BIND (the Berkeley Internet Name Domain), also known as named, is the most widely used DNS server on the internet. Bind DNS resolves domain names to IP addresses and IP addresses to domain names. There are essentially a few reasons to run your own internet DNS server: first, of course, to have full control of your registered domain name, and second, to improve the speed of domain lookups. This post covers the steps to install a Bind chroot DNS server on CentOS 6.3 64 bit, and describes some extra security precautions that you can take when you install BIND.

The idea of chroot is fairly simple. When you run BIND in a chroot jail, the process is unable to see any part of the filesystem outside the jail. In this post I will set up BIND to run chrooted to the directory /var/named/chroot/; to BIND, the contents of this directory will appear to be /, the root directory. A "jail" is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and its purpose is to enhance security.
Where is the Bind chroot directory set?
[root@CentOS63 ~]# more /etc/sysconfig/named
It is configured to /var/named/chroot by default, as below:
..
..
ROOTDIR=/var/named/chroot
It is assumed that you already know how to install, configure and use BIND. If not, I would recommend that you read the Bind DNS HOWTO first.
1. Install bind-chroot:
[root@CentOS63 ~]# yum install bind-chroot bind -y
2. Copy all bind related files to prepare the bind chroot environment:
[root@CentOS63 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/
3. Create the bind related files inside the chroot directory:
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named.run
[root@CentOS63 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@CentOS63 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
4. The Bind lock file must be writable, so set the permissions to make it writable as below:
[root@CentOS63 ~]# chmod -R 777 /var/named/chroot/var/named/data
[root@CentOS63 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic
5. Set the following if you do not use IPv6:
[root@CentOS63 ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named
6. Configure the main bind configuration in /etc/named.conf (edited here at its path inside the chroot). Append the ehowstuff.local zone information to the file:
[root@CentOS63 ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1; 192.168.2.58; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "ehowstuff.local" {
        type master;
        file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};

include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
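As an added example (not from the original post), here is the same options block with query, recursion and zone-transfer access scoped to an explicit ACL. The chroot only limits what the daemon can touch on disk; who may query it, recurse through it or pull the zone is decided here. The acl name "trusted" and the 192.168.2.0/24 range are assumptions for this LAN; adjust them to your network.

```conf
// Added example: access control for the options block above.
// "trusted" and 192.168.2.0/24 are assumed values for this LAN.
acl "trusted" {
        127.0.0.1;
        192.168.2.0/24;
};

options {
        listen-on port 53 { 127.0.0.1; 192.168.2.58; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";

        // "allow-query { localhost; }" answers only the server itself; LAN
        // clients sending to 192.168.2.58 get REFUSED. Scope it to the ACL.
        allow-query     { trusted; };
        // Recursion for the LAN only, so the server cannot be used as an
        // open resolver by anyone else who can reach port 53.
        recursion yes;
        allow-recursion { trusted; };
        // This post configures no secondaries, so nobody needs zone transfers.
        allow-transfer  { none; };

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
};
```

Check the edited file with named-checkconf -t /var/named/chroot before restarting named, so a syntax error does not take the resolver down.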
7. Create Forward and Reverse zone files for domain ehowstuff.local.
a) Create the forward zone:
[root@CentOS63 ~]# vi /var/named/chroot/var/named/ehowstuff.local.zone
;
; Addresses and other host information.
;
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013022401 ; Serial
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum

; Define the nameservers and the mail servers
        IN NS   ns.ehowstuff.local.
        IN A    192.168.2.58
        IN MX   10 mail.ehowstuff.local.

mail    IN A    192.168.2.58
ns      IN A    192.168.2.58
b) Create the reverse zone:
[root@CentOS63 ~]# vi /var/named/chroot/var/named/192.168.2.zone
;
; Addresses and other host information.
;
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013022402 ; Serial
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum

2.168.192.in-addr.arpa.    IN NS   centos63.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR  mail.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR  ns.ehowstuff.local.
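The forward and reverse zones have to agree with each other: each PTR should point at a name that has an A record for the same address, and every NS target inside the zone needs an A record or the zone is lame. The shell script below is an added example, not part of the original post or of BIND. It parses both zone files with awk (assuming every record carries the IN class, as these do), reports mismatches, and bumps the SOA serial using the YYYYMMDDnn convention the serials above follow. The sample zone files it writes are constructed copies of the two files above; run on them, it reports that the apex A record has no PTR and that centos63.ehowstuff.local., the NS named in the reverse zone, has no A record in the forward zone.

```shell
#!/bin/sh
# Added example, not part of the original post or of BIND: cross-check the
# forward zone against the reverse zone and bump the SOA serial. Assumes every
# record carries the IN class; the sample zones are constructed copies.

# zone_records FILE ORIGIN -> "FQDN TYPE LAST-RDATA-FIELD" per record; "@" and
# relative owners are expanded against ORIGIN, omitted owners are inherited.
zone_records() {
    awk -v origin="$2" '
        { sub(/;.*/, "") }                          # strip comments
        NF == 0 || /^\$/ { next }                   # blank lines, $TTL, $ORIGIN
        inparen { if (/\)/) inparen = 0; next }     # inside a multi-line SOA
        {
            if ($1 == "IN")      { type = $2 }              # owner omitted
            else if ($2 == "IN") { owner = $1; type = $3 }
            else next
            if (type == "SOA") { if (/\(/ && !/\)/) inparen = 1; next }
            name = owner
            if (name == "@") name = origin "."
            else if (name !~ /\.$/) name = name "." origin "."
            print name, type, $NF
        }' "$1"
}

# 58.2.168.192.in-addr.arpa. <-> 192.168.2.58
ptr_to_ip() { printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 }'; }
ip_to_ptr() { printf '%s\n' "$1" | awk -F. '{ print $4 "." $3 "." $2 "." $1 ".in-addr.arpa." }'; }

# check_zones FWD_FILE FWD_ORIGIN REV_FILE REV_ORIGIN -> one finding per line
check_zones() {
    fwd=$(zone_records "$1" "$2"); rev=$(zone_records "$3" "$4")
    # every PTR must be confirmed by an A record carrying the same address
    printf '%s\n' "$rev" | awk '$2 == "PTR" { print $1, $3 }' | while read -r rname target; do
        printf '%s\n' "$fwd" | grep -qxF "$target A $(ptr_to_ip "$rname")" \
            || echo "PTR $(ptr_to_ip "$rname") -> $target has no matching A record"
    done
    # every A record should have a PTR (mail peers check reverse lookups)
    printf '%s\n' "$fwd" | awk '$2 == "A" { print $1, $3 }' | while read -r name ip; do
        printf '%s\n' "$rev" | grep -qxF "$(ip_to_ptr "$ip") PTR $name" \
            || echo "A $name -> $ip has no PTR record"
    done
    # an NS target inside the forward zone without an A record leaves the zone lame
    printf '%s\n%s\n' "$fwd" "$rev" | awk '$2 == "NS" { print $3 }' | while read -r ns; do
        case $ns in *".$2.")
            printf '%s\n' "$fwd" | awk -v n="$ns" '$1 == n && $2 == "A" { f = 1 } END { exit !f }' \
                || echo "NS $ns has no A record in $2" ;;
        esac
    done
}

# next_serial CURRENT YYYYMMDD -> same day: counter + 1; new day: DATE01
next_serial() {
    case $1 in
        "$2"[0-9][0-9]) echo $(( $1 + 1 )) ;;
        *)              echo "${2}01" ;;
    esac
}

# bump_serial ZONEFILE YYYYMMDD -> rewrites the "; Serial" line, prints the new serial
bump_serial() {
    cur=$(awk '/; *Serial/ { print $1; exit }' "$1")
    new=$(next_serial "$cur" "$2")
    awk -v o="$cur" -v n="$new" '/; *Serial/ && !done { sub(o, n); done = 1 } { print }' "$1" \
        > "$1.tmp" && mv "$1.tmp" "$1"
    echo "$new"
}

# write_sample_zones DIR -> constructed copies of the post's two zone files
write_sample_zones() {
    cat > "$1/ehowstuff.local.zone" <<'EOF'
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013022401 ; Serial
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum
        IN NS   ns.ehowstuff.local.
        IN A    192.168.2.58
        IN MX   10 mail.ehowstuff.local.
mail    IN A    192.168.2.58
ns      IN A    192.168.2.58
EOF
    cat > "$1/192.168.2.zone" <<'EOF'
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013022402 ; Serial
                43200 3600 3600000 2592000 ) ; Refresh Retry Expire Minimum
2.168.192.in-addr.arpa.    IN NS   centos63.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR  mail.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR  ns.ehowstuff.local.
EOF
}

d=$(mktemp -d); write_sample_zones "$d"
check_zones "$d/ehowstuff.local.zone" ehowstuff.local "$d/192.168.2.zone" 2.168.192.in-addr.arpa
rm -rf "$d"
```

Use named-checkzone ehowstuff.local /var/named/chroot/var/named/ehowstuff.local.zone for the authoritative syntax check of each file; this script covers the cross-zone consistency that named-checkzone, which looks at one file at a time, does not. Remember that named only notices a changed zone file after the serial has gone up, which is what bump_serial is for.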
8. RHEL 6 and CentOS 6 apparently no longer generate the rndc.key during installation. Instead, the key is generated automatically on the first start of the named service.
Start the Bind service:
[root@CentOS6 ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
9. Configure Bind to start automatically at boot:
[root@CentOS63 ~]# chkconfig --levels 235 named on
10. Verify permissions and ownership. The files required inside the jail have been created, but their permissions and ownership still need to be set.
Go to the chroot/var/named/ directory:
[root@CentOS63 ~]# cd /var/named/chroot/var/named/
Change the owner as below:
[root@CentOS63 named]# chown root:named ehowstuff.local.zone
[root@CentOS63 named]# chown root:named 192.168.2.zone
[root@CentOS63 named]# chown root:named my.external.zone.db
[root@CentOS63 named]# chown root:named my.internal.zone.db
[root@CentOS63 named]# chown root:named named.ca
[root@CentOS63 named]# chown root:named named.localhost
[root@CentOS63 named]# chown root:named named.loopback
Verify the permissions and ownership of the rest of the chrooted directories:
[root@CentOS63 ~]# ll /var/named/
total 32
drwxr-x--- 6 root  named 4096 Feb 24 13:51 chroot
drwxrwx--- 2 named named 4096 Dec  7 04:49 data
drwxrwx--- 2 named named 4096 Dec  7 04:49 dynamic
-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named 4096 Dec  7 04:49 slaves
[root@CentOS63 ~]# ll /var/named/chroot/
total 16
drwxr-x--- 2 root named 4096 Feb 24 13:51 dev
drwxr-x--- 4 root named 4096 Feb 24 14:40 etc
drwxr-x--- 3 root named 4096 Feb 24 13:51 usr
drwxr-x--- 6 root named 4096 Feb 24 13:51 var
[root@CentOS63 ~]# ll /var/named/chroot/etc
total 32
-rw-r--r-- 1 root root   372 Feb 20 06:51 localtime
drwxr-x--- 2 root named 4096 Dec  7 04:49 named
-rw-r--r-- 1 root named 1201 Feb 24 14:16 named.conf
-rw-r--r-- 1 root named 2389 Dec  7 04:49 named.iscdlv.key
-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones
-rw-r--r-- 1 root named  487 Jul 19  2010 named.root.key
drwxr-x--- 3 root named 4096 Feb 24 13:51 pki
-rw-r----- 1 root named   77 Feb 24 14:00 rndc.key
[root@CentOS63 ~]# ll /var/named/chroot/var/named/
total 44
-rw-r-xr-x 1 root  named  551 Feb 24 15:28 192.168.2.zone
drwxrwxrwx 2 named named 4096 Feb 24 14:04 data
drwxrwxrwx 2 named named 4096 Feb 24 15:30 dynamic
-rw-r-xr-x 1 root  named  681 Feb 24 15:28 ehowstuff.local.zone
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.external.zone.db
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.internal.zone.db
-rw-r--r-- 1 root  named 1892 Feb 24 13:54 named.ca
-rw-r--r-- 1 root  root   152 Feb 24 13:54 named.empty
-rw-r--r-- 1 root  named  152 Feb 24 13:54 named.localhost
-rw-r--r-- 1 root  named  168 Feb 24 13:54 named.loopback
drwxr-xr-x 2 named named 4096 Feb 24 13:54 slaves
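The listings above are what you compare against, and a small script makes that check repeatable. The one below is an added example, not part of the bind-chroot package: it walks the jail and reports anything world-writable, configuration or zone files not owned root:named (or group-writable), and a data/ or dynamic/ directory not owned by the named user. Owner and group names are parameters so it can be exercised on a scratch tree without root. Against the listing in step 10 it flags the two directories that step 4 set to 777 and the root:root named.empty; since named runs as user named in group named, 0770 named:named on data/ and dynamic/ satisfies the lock-file requirement without making them world-writable.

```shell
#!/bin/sh
# Added example, not part of the bind-chroot package: audit ownership and
# permissions under a BIND chroot laid out as in this post.
#
#   audit_chroot ROOT [ADMIN_USER] [NAMED_USER] [NAMED_GROUP]
#
# Prints one finding per line and returns 1 if anything was found.
audit_chroot() {
    root=$1; admin=${2:-root}; nuser=${3:-named}; ngroup=${4:-named}
    report=$(mktemp)

    # 1. Nothing in the jail should be world-writable. named runs as $nuser in
    #    group $ngroup, so 0770 $nuser:$ngroup on data/ and dynamic/ is enough
    #    for its lock file, statistics dumps and managed keys.
    find "$root" -perm -002 -print | sed 's/^/world-writable: /' >> "$report"

    # 2. named.conf, the zone files and the stock named.* files stay owned by
    #    ADMIN_USER:NAMED_GROUP and not group-writable, so a compromised daemon
    #    cannot rewrite its own configuration or zone data.
    for f in "$root"/etc/named.conf "$root"/etc/*.zones "$root"/etc/*.key \
             "$root"/var/named/*.zone "$root"/var/named/named.*; do
        [ -f "$f" ] || continue
        set -- $(ls -ld "$f")              # $1 mode, $3 owner, $4 group
        [ "$3:$4" = "$admin:$ngroup" ] || echo "owner $3:$4, want $admin:$ngroup: $f"
        case $1 in ?????w*) echo "group-writable: $f" ;; esac   # 6th char = group write bit
    done >> "$report"

    # 3. The directories named writes to must belong to NAMED_USER.
    for sub in data dynamic; do
        dir=$root/var/named/$sub
        [ -d "$dir" ] || { echo "missing: $dir"; continue; }
        set -- $(ls -ld "$dir")
        [ "$3" = "$nuser" ] || echo "owner $3, want $nuser: $dir"
    done >> "$report"

    cat "$report"
    n=$(grep -c '' "$report")
    rm -f "$report"
    [ "$n" -eq 0 ]
}

# On the live system (run as root so the jail is readable):
#   audit_chroot /var/named/chroot
```

Run it after every change to the jail; a clean run prints nothing and exits 0, which makes it easy to wire into a cron job or a configuration-management check.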
11. Test and make sure it’s working.
[root@CentOS63 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
[root@CentOS63 ~]# nslookup
> set type=any
> ehowstuff.local
Server:         192.168.2.58
Address:        192.168.2.58#53

ehowstuff.local
        origin = ehowstuff.local
        mail addr = hostmaster.ehowstuff.local
        serial = 2013023401
        refresh = 43200
        retry = 3600
        expire = 3600000
        minimum = 2592000
ehowstuff.local nameserver = ns.ehowstuff.local.
Name:   ehowstuff.local
Address: 192.168.2.58
ehowstuff.local mail exchanger = 10 mail.ehowstuff.local.
>
12. If your server does not have the nslookup, host or dig commands, install bind-utils. These utilities are friendly and useful for testing and diagnosing DNS issues.
[root@CentOS6 ~]# yum install bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.biz.net.id
 * extras: centos.biz.net.id
 * updates: centos.biz.net.id
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

================================================================================
 Package        Arch      Version                        Repository      Size
================================================================================
Installing:
 bind-utils     x86_64    32:9.8.2-0.10.rc1.el6_3.6      updates        182 k

Transaction Summary
================================================================================
Install       1 Package(s)

Total download size: 182 k
Installed size: 438 k
Is this ok [y/N]: y
Downloading Packages:
bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64.rpm               | 182 kB     00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                  1/1
  Verifying  : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                  1/1

Installed:
  bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6

Complete!