Friday, August 17, 2012

How to Configure DNS Server with chroot


Centos/Redhat BIND normally runs as the named process owned by the unprivileged named user.Sometimes BIND is also installed using Linux's chroot feature to not only run named as user named, but also to limit the files named can see.

When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in /var/named/chroot/etc directory instead, and those you'd expect to find in /var/named are actually located in /var/named/chroot/var/named.

The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker's access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.

You can install chroot add-on RPM by using this command.

To install we need to configure the Yum Repository.

[root@LINUXHOWTO-SERVER ~]# yum install bind bind-chroot
Loaded plugins: fastestmirror
Determining fastest mirrors
myrepo | 1.1 kB 00:00
primary.xml.gz | 878 kB 00:00
myrepo 2508/2508
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
There are unfinished transactions remaining. You mightconsider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package bind-chroot.i386 30:9.3.4-10.P1.el5 set to be updated
---> Package bind.i386 30:9.3.4-10.P1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
==================================================================
Package Arch Version Repository Size
==================================================================
Installing:
bind i386 30:9.3.4-10.P1.el5 myrepo 953 k
bind-chroot i386 30:9.3.4-10.P1.el5 myrepo 42 k
Transaction Summary
==================================================================
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 995 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): bind-chroot-9.3.4-10.P1.el5.i386.rpm | 42 kB 00:00
(2/2): bind-9.3.4-10.P1.el5.i386.rpm | 953 kB 00:00
------------------------------------------------------------------
Total 1.8 MB/s | 995 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : bind [1/2]
Installing : bind-chroot [2/2]
Installed: bind.i386 30:9.3.4-10.P1.el5 bind-chroot.i386 30:9.3.4-10.P1.el5
Complete!
Now the DNS root will be /var/named/chroot only. copy the sample configuration file from the sample doc directory.

[root@LINUXHOWTO-SERVER named]# cp /usr/share/doc/bind-9.3.4/sample/etc/* /var/named/chroot/etc/
[root@LINUXHOWTO-SERVER named]# cp -a /usr/share/doc/bind-9.3.4/sample/var/named/* /var/named/chroot/var/named/
cp: overwrite `/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db'? y
cp: overwrite `/var/named/chroot/var/named/slaves/my.slave.internal.zone.db'? y

Once sample copy is over, now we have to add the dns keygen in to the configuration file ie /var/named/chroot/etc/named.conf. to create the dns keygen use following command.

root@LINUXHOWTO-SERVER named]# dns-keygen
31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ

Insert above in /var/named/chtoot/etc/named.conf

[root@LINUXHOWTO-SERVER named]# vi /etc/named.conf
key ddns_key
{
algorithm hmac-md5;
secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ
};

Again edit the /var/named/chroot/etc/named.conf, enter zone details as per your domain requorement. The following file is minial configuration to run DNS server. you can copy and use it for your environment also.

[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/etc/named.conf
options
{
     directory "/var/named"; // the default
     dump-file          "data/cache_dump.db";
statistics-file    "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
};
logging
{
channel default_debug {
file "data/named.run";
severity dynamic;
};  
};
zone "linuxhowto.in" IN { -----à Name of the forward Zone
type master;
file "linuxhowto.in.zone"; -----à Name of the file where Zone Saved
allow-update { none; };
};
zone "4.65.10.in-addr.arpa" IN { -----à Name of the reverse Zone
type master;
file "4.65.10.rev.zone"; -----à Name of the file where Zone Saved
allow-update { none; };
};
key ddns_key
{
     algorithm hmac-md5;
     secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ;
};

Next you need to have forward zone file (linuxhowto.in.zone) in the /var/named/chroot/var/named/ directory.
Copy the /var/named/chroot/var/namded/localhost.zone as /var/named/chroot/var/named/linuxhowto.in.zone.

[root@LINUXHOWTO-SERVER named]# cp /var/named/chroot/var/named/localhost.zone /var/named/chroot/var/named/linuxhowto.in.zone

There are some special keywords for Zone Files
A - A record
NS - Name Server
MX - Mail for Exchange
CN - Canonical Name
Appropriately edit the zone file. Ensure the entire domain name end with dot(.).

[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/var/named/linuxhowto.in.zone
$TTL 86400
@ IN SOA ns1.linuxhowto.in. root@linuxhowto.in. (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
IN NS ns1.linuxhowto.in.
IN A 10.65.4.55
www IN A 10.65.4.55
mail IN A 10.65.4.55
ns1 IN A 10.65.4.55
server IN A 10.65.4.55
linuxhowto.in. IN MX 10 mail.linuxhowto.in.

Next you need to have reverse zone file (4.65.10.rev.zone) in the /var/named/chroot/var/named/ directory.
Copy the /var/named/chroot/var/namded/named.local as /var/named/chroot/var/named/4.65.10.rev.zone

[root@LINUXHOWTO-SERVER named]# cp /var/named/chroot/var/named/named.local /var/named/chroot/var/named/4.65.10.rev.zone

Appropriately edit this as per your req.

[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/var/named/4.65.10.rev.zone
$TTL 86400
@ IN SOA ns1.linuxhowto.in. root@linuxhowto.in. (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum
IN NS ns1.linuxhowto.in.
55 IN PTR linuxhowto.in.
55 IN PTR mail.linuxhowto.in.
55 IN PTR www.linuxhowto.in.
55 IN PTR server.linuxhowto.in.
55 IN PTR ns1.linuxhowto.in.


Restart the service using the following command

[root@LINUXHOWTO-SERVER named]# service named restart

Simply test the server using command to check forward zone.

[root@LINUXHOWTO-SERVER named]#host linuxhowto.in
Linuxhowto.in has address 10.65.4.55
Linuhow.in mail is handled by 10 mail.linuxhowto.in

This is for the reverse zone

[root@LINUXHOWTO-SERVER named]#host 10.65.4.55
55.4.65.10.in.addr.arpa domain name pointer linuxhowto.in.

These above command are good enough to check the DNS. To know more about DNS resolving details we can use dig or nslookup.







No comments:

Post a Comment