How to Setup Bind Chroot DNS Server on CentOS 6.3 x86_64

bindBIND (the Berkeley Internet Name Domain) also known as NAMED is the most widely used DNS server in the internet. Bind DNS helps to resolve domain name to ip address and ip address to domain name. There are essentially a few reasons to running your own internet DNS Server. First, of course we need to have full control of our registered domain name and second is to improve the speed of domain lookups. This post covers the steps on how to install Bind Chroot DNS Server on CentOS 6.3 64 Bit. It will describes some extra security precautions that you can take when you install BIND. The idea of chroot is fairly simple. When you run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this post, i will setting up BIND to run chrooted to the directory /var/named/chroot/. Well, to BIND, the contents of this directory will appear to be /, the root directory. A “jail” is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and it’s purposely to enhance the security.

Where is Bind chrooted directory set ?

[root@CentOS63 ~]# more /etc/sysconfig/named

It was by default configured to /var/named/chroot as below :

..
..
ROOTDIR=/var/named/chroot

It is assumed that you already know how to install, configure and use BIND. If not, I would recommend that you read the Bind DNS HOWTO first.

1. Install Bind-Chroot :

[root@CentOS63 ~]# yum install bind-chroot bind -y

2. Copy all bind related files to prepare bind chrooted environments :

 
[root@CentOS63 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/

3. Create bind related files into chrooted directory :

[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named.run
[root@CentOS63 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@CentOS63 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

4. Bind lock file should be writeable, therefore set the permission to make it writable as below :

[root@CentOS63 ~]# chmod -R 777 /var/named/chroot/var/named/data
[root@CentOS63 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic

5. Set if you do not use IPv6 :

[root@CentOS63 ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named

6. Configure main bind configuration in /etc/named.conf. Append the ehowstuff.local information to the file :

[root@CentOS63 ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1;192.168.2.58; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "ehowstuff.local" {
    type master;
    file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};

include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

7. Create Forward and Reverse zone files for domain ehowstuff.local.

See also  How to Deny ICMP Ping Request on CentOS 6.2

a) Create Forward Zone :

[root@CentOS63 ~]# vi /var/named/chroot/var/named/ehowstuff.local.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022401      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns.ehowstuff.local.
               IN      A       192.168.2.58
               IN      MX      10 mail.ehowstuff.local.

mail            IN      A       192.168.2.58
ns              IN      A       192.168.2.58

b) Create Reverse Zone :

[root@CentOS63 ~]# vi /var/named/chroot/var/named/192.168.2.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022402      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

2.168.192.in-addr.arpa. IN      NS      centos63.ehowstuff.local.

58.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR ns.ehowstuff.local.

8. RHEL 6 and CentOS 6 apparently no longer generates the rndc.key during installation. Instead, the key is automatically generated on the first start of named service.

See also  How to Use Fail2ban to Stop/Prevent SSH Brute Force on Linux

Start Bind service :

[root@CentOS6 ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

9. Configure Bind auto start at boot :

[root@CentOS63 ~]# chkconfig --levels 235 named on

10. Verifying permissions and ownership. Created the files required inside the jail, but the matter of setting the permissions and ownership should remains.

Go to chroot/var/named/ directory :

[root@CentOS63 ~]# cd /var/named/chroot/var/named/

Change owner as below :

[root@CentOS63 named]# chown root:named ehowstuff.local.zone
[root@CentOS63 named]# chown root:named 192.168.2.zone
[root@CentOS63 named]# chown root:named my.external.zone.db
[root@CentOS63 named]# chown root:named my.internal.zone.db
[root@CentOS63 named]# chown root:named named.ca
[root@CentOS63 named]# chown root:named named.localhost
[root@CentOS63 named]# chown root:named named.loopback

Verify permissions and ownership rest of the chrooted directories :

