Source

bind9-clone / FAQ

Full commit



Frequently Asked Questions about BIND 9


Q: Why doesn't -u work on Linux 2.2.x?

A: Linux threads do not fully implement the Posix threads (pthreads) standard.
In particular, setuid() operates only on the current thread, not the full
process.  Because of this limitation, BIND 9 cannot use setuid() on Linux as it
can on all other supported platforms.  setuid() cannot be called before
creating threads, since the server does not start listening on reserved ports
until after threads have started.

  In the 2.3.99-pre3 and newer kernels, the ability to preserve capabilities
across a setuid() call is present.  This allows BIND 9 to call setuid() early,
while retaining the ability to bind reserved ports.  This is a Linux-specific
hack.

  On a 2.2 kernel, BIND 9 does drop many root privileges, so it should be less
of a security risk than a root process that has not dropped privileges.

  If Linux threads ever work correctly, this restriction will go away.

  Configuring BIND9 with the --disable-threads option causes a non-threaded
version to be built, which will allow -u to be used.


Q: Why does named log the error message "no TTL specified" and refuse
to load my zone file?

A: Your zone file must either have a line like

   $TTL 86400

at the beginning, or the first record in it must have a TTL field,
like the "84600" in this example:

   example.com. 86400 IN SOA ns hostmaster ( 1 3600 1800 1814400 3600 )

BIND 8 incorrectly accepted files that had neither.


Q: Why do I see 5 (or more) copies of named on Linux?

A: Linux threads each show up as a process under ps.  The approximate
number of threads running is n+4, where n is the number of CPUs.


Q: Why does BIND 9 log "permission denied" errors accessing its
configuration files on my Linux system even though it is running as
root?

A: On Linux, BIND 9 drops most of its root privileges on startup.
This including the privilege to open files owned by other users.
Therefore, if the server is running as root, the configuration files
should also be owned by root.


Q: Why do I get errors like "dns_zone_load: zone foo/IN: loading master file
bar: ran out of space"

A: This is often caused by TXT records with missing close quotes.  Check that
all TXT records containing quoted strings have both open and close quotes.


Q: How do I produce a useful core file on Linux?

A: Apply the kernel patch found in bind9/linux/coredump-patch and rebuild
the kernel.  This patch causes multithreaded programs to dump the correct
thread.


Q: How do I restrict people from looking up the server version?

A: Put a "version" option containing something other than the real
version in the "options" section of named.conf.  Note doing this will
not prevent attacks and may impede people trying to diagnose problems
with your server.  Also it is possible to "fingerprint" nameservers to
determine their version.


Q: How do I restrict only remote users from looking up the server
version?

A: The following view statement will intercept lookups as the internal
view that holds the version information will be matched last.  The
caveats of the previous answer still apply, of course.

  view "chaos" chaos {
	  match-clients { <those to be refused>; };
	  allow-query { none; };
	  zone "." {
		  type hint;
		  file "/dev/null";  // or any empty file
	  };
  };