How to Install and Configure Bind Chroot DNS Server on CentOS 6.4 VPS

This article will explain the steps to install and configure the DNS Server chroot binding on CentOS 6.4 virtual private server (VPS) or dedicated server. Usually if you plan to install email server or your own web server, it is good to have your own domain name service (DNS), so that you will have full control of the domain and subdomain. BIND (the Berkeley Internet Name Domain) also known as NAMED is the most widely used DNS server in the internet. Bind DNS helps to resolve domain name to ip address and ip address to domain name. Beside having full control of our registered domain name, it will also help to improve the speed of domain lookups. All these steps has been tested on CentOS 6.4 64 bit. When you run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. As an example, i will setting up BIND to run chrooted to the directory /var/named/chroot/. Well, to BIND, the contents of this directory will appear to be /, the root directory. A “jail” is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and it’s purposely to enhance the security. Bind Chroot DNS server was by default configured to /var/named/chroot.

See also  How to Verify the LDAP or slapd Process in Zimbra

1. Install Bind Chroot DNS server :

[root@centos64 ~]# yum install bind-chroot bind -y

2. Copy all bind related files to prepare bind chrooted environments :

[root@centos64 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/

3. Create bind related files into chrooted directory :

[root@centos64 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named.run
[root@centos64 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@centos64 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

4. Bind lock file should be writeable, therefore set the permission to make it writable as below :

[root@centos64 ~]# chmod -R 777 /var/named/chroot/var/named/data
[root@centos64 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic

5. Set if you do not use IPv6 :

[root@centos64 ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named

6. Copy /etc/named.conf chrooted bind config folder :

[root@centos64 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf

7.Configure main bind configuration in /etc/named.conf. Append the ehowstuff.local information to the file :

[root@centos64 ~]# vi /var/named/chroot/etc/named.conf

a. Add bind DNS IP addresses :

..
listen-on port 53 { 127.0.0.1;192.168.2.62;192.168.2.63; };
..

b. Create forward and reverse zone :

..
..
zone "ehowstuff.local" {
    type master;
    file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};
..
..

Full configuration for named.conf :

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1;192.168.2.62;192.168.2.63; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "ehowstuff.local" {
    type master;
    file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

8. Create Forward and Reverse zone files for domain ehowstuff.local.

See also  How to Install "man" Command on Linux CentOS 6.2

a) Create Forward Zone :

[root@centos64 ~]# vi /var/named/chroot/var/named/ehowstuff.local.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013042201      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns1.ehowstuff.local.
               IN      NS      ns2.ehowstuff.local.
               IN      A       192.168.2.62
               IN      MX      10 mail.ehowstuff.local.

centos64           IN      A       192.168.2.62
mail            IN      A       192.168.2.62
ns1              IN      A       192.168.2.62
ns2              IN      A       192.168.2.63

b) Create Reverse Zone :

[root@centos64 ~]# vi /var/named/chroot/var/named/192.168.2.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013042201      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

2.168.192.in-addr.arpa. IN      NS      centos64.ehowstuff.local.

62.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.
62.2.168.192.in-addr.arpa. IN PTR ns1.ehowstuff.local.
63.2.168.192.in-addr.arpa. IN PTR ns2.ehowstuff.local.

9. Start Bind service :

[root@centos64 ~]# /etc/init.d/named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

10. Configure Bind auto start at boot :

[root@centos64 ~]# chkconfig --levels 235 named on

11. Test and verify Bind DNS setup :
a. Test and verify using host command :

[root@centos64 ~]# host -t ns ehowstuff.local
ehowstuff.local name server ns1.ehowstuff.local.
ehowstuff.local name server ns2.ehowstuff.local.
[root@centos64 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.

b. Test and verify using nslookup command :

[root@centos64 ~]# nslookup
> set type=any
> ehowstuff.local
Server:         192.168.2.62
Address:        192.168.2.62#53

ehowstuff.local
        origin = ehowstuff.local
        mail addr = hostmaster.ehowstuff.local
        serial = 2013042201
        refresh = 43200
        retry = 3600
        expire = 3600000
        minimum = 2592000
ehowstuff.local nameserver = ns1.ehowstuff.local.
ehowstuff.local nameserver = ns2.ehowstuff.local.
Name:   ehowstuff.local
Address: 192.168.2.62
ehowstuff.local mail exchanger = 10 mail.ehowstuff.local.
> exit

c. Test and verify using dig command :

[root@centos64 ~]# dig ehowstuff.local

; < <>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 < <>> ehowstuff.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER< <- opcode: QUERY, status: NOERROR, id: 6958
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ehowstuff.local.               IN      A

;; ANSWER SECTION:
ehowstuff.local.        2592000 IN      A       192.168.2.62

;; AUTHORITY SECTION:
ehowstuff.local.        2592000 IN      NS      ns1.ehowstuff.local.
ehowstuff.local.        2592000 IN      NS      ns2.ehowstuff.local.

