Friday, August 17, 2012

How to Configure DNS Server with chroot

Centos/Redhat BIND normally runs as the named process owned by the unprivileged named user.Sometimes BIND is also installed using Linux's chroot feature to not only run named as user named, but also to limit the files named can see.

When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in /var/named/chroot/etc directory instead, and those you'd expect to find in /var/named are actually located in /var/named/chroot/var/named.

The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker's access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.

You can install chroot add-on RPM by using this command.

To install we need to configure the Yum Repository.

[root@LINUXHOWTO-SERVER ~]# yum install bind bind-chroot
Loaded plugins: fastestmirror
Determining fastest mirrors
myrepo | 1.1 kB 00:00
primary.xml.gz | 878 kB 00:00
myrepo 2508/2508
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
There are unfinished transactions remaining. You mightconsider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package bind-chroot.i386 30:9.3.4-10.P1.el5 set to be updated
---> Package bind.i386 30:9.3.4-10.P1.el5 set to be updated
--> Finished Dependency Resolution
Dependencies Resolved
Package Arch Version Repository Size
bind i386 30:9.3.4-10.P1.el5 myrepo 953 k
bind-chroot i386 30:9.3.4-10.P1.el5 myrepo 42 k
Transaction Summary
Install 2 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 995 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): bind-chroot-9.3.4-10.P1.el5.i386.rpm | 42 kB 00:00
(2/2): bind-9.3.4-10.P1.el5.i386.rpm | 953 kB 00:00
Total 1.8 MB/s | 995 kB 00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing : bind [1/2]
Installing : bind-chroot [2/2]
Installed: bind.i386 30:9.3.4-10.P1.el5 bind-chroot.i386 30:9.3.4-10.P1.el5
Now the DNS root will be /var/named/chroot only. copy the sample configuration file from the sample doc directory.

[root@LINUXHOWTO-SERVER named]# cp /usr/share/doc/bind-9.3.4/sample/etc/* /var/named/chroot/etc/
[root@LINUXHOWTO-SERVER named]# cp -a /usr/share/doc/bind-9.3.4/sample/var/named/* /var/named/chroot/var/named/
cp: overwrite `/var/named/chroot/var/named/slaves/'? y
cp: overwrite `/var/named/chroot/var/named/slaves/'? y

Once sample copy is over, now we have to add the dns keygen in to the configuration file ie /var/named/chroot/etc/named.conf. to create the dns keygen use following command.

root@LINUXHOWTO-SERVER named]# dns-keygen

Insert above in /var/named/chtoot/etc/named.conf

[root@LINUXHOWTO-SERVER named]# vi /etc/named.conf
key ddns_key
algorithm hmac-md5;
secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ

Again edit the /var/named/chroot/etc/named.conf, enter zone details as per your domain requorement. The following file is minial configuration to run DNS server. you can copy and use it for your environment also.

[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/etc/named.conf
     directory "/var/named"; // the default
     dump-file          "data/cache_dump.db";
statistics-file    "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
channel default_debug {
file "data/";
severity dynamic;
zone "" IN { -----à Name of the forward Zone
type master;
file ""; -----à Name of the file where Zone Saved
allow-update { none; };
zone "" IN { -----à Name of the reverse Zone
type master;
file ""; -----à Name of the file where Zone Saved
allow-update { none; };
key ddns_key
     algorithm hmac-md5;
     secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ;

Next you need to have forward zone file ( in the /var/named/chroot/var/named/ directory.
Copy the /var/named/chroot/var/namded/ as /var/named/chroot/var/named/

[root@LINUXHOWTO-SERVER named]# cp /var/named/chroot/var/named/ /var/named/chroot/var/named/

There are some special keywords for Zone Files
A - A record
NS - Name Server
MX - Mail for Exchange
CN - Canonical Name
Appropriately edit the zone file. Ensure the entire domain name end with dot(.).

[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/var/named/
$TTL 86400
@ IN SOA (
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum
www IN A
mail IN A
ns1 IN A
server IN A IN MX 10

Next you need to have reverse zone file ( in the /var/named/chroot/var/named/ directory.
Copy the /var/named/chroot/var/namded/named.local as /var/named/chroot/var/named/

[root@LINUXHOWTO-SERVER named]# cp /var/named/chroot/var/named/named.local /var/named/chroot/var/named/

Appropriately edit this as per your req.

[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/var/named/
$TTL 86400
@ IN SOA (
1997022700 ; Serial
28800 ; Refresh
14400 ; Retry
3600000 ; Expire
86400 ) ; Minimum

Restart the service using the following command

[root@LINUXHOWTO-SERVER named]# service named restart

Simply test the server using command to check forward zone.

[root@LINUXHOWTO-SERVER named]#host has address mail is handled by 10

This is for the reverse zone

[root@LINUXHOWTO-SERVER named]#host domain name pointer

These above command are good enough to check the DNS. To know more about DNS resolving details we can use dig or nslookup.

No comments:

Post a Comment