Bind: Quick install guide to install and setup Bind (DNS server) in secure (chroot) environment in Linux (CentOS, Redhat Enterprise (RHEL), Fedora).


There are a lot of great articles on setting up Bind, and some of them go into great detail on setting up a secure DNS server using Bind. I have used one of them time after time, called: Linux Howto: Chroot Bind How To. One thing I do not like about it is that I had to read over things I really do not need to know or already know. So I have put together this quick How To based on that great how to. Setting up a secure DNS server using Bind is not very complicated.

Let us dive into this. First we create the user and set up the directory structure.

echo "named:x:200:200:Nameserver:/chroot/named:/bin/false" >> /etc/passwd
echo "named:x:200:" >> /etc/group
mkdir -p /chroot/named
cd /chroot/named
mkdir -p dev etc/namedb/slave var/run
chown -R named:named /chroot/named/etc/namedb/slave
chown named:named /chroot/named/var/run
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/{null,random}
cp /etc/localtime /chroot/named/etc/

vi /etc/sysconfig/syslog
Edit the line which starts with SYSLOGD_OPTIONS so it looks like: SYSLOGD_OPTIONS="-m 0 -a /chroot/named/dev/log"
Let us restart syslog to use the new settings, and then secure the physical files on the server.

/etc/rc.d/init.d/syslog stop
/etc/rc.d/init.d/syslog start
chown root /chroot
chmod 700 /chroot
chown named:named /chroot/named
chmod 700 /chroot/named
cd /chroot/named
chattr +i etc/localtime var

Let us clean up the previous bind install, since most Linux installations have named (bind) pre-installed.

rpm -qa |grep bind
rpm -e --nodeps <copy-paste-all-the-packages-separated-by-space>

Let us get the source files for bind and install it. At the time of writing, bind 9.4.1 is the latest.

wget http://ftp.isc.org/isc/bind9/9.4.1/bind-9.4.1.tar.gz
tar zxpfv bind-*.gz
cd bind*
./configure
make && make install

Copy the following content to /etc/init.d/named

#!/bin/sh
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
#
# Source function library.
. /etc/rc.d/init.d/functions
#
# Source networking configuration.
. /etc/sysconfig/network
#
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
#
[ -f /usr/local/sbin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0
#
# See how we were called.
case "$1" in
  start)
        # Start daemons. -u drops to the named user, -t chroots into
        # /chroot/named, so -c is the path relative to that chroot.
        echo -n "Starting named: "
        daemon /usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        kill `pidof named`
        echo
        rm -f /var/lock/subsys/named
        ;;
  status)
        status named
        exit $?
        ;;
  restart)
        $0 stop
        $0 start
        exit $?
        ;;
  reload)
        /usr/local/sbin/rndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
esac
#
exit 0

Make it executable: chmod +x /etc/init.d/named
Let us set it so "named" will automatically start at boot up: chkconfig --add named

Save the following code into /chroot/named/etc/named.conf

options {
    recursion no;                   // disable recursive lookups against our server
    directory "/etc/namedb";        // Working directory (relative to the chroot)
    pid-file "/var/run/named.pid";  // Put pid file in working dir
    forwarders {
        10.10.10.10;                // ip of dns server to forward requests to
    };
    statistics-file "/var/run/named.stats";
    query-source address * port 53;
    version "Bind 10";              // do not advertise the real version string
};
controls {
    inet 127.0.0.1 port 953
    allow { 127.0.0.1; } keys { "rndc-key"; };
    // "rndc-key" must also be defined in a key { } statement
    // (rndc-confgen can generate one) for rndc reload to work
};
// Root server hints
zone "." {
    type hint;
    file "root.hint";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    notify no;
};
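A small sanity checker for this kind of named.conf, added here as an example and not part of the original post or of BIND itself. It walks the top-level blocks and flags the pitfalls the config above can run into: a controls block naming a key that no key { } statement defines, recursion left on, and forwarders combined with recursion no (forwarders only affect recursive queries). The config text is a constructed sample modelled on the one above.

```python
import re

# Constructed sample: the named.conf from this guide. Note the controls block
# names "rndc-key" but no key { } statement defines it.
SAMPLE_CONF = """\
options {
    recursion no; // disable lookups against our server
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    forwarders { 10.10.10.10; };
    version "Bind 10";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." { type hint; file "root.hint"; };
"""

def strip_comments(conf):
    """Drop /* */ blocks and // or # line comments before parsing."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)
    return re.sub(r"(//|#).*", "", conf)

def top_blocks(conf):
    """Yield (header, body) for each top-level `header { body };` statement,
    tracking brace depth so nested blocks such as forwarders { } stay inside."""
    text, i = strip_comments(conf), 0
    while (m := re.search(r"(\w[^{;]*)\{", text[i:])):
        start = i + m.end()
        depth, j = 1, start
        while depth and j < len(text):
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        yield m.group(1).strip(), text[start:j - 1]
        i = j

def check_named_conf(conf):
    """Return findings for the pitfalls this guide's config can run into."""
    blocks = list(top_blocks(conf))
    findings = []
    defined = {h.split(None, 1)[1].strip('"') for h, _ in blocks if h.startswith("key ")}
    for h, body in blocks:
        if h == "controls":
            for keys in re.findall(r"keys\s*\{([^}]*)\}", body):
                for name in re.findall(r'"?([\w.-]+)"?\s*;', keys):
                    if name not in defined:
                        findings.append(f'controls references undefined key "{name}"')
        elif h == "options":
            rec = re.search(r"\brecursion\s+(yes|no)\s*;", body)
            if not rec or rec.group(1) == "yes":
                findings.append("recursion is enabled: open-resolver risk on a public server")
            elif "forwarders" in body:
                findings.append("forwarders are set but only apply to recursive queries")
            if not re.search(r'\bversion\s+"', body):
                findings.append("version string is not overridden")
    return findings
```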

Save the following in /chroot/named/etc/namedb/root.hint

; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by IANA
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

This should get you started. Now just create appropriate zone files and you are good to go.

————————————-
DISCLAIMER: Please be smart and use code found on internet carefully. Make backups often. And yeah.. last but not least.. I am not responsible for any damage caused by this posting. Use at your own risk.


8 Responses to "Bind: Quick install guide to install and setup Bind (DNS server) in secure (chroot) environment in Linux (CentOS, Redhat Enterprise (RHEL), Fedora)."

  1. George
    July 30th, 2007 | 6:12 am

    It seems that I can not add /chroot/named/etc/named.conf due to permission restrictions. I am still looking for help. Any ideas?

  2. Bill Holt
    July 31st, 2007 | 9:47 am

    I also cannot add /chroot/named/etc/named.conf due to permission restrictions. I am looking for help. Any ideas?

  3. August 1st, 2007 | 12:05 pm

    If that is happening, do:
    cd /chroot/named
    chattr -i etc

    Let me know if that works for you.

  4. George
    August 2nd, 2007 | 4:10 pm

    Yes, it worked.

    Now should I set chattr +i etc again?

    Thanks.

  5. August 5th, 2007 | 11:50 am

    If you would like to make it more secure then you should. I have a lot of clients who prefer to not have +i set up on etc.

  6. francisco
    October 14th, 2007 | 6:14 pm

    Hey! Can you help? I have followed your guide but still have one minor problem: error: named dead but subsys locked

    It won't start.

  7. Peter
    September 24th, 2008 | 7:48 am

    I have the same error, "named dead but subsys locked", when executing "./named status", and the application will not start. Did you find a solution to this issue?

  8. Bill Hudson
    October 2nd, 2008 | 4:52 pm

    Can your above instructions regarding Bind work without chroot? Also, do you have any info on setting up zone files? Thanks for putting the above info together, it’s appreciated.

    Bill
