
Completely disable BIND?

Discussion in 'Plesk 10.x for Linux Issues, Fixes, How-To' started by cmadams, Dec 14, 2011.

  1. cmadams

    cmadams Guest

    Is there a way to completely turn off BIND in Plesk (10.4.4 on RHEL 6)? I don't want it running at all. I'm not using Plesk to manage DNS for my domains (we have dedicated DNS servers and a version control system for zone management). I don't want an unused service (especially BIND, given its security history) listening on network ports. I'd also like to set up Unbound as a local caching resolver (I trust it a lot more than BIND), just listening on localhost, but BIND grabs port 53 (on all IPs).

    Doing a "chkconfig named off" doesn't help, as the "psa" service manually starts BIND.

    There are several "hacks" I could use to short-circuit Plesk's attempts to start BIND, but I'd prefer to see an "official" way to configure Plesk (rather than hack around behind its back).
     
  2. IgorG

    IgorG Forums Analyst Staff Member

    49
    24%
    Joined:
    Oct 27, 2009
    Messages:
    24,556
    Likes Received:
    1,241
    Location:
    Novosibirsk, Russia
  3. cmadams

    cmadams Guest

    That doesn't actually stop the BIND service though. It stops Plesk from configuring zones for hosted domains (although Plesk still creates a bogus reverse zone for the server's install IP, which is part of why I don't want to use the Plesk-configured BIND for recursive DNS), but the Plesk startup script (/etc/init.d/psa) always starts BIND (service named).
     
  4. IgorG

    IgorG Forums Analyst Staff Member

    Not sure that you can completely disable BIND for Plesk because BIND is tightly integrated into Plesk as an important part of Plesk behaviour.
    You can just firewall the BIND port for security reasons, as you want.
     
  5. cmadams

    cmadams Guest

    Firewalling it means a bloated service with a poor security history is always running, and that I can't start a different local resolver (because port 53 is already taken). There's nothing in Plesk that requires BIND to be running (it is relatively easy to hack around Plesk's forced starting of BIND and run without it). I can't use the Plesk-configured BIND as a local resolver because Plesk configures a bogus reverse zone for the initial install IP that I don't see any way to configure.
     
  6. paulieG

    paulieG Regular Pleskian

    25
     
    Joined:
    Mar 5, 2009
    Messages:
    164
    Likes Received:
    0
    Location:
    Lancaster
    Hi cmadams,

    I realise this isn't what you wanted, but I thought I'd tell you what we do :)

    On our VPSes where we don't want to run bind we switch it off in chkconfig / watchdog (which I don't trust to keep it off tbh) and we edit the /etc/init.d/psa file apparently with this command:

    sed -i 's/named_service="named"/named_service=""/' /etc/init.d/psa

    Though of course if Plesk overwrites the file it needs doing again etc etc

    We've been doing this for several months, but thinking on it I haven't checked to see whether bind is staying off or not :( . I'll add that to my todo list...

    Paul.
     
  7. cmadams

    cmadams Guest

    Well, to share my work-around (should work on RHEL/Fedora/similar systems):

    - The psa init script checks for /var/lock/subsys/named (the standard init-script "I'm running" flag file), so I created the following init script as /etc/init.d/fake-named (mode 0755):

    Then do "chkconfig --add fake-named" and "chkconfig fake-named on". The psa init script will now always think BIND is running and not attempt to start it.

    - As a safety-check beyond that, the named init script always sources /etc/sysconfig/named to get additional config, so I added an "exit 0" to the end (so the init script always exits before doing anything).
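
The script body did not survive in the post above. As an added example (not cmadams's original script), a placeholder init script of the kind described could look like the following; the chkconfig priorities and the `LOCKFILE` environment override are assumptions made here.

```shell
#!/bin/sh
# fake-named: placeholder init script (added example, not from the thread).
# chkconfig: 2345 13 87
# description: Holds the named subsys lock so the psa init script skips BIND.
#
# The 13/87 priorities are an assumption; the start priority only has to be
# lower than the psa service's so that this script runs first.

# Flag file the psa init script checks (path taken from the post). It can be
# overridden through the environment to exercise the script in a scratch dir.
LOCKFILE="${LOCKFILE:-/var/lock/subsys/named}"

fake_named() {
    case "$1" in
        start)
            # Create the "I'm running" flag without starting any daemon.
            touch "$LOCKFILE"
            ;;
        stop)
            rm -f "$LOCKFILE"
            ;;
        restart|reload)
            rm -f "$LOCKFILE" && touch "$LOCKFILE"
            ;;
        status)
            # LSB-style status codes: 0 = "running", 3 = "not running".
            if [ -e "$LOCKFILE" ]; then
                echo "fake-named: lock present, psa will skip starting BIND"
                return 0
            fi
            echo "fake-named: lock absent"
            return 3
            ;;
        *)
            echo "Usage: fake-named {start|stop|restart|status}" >&2
            return 2
            ;;
    esac
}

# Dispatch only when called with an action, as init and "service" do.
if [ "$#" -gt 0 ]; then
    fake_named "$1"
    exit $?
fi
```

After a Plesk update, `service fake-named status` together with a check of what is listening on port 53 confirms that the lock is still in place and that BIND has stayed off.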
     