:7:::
/etc/group:named:x:104:

         The init script is slightly modified:

# cat /etc/init.d/bind
#!/bin/sh

PATH=/sbin:/bin:/chroot/named/usr/sbin:/usr/sbin:/usr/bin

test -x /chroot/named/usr/sbin/named || exit 0

case "$1" in
    start)
        echo -n "Starting domain name service: named"
        start-stop-daemon --start --quiet --exec /chroot/named/usr/sbin/named -- -t /chroot/named -u named -g named
        echo "."
    ;;

    stop)
        echo -n "Stopping domain name service: named"
        start-stop-daemon --stop --quiet  \
            --pidfile /chroot/named/var/run/named.pid --exec /chroot/named/usr/sbin/named
        echo "."
    ;;

    restart)
        echo "Plis haz /etc/init.d/bind stop; /etc/init.d/bind start"
        exit 1
#       /usr/sbin/ndc restart
    ;;

    reload)
        echo "Plis haz /etc/init.d/bind stop; /etc/init.d/bind start"
        exit 1
#       /usr/sbin/ndc reload
    ;;

    force-reload)
        $0 restart
    ;;

    *)
        echo "Usage: /etc/init.d/bind {start|stop|reload|restart|force-reload}" >&2
        exit 1
    ;;
esac

exit 0

         A firewall problem?

# ipchains -nL | grep -w 53
ACCEPT     tcp  ------  1.2.3.4              195.55.160.33         * ->   53
DENY       tcp  ------  0.0.0.0/0            195.55.160.33         * ->   53
ACCEPT     udp  ------  0.0.0.0/0            195.55.160.33         * ->   53

         I only allow incoming connections to TCP port 53 from the zone's
     secondary server (1.2.3.4), so that the relevant zone transfers can
     take place. UDP I allow from everyone, of course.

         I cannot think of any other possible causes. If anyone feels
     charitable, try something like this with nslookup:

> server 195.55.160.33
> set q=ptr
> 195.55.160.33

         And see what comes out. Whoever fixes this for me gets a couple of
     drinks, or whatever they like, in Vigo :^).


-- 
 David Serrano <cyberchat2000.com@hue> - Linux Registered User #87069
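The post's own diagnosis is that named works as root but not as named.named, which points at the jail's permissions. The script below is an added example (not the poster's code, not part of BIND or Debian) that audits a chroot tree the way a defender would before blaming the firewall: it models the ordinary Unix owner/group/other permission decision for a given uid and gid (supplementary groups and ACLs are deliberately not modelled) and reports every config, zone file or binary the daemon account could not read, every directory it could not search on the way there, the var/run and var/cache/bind directories it could not write its pid file and transferred zones into, a missing dev/null, and, as hardening checks, any world-writable or setuid/setgid file inside the jail. The directory names, the uid/gid 104 and the sample tree it builds for its demo are assumptions taken from or modelled on the listing above, not the poster's real filesystem.

```python
"""Audit a chrooted BIND tree for permission problems as seen by the daemon's uid/gid.
Added example. Usage against a real jail: python3 audit_chroot.py /chroot/named 104 104
(the uid/gid of the named account in the post's /etc/passwd). With no arguments it
builds and audits a constructed sample jail in a temporary directory."""
import os
import shutil
import stat
import sys
import tempfile


def allowed(st, uid, gid, want):
    """Mode-bit check for a process running as (uid, gid); want is 'r', 'w' or 'x'."""
    bit = {"r": 4, "w": 2, "x": 1}[want]
    if uid == 0:
        return True                       # root bypasses read/write DAC checks
    if st.st_uid == uid:
        return bool((st.st_mode >> 6) & bit)
    if st.st_gid == gid:
        return bool((st.st_mode >> 3) & bit)
    return bool(st.st_mode & bit)


def can(path, uid, gid, want):
    return allowed(os.stat(path), uid, gid, want)


def unreachable_ancestors(root, relpath, uid, gid):
    """Directories from the jail root down to (excluding) relpath that lack the x bit."""
    bad = [] if can(root, uid, gid, "x") else ["."]
    cur = root
    for part in relpath.split("/")[:-1]:
        cur = os.path.join(cur, part)
        if os.path.isdir(cur) and not can(cur, uid, gid, "x"):
            bad.append(os.path.relpath(cur, root))
    return bad


def audit_chroot(root, uid, gid, read_dirs=("etc", "lib", "usr/sbin"),
                 write_dirs=("var/run", "var/cache/bind"), devices=("dev/null",)):
    """Return a list of findings (paths relative to root); an empty list means nothing found."""
    findings = []
    rel = lambda p: os.path.relpath(p, root)
    for d in read_dirs + write_dirs:
        for a in unreachable_ancestors(root, d, uid, gid):
            findings.append(f"{a}: not searchable by uid {uid}, blocks access to {d}")
    # Config, zone files and binaries: directories searchable, regular files readable.
    for d in read_dirs:
        top = os.path.join(root, d)
        if not os.path.isdir(top):
            findings.append(f"{d}: missing")
            continue
        for dirpath, _, filenames in os.walk(top):
            if not can(dirpath, uid, gid, "x"):
                findings.append(f"{rel(dirpath)}: not searchable by uid {uid}")
            for name in filenames:
                st = os.lstat(os.path.join(dirpath, name))   # lstat: never follow symlinks
                if stat.S_ISREG(st.st_mode) and not allowed(st, uid, gid, "r"):
                    findings.append(f"{rel(os.path.join(dirpath, name))}: not readable by uid {uid}")
    # Pid file and zone-transfer directory: named and named-xfer must create files there.
    for d in write_dirs:
        p = os.path.join(root, d)
        if not os.path.isdir(p):
            findings.append(f"{d}: missing")
        elif not (can(p, uid, gid, "w") and can(p, uid, gid, "x")):
            findings.append(f"{d}: not writable by uid {uid}")
    for d in devices:
        p = os.path.join(root, d)
        if not os.path.exists(p) or not stat.S_ISCHR(os.stat(p).st_mode):
            findings.append(f"{d}: missing or not a character device")
    # Hardening: nothing in the jail should be world-writable or setuid/setgid.
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            m = os.lstat(p).st_mode
            if stat.S_ISLNK(m) or stat.S_ISCHR(m) or stat.S_ISSOCK(m):
                continue                  # dev/null and the dev/log socket are world-writable by design
            if (m & stat.S_IWOTH) and not (m & stat.S_ISVTX):
                findings.append(f"{rel(p)}: world-writable")
            if stat.S_ISREG(m) and (m & (stat.S_ISUID | stat.S_ISGID)):
                findings.append(f"{rel(p)}: setuid/setgid file inside the chroot")
    return findings


def build_sample_tree(base):
    """Constructed sample jail (not the poster's tree) with deliberate defects: a key file
    readable only by its owner, a world-writable library, no var/cache/bind, no dev/null.
    Returns the (uid, gid) to audit as: a uid owning nothing here, in the tree's group,
    which mirrors the root:named ownership of var/run in the post."""
    def mk(relpath, mode, content=None):
        p = os.path.join(base, relpath)
        if content is None:
            os.makedirs(p, exist_ok=True)
        else:
            with open(p, "w") as fh:
                fh.write(content)
        os.chmod(p, mode)                 # explicit modes so the umask cannot skew the demo
    os.chmod(base, 0o755)
    mk("etc", 0o755); mk("etc/bind", 0o755)
    mk("etc/bind/named.conf", 0o644, 'options { directory "/var/cache/bind"; };\n')
    mk("etc/bind/tsig.key", 0o600, "placeholder, not a real key\n")
    mk("lib", 0o755); mk("lib/libc.so.6", 0o666, "")
    mk("usr", 0o755); mk("usr/sbin", 0o755); mk("usr/sbin/named", 0o755, "#!/bin/sh\n")
    mk("var", 0o755); mk("var/run", 0o770)
    return os.getuid() + 1, os.getgid()


def run_demo():
    """Build the sample jail in a temp dir, audit it, clean up; returns (uid, findings)."""
    base = tempfile.mkdtemp(prefix="bind-chroot-")
    try:
        uid, gid = build_sample_tree(base)
        return uid, audit_chroot(base, uid, gid)
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    if len(sys.argv) == 4:
        result = audit_chroot(sys.argv[1], int(sys.argv[2]), int(sys.argv[3]))
    else:
        _, result = run_demo()
    print("\n".join(result) if result else "no findings")
```

Against the listing in the post the interesting outputs would be the write checks (var/run and var/cache/bind are root:named with group rwx, so they pass for gid 104) and the read sweep over etc/bind; a file that is readable by root but not by uid 104 is exactly the kind of defect that makes named work when started as root and fail once it drops privileges. The demo tree reproduces that with a 0600 key file, and its world-writable libc.so.6 shows why the hardening sweep matters in a jail whose libraries are copied in by hand.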
