Completely disable BIND?

[cmadams]

Is there a way to completely turn off BIND in Plesk (10.4.4 on RHEL 6)? I don't want it running at all. I'm not using Plesk to manage DNS for my domains (we have dedicated DNS servers and a version control system for zone management). I don't want an unused service (especially BIND, given its security history) listening on network ports. I'd also like to set up Unbound as a local caching resolver (I trust it a lot more than BIND), just listening on localhost, but BIND grabs port 53 (on all IPs).

Doing a "chkconfig named off" doesn't help, as the "psa" service manually starts BIND.

There are several "hacks" I could use to short-circuit Plesk's attempts to start BIND, but I'd prefer to see an "official" way to configure Plesk (rather than hack around behind its back).

 

[IgorG]

Did you read Plesk Administration Guide?

http://download1.parallels.com/Plesk/PP10/10.4/Doc/en-US/online/plesk-administrator-guide/59440.htm

If you are using third-party DNS servers, and are not running your own DNS server, you should switch off your control panel's DNS server

 

[cmadams]

That doesn't actually stop the BIND service though. It stops Plesk from configuring zones for hosted domains (although Plesk still creates a bogus reverse zone for the server's install IP, which is part of why I don't want to use the Plesk-configured BIND for recursive DNS), but the Plesk startup script (/etc/init.d/psa) always starts BIND (service named).

 

[IgorG]

Not sure that you can completely disable BIND for Plesk because DIND is tightly integrated to Plesk as important part of Plesk behaviour.
You can just firewall BIND port for security reason as you want.

 

[cmadams]

Firewalling it means a bloated service with a poor security history is always running, and that I can't start a different local resolver (because port 53 is already taken). There's nothing in Plesk that requires BIND to be running (it is relatively easy to hack around Plesk's forced starting of BIND and run without it). I can't use the Plesk-configured BIND as a local resolver because Plesk configures a bogus reverse zone for the initial install IP that I don't see any way to configure.

 

[paulieG]

Hi cmadams,

I realise this isn't what you wanted, but I thought I'd tell you what we do

On our VPS's where we don't want to run bind we switch it off in chkconfig / watchdog (which I don't trust to keep it off tbh) and we edit the /etc/init.d/psa file apparently with this command :

sed -i 's/named_service="named"/named_service=""/' /etc/init.d/psa

Though of course if Plesk overwrites the file it needs doing again etc etc

We've been doing this for several months, but thinking on it I haven't checked to see whether bind is staying off or not . I'll add that to my todo list...

Paul.

 

[cmadams]

Well, to share my work-around (should work on RHEL/Fedora/similar systems):

- The psa init script checks for /var/lock/subsys/named (the standard init-script "I'm running" flag file), so I created the following init script as /etc/init.d/fake-named (mode 0755):

#!/bin/sh
# chkconfig: - 12 88
# description: Fake starting BIND (to keep Plesk from running it)
touch /var/lock/subsys/named
exit 0

Then do "chkconfig --add fake-named" and "chkconfig fake-named on". The psa init script will now always think BIND is running and not attempt to start it.

- As a safety-check beyond that, the named init script always sources /etc/sysconfig/named to get additional config, so I added an "exit 0" to the end (so the init script always exits before doing anything).