{"id":4372,"date":"2013-02-24T15:42:49","date_gmt":"2013-02-24T07:42:49","guid":{"rendered":"https:\/\/webhostinggeeks.com\/howto\/?p=4372"},"modified":"2023-04-28T09:48:56","modified_gmt":"2023-04-28T09:48:56","slug":"how-to-setup-bind-chroot-dns-server-on-centos-6-3-x86_64","status":"publish","type":"post","link":"https:\/\/webhostinggeeks.com\/howto\/how-to-setup-bind-chroot-dns-server-on-centos-6-3-x86_64\/","title":{"rendered":"How to Setup Bind Chroot DNS Server on CentOS 6.3 x86_64"},"content":{"rendered":"

\"bind\"BIND (the Berkeley Internet Name Domain) also known as NAMED is the most widely used DNS server in the internet. Bind DNS helps to resolve domain name to ip address and ip address to domain name. There are essentially a few reasons to running your own internet DNS Server. First, of course we need to have full control of our registered domain name and second is to improve the speed of domain lookups. This post covers the steps on how to install Bind Chroot DNS Server on CentOS 6.3 64 Bit. It will describes some extra security precautions that you can take when you install BIND. The idea of chroot is fairly simple. When you run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this post, i will setting up BIND to run chrooted to the directory \/var\/named\/chroot\/<\/strong>. Well, to BIND, the contents of this directory will appear to be \/<\/strong>, the root directory. A “jail” is a software mechanism for limiting the ability of a process to access resources outside a very limited area, and it’s purposely to enhance the security.<\/p>\n

Where is Bind chrooted directory set ?<\/p>\n

\n[root@CentOS63 ~]# more \/etc\/sysconfig\/named\n<\/pre>\n
It was by default configured to \/var\/named\/chroot as below :<\/p>\n
\n..\n..\nROOTDIR=\/var\/named\/chroot\n<\/pre>\n
It is assumed that you already know how to install, configure and use BIND. If not, I would recommend that you read the Bind DNS HOWTO<\/a> first.<\/p>\n
1. Install Bind-Chroot :<\/p>\n
\n[root@CentOS63 ~]# yum install bind-chroot bind -y\n<\/pre>\n
2. Copy all bind related files to prepare bind chrooted environments :<\/p>\n
 \n[root@CentOS63 ~]# cp -R \/usr\/share\/doc\/bind-*\/sample\/var\/named\/* \/var\/named\/chroot\/var\/named\/\n<\/pre>\n
3. Create bind related files into chrooted directory :<\/p>\n
\n[root@CentOS63 ~]# touch \/var\/named\/chroot\/var\/named\/data\/cache_dump.db\n[root@CentOS63 ~]# touch \/var\/named\/chroot\/var\/named\/data\/named_stats.txt\n[root@CentOS63 ~]# touch \/var\/named\/chroot\/var\/named\/data\/named_mem_stats.txt\n[root@CentOS63 ~]# touch \/var\/named\/chroot\/var\/named\/data\/named.run\n[root@CentOS63 ~]# mkdir \/var\/named\/chroot\/var\/named\/dynamic\n[root@CentOS63 ~]# touch \/var\/named\/chroot\/var\/named\/dynamic\/managed-keys.bind\n<\/pre>\n
4. Bind lock file should be writeable, therefore set the permission to make it writable as below :<\/p>\n
\n[root@CentOS63 ~]# chmod -R 777 \/var\/named\/chroot\/var\/named\/data\n[root@CentOS63 ~]# chmod -R 777 \/var\/named\/chroot\/var\/named\/dynamic\n<\/pre>\n
5. Set if you do not use IPv6 :<\/p>\n
\n[root@CentOS63 ~]# echo 'OPTIONS=\"-4\"' >> \/etc\/sysconfig\/named\n<\/pre>\n
6. Configure main bind configuration in \/etc\/named.conf. Append the ehowstuff.local information to the file :<\/p>\n
\n[root@CentOS63 ~]# vi \/var\/named\/chroot\/etc\/named.conf\n<\/pre>\n
