Attachment #182757 for bug #219421

View | Details | Raw Unified | Return to bug 219421
Collapse All | Expand All




      <title>High-Level Administrative Tools in the &os; Ports
	Collection</title>

	<para>Manually creating and managing jails can quickly become
	tedious and error-prone.  The ports collection contains some
	utilities designed to simplify jail management.

	Their listing here doesn't imply an recommendation or
	endorsement.  Nothing more than a list of the different names
	of jail utilities in the ports sysutils category that you may
	want to review.</para>

	<programlisting>bsdploy, cbsd, ezjail, iocage, iocell, jail-primer, jailadmin, qjail, warden</programlisting>
    </sect2>

    <sect2 xml:id="jails-updating">

      it provides a simple way to add, remove, and upgrade
      jails.</para>

    <note>
      <para>Simpler solutions exist, such as
	<application>ezjail</application>, which provides an easier
	method of administering &os; jails but is less versatile than
	this setup.  <application>ezjail</application> is covered in
	more detail in <xref linkend="jails-ezjail"/>.</para>
    </note>

    <para>The goals of the setup described in this section are:</para>

    <itemizedlist>

    </sect2>
  </sect1>

  <sect1 xml:id="jails-ezjail">
    <info>
      <title>Managing Jails with
	<application>ezjail</application></title>

      <authorgroup>
	<author>
	  <personname>
	    <firstname>Warren</firstname>
	    <surname>Block</surname>
	  </personname><contrib>Originally contributed by </contrib>
	</author>
      </authorgroup>
    </info>

    <para>Creating and managing multiple jails can quickly become
      tedious and error-prone.  Dirk Engling's
      <application>ezjail</application> automates and greatly
      simplifies many jail tasks.  A <emphasis>basejail</emphasis> is
      created as a template.  Additional jails use
      &man.mount.nullfs.8; to share many of the basejail directories
      without using additional disk space.  Each additional jail takes
      only a few megabytes of disk space before applications are
      installed.  Upgrading the copy of the userland in the basejail
      automatically upgrades all of the other jails.</para>

    <para>Additional benefits and features are described in detail on
      the <application>ezjail</application> web site, <link
	xlink:href="https://erdgeist.org/arts/software/ezjail/"></link>.</para>

    <sect2 xml:id="jails-ezjail-install">
      <title>Installing <application>ezjail</application></title>

      <para>Installing <application>ezjail</application> consists of
	adding a loopback interface for use in jails, installing the
	port or package, and enabling the service.</para>

      <procedure xml:id="jails-ezjail-install-procedure">
	<step>
	  <para>To keep jail loopback traffic off the host's loopback
	    network interface <literal>lo0</literal>, a second
	    loopback interface is created by adding an entry to
	    <filename>/etc/rc.conf</filename>:</para>

	  <programlisting>cloned_interfaces="lo1"</programlisting>

	  <para>The second loopback interface <literal>lo1</literal>
	    will be created when the system starts.  It can also be
	    created manually without a restart:</para>

	  <screen>&prompt.root; <userinput>service netif cloneup</userinput>
Created clone interfaces: lo1.</screen>

	  <para>Jails can be allowed to use aliases of this secondary
	    loopback interface without interfering with the
	    host.</para>

	  <para>Inside a jail, access to the loopback address
	    <systemitem class="ipaddress">127.0.0.1</systemitem> is
	    redirected to the first <acronym>IP</acronym> address
	    assigned to the jail.  To make the jail loopback
	    correspond with the new <literal>lo1</literal> interface,
	    that interface must be specified first in the list of
	    interfaces and <acronym>IP</acronym> addresses given when
	    creating a new jail.</para>

	  <para>Give each jail a unique loopback address in the
	    <systemitem
	      class="ipaddress">127.0.0.0</systemitem><systemitem
	      class="netmask">/8</systemitem> netblock.</para>
	</step>

	<step>
	  <para>Install
	    <package role="port">sysutils/ezjail</package>:</para>

	  <screen>&prompt.root; <userinput>cd /usr/ports/sysutils/ezjail</userinput>
&prompt.root; <userinput>make install clean</userinput></screen>
	</step>

	<step>
	  <para>Enable <application>ezjail</application> by adding
	    this line to <filename>/etc/rc.conf</filename>:</para>

	  <programlisting>ezjail_enable="YES"</programlisting>
	</step>

	<step>
	  <para>The service will automatically start on system boot.
	    It can be started immediately for the current
	    session:</para>

