There are a lot of great articles on setting up Bind, and some of them go into great detail on setting up a secure DNS server with Bind. I have used one of them time after time: Linux Howto: Chroot Bind How To. The one thing I do not like about it is that I had to read past things I either did not need to know or already knew. So I have put together this quick How To based on that great guide. Setting up a secure (chrooted, non-root, non-recursive) DNS server with Bind is not very complicated.
Let us dive in. First we create the named user and group, then the chroot directory structure. The device nodes are needed because the chrooted process cannot see the host's /dev.
echo "named:x:200:200:Nameserver:/chroot/named:/bin/false" >> /etc/passwd
echo "named:x:200:" >> /etc/group
mkdir -p /chroot/named
cd /chroot/named
mkdir -p dev etc/namedb/slave var/run
chown -R named:named /chroot/named/etc/namedb/slave
chown named:named /chroot/named/var/run
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/{null,random}
cp /etc/localtime /chroot/named/etc/
vi /etc/sysconfig/syslog
Edit the line that starts with SYSLOGD_OPTIONS so it reads: SYSLOGD_OPTIONS="-m 0 -a /chroot/named/dev/log"
The -a option makes syslogd listen on an additional socket inside the chroot, so the chrooted named can log even though it cannot reach the host's /dev/log.
Let us restart syslog so it picks up the new settings, then lock down the chroot directories on disk.
/etc/rc.d/init.d/syslog stop
/etc/rc.d/init.d/syslog start
chown root /chroot
chmod 700 /chroot
chown named:named /chroot/named
chmod 700 /chroot/named
cd /chroot/named
chattr +i etc/localtime var
Let us remove any previous Bind install, since most Linux distributions have named (Bind) pre-installed.
rpm -qa | grep bind
rpm -e --nodeps <paste all the bind packages listed above, separated by spaces>
Let us fetch the Bind source, build it and install it. At the time of writing, Bind 9.4.1 is the latest release.
wget http://ftp.isc.org/isc/bind9/9.4.1/bind-9.4.1.tar.gz
tar zxpfv bind-*.gz
cd bind*
./configure
make && make install
Copy the following content into /etc/init.d/named. It assumes the Red Hat style /etc/rc.d/init.d/functions library, which provides daemon, killproc and status.
#!/bin/sh
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
#
# Source function library.
. /etc/rc.d/init.d/functions
#
# Source networking configuration.
. /etc/sysconfig/network
#
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
#
[ -f /usr/local/sbin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0
#
# See how we were called.
case "$1" in
start)
# Start daemons. -u drops privileges to the named user, -t chroots into
# /chroot/named and -c gives the config file path relative to that chroot.
echo -n "Starting named: "
daemon /usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf
RETVAL=$?
echo
# Only record the subsystem lock when the start succeeded. named detaches
# from the terminal before it finishes loading its configuration, so a
# broken named.conf can still leave "named dead but subsys locked" in the
# status output; check /var/log/messages for the reason in that case.
[ $RETVAL -eq 0 ] && touch /var/lock/subsys/named
exit $RETVAL
;;
stop)
# Stop daemons. killproc (from the functions library) handles a missing pid.
echo -n "Shutting down named: "
killproc named
echo
rm -f /var/lock/subsys/named
;;
status)
status named
exit $?
;;
restart)
$0 stop
$0 start
exit $?
;;
reload)
/usr/local/sbin/rndc reload
exit $?
;;
probe)
# named knows how to reload intelligently; we don't want linuxconf
# to offer to restart every time
/usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
exit 0
;;
#
*)
echo "Usage: named {start|stop|status|restart|reload}"
exit 1
esac
#
exit 0
Make it executable: chmod +x /etc/init.d/named
Let us set it so "named" will automatically start at boot: chkconfig --add named
Save the following into /chroot/named/etc/named.conf. Because named is started with -t /chroot/named, every path in this file is relative to the chroot root.
options {
recursion no; // refuse recursive lookups: this server only answers for the zones it hosts
directory "/etc/namedb"; // working directory (inside the chroot)
pid-file "/var/run/named.pid"; // put pid file in working dir
forwarders {
10.10.10.10; // ip of dns server to forward requests to (forwarders only serve recursive queries, so they sit idle while recursion is off)
};
statistics-file "/var/run/named.stats";
query-source address * port 53; // on Bind releases that randomize the source port (9.4.2-P1 and later) a fixed port disables that cache-poisoning defence; drop "port 53" unless a firewall rule needs it
version "Bind 10";
};
// The controls statement below refers to "rndc-key", so that key has to be defined or
// named aborts with "unknown key 'rndc-key'". Generate it on the host with rndc-confgen -a
// (it writes /etc/rndc.key), copy that file to /chroot/named/etc/rndc.key, make it readable
// by the named user only, and include it here.
include "/etc/rndc.key";
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Root server hints
zone "." {
type hint;
file "root.hint";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
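Before starting named, it pays to check the configuration for the mistakes readers of this guide run into most: a key referenced in controls but never defined (named exits with "unknown key"), a pinned query source port, and forwarders that recursion no leaves unused. The shell script below is an added example, not code from the original post; it is a small lint that complements Bind's own checker (named-checkconf -t /chroot/named /etc/named.conf), and the two named.conf samples it reads are constructed inline: the first mirrors the options and controls statements as posted above, the second is a corrected version with a placeholder key secret.

```shell
#!/bin/sh
# Added example, not part of the original how-to: a small named.conf lint for the
# mistakes readers of this guide hit most (a referenced rndc key that is never
# defined, a pinned query source port, forwarders made dead by "recursion no").
# It complements Bind's own checker: named-checkconf -t /chroot/named /etc/named.conf

# Key names referenced in any "keys { ... }" clause (// comments stripped first).
referenced_keys() {
    sed 's|//.*$||' "$1" | tr '\n' ' ' \
        | grep -o 'keys[[:space:]]*{[^}]*}' \
        | grep -o '"[^"]*"' | tr -d '"' | sort -u
}

# Key names defined by a top-level key "name" { ... }; statement.
defined_keys() {
    sed -n 's|//.*$||; s/^[[:space:]]*key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | sort -u
}

# Report problems on stdout; returns 0 only when none were found.
lint_named_conf() {
    conf=$1
    problems=0
    for k in $(referenced_keys "$conf"); do
        if ! defined_keys "$conf" | grep -qx "$k"; then
            echo "ERROR: key \"$k\" is referenced but never defined (named will exit with: unknown key '$k')"
            problems=$((problems + 1))
        fi
    done
    if grep -Eq '^[[:space:]]*query-source.*port[[:space:]]+[0-9]+' "$conf"; then
        echo "WARN: query-source pins the outgoing port, which disables source port randomization"
        problems=$((problems + 1))
    fi
    if grep -Eq '^[[:space:]]*recursion[[:space:]]+no' "$conf" \
       && grep -Eq '^[[:space:]]*forwarders' "$conf"; then
        echo "WARN: forwarders are listed but recursion is off, so they are never used"
        problems=$((problems + 1))
    fi
    echo "$problems problem(s) in $conf"
    [ "$problems" -eq 0 ]
}

# Constructed sample 1: the options/controls part of the how-to's named.conf as posted.
BAD_CONF=$(mktemp)
cat > "$BAD_CONF" <<'EOF'
options {
recursion no; // this will disable lookups against our server
directory "/etc/namedb";
forwarders { 10.10.10.10; };
query-source address * port 53;
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

# Constructed sample 2: corrected. In real use the key statement comes from
# rndc-confgen -a and is pulled in with include "/etc/rndc.key".
GOOD_CONF=$(mktemp)
cat > "$GOOD_CONF" <<'EOF'
options {
recursion no;
directory "/etc/namedb";
query-source address *;
};
key "rndc-key" {
algorithm hmac-md5;
secret "REPLACE-WITH-rndc-confgen-OUTPUT"; // placeholder, not a real secret
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
EOF

lint_named_conf "$BAD_CONF" || true   # prints 1 error, 2 warnings, "3 problem(s)"
lint_named_conf "$GOOD_CONF"          # prints "0 problem(s)"
```

Point lint_named_conf at /chroot/named/etc/named.conf after saving it; the key check is the one that would have caught the "unknown key 'rndc-key'" failures reported in the comments, and the two warnings are judgement calls you can silence once the setting is deliberate.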
Save the following in /chroot/named/etc/namedb/root.hint. This copy is the InterNIC named.root file dated Nov 5, 2002; root server addresses change, so fetch the current /domain/named.root from FTP.INTERNIC.NET before relying on it.
; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by IANA
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File
This should get you started. Now create the zone files the configuration references (at least db.127.0.0) plus the zones you serve, and you are good to go.
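The configuration above references db.127.0.0 but the post does not show it, so here is an added example (not part of the original post) that generates that loopback reverse zone, reads the SOA serial back out of it, and computes the next YYYYMMDDnn serial, which is the part people most often get wrong when editing zones by hand. The target path /chroot/named/etc/namedb/db.127.0.0 and the serial 2002110501 are assumptions for the demo; validate the result with named-checkzone before loading it.

```shell
#!/bin/sh
# Added example, not from the original post: generate the db.127.0.0 loopback
# reverse zone that the how-to's named.conf references, read back its serial and
# compute the next YYYYMMDDnn serial. Check the result with
#   named-checkzone 0.0.127.in-addr.arpa /chroot/named/etc/namedb/db.127.0.0
# (assumed path) before starting named.

# Print the reverse zone for 127.0.0.0/24 with the given SOA serial.
# Only the loopback address gets a PTR, so nothing about the host leaks here.
loopback_zone() {
    serial=$1
    cat <<EOF
\$TTL 86400
@       IN  SOA localhost. root.localhost. (
            $serial ; serial
            28800   ; refresh
            7200    ; retry
            604800  ; expire
            86400 ) ; minimum (negative caching TTL)
        IN  NS  localhost.
1       IN  PTR localhost.
EOF
}

# Extract the SOA serial from a zone file written in the layout above.
zone_serial() {
    sed -n 's/^[[:space:]]*\([0-9]\{1,10\}\)[[:space:]]*;[[:space:]]*serial.*/\1/p' "$1"
}

# Next serial in YYYYMMDDnn form: today's date with nn=01, or old+1 when the
# stored serial is already at or past that (several edits on one day, or a
# serial that was set ahead of the date). YYYYMMDDnn fits the 32-bit serial space.
next_serial() {
    old=$1
    base="$(date -u +%Y%m%d)01"
    if [ "$old" -ge "$base" ]; then
        echo $((old + 1))
    else
        echo "$base"
    fi
}

ZONE=$(mktemp)
loopback_zone 2002110501 > "$ZONE"   # constructed serial for the demo
cat "$ZONE"
echo "current serial: $(zone_serial "$ZONE")"
echo "next serial:    $(next_serial "$(zone_serial "$ZONE")")"
```

Secondaries only transfer a zone when the serial increases, so bump it with next_serial on every edit; a serial that goes backwards is silently ignored by the slaves, which is how stale data lingers after a "fixed" zone file.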
————————————-
DISCLAIMER: Please be smart and use code found on the internet carefully. Make backups often. And yeah.. last but not least.. I am not responsible for any damage caused by this posting. Use at your own risk.
It seems that I can not add /chroot/named/etc/named.conf due to permission restrictions. I am still looking for help. Any ideas?
I also, can not add /chroot/named/etc/named.conf due to permission restrictions. I am looking for help. Any ideas?
if that is happening, do:
cd /chroot/named
chattr -i etc
let me know if that works for you.
Yes, it worked.
Now should I set chattr +i etc again?
Thanks.
If you would like to make it more secure then you should. I have a lot of clients who prefer to not have +i set up on etc.
Hey! Can you help? I have followed your guide but still have one minor problem: error: named dead but subsys locked
It won't start.
I have the same error, "named dead but subsys locked", when executing "./named status", and the application will not start. Did you find a solution to this issue?
Can your above instructions regarding Bind work without chroot? Also, do you have any info on setting up zone files? Thanks for putting the above info together, it’s appreciated.
Bill
Hi, this link is very good. I have the same Bind 9.3.6 on CentOS 5.4, and I am getting these kinds of messages on the server:
Sep 19 18:49:07 centos1 named[23130]: client xxx.xxx.xxx.xxx#60923: update 'backup.com/IN' denied
Sep 19 18:49:07 centos1 named[23130]: client 9x.xxx.xx.xxx#55432: update 'bacups.com./IN' denied
Sep 19 18:51:17 centos1 named[23130]: network unreachable resolving 'ns1.inmel.ru/AAAA/IN': 2001:xxx:1xx:0x:xxx:xxx:xx2:17#53
BR,
MAZ
OK, this didn't work for me. It gives me auth errors on just about everything when I try to start named,
and key errors, but the key is in the rndc.conf.
///////////////////////////////////////////////////////////////
messages:Feb 10 19:01:17 server1 rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: addunixlistensocket /chroot/named/dev/log
messages:Feb 10 19:01:24 server1 kernel: warning: `named' uses 32-bit capabilities (legacy support in use)
messages:Feb 10 19:01:24 server1 named[4379]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:01:24 server1 named[4379]: built with '--without-openssl'
messages:Feb 10 19:01:24 server1 named[4379]: using up to 4096 sockets
messages:Feb 10 19:01:24 server1 named[4379]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:01:24 server1 named[4379]: /etc/named.conf:15: unknown key 'rndc-key'
messages:Feb 10 19:01:24 server1 named[4379]: loading configuration: failure
messages:Feb 10 19:01:24 server1 named[4379]: exiting (due to fatal error)
messages:Feb 10 19:03:26 server1 named[5442]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:03:26 server1 named[5442]: built with '--without-openssl'
messages:Feb 10 19:03:26 server1 named[5442]: using up to 4096 sockets
messages:Feb 10 19:03:26 server1 named[5442]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:03:26 server1 named[5442]: /etc/named.conf:15: unknown key 'rndc-key'
messages:Feb 10 19:03:26 server1 named[5442]: loading configuration: failure
messages:Feb 10 19:03:26 server1 named[5442]: exiting (due to fatal error)
messages:Feb 10 19:10:30 server1 named[5918]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:10:30 server1 named[5918]: built with '--without-openssl'
messages:Feb 10 19:10:30 server1 named[5918]: using up to 4096 sockets
messages:Feb 10 19:10:30 server1 named[5918]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:10:30 server1 named[5918]: /etc/named.conf:15: unknown key 'rndc-key'
messages:Feb 10 19:10:30 server1 named[5918]: loading configuration: failure
messages:Feb 10 19:10:30 server1 named[5918]: exiting (due to fatal error)
messages:Feb 10 19:32:50 server1 named[7405]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:32:50 server1 named[7405]: built with '--without-openssl'
messages:Feb 10 19:32:50 server1 named[7405]: using up to 4096 sockets
messages:Feb 10 19:32:50 server1 named[7405]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:32:50 server1 named[7405]: /etc/named.conf:22: unknown key 'rndc-key'
messages:Feb 10 19:32:50 server1 named[7405]: loading configuration: failure
messages:Feb 10 19:32:50 server1 named[7405]: exiting (due to fatal error)
//////////////////////////////////////////////////////////////////
Love BSD. Not so sure about this expensive RHEL with its sad excuse for support....
Thanks for any help in advance!
~D
Hello everyone,
I am running a virtual simulation in VMware of a DNS server (primary, secondary and caching).
I configured the primary server and tested it (it works fine).
I configured the secondary server but it is not able to load the zone data from the primary server.
Here is my configuration on the primary server:
vi /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
};
zone "rnu.tn" IN {
type master;
file "rnu.tn.zone";
allow-update { none; };
allow-transfer { 192.168.127.133; };
};
vi /var/named/rnu.tn.zone
$TTL 1D
@ IN SOA ns1.rnu.tn. admin.rnu.tn. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.rnu.tn.
IN NS ns2.rnu.tn.
IN MX 10 mail.rnu
IN A 192.168.127.134
ns1 IN A 192.168.127.134
ns2 IN A 192.168.127.133
www IN A 192.168.127.134
mail IN A 192.168.127.134
IN A 127.0.0.1
Configuration on the secondary server:
vi /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
};
zone "rnu.tn" IN {
type slave;
file "rnu.tn.zone";
masters { 192.168.127.134; };
};
Information:
Fedora 14
bind 9.7.2
IP address of the primary server machine: 192.168.127.134
IP address of the secondary server machine: 192.168.127.133
Please explain the problem to me and guide me in setting up a caching server.
Awaiting your replies,
Thanks in advance
CrazyToon,
I hope you are still around and get this.
I just wanted to say thank you!
After digging and researching for over 60 hrs on multiple setups to rebuild every aspect of a server for the first time alone, DNS being my most challenging daemon…
You Rock!
You write the best clear-cut, clean directions without all the extra stuff we don't need when pressed.
I hope you do more in the future. I just take my hat off to ya. You should put a book out, heck, I would help!
Later
George L.
Minnesota, USA
Thanks for the kind words George. Glad I could help you out.