How to Setup Bind Chroot DNS Server on CentOS 6.3 x86_64

Share this Article :

bindBIND (the Berkeley Internet Name Domain) also known as NAMED is the most widely used DNS server in the internet. Bind DNS helps to resolve domain name to ip address and ip address to domain name. There are essentially a few reasons to running your own internet DNS Server. First, of course we need to have full control of our registered domain name and second is to improve the speed of domain lookups. This post covers the steps on how to install Bind Chroot DNS Server on CentOS 6.3 64 Bit. It will describes some extra security precautions that you can take when you install BIND. The idea of chroot is fairly simple. When you run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this post, i will setting up BIND to run chrooted to the directory /var/named/chroot/. Well, to BIND, the contents of this directory will appear to be /, the root directory. A “jail” is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and it’s purposely to enhance the security.

Where is Bind chrooted directory set ?

[[email protected] ~]# more /etc/sysconfig/named

It was by default configured to /var/named/chroot as below :

..
..
ROOTDIR=/var/named/chroot

It is assumed that you already know how to install, configure and use BIND. If not, I would recommend that you read the Bind DNS HOWTO first.

1. Install Bind-Chroot :

[[email protected] ~]# yum install bind-chroot bind -y

2. Copy all bind related files to prepare bind chrooted environments :

 
[[email protected] ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/

3. Create bind related files into chrooted directory :

[[email protected] ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[[email protected] ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[[email protected] ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[[email protected] ~]# touch /var/named/chroot/var/named/data/named.run
[[email protected] ~]# mkdir /var/named/chroot/var/named/dynamic
[[email protected] ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

4. Bind lock file should be writeable, therefore set the permission to make it writable as below :

[[email protected] ~]# chmod -R 777 /var/named/chroot/var/named/data
[[email protected] ~]# chmod -R 777 /var/named/chroot/var/named/dynamic

5. Set if you do not use IPv6 :

[[email protected] ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named

6. Configure main bind configuration in /etc/named.conf. Append the ehowstuff.local information to the file :

[[email protected] ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1;192.168.2.58; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "ehowstuff.local" {
    type master;
    file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};

include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

7. Create Forward and Reverse zone files for domain ehowstuff.local.

a) Create Forward Zone :

[[email protected] ~]# vi /var/named/chroot/var/named/ehowstuff.local.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022401      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns.ehowstuff.local.
               IN      A       192.168.2.58
               IN      MX      10 mail.ehowstuff.local.

mail            IN      A       192.168.2.58
ns              IN      A       192.168.2.58

b) Create Reverse Zone :

[[email protected] ~]# vi /var/named/chroot/var/named/192.168.2.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022402      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

2.168.192.in-addr.arpa. IN      NS      centos63.ehowstuff.local.

58.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR ns.ehowstuff.local.

8. RHEL 6 and CentOS 6 apparently no longer generates the rndc.key during installation. Instead, the key is automatically generated on the first start of named service.

Start Bind service :

[[email protected] ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

9. Configure Bind auto start at boot :

[[email protected] ~]# chkconfig --levels 235 named on

10. Verifying permissions and ownership. Created the files required inside the jail, but the matter of setting the permissions and ownership should remains.

Go to chroot/var/named/ directory :

[[email protected] ~]# cd /var/named/chroot/var/named/

Change owner as below :

[[email protected] named]# chown root:named ehowstuff.local.zone
[[email protected] named]# chown root:named 192.168.2.zone
[[email protected] named]# chown root:named my.external.zone.db
[[email protected] named]# chown root:named my.internal.zone.db
[[email protected] named]# chown root:named named.ca
[[email protected] named]# chown root:named named.localhost
[[email protected] named]# chown root:named named.loopback

Verify permissions and ownership rest of the chrooted directories :

[[email protected] ~]# ll /var/named/
total 32
drwxr-x--- 6 root  named 4096 Feb 24 13:51 chroot
drwxrwx--- 2 named named 4096 Dec  7 04:49 data
drwxrwx--- 2 named named 4096 Dec  7 04:49 dynamic
-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named 4096 Dec  7 04:49 slaves
[[email protected] ~]# ll /var/named/chroot/
total 16
drwxr-x--- 2 root named 4096 Feb 24 13:51 dev
drwxr-x--- 4 root named 4096 Feb 24 14:40 etc
drwxr-x--- 3 root named 4096 Feb 24 13:51 usr
drwxr-x--- 6 root named 4096 Feb 24 13:51 var
[[email protected] ~]# ll /var/named/chroot/etc
total 32
-rw-r--r-- 1 root root   372 Feb 20 06:51 localtime
drwxr-x--- 2 root named 4096 Dec  7 04:49 named
-rw-r--r-- 1 root named 1201 Feb 24 14:16 named.conf
-rw-r--r-- 1 root named 2389 Dec  7 04:49 named.iscdlv.key
-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones
-rw-r--r-- 1 root named  487 Jul 19  2010 named.root.key
drwxr-x--- 3 root named 4096 Feb 24 13:51 pki
-rw-r----- 1 root named   77 Feb 24 14:00 rndc.key
[[email protected] ~]# ll /var/named/chroot/var/named/
total 44
-rw-r-xr-x 1 root  named  551 Feb 24 15:28 192.168.2.zone
drwxrwxrwx 2 named named 4096 Feb 24 14:04 data
drwxrwxrwx 2 named named 4096 Feb 24 15:30 dynamic
-rw-r-xr-x 1 root  named  681 Feb 24 15:28 ehowstuff.local.zone
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.external.zone.db
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.internal.zone.db
-rw-r--r-- 1 root  named 1892 Feb 24 13:54 named.ca
-rw-r--r-- 1 root  root   152 Feb 24 13:54 named.empty
-rw-r--r-- 1 root  named  152 Feb 24 13:54 named.localhost
-rw-r--r-- 1 root  named  168 Feb 24 13:54 named.loopback
drwxr-xr-x 2 named named 4096 Feb 24 13:54 slaves

11. Test and make sure it’s working.

[[email protected] ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
[[email protected] ~]# nslookup
> set type=any
> ehowstuff.local
Server:         192.168.2.58
Address:        192.168.2.58#53

ehowstuff.local
        origin = ehowstuff.local
        mail addr = hostmaster.ehowstuff.local
        serial = 2013023401
        refresh = 43200
        retry = 3600
        expire = 3600000
        minimum = 2592000
ehowstuff.local nameserver = ns.ehowstuff.local.
Name:   ehowstuff.local
Address: 192.168.2.58
ehowstuff.local mail exchanger = 10 mail.ehowstuff.local.
>

12. If your server does not have nslookup, host or dig command, then you should install bind-utils. All this utilities are the friendly and useful utilities to test and diagnose the DNS issue.

[[email protected] ~]# yum install bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.biz.net.id
 * extras: centos.biz.net.id
 * updates: centos.biz.net.id
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                   Arch                  Version                                   Repository              Size
========================================================================================================================
Installing:
 bind-utils                x86_64                32:9.8.2-0.10.rc1.el6_3.6                 updates                182 k

Transaction Summary
========================================================================================================================
Install       1 Package(s)

Total download size: 182 k
Installed size: 438 k
Is this ok [y/N]: y
Downloading Packages:
bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64.rpm                                                     | 182 kB     00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1/1
  Verifying  : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1/1

Installed:
  bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6

Complete!

Leave a Reply