	  <screen>&prompt.root; <userinput>service ezjail start</userinput></screen>
	</step>
      </procedure>
    </sect2>

    <sect2 xml:id="jails-ezjail-initialsetup">
      <title>Initial Setup</title>

      <para>With <application>ezjail</application> installed, the
	basejail directory structure can be created and populated.
	This step is only needed once on the jail host
	computer.</para>

      <para>In both of these examples, <option>-p</option> causes the
	ports tree to be retrieved with &man.portsnap.8; into the
	basejail.  That single copy of the ports directory will be
	shared by all the jails.  Using a separate copy of the ports
	directory for jails isolates them from the host.  The
	<application>ezjail</application> <acronym>FAQ</acronym>
	explains in more detail: <link
	  xlink:href="http://erdgeist.org/arts/software/ezjail/#FAQ"></link>.</para>

      <procedure xml:id="jails-ezjail-initialsetup-procedure">
	<step>
	  <stepalternatives>
	    <step>
	      <title>To Populate the Jail with &os;-RELEASE</title>

	      <para>For a basejail based on the &os; RELEASE matching
		that of the host computer, use
		<command>install</command>.  For example, on a host
		computer running &os;&nbsp;10-STABLE, the latest
		RELEASE version of &os;&nbsp;-10 will be installed in
		the jail):</para>

	      <screen>&prompt.root; <userinput>ezjail-admin install -p</userinput></screen>
	    </step>

	    <step>
	      <title>To Populate the Jail with
		<command>installworld</command></title>

	      <para>The basejail can be installed from binaries
		created by <buildtarget>buildworld</buildtarget> on
		the host with
		<command>ezjail-admin update</command>.</para>

	      <para>In this example, &os;&nbsp;10-STABLE has been
		built from source.  The jail directories are created.
		Then <buildtarget>installworld</buildtarget> is
		executed, installing the host's
		<filename>/usr/obj</filename> into the
		basejail.</para>

	      <screen>&prompt.root; <userinput>ezjail-admin update -i -p</userinput></screen>

	      <para>The host's <filename>/usr/src</filename> is used
		by default.  A different source directory on the host
		can be specified with <option>-s</option> and a path,
		or set with <varname>ezjail_sourcetree</varname> in
		<filename>/usr/local/etc/ezjail.conf</filename>.</para>
	    </step>
	  </stepalternatives>
	</step>
      </procedure>

      <tip>
	<para>The basejail's ports tree is shared by other jails.
	  However, downloaded distfiles are stored in the jail that
	  downloaded them.  By default, these files are stored in
	  <filename>/var/ports/distfiles</filename> within each
	  jail.  <filename>/var/ports</filename> inside each jail is
	  also used as a work directory when building ports.</para>
      </tip>

      <tip>
	<para>The <acronym>FTP</acronym> protocol is used by default
	  to download packages for the installation of the basejail.
	  Firewall or proxy configurations can prevent or interfere
	  with <acronym>FTP</acronym> transfers.  The
	  <acronym>HTTP</acronym> protocol works differently and
	  avoids these problems.  It can be chosen by specifying a
	  full <acronym>URL</acronym> for a particular download mirror
	  in <filename>/usr/local/etc/ezjail.conf</filename>:</para>

	<programlisting>ezjail_ftphost=http://<replaceable>ftp.FreeBSD.org</replaceable></programlisting>

	<para>See <xref linkend="mirrors-ftp"/> for a list of
	  sites.</para>
      </tip>
    </sect2>

    <sect2 xml:id="jails-ezjail-create">
      <title>Creating and Starting a New Jail</title>

      <para>New jails are created with
	<command>ezjail-admin create</command>.  In these examples,
	the <literal>lo1</literal> loopback interface is used as
	described above.</para>

      <procedure xml:id="jails-ezjail-create-steps">
	<title>Create and Start a New Jail</title>

	<step>
	  <para>Create the jail, specifying a name and the loopback
	    and network interfaces to use, along with their
	    <acronym>IP</acronym> addresses.  In this example, the
	    jail is named <literal>dnsjail</literal>.</para>

	  <screen>&prompt.root; <userinput>ezjail-admin create <replaceable>dnsjail</replaceable> '<replaceable>lo1|127.0.1.1</replaceable>,<replaceable>em0</replaceable>|<replaceable>192.168.1.50</replaceable>'</userinput></screen>