\n\/\/\n\/\/ named.conf\n\/\/\n\/\/ Provided by Red Hat bind package to configure the ISC BIND named(8) DNS\n\/\/ server as a caching only nameserver (as a localhost DNS resolver only).\n\/\/\n\/\/ See \/usr\/share\/doc\/bind*\/sample\/ for example named configuration files.\n\/\/\n\noptions {\n        listen-on port 53 { 127.0.0.1;192.168.2.58; };\n        listen-on-v6 port 53 { ::1; };\n        directory       \"\/var\/named\";\n        dump-file       \"\/var\/named\/data\/cache_dump.db\";\n        statistics-file \"\/var\/named\/data\/named_stats.txt\";\n        memstatistics-file \"\/var\/named\/data\/named_mem_stats.txt\";\n        allow-query     { localhost; };\n        recursion yes;\n\n        dnssec-enable yes;\n        dnssec-validation yes;\n        dnssec-lookaside auto;\n\n        \/* Path to ISC DLV key *\/\n        bindkeys-file \"\/etc\/named.iscdlv.key\";\n\n        managed-keys-directory \"\/var\/named\/dynamic\";\n};\n\nlogging {\n        channel default_debug {\n                file \"data\/named.run\";\n                severity dynamic;\n        };\n};\n\nzone \".\" IN {\n        type hint;\n        file \"named.ca\";\n};\n\nzone \"ehowstuff.local\" {\n    type master;\n    file \"ehowstuff.local.zone\";\n};\n\nzone \"2.168.192.in-addr.arpa\" IN {\n        type master;\n        file \"192.168.2.zone\";\n};\n\ninclude \"\/etc\/rndc.key\";\ninclude \"\/etc\/named.rfc1912.zones\";\ninclude \"\/etc\/named.root.key\";\n<\/pre>\n
7. Create Forward and Reverse zone files for domain ehowstuff.local.<\/p>\n
a) Create Forward Zone :<\/p>\n
\n[root@CentOS63 ~]# vi \/var\/named\/chroot\/var\/named\/ehowstuff.local.zone\n<\/pre>\n
\n;\n;       Addresses and other host information.\n;\n$TTL 86400\n@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (\n                               2013022401      ; Serial\n                               43200      ; Refresh\n                               3600       ; Retry\n                               3600000    ; Expire\n                               2592000 )  ; Minimum\n\n;       Define the nameservers and the mail servers\n\n               IN      NS      ns.ehowstuff.local.\n               IN      A       192.168.2.58\n               IN      MX      10 mail.ehowstuff.local.\n\nmail            IN      A       192.168.2.58\nns              IN      A       192.168.2.58\n<\/pre>\n
b) Create Reverse Zone :<\/p>\n
\n[root@CentOS63 ~]# vi \/var\/named\/chroot\/var\/named\/192.168.2.zone\n<\/pre>\n
\n;\n;       Addresses and other host information.\n;\n$TTL 86400\n@       IN      SOA     ehowstuff.local. hostmaster.ehowstuff.local. (\n                               2013022402      ; Serial\n                               43200      ; Refresh\n                               3600       ; Retry\n                               3600000    ; Expire\n                               2592000 )  ; Minimum\n\n2.168.192.in-addr.arpa. IN      NS      centos63.ehowstuff.local.\n\n58.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.\n58.2.168.192.in-addr.arpa. IN PTR ns.ehowstuff.local.\n<\/pre>\n
8. RHEL 6 and CentOS 6 apparently no longer generates the rndc.key during installation. Instead, the key is automatically generated on the first start of named service.<\/p>\n
Start Bind service :<\/p>\n
\n[root@CentOS6 ~]# service named start\nGenerating \/etc\/rndc.key:                                  [  OK  ]\nStarting named:                                            [  OK  ]\n<\/pre>\n