[root@CentOS63 ~]# ll /var/named/
total 32
drwxr-x--- 6 root  named 4096 Feb 24 13:51 chroot
drwxrwx--- 2 named named 4096 Dec  7 04:49 data
drwxrwx--- 2 named named 4096 Dec  7 04:49 dynamic
-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named 4096 Dec  7 04:49 slaves
[root@CentOS63 ~]# ll /var/named/chroot/
total 16
drwxr-x--- 2 root named 4096 Feb 24 13:51 dev
drwxr-x--- 4 root named 4096 Feb 24 14:40 etc
drwxr-x--- 3 root named 4096 Feb 24 13:51 usr
drwxr-x--- 6 root named 4096 Feb 24 13:51 var
[root@CentOS63 ~]# ll /var/named/chroot/etc
total 32
-rw-r--r-- 1 root root   372 Feb 20 06:51 localtime
drwxr-x--- 2 root named 4096 Dec  7 04:49 named
-rw-r--r-- 1 root named 1201 Feb 24 14:16 named.conf
-rw-r--r-- 1 root named 2389 Dec  7 04:49 named.iscdlv.key
-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones
-rw-r--r-- 1 root named  487 Jul 19  2010 named.root.key
drwxr-x--- 3 root named 4096 Feb 24 13:51 pki
-rw-r----- 1 root named   77 Feb 24 14:00 rndc.key
[root@CentOS63 ~]# ll /var/named/chroot/var/named/
total 44
-rw-r-xr-x 1 root  named  551 Feb 24 15:28 192.168.2.zone
drwxrwxrwx 2 named named 4096 Feb 24 14:04 data
drwxrwxrwx 2 named named 4096 Feb 24 15:30 dynamic
-rw-r-xr-x 1 root  named  681 Feb 24 15:28 ehowstuff.local.zone
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.external.zone.db
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.internal.zone.db
-rw-r--r-- 1 root  named 1892 Feb 24 13:54 named.ca
-rw-r--r-- 1 root  root   152 Feb 24 13:54 named.empty
-rw-r--r-- 1 root  named  152 Feb 24 13:54 named.localhost
-rw-r--r-- 1 root  named  168 Feb 24 13:54 named.loopback
drwxr-xr-x 2 named named 4096 Feb 24 13:54 slaves

11. Test and make sure it’s working.

[root@CentOS63 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
[root@CentOS63 ~]# nslookup
> set type=any
> ehowstuff.local
Server:         192.168.2.58
Address:        192.168.2.58#53

ehowstuff.local
        origin = ehowstuff.local
        mail addr = hostmaster.ehowstuff.local
        serial = 2013023401
        refresh = 43200
        retry = 3600
        expire = 3600000
        minimum = 2592000
ehowstuff.local nameserver = ns.ehowstuff.local.
Name:   ehowstuff.local
Address: 192.168.2.58
ehowstuff.local mail exchanger = 10 mail.ehowstuff.local.
>

12. If your server does not have nslookup, host or dig command, then you should install bind-utils. All this utilities are the friendly and useful utilities to test and diagnose the DNS issue.

[root@CentOS6 ~]# yum install bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.biz.net.id
 * extras: centos.biz.net.id
 * updates: centos.biz.net.id
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                   Arch                  Version                                   Repository              Size
========================================================================================================================
Installing:
 bind-utils                x86_64                32:9.8.2-0.10.rc1.el6_3.6                 updates                182 k

Transaction Summary
========================================================================================================================
Install       1 Package(s)

Total download size: 182 k
Installed size: 438 k
Is this ok [y/N]: y
Downloading Packages:
bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64.rpm                                                     | 182 kB     00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1/1
  Verifying  : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1/1

Installed:
  bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6

Complete!

How to Reset the Directory Manager Password on RHEL 7 / CentOS 7
How to Reset the Directory Manager Password on RHEL 7 / CentOS 7

It is best practice to remember passwords, but because too many passwords, sometimes we forget. We are not encouraged to write the password on any paper or share the password...

How to Find Big Files Size on Linux RHEL/CentOS
How to Find Big Files Size on Linux RHEL/CentOS

As the linux administrator, sometimes we have to identify which files are most take much space in the linux server resulting in low free space. Low disk space can also...

Why Linux users should worry about malware and what they can do about it
Why Linux users should worry about malware and what they can do about it

Don’t drop your guard just because you’re running Linux. Preventing the spread of malware and/or dealing with the consequences of infection are a fact of life when using computers. If...

How to Reset Forgotten Root Password on Linux RHEL 7/CentOS 7
How to Reset Forgotten Root Password on Linux RHEL 7/CentOS 7

This article will explain the steps to reset a lost root password or to reset forgotten root password on Linux RHEL 7 or CentOS 7. Basically, the steps will adding...

How to Update CentOS or Upgrade CentOS to the Latest Version
How to Update CentOS or Upgrade CentOS to the Latest Version

Recently, the latest version of CentOS 7.3 was released. All users of CentOS 7.0, 7.1 and 7.2 can upgrade their system to the most recent. This quick guide will explain...

How to Change your WordPress Username, Nickname and Display Name in MySQL
How to Change your WordPress Username, Nickname and Display Name in MySQL

After you create an account log in WordPress, you may want to change your WordPress username, as appropriate or due to security reason. However, you can not do this from...

How to Enable SSH Root Login on Ubuntu 16.04
How to Enable SSH Root Login on Ubuntu 16.04

As what we wrote in the previous article on how to allow SSH root on Ubuntu 14.04, after installing a fresh new copy of Ubuntu 16.04 LTS, we find that...

How to Change UUID of Linux Partition on CentOS 7
How to Change UUID of Linux Partition on CentOS 7

UUID (Universally Unique IDentifier) should be unique and it is used to identify storage devices on a linux system. If you cloned a virtual machine from vCenter, the metadata containing...

Leave a Reply

Your email address will not be published. Required fields are marked *