Wondering how to setup Bind DNS Server in Chroot Jail on CentOS 7? Our Support Engineers are here to offer their words of advice.
Recently one of our customers wanted to Setup Bind DNS Server in Chroot Jail on CentOS 7. Let’s find out how the Support Team at Bobcares helped with this query.
All about setting up Bind DNS Server in Chroot Jail on CentOS 7
Did you know that Bind is also known as named? It is one of the most used Linux DNS servers. Today, we will learn how to set up Bind DNS in a chroot jail on CentOS 7 by configuring Bind to run chrooted to the /var/named/chroot/ directory.
To the chrooted named process, the contents of this directory appear as the root directory (/). The term jail describes a software mechanism that limits a process's access to resources outside its jail directory, which enhances security.
According to our Support Engineers, previous versions of Bind required you to compile named statically and install the shared libraries it needs under the new root. This is no longer required.
The chroot environment initialization script uses the mount --bind command to mount the configuration files into the jail. This lets you manage the configuration outside the environment. Since everything is mounted automatically, you do not have to copy anything to the /var/named/chroot/ directory. Maintenance is also simple, because you do not have to take extra care of the Bind configuration files when named runs in a chroot environment. You can organize everything as if Bind were not running in a chroot at all.
By default, the chrooted Bind DNS server uses /var/named/chroot. The next section covers implementing a Bind chroot DNS server on a CentOS 7 VPS.
Steps to setup Bind DNS server in Chroot Jail on CentOS 7
- First, install Bind Chroot DNS server with the command:
# yum install bind-chroot -y
- Next, verify the named service is running with this command:
# systemctl status named
In case it is running, disable it with the following commands:
# systemctl stop named
# systemctl disable named
- After that, run the following commands to initialize the /var/named/chroot environment:
# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
# systemctl stop named
# systemctl disable named
# systemctl start named-chroot
# systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'
This automatically bind-mounts the configuration directories into /var/named/chroot/ when the corresponding directories under /var/named/chroot/ are empty.
Then, run these commands to verify the chroot environment:
# ll /var/named/chroot/etc
total 28
-rw-r--r-- 1 root root   372 Dec  3 22:04 localtime
drwxr-x--- 2 root named 4095 Nov 24 02:28 named
-rw-r----- 1 root named 1704 Mar 12  2014 named.conf
-rw-r--r-- 1 root named 2383 Nov 12 01:28 named.iscdlv.key
-rw-r----- 1 root named  932 Jun 11  2008 named.rfc1912.zones
-rw-r--r-- 1 root named  486 Jul 18  2011 named.root.key
drwxr-x--- 3 root named 4094 Jan  4 22:12 pki
# ll /var/named/chroot/var/named
total 32
drwxr-x--- 7 root  named 4096 Jan  3 23:12 chroot
drwxrwx--- 2 named named 4096 Nov 21 01:28 data
drwxrwx--- 2 named named 4096 Nov 21 01:28 dynamic
-rw-r----- 1 root  named 2076 Jan 27  2014 named.ca
-rw-r----- 1 root  named  152 Dec 16  2007 named.empty
-rw-r----- 1 root  named  152 Jun 22  2009 named.localhost
-rw-r----- 1 root  named  168 Dec 14  2008 named.loopback
drwxrwx--- 2 named named 4096 Nov 22 01:28 slaves
- Next, create the Bind-related files in the chrooted directory with these commands:
# touch /var/named/chroot/var/named/data/cache_dump.db
# touch /var/named/chroot/var/named/data/named_stats.txt
# touch /var/named/chroot/var/named/data/named_mem_stats.txt
# touch /var/named/chroot/var/named/data/named.run
# mkdir /var/named/chroot/var/named/dynamic
# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
- Now, ensure the Bind lock file is writable with these commands:
# chmod -R 777 /var/named/chroot/var/named/data
# chmod -R 777 /var/named/chroot/var/named/dynamic
- After that, copy /etc/named.conf into the chrooted Bind configuration directory:
# cp -p /etc/named.conf /var/named/chroot/etc/named.conf
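The verification step above checks the jail by eye with ll; the permission step then makes data/ and dynamic/ world-writable, which is broader than the named:named group-writable ownership the stock listing shows. The following script is an added example, not code from the original post or from the bind-chroot package: it reads the kernel's /proc/self/mountinfo to confirm which host paths are actually bind-mounted into /var/named/chroot, and walks the jail for anything with the other-write bit set. The names (parse_mount_points, missing_jail_mounts, world_writable, demo_tree) are the example's own, the EXPECTED_BIND_MOUNTS list is assumed from the entries visible in the post's listing rather than the full set the setup script mounts, and the mountinfo lines are a constructed sample.

```python
"""Audit a chrooted BIND tree: expected bind mounts present, nothing world-writable.
Added example, not code from the original post or from the bind-chroot package."""
import os
import stat
import tempfile

JAIL = "/var/named/chroot"  # jail location used throughout the post

# Host paths that should appear bind-mounted under the jail.  Assumed from the
# directory listing in the post; compare with what setup-named-chroot.sh mounts.
EXPECTED_BIND_MOUNTS = [
    "/etc/localtime",
    "/etc/named",
    "/etc/named.conf",
    "/etc/named.iscdlv.key",
    "/etc/named.rfc1912.zones",
    "/etc/named.root.key",
    "/var/named",
]

# Constructed sample in /proc/self/mountinfo format.  Field 4 is the source path
# inside the filesystem and field 5 the mount point, so a bind mount shows the
# bound host path in field 4 rather than "/".
SAMPLE_MOUNTINFO = """\
25 0 253:0 / / rw,relatime shared:1 - xfs /dev/mapper/centos-root rw,attr2,inode64,noquota
70 25 253:0 /etc/localtime /var/named/chroot/etc/localtime rw,relatime shared:1 - xfs /dev/mapper/centos-root rw
71 25 253:0 /etc/named /var/named/chroot/etc/named rw,relatime shared:1 - xfs /dev/mapper/centos-root rw
72 25 253:0 /etc/named.conf /var/named/chroot/etc/named.conf rw,relatime shared:1 - xfs /dev/mapper/centos-root rw
73 25 253:0 /var/named /var/named/chroot/var/named rw,relatime shared:1 - xfs /dev/mapper/centos-root rw
"""


def parse_mount_points(mountinfo_text):
    """Map mount point -> source path for every mountinfo line (\\040 encodes a space)."""
    mounts = {}
    for line in mountinfo_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        source, mount_point = (f.replace("\\040", " ") for f in fields[3:5])
        mounts[mount_point] = source
    return mounts


def missing_jail_mounts(mounts, jail=JAIL, expected=EXPECTED_BIND_MOUNTS):
    """Expected host paths that are not currently mounted at jail + path."""
    return [path for path in expected if jail + path not in mounts]


def world_writable(root):
    """Files and directories under root with the other-write bit set.
    The post's chmod -R 777 on data/ and dynamic/ is reported here; named only
    needs named:named ownership with group write, as the stock listing shows."""
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path) and os.stat(path).st_mode & stat.S_IWOTH:
                hits.append(os.path.relpath(path, root))
    return sorted(hits)


def demo_tree():
    """Build a scratch jail mimicking the post's var/named layout: data/ left at
    0777 as the post's chmod produces, dynamic/ tightened to 0770.  Returns findings."""
    root = tempfile.mkdtemp(prefix="named-chroot-demo-")
    for sub, mode in (("var/named/data", 0o777), ("var/named/dynamic", 0o770)):
        os.makedirs(os.path.join(root, sub))
        os.chmod(os.path.join(root, sub), mode)
    managed = os.path.join(root, "var/named/dynamic/managed-keys.bind")
    open(managed, "w").close()
    os.chmod(managed, 0o660)
    return world_writable(root)


if __name__ == "__main__":
    with open("/proc/self/mountinfo") as fh:
        live_mounts = parse_mount_points(fh.read())
    for path in missing_jail_mounts(live_mounts):
        print("not mounted in jail:", path)
    if os.path.isdir(JAIL):
        for path in world_writable(JAIL):
            print("world-writable:", path)
```

Run it as root on the CentOS 7 host after starting named-chroot; an empty report means every listed path is mounted into the jail and nothing under it is world-writable. With the constructed sample, three of the expected paths are reported as not mounted, and the demo tree reports only the 0777 data/ directory.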
- Then, configure the main Bind configuration. You also need to add the example.local zone information to /etc/named.conf.
# vi /var/named/chroot/etc/named.conf
Then, add the forward and reverse zone definitions to named.conf:
..
..
zone "example.local" {
        type master;
        file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
..
..
The full named.conf configuration file will look like this:
//
// named.conf
//
options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;
        bindkeys-file "/etc/named.iscdlv.key";
        managed-keys-directory "/var/named/dynamic";
        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};
logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};
zone "." IN {
        type hint;
        file "named.ca";
};
zone "example.local" {
        type master;
        file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
- Next, create the reverse and forward zone files for the example.local domain.
Create the reverse zone:
# vi /var/named/chroot/var/named/192.168.0.zone
Then, add the following:
;
; Addresses and other host information.
;
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
        2014101901 ; Serial
        43200      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        2592000 )  ; Minimum
0.168.192.in-addr.arpa.    IN NS  centos7.example.local.
50.0.168.192.in-addr.arpa. IN PTR mx.example.local.   ; mx is 192.168.0.50 in the forward zone
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
Create the forward zone:
# vi /var/named/chroot/var/named/example.local.zone
Then, add the following:
;
; Addresses and other host information.
;
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
        2014101901 ; Serial
        43200      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        2592000 )  ; Minimum
; Define the mail servers and nameservers
        IN NS ns1.example.local.
        IN NS ns2.example.local.
        IN A  192.168.0.70
        IN MX 10 mx.example.local.
centos7 IN A 192.168.0.70
mx      IN A 192.168.0.50
ns1     IN A 192.168.0.70
ns2     IN A 192.168.0.80
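Forward and reverse zones are maintained by hand in this setup, so they drift apart easily: a PTR that points at a name whose A record has moved is the classic result. The following checker is an added example, not code from the original post. It parses both zone files (handling $ORIGIN, "@" and omitted owners, optional TTL/class columns and multi-line SOA records), then reports every PTR whose target has no A record at that address and every address with A records but no PTR. The forward zone embedded below is the post's example.local zone; the reverse zone follows the post's layout but carries a deliberately stale PTR for mx (constructed) so the check has something to report. The function and constant names (parse_records, check_consistency, demo, FORWARD_ZONE, REVERSE_ZONE) are the example's own.

```python
"""Cross-check A records in a forward zone against PTR records in its reverse zone.
Added example, not code from the original post."""
import ipaddress

FORWARD_ORIGIN = "example.local."
REVERSE_ORIGIN = "0.168.192.in-addr.arpa."

# The post's forward zone for example.local.
FORWARD_ZONE = """\
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
    2014101901 ; Serial
    43200      ; Refresh
    3600       ; Retry
    3600000    ; Expire
    2592000 )  ; Minimum
; Define the mail servers and nameservers
        IN NS ns1.example.local.
        IN NS ns2.example.local.
        IN A 192.168.0.70
        IN MX 10 mx.example.local.
centos7 IN A 192.168.0.70
mx      IN A 192.168.0.50
ns1     IN A 192.168.0.70
ns2     IN A 192.168.0.80
"""

# Reverse zone in the post's layout; the mx PTR is a constructed stale entry
# (mx has moved to 192.168.0.50 in the forward zone above).
REVERSE_ZONE = """\
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
    2014101901 43200 3600 3600000 2592000 )
0.168.192.in-addr.arpa.    IN NS  centos7.example.local.
70.0.168.192.in-addr.arpa. IN PTR mx.example.local.   ; stale (constructed)
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
"""
REVERSE_ZONE_FIXED = REVERSE_ZONE.replace(
    "70.0.168.192.in-addr.arpa. IN PTR mx", "50.0.168.192.in-addr.arpa. IN PTR mx")


def _logical_records(text):
    """Yield (owner_omitted, tokens) per record: ';' comments dropped, '( ... )'
    continuation lines joined, owner_omitted set when the record starts with blanks."""
    buf, depth, owner_omitted = [], 0, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0]
        if not buf:
            owner_omitted = line[:1].isspace()
        depth += line.count("(") - line.count(")")
        buf.append(line)
        if depth <= 0:
            tokens = " ".join(buf).replace("(", " ").replace(")", " ").split()
            buf, depth = [], 0
            if tokens:
                yield owner_omitted, tokens


def _fqdn(name, origin):
    """Absolute name: '@' is the origin, relative names get the origin appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def parse_records(text, origin, wanted=("A", "PTR")):
    """Return (owner_fqdn, rtype, rdata) tuples for the wanted record types."""
    records, owner = [], origin
    for owner_omitted, tokens in _logical_records(text):
        if tokens[0].startswith("$"):
            if tokens[0].upper() == "$ORIGIN":
                origin = tokens[1]
            continue
        if not owner_omitted:
            owner = _fqdn(tokens.pop(0), origin)
        while tokens and (tokens[0].upper() == "IN" or tokens[0].isdigit()):
            tokens.pop(0)  # skip optional class and TTL columns
        if tokens and tokens[0].upper() in wanted:
            records.append((owner.lower(), tokens[0].upper(), tokens[1:]))
    return records


def _ptr_to_ipv4(owner):
    """'70.0.168.192.in-addr.arpa.' -> '192.168.0.70'; None for other owners."""
    labels = owner.rstrip(".").split(".")
    if labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:-2]))


def check_consistency(forward_text, forward_origin, reverse_text, reverse_origin):
    """List mismatches: PTRs without a matching A, and A addresses without any PTR."""
    names_by_ip = {}
    for owner, _, rdata in parse_records(forward_text, forward_origin, wanted=("A",)):
        names_by_ip.setdefault(rdata[0], set()).add(owner)
    problems, ptr_ips = [], set()
    for owner, _, rdata in parse_records(reverse_text, reverse_origin, wanted=("PTR",)):
        ip = _ptr_to_ipv4(owner)
        target = _fqdn(rdata[0], reverse_origin).lower()
        ptr_ips.add(ip)
        if target not in names_by_ip.get(ip, set()):
            problems.append(f"PTR {ip} -> {target} has no matching A record")
    for ip in sorted(names_by_ip, key=ipaddress.ip_address):
        if ip not in ptr_ips:
            names = ", ".join(sorted(names_by_ip[ip]))
            problems.append(f"A records for {ip} ({names}) have no PTR")
    return problems


def demo():
    """Run the check with the stale PTR, then with it corrected."""
    stale = check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE, REVERSE_ORIGIN)
    fixed = check_consistency(FORWARD_ZONE, FORWARD_ORIGIN, REVERSE_ZONE_FIXED, REVERSE_ORIGIN)
    return stale, fixed


if __name__ == "__main__":
    stale, fixed = demo()
    print("\n".join(stale) or "consistent")
    print("after correcting mx:", fixed or "consistent")
```

To check the real files, read /var/named/chroot/var/named/example.local.zone and 192.168.0.zone into the two text arguments with the same origins. Several names sharing one address (here centos7, ns1 and the apex all at 192.168.0.70) is normal and is not flagged; only an address with no PTR at all, or a PTR whose target does not resolve back to it, is reported.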
Conclusion
In short, we learned how to set up a Bind DNS server in a chroot jail on CentOS 7 from the proficient Support Team at Bobcares.