BIND 9 questions
From: Mark D Robinson (mrobinso fpkc.com)
Date: Wed Jul 02 2003 - 15:03:29 CDT
I've got a couple of (probably dumb newbie) questions about running BIND 9 on OpenBSD that I'm hoping someone can help me with. I've read the man pages, the FAQ, searched the list archives, but haven't found any answers yet.
I'm running a vanilla OpenBSD 3.3-release installation with the included BIND 9.2.2.
I've based my named.conf on Rob Thomas' excellent Secure BIND Template
http://www.cymru.com/Documents/secure-bind-template.html . It requires some editing for the default OpenBSD3.3/BIND 9.2.2 config, but nothing too major.
He's got a view to restrict chaos class queries and he uses /dev/null as the hints file:
zone "." {
    type hint;
    file "/dev/null";
};
After an initial set of errors, I thought that because BIND is chrooted to /var/named that it couldn't access /dev/null, so based on the mknod man page and /dev/MAKEDEV, I ran
mknod -m a=rw /var/named/dev/null c 2 2
and changed the file mode to crw-rw-rw-. Now I get these errors:
Jul 2 14:18:55 artemis named[8491]: /usr/src/usr.sbin/bind/lib/isc/unix/errno2result.c:109: unexpected error:
Jul 2 14:18:55 artemis named[8491]: unable to convert errno to isc_result: 6: Device not configured
Jul 2 14:18:55 artemis named[8491]: could not configure root hints from '/dev/null': unexpected error
It works fine if I use an empty file as the chaos hints file. So my questions are, what did I do wrong and is there any advantage to using /dev/null over an ordinary file?
My other question regards the log file. Rob has some messages going to a separate log file.
channel audit_log {
    // Send the security related messages to a separate file.
    file "/var/named/named.log";
    severity debug;
    print-time yes;
};
But when I try this, I get this error message
Jul 2 13:38:16 artemis named[31373]: logging channel 'audit_log' file '/var/named/named.log': file not found
Named still starts, but it doesn't create the log file. I tried using /named.log or even /master/named.log, but then I get "access denied" errors. Any ideas on what I'm doing wrong here?
Thanks.
Mark Robinson
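Added example, not part of the original post: a small POSIX shell helper that maps each file directive in a named.conf to the path a chrooted named will actually open (so "/dev/null" means CHROOT/dev/null and "/var/named/named.log" means CHROOT/var/named/named.log) and reports what is found there, run against a constructed throwaway chroot layout. It assumes the chroot directory and config path are passed as arguments and that relative paths resolve from the chroot root.

```shell
# Added example (not from the original post). For a chrooted named every
# file "..." directive is resolved relative to the chroot, so this prints the
# host path named will really open and whether anything exists there.
# Assumptions: $1 is the chroot directory, $2 the named.conf inside it, and
# relative paths resolve from the chroot root. A device node that exists can
# still be unusable if its filesystem is mounted nodev; this does not detect that.
# Print "<conf path> <host path> <status>" for each file "..." directive.
check_named_files() {
    chroot_dir=${1%/}        # drop one trailing slash
    conf=$2
    sed -n 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" |
    while IFS= read -r p; do
        case $p in
            /*) host="$chroot_dir$p" ;;    # absolute: under the chroot root
            *)  host="$chroot_dir/$p" ;;   # relative: from the chroot root (assumed)
        esac
        if [ -c "$host" ]; then status=chardev
        elif [ -f "$host" ]; then status=ok
        elif [ -d "$(dirname "$host")" ]; then status=missing-file
        else status=missing-dir
        fi
        printf '%s %s %s\n' "$p" "$host" "$status"
    done
}
# Build a throwaway chroot layout (constructed sample, not a real install)
# holding the post's two directives plus the /master/named.log variant;
# prints the directory so the caller can remove it afterwards.
build_demo_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" "$d/master"      # no null node in dev, no var/named inside
    : > "$d/master/named.log"
    cat > "$d/named.conf" <<'EOF'
zone "." {
    type hint;
    file "/dev/null";
};
channel audit_log {
    file "/var/named/named.log";
    severity debug;
};
channel audit_log_alt {
    file "/master/named.log";
};
EOF
    printf '%s\n' "$d"
}
d=$(build_demo_chroot)
check_named_files "$d" "$d/named.conf"
rm -rf "$d"
```

The three statuses correspond to the post's three outcomes: no device node under the chroot's dev, a log directory that does not exist inside the chroot, and a file that is where named will look.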