Bind: Quick install guide to install and setup Bind (DNS server) in secure (chroot) environment in Linux (CentOS, Redhat Enterprise (RHEL), Fedora).

There are a lot of great articles on setting up Bind, and some of them go into great detail on setting up a secure DNS server with Bind. I have used one of them time after time: Linux Howto: Chroot Bind How To. The one thing I do not like about it is that I had to read through things I really do not need to know or already know. So I have put together this quick How To based on that great guide. Setting up a secure DNS server using bind is not very complicated.

Let us dive in. First we create the unprivileged named user and group (no login shell) and set up the chroot directory structure, including the two device nodes named needs inside the jail.

echo "named:x:200:200:Nameserver:/chroot/named:/bin/false" >> /etc/passwd
echo "named:x:200:" >> /etc/group
mkdir -p /chroot/named
cd /chroot/named
mkdir -p dev etc/namedb/slave var/run
chown -R named:named /chroot/named/etc/namedb/slave
chown named:named /chroot/named/var/run
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/{null,random}
cp /etc/localtime /chroot/named/etc/

vi /etc/sysconfig/syslog
Edit the line which starts with SYSLOGD_OPTIONS so that it looks like: SYSLOGD_OPTIONS="-m 0 -a /chroot/named/dev/log" (the -a flag makes syslogd listen on an additional socket inside the chroot, because named cannot reach the real /dev/log from the jail).
Let us restart syslog to pick up the new settings, then lock down the chroot files on the server.

/etc/rc.d/init.d/syslog stop
/etc/rc.d/init.d/syslog start
chown root /chroot
chmod 700 /chroot
chown named:named /chroot/named
chmod 700 /chroot/named
cd /chroot/named
chattr +i etc/localtime var
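The following check script is an added example and is not part of the original how-to. It verifies that the chroot built above has the directories, the 0700 mode on the jail root, the copied localtime and, most importantly, real character devices for /dev/null and /dev/random, and that the named.conf you create in the next steps is present inside the jail. It prints one line per problem and returns the number of problems found. The default root path is the one used in this guide; a different jail can be passed as the first argument.

```shell
#!/bin/sh
# Added example (not from the original how-to): verify the named chroot layout.
# check_chroot [ROOT]  - ROOT defaults to /chroot/named as used in this guide.
# Prints one line per problem and returns the number of problems (0 = all good).
check_chroot() {
    root=${1:-/chroot/named}
    problems=0

    # Directories named expects inside the jail (mkdir -p step above)
    for d in dev etc etc/namedb etc/namedb/slave var/run; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            problems=$((problems + 1))
        fi
    done

    # /dev/null and /dev/random must be real character devices (mknod step above).
    # A plain file with the same name would leave named without a working entropy source.
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "not a character device: $root/dev/$dev"
            problems=$((problems + 1))
        fi
    done

    # Timezone copy so log timestamps inside the jail are local time
    if [ ! -f "$root/etc/localtime" ]; then
        echo "missing file: $root/etc/localtime"
        problems=$((problems + 1))
    fi

    # The jail root must be mode 0700 (chmod 700 step above).
    # find -prune -perm is POSIX, so this does not depend on GNU stat.
    if [ -d "$root" ] && [ -z "$(find "$root" -prune -perm 0700)" ]; then
        echo "unexpected mode on $root (expected 0700)"
        problems=$((problems + 1))
    fi

    # The config that named loads with -c /etc/named.conf lives inside the jail
    if [ ! -f "$root/etc/named.conf" ]; then
        echo "missing config: $root/etc/named.conf"
        problems=$((problems + 1))
    fi

    return "$problems"
}
```

Source the file and run `check_chroot` (or `check_chroot /some/other/jail`) as root before starting named; a non-zero return value is the count of things still wrong.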

Let us remove any previous bind install, since most Linux installations have named (bind) pre-installed.

rpm -qa |grep bind
rpm -e --nodeps <copy-paste-all-the-packages-separated-by-space>

Let us get the source files for bind and install it. At the time of writing, bind 9.4.1 is the latest.

wget http://ftp.isc.org/isc/bind9/9.4.1/bind-9.4.1.tar.gz
tar zxpfv bind-*.gz
cd bind*
./configure
make && make install

Copy the following content to /etc/init.d/named

#!/bin/sh
#
# named          This shell script takes care of starting and stopping
#                named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
#              that is used to resolve host names to IP addresses.
# probe: true
#
# Source function library.
. /etc/rc.d/init.d/functions
#
# Source networking configuration.
. /etc/sysconfig/network
#
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
#
# The binary lives outside the chroot, the config inside it.
[ -f /usr/local/sbin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0
#
# See how we were called.
case "$1" in
  start)
        # Start daemons. -u drops privileges to the named user, -t sets the
        # chroot, and -c is the config path as seen from inside the chroot.
        echo -n "Starting named: "
        daemon /usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        kill `pidof named`
        echo
        rm -f /var/lock/subsys/named
        ;;
  status)
        status named
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        exit $?
        ;;
  reload)
        /usr/local/sbin/rndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
esac
#
exit 0

Make it executable: chmod +x /etc/init.d/named
Let us set it so "named" will automatically start at boot: chkconfig --add named

Save the following configuration into /chroot/named/etc/named.conf. All paths in it are relative to the chroot, so "/etc/namedb" here is really /chroot/named/etc/namedb on disk.

options {
    recursion no;                        // refuse recursive lookups on behalf of clients
    directory "/etc/namedb";             // working directory (inside the chroot)
    pid-file "/var/run/named.pid";       // pid file, also inside the chroot
    forwarders {
        10.10.10.10;                     // IP of the DNS server to forward requests to
    };
    statistics-file "/var/run/named.stats";
    query-source address * port 53;      // caveat: pinning the source port disables source-port
                                         // randomization for outgoing queries; drop "port 53"
                                         // unless a firewall rule forces it
    version "Bind 10";                   // hide the real version string
};
// The key named in the controls block below must be defined, otherwise named
// exits at startup with "unknown key 'rndc-key'". Generate the secret with
// rndc-confgen (ships with BIND) and put the same secret in the rndc.conf
// that rndc reads outside the chroot.
key "rndc-key" {
    algorithm hmac-md5;
    secret "<paste-the-base64-secret-from-rndc-confgen-here>";   // placeholder
};
controls {
    inet 127.0.0.1 port 953
        allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Root server hints
zone "." {
    type hint;
    file "root.hint";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};
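As an added example (not part of the original how-to), here is a small lint for named.conf that catches the mistakes most likely to bite with the configuration above: a key referenced in a keys { } list but never defined with a key statement (named then refuses to start), a pinned query-source port, recursion left enabled, and zone transfers left unrestricted. It is a line-based grep/sed check, not a real parser, so it assumes each directive sits on its own line as in this guide. The default file path is the chroot path used here.

```shell
#!/bin/sh
# Added example (not from the original how-to): lint a BIND named.conf for
# common mistakes. lint_named_conf [FILE]; FILE defaults to the chroot config
# used in this guide. Prints one line per finding, returns the finding count.
lint_named_conf() {
    conf=${1:-/chroot/named/etc/named.conf}
    findings=0

    # 1. Every key referenced in a  keys { "name"; }  list must have a matching
    #    key "name" { ... } statement, or named exits with "unknown key".
    for k in $(sed -n 's/.*keys[[:space:]]*{[[:space:]]*"\([^"]*\)".*/\1/p' "$conf"); do
        if ! grep -Eq "^[[:space:]]*key[[:space:]]+\"$k\"[[:space:]]*[{]" "$conf"; then
            echo "key \"$k\" is referenced but never defined"
            findings=$((findings + 1))
        fi
    done

    # 2. A fixed query-source port turns off source-port randomization for
    #    outgoing queries, which makes forged answers easier to land.
    if grep -Eq '^[[:space:]]*query-source.*port[[:space:]]+[0-9]+' "$conf"; then
        echo "query-source pins a fixed port; let named choose random ports"
        findings=$((findings + 1))
    fi

    # 3. An authoritative-only server should refuse recursion.
    if ! grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;' "$conf"; then
        echo "recursion is not disabled (add: recursion no;)"
        findings=$((findings + 1))
    fi

    # 4. Zone transfers should be limited to known secondaries; without an
    #    allow-transfer statement BIND 9.4 allows AXFR from any host.
    if ! grep -Eq '^[[:space:]]*allow-transfer[[:space:]]*[{]' "$conf"; then
        echo "no allow-transfer statement; zone transfers are unrestricted"
        findings=$((findings + 1))
    fi

    return "$findings"
}
```

Source the file and run `lint_named_conf` before each restart; pair it with BIND's own `named-checkconf -t /chroot/named /etc/named.conf`, which checks syntax the way named itself will parse it inside the jail.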

Save the following in /chroot/named/etc/namedb/root.hint

; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by IANA
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

This should get you started. Now just create appropriate zone files and you are good to go.

————————————-
DISCLAIMER: Please be smart and use code found on internet carefully. Make backups often. And yeah.. last but not least.. I am not responsible for any damage caused by this posting. Use at your own risk.

15 thoughts on "Bind: Quick install guide to install and setup Bind (DNS server) in secure (chroot) environment in Linux (CentOS, Redhat Enterprise (RHEL), Fedora)."

  1. George

    It seems that I can not add /chroot/named/etc/named.conf due to permission restrictions. I am still looking for help. Any ideas?

  2. Bill Holt

    I also, can not add /chroot/named/etc/named.conf due to permission restrictions. I am looking for help. Any ideas?

  3. francisco

    Hey! can you help? I have followed your guide but still one minor problem: error: named dead but subsys locked

    it wont start.

  4. Peter

    I have the same error. "named dead but subsys locked" when executing "./named status" and the application will not start. Did you find a solution to this issue?

  5. Bill Hudson

    Can your above instructions regarding Bind work without chroot? Also, do you have any info on setting up zone files? Thanks for putting the above info together, it’s appreciated.

    Bill

  6. maz

    Hi, this link is very good, I have the same bind 9.3.6 on CentOS 5.4, I am getting these kinds of messages on the server
    Sep 19 18:49:07 centos1 named[23130]: client xxx.xxx.xxx.xxx#60923: update 'backup.com/IN' denied
    Sep 19 18:49:07 centos1 named[23130]: client 9x.xxx.xx.xxx#55432: update 'bacups.com./IN' denied
    Sep 19 18:51:17 centos1 named[23130]: network unreachable resolving 'ns1.inmel.ru/AAAA/IN': 2001:xxx:1xx:0x:xxx:xxx:xx2:17#53

    BR,
    MAZ

  7. david

    ok this didn't work for me? gives me auth errors on just about everything when I try to start named

    and key errors but the key is in the rndc.conf

    ///////////////////////////////////////////////////////////////

    messages:Feb 10 19:01:17 server1 rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: addunixlistensocket /chroot/named/dev/log
    messages:Feb 10 19:01:24 server1 kernel: warning: `named' uses 32-bit capabilities (legacy support in use)
    messages:Feb 10 19:01:24 server1 named[4379]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
    messages:Feb 10 19:01:24 server1 named[4379]: built with '--without-openssl'
    messages:Feb 10 19:01:24 server1 named[4379]: using up to 4096 sockets
    messages:Feb 10 19:01:24 server1 named[4379]: loading configuration from '/etc/named.conf'
    messages:Feb 10 19:01:24 server1 named[4379]: /etc/named.conf:15: unknown key 'rndc-key'
    messages:Feb 10 19:01:24 server1 named[4379]: loading configuration: failure
    messages:Feb 10 19:01:24 server1 named[4379]: exiting (due to fatal error)
    messages:Feb 10 19:03:26 server1 named[5442]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
    messages:Feb 10 19:03:26 server1 named[5442]: built with '--without-openssl'
    messages:Feb 10 19:03:26 server1 named[5442]: using up to 4096 sockets
    messages:Feb 10 19:03:26 server1 named[5442]: loading configuration from '/etc/named.conf'
    messages:Feb 10 19:03:26 server1 named[5442]: /etc/named.conf:15: unknown key 'rndc-key'
    messages:Feb 10 19:03:26 server1 named[5442]: loading configuration: failure
    messages:Feb 10 19:03:26 server1 named[5442]: exiting (due to fatal error)
    messages:Feb 10 19:10:30 server1 named[5918]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
    messages:Feb 10 19:10:30 server1 named[5918]: built with '--without-openssl'
    messages:Feb 10 19:10:30 server1 named[5918]: using up to 4096 sockets
    messages:Feb 10 19:10:30 server1 named[5918]: loading configuration from '/etc/named.conf'
    messages:Feb 10 19:10:30 server1 named[5918]: /etc/named.conf:15: unknown key 'rndc-key'
    messages:Feb 10 19:10:30 server1 named[5918]: loading configuration: failure
    messages:Feb 10 19:10:30 server1 named[5918]: exiting (due to fatal error)
    messages:Feb 10 19:32:50 server1 named[7405]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
    messages:Feb 10 19:32:50 server1 named[7405]: built with '--without-openssl'
    messages:Feb 10 19:32:50 server1 named[7405]: using up to 4096 sockets
    messages:Feb 10 19:32:50 server1 named[7405]: loading configuration from '/etc/named.conf'
    messages:Feb 10 19:32:50 server1 named[7405]: /etc/named.conf:22: unknown key 'rndc-key'
    messages:Feb 10 19:32:50 server1 named[7405]: loading configuration: failure
    messages:Feb 10 19:32:50 server1 named[7405]: exiting (due to fatal error)
    //////////////////////////////////////////////////////////////////

    Love BSD. Not so sure about this expensive RHEL with its sad excuse for support....
    Thanks for any help in advance!
    ~D

  8. islamay

    Hello everyone

    I am doing a virtual simulation in VMware of a DNS server (primary, secondary and cache)
    I configured the primary server and tested it (it works fine)
    I configured the secondary server but it is not able to load the zone information from the primary server

    here is my configuration on the primary server
    vi /etc/named.conf

    zone "." IN {
    type hint;
    file "named.ca";
    };

    zone "rnu.tn" IN {
    type master;
    file "rnu.tn.zone";
    allow-update { none; };
    allow-transfer { 192.168.127.133; };
    };

    vi /var/named/rnu.tn.zone

    $TTL 1D
    @ IN SOA ns1.rnu.tn. admin.rnu.tn. (
    0 ; serial
    1D ; refresh
    1H ; retry
    1W ; expire
    3H ) ; minimum

    IN NS ns1.rnu.tn.
    IN NS ns2.rnu.tn.
    IN MX 10 mail.rnu
    IN A 192.168.127.134
    ns1 IN A 192.168.127.134
    ns2 IN A 192.168.127.133
    www IN A 192.168.127.134
    mail IN A 192.168.127.134
    IN A 127.0.0.1

    configuration on the secondary server

    vi /etc/named.conf
    zone "." IN {
    type hint;
    file "named.ca";
    };

    zone "rnu.tn" IN {
    type slave;
    file "rnu.tn.zone";
    masters { 192.168.127.134; };
    };

    information
    Fedora 14
    bind 9.7.2
    IP address of the primary server machine 192.168.127.134
    IP address of the secondary server machine 192.168.127.133

    please explain the problem to me and guide me to set up a cache server
    I await your replies
    thanks in advance

  9. Cage

    CrazyToon,

    I hope you are still around and get this.
    I just wanted to say thank you!

    After digging and researching for over 60 hrs on multiple setups to rebuild every aspect of a server for the first time alone, DNS being my most challenging daemon…

    You Rock!

    You write the best clear cut clean directions without all the extra stuff we don't need when pressed.

    I hope you do more in the future. I just take my hat off to ya. You should put a book out, heck, I would help!

    Later
    George L.
    Minnesota, USA