9. Configure Bind auto start at boot :<\/p>\n
\n[root@CentOS63 ~]# chkconfig --levels 235 named on\n<\/pre>\n
10. Verifying permissions and ownership. Created the files required inside the jail, but the matter of setting the permissions and ownership should remains.<\/p>\n
Go to chroot\/var\/named\/ directory :<\/p>\n
\n[root@CentOS63 ~]# cd \/var\/named\/chroot\/var\/named\/\n<\/pre>\n
Change owner as below :<\/p>\n
\n[root@CentOS63 named]# chown root:named ehowstuff.local.zone\n[root@CentOS63 named]# chown root:named 192.168.2.zone\n[root@CentOS63 named]# chown root:named my.external.zone.db\n[root@CentOS63 named]# chown root:named my.internal.zone.db\n[root@CentOS63 named]# chown root:named named.ca\n[root@CentOS63 named]# chown root:named named.localhost\n[root@CentOS63 named]# chown root:named named.loopback\n<\/pre>\n
Verify permissions and ownership rest of the chrooted directories :<\/p>\n
\n[root@CentOS63 ~]# ll \/var\/named\/\n<\/pre>\n
\ntotal 32\ndrwxr-x--- 6 root  named 4096 Feb 24 13:51 chroot\ndrwxrwx--- 2 named named 4096 Dec  7 04:49 data\ndrwxrwx--- 2 named named 4096 Dec  7 04:49 dynamic\n-rw-r----- 1 root  named 1892 Feb 18  2008 named.ca\n-rw-r----- 1 root  named  152 Dec 15  2009 named.empty\n-rw-r----- 1 root  named  152 Jun 21  2007 named.localhost\n-rw-r----- 1 root  named  168 Dec 15  2009 named.loopback\ndrwxrwx--- 2 named named 4096 Dec  7 04:49 slaves\n<\/pre>\n
\n[root@CentOS63 ~]# ll \/var\/named\/chroot\/\n<\/pre>\n
\ntotal 16\ndrwxr-x--- 2 root named 4096 Feb 24 13:51 dev\ndrwxr-x--- 4 root named 4096 Feb 24 14:40 etc\ndrwxr-x--- 3 root named 4096 Feb 24 13:51 usr\ndrwxr-x--- 6 root named 4096 Feb 24 13:51 var\n<\/pre>\n
\n[root@CentOS63 ~]# ll \/var\/named\/chroot\/etc\n<\/pre>\n
\ntotal 32\n-rw-r--r-- 1 root root   372 Feb 20 06:51 localtime\ndrwxr-x--- 2 root named 4096 Dec  7 04:49 named\n-rw-r--r-- 1 root named 1201 Feb 24 14:16 named.conf\n-rw-r--r-- 1 root named 2389 Dec  7 04:49 named.iscdlv.key\n-rw-r----- 1 root named  931 Jun 21  2007 named.rfc1912.zones\n-rw-r--r-- 1 root named  487 Jul 19  2010 named.root.key\ndrwxr-x--- 3 root named 4096 Feb 24 13:51 pki\n-rw-r----- 1 root named   77 Feb 24 14:00 rndc.key\n<\/pre>\n
\n[root@CentOS63 ~]# ll \/var\/named\/chroot\/var\/named\/\n<\/pre>\n
\ntotal 44\n-rw-r-xr-x 1 root  named  551 Feb 24 15:28 192.168.2.zone\ndrwxrwxrwx 2 named named 4096 Feb 24 14:04 data\ndrwxrwxrwx 2 named named 4096 Feb 24 15:30 dynamic\n-rw-r-xr-x 1 root  named  681 Feb 24 15:28 ehowstuff.local.zone\n-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.external.zone.db\n-rw-r--r-- 1 root  named   56 Feb 24 13:54 my.internal.zone.db\n-rw-r--r-- 1 root  named 1892 Feb 24 13:54 named.ca\n-rw-r--r-- 1 root  root   152 Feb 24 13:54 named.empty\n-rw-r--r-- 1 root  named  152 Feb 24 13:54 named.localhost\n-rw-r--r-- 1 root  named  168 Feb 24 13:54 named.loopback\ndrwxr-xr-x 2 named named 4096 Feb 24 13:54 slaves\n<\/pre>\n
11. Test and make sure it’s working.<\/p>\n
\n[root@CentOS63 ~]# host -t mx ehowstuff.local\nehowstuff.local mail is handled by 10 mail.ehowstuff.local.\n[root@CentOS63 ~]# nslookup\n> set type=any\n> ehowstuff.local\nServer:         192.168.2.58\nAddress:        192.168.2.58#53\n\nehowstuff.local\n        origin = ehowstuff.local\n        mail addr = hostmaster.ehowstuff.local\n        serial = 2013023401\n        refresh = 43200\n        retry = 3600\n        expire = 3600000\n        minimum = 2592000\nehowstuff.local nameserver = ns.ehowstuff.local.\nName:   ehowstuff.local\nAddress: 192.168.2.58\nehowstuff.local mail exchanger = 10 mail.ehowstuff.local.\n>\n<\/pre>\n
