{"id":5,"date":"2015-01-30T21:15:14","date_gmt":"2015-01-30T21:15:14","guid":{"rendered":"http:\/\/blog.voipxswitch.com\/?p=5"},"modified":"2015-03-27T08:35:46","modified_gmt":"2015-03-27T12:35:46","slug":"compiling-bind9","status":"publish","type":"post","link":"https:\/\/blog.voipxswitch.com\/?p=5","title":{"rendered":"Compiling bind9 on linux with Response Rate Limiting (to prevent DDoS DNS attacks)"},"content":{"rendered":"

This tutorial can easily be applied to most any linux system. I went through these steps on Debian 7 server.<\/span><\/p>\n

First let’s setup the environment, this tutorial assumes you have no previous install of bind on the server.<\/span><\/p>\n

\n
mkdir -p \/var\/local\/cache\/bind\r\nmkdir -p \/usr\/local\/etc\/bind<\/pre>\n
We are assuming group id and user id 5005 are free, you may need to substitute ids<\/p>\n
groupadd -g 5005 bind\r\nuseradd -u 5005 -g 5005 -d \/var\/local\/cache\/bind -M -s \/bin\/false bind<\/pre>\n<\/blockquote>\n

\n<\/span> Now let’s download the bind9 source code. This tutorial assumes you have the required dependencies installed. The only one I found tricky to locate was libkrb5-dev (on Debian you can install it with apt-get install libkrb5-dev)<\/p>\n
\n
cd \/usr\/src<\/pre>\n
wget http:\/\/ftp.isc.org\/isc\/bind9\/cur\/9.9\/bind-9.9.5-P1.tar.gz<\/pre>\n
tar zxvf bind-9.9.5-P1.tar.gz<\/pre>\n
cd bind-9.9.5-P1<\/pre>\n
.\/configure '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=\/usr' '--with-gssapi=\/usr' '--with-gnu-ld' '--with-geoip=\/usr' '--enable-ipv6' '--enable-rrl'<\/pre>\n
make<\/pre>\n
make install<\/pre>\n
wget --user=ftp --password=ftp ftp:\/\/ftp.rs.internic.net\/domain\/db.cache -O \/usr\/local\/etc\/bind\/db.root<\/pre>\n<\/blockquote>\n

\n<\/span> Last step is to install the configuration files and startup scripts.<\/span><\/p>\n
\n
rndc-confgen -a -c \/usr\/local\/etc\/bind\/rndc.key<\/pre>\n
cat > \/etc\/named.conf <<EOT\r\n include \"\/usr\/local\/etc\/bind\/rndc.key\";\r\n include \"\/usr\/local\/etc\/bind\/named.conf\";\r\nEOT<\/pre>\n
cat > \/usr\/local\/etc\/named.conf <<EOT\r\n#\r\ncontrols {\r\n inet 127.0.0.1 port 953\r\n allow { 127.0.0.1; 192.168.1.100; } keys { \"rndc-key\"; };\r\n };\r\noptions {\r\n directory \"\/var\/local\/cache\/bind\";\r\n allow-new-zones yes;\r\n transfers-in 500;\r\n empty-zones-enable yes;\r\n \/\/forwarders { 8.8.8.8; 8.8.4.4; };\r\n recursion no;\r\n \/\/allow-transfer {\"none\";};\r\n allow-query { any; };\r\n dnssec-validation auto;\r\n auth-nxdomain no;\u00a0\u00a0\u00a0 # conform to RFC1035\r\n listen-on-v6 { any; };\r\n rate-limit {\r\n  responses-per-second 5;\r\n  #window 5;\r\n  #log-only yes;\r\n  };\r\n};\r\nzone \".\" {\r\n type hint;\r\n file \"\/usr\/local\/etc\/bind\/db.root\";\r\n};\r\nEOT<\/pre>\n
chown bind:bind -R \/var\/local\/cache\/bind\r\nchown bind:bind -R \/usr\/local\/etc\/bind<\/pre>\n<\/blockquote>\n
Please note the init.d scripts only work on Debian based systems. I do not have init.d scripts for any other distribution.<\/b><\/p>\n
Download the init.d script <\/span>here<\/a><\/span><\/p>\n
<\/span>Download the init.d default file here<\/a><\/span><\/p>\n

\n<\/span> Copy the init.d script to \/etc\/init.d\/bind9<\/span><\/p>\n
Copy the init.d default file to \/etc\/default\/bind9<\/span><\/p>\n
\n
chmod +x \/etc\/init.d\/bind9\r\n\/etc\/init.d\/bind9 start<\/pre>\n<\/blockquote>\n","protected":false},"excerpt":{"rendered":"
This tutorial can easily be applied to most any linux system. I went through these steps on Debian 7 server. First let’s setup the environment, this tutorial assumes you have no previous install of bind on the server. mkdir -p \/var\/local\/cache\/bind mkdir -p \/usr\/local\/etc\/bind We are assuming group id and user id 5005 are free, […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-5","post","type-post","status-publish","format-standard","hentry","category-dns"],"_links":{"self":[{"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=\/wp\/v2\/posts\/5","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=5"}],"version-history":[{"count":8,"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=\/wp\/v2\/posts\/5\/revisions"}],"predecessor-version":[{"id":18,"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=\/wp\/v2\/posts\/5\/revisions\/18"}],"wp:attachment":[{"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=5"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=5"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.voipxswitch.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=5"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}