Author: 冷風

The Berkeley Internet Name Domain (BIND) is the DNS software we all know. It has a very broad installed base, and the great majority of DNS servers on the Internet are based on it. BIND is currently maintained by the ISC (Internet Software Consortium), with the actual development done by Nominum (www.nominum.com).

On 4 June 2002 CERT published an advisory on a security vulnerability in ISC BIND 9. Because so much of what runs on the network depends on DNS working properly, the impact of this vulnerability could be very wide. Affected are versions before 9.2.1; the 8.x and 4.x lines are not affected. An attacker can send specially crafted packets that cause the BIND 9 DNS service to stop working, but cannot use this vulnerability to execute code or write data on the DNS server. ISC has released BIND 9.2.1 to fix this vulnerability, and all systems running BIND 9 are advised to upgrade as soon as possible.

BIND 9.2.1 download: http://www.isc.org/products/BIND/bind9.html

Follow the steps below to install the upgrade; the program will be installed under /usr/local/bind921.

Back up and remove the old bind:

    # cp /etc/named.conf /etc/named.conf.bak
    # cp -R /var/named /var/named.bak
    # rpm -e bind bind-devel bind-utils caching-nameserver

Build and install the new bind921:

    # tar zxvf bind-9.2.1.tar.gz
    # cd bind-9.2.1
    # ./configure --with-libtool --enable-threads --prefix=/usr/local/bind921
    # make
    # make install

Restore the data:

    # mkdir /usr/local/bind921/etc
    # cp /etc/named.conf.bak /usr/local/bind921/etc/named.conf
    # mkdir -p /usr/local/bind921/var/named/run
    # useradd -u 25 -d /usr/local/bind921/var/named -s /bin/false named
    # cp -r /var/named.bak/* /usr/local/bind921/var/named
    # chown -R named /usr/local/bind921/var

Modify the configuration file:

Edit /usr/local/bind921/etc/named.conf so that it works on the newly installed system. Change:

    options {
        directory "/var/named";

to:

    options {
        directory "/usr/local/bind921/var/named";

Comment out the old rndc.key include. (If you later want to use rndc to control bind you will still need it; I will not go into that here.) Change:

    include "/etc/rndc.key";

to:

    //include "/etc/rndc.key";

Create the startup script:

I based this mainly on the script that ships in Red Hat's rpm package; you can use it as a reference and adapt it to your own situation.

    #!/bin/bash
    #
    # named           This shell script takes care of starting and stopping
    #                 named (BIND DNS server).
    #
    # chkconfig: - 55 45
    # description: named (BIND) is a Domain Name Server (DNS)
    # that is used to resolve host names to IP addresses.
    # probe: true

    # Source function library.
    . /etc/rc.d/init.d/functions

    export PATH="/sbin:/usr/sbin:/bin:/usr/bin:/usr/X11R6/bin:/usr/local/bind921/bin:/usr/local/bind921/sbin"

    # Source networking configuration.
    . /etc/sysconfig/network

    # Check that networking is up.
    [ "${NETWORKING}" = "no" ] && exit 0

    #[ -f /etc/sysconfig/named ] && . /etc/sysconfig/named

    # Bail out quietly if the new binary or its configuration is missing.
    [ -f /usr/local/bind921/sbin/named ] || exit 0
    [ -f /usr/local/bind921/etc/named.conf ] || exit 0

    RETVAL=0
    prog="/usr/local/bind921/sbin/named"

    start() {
        # Start daemons.
        if [ -n "`/sbin/pidof named`" ]; then
            echo -n $"$prog: already running"
            return 1
        fi
        echo -n $"Starting $prog: "
        if [ -n "${ROOTDIR}" -a "x${ROOTDIR}" != "x/" ]; then
            OPTIONS="${OPTIONS} -t ${ROOTDIR}"
        fi
        # Since named doesn't return proper exit codes at the moment
        # (won't be fixed before 9.2), we can't use daemon here - emulate
        # its functionality
        base=$prog
        named -u named ${OPTIONS}
        RETVAL=$?
        usleep 100000
        if [ -z "`/sbin/pidof named`" ]; then
            # The child processes have died after fork()ing, e.g.
            # because of a broken config file
            RETVAL=1
        fi
        [ $RETVAL -ne 0 ] && failure $"$base startup"
        [ $RETVAL -eq 0 ] && touch /var/lock/subsys/named && success $"$base startup"
        echo
        return $RETVAL
    }

    stop() {
        # Stop daemons.
        echo -n $"Stopping $prog: "
        killproc named
        RETVAL=$?
        [ $RETVAL -eq 0 ] && rm -f /var/lock/subsys/named
        echo
        return $RETVAL
    }

    rhstatus() {
        /usr/local/bind921/sbin/rndc status
        return $?
    }

    restart() {
        stop
        start
    }

    reload() {
        # Ask rndc first; fall back to SIGHUP if rndc is not configured.
        /usr/local/bind921/sbin/rndc reload >/dev/null 2>&1 || /usr/bin/killall -HUP named
        return $?
    }

    probe() {
        # named knows how to reload intelligently; we don't want Linuxconf
        # to offer to restart every time
        /usr/local/bind921/sbin/rndc reload >/dev/null 2>&1 || echo start
        return $?
    }

    # See how we were called.
    case "$1" in
        start)
            start
            ;;
        stop)
            stop
            ;;
        status)
            rhstatus
            ;;
        restart)
            restart
            ;;
        condrestart)
            [ -f /var/lock/subsys/named ] && restart
            ;;
        reload)
            reload
            ;;
        probe)
            probe
            ;;
        *)
            echo $"Usage: $0 {start|stop|status|restart|condrestart|reload|probe}"
            exit 1
    esac

    exit $?
Copy the script above to /etc/init.d/, rename it to named, and set its permissions to 600:

    chmod 600 /etc/init.d/named

Add /usr/local/bind921/bin and /usr/local/bind921/sbin to /etc/profile:

    if [ `id -u` = 0 ]; then
        pathmunge /sbin
        pathmunge /usr/sbin
        pathmunge /usr/local/sbin
        pathmunge /usr/local/mysql/bin
        pathmunge /usr/local/bind921/bin
        pathmunge /usr/local/bind921/sbin
    fi

Test:

    # chkconfig --add named
    # chkconfig --level 345 named on
    # /etc/init.d/named start

Remember to run these commands. If named fails to start, check the log in /var/log/messages and troubleshoot from there; you can also ask for help on this site's forum.
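As an added example (not part of the original article), the following POSIX sh helpers let you verify the two things this procedure changes: that the version string printed by `named -v` falls outside the affected range the advisory describes (9.x before 9.2.1; 8.x and 4.x unaffected), and that the migrated named.conf points at the new directory. The names `bind_affected` and `conf_directory` are chosen here and are not part of BIND.

```sh
#!/bin/sh
# Added example, not from the original article. Helper names are chosen here.

# bind_affected VERSION
# Returns 0 if VERSION is in the affected range (BIND 9.x before 9.2.1),
# 1 if not affected (9.2.1 and later, plus the 8.x and 4.x lines), and
# 2 if no version number could be parsed. Accepts a bare "9.2.0" or the
# full `named -v` output such as "BIND 9.2.0-rc1".
bind_affected() {
    ver=$(printf '%s\n' "$1" | sed -n 's/^[^0-9]*\([0-9][0-9.]*\).*/\1/p')
    [ -n "$ver" ] || return 2
    major=${ver%%.*}
    rest=${ver#*.}
    [ "$rest" = "$ver" ] && rest=0          # "9" is treated as 9.0.0
    minor=${rest%%.*}
    [ -n "$minor" ] || minor=0
    patch=${rest#*.}
    [ "$patch" = "$rest" ] && patch=0       # "9.2" is treated as 9.2.0
    patch=${patch%%.*}                      # drop any fourth component
    [ -n "$patch" ] || patch=0
    [ "$major" -eq 9 ] || return 1          # only the 9.x line is affected
    [ "$minor" -lt 2 ] && return 0          # 9.0.x and 9.1.x
    [ "$minor" -eq 2 ] && [ "$patch" -lt 1 ] && return 0   # 9.2.0
    return 1
}

# conf_directory FILE
# Print the path from the first  directory "...";  statement in a named.conf,
# so the migrated file can be checked against the new /usr/local/bind921 prefix.
conf_directory() {
    sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | sed -n '1p'
}

# Demo on constructed inputs: version strings as `named -v` prints them,
# and a constructed named.conf fragment written to a temporary file.
for v in "BIND 9.2.0" "BIND 9.1.3" "BIND 9.2.1" "BIND 8.3.1"; do
    if bind_affected "$v"; then echo "$v: affected, upgrade to 9.2.1"
    else echo "$v: not affected"; fi
done
tmp=$(mktemp)
printf 'options {\n    directory "/usr/local/bind921/var/named";\n};\n' > "$tmp"
echo "named.conf directory: $(conf_directory "$tmp")"
rm -f "$tmp"
```

Run `bind_affected "$(named -v)"` on the upgraded host; a non-zero result confirms the new build, and a directory still under /var/named means the named.conf edit above was missed.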