	  <tip xml:id="jails-ezjail-raw-network-sockets">
	    <para>Most network services run in jails without
	      problems.  A few network services, most notably
	      &man.ping.8;, use
	      <emphasis>raw network sockets</emphasis>.  In jails, raw
	      network sockets are disabled by default for security.
	      Services that require them will not work.</para>

	    <para>Occasionally, a jail genuinely needs raw sockets.
	      For example, network monitoring applications often use
	      &man.ping.8; to check the availability of other
	      computers.  When raw network sockets are actually needed
	      in a jail, they can be enabled by editing the
	      <application>ezjail</application>
	      configuration file for the individual jail,
	      <filename>/usr/local/etc/ezjail/<replaceable>jailname</replaceable></filename>.
	      Modify the <literal>parameters</literal>
	      entry:</para>

	    <programlisting>export jail_<replaceable>jailname</replaceable>_parameters="allow.raw_sockets=1"</programlisting>

	    <para>Do not enable raw network sockets unless services in
	      the jail actually require them.</para>
	  </tip>
	</step>

	<step>
	  <para>Start the jail:</para>

	  <screen>&prompt.root; <userinput>ezjail-admin start <replaceable>dnsjail</replaceable></userinput></screen>
	</step>

	<step>
	  <para>Use a console on the jail:</para>

	  <screen>&prompt.root; <userinput>ezjail-admin console <replaceable>dnsjail</replaceable></userinput></screen>
	</step>
      </procedure>

      <para>The jail is operating and additional configuration can be
	completed.  Typical settings added at this point
	include:</para>

      <procedure>
	<step>
	  <title>Set the
	    <systemitem class="username">root</systemitem>
	    Password</title>

	  <para>Connect to the jail and set the
	    <systemitem class="username">root</systemitem> user's
	    password:</para>

	  <screen>&prompt.root; <userinput>ezjail-admin console <replaceable>dnsjail</replaceable></userinput>
&prompt.root; <userinput>passwd</userinput>
Changing local password for root
New Password:
Retype New Password:</screen>
	</step>

	<step>
	  <title>Time Zone Configuration</title>

	  <para>The jail's time zone can be set with &man.tzsetup.8;.
	    To avoid spurious error messages, the &man.adjkerntz.8;
	    entry in <filename>/etc/crontab</filename> can be
	    commented or removed.  This job attempts to update the
	    computer's hardware clock with time zone changes, but
	    jails are not allowed to access that hardware.</para>
	</step>

	<step>
	  <title><acronym>DNS</acronym> Servers</title>

	  <para>Enter domain name server lines in
	    <filename>/etc/resolv.conf</filename> so
	    <acronym>DNS</acronym> works in the jail.</para>
	</step>

	<step>
	  <title>Edit <filename>/etc/hosts</filename></title>

	  <para>Change the address and add the jail name to the
	    <literal>localhost</literal> entries in
	    <filename>/etc/hosts</filename>.</para>
	</step>

	<step>
	  <title>Configure <filename>/etc/rc.conf</filename></title>

	  <para>Enter configuration settings in
	    <filename>/etc/rc.conf</filename>.  This is much like
	    configuring a full computer.  The host name and
	    <acronym>IP</acronym> address are not set here.  Those
	    values are already provided by the jail
	    configuration.</para>
	</step>
      </procedure>

      <para>With the jail configured, the applications for which the
	jail was created can be installed.</para>

      <tip>
	<para>Some ports must be built with special options to be used
	  in a jail.  For example, both of the network monitoring
	  plugin packages
	  <package role="port">net-mgmt/nagios-plugins</package> and
	  <package role="port">net-mgmt/monitoring-plugins</package>
	  have a <literal>JAIL</literal> option which must be enabled
	  for them to work correctly inside a jail.</para>
      </tip>
    </sect2>

    <sect2 xml:id="jails-ezjail-update">
      <title>Updating Jails</title>

      <sect3 xml:id="jails-ezjail-update-os">
	<title>Updating the Operating System</title>

	<para>Because the basejail's copy of the userland is shared by
	  the other jails, updating the basejail automatically updates
	  all of the other jails.  Either source or binary updates can
	  be used.</para>

	<para>To build the world from source on the host, then
	  install it in the basejail, use:</para>

	<screen>&prompt.root; <userinput>ezjail-admin update -b</userinput></screen>

	<para>If the world has already been compiled on the host,
	  install it in the basejail with:</para>

