Bobcares

Setup Bind DNS Server in Chroot Jail on CentOS 7 with ease

by | Sep 22, 2021

Wondering how to setup Bind DNS Server in Chroot Jail on CentOS 7? Our Support Engineers are here to offer their words of advice.

Recently one of our customers wanted to Setup Bind DNS Server in Chroot Jail on CentOS 7. Let’s find out how the Support Team at Bobcares helped with this query.

All about setting up Bind DNS Server in Chroot Jail on CentOS 7

Bind (the daemon itself is called named) is one of the most widely used DNS servers on Linux. Today, we will learn how to set up Bind DNS in a chroot jail on CentOS 7 by configuring named to run with /var/named/chroot/ as its root directory.

To the chrooted process, the contents of that directory appear as the root of the filesystem. The term jail describes a software mechanism that limits a process's access to resources outside it: if named is compromised, the attacker only sees the files under /var/named/chroot/. Note that a chroot confines the filesystem view, not the process's privileges, so it complements rather than replaces running named as the unprivileged named user and the SELinux policy CentOS 7 ships for it.

According to our Support Engineers, earlier versions of Bind required you to compile named statically or to install the shared libraries it needs under the new root. This is no longer required with the bind-chroot package.

The chroot environment initialization script uses mount --bind to mount the configuration files into the chroot, so you manage the configuration outside the environment. Because the mounting happens automatically, you do not have to copy anything into /var/named/chroot/. Maintenance stays simple: the configuration files need no special handling when Bind runs chrooted, and everything can be organized as if Bind were not running in a chroot environment.

By default the chrooted Bind DNS server uses /var/named/chroot as its root. The next section deals with implementing a chrooted Bind DNS server on a CentOS 7 VPS.

Steps to setup Bind DNS server in Chroot Jail on CentOS 7

  1. First, install the Bind chroot package (it pulls in bind itself):
    # yum install bind-chroot -y
  2. Next, check whether the non-chrooted named service is running:
    # systemctl status named

    If it is, stop and disable it; only one of named and named-chroot should run at a time:

    # systemctl stop named
    # systemctl disable named
  3. After that, initialize the /var/named/chroot environment and switch to the named-chroot service:
    # /usr/libexec/setup-named-chroot.sh /var/named/chroot on
    # systemctl start named-chroot
    # systemctl enable named-chroot
    ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'

    The last line is the output of systemctl enable. The setup script bind-mounts the configuration files and directories into /var/named/chroot/, but only where the corresponding target under /var/named/chroot/ is still empty, so a file you place there yourself is left alone. named-chroot.service runs the same script before every start (and runs named-checkconf -t /var/named/chroot -z /etc/named.conf first, so a syntax error in named.conf or a zone file prevents the start), which is why the mounts survive a reboot.

    Then, run this command to verify chroot environment:

    # ll /var/named/chroot/etc
    total 28
    -rw-r--r-- 1 root root   372 Dec  3 22:04 localtime
    drwxr-x--- 2 root named 4095 Nov 24 02:28 named
    -rw-r----- 1 root named 1704 Mar 12  2014 named.conf
    -rw-r--r-- 1 root named 2383 Nov 12 01:28 named.iscdlv.key
    -rw-r----- 1 root named  932 Jun 11  2008 named.rfc1912.zones
    -rw-r--r-- 1 root named  486 Jul 18  2011 named.root.key
    drwxr-x--- 3 root named 4094 Jan  4 22:12 pki
    # ll /var/named/chroot/var/named
    total 32
    drwxr-x--- 7 root  named 4096 Jan  3 23:12 chroot
    drwxrwx--- 2 named named 4096 Nov 21 01:28 data
    drwxrwx--- 2 named named 4096 Nov 21 01:28 dynamic
    -rw-r----- 1 root  named 2076 Jan 27  2014 named.ca
    -rw-r----- 1 root  named  152 Dec 16  2007 named.empty
    -rw-r----- 1 root  named  152 Jun 22  2009 named.localhost
    -rw-r----- 1 root  named  168 Dec 14  2008 named.loopback
    drwxrwx--- 2 named named 4096 Nov 22 01:28 slaves
    
  4. Next, create the files named writes to inside the chrooted directory. The dynamic directory normally already exists (see the listing above), so mkdir -p is used to avoid an error:
    # touch /var/named/chroot/var/named/data/cache_dump.db
    # touch /var/named/chroot/var/named/data/named_stats.txt
    # touch /var/named/chroot/var/named/data/named_mem_stats.txt
    # touch /var/named/chroot/var/named/data/named.run
    # mkdir -p /var/named/chroot/var/named/dynamic
    # touch /var/named/chroot/var/named/dynamic/managed-keys.bind
  5. Now, make sure named, which runs as the unprivileged named user, can write to its data and dynamic directories. The files just created are owned by root, so hand them to the named user and group; do not use chmod -R 777, which would let any local account tamper with the cache dump, the statistics files and the managed DNSSEC trust anchors. The result matches the named:named, mode 770 ownership the package uses for these directories:
    # chown -R named:named /var/named/chroot/var/named/data
    # chown -R named:named /var/named/chroot/var/named/dynamic
    # chmod -R u=rwX,g=rwX,o= /var/named/chroot/var/named/data
    # chmod -R u=rwX,g=rwX,o= /var/named/chroot/var/named/dynamic
  6. After that, copy /etc/named.conf into the chrooted Bind config directory. If named-chroot is already running, /etc/named.conf is bind-mounted at /var/named/chroot/etc/named.conf and cp reports that both paths are the same file; that is expected and the copy can be skipped.
    # cp -p /etc/named.conf /var/named/chroot/etc/named.conf
  7. Then, edit the main Bind configuration and add the example.local zone information. Because of the bind mount, editing /var/named/chroot/etc/named.conf and /etc/named.conf changes the same file.
    # vi /var/named/chroot/etc/named.conf

    Then, create reverse and forward zone into named.conf:

    ..
    ..
    zone "example.local" {
        type master;
        file "example.local.zone";
    };
    
    zone "0.168.192.in-addr.arpa" IN {
            type master;
            file "192.168.0.zone";
    };
    ..
    ..

    The full named.conf will be as seen below. Two settings in the stock file deserve attention. With listen-on { any; } and allow-query { any; }, recursion yes on its own would make the server an open resolver that anyone on the internet can use for DNS amplification, so recursion is restricted to local clients with allow-recursion. And dnssec-lookaside depends on the DLV registry, which ISC retired in 2017; the line is harmless with the CentOS 7 packages but should be removed on newer Bind releases.

    //
    // named.conf
    //
    
    
    options {
            listen-on port 53 { any; };
            listen-on-v6 port 53 { ::1; };
            directory       "/var/named";
            dump-file       "/var/named/data/cache_dump.db";
            statistics-file "/var/named/data/named_stats.txt";
            memstatistics-file "/var/named/data/named_mem_stats.txt";
            allow-query     { any; };
    
            recursion yes;
            // Only local clients may use this server as a recursive resolver.
            // Adjust the prefix to your own networks.
            allow-recursion { localhost; 192.168.0.0/24; };
    
            dnssec-enable yes;
            dnssec-validation yes;
            // DLV is obsolete (registry retired in 2017); drop this on newer Bind.
            dnssec-lookaside auto;
    
            bindkeys-file "/etc/named.iscdlv.key";
    
            managed-keys-directory "/var/named/dynamic";
    
            pid-file "/run/named/named.pid";
            session-keyfile "/run/named/session.key";
    };
    
    logging {
            channel default_debug {
                    file "data/named.run";
                    severity dynamic;
            };
    };
    
    zone "." IN {
            type hint;
            file "named.ca";
    };
    
    zone "example.local" {
        type master;
        file "example.local.zone";
    };
    
    zone "0.168.192.in-addr.arpa" IN {
            type master;
            file "192.168.0.zone";
    };
    
    include "/etc/named.rfc1912.zones";
    include "/etc/named.root.key";
  8. Next, create reverse and forward zone files for the example.local domain. The PTR records in the reverse zone must agree with the A records in the forward zone: mx is 192.168.0.50, ns1 and centos7 are 192.168.0.70 and ns2 is 192.168.0.80. After both files are saved, restart the service with systemctl restart named-chroot so it loads the new zones.
    Create Reverse Zone:

    # vi /var/named/chroot/var/named/192.168.0.zone

    Then, add the following:

    ;
    ;       Addresses and other host information.
    ;
    $TTL 86400
    @       IN      SOA     example.local. hostmaster.example.local. (
                                   2014101901      ; Serial
                                   43200      ; Refresh
                                   3600       ; Retry
                                   3600000    ; Expire
                                   2592000 )  ; Minimum
    
    0.168.192.in-addr.arpa. IN      NS      centos7.example.local.
    
    50.0.168.192.in-addr.arpa. IN PTR mx.example.local.
    70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
    80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
    

    Create Forward zone:

    # vi /var/named/chroot/var/named/example.local.zone

    Then, add the following:

    ;
    ;       Addresses and other host information.
    ;
    $TTL 86400
    @       IN      SOA     example.local. hostmaster.example.local. (
                                   2014101901      ; Serial
                                   43200      ; Refresh
                                   3600       ; Retry
                                   3600000    ; Expire
                                   2592000 )  ; Minimum
    
    ;       Define the mail servers and nameservers
    
                   IN      NS      ns1.example.local.
                   IN      NS      ns2.example.local.
                   IN      A       192.168.0.70
                   IN      MX      10 mx.example.local.
    
    centos7          IN      A       192.168.0.70
    mx               IN      A       192.168.0.50
    ns1              IN      A       192.168.0.70
    ns2              IN      A       192.168.0.80
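Once the zone files are in place and named-chroot has been restarted, it is worth checking that the jail is really what the service sees and that the zone data is consistent. The script below is an added example written for this article; it is not part of the bind-chroot package or of the original post. It assumes the layout used above (the chroot at /var/named/chroot, the two example.local zone files under /var/named/chroot/var/named) and checks four things: which paths are bind-mounted into the chroot (parsed from /proc/self/mountinfo), that the root directory of the running named really is the chroot, that nothing under the chroot is world-writable, and that every PTR record in the reverse zone agrees with the A record in the forward zone (the check that would catch a PTR for 192.168.0.70 pointing at mx, whose A record is 192.168.0.50). The zone parser handles the @, relative and fully qualified owner names used in the zone files above, but not every feature of the zone file format.

```bash
#!/usr/bin/env bash
# verify_bind_chroot.sh: post-setup checks for a chrooted BIND on CentOS 7.
# Added example for this article; not part of the bind-chroot package.
# Assumes the article's layout: CHROOT=/var/named/chroot and the two
# example.local zone files under $CHROOT/var/named.

# List mounts inside chroot $2 from a mountinfo file $1 (normally
# /proc/self/mountinfo). Field 4 is the path on the source filesystem and
# field 5 the mount point, so a bind mount shows up as
# "/var/named/chroot/etc/named.conf <- /etc/named.conf".
chroot_bind_mounts() {
    awk -v c="$2" '$5 == c || index($5, c "/") == 1 { print $5, "<-", $4 }' "$1"
}

# Print every path under $1 that is writable by "other". The chmod -R 777
# shortcut creates such paths; a correctly set up chroot prints nothing.
world_writable_under() {
    find "$1" ! -type l -perm -o+w 2>/dev/null | sort
}

# Emit "fqdn address" for each A record of forward zone file $1, origin $2.
# Owner names may be @, relative, fully qualified, or omitted (inherited).
forward_a_records() {
    awk -v origin="$2" '
        /^[[:space:]]*;/ || NF == 0 || $1 ~ /^\$/ { next }   # comments, $TTL
        {
            if ($0 ~ /^[[:space:]]/) owner = last; else { owner = $1; last = $1 }
            for (i = 2; i < NF; i++) if ($i == "A") {
                if (owner == "@") fqdn = origin "."
                else if (owner ~ /\.$/) fqdn = owner
                else fqdn = owner "." origin "."
                print fqdn, $(i + 1)
            }
        }' "$1"
}

# Emit "address target" for each PTR record of reverse zone file $1, origin $2
# (e.g. 0.168.192.in-addr.arpa). Owner names may be relative or qualified.
reverse_ptr_records() {
    awk -v origin="$2" '
        /^[[:space:]]*;/ || NF == 0 || $1 ~ /^\$/ || $0 ~ /^[[:space:]]/ { next }
        {
            own = ($1 ~ /\.$/) ? $1 : $1 "." origin "."
            if (own !~ /\.in-addr\.arpa\.$/) next
            for (i = 2; i < NF; i++) if ($i == "PTR") {
                sub(/\.in-addr\.arpa\.$/, "", own)
                n = split(own, o, ".")
                ip = o[n]; for (j = n - 1; j >= 1; j--) ip = ip "." o[j]
                print ip, $(i + 1)
            }
        }' "$1"
}

# Every PTR must name a host whose A record is that very address. Prints one
# line per problem and returns the number of problems (0 = consistent).
check_ptr_consistency() {
    local fwd="$1" fwd_origin="$2" rev="$3" rev_origin="$4" problems=0 ip name addr
    local a_records
    a_records=$(forward_a_records "$fwd" "$fwd_origin")
    while read -r ip name; do
        [ -n "$ip" ] || continue
        addr=$(printf '%s\n' "$a_records" | awk -v n="$name" '$1 == n { print $2; exit }')
        if [ -z "$addr" ]; then
            printf 'PTR %s -> %s: no A record in %s\n' "$ip" "$name" "$fwd"
            problems=$((problems + 1))
        elif [ "$addr" != "$ip" ]; then
            printf 'PTR %s -> %s, but its A record is %s\n' "$ip" "$name" "$addr"
            problems=$((problems + 1))
        fi
    done <<EOF
$(reverse_ptr_records "$rev" "$rev_origin")
EOF
    return "$problems"
}

# Stand-alone run on a real host; skipped where the chroot does not exist.
CHROOT=${CHROOT:-/var/named/chroot}
if [ -d "$CHROOT/var/named" ]; then
    echo "== bind mounts inside $CHROOT =="
    chroot_bind_mounts /proc/self/mountinfo "$CHROOT"
    echo "== root directory of running named processes (expect $CHROOT) =="
    for pid in $(pidof named 2>/dev/null); do readlink "/proc/$pid/root"; done
    echo "== world-writable paths under $CHROOT (expect none) =="
    world_writable_under "$CHROOT"
    echo "== PTR / A consistency for example.local =="
    if check_ptr_consistency "$CHROOT/var/named/example.local.zone" example.local \
                             "$CHROOT/var/named/192.168.0.zone" 0.168.192.in-addr.arpa; then
        echo "zones are consistent"
    fi
fi
```

Run it as root after systemctl restart named-chroot; reading /proc/PID/root of a chrooted process needs root. The functions take file arguments, so the zone checks can also be run on copies of the zone files before they are installed. Before restarting, named-checkconf -t /var/named/chroot /etc/named.conf and named-checkzone example.local /var/named/chroot/var/named/example.local.zone catch syntax errors that the script does not look for.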


Conclusion

In short, we learned all about setting up bind DNS server in chroot jail on CentOS 7 from the proficient Support Team at Bobcares.

