installing bind8 from portsOver the past two months, there have been two security issues regarding bind. If you didn’t upgrade for the first notice, then the recent worm threat should have prompted you to get moving. Back in January, when the initial bind security notice was issued, some talk was made of how best to upgrade with minimal effect. Some preferred downloaded the source code and installing. I preferred the port.
The main problem with the port was that it installed to a different location than bind which was included with the base system. This is a normal. And expected. However, there is an easy way around this using flags passed to make.
The basis for this article is a message I posted to the FreeBSD Security mailing list back in January.
The installI think the best way to do this, if you are upgrading, is to perform the following steps:
It is important to know that the options used for building must be the same options used for installing. If you do a make, then a make install, please ensure that you use the same options on both commands. You will see this being done for the build and the install below.
1. buildSince I have the entire ports tree installed, all I needed to do was:
# cd /usr/ports/net/bind8 # make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \ DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin \ DESTHELP=/usr/share/misc
2. killFirst, I killed the existing named:
# killall -QUIT named
3. removeIf you already have installed bind from ports, you will have to remove it before you install. Here’s how to find out if you already have it installed
# pkg_info | grep bind
bind-8.2.3 The Berkeley Internet Name Daemon, an implementation of DNS
If you don’t have bind already install via a package or port (i.e. the above grep show nothing), you can omit this step.
Now we delete that:
# pkg_delete bind-8.2.3
4. installIt is important to know that the options used for building must be the same options used for installing. If you do a make, then a make install, please ensure that you use the same options on both commands. For the install, I did this:
# cd /usr/ports/net/bind8 # make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb \ DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin \ DESTHELP=/usr/share/misc install
5. checkYou should check that you have the correct version installed:
# /usr/sbin/named -v
named 8.2.3-REL Mon Mar 12 22:43:17 NZDT 2001
As at the time of writing, this was the latest and greatest version of bind8. You could install bind9, but for me, that’s not an option right now. Perhaps one day…
6. startbind can be started automagically using configuration settings within
/etc/rc.conf. You can view the default settings with the following command:
# grep named /etc/defaults/rc.conf
Do not modify
/etc/defaults/rc.conf. These are the default settings
and used as examples for /etc/rc.conf. Make all your changes to /etc/rc.conf.
Here are the settings I use in my /etc/rc.conf file:
named_flags="-u bind -g bind"
Here’s how you can start bind using the above settings:
# /usr/sbin/named -u bind -g bind
7. recheckChecking the logs I found this:
starting (/etc/namedb/named.conf). named 8.2.3-REL Mon Mar 12 22:43:17 NZDT 2001 email@example.com:/usr/obj/usr/src/usr.sbin/named limit files set to fdlimit (1024) Ready to answer queries.
That is the version of bind I was expecting.
Repeat as necessaryThere’s one great thing about a port. After it’s installed, it looks just like a package. In fact there’s no difference between an installed port and an installed packaged (see also Ports or Packages?).
If you have ten DNS servers to update, you don’t have to download the source to each box. You can make a package. And ftp that to each box and then install the package. For example, you could do this:
cd /usr/ports/net/bind8 make PREFIX=/usr PIDDIR=/var/run DESTETC=/etc/namedb DESTEXEC=/usr/libexec DESTRUN=/var/run DESTSBIN=/usr/sbin DESTHELP=/usr/share/misc package
A final noteOne vital aspect of security is paying attention. And acting when necessary. One thing you should pay attention to is security advisories. If you have not already done, I urge you to subscribe to the FreeBSD Security mailing list. All security notifications are sent to this list.
When you get a notification, you should decide whether or not it applies to you. Not all notices will apply to everyone (perhaps you don’t have that software installed; perhaps you have already upgraded and you already have the patches). It usually takes a half hour or so to patch a single box. Security notices are not issued lightly. They are real risks which need to be dealt with. Taking the time now to upgrade might save you hours later if someone does break into your system.
A final note: it’s not such much the damage that an intruder might do. That’s usually pretty obvious. It’s what you don’t see that you should worry about. After any intrusion, you cannot trust the system. A back door may be present. Some people feel that the only real way to secure a box after an intrusion is to reinstall. It’s easier to patch. Do it now.