How to Setup Bind DNS Server in Chroot Jail on CentOS 7


BIND (Berkeley Internet Name Domain), also known as named, is the most widely used DNS server on the internet.

This tutorial explains how to set up BIND DNS in a chroot jail on CentOS 7. When BIND runs in a chroot jail, the process is unable to see any part of the filesystem outside the jail. In this post, I will configure BIND to run chrooted to the directory /var/named/chroot/.

To BIND, the contents of this directory will appear to be /, the root directory. A “jail” is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and its purpose is to enhance security.

Unlike with earlier versions of BIND, you typically will not need to compile named statically nor install shared libraries under the new root.

The chroot environment initialization script mounts the BIND configuration files into the jail using the mount --bind command, so that you can manage the configuration outside this environment. There is no need to copy anything into the /var/named/chroot/ directory because it is mounted automatically. This simplifies maintenance since you do not need to take any special care of the BIND configuration files when it runs in a chroot environment. You can organize everything as you would with BIND not running in a chroot environment.

The chrooted BIND DNS server is by default configured to use /var/named/chroot. Follow these steps to implement a BIND chroot DNS server on a CentOS 7 virtual private server (VPS).

Setup Bind DNS Server in Chroot Jail on CentOS 7

1. Install Bind Chroot DNS server :

# yum install bind-chroot -y

2. To enable the named-chroot service, first check if the named service is running by issuing the following command:

# systemctl status named

If it is running, it must be disabled.
To disable named, issue the following commands as root:

# systemctl stop named
# systemctl disable named

3. Initialize the /var/named/chroot environment by running:

# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
# systemctl stop named
# systemctl disable named
# systemctl start named-chroot
# systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'

The following directories are automatically mounted into the /var/named/chroot/ directory if the corresponding mount point directories underneath /var/named/chroot/ are empty:

Verify Chroot Environment :

# ll /var/named/chroot/etc
total 28
-rw-r--r-- 1 root root   372 Dec  1 23:04 localtime
drwxr-x--- 2 root named 4096 Nov 22 01:28 named
-rw-r----- 1 root named 1705 Mar 22  2016 named.conf
-rw-r--r-- 1 root named 2389 Nov 22 01:28 named.iscdlv.key
-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones
-rw-r--r-- 1 root named  487 Jul 19  2010 named.root.key
drwxr-x--- 3 root named 4096 Jan  4 22:12 pki
# ll /var/named/chroot/var/named
total 32
drwxr-x--- 7 root  named 4096 Jan  4 22:12 chroot
drwxrwx--- 2 named named 4096 Nov 22 01:28 data
drwxrwx--- 2 named named 4096 Nov 22 01:28 dynamic
-rw-r----- 1 root  named 2076 Jan 28  2013 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named 4096 Nov 22 01:28 slaves

4. Create the BIND-related files in the chrooted directory :

# touch /var/named/chroot/var/named/data/cache_dump.db
# touch /var/named/chroot/var/named/data/named_stats.txt
# touch /var/named/chroot/var/named/data/named_mem_stats.txt
# touch /var/named/chroot/var/named/data/named.run
# mkdir /var/named/chroot/var/named/dynamic
# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

5. The BIND lock file must be writable, so set the permissions as below :

# chmod -R 777 /var/named/chroot/var/named/data
# chmod -R 777 /var/named/chroot/var/named/dynamic

6. Copy /etc/named.conf into the chrooted BIND config folder :

# cp -p /etc/named.conf /var/named/chroot/etc/named.conf

7. Configure the main BIND configuration in the chrooted named.conf. Append the example.local zone information to the file :

# vi /var/named/chroot/etc/named.conf

Add the forward and reverse zones to named.conf:

..
..
zone "example.local" {
    type master;
    file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
..
..

Full named.conf configuration :

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.local" {
    type master;
    file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

8. Create Forward and Reverse zone files for domain example.local.

a) Create Forward Zone :

# vi /var/named/chroot/var/named/example.local.zone

Add the following and save :

;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns1.example.local.
               IN      NS      ns2.example.local.
               IN      A       192.168.0.70
               IN      MX      10 mx.example.local.

centos7          IN      A       192.168.0.70
mx               IN      A       192.168.0.50
ns1              IN      A       192.168.0.70
ns2              IN      A       192.168.0.80

b) Create Reverse Zone :

# vi /var/named/chroot/var/named/192.168.0.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

0.168.192.in-addr.arpa. IN      NS      centos7.example.local.

50.0.168.192.in-addr.arpa. IN PTR mx.example.local.
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.


How to Install and Configure Bind Chroot DNS Server on CentOS 6.4 VPS

This article explains the steps to install and configure a chrooted BIND DNS server on a CentOS 6.4 virtual private server (VPS) or dedicated server. If you plan to run your own email server or web server, it is good to have your own domain name service (DNS), so that you have full control of the domain and its subdomains. BIND (the Berkeley Internet Name Domain), also known as named, is the most widely used DNS server on the internet. BIND resolves domain names to IP addresses and IP addresses to domain names. Besides giving full control of our registered domain name, it also helps to improve the speed of domain lookups. All these steps have been tested on CentOS 6.4 64 bit. When you run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. As an example, I will set up BIND to run chrooted to the directory /var/named/chroot/. To BIND, the contents of this directory will appear to be /, the root directory. A “jail” is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and its purpose is to enhance security. The BIND chroot DNS server is by default configured to use /var/named/chroot.

1. Install Bind Chroot DNS server :

[root@centos64 ~]# yum install bind-chroot bind -y

2. Copy all BIND-related files to prepare the chrooted environment :

[root@centos64 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/

3. Create the BIND-related files in the chrooted directory :

[root@centos64 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named.run
[root@centos64 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@centos64 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

4. The BIND lock file must be writable, so set the permissions as below :

[root@centos64 ~]# chmod -R 777 /var/named/chroot/var/named/data
[root@centos64 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic

5. Set the following if you do not use IPv6 :

[root@centos64 ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named

6. Copy /etc/named.conf into the chrooted BIND config folder :

[root@centos64 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf

7. Configure the main BIND configuration in the chrooted named.conf. Append the ehowstuff.local zone information to the file :

[root@centos64 ~]# vi /var/named/chroot/etc/named.conf

a. Add the IP addresses BIND listens on :

..
listen-on port 53 { 127.0.0.1;192.168.2.62;192.168.2.63; };
..

b. Add the forward and reverse zones :

..
..
zone "ehowstuff.local" {
    type master;
    file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};
..
..

Full configuration for named.conf :

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1;192.168.2.62;192.168.2.63; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "ehowstuff.local" {
    type master;
    file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

8. Create Forward and Reverse zone files for domain ehowstuff.local.

a) Create Forward Zone :

[root@centos64 ~]# vi /var/named/chroot/var/named/ehowstuff.local.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013042201      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns1.ehowstuff.local.
               IN      NS      ns2.ehowstuff.local.
               IN      A       192.168.2.62
               IN      MX      10 mail.ehowstuff.local.

centos64        IN      A       192.168.2.62
mail            IN      A       192.168.2.62
ns1             IN      A       192.168.2.62
ns2             IN      A       192.168.2.63

b) Create Reverse Zone :

[root@centos64 ~]# vi /var/named/chroot/var/named/192.168.2.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013042201      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

2.168.192.in-addr.arpa. IN      NS      centos64.ehowstuff.local.

62.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.
62.2.168.192.in-addr.arpa. IN PTR ns1.ehowstuff.local.
63.2.168.192.in-addr.arpa. IN PTR ns2.ehowstuff.local.

9. Start Bind service :

[root@centos64 ~]# /etc/init.d/named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

10. Configure Bind auto start at boot :

[root@centos64 ~]# chkconfig --levels 235 named on

11. Test and verify Bind DNS setup :
a. Test and verify using host command :

[root@centos64 ~]# host -t ns ehowstuff.local
ehowstuff.local name server ns1.ehowstuff.local.
ehowstuff.local name server ns2.ehowstuff.local.
[root@centos64 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.

b. Test and verify using nslookup command :

[root@centos64 ~]# nslookup
> set type=any
> ehowstuff.local
Server:         192.168.2.62
Address:        192.168.2.62#53

ehowstuff.local
        origin = ehowstuff.local
        mail addr = hostmaster.ehowstuff.local
        serial = 2013042201
        refresh = 43200
        retry = 3600
        expire = 3600000
        minimum = 2592000
ehowstuff.local nameserver = ns1.ehowstuff.local.
ehowstuff.local nameserver = ns2.ehowstuff.local.
Name:   ehowstuff.local
Address: 192.168.2.62
ehowstuff.local mail exchanger = 10 mail.ehowstuff.local.
> exit

c. Test and verify using dig command :

[root@centos64 ~]# dig ehowstuff.local

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> ehowstuff.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6958
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ehowstuff.local.               IN      A

;; ANSWER SECTION:
ehowstuff.local.        2592000 IN      A       192.168.2.62

;; AUTHORITY SECTION:
ehowstuff.local.        2592000 IN      NS      ns1.ehowstuff.local.
ehowstuff.local.        2592000 IN      NS      ns2.ehowstuff.local.

;; ADDITIONAL SECTION:
ns1.ehowstuff.local.    2592000 IN      A       192.168.2.62
ns2.ehowstuff.local.    2592000 IN      A       192.168.2.63

;; Query time: 1 msec
;; SERVER: 192.168.2.62#53(192.168.2.62)
;; WHEN: Wed Apr  3 00:03:40 2013
;; MSG SIZE  rcvd: 117

How to Setup Bind Chroot DNS Server on CentOS 6.3 x86_64

BIND (the Berkeley Internet Name Domain), also known as named, is the most widely used DNS server on the internet. BIND resolves domain names to IP addresses and IP addresses to domain names. There are essentially two reasons for running your own internet DNS server: first, to have full control of your registered domain name, and second, to improve the speed of domain lookups. This post covers the steps to install a BIND chroot DNS server on CentOS 6.3 64 bit and describes some extra security precautions you can take when you install BIND. The idea of chroot is fairly simple. When you run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this post, I will set up BIND to run chrooted to the directory /var/named/chroot/. To BIND, the contents of this directory will appear to be /, the root directory. A “jail” is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and its purpose is to enhance security.

Where is the BIND chroot directory set?

[root@CentOS63 ~]# more /etc/sysconfig/named

By default it is configured to /var/named/chroot, as below :

..
..
ROOTDIR=/var/named/chroot

It is assumed that you already know how to install, configure and use BIND. If not, I would recommend that you read the Bind DNS HOWTO first.

1. Install Bind-Chroot :

[root@CentOS63 ~]# yum install bind-chroot bind -y

2. Copy all BIND-related files to prepare the chrooted environment :

[root@CentOS63 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/

3. Create the BIND-related files in the chrooted directory :

[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@CentOS63 ~]# touch /var/named/chroot/var/named/data/named.run
[root@CentOS63 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@CentOS63 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

4. The BIND lock file must be writable, so set the permissions as below :

[root@CentOS63 ~]# chmod -R 777 /var/named/chroot/var/named/data
[root@CentOS63 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic

5. Set the following if you do not use IPv6 :

[root@CentOS63 ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named

6. Configure the main BIND configuration in the chrooted named.conf. Append the ehowstuff.local zone information to the file :

[root@CentOS63 ~]# vi /var/named/chroot/etc/named.conf
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1;192.168.2.58; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "ehowstuff.local" {
    type master;
    file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};

include "/etc/rndc.key";
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

7. Create Forward and Reverse zone files for domain ehowstuff.local.

a) Create Forward Zone :

[root@CentOS63 ~]# vi /var/named/chroot/var/named/ehowstuff.local.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022401      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns.ehowstuff.local.
               IN      A       192.168.2.58
               IN      MX      10 mail.ehowstuff.local.

mail            IN      A       192.168.2.58
ns              IN      A       192.168.2.58

b) Create Reverse Zone :

[root@CentOS63 ~]# vi /var/named/chroot/var/named/192.168.2.zone
;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022402      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

2.168.192.in-addr.arpa. IN      NS      centos63.ehowstuff.local.

58.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR ns.ehowstuff.local.
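Added example, not code from the original posts: a Python checker for the consistency between the forward and reverse zone files written in this tutorial and the two preceding ones. It parses the zone-file subset used on this page (SOA continuation lines, `@`, blank-owner inheritance, relative names), then verifies that every in-zone NS and MX target has an A record and that every PTR points to a name whose A record carries that address. Run on the two ehowstuff.local zones above, it reports that centos63.ehowstuff.local, named as NS in the reverse zone, has no A record in the forward zone. The embedded zone text is copied from this section; the origin names are passed in exactly as they appear in the zone statements of named.conf.

```python
from typing import Dict, List, Set, Tuple

Record = Tuple[str, str, List[str]]  # (owner, type, rdata tokens), names absolute and lower-case
NAME_RDATA_TYPES = {"NS", "PTR", "CNAME", "MX"}  # last rdata token is a domain name

def _absolutize(name: str, origin: str) -> str:
    name = name.lower()
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def parse_zone(text: str, origin: str) -> List[Record]:
    """Parse the master-file subset used on this page: ';' comments, $TTL/$ORIGIN,
    '(' ... ')' continuation lines (SOA), '@', relative owners, blank-owner inheritance."""
    origin = origin.lower().rstrip(".") + "."
    logical: List[str] = []  # parenthesised entries joined, leading whitespace kept
    buf, depth = "", 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        depth += line.count("(") - line.count(")")
        if depth < 0:
            raise ValueError("unbalanced ')' in zone file")
        buf = buf + " " + line if buf else line
        if depth == 0:
            if buf.strip():
                logical.append(buf)
            buf = ""
    records: List[Record] = []
    last_owner = origin
    for line in logical:
        tokens = line.replace("(", " ").replace(")", " ").split()
        if tokens[0] == "$ORIGIN":
            origin = _absolutize(tokens[1], origin)
            continue
        if tokens[0].startswith("$"):  # $TTL and other directives are not needed here
            continue
        if line[0].isspace():  # no owner field: inherit the previous owner
            owner = last_owner
        else:
            owner = _absolutize(tokens.pop(0), origin)
            last_owner = owner
        if tokens and tokens[0].isdigit():  # optional TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() in ("IN", "CH", "HS"):  # optional class
            tokens.pop(0)
        rtype = tokens.pop(0).upper()
        if rtype in NAME_RDATA_TYPES:
            tokens[-1] = _absolutize(tokens[-1], origin)
        records.append((owner, rtype, tokens))
    return records

def ptr_to_ip(owner: str) -> str:
    labels = owner.rstrip(".").split(".")  # '58.2.168.192.in-addr.arpa.' -> '192.168.2.58'
    if labels[-2:] != ["in-addr", "arpa"]:
        raise ValueError(f"not an IPv4 reverse name: {owner}")
    return ".".join(reversed(labels[:-2]))

def check_zones(forward: List[Record], reverse: List[Record], origin: str) -> List[str]:
    origin = origin.lower().rstrip(".") + "."
    a_map: Dict[str, Set[str]] = {}
    for owner, rtype, rdata in forward:
        if rtype == "A":
            a_map.setdefault(owner, set()).add(rdata[0])
    findings: List[str] = []
    # In-zone NS and MX targets named in either file must have an A record.
    for owner, rtype, rdata in forward + reverse:
        target = rdata[-1]
        if rtype in ("NS", "MX") and target not in a_map and (target == origin or target.endswith("." + origin)):
            findings.append(f"{rtype} target {target} (for {owner}) has no A record in the forward zone")
    # Every PTR must name a host whose A record carries that address.
    for owner, rtype, rdata in reverse:
        if rtype == "PTR" and ptr_to_ip(owner) not in a_map.get(rdata[-1], set()):
            findings.append(f"PTR {owner} -> {rdata[-1]} but {rdata[-1]} has no A record for {ptr_to_ip(owner)}")
    return findings

# Zone text copied from this section of the page (comments shortened).
FORWARD_ZONE = """\
$TTL 86400
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022401      ; Serial
                               43200 3600 3600000 ; Refresh Retry Expire
                               2592000 )  ; Minimum
               IN      NS      ns.ehowstuff.local.
               IN      A       192.168.2.58
               IN      MX      10 mail.ehowstuff.local.
mail            IN      A       192.168.2.58
ns              IN      A       192.168.2.58
"""
REVERSE_ZONE = """\
@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                               2013022402 43200 3600 3600000 2592000 )
2.168.192.in-addr.arpa. IN      NS      centos63.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.
58.2.168.192.in-addr.arpa. IN PTR ns.ehowstuff.local.
"""
if __name__ == "__main__":
    fwd, rev = parse_zone(FORWARD_ZONE, "ehowstuff.local"), parse_zone(REVERSE_ZONE, "2.168.192.in-addr.arpa")
    print("\n".join(check_zones(fwd, rev, "ehowstuff.local") or ["no findings"]))
```

On the server itself, named-checkzone performs the authoritative syntax check of each file; this script only adds the cross-zone comparison that named-checkzone does not do.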

8. RHEL 6 and CentOS 6 apparently no longer generate rndc.key during installation. Instead, the key is generated automatically on the first start of the named service.

Start Bind service :

[root@CentOS6 ~]# service named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]

9. Configure Bind auto start at boot :

[root@CentOS63 ~]# chkconfig --levels 235 named on

10. Verify permissions and ownership. The required files have been created inside the jail, but their permissions and ownership still need to be set.

Go to the chroot/var/named/ directory :

[root@CentOS63 ~]# cd /var/named/chroot/var/named/

Change owner as below :

[root@CentOS63 named]# chown root:named ehowstuff.local.zone
[root@CentOS63 named]# chown root:named 192.168.2.zone
[root@CentOS63 named]# chown root:named my.external.zone.db
[root@CentOS63 named]# chown root:named my.internal.zone.db
[root@CentOS63 named]# chown root:named named.ca
[root@CentOS63 named]# chown root:named named.localhost
[root@CentOS63 named]# chown root:named named.loopback

Verify permissions and ownership of the rest of the chrooted directories :

[root@CentOS63 ~]# ll /var/named/
total 32
drwxr-x--- 6 root  named 4096 Feb 24 13:51 chroot
drwxrwx--- 2 named named 4096 Dec  7 04:49 data
drwxrwx--- 2 named named 4096 Dec  7 04:49 dynamic
-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca
-rw-r----- 1 root  named  152 Dec 15  2009 named.empty
-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost
-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback
drwxrwx--- 2 named named 4096 Dec  7 04:49 slaves
[root@CentOS63 ~]# ll /var/named/chroot/
total 16
drwxr-x--- 2 root named 4096 Feb 24 13:51 dev
drwxr-x--- 4 root named 4096 Feb 24 14:40 etc
drwxr-x--- 3 root named 4096 Feb 24 13:51 usr
drwxr-x--- 6 root named 4096 Feb 24 13:51 var
[root@CentOS63 ~]# ll /var/named/chroot/etc
total 32
-rw-r--r-- 1 root root   372 Feb 20 06:51 localtime
drwxr-x--- 2 root named 4096 Dec  7 04:49 named
-rw-r--r-- 1 root named 1201 Feb 24 14:16 named.conf
-rw-r--r-- 1 root named 2389 Dec  7 04:49 named.iscdlv.key
-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones
-rw-r--r-- 1 root named  487 Jul 19  2010 named.root.key
drwxr-x--- 3 root named 4096 Feb 24 13:51 pki
-rw-r----- 1 root named   77 Feb 24 14:00 rndc.key
[root@CentOS63 ~]# ll /var/named/chroot/var/named/
total 44
-rw-r-xr-x 1 root  named  551 Feb 24 15:28 192.168.2.zone
drwxrwxrwx 2 named named 4096 Feb 24 14:04 data
drwxrwxrwx 2 named named 4096 Feb 24 15:30 dynamic
-rw-r-xr-x 1 root  named  681 Feb 24 15:28 ehowstuff.local.zone
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.external.zone.db
-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.internal.zone.db
-rw-r--r-- 1 root  named 1892 Feb 24 13:54 named.ca
-rw-r--r-- 1 root  root   152 Feb 24 13:54 named.empty
-rw-r--r-- 1 root  named  152 Feb 24 13:54 named.localhost
-rw-r--r-- 1 root  named  168 Feb 24 13:54 named.loopback
drwxr-xr-x 2 named named 4096 Feb 24 13:54 slaves
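As an added check that is not part of the original post, the following Python script parses ls -l listings like the ones above and reports entries that deviate from the ownership and permission model shown in the default /var/named/ listing: world-writable entries, regular files carrying execute bits, entries whose group is not named, and owners other than root (or named for the data, dynamic and slaves directories that named writes to). Run over the /var/named/chroot/var/named/ listing above, it reports the two directories left world-writable by chmod 777, the two zone files with execute bits, and named.empty with group root. The expected owners and the listing layout are assumptions of this example.

```python
import re
from typing import List, Optional

# One "ls -l" entry, e.g. "-rw-r-xr-x 1 root  named  551 Feb 24 15:28 192.168.2.zone".
# The optional character after the mode string is the SELinux/ACL marker.
LS_LINE_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})[.+@]?\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)"
    r"\s+\d+\s+\S+\s+\d+\s+\S+\s+(?P<name>.+?)\s*$"
)
# Directories named itself writes to (journals, managed keys, transferred zones);
# everything else in the jail stays owned by root with group named (assumed model).
NAMED_WRITABLE_DIRS = {"data", "dynamic", "slaves"}

def parse_ls_line(line: str) -> Optional[dict]:
    m = LS_LINE_RE.match(line)
    if not m:
        return None  # "total 44" and prompt lines are not entries
    entry = m.groupdict()
    entry["is_dir"] = entry["mode"][0] == "d"
    return entry

def audit_listing(lines: List[str], group: str = "named") -> List[str]:
    """Report entries that deviate from the root:named / named:named model."""
    findings: List[str] = []
    for line in lines:
        e = parse_ls_line(line)
        if e is None:
            continue
        mode, name = e["mode"], e["name"]
        want_owner = "named" if e["is_dir"] and name in NAMED_WRITABLE_DIRS else "root"
        if mode[8] == "w":  # other-write bit: any local account can alter the entry
            findings.append(f"{name}: world-writable ({mode})")
        if not e["is_dir"] and any(c in "xst" for c in (mode[3], mode[6], mode[9])):
            findings.append(f"{name}: execute bit on a data file ({mode})")
        if e["group"] != group:
            findings.append(f"{name}: group is {e['group']}, expected {group}")
        if e["owner"] != want_owner:
            findings.append(f"{name}: owner is {e['owner']}, expected {want_owner}")
    return findings

# Listing copied from the /var/named/chroot/var/named/ output above.
CHROOT_LISTING = [
    "total 44",
    "-rw-r-xr-x 1 root  named  551 Feb 24 15:28 192.168.2.zone",
    "drwxrwxrwx 2 named named 4096 Feb 24 14:04 data",
    "drwxrwxrwx 2 named named 4096 Feb 24 15:30 dynamic",
    "-rw-r-xr-x 1 root  named  681 Feb 24 15:28 ehowstuff.local.zone",
    "-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.external.zone.db",
    "-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.internal.zone.db",
    "-rw-r--r-- 1 root  named 1892 Feb 24 13:54 named.ca",
    "-rw-r--r-- 1 root  root   152 Feb 24 13:54 named.empty",
    "-rw-r--r-- 1 root  named  152 Feb 24 13:54 named.localhost",
    "-rw-r--r-- 1 root  named  168 Feb 24 13:54 named.loopback",
    "drwxr-xr-x 2 named named 4096 Feb 24 13:54 slaves",
]

if __name__ == "__main__":
    print("\n".join(audit_listing(CHROOT_LISTING) or ["no findings"]))
```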

11. Test and make sure it’s working.

[root@CentOS63 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
[root@CentOS63 ~]# nslookup
> set type=any
> ehowstuff.local
Server:         192.168.2.58
Address:        192.168.2.58#53

ehowstuff.local
        origin = ehowstuff.local
        mail addr = hostmaster.ehowstuff.local
        serial = 2013023401
        refresh = 43200
        retry = 3600
        expire = 3600000
        minimum = 2592000
ehowstuff.local nameserver = ns.ehowstuff.local.
Name:   ehowstuff.local
Address: 192.168.2.58
ehowstuff.local mail exchanger = 10 mail.ehowstuff.local.
>

12. If your server does not have the nslookup, host or dig commands, install bind-utils. These utilities are useful for testing and diagnosing DNS issues.

[root@CentOS6 ~]# yum install bind-utils
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: centos.biz.net.id
 * extras: centos.biz.net.id
 * updates: centos.biz.net.id
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

========================================================================================================================
 Package                   Arch                  Version                                   Repository              Size
========================================================================================================================
Installing:
 bind-utils                x86_64                32:9.8.2-0.10.rc1.el6_3.6                 updates                182 k

Transaction Summary
========================================================================================================================
Install       1 Package(s)

Total download size: 182 k
Installed size: 438 k
Is this ok [y/N]: y
Downloading Packages:
bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64.rpm                                                     | 182 kB     00:02
Running rpm_check_debug
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1/1
  Verifying  : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1/1

Installed:
  bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6

Complete!

How to Configure Bind-Chroot Logging on CentOS 6.2

In this post, I will show how to turn on BIND DNS server logging in order to log all DNS queries on a CentOS 6.2 Linux server. It is assumed that the bind9 chroot has already been properly configured.

1. Create symbolic links to the log files under /var/log :

[root@ns1 ~]# ln -sf /var/named/chroot/var/log/dns.log /var/log/dns.log
[root@ns1 ~]# ln -sf /var/named/chroot/var/log/dns_queries.log /var/log/dns_queries.log

2. Open named.conf :

[root@ns1 ~]# vim /var/named/chroot/etc/named.conf

3. Add the following logging block to named.conf :

..
..
logging {
        channel log_dns {
                file "/var/log/dns.log" versions 3 size 10m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel log_queries {
                file "/var/log/dns_queries.log" versions 3 size 20m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category default {log_dns;};
        category queries {log_queries;};
        category lame-servers { null;};
        category edns-disabled { null; };
};
..
..

Full named.conf configuration :

options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        forwarders { 8.8.8.8; };
};
include "/etc/rndc.key";

logging {
        channel log_dns {
                file "/var/log/dns.log" versions 3 size 10m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        channel log_queries {
                file "/var/log/dns_queries.log" versions 3 size 20m;
                print-category yes;
                print-severity yes;
                print-time yes;
        };
        category default {log_dns;};
        category queries {log_queries;};
        category lame-servers { null;};
        category edns-disabled { null; };
};

// We are the master server for ehowstuff.local
zone "ehowstuff.local" {
        type master;
        file "/var/named/ehowstuff.local";
        allow-transfer {192.168.1.54;};
        allow-update {none;};
};

4. To follow the last lines of dns_queries.log, run :

[root@ns1 ~]# tail -f /var/log/dns_queries.log

Example logged DNS queries :

02-Jun-2012 23:45:09.958 queries: info: client 192.168.1.52#64527: query: www.facebook.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.023 queries: info: client 192.168.1.52#55959: query: www.lqconsulting.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.047 queries: info: client 192.168.1.52#60625: query: digg.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.098 queries: info: client 192.168.1.52#51729: query: reddit.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.137 queries: info: client 192.168.1.52#58908: query: www.adroll.com IN A + (192.168.1.44)
02-Jun-2012 23:45:10.966 queries: info: client 192.168.1.52#49432: query: mail.google.com IN A + (192.168.1.44)
02-Jun-2012 23:45:11.077 queries: info: client 192.168.1.52#58493: query: alerts.conduit-services.com IN A + (192.168.1.44)
02-Jun-2012 23:45:13.781 queries: info: client 192.168.1.52#55403: query: plus.google.com IN A + (192.168.1.44)
02-Jun-2012 23:46:20.203 queries: info: client 192.168.1.52#54825: query: realtime.services.disqus.com IN A + (192.168.1.44)
02-Jun-2012 23:46:30.113 queries: info: client 192.168.1.52#52337: query: qq.disqus.com IN A + (192.168.1.44)
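As an added example, not code from the original post, the following Python script parses query-log lines in the format above and applies the checks that the named.conf comments earlier on this page ask for: it counts queries per client and flags recursive queries (the `+` flag, RD set) from outside the networks the resolver is meant to serve, which is the symptom of an open resolver, ANY queries, and clients above a query budget. The allowed network 192.168.1.0/24, the budget and the three lines from client 203.0.113.9 are constructed for the example.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network
from typing import Dict, Iterable, List, Optional

# The 'queries' channel format written by the BIND 9.8 release used on this page.
# Newer releases add fields (such as "@0x..." and a "(qname)" suffix), so the
# pattern needs widening for them.
QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-[A-Za-z]{3}-\d{4} \d{2}:\d{2}:\d{2}\.\d{3}) queries: info: "
    r"client (?P<client>[0-9A-Fa-f.:]+)#(?P<port>\d+): query: "
    r"(?P<qname>\S+) (?P<qclass>\S+) (?P<qtype>\S+) (?P<flags>\S+) "
    r"\((?P<server>[0-9A-Fa-f.:]+)\)$"
)

def parse_query_line(line: str) -> Optional[Dict[str, str]]:
    m = QUERY_RE.match(line.strip())
    return m.groupdict() if m else None

def audit_queries(lines: Iterable[str], allowed_nets: Iterable[str],
                  max_per_client: int = 50) -> dict:
    """Summarise a query log and flag: recursive queries ('+' = RD flag set) from
    clients outside allowed_nets, ANY queries, and clients above a query budget."""
    allowed = [ip_network(n) for n in allowed_nets]
    per_client: Counter = Counter()
    any_by_client: Counter = Counter()
    external_rd: Counter = Counter()
    for line in lines:
        q = parse_query_line(line)
        if q is None:
            continue  # lines from other channels, or a format this pattern does not cover
        client = q["client"]
        per_client[client] += 1
        if q["qtype"] == "ANY":
            any_by_client[client] += 1
        internal = any(ip_address(client) in net for net in allowed)
        if not internal and q["flags"].startswith("+"):
            external_rd[client] += 1
    findings: List[str] = []
    for client, n in external_rd.items():
        findings.append(f"client {client} outside the allowed networks sent {n} "
                        f"recursive queries (open-resolver exposure)")
    for client, n in any_by_client.items():
        findings.append(f"client {client} sent {n} ANY queries")
    for client, n in per_client.items():
        if n > max_per_client:
            findings.append(f"client {client} sent {n} queries, above the budget of {max_per_client}")
    return {"per_client": per_client, "any_by_client": any_by_client, "findings": findings}

# Four lines from the page plus three constructed lines from a client in the
# 203.0.113.0/24 documentation range asking for recursion on ANY queries.
SAMPLE_LOG = [
    "02-Jun-2012 23:45:09.958 queries: info: client 192.168.1.52#64527: query: www.facebook.com IN A + (192.168.1.44)",
    "02-Jun-2012 23:45:10.047 queries: info: client 192.168.1.52#60625: query: digg.com IN A + (192.168.1.44)",
    "02-Jun-2012 23:45:10.098 queries: info: client 192.168.1.52#51729: query: reddit.com IN A + (192.168.1.44)",
    "02-Jun-2012 23:45:10.966 queries: info: client 192.168.1.52#49432: query: mail.google.com IN A + (192.168.1.44)",
    "02-Jun-2012 23:47:01.101 queries: info: client 203.0.113.9#4000: query: example.com IN ANY + (192.168.1.44)",
    "02-Jun-2012 23:47:01.102 queries: info: client 203.0.113.9#4000: query: example.com IN ANY + (192.168.1.44)",
    "02-Jun-2012 23:47:01.103 queries: info: client 203.0.113.9#4000: query: example.com IN ANY + (192.168.1.44)",
]

if __name__ == "__main__":
    result = audit_queries(SAMPLE_LOG, ["192.168.1.0/24"], max_per_client=5)
    print(dict(result["per_client"]))
    print("\n".join(result["findings"]) or "no findings")
```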

How to Setup Private DNS With Bind9 Chroot on CentOS 6.2 VPS

Suppose you have already bought two Virtual Private Servers (VPS) but do not want to point your nameservers at your hosting provider. To look more professional, you can run two private nameservers such as ns1.ehowstuff.local and ns2.ehowstuff.local. This post shows the steps to set up and run your own Bind9 chroot private nameservers on a CentOS 6.2 VPS or dedicated server with at least 2 IP addresses. To fit your requirements, replace the domain (ehowstuff.local) and the IP addresses with your own.

ns1.ehowstuff.local : 192.168.1.44 (Master Private DNS server)
ns2.ehowstuff.local : 192.168.1.54 (Slave Private DNS server)

1. Install Bind Chroot DNS Server on both the Master and the Slave server :

Master DNS Server

[root@ns1 ~]# yum install bind-chroot -y

Slave DNS server

[root@ns2 ~]# yum install bind-chroot -y

Master DNS Server

2. Log in to the Primary DNS server (ns1) and create the file /var/named/chroot/var/named/ehowstuff.local with the following configuration:

[root@ns1 ~]# vim /var/named/chroot/var/named/ehowstuff.local
;
;       Addresses and other host information.
;
$TTL 14400
ehowstuff.local.        IN      SOA     ns1.ehowstuff.local.    admin.ehowstuff.local. (
                                        2012060201      ; Serial
                                        86400      ; Refresh
                                        7200       ; Retry
                                        3600000    ; Expire
                                        86400 )  ; Minimum

;A record for domain mapping domain to IP
ehowstuff.local.        IN      A       192.168.1.44

; Define at least 2 private nameservers
ehowstuff.local.        IN      NS      ns1.ehowstuff.local.
ehowstuff.local.        IN      NS      ns2.ehowstuff.local.

; Map the 2 private nameservers to IP addresses using A records
ns1     IN      A       192.168.1.44
ns2     IN      A       192.168.1.54

; Specify subdomains if any using CNAME or alias.
www     IN      CNAME   ehowstuff.local.
ftp     IN      CNAME   ehowstuff.local.

; Mail exchanger. The mail host itself still needs its own A record.
ehowstuff.local.        IN      MX      10      mail.ehowstuff.local.

3. Still on ns1, generate an RNDC key :
The rndc tool is used to manage the named daemon. We need to generate a key file called /etc/rndc.key, which is referenced by both /etc/rndc.conf and /etc/named.conf. To do this we use the following command:

[root@ns1 ~]# rndc-confgen -a -c /etc/rndc.key
wrote key file "/etc/rndc.key"

View the content of the RNDC key :

[root@ns1 ~]# cat /etc/rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "T6tduqyMQ/YbIDXOmE0Fzg==";
};

4. On ns1, edit the /var/named/chroot/etc/named.conf file for ehowstuff.local :

[root@ns1 ~]# vi /var/named/chroot/etc/named.conf
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        forwarders { 8.8.8.8; };
};
include "/etc/rndc.key";
// We are the master server for ehowstuff.local

zone "ehowstuff.local" {
        type master;
        file "/var/named/ehowstuff.local";
        allow-transfer { 192.168.1.54; };
        allow-update { none; };
};

5. Start the DNS service using the following command :

[root@ns1 ~]# /etc/init.d/named start
Starting named:                                            [  OK  ]

6. Make named daemon auto start during boot :

[root@ns1 ~]# chkconfig named on

Slave DNS Server

7. Making a slave DNS server is easy. Log in to the other DNS server (ns2) and open the named.conf file. You need not create any zone file, as the slave will automatically download the master zone information through a zone transfer. After some time, you can view the transferred zone file :

[root@ns2 ~]# vi /var/named/chroot/etc/named.conf
zone "ehowstuff.local" {
        type slave;
        file "/var/named/slaves/ehowstuff.local";
        masters { 192.168.1.44; };
};

Note: BIND will not allow you to run the master and the slave on the same server, even though you have 2 IP addresses.
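The slave only pulls a fresh copy of the zone when the master's SOA serial has increased, so every edit to the zone file in step 2 must be followed by a serial bump or ns2 keeps serving the old data. The POSIX-shell helper below is an added example, not part of the original post: it assumes the YYYYMMDDnn serial scheme and the "; Serial" comment marker used in the zone file above, compares serials with RFC 1982 arithmetic, and rewrites the file in place. The zone content is constructed for the example.

```shell
#!/bin/sh
# Bump the SOA serial of a master zone file kept in the YYYYMMDDnn scheme.
# Slaves transfer the zone only when the master's serial is "newer" in the
# RFC 1982 sense, so this never lets the serial go backwards.
# The zone below is constructed for this example (same layout as step 2).

SAMPLE_ZONE='$TTL 14400
ehowstuff.local.        IN      SOA     ns1.ehowstuff.local.    admin.ehowstuff.local. (
                                        2012060201      ; Serial
                                        86400      ; Refresh
                                        7200       ; Retry
                                        3600000    ; Expire
                                        86400 )  ; Minimum
ehowstuff.local.        IN      NS      ns1.ehowstuff.local.
ehowstuff.local.        IN      NS      ns2.ehowstuff.local.
ns1     IN      A       192.168.1.44
ns2     IN      A       192.168.1.54'

# Print the current serial: the first number on the line tagged "; Serial".
zone_serial() {
    awk '/;[[:space:]]*Serial/ { print $1; exit }' "$1"
}

# RFC 1982 comparison: is serial $1 newer than serial $2?  (exit 0 = yes)
# Newer means (a - b) mod 2^32 lies in (0, 2^31).
serial_newer() {
    d=$(( ($1 - $2) % 4294967296 ))
    [ "$d" -lt 0 ] && d=$(( d + 4294967296 ))
    [ "$d" -gt 0 ] && [ "$d" -lt 2147483648 ]
}

# Next serial from the current one and a date given as YYYYMMDD.
# Same day: increment the two-digit counter; new day: start at 01.
next_serial() {
    cur=$1; today=$2
    case $cur in
        "$today"[0-9][0-9])
            n=${cur#"$today"}
            if [ "$n" = 99 ]; then
                echo "serial counter exhausted for $today" >&2; return 1
            fi
            printf '%s%02d\n' "$today" $(( ${n#0} + 1 ))   # strip leading zero first
            ;;
        *)
            new="${today}01"
            # A serial that is already ahead of today (clock skew, hand edit) is
            # simply incremented, so the slave still sees an increase.
            if serial_newer "$cur" "$new"; then
                printf '%s\n' $(( cur + 1 ))
            else
                printf '%s\n' "$new"
            fi
            ;;
    esac
}

# Rewrite FILE with the bumped serial and print the new value.
# Usage: bump_serial /var/named/chroot/var/named/ehowstuff.local [YYYYMMDD]
bump_serial() {
    file=$1; today=${2:-$(date +%Y%m%d)}
    cur=$(zone_serial "$file")
    if [ -z "$cur" ]; then
        echo "no '; Serial' line found in $file" >&2; return 1
    fi
    new=$(next_serial "$cur" "$today") || return 1
    awk -v old="$cur" -v new="$new" '
        !done && /;[[:space:]]*Serial/ { sub(old, new); done = 1 }
        { print }' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    printf '%s\n' "$new"
}

# Demo on the constructed zone when run stand-alone.
demo=$(mktemp)
printf '%s\n' "$SAMPLE_ZONE" > "$demo"
echo "serial before: $(zone_serial "$demo")"
echo "serial after:  $(bump_serial "$demo" 20120602)"
rm -f "$demo"
```

After bumping, reload the zone on ns1 (for example with rndc) so a NOTIFY goes to ns2; until then the slave still holds the old serial.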

8. Start the DNS service using the following command :

[root@ns2 ~]# /etc/init.d/named start
Starting named:                                            [  OK  ]

9. Make named daemon auto start during boot :

[root@ns2 ~]# chkconfig named on

10. Before testing, make sure your PC or server is using the Bind Chroot DNS servers that have been set up :

[root@ns1 ~]# cat /etc/resolv.conf
nameserver 192.168.1.44
nameserver 192.168.1.54
[root@ns2 ~]# cat /etc/resolv.conf
nameserver 192.168.1.44
nameserver 192.168.1.54

11. Test your DNS service :

Test from Master DNS server (ns1)

[root@ns1 ~]# dig ehowstuff.local

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> ehowstuff.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 25783
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ehowstuff.local.               IN      A

;; ANSWER SECTION:
ehowstuff.local.        14400   IN      A       192.168.1.44

;; AUTHORITY SECTION:
ehowstuff.local.        14400   IN      NS      ns1.ehowstuff.local.
ehowstuff.local.        14400   IN      NS      ns2.ehowstuff.local.

;; ADDITIONAL SECTION:
ns1.ehowstuff.local.    14400   IN      A       192.168.1.44
ns2.ehowstuff.local.    14400   IN      A       192.168.1.54

;; Query time: 0 msec
;; SERVER: 192.168.1.44#53(192.168.1.44)
;; WHEN: Sat Jun  2 14:46:46 2012
;; MSG SIZE  rcvd: 117
[root@ns1 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
[root@ns1 ~]# host -t ns ehowstuff.local
ehowstuff.local name server ns2.ehowstuff.local.
ehowstuff.local name server ns1.ehowstuff.local.

Test from Slave DNS server (ns2)

[root@ns2 ~]# dig ehowstuff.local

; <<>> DiG 9.7.3-P3-RedHat-9.7.3-8.P3.el6_2.2 <<>> ehowstuff.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11526
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ehowstuff.local.               IN      A

;; ANSWER SECTION:
ehowstuff.local.        14400   IN      A       192.168.1.44

;; AUTHORITY SECTION:
ehowstuff.local.        14400   IN      NS      ns2.ehowstuff.local.
ehowstuff.local.        14400   IN      NS      ns1.ehowstuff.local.

;; ADDITIONAL SECTION:
ns1.ehowstuff.local.    14400   IN      A       192.168.1.44
ns2.ehowstuff.local.    14400   IN      A       192.168.1.54

;; Query time: 3 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sat Jun  2 15:26:19 2012
;; MSG SIZE  rcvd: 117
[root@ns2 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
[root@ns2 ~]# host -t ns ehowstuff.local
ehowstuff.local name server ns2.ehowstuff.local.
ehowstuff.local name server ns1.ehowstuff.local.

How to Install Bind Utilities on Fedora 16

Question :
When I try to test an MX record using the host command or other BIND utilities such as nslookup, I get this error :

[root@fedora16 ~]# host -t mx fedora16.local
-bash: host: command not found

Solution :
BIND Utilities is not a separate piece of software; it is the collection of client-side programs that ship with BIND 9, packaged as bind-utils. It includes the client-side programs nslookup, dig and host.

Simply run the following command to install bind-utils on Fedora 16 :

[root@fedora16 ~]# yum install bind-utils -y

Examples :

[root@fedora16 ~]# yum install bind-utils -y
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-utils.i686 32:9.8.2-1.fc16 will be installed
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                 Arch              Version                       Repository            Size
====================================================================================================
Installing:
 bind-utils              i686              32:9.8.2-1.fc16               updates              179 k

Transaction Summary
====================================================================================================
Install       1 Package

Total download size: 179 k
Installed size: 411 k
Downloading Packages:
bind-utils-9.8.2-1.fc16.i686.rpm                                             | 179 kB     00:01
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing : 32:bind-utils-9.8.2-1.fc16.i686                                                  1/1

Installed:
  bind-utils.i686 32:9.8.2-1.fc16

Complete!

Test DNS using host command example :

[root@fedora16 ~]# host -t mx fedora16.local
fedora16.local mail is handled by 10 mail.fedora16.local.

Test DNS using nslookup command example:

[root@fedora16 ~]# nslookup
> ns.fedora16.local
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ns.fedora16.local
Address: 192.168.1.47
> mail.fedora16.local
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   mail.fedora16.local
Address: 192.168.1.51

How to Install and Configure Bind Chroot DNS Server on Fedora 16

DNS is the Domain Name System, which maintains a database that helps a user's computer translate domain names such as www.ehowstuff.com to IP addresses such as 184.173.214.97. DNS on CentOS and Fedora is based on the named daemon, which is built on the BIND package developed by the Internet Software Consortium. (More information is available from the BIND home page at www.isc.org/products/BIND.) Several RPM packages are associated with DNS, but not all of them are required to build a Bind Chroot DNS server: bind includes the basic name server software, including /usr/sbin/named; bind-chroot includes the directories that isolate BIND in a so-called "chroot jail," which limits access if DNS is compromised. In this post, I will guide you on how to install and configure Bind Chroot DNS server on a Linux Fedora 16 server.

1. Simply run this command to install Bind Chroot DNS Server :

[root@fedora16 ~]# yum install bind-chroot -y

Examples :

[root@fedora16 ~]# yum install bind-chroot -y
Fedora16-Repository                                                          | 3.7 kB     00:00 ...
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.i686 32:9.8.2-1.fc16 will be installed
--> Processing Dependency: bind = 32:9.8.2-1.fc16 for package: 32:bind-chroot-9.8.2-1.fc16.i686
--> Running transaction check
---> Package bind.i686 32:9.8.2-1.fc16 will be installed
--> Processing Dependency: bind-libs = 32:9.8.2-1.fc16 for package: 32:bind-9.8.2-1.fc16.i686
--> Processing Dependency: liblwres.so.80 for package: 32:bind-9.8.2-1.fc16.i686
--> Processing Dependency: libisccfg.so.82 for package: 32:bind-9.8.2-1.fc16.i686
--> Processing Dependency: libisccc.so.80 for package: 32:bind-9.8.2-1.fc16.i686
--> Processing Dependency: libisc.so.83 for package: 32:bind-9.8.2-1.fc16.i686
--> Processing Dependency: libdns.so.81 for package: 32:bind-9.8.2-1.fc16.i686
--> Processing Dependency: libbind9.so.80 for package: 32:bind-9.8.2-1.fc16.i686
--> Running transaction check
---> Package bind-libs.i686 32:9.8.2-1.fc16 will be installed
--> Processing Dependency: bind-license = 32:9.8.2-1.fc16 for package: 32:bind-libs-9.8.2-1.fc16.i686
--> Running transaction check
---> Package bind-license.noarch 32:9.8.1-2.fc16 will be updated
--> Processing Dependency: bind-license = 32:9.8.1-2.fc16 for package: 32:bind-libs-lite-9.8.1-2.fc16.i686
---> Package bind-license.noarch 32:9.8.2-1.fc16 will be an update
--> Running transaction check
---> Package bind-libs-lite.i686 32:9.8.1-2.fc16 will be updated
---> Package bind-libs-lite.i686 32:9.8.2-1.fc16 will be an update
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                   Arch              Version                       Repository          Size
====================================================================================================
Installing:
 bind-chroot               i686              32:9.8.2-1.fc16               updates             71 k
Installing for dependencies:
 bind                      i686              32:9.8.2-1.fc16               updates            2.0 M
 bind-libs                 i686              32:9.8.2-1.fc16               updates            860 k
Updating for dependencies:
 bind-libs-lite            i686              32:9.8.2-1.fc16               updates            621 k
 bind-license              noarch            32:9.8.2-1.fc16               updates             72 k

Transaction Summary
====================================================================================================
Install       3 Packages
Upgrade       2 Packages

Total download size: 3.6 M
Downloading Packages:
(1/5): bind-9.8.2-1.fc16.i686.rpm                                            | 2.0 MB     00:18
(2/5): bind-chroot-9.8.2-1.fc16.i686.rpm                                     |  71 kB     00:00
(3/5): bind-libs-9.8.2-1.fc16.i686.rpm                                       | 860 kB     00:07
(4/5): bind-libs-lite-9.8.2-1.fc16.i686.rpm                                  | 621 kB     00:04
(5/5): bind-license-9.8.2-1.fc16.noarch.rpm                                  |  72 kB     00:00
----------------------------------------------------------------------------------------------------
Total                                                               113 kB/s | 3.6 MB     00:32
Running Transaction Check
Running Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating   : 32:bind-license-9.8.2-1.fc16.noarch                                              1/7
  Installing : 32:bind-libs-9.8.2-1.fc16.i686                                                   2/7
  Installing : 32:bind-9.8.2-1.fc16.i686                                                        3/7
  Installing : 32:bind-chroot-9.8.2-1.fc16.i686                                                 4/7
  Updating   : 32:bind-libs-lite-9.8.2-1.fc16.i686                                              5/7
  Cleanup    : 32:bind-libs-lite-9.8.1-2.fc16.i686                                              6/7
  Cleanup    : 32:bind-license-9.8.1-2.fc16.noarch                                              7/7

Installed:
  bind-chroot.i686 32:9.8.2-1.fc16

Dependency Installed:
  bind.i686 32:9.8.2-1.fc16                      bind-libs.i686 32:9.8.2-1.fc16

Dependency Updated:
  bind-libs-lite.i686 32:9.8.2-1.fc16              bind-license.noarch 32:9.8.2-1.fc16

Complete!

2. Create a file /var/named/chroot/var/named/fedora16.local with the following configuration:

[root@fedora16 ~]# vi /var/named/chroot/var/named/fedora16.local

Examples :

;
;       Addresses and other host information.
;
@       IN      SOA     fedora16.local. hostmaster.fedora16.local. (
                               2012051901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns.fedora16.local.
               IN      A       192.168.1.47
               IN      MX      10 mail.fedora16.local.

mail            IN      A       192.168.1.51
ns              IN      A       192.168.1.47

3. Generate an RNDC key :
The rndc tool is used to manage the named daemon. We need to generate a key file called /etc/rndc.key, which is referenced by both /etc/rndc.conf and /etc/named.conf. To do this we use the following command :

[root@fedora16 ~]# rndc-confgen -a -c /etc/rndc.key
wrote key file "/etc/rndc.key"

View the content of the RNDC key :

[root@fedora16 ~]# cat /etc/rndc.key
key "rndc-key" {
        algorithm hmac-md5;
        secret "B2rQEFnrdcAzAt2BiUmBug==";
};

4. Edit the /var/named/chroot/etc/named.conf file for fedora16.local :

[root@fedora16 ~]# vi /var/named/chroot/etc/named.conf
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        forwarders { 8.8.8.8; };
};
include "/etc/rndc.key";
// We are the master server for fedora16.local

zone "fedora16.local" {
        type master;
        file "fedora16.local";
};

5. Start the DNS service using the following command :

[root@fedora16 ~]# /etc/init.d/named start
Starting named (via systemctl):                            [  OK  ]

6. Make named daemon auto start during boot :

[root@fedora16 ~]# chkconfig named on

7. Before testing, make sure your PC or server is using the Bind Chroot DNS Server that has been set up :

Test DNS using host command :

[root@fedora16 ~]# host -t mx fedora16.local
fedora16.local mail is handled by 10 mail.fedora16.local.

Test DNS using nslookup command :

[root@fedora16 ~]# nslookup
> ns.fedora16.local
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   ns.fedora16.local
Address: 192.168.1.47
> mail.fedora16.local
Server:         127.0.0.1
Address:        127.0.0.1#53

Name:   mail.fedora16.local
Address: 192.168.1.51

How to Configure Bind Chroot DNS Server on Linux CentOS 5.7 Server

In this post, I will guide you on how to configure Bind Chroot DNS server on a Linux CentOS 5.7 server. DNS is the Domain Name System, which maintains a database that helps a user's computer translate domain names such as www.ehowstuff.com to IP addresses such as 184.173.214.97. DNS on CentOS is based on the named daemon, which is built on the BIND package developed by the Internet Software Consortium. (More information is available from the BIND home page at www.isc.org/products/BIND.) These steps have been tested on Linux CentOS 5.7, but they may also work on other versions such as CentOS 5.1, 5.2, 5.3, 5.4, 5.5 and 5.6.

1. Install Bind Chroot DNS Server :

[root@CentOS57 ~]# yum install bind-chroot -y

2. Create a file /var/named/chroot/var/named/bloggerbaru.local with the following configuration :

[root@CentOS57 ~]# vi /var/named/chroot/var/named/bloggerbaru.local
;
;       Addresses and other host information.
;
@       IN      SOA     bloggerbaru.local. hostmaster.bloggerbaru.local. (
                               2011030801      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns.bloggerbaru.local.
               IN      A       192.168.1.45
               IN      MX      10 mail.bloggerbaru.local.

mail            IN      A       192.168.1.45
ns              IN      A       192.168.1.45

3. Generate an RNDC key :
The rndc tool is used to manage the named daemon. We need to generate a key file called /etc/rndc.key, which is referenced by both /etc/rndc.conf and /etc/named.conf. Execute the following command to generate the RNDC key :

[root@CentOS57 ~]# rndc-confgen -a -c /etc/rndc.key
wrote key file "/etc/rndc.key"

4. View the content of the RNDC key :

[root@CentOS57 ~]# cat /etc/rndc.key
key "rndckey" {
        algorithm hmac-md5;
        secret "jwsFpL7OJR+x9w+YRkGrXA==";
};

5. Edit the /var/named/chroot/etc/named.conf file for bloggerbaru.local :

[root@CentOS57 ~]# vi /var/named/chroot/etc/named.conf
options {
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        forwarders { 8.8.8.8; };
};
include "/etc/rndc.key";
// We are the master server for bloggerbaru.local

zone "bloggerbaru.local" {
        type master;
        file "bloggerbaru.local";
};

6. Start the DNS service using the following command :

[root@CentOS57 ~]# /etc/init.d/named start
Starting named:                                            [  OK  ]

or

[root@CentOS57 ~]# service named start
Starting named:                                            [  OK  ]

7. To ensure the named daemon will start at boot, execute the following chkconfig :

[root@CentOS57 ~]# chkconfig named on

8. Before testing, make sure your PC or server is pointing to the DNS server that has been set up. In this case, I want to ensure that CentOS 5.7 is pointing to itself :

[root@CentOS57 ~]# cat /etc/resolv.conf
nameserver 127.0.0.1

9. Test your DNS service :

[root@CentOS57 ~]# host -t mx bloggerbaru.local
bloggerbaru.local mail is handled by 10 mail.bloggerbaru.local.

How to Install Bind Chroot DNS Server on Linux CentOS 5.7 Server

DNS is the Domain Name System, which maintains a database that helps a user's computer translate domain names such as www.ehowstuff.com to IP addresses such as 184.173.214.97. DNS on CentOS is based on the named daemon, which is built on the BIND package developed by the Internet Software Consortium. (More information is available from the BIND home page at www.isc.org/products/BIND.) In this post, I will guide you on how to install Bind Chroot DNS server on a Linux CentOS 5.7 server. These steps may also work on other versions such as CentOS 5.1, 5.2, 5.3, 5.4, 5.5 and 5.6.

1. Install Bind Chroot DNS Server on Linux CentOS 5.7 Server

[root@CentOS57 ~]# yum install bind-chroot -y
Loaded plugins: fastestmirror
Loading mirror speeds from cached hostfile
 * base: mirror.oscc.org.my
 * extras: mirror.oscc.org.my
 * rpmforge: ftp-stud.fht-esslingen.de
 * updates: mirror.oscc.org.my
Setting up Install Process
Resolving Dependencies
--> Running transaction check
---> Package bind-chroot.i386 30:9.3.6-20.P1.el5 set to be updated
--> Processing Dependency: bind = 30:9.3.6-20.P1.el5 for package: bind-chroot
--> Running transaction check
---> Package bind.i386 30:9.3.6-20.P1.el5 set to be updated
--> Processing Dependency: bind-libs = 30:9.3.6-20.P1.el5 for package: bind
--> Running transaction check
--> Processing Dependency: bind-libs = 30:9.3.6-16.P1.el5_7.1 for package: bind-utils
---> Package bind-libs.i386 30:9.3.6-20.P1.el5 set to be updated
--> Running transaction check
---> Package bind-utils.i386 30:9.3.6-20.P1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

====================================================================================================
 Package                  Arch              Version                         Repository         Size
====================================================================================================
Installing:
 bind-chroot              i386              30:9.3.6-20.P1.el5              base               47 k
Installing for dependencies:
 bind                     i386              30:9.3.6-20.P1.el5              base              981 k
Updating for dependencies:
 bind-libs                i386              30:9.3.6-20.P1.el5              base              863 k
 bind-utils               i386              30:9.3.6-20.P1.el5              base              174 k

Transaction Summary
====================================================================================================
Install       2 Package(s)
Upgrade       2 Package(s)

Total download size: 2.0 M
Downloading Packages:
(1/4): bind-chroot-9.3.6-20.P1.el5.i386.rpm                                  |  47 kB     00:00
(2/4): bind-utils-9.3.6-20.P1.el5.i386.rpm                                   | 174 kB     00:01
(3/4): bind-libs-9.3.6-20.P1.el5.i386.rpm                                    | 863 kB     00:07
(4/4): bind-9.3.6-20.P1.el5.i386.rpm                                         | 981 kB     00:08
----------------------------------------------------------------------------------------------------
Total                                                               111 kB/s | 2.0 MB     00:18
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Updating       : bind-libs                                                                    1/6
  Installing     : bind                                                                         2/6
  Installing     : bind-chroot                                                                  3/6
  Updating       : bind-utils                                                                   4/6
  Cleanup        : bind-libs                                                                    5/6
  Cleanup        : bind-utils                                                                   6/6

Installed:
  bind-chroot.i386 30:9.3.6-20.P1.el5

Dependency Installed:
  bind.i386 30:9.3.6-20.P1.el5

Dependency Updated:
  bind-libs.i386 30:9.3.6-20.P1.el5                bind-utils.i386 30:9.3.6-20.P1.el5

Complete!

2. Check the DNS named service :

[root@CentOS57 ~]# service named status
rndc: connect failed: 127.0.0.1#953: connection refused
named is stopped

The named daemon is stopped. You must configure Bind Chroot before you start it.

How to Configure Bind Chroot DNS Server on CentOS 6.2

In this post, I will show you how to configure Bind Chroot DNS Server on CentOS 6.2. It is assumed that you have already installed Bind Chroot DNS.

1. Install Bind Chroot DNS Server

    [root@centos62 ~]# yum install bind-chroot -y
    

2. Create a file /var/named/chroot/var/named/ehowstuff.local with the following configuration:

    [root@centos62 ~]# vi /var/named/chroot/var/named/ehowstuff.local
    
    ;
    ;       Addresses and other host information.
    ;
    @       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (
                                   2011030801      ; Serial
                                   43200      ; Refresh
                                   3600       ; Retry
                                   3600000    ; Expire
                                   2592000 )  ; Minimum
     
    ;       Define the nameservers and the mail servers
     
                   IN      NS      ns.ehowstuff.local.
                   IN      A       192.168.1.44
                   IN      MX      10 mail.ehowstuff.local.
     
    mail            IN      A       192.168.1.42
    ns              IN      A       192.168.1.44
    

3. Generate an RNDC key :
The rndc tool is used to manage the named daemon. We need to generate a key file called /etc/rndc.key, which is referenced by both /etc/rndc.conf and /etc/named.conf. To do this we use the following command:

    [root@centos62 ~]# rndc-confgen -a -c /etc/rndc.key
    wrote key file "/etc/rndc.key"
    

View the content of the RNDC key :

    [root@centos62 ~]# cat /etc/rndc.key
    key "rndc-key" {
            algorithm hmac-md5;
            secret "T6tduqyMQ/YbIDXOmE0Fzg==";
    };
    

4. Edit the /var/named/chroot/etc/named.conf file for ehowstuff.local

    [root@centos62 ~]# vi /var/named/chroot/etc/named.conf
    
    options {
            directory "/var/named";
            dump-file "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            forwarders { 8.8.8.8; };
    };
    include "/etc/rndc.key";
    // We are the master server for ehowstuff.local
    
    zone "ehowstuff.local" {
            type master;
            file "ehowstuff.local";
    };
    

5. Start the DNS service using the following command :

    [root@centos62 ~]# /etc/init.d/named start
    Starting named:                                            [  OK  ]
    

6. Make named daemon auto start during boot :

    [root@centos62 ~]# chkconfig named on
    

7. Before testing, make sure your pc or server using the Bind Chroot DNS Server that has been set up :

    [root@centos62 ~]# cat /etc/resolv.conf
    nameserver 192.168.1.44
    

8. Test your DNS service :

    [root@centos62 ~]# host -t mx ehowstuff.local
    ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
    
    [root@centos62 ~]# host -t ns ehowstuff.local
    ehowstuff.local name server ns.ehowstuff.local.
    

How to Install Bind Chroot DNS Server on CentOS 6.2

In this post, I will guide you on how to install Bind Chroot DNS server on CentOS 6.2. DNS is the Domain Name System, which maintains a database that helps a user's computer translate domain names such as www.ehowstuff.com to IP addresses such as 184.173.214.97. DNS on CentOS is based on the named daemon, which is built on the BIND package developed by the Internet Software Consortium. (More information is available from the BIND home page at www.isc.org/products/BIND.) The RPM packages associated with DNS are listed below; not all of them are required to build a Bind Chroot DNS server.

bind Includes the basic name server software, including /usr/sbin/named.

bind-chroot Includes directories that isolate BIND in a so-called “chroot jail,” which limits access if DNS is compromised.

bind-devel Includes development libraries for BIND.

bind-libbind-devel Contains the libbind BIND resolver library.

bind-libs Adds library files used by the bind and bind-utils RPMs.

bind-sdb Supports alternative databases, such as LDAP. Per the Red Hat Exam Prep guide and course outlines, I see no evidence that such relationships are covered on the Red Hat exams.

bind-utils Contains tools such as dig and host that provide information about a specific Internet host. It should already be installed in any minimum installation of RHEL.

caching-nameserver Includes files associated with a caching nameserver.

system-config-bind A GUI configuration tool useful for adding host and reverse address lookup data. It’s not officially a part of the DNS Name Server package group.

Simply run this command to install Bind Chroot DNS Server :

    [root@centos62 ~]# yum install bind-chroot -y
    Loaded plugins: fastestmirror
    Loading mirror speeds from cached hostfile
     * base: centos.maulvi.net
     * extras: centos.maulvi.net
     * rpmforge: fr2.rpmfind.net
     * updates: centos.maulvi.net
    rpmforge                                                                     | 1.1 kB     00:00
    rpmforge/primary                                                             | 1.5 MB     00:18
    rpmforge                                                                                  4233/4233
    Setting up Install Process
    Resolving Dependencies
    --> Running transaction check
    ---> Package bind-chroot.i686 32:9.7.3-8.P3.el6_2.2 will be installed
    --> Processing Dependency: bind = 32:9.7.3-8.P3.el6_2.2 for package: 32:bind-chroot-9.7.3-8.P3.el6_2.2.i686
    --> Running transaction check
    ---> Package bind.i686 32:9.7.3-8.P3.el6_2.2 will be installed
    --> Processing Dependency: bind-libs = 32:9.7.3-8.P3.el6_2.2 for package: 32:bind-9.7.3-8.P3.el6_2.2.i686
    --> Processing Dependency: libdns.so.69 for package: 32:bind-9.7.3-8.P3.el6_2.2.i686
    --> Processing Dependency: libbind9.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.2.i686
    --> Processing Dependency: libisccc.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.2.i686
    --> Processing Dependency: libisccfg.so.62 for package: 32:bind-9.7.3-8.P3.el6_2.2.i686
    --> Processing Dependency: liblwres.so.60 for package: 32:bind-9.7.3-8.P3.el6_2.2.i686
    --> Processing Dependency: libisc.so.62 for package: 32:bind-9.7.3-8.P3.el6_2.2.i686
    --> Running transaction check
    ---> Package bind-libs.i686 32:9.7.3-8.P3.el6_2.2 will be installed
    --> Finished Dependency Resolution
    
    Dependencies Resolved
    
    ====================================================================================================
     Package                Arch            Version                            Repository          Size
    ====================================================================================================
    Installing:
     bind-chroot            i686            32:9.7.3-8.P3.el6_2.2              updates             68 k
    Installing for dependencies:
     bind                   i686            32:9.7.3-8.P3.el6_2.2              updates            3.9 M
     bind-libs              i686            32:9.7.3-8.P3.el6_2.2              updates            850 k
    
    Transaction Summary
    ====================================================================================================
    Install       3 Package(s)
    
    Total download size: 4.8 M
    Installed size: 9.2 M
    Downloading Packages:
    (1/3): bind-9.7.3-8.P3.el6_2.2.i686.rpm                                      | 3.9 MB     00:35
    (2/3): bind-chroot-9.7.3-8.P3.el6_2.2.i686.rpm                               |  68 kB     00:00
    (3/3): bind-libs-9.7.3-8.P3.el6_2.2.i686.rpm                                 | 850 kB     00:08
    ----------------------------------------------------------------------------------------------------
    Total                                                               109 kB/s | 4.8 MB     00:45
    Running rpm_check_debug
    Running Transaction Test
    Transaction Test Succeeded
    Running Transaction
    Warning: RPMDB altered outside of yum.
      Installing : 32:bind-libs-9.7.3-8.P3.el6_2.2.i686                                             1/3
      Installing : 32:bind-9.7.3-8.P3.el6_2.2.i686                                                  2/3
      Installing : 32:bind-chroot-9.7.3-8.P3.el6_2.2.i686                                           3/3
    
    Installed:
      bind-chroot.i686 32:9.7.3-8.P3.el6_2.2
    
    Dependency Installed:
      bind.i686 32:9.7.3-8.P3.el6_2.2                bind-libs.i686 32:9.7.3-8.P3.el6_2.2
    
    Complete!
    