12. If your server does not have nslookup, host or dig command, then you should install bind-utils. All this utilities are the friendly and useful utilities to test and diagnose the DNS issue.<\/p>\n
\n[root@CentOS6 ~]# yum install bind-utils\nLoaded plugins: fastestmirror\nLoading mirror speeds from cached hostfile\n * base: centos.biz.net.id\n * extras: centos.biz.net.id\n * updates: centos.biz.net.id\nSetting up Install Process\nResolving Dependencies\n--> Running transaction check\n---> Package bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6 will be installed\n--> Finished Dependency Resolution\n\nDependencies Resolved\n\n========================================================================================================================\n Package                   Arch                  Version                                   Repository              Size\n========================================================================================================================\nInstalling:\n bind-utils                x86_64                32:9.8.2-0.10.rc1.el6_3.6                 updates                182 k\n\nTransaction Summary\n========================================================================================================================\nInstall       1 Package(s)\n\nTotal download size: 182 k\nInstalled size: 438 k\nIs this ok [y\/N]: y\nDownloading Packages:\nbind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64.rpm                                                     | 182 kB     00:02\nRunning rpm_check_debug\nRunning Transaction Test\nTransaction Test Succeeded\nRunning Transaction\n  Installing : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1\/1\n  Verifying  : 32:bind-utils-9.8.2-0.10.rc1.el6_3.6.x86_64                                                          1\/1\n\nInstalled:\n  bind-utils.x86_64 32:9.8.2-0.10.rc1.el6_3.6\n\nComplete!\n<\/pre>\n","protected":false},"excerpt":{"rendered":"
BIND (the Berkeley Internet Name Domain) also known as NAMED is the most widely used DNS server in the internet. Bind DNS helps to resolve domain name to ip address…<\/p>\n","protected":false},"author":6,"featured_media":3276,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"wds_primary_category":0,"footnotes":""},"categories":[1111,2055,1138],"tags":[1228,1254,1280,1337,1536,1670],"class_list":["post-4372","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-bind9","category-centos","category-dns","tag-bind","tag-centos-6-3","tag-chroot","tag-dns","tag-linux","tag-private-nameservers"],"_links":{"self":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/4372","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/users\/6"}],"replies":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/comments?post=4372"}],"version-history":[{"count":0,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/posts\/4372\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media\/3276"}],"wp:attachment":[{"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/media?parent=4372"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/categories?post=4372"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/webhostinggeeks.com\/howto\/wp-json\/wp\/v2\/tags?post=4372"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}