On CentOS/Red Hat, BIND normally runs as the named process, owned by the
unprivileged named user. BIND can also be installed using Linux's chroot
feature, so that named not only runs as the named user but is also limited in
which files it can see.
When installed this way, named is started with /var/named/chroot as its root
(/) directory. Files that would normally live in /etc are therefore found under
/var/named/chroot/etc, and those you would expect in /var/named are under
/var/named/chroot/var/named. Every path inside named.conf is written relative to
the chroot, not to the host filesystem.
The advantage of the chroot is that if an attacker gets into the system through
a BIND exploit, the part of the filesystem the attacker can reach is limited to
what is under the chroot directory. This is also known as a chroot jail. A
chroot is not a hard security boundary on its own: a process that is still root
can break out of it, so the protection comes from combining the chroot with
named dropping privileges to the unprivileged named user, and from keeping the
chroot free of shells, setuid binaries and device nodes that named does not
need.
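The path mapping above is the usual source of trouble with a chroot'ed BIND: a zone file that exists on the host but not under /var/named/chroot is invisible to named, and the restart fails. The following Python script is an added example, not part of the original article, that resolves every file statement in a named.conf the way named does (relative to the options directory, inside the chroot) and reports the host paths that are missing. The named.conf text in it is constructed for the example; the chroot path is the bind-chroot default.

```python
"""Resolve the paths a chroot'ed named will actually open.

Added example, not from the original article: given a named.conf and the
chroot directory, compute the host-side path of every zone file and check
that it exists, so a missing file is caught before restarting named.
The named.conf text below is constructed for this example.
"""
import os
import re
import tempfile

CHROOT = "/var/named/chroot"  # bind-chroot default on CentOS/RHEL 5

# Constructed sample named.conf, same shape as the one in the article.
SAMPLE_NAMED_CONF = """
options {
    directory "/var/named";
    dump-file "data/cache_dump.db";
};
zone "linuxhowto.in" IN {
    type master;
    file "linuxhowto.in.zone";
};
zone "4.65.10.in-addr.arpa" IN {
    type master;
    file "4.65.10.rev.zone";
};
"""

_DIRECTORY_RE = re.compile(r'^\s*directory\s+"([^"]+)"\s*;', re.M)
_FILE_RE = re.compile(r'^\s*file\s+"([^"]+)"\s*;', re.M)


def chroot_to_host(chroot, path):
    """Map a path as named sees it (inside the chroot) to the host path.

    A leading '/' inside the chroot means the chroot directory itself, so it
    is stripped before joining; os.path.join would otherwise discard chroot.
    """
    return os.path.join(chroot, path.lstrip("/"))


def zone_file_paths(named_conf_text):
    """Return {file as written: path inside the chroot} for each file statement.

    Relative file names are resolved against the options 'directory', as named
    itself does. Absolute file names are used as written.
    """
    m = _DIRECTORY_RE.search(named_conf_text)
    directory = m.group(1) if m else "/"
    result = {}
    for f in _FILE_RE.findall(named_conf_text):
        result[f] = f if f.startswith("/") else os.path.join(directory, f)
    return result


def missing_zone_files(named_conf_text, chroot=CHROOT):
    """Host paths of the zone files named would fail to open."""
    missing = []
    for inside in zone_file_paths(named_conf_text).values():
        host = chroot_to_host(chroot, inside)
        if not os.path.isfile(host):
            missing.append(host)
    return missing


def demo():
    """Build a throwaway chroot tree with only the forward zone present."""
    with tempfile.TemporaryDirectory() as fake_chroot:
        os.makedirs(os.path.join(fake_chroot, "var/named"))
        with open(os.path.join(fake_chroot, "var/named/linuxhowto.in.zone"), "w") as fh:
            fh.write("$TTL 86400\n")
        return missing_zone_files(SAMPLE_NAMED_CONF, chroot=fake_chroot)


if __name__ == "__main__":
    for path in demo():
        print("missing:", path)  # only the reverse zone file is reported
```

Run it against the real server with missing_zone_files(open("/var/named/chroot/etc/named.conf").read()) before every restart; an empty list means every zone file named will look for is in place under the chroot.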
Install BIND together with the bind-chroot add-on RPM with the following
command:
[root@LINUXHOWTO-SERVER ~]# yum install bind bind-chroot
Loaded plugins: fastestmirror
Determining fastest mirrors
myrepo                                              | 1.1 kB     00:00
primary.xml.gz                                      | 878 kB     00:00
myrepo                                                          2508/2508
Setting up Install Process
Parsing package install arguments
Resolving Dependencies
There are unfinished transactions remaining. You might consider running yum-complete-transaction first to finish them.
--> Running transaction check
---> Package bind-chroot.i386 30:9.3.4-10.P1.el5 set to be updated
---> Package bind.i386 30:9.3.4-10.P1.el5 set to be updated
--> Finished Dependency Resolution

Dependencies Resolved

==================================================================
 Package          Arch     Version               Repository   Size
==================================================================
Installing:
 bind             i386     30:9.3.4-10.P1.el5    myrepo       953 k
 bind-chroot      i386     30:9.3.4-10.P1.el5    myrepo        42 k

Transaction Summary
==================================================================
Install      2 Package(s)
Update       0 Package(s)
Remove       0 Package(s)

Total download size: 995 k
Is this ok [y/N]: y
Downloading Packages:
(1/2): bind-chroot-9.3.4-10.P1.el5.i386.rpm         |  42 kB     00:00
(2/2): bind-9.3.4-10.P1.el5.i386.rpm                | 953 kB     00:00
------------------------------------------------------------------
Total                                      1.8 MB/s | 995 kB     00:00
Running rpm_check_debug
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
  Installing     : bind                         [1/2]
  Installing     : bind-chroot                  [2/2]

Installed: bind.i386 30:9.3.4-10.P1.el5 bind-chroot.i386 30:9.3.4-10.P1.el5
Complete!
From now on the root directory that named sees is /var/named/chroot. Copy the
sample configuration files shipped in the bind documentation directory into the
chroot (the overwrite prompts appear because bind-chroot already installed some
of these files):
[root@LINUXHOWTO-SERVER named]# cp /usr/share/doc/bind-9.3.4/sample/etc/* /var/named/chroot/etc/
[root@LINUXHOWTO-SERVER named]# cp -a /usr/share/doc/bind-9.3.4/sample/var/named/* /var/named/chroot/var/named/
cp: overwrite `/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db'? y
cp: overwrite `/var/named/chroot/var/named/slaves/my.slave.internal.zone.db'? y
Once the sample files are copied, generate a TSIG key and add it to the
configuration file, /var/named/chroot/etc/named.conf. The dns-keygen script
shipped with the bind package prints a random base64 secret suitable for a key
statement:
[root@LINUXHOWTO-SERVER named]# dns-keygen
31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ
Insert the secret into /var/named/chroot/etc/named.conf. Do not reuse the value
shown here or the keys in the sample files: generate a fresh secret on every
server, because anyone who knows it can send signed dynamic updates. Keep
named.conf readable only by root and the named group for the same reason.
BIND 9.3 supports only hmac-md5 for TSIG; on BIND 9.4 and later, which add the
hmac-sha family, use hmac-sha256 instead. Edit the copy inside the chroot (on a
bind-chroot install /etc/named.conf is normally a symlink to it; confirm with
ls -l /etc/named.conf before editing):
[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/etc/named.conf
key "ddns_key" {
        algorithm hmac-md5;
        secret "31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ";
};
Now edit /var/named/chroot/etc/named.conf again and enter the zone details for
your own domain. The following is a minimal configuration for an authoritative
DNS server; you can copy it and adjust it for your environment. Note that it
does not restrict recursion or queries: if the server is reachable from outside
your LAN, add recursion no (or an allow-recursion list) and an allow-query list
to the options block so it cannot be abused as an open resolver.
[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/etc/named.conf
options
{
        directory "/var/named"; // the default; relative to the chroot
        dump-file "data/cache_dump.db";
        statistics-file "data/named_stats.txt";
        memstatistics-file "data/named_mem_stats.txt";
};
logging
{
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
key "ddns_key"
{
        algorithm hmac-md5;
        secret "31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ";
};
zone "linuxhowto.in" IN {       // name of the forward zone
        type master;
        file "linuxhowto.in.zone"; // file the zone is saved in, under directory
        allow-update { none; }; // no dynamic updates; use { key "ddns_key"; } to accept updates signed with the key above
};
zone "4.65.10.in-addr.arpa" IN { // name of the reverse zone
        type master;
        file "4.65.10.rev.zone"; // file the zone is saved in, under directory
        allow-update { none; };
};
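As written, the key above is defined but never used: allow-update { none; } on both zones rejects every update, signed or not, so the key protects nothing until a zone references it. The Python script below is an added example, not from the original article, that generates a secret the way dns-keygen does, checks that a secret is the base64 named expects, renders the key statement and a zone statement that actually uses it, and writes the result with permissions only root and the named group can read. The key and zone names are the article's; the 32-byte secret length, the 0640 mode and the hmac-sha256 advice for newer BIND are assumptions.

```python
"""Generate a TSIG key and the named.conf statements that use it.

Added example, not from the original article: it does in Python what
dns-keygen plus hand editing do in the article, and it renders a zone
statement that actually references the key, since a key that is only
defined (with allow-update { none; }) protects nothing. The zone and key
names are the article's; the file mode and secret length are assumptions.
"""
import base64
import os
import secrets
import stat
import tempfile

KEY_NAME = "ddns_key"
ARTICLE_SECRET = "31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcCY109JoKQnQ"


def new_secret(nbytes=32):
    """Random TSIG secret as base64, like the one dns-keygen prints.

    32 bytes (256 bits) is an assumption; the secrets module guarantees the
    bytes come from the OS CSPRNG rather than a seeded PRNG.
    """
    return base64.b64encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_length(secret):
    """Decode a secret as named does; raises ValueError if it is not base64."""
    return len(base64.b64decode(secret, validate=True))


def is_valid_secret(secret):
    """True if named would accept the secret; a typo shows up here instead of
    as a startup failure inside the chroot."""
    try:
        secret_length(secret)
        return True
    except ValueError:  # binascii.Error is a ValueError subclass
        return False


def key_statement(name, secret, algorithm="hmac-md5"):
    """Render the key statement. hmac-md5 is all BIND 9.3 offers; on 9.4 and
    later pass algorithm="hmac-sha256" (assumed; check man named.conf)."""
    if not is_valid_secret(secret):
        raise ValueError("secret is not valid base64")
    return (
        f'key "{name}" {{\n'
        f"    algorithm {algorithm};\n"
        f'    secret "{secret}";\n'
        "};\n"
    )


def zone_statement(zone, filename, update_key=None):
    """Render a master zone. With update_key the zone accepts dynamic updates
    signed with that key; without it, allow-update { none; } as in the article."""
    allow = f'key "{update_key}";' if update_key else "none;"
    return (
        f'zone "{zone}" IN {{\n'
        "    type master;\n"
        f'    file "{filename}";\n'
        f"    allow-update {{ {allow} }};\n"
        "};\n"
    )


def write_private(path, text):
    """Write a file readable by owner and group only (mode 0640).

    named runs as user named and must read the secret; nobody else should.
    Follow up with chown root:named on the real server (needs root, so it is
    not done here). Returns the resulting mode for checking.
    """
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o640)
    with os.fdopen(fd, "w") as fh:
        fh.write(text)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR | stat.S_IRGRP)  # 0640 regardless of umask
    return oct(os.stat(path).st_mode & 0o777)


def render_named_conf(secret):
    """The article's key, a forward zone that uses it, a reverse zone that does not."""
    return (
        key_statement(KEY_NAME, secret)
        + zone_statement("linuxhowto.in", "linuxhowto.in.zone", update_key=KEY_NAME)
        + zone_statement("4.65.10.in-addr.arpa", "4.65.10.rev.zone")
    )


def demo_write_private():
    """Write a rendered fragment to a temporary file and report its mode."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "named.conf")
        return write_private(path, render_named_conf(new_secret()))


if __name__ == "__main__":
    print(render_named_conf(new_secret()))
    print("mode:", demo_write_private())
```

On a real server you would write to /var/named/chroot/etc/named.conf (or a file included from it) and chown it root:named; the article's own secret decodes to 45 bytes, which is why is_valid_secret accepts it.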
Next you need the forward zone file (linuxhowto.in.zone) in the
/var/named/chroot/var/named/ directory. Start from the sample
/var/named/chroot/var/named/localhost.zone by copying it to
/var/named/chroot/var/named/linuxhowto.in.zone:
[root@LINUXHOWTO-SERVER named]# cp /var/named/chroot/var/named/localhost.zone /var/named/chroot/var/named/linuxhowto.in.zone
The record types used in these zone files are:
SOA - Start of Authority (the zone's serial and timers; the first record in every zone)
NS - Name Server
A - IPv4 address
MX - Mail Exchanger (with a preference value; lower is preferred)
CNAME - Canonical Name (an alias for another name)
PTR - Pointer (address to name, used in the reverse zone)
Edit the zone file accordingly. Every fully qualified name must end with a dot:
without it BIND appends the zone name, so ns1.linuxhowto.in written without the
dot becomes ns1.linuxhowto.in.linuxhowto.in. The SOA record names the primary
name server and the contact mailbox (root@linuxhowto.in, written with a dot in
place of the @). Increase the serial every time you change the zone, otherwise
slave servers will never pull the new version.
[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/var/named/linuxhowto.in.zone
$TTL 86400
@       IN SOA  ns1.linuxhowto.in. root.linuxhowto.in. (
                42      ; serial (d. adams)
                3H      ; refresh
                15M     ; retry
                1W      ; expiry
                1D )    ; minimum
        IN NS   ns1.linuxhowto.in.
        IN A    10.65.4.55
www     IN A    10.65.4.55
mail    IN A    10.65.4.55
ns1     IN A    10.65.4.55
server  IN A    10.65.4.55
linuxhowto.in.  IN MX 10 mail.linuxhowto.in.
Next you need the reverse zone file (4.65.10.rev.zone) in the
/var/named/chroot/var/named/ directory. Start from the sample
/var/named/chroot/var/named/named.local by copying it to
/var/named/chroot/var/named/4.65.10.rev.zone:
[root@LINUXHOWTO-SERVER named]# cp /var/named/chroot/var/named/named.local /var/named/chroot/var/named/4.65.10.rev.zone
Edit this file for your network. The owner of each PTR record is only the last
octet of the address; the zone origin, 4.65.10.in-addr.arpa, supplies the rest.
[root@LINUXHOWTO-SERVER named]# vi /var/named/chroot/var/named/4.65.10.rev.zone
$TTL 86400
@       IN SOA  ns1.linuxhowto.in. root.linuxhowto.in. (
                1997022700 ; Serial
                28800      ; Refresh
                14400      ; Retry
                3600000    ; Expire
                86400 )    ; Minimum
        IN NS   ns1.linuxhowto.in.
55      IN PTR  linuxhowto.in.
55      IN PTR  mail.linuxhowto.in.
55      IN PTR  www.linuxhowto.in.
55      IN PTR  server.linuxhowto.in.
55      IN PTR  ns1.linuxhowto.in.
Several PTR records for one address, as above, are legal, but most software
expects exactly one answer for a reverse lookup. In practice give each address a
single PTR (here linuxhowto.in.) and keep the other names in the forward zone
only.
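The forward and reverse zones above carry the same data twice, and the two mistakes that bite most often are a name without its trailing dot and a forgotten serial bump. The Python script below is an added example, not from the original article, that takes the article's forward-zone A records and derives the reverse zone from them, applies BIND's trailing-dot rule so the doubled-origin mistake is visible, keeps one PTR per address by default, and builds a date-based serial. The record values and zone names are the article's; the YYYYMMDDnn serial format and the /24-only reverse zone handling are assumptions.

```python
"""Build the reverse zone from the forward zone and qualify names correctly.

Added example, not from the original article: it takes the article's
forward-zone A records and derives the reverse zone, and it shows what a
missing trailing dot does to a name. The record values are the article's;
the serial format (YYYYMMDDnn) is an assumption.
"""
import ipaddress
from datetime import date

ORIGIN = "linuxhowto.in."
NETWORK = ipaddress.ip_network("10.65.4.0/24")

# Constructed from the article's forward zone: (owner as written, address).
A_RECORDS = [
    ("@", "10.65.4.55"),
    ("www", "10.65.4.55"),
    ("mail", "10.65.4.55"),
    ("ns1", "10.65.4.55"),
    ("server", "10.65.4.55"),
]


def qualify(name, origin):
    """Turn an owner or target as written in a zone file into an FQDN.

    BIND appends $ORIGIN to any name that does not end in a dot, so
    'ns1.linuxhowto.in' without the dot silently becomes
    'ns1.linuxhowto.in.linuxhowto.in.'. This mirrors that rule so the
    mistake is visible instead of hidden.
    """
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}"


def reverse_zone_name(network):
    """'4.65.10.in-addr.arpa.' for 10.65.4.0/24 (whole /24 zones only)."""
    if network.prefixlen != 24:
        raise ValueError("only /24 reverse zones are handled here")
    octets = str(network.network_address).split(".")
    return ".".join(reversed(octets[:3])) + ".in-addr.arpa."


def ptr_records(a_records, origin, network, one_per_address=True):
    """(host octet, FQDN) pairs for the A records inside the network.

    The owner in the reverse zone is just the last octet because the zone's
    origin supplies the rest. By default the first A record for an address
    wins, giving each address a single PTR.
    """
    out, seen = [], set()
    for owner, addr in a_records:
        ip = ipaddress.ip_address(addr)
        if ip not in network:
            continue
        if one_per_address and ip in seen:
            continue
        seen.add(ip)
        out.append((str(ip).split(".")[-1], qualify(owner, origin)))
    return out


def soa_serial(today=None, n=1):
    """YYYYMMDDnn serial; it must increase on every change or slaves never pull it."""
    today = today or date.today()
    return int(f"{today:%Y%m%d}{n:02d}")


def render_reverse_zone(a_records, origin, network, ns, hostmaster, serial):
    """Text of the reverse zone file in the article's layout."""
    lines = [
        "$TTL 86400",
        f"@       IN SOA  {ns} {hostmaster} (",
        f"                {serial} ; serial",
        "                28800 ; refresh",
        "                14400 ; retry",
        "                3600000 ; expire",
        "                86400 ) ; minimum",
        f"        IN NS   {ns}",
    ]
    for octet, fqdn in ptr_records(a_records, origin, network):
        lines.append(f"{octet:<8}IN PTR  {fqdn}")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_reverse_zone(A_RECORDS, ORIGIN, NETWORK,
                              "ns1.linuxhowto.in.", "root.linuxhowto.in.",
                              soa_serial()))
```

With the article's data the rendered reverse zone has a single PTR for 10.65.4.55 pointing at linuxhowto.in., which is exactly what the host 10.65.4.55 test at the end of the article returns.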
Before restarting, check the configuration and both zone files with
named-checkconf and named-checkzone (both in the bind package, using their -t
option to point at the chroot), then restart the service and watch
/var/log/messages for errors from named. Use chkconfig to enable named at boot.
[root@LINUXHOWTO-SERVER named]# service named restart
Test the forward zone with host. Note that host queries the resolvers listed in
/etc/resolv.conf; to query this server directly, give its address (for example
127.0.0.1) as the second argument.
[root@LINUXHOWTO-SERVER named]# host linuxhowto.in
linuxhowto.in has address 10.65.4.55
linuxhowto.in mail is handled by 10 mail.linuxhowto.in.
And the reverse zone:
[root@LINUXHOWTO-SERVER named]# host 10.65.4.55
55.4.65.10.in-addr.arpa domain name pointer linuxhowto.in.