Introduction
This is a work log of responding to the BIND vulnerability announced at the beginning of November 2016.
Following October's update, it is yet another update.
Environment
Current version: BIND 9.10.4-P3
New version: BIND 9.10.4-P4 (latest)
OS: CentOS 5.6 (a bit old)
Approach
Since I did not want to change the configuration, I did an in-place (overwrite) install.
Procedure
Obtain the latest source
- Check the current version before starting work
# /usr/local/sbin/named -v
BIND 9.10.4-P3 <id:6b19o23>
→ In practice, I also backed up the existing configuration files and zone files.
# cd /usr/local/src
# wget http://ftp.isc.org/isc/bind9/9.10.4-P4/bind-9.10.4-P4.tar.gz
Install BIND
# cd bind-9.10.4-P4
# ./configure --with-openssl=yes --enable-shared --enable-fetchlimit
Choose the configure options to taste.
If you do not use OpenSSL, you can drop that option.
enable-fetchlimit is the option for mitigating DNS water torture (random-subdomain) attacks. It is disabled by default.
Configuration:
-h, --help display this help and exit
--help=short display options specific to this package
--help=recursive display the short help of all the included packages
-V, --version display version information and exit
-q, --quiet, --silent do not print `checking ...' messages
--cache-file=FILE cache test results in FILE [disabled]
-C, --config-cache alias for `--cache-file=config.cache'
-n, --no-create do not create output files
--srcdir=DIR find the sources in DIR [configure dir or `..']
Installation directories:
--prefix=PREFIX install architecture-independent files in PREFIX
[/usr/local]
--exec-prefix=EPREFIX install architecture-dependent files in EPREFIX
[PREFIX]
By default, `make install' will install all the files in
`/usr/local/bin', `/usr/local/lib' etc. You can specify
an installation prefix other than `/usr/local' using `--prefix',
for instance `--prefix=$HOME'.
For better control, use the options below.
Fine tuning of the installation directories:
--bindir=DIR user executables [EPREFIX/bin]
--sbindir=DIR system admin executables [EPREFIX/sbin]
--libexecdir=DIR program executables [EPREFIX/libexec]
--sysconfdir=DIR read-only single-machine data [PREFIX/etc]
--sharedstatedir=DIR modifiable architecture-independent data [PREFIX/com]
--localstatedir=DIR modifiable single-machine data [PREFIX/var]
--libdir=DIR object code libraries [EPREFIX/lib]
--includedir=DIR C header files [PREFIX/include]
--oldincludedir=DIR C header files for non-gcc [/usr/include]
--datarootdir=DIR read-only arch.-independent data root [PREFIX/share]
--datadir=DIR read-only architecture-independent data [DATAROOTDIR]
--infodir=DIR info documentation [DATAROOTDIR/info]
--localedir=DIR locale-dependent data [DATAROOTDIR/locale]
--mandir=DIR man documentation [DATAROOTDIR/man]
--docdir=DIR documentation root [DATAROOTDIR/doc/bind]
--htmldir=DIR html documentation [DOCDIR]
--dvidir=DIR dvi documentation [DOCDIR]
--pdfdir=DIR pdf documentation [DOCDIR]
--psdir=DIR ps documentation [DOCDIR]
NOTE: If PREFIX is not set, then the default values for --sysconfdir
and --localstatedir are /etc and /var, respectively.
System types:
--build=BUILD configure for building on BUILD [guessed]
--host=HOST cross-compile to build programs to run on HOST [BUILD]
Optional Features:
--disable-option-checking ignore unrecognized --enable/--with options
--disable-FEATURE do not include FEATURE (same as --enable-FEATURE=no)
--enable-FEATURE[=ARG] include FEATURE [ARG=yes]
--enable-shared[=PKGS] build shared libraries [default=yes]
--enable-static[=PKGS] build static libraries [default=yes]
--enable-fast-install[=PKGS]
optimize for fast installation [default=yes]
--disable-libtool-lock avoid locking (might break parallel builds)
--enable-libbind deprecated
--enable-warn-shadow turn on -Wshadow when compiling
--enable-warn-error turn on -Werror when compiling
--enable-developer enable developer build settings
--enable-seccomp enable support for libseccomp system call filtering
[default=no]
--enable-kqueue use BSD kqueue when available [default=yes]
--enable-epoll use Linux epoll when available [default=auto]
--enable-devpoll use /dev/poll when available [default=yes]
--enable-threads enable multithreading
--enable-native-pkcs11 use native PKCS11 for all crypto [default=no]
--enable-openssl-hash use OpenSSL for hash functions [default=no]
--enable-sit enable source identity token [default=no]
--enable-openssl-version-check
check OpenSSL version [default=yes]
--enable-largefile 64-bit file support
--enable-backtrace log stack backtrace on abort [default=yes]
--enable-symtable use internal symbol table for backtrace
[all|minimal(default)|none]
--enable-ipv6 use IPv6 default=autodetect
--enable-getifaddrs enable the use of getifaddrs() [yes|no].
--disable-isc-spnego use SPNEGO from GSSAPI library
--disable-chroot disable chroot
--disable-linux-caps disable linux capabilities
--enable-atomic enable machine specific atomic operations
[default=autodetect]
--enable-fixed-rrset enable fixed rrset ordering [default=no]
--disable-rpz-nsip disable rpz-nsip rules [default=enabled]
--disable-rpz-nsdname disable rpz-nsdname rules [default=enabled]
--enable-fetchlimit enable recursive fetch limits [default=no]
--enable-filter-aaaa enable filtering of AAAA records [default=no]
--enable-querytrace enable very verbose query trace logging [default=no]
--enable-full-report report values of all configure options
Optional Packages:
--with-PACKAGE[=ARG] use PACKAGE [ARG=yes]
--without-PACKAGE do not use PACKAGE (same as --with-PACKAGE=no)
--with-pic[=PKGS] try to use only PIC/non-PIC objects [default=use
both]
--with-gnu-ld assume the C compiler uses GNU ld [default=no]
--with-sysroot=DIR Search for dependent libraries within DIR
(or the compiler's sysroot if not specified).
--with-python=PATH specify path to python interpreter
--with-geoip=PATH Build with GeoIP support (yes|no|path)
--with-gssapi=PATH Specify path for system-supplied GSSAPI [default=yes]
--with-randomdev=PATH Specify path for random device
--with-locktype=ARG Specify mutex lock type (adaptive or standard)
--with-libtool use GNU libtool
--with-openssl=PATH Build with OpenSSL yes|no|path.
(Crypto is required for DNSSEC)
--with-pkcs11=PATH Build with PKCS11 support yes|no|path
(PATH is for the PKCS11 provider)
--with-ecdsa Crypto ECDSA
--with-gost Crypto GOST yes|no|raw|asn1.
--with-aes Crypto AES
--with-sit-alg=ALG choose the algorithm for SIT [aes|sha1|sha256]
--with-libxml2=PATH build with libxml2 library yes|no|path
--with-libjson=PATH build with libjson0 library yes|no|path
--with-purify=PATH use Rational purify
--with-gperftools-profiler use gperftools CPU profiler
--with-kame=PATH use Kame IPv6 default path /usr/local/v6
--with-readline=LIBSPEC specify readline library default auto
--with-docbook-xsl=PATH specify path for Docbook-XSL stylesheets
--with-idn=MPREFIX enable IDN support using idnkit default PREFIX
--with-libiconv=IPREFIX GNU libiconv are in IPREFIX default PREFIX
--with-iconv=LIBSPEC specify iconv library default -liconv
--with-idnlib=ARG specify libidnkit
--with-atf=ARG support Automated Test Framework
--with-tuning=ARG Specify server tuning (large or default)
--with-dlopen=ARG support dynamically loadable DLZ drivers
--with-dlz-postgres=PATH Build with Postgres DLZ driver yes|no|path.
(Required to use Postgres with DLZ)
--with-dlz-mysql=PATH Build with MySQL DLZ driver yes|no|path.
(Required to use MySQL with DLZ)
--with-dlz-bdb=PATH Build with Berkeley DB DLZ driver yes|no|path.
(Required to use Berkeley DB with DLZ)
--with-dlz-filesystem=ARG Build with filesystem DLZ driver yes|no.
(Required to use file system driver with DLZ)
--with-dlz-ldap=PATH Build with LDAP DLZ driver yes|no|path.
(Required to use LDAP with DLZ)
--with-dlz-odbc=PATH Build with ODBC DLZ driver yes|no|path.
(Required to use ODBC with DLZ)
--with-dlz-stub=ARG Build with stub DLZ driver yes|no.
(Required to use stub driver with DLZ)
--with-make-clean run "make clean" at end of configure [yes|no]
Run make as-is, stop the named service, and then run the install.
Once the install finishes, check the BIND version to confirm the update succeeded.
# make
# /etc/init.d/named stop
# ps aux | grep named | grep -v grep
# make install
# rndc
Version: 9.10.4-P4
How long make install takes depends on the hardware spec.
Moments like this are the only time I am glad this is an on-premises environment.
Start BIND and verify it works
# /etc/init.d/named start
# ps aux | grep named | grep -v grep
→ Confirm the process started
# netstat -tnlp
→ Confirm the listening ports
# rndc status
version: BIND 9.10.4-P4 <id:123xa4b> ()
boot time: Fri, 15 Nov 2016 05:30:12 GMT
last configured: Fri, 09 Nov 2016 08:53:14 GMT
CPUs found: 4
worker threads: 4
UDP listeners per interface: 3
number of zones: 100
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is ON
recursive clients: 0/900/1000
tcp clients: 0/100
server is up and running
→ Check BIND status
No particular problems. Completed successfully.
Miscellaneous checks I did
1) Can it really resolve names?
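The three post-install checks above (named -v, netstat -tnlp, rndc status) can be scripted so that the upgrade is only declared done when every one of them agrees on the target version. The following POSIX sh script is an added example and is not part of the original post: the check functions take command output as text, so they run either on real output (for example check_named_version "$(/usr/local/sbin/named -v)" "$EXPECTED_VERSION") or on the constructed samples at the bottom, which are modelled on the post's output with made-up PIDs and addresses.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the rebuilt named
# is the one installed, listening and running, by parsing the output of the
# same three commands the post checks by eye. Output is passed in as text.

EXPECTED_VERSION="9.10.4-P4"   # version the post upgrades to

# check_named_version "<named -v output>" "<expected version>"
# Succeeds only if the first line is "BIND <expected>", optionally followed
# by the build id. The old P3 build therefore fails this check.
check_named_version() {
    _first=$(printf '%s\n' "$1" | head -n 1)
    case "$_first" in
        "BIND $2"|"BIND $2 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# check_rndc_status "<rndc status output>" "<expected version>"
# Succeeds only if the status reports the expected version AND the line
# "server is up and running". A daemon that starts but is not the rebuilt
# binary (e.g. an old copy still first on PATH) fails the version part.
check_rndc_status() {
    _ver_ok=1
    _run_ok=1
    while IFS= read -r _line; do
        case "$_line" in
            "version: BIND $2"|"version: BIND $2 "*) _ver_ok=0 ;;
            "server is up and running") _run_ok=0 ;;
        esac
    done <<EOF
$1
EOF
    [ "$_ver_ok" -eq 0 ] && [ "$_run_ok" -eq 0 ]
}

# check_named_listening "<netstat -tnlp output>" "<port>"
# Succeeds only if at least one TCP socket on <port> is in LISTEN state and
# owned by a process called "named" (the PID/Program name column).
check_named_listening() {
    _found=1
    while IFS= read -r _line; do
        case "$_line" in
            *":$2 "*LISTEN*"/named"*) _found=0 ;;
        esac
    done <<EOF
$1
EOF
    return $_found
}

# upgrade_verified "<named -v>" "<netstat -tnlp>" "<rndc status>" "<expected>"
# Runs all three checks, prints the first failure, returns non-zero on it.
upgrade_verified() {
    check_named_version "$1" "$4" || { echo "FAIL: named -v does not report $4"; return 1; }
    check_named_listening "$2" 53 || { echo "FAIL: no named LISTEN socket on tcp/53"; return 2; }
    check_rndc_status "$3" "$4"   || { echo "FAIL: rndc status wrong version or not running"; return 3; }
    echo "OK: BIND $4 installed, listening and running"
}

# --- constructed samples (modelled on the post's output, not real captures) ---
SAMPLE_NAMED_V_OLD='BIND 9.10.4-P3 <id:6b19o23>'
SAMPLE_NAMED_V_NEW='BIND 9.10.4-P4 <id:123xa4b>'
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1234/sshd
tcp        0      0 192.168.2.10:53             0.0.0.0:*                   LISTEN      4321/named
tcp        0      0 127.0.0.1:53                0.0.0.0:*                   LISTEN      4321/named'
SAMPLE_STATUS='version: BIND 9.10.4-P4 <id:123xa4b> ()
boot time: Fri, 15 Nov 2016 05:30:12 GMT
recursive clients: 0/900/1000
tcp clients: 0/100
server is up and running'

upgrade_verified "$SAMPLE_NAMED_V_NEW" "$SAMPLE_NETSTAT" "$SAMPLE_STATUS" "$EXPECTED_VERSION"
```

The version is checked in two places on purpose: named -v tells you which binary is on disk, while rndc status tells you which binary is actually serving queries, and after an overwrite install those can differ if the old process was never stopped.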
# dig +noall +answer @localhost www.yahoo.co.jp
www.yahoo.co.jp. 900 IN CNAME www.g.yahoo.co.jp.
www.g.yahoo.co.jp. 60 IN A 183.79.104.227
www.g.yahoo.co.jp. 60 IN A 183.79.143.229
www.g.yahoo.co.jp. 60 IN A 183.79.143.228
www.g.yahoo.co.jp. 60 IN A 182.22.121.124
In practice I also ran this against the zones and reverse zones I own.
2) Confirm that master-to-slave transfer works.
Update the test zone file,
# vi /var/named/zone/test.zone
test IN A 192.168.2.10
then run reload on the master and retransfer on the slave.
# rndc reload test-domain.net
# rndc retransfer test-domain.net
Also watch the log to confirm that the update is reflected on the slave side.
# tail -f /var/log/named.log
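Watching named.log shows that a transfer happened; comparing the SOA serial that each server answers with shows that the slave now holds the same zone version as the master, and querying the slave for the new record shows it is actually served. The following POSIX sh script is an added example, not part of the original post. The zone name test-domain.net and the record test IN A 192.168.2.10 come from the post; the server names ns1/hostmaster, the serial values and the dig output lines are constructed samples. On a real pair the same functions take live output, e.g. zone_in_sync "$(dig +short @master SOA test-domain.net)" "$(dig +short @slave SOA test-domain.net)".

```shell
#!/bin/sh
# Added example, not from the original post: check master/slave agreement by
# SOA serial and confirm the edited record is served by the slave. dig output
# is passed in as text so the functions can be run on constructed samples.

# soa_serial "<dig +short SOA output>"
# dig +short prints "mname rname serial refresh retry expire minimum";
# the serial is the third field. Prints it, fails if the text is not an SOA.
soa_serial() {
    set -- $1                    # split the record on whitespace (unquoted on purpose)
    [ $# -ge 7 ] || return 1
    printf '%s\n' "$3"
}

# zone_in_sync "<master SOA>" "<slave SOA>"
# Succeeds only if both answers carry the same serial. A slave that has not
# transferred yet (or kept a stale copy) still shows the older serial.
zone_in_sync() {
    _m=$(soa_serial "$1") || return 2
    _s=$(soa_serial "$2") || return 2
    [ "$_m" = "$_s" ]
}

# record_present "<dig +noall +answer output>" "<owner>" "<type>" "<rdata>"
# Succeeds if some answer line is "<owner> <ttl> IN <type> <rdata>".
record_present() {
    _out=$1; _owner=$2; _type=$3; _rdata=$4
    _found=1
    while IFS= read -r _line; do
        set -- $_line            # fields: owner ttl class type rdata
        [ $# -ge 5 ] || continue
        if [ "$1" = "$_owner" ] && [ "$4" = "$_type" ] && [ "$5" = "$_rdata" ]; then
            _found=0
        fi
    done <<EOF
$_out
EOF
    return $_found
}

# --- constructed samples (not real captures) ---
SAMPLE_MASTER_SOA='ns1.test-domain.net. hostmaster.test-domain.net. 2016111502 3600 900 604800 86400'
SAMPLE_SLAVE_STALE='ns1.test-domain.net. hostmaster.test-domain.net. 2016111501 3600 900 604800 86400'
SAMPLE_SLAVE_ANSWER='test.test-domain.net. 60 IN A 192.168.2.10'

if zone_in_sync "$SAMPLE_MASTER_SOA" "$SAMPLE_SLAVE_STALE"; then
    echo "slave serial matches master"
else
    echo "slave is behind master (serial $(soa_serial "$SAMPLE_SLAVE_STALE") vs $(soa_serial "$SAMPLE_MASTER_SOA"))"
fi
if record_present "$SAMPLE_SLAVE_ANSWER" "test.test-domain.net." A 192.168.2.10; then
    echo "slave serves test.test-domain.net A 192.168.2.10"
fi
```

This check only passes if the SOA serial was incremented when the zone file was edited, which is also what makes the slave pull the change on notify or refresh; an edit without a serial bump leaves both servers reporting the old serial and the slave serving the old data, which is exactly the failure the serial comparison is meant to expose.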
With that, the update is complete.
Since I have occasion to run these updates many times, it would be nice if they were easy.
(I want to switch to rpm-based updates soon.)
Finally
If I get the chance, I would like to write about migrating to rpm and about security-related configuration settings.