	<screen>&prompt.root; <userinput>ezjail-admin update -i</userinput></screen>

	<para>Binary updates use &man.freebsd-update.8;.  These
	  updates have the same limitations as if
	  &man.freebsd-update.8; were being run directly.  The most
	  important one is that only -RELEASE versions of &os; are
	  available with this method.</para>

	<para>Update the basejail to the latest patched release of
	  the version of &os; on the host.  For example, updating from
	  RELEASE-p1 to RELEASE-p2.</para>

	<screen>&prompt.root; <userinput>ezjail-admin update -u</userinput></screen>

	<para>To upgrade the basejail to a new version, first
	  upgrade the host system as described in <xref
	    linkend="freebsdupdate-upgrade" />.  Once the host has
	  been upgraded and rebooted, the basejail can then be
	  upgraded.  &man.freebsd-update.8; has no way of determining
	  which version is currently installed in the basejail, so the
	  original version must be specified.  Use &man.file.1; to
	  determine the original version in the basejail:</para>

	<screen>&prompt.root; <userinput>file /usr/jails/basejail/bin/sh</userinput>
/usr/jails/basejail/bin/sh: ELF 64-bit LSB executable, x86-64, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 9.3, stripped</screen>

	<para>Now use this information to perform the upgrade from
	  <literal>9.3-RELEASE</literal> to the current version of
	  the host system:</para>

	<screen>&prompt.root; <userinput>ezjail-admin update -U -s <replaceable>9.3-RELEASE</replaceable></userinput></screen>

	<para>After updating the basejail, &man.mergemaster.8; must
	  be run to update each jail's configuration files.</para>

	<para>How to use &man.mergemaster.8; depends on the purpose
	  and trustworthiness of a jail.  If a jail's services or
	  users are not trusted, then &man.mergemaster.8; should only
	  be run from within that jail:</para>

	<example xml:id="jails-ezjail-update-mergemaster-untrusted">
	  <title>&man.mergemaster.8; on Untrusted Jail</title>

	  <para>Delete the link from the jail's
	    <filename>/usr/src</filename> into the basejail and
	    create a new <filename>/usr/src</filename> in the jail
	    as a mountpoint.  Mount the host computer's
	    <filename>/usr/src</filename> read-only on the jail's
	    new <filename>/usr/src</filename> mountpoint:</para>

	  <screen>&prompt.root; <userinput>rm /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput>
&prompt.root; <userinput>mkdir /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput>
&prompt.root; <userinput>mount -t nullfs -o ro /usr/src /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput></screen>

	  <para>Get a console in the jail:</para>

	  <screen>&prompt.root; <userinput>ezjail-admin console <replaceable>jailname</replaceable></userinput></screen>

	  <para>Inside the jail, run <command>mergemaster</command>.
	    Then exit the jail console:</para>

	  <screen>&prompt.root; <userinput>cd /usr/src</userinput>
&prompt.root; <userinput>mergemaster -U</userinput>
&prompt.root; <userinput>exit</userinput></screen>

	  <para>Finally, unmount the jail's
	    <filename>/usr/src</filename>:</para>

	  <screen>&prompt.root; <userinput>umount /usr/jails/<replaceable>jailname</replaceable>/usr/src</userinput></screen>
	</example>

	<example xml:id="jails-ezjail-update-mergemaster-trusted">

	  <title>&man.mergemaster.8; on Trusted Jail</title>

	  <para>If the users and services in a jail are trusted,
	    &man.mergemaster.8; can be run from the host:</para>

	  <screen>&prompt.root; <userinput>mergemaster -U -D /usr/jails/<replaceable>jailname</replaceable></userinput></screen>
	</example>
      </sect3>

      <sect3 xml:id="jails-ezjail-update-ports">
	<title>Updating Ports</title>

	<para>The ports tree in the basejail is shared by the other
	  jails.  Updating that copy of the ports tree gives the other
	  jails the updated version also.</para>

	<para>The basejail ports tree is updated with
	  &man.portsnap.8;:</para>

	<screen>&prompt.root; <userinput>ezjail-admin update -P</userinput></screen>
      </sect3>
    </sect2>

    <sect2 xml:id="jails-ezjail-control">
      <title>Controlling Jails</title>

      <sect3 xml:id="jails-ezjail-control-stop-start">
	<title>Stopping and Starting Jails</title>

