The FreeBSD Diary


installing bind8 from ports
28 March 2001
Over the past two months, there have been two security issues regarding bind.  If you didn't upgrade for the first notice, then the recent worm threat should have prompted you to get moving.  Back in January, when the initial bind security notice was issued, there was some talk of how best to upgrade with minimal effect.  Some preferred downloading the source code and installing.  I preferred the port.

The main problem with the port was that it installed to a different location than the bind which was included with the base system.  This is normal.  And expected.  However, there is an easy way around this using flags passed to make.

The basis for this article is a message I posted to the FreeBSD Security mailing list back in January.

The install
I think the best way to do this, if you are upgrading, is to perform the following steps:
  1. build
  2. kill
  3. remove
  4. install
  5. check
  6. start
  7. recheck

It is important to know that the options used for building must be the same options used for installing.  If you do a make, then a make install, please ensure that you use the same options on both commands.  You will see this being done for the build and the install below.

1. build
Since I have the entire ports tree installed, all I needed to do was:
# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
   DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin \
   DESTHELP=/usr/share/misc
   
2. kill
First, I killed the existing named:
# killall -QUIT named
	
3. remove
If you have already installed bind from ports, you will have to remove it before you install.  Here's how to find out if you already have it installed:

# pkg_info | grep bind
bind-8.2.3 The Berkeley Internet Name Daemon, an implementation of DNS

If you don't have bind already installed via a package or port (i.e. the above grep shows nothing), you can omit this step.

Now we delete that:

# pkg_delete bind-8.2.3

4. install
It is important to know that the options used for building must be the same options used for installing.  If you do a make, then a make install, please ensure that you use the same options on both commands.  For the install, I did this:
# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
   DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin \
   DESTHELP=/usr/share/misc install
5. check
You should check that you have the correct version installed:

# /usr/sbin/named -v
named 8.2.3-REL Mon Mar 12 22:43:17 NZDT 2001
   root@xeon.int.nz.freebsd.org:/usr/obj/usr/src/usr.sbin/named

As at the time of writing, this was the latest and greatest version of bind8.  You could install bind9, but for me, that's not an option right now.  Perhaps one day...

6. start
bind can be started automagically using configuration settings within /etc/rc.conf.   You can view the default settings with the following command:

# grep named /etc/defaults/rc.conf

Do not modify /etc/defaults/rc.conf.  These are the default settings and are used as examples for /etc/rc.conf.  Make all your changes to /etc/rc.conf.

Here are the settings I use in my /etc/rc.conf file:

named_enable="YES"
named_flags="-u bind -g bind"

Here's how you can start bind using the above settings:

# /usr/sbin/named -u bind -g bind

7. recheck
Checking the logs I found this:
starting (/etc/namedb/named.conf). named 8.2.3-REL Mon Mar 12 22:43:17 NZDT 2001 root@xeon.int.nz.freebsd.org:/usr/obj/usr/src/usr.sbin/named
limit files set to fdlimit (1024)
Ready to answer queries.

That is the version of bind I was expecting.
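
Steps 5 and 7 can be scripted so the same check runs on every box. The following is an added example, not part of the original article: it compares the version reported by the binary on disk with the version in the most recent startup line in the log, which catches the case where the new binary is installed but the old named is still running. The syslog prefix, the older version string and the log path in the final comment are assumptions.

```sh
#!/bin/sh
# Added example (not from the article): steps 5 and 7 as one repeatable check.
EXPECTED="8.2.3-REL"    # version the article builds and installs

# Version token from `named -v` output, e.g. "named 8.2.3-REL Mon Mar 12 ...".
version_from_banner() {
    awk '$1 == "named" && NF >= 2 { print $2; exit }'
}

# Version from the LAST "starting (" line, i.e. the most recent named start.
version_from_log() {
    awk '/starting \(/ {
             for (i = 1; i < NF; i++)
                 if ($i == "named" && $(i + 1) ~ /^[0-9]/) v = $(i + 1)
         }
         END { if (v != "") print v }'
}

# $1 = `named -v` output, $2 = log text. Returns 0 only if both match EXPECTED.
check_upgrade() {
    disk=$(printf '%s\n' "$1" | version_from_banner)
    running=$(printf '%s\n' "$2" | version_from_log)
    if [ "$disk" != "$EXPECTED" ]; then
        echo "FAIL: binary reports '$disk', expected $EXPECTED"; return 1
    fi
    if [ "$running" != "$EXPECTED" ]; then
        echo "FAIL: last start logged '$running', expected $EXPECTED"; return 2
    fi
    echo "OK: $EXPECTED installed and running"
}

# Constructed sample input: the banner and startup text are the article's,
# the syslog timestamps, host name, PIDs and the older version are made up.
SAMPLE_BANNER='named 8.2.3-REL Mon Mar 12 22:43:17 NZDT 2001'
SAMPLE_LOG_STALE='Mar 27 09:00:01 ns1 named[211]: starting (/etc/namedb/named.conf).  named 8.2.2-P5 Sat Nov 25 03:12:40 NZDT 2000'
SAMPLE_LOG_FRESH="$SAMPLE_LOG_STALE
Mar 28 10:15:02 ns1 named[874]: starting (/etc/namedb/named.conf).  named 8.2.3-REL Mon Mar 12 22:43:17 NZDT 2001
Mar 28 10:15:02 ns1 named[874]: Ready to answer queries."

check_upgrade "$SAMPLE_BANNER" "$SAMPLE_LOG_FRESH"
# On a real box (log path is an assumption; the article only says "the logs"):
#   check_upgrade "$(/usr/sbin/named -v 2>&1)" "$(grep 'named\[' /var/log/messages)"
```

A return code of 1 means the install step did not replace the binary being checked; a return code of 2 means named has not been restarted since the install.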

Repeat as necessary
There's one great thing about a port.  After it's installed, it looks just like a package.  In fact there's no difference between an installed port and an installed package (see also Ports or Packages?).

So what?

If you have ten DNS servers to update, you don't have to download the source to each box.  You can make a package.  And ftp that to each box and then install the package.  For example, you could do this:

# cd /usr/ports/net/bind8
# make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \
   DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin \
   DESTHELP=/usr/share/misc package

This should create bind-8.2.3.tgz.  Copy that file to your other box[es] and do this (remember to kill and remove first!) to install:

pkg_add bind-8.2.3.tgz

Then you'll have the same code as you have on the other box.  After the install, remember to do your check, start, and recheck.

A final note
One vital aspect of security is paying attention.  And acting when necessary.  One thing you should pay attention to is security advisories.  If you have not already done so, I urge you to subscribe to the FreeBSD Security mailing list.  All security notifications are sent to this list.

When you get a notification, you should decide whether or not it applies to you.  Not all notices will apply to everyone (perhaps you don't have that software installed; perhaps you have already upgraded and you already have the patches).  It usually takes a half hour or so to patch a single box.  Security notices are not issued lightly.  They are real risks which need to be dealt with.  Taking the time now to upgrade might save you hours later if someone does break into your system.

A final note: it's not so much the damage that an intruder might do.  That's usually pretty obvious.  It's what you don't see that you should worry about.  After any intrusion, you cannot trust the system.  A back door may be present.  Some people feel that the only real way to secure a box after an intrusion is to reinstall.  It's easier to patch.  Do it now.