;; ADDITIONAL SECTION:
ns1.ehowstuff.local.    2592000 IN      A       192.168.2.62
ns2.ehowstuff.local.    2592000 IN      A       192.168.2.63

;; Query time: 1 msec
;; SERVER: 192.168.2.62#53(192.168.2.62)
;; WHEN: Wed Apr  3 00:03:40 2013
;; MSG SIZE  rcvd: 117

How to Reset the Directory Manager Password on RHEL 7 / CentOS 7
How to Reset the Directory Manager Password on RHEL 7 / CentOS 7

It is best practice to remember passwords, but because too many passwords, sometimes we forget. We are not encouraged to write the password on any paper or share the password...

How to Find Big Files Size on Linux RHEL/CentOS
How to Find Big Files Size on Linux RHEL/CentOS

As the linux administrator, sometimes we have to identify which files are most take much space in the linux server resulting in low free space. Low disk space can also...

Why Linux users should worry about malware and what they can do about it
Why Linux users should worry about malware and what they can do about it

Don’t drop your guard just because you’re running Linux. Preventing the spread of malware and/or dealing with the consequences of infection are a fact of life when using computers. If...

How to Reset Forgotten Root Password on Linux RHEL 7/CentOS 7
How to Reset Forgotten Root Password on Linux RHEL 7/CentOS 7

This article will explain the steps to reset a lost root password or to reset forgotten root password on Linux RHEL 7 or CentOS 7. Basically, the steps will adding...

How to Update CentOS or Upgrade CentOS to the Latest Version
How to Update CentOS or Upgrade CentOS to the Latest Version

Recently, the latest version of CentOS 7.3 was released. All users of CentOS 7.0, 7.1 and 7.2 can upgrade their system to the most recent. This quick guide will explain...

How to Change your WordPress Username, Nickname and Display Name in MySQL
How to Change your WordPress Username, Nickname and Display Name in MySQL

After you create an account log in WordPress, you may want to change your WordPress username, as appropriate or due to security reason. However, you can not do this from...

How to Enable SSH Root Login on Ubuntu 16.04
How to Enable SSH Root Login on Ubuntu 16.04

As what we wrote in the previous article on how to allow SSH root on Ubuntu 14.04, after installing a fresh new copy of Ubuntu 16.04 LTS, we find that...

How to Change UUID of Linux Partition on CentOS 7
How to Change UUID of Linux Partition on CentOS 7

UUID (Universally Unique IDentifier) should be unique and it is used to identify storage devices on a linux system. If you cloned a virtual machine from vCenter, the metadata containing...

6 Comments

  • Avatar for Widya Gama Widya Gama says:

    Help me please.. I have followed your instruction above carefully and completely.

    Named looks OK when I type “/etc/init.d/named start” same as shown above.

    I have also created virtual host based on tutorial on digitalocean.com.
    But my domain is still not connected with my VPS. This is the 4th failed installation and configuration I have tried.

    I’m running on centOS 6.4 64bit nginx 1 IP.
    Thank You.

    • Avatar for Widya Gama Widya Gama says:

      NB : Why are the commands “nslookup, host, dig” not working? I’m using mydomain.com as zone, not mydomain.local like your instruction above. And login as root. Are they the cause?

      • Avatar for skytech skytech says:

        In order to to use bind utilities like nslookup, host and dig, you have to install bind utilities package. Run the following command to install :

        # yum install bind-utils -y

    • Avatar for skytech skytech says:

      May i know a little bit your virtual host based configuration ? Please make sure bind dns can do query on the configured domain. I would recommend you do verification by using bind utilities tool to verify such as nslookup or dig command. Then proceed to troubleshoot on the web server (nginx) setting.. Hope this help. You may email to me admin[at]ehowstuff.com on the details, so we can do further troubleshooting..

  • Avatar for Prasad Saxena Prasad Saxena says:

    Hello,
    I have an account with servermania.com . The problem is that whenever I put the nslookup it shows me the localhost ip.
    It doesn’t show me the configured ip.
    I am running Centos 6.x X64.

  • Avatar for jm jm says:

    there are quite a few mistakes in this tutorial for example no TTL in the zone files, IN not specified after the showstuff.local zone among others. I followed this tutorial to the letter to see if it worked but got heaps of errors.

Leave a Reply

Your email address will not be published. Required fields are marked *