	<para><application>ezjail</application> automatically starts
	  jails when the computer is started.  Jails can be manually
	  stopped and restarted with <command>stop</command> and
	  <command>start</command>:</para>

	<screen>&prompt.root; <userinput>ezjail-admin stop <replaceable>sambajail</replaceable></userinput>
Stopping jails: sambajail.</screen>

	<para>By default, jails are started automatically when the
	  host computer starts.  Autostarting can be disabled
	  with <command>config</command>:</para>

	<screen>&prompt.root; <userinput>ezjail-admin config -r norun <replaceable>seldomjail</replaceable></userinput></screen>

	<para>This takes effect the next time the host computer is
	  started.  A jail that is already running will not be
	  stopped.</para>

	<para>Enabling autostart is very similar:</para>

	<screen>&prompt.root; <userinput>ezjail-admin config -r run <replaceable>oftenjail</replaceable></userinput></screen>
      </sect3>

      <sect3 xml:id="jails-ezjail-control-backup">
	<title>Archiving and Restoring Jails</title>

	<para>Use <command>archive</command> to create a
	  <filename>.tar.gz</filename> archive of a jail.  The file
	  name is composed from the name of the jail and the current
	  date.  Archive files are written to the archive directory,
	  <filename>/usr/jails/ezjail_archives</filename>.  A
	  different archive directory can be chosen by setting
	  <varname>ezjail_archivedir</varname> in the configuration
	  file.</para>

	<para>The archive file can be copied elsewhere as a backup, or
	  an existing jail can be restored from it with
	  <command>restore</command>.  A new jail can be created from
	  the archive, providing a convenient way to clone existing
	  jails.</para>

	<para>Stop and archive a jail named
	  <literal>wwwserver</literal>:</para>

	<screen>&prompt.root; <userinput>ezjail-admin stop <replaceable>wwwserver</replaceable></userinput>
Stopping jails: wwwserver.
&prompt.root; <userinput>ezjail-admin archive <replaceable>wwwserver</replaceable></userinput>
&prompt.root; <userinput>ls /usr/jails/ezjail-archives/</userinput>
wwwserver-201407271153.13.tar.gz</screen>

	<para>Create a new jail named
	  <literal>wwwserver-clone</literal> from the archive created
	  in the previous step.  Use the <filename>em1</filename>
	  interface and assign a new <acronym>IP</acronym> address to
	  avoid conflict with the original:</para>

	<screen>&prompt.root; <userinput>ezjail-admin create -a /usr/jails/ezjail_archives/wwwserver-201407271153.13.tar.gz <replaceable>wwwserver-clone</replaceable> 'lo1|127.0.3.1,em1|192.168.1.51'</userinput></screen>
      </sect3>
    </sect2>

    <sect2 xml:id="jails-ezjail-example-bind">
      <title>Full Example: <application>BIND</application> in a
	Jail</title>

      <para>Putting the <application>BIND</application>
	<acronym>DNS</acronym> server in a jail improves security by
	isolating it.  This example creates a simple caching-only name
	server.</para>

      <itemizedlist xml:id="jails-ezjail-example-bind-assumptions">
	<listitem>
	  <para>The jail will be called
	    <literal>dns1</literal>.</para>
	</listitem>

	<listitem>
	  <para>The jail will use <acronym>IP</acronym> address
	    <literal>192.168.1.240</literal> on the host's
	    <literal>re0</literal> interface.</para>
	</listitem>

	<listitem>
	  <para>The upstream <acronym>ISP</acronym>'s DNS servers are
	    at <literal>10.0.0.62</literal> and
	    <literal>10.0.0.61</literal>.</para>
	</listitem>

	<listitem>
	  <para>The basejail has already been created and a ports tree
	    installed as shown in
	    <xref linkend="jails-ezjail-initialsetup"/>.</para>
	</listitem>
      </itemizedlist>

      <example xml:id="jails-ezjail-example-bind-steps">
	<title>Running BIND in a Jail</title>

	<para>Create a cloned loopback interface by adding a line to
	  <filename>/etc/rc.conf</filename>:</para>

	<programlisting>cloned_interfaces="lo1"</programlisting>

	<para>Immediately create the new loopback interface:</para>

	<screen>&prompt.root; <userinput>service netif cloneup</userinput>
Created clone interfaces: lo1.</screen>

	<para>Create the jail:</para>

	<screen>&prompt.root; <userinput>ezjail-admin create dns1 'lo1|127.0.2.1,re0|192.168.1.240'</userinput></screen>

	<para>Start the jail, connect to a console running on it, and
	  perform some basic configuration:</para>

	<screen>&prompt.root; <userinput>ezjail-admin start dns1</userinput>
&prompt.root; <userinput>ezjail-admin console dns1</userinput>
&prompt.root; <userinput>passwd</userinput>
Changing local password for root
New Password:
Retype New Password:
&prompt.root; <userinput>tzsetup</userinput>
&prompt.root; <userinput>sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab</userinput>
&prompt.root; <userinput>sed -i .bak -e 's/127.0.0.1/127.0.2.1/g; s/localhost.my.domain/dns1.my.domain dns1/' /etc/hosts</userinput></screen>

	<para>Temporarily set the upstream <acronym>DNS</acronym>
	  servers in <filename>/etc/resolv.conf</filename> so ports
	  can be downloaded:</para>

	<programlisting>nameserver 10.0.0.62
nameserver 10.0.0.61</programlisting>

	<para>Still using the jail console, install
	  <package role="port">dns/bind99</package>.</para>

	<screen>&prompt.root; <userinput>make -C /usr/ports/dns/bind99 install clean</userinput></screen>

	<para>Configure the name server by editing
	  <filename>/usr/local/etc/namedb/named.conf</filename>.</para>

	<para>Create an Access Control List (<acronym>ACL</acronym>)
	  of addresses and networks that are permitted to send
	  <acronym>DNS</acronym> queries to this name server.  This
	  section is added just before the <literal>options</literal>
	  section already in the file:</para>

	<programlisting>...
// or cause huge amounts of useless Internet traffic.

acl "trusted" {
	192.168.1.0/24;
	localhost;
	localnets;
};

options {
...</programlisting>

	<para>Use the jail <acronym>IP</acronym> address in the
	  <literal>listen-on</literal> setting to accept
	  <acronym>DNS</acronym> queries from other computers on the
	  network:</para>

	<programlisting>	listen-on	{ 192.168.1.240; };</programlisting>

	<para>A simple caching-only <acronym>DNS</acronym> name server
	  is created by changing the <literal>forwarders</literal>
	  section.  The original file contains:</para>

	<programlisting>/*
	forwarders {
		127.0.0.1;
	};
*/</programlisting>

	<para>Uncomment the section by removing the
	  <literal>/*</literal> and <literal>*/</literal> lines.
	  Enter the <acronym>IP</acronym> addresses of the upstream
	  <acronym>DNS</acronym> servers.  Immediately after the
	  <literal>forwarders</literal> section, add references to the
	  <literal>trusted</literal> <acronym>ACL</acronym> defined
	  earlier:</para>

	<programlisting>	forwarders {
		10.0.0.62;
		10.0.0.61;
	};

	allow-query       { any; };
	allow-recursion   { trusted; };
	allow-query-cache { trusted; };</programlisting>

	<para>Enable the service in
	  <filename>/etc/rc.conf</filename>:</para>

	<programlisting>named_enable="YES"</programlisting>

	<para>Start and test the name server:</para>

	<screen>&prompt.root; <userinput>service named start</userinput>
wrote key file "/usr/local/etc/namedb/rndc.key"
Starting named.
&prompt.root; <userinput>/usr/local/bin/dig @192.168.1.240 freebsd.org</userinput></screen>

	<para>A response that includes</para>

	<screen>;; Got answer;</screen>

	<para>shows that the new <acronym>DNS</acronym> server is
	  working.  A long delay followed by a response
	  including</para>

	<screen>;; connection timed out; no servers could be reached</screen>

	<para>shows a problem.  Check the configuration settings and
	  make sure any local firewalls allow the new
	  <acronym>DNS</acronym> access to the upstream
	  <acronym>DNS</acronym> servers.</para>

	<para>The new <acronym>DNS</acronym> server can use itself for
	  local name resolution, just like other local computers.  Set
	  the address of the <acronym>DNS</acronym> server in the
	  client computer's
	  <filename>/etc/resolv.conf</filename>:</para>

	<programlisting>nameserver 192.168.1.240</programlisting>

	<para>A local <acronym>DHCP</acronym> server can be configured
	  to provide this address for a local <acronym>DNS</acronym>
	  server, providing automatic configuration on
	  <acronym>DHCP</acronym> clients.</para>
      </example>
    </sect2>
  </sect1>
</chapter>

Return to bug 219421