Build a DNS server on CentOS7.0

BIND (Berkeley Internet Name Domain), also known as NAMED, is the most widely used DNS server program on the Internet today. This article describes how to run BIND in a chroot jail so that it cannot access any part of the file system outside the "jail".

For example, in this article I will change BIND's running root directory to /var/named/chroot/; from BIND's point of view, that directory is / (the root directory). A "jail" (prison; the same below) is a software mechanism whose purpose is to prevent a program from accessing resources outside a specified area, which also improves security. (LCTT translation annotation: a chroot "jail" changes the root directory that a process can see through the chroot mechanism, that is, it confines the process to a specified directory so that it can only operate on files in that directory and its subdirectories, which limits what a compromised process can reach on the server.) Note that a chroot restricts file-system access only; it is not a complete sandbox, and it gives real protection only because named also runs as the unprivileged named user. The default "jail" for the Bind Chroot DNS server is /var/named/chroot.

You can follow the steps below to deploy a Bind Chroot DNS server on CentOS 7.0.

1. Install Bind Chroot DNS server

[root@centos7 ~]# yum install bind-chroot bind -y

2. Copy the bind related files and prepare the bind chroot environment

[root@centos7 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/

3. Create relevant files in the bind chroot directory

[root@centos7 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named.run
[root@centos7 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@centos7 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

4. Make the Bind lock files writable

[root@centos7 ~]# chmod -R 777 /var/named/chroot/var/named/data 
[root@centos7 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic

These directories only need to be writable by the named user that the service runs as, so chown -R named:named with mode 770 is the tighter choice; mode 777 lets any local user overwrite the cache dump, the statistics files and, in dynamic/, the managed-keys.bind file that stores the DNSSEC trust anchors.

5. Copy /etc/named.conf to the bind chroot directory

[root@centos7 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf

6. Configure bind in /etc/named.conf.

Add the example.local domain information at the end of named.conf to create a forward zone and a reverse zone. (LCTT annotation: example.local is not a real, valid Internet domain name but one commonly used for local testing; if you need authoritative DNS resolution for your own domain, configure it in the same way as shown here.)

[root@centos7 ~]# vi /var/named/chroot/etc/named.conf

..
..
zone "example.local" {
    type master;
    file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
..
..

named.conf is fully configured as follows:

//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS server
// as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { any; };

        /*
         - If you are building an authoritative DNS server, do not enable recursion.
         - If you are building a recursive DNS server, you need to enable recursion.
         - If your recursive DNS server has a public IP address, you must enable access
           control so that only legitimate users can send queries. If you don't do this,
           your server will be used in DNS amplification attacks. Implementing BCP38
           will effectively defend against this type of attack.
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.local" {
    type master;
    file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Two things to be aware of in this configuration. First, with recursion yes, allow-query { any; } and listen-on port 53 { any; }, the server is an open resolver, which is exactly what the comment block above warns against; outside an isolated lab network, limit recursion to local clients (for example allow-recursion { 127.0.0.1; 192.168.0.0/24; };) or set recursion no if the server is only authoritative for example.local. Second, dnssec-lookaside auto and the ISC DLV key file are obsolete: the DLV registry was retired in 2017 and the option is no longer meaningful in current BIND releases, so remove those lines on newer systems.

7. Create the forward zone and reverse zone files for the example.local domain

a) Create the forward zone

[root@centos7 ~]# vi /var/named/chroot/var/named/example.local.zone

Add the following content and save:

;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

;       Define the nameservers and the mail servers

               IN      NS      ns1.example.local.
               IN      NS      ns2.example.local.
               IN      A       192.168.0.70
               IN      MX      10 mx.example.local.

centos7          IN      A       192.168.0.70
mx               IN      A       192.168.0.50
ns1              IN      A       192.168.0.70
ns2              IN      A       192.168.0.80

b) Create the reverse zone

[root@centos7 ~]# vi /var/named/chroot/var/named/192.168.0.zone

;
;       Addresses and other host information.
;
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901      ; Serial
                               43200      ; Refresh
                               3600       ; Retry
                               3600000    ; Expire
                               2592000 )  ; Minimum

0.168.192.in-addr.arpa. IN      NS      centos7.example.local.

50.0.168.192.in-addr.arpa. IN PTR mx.example.local.    ; mx is 192.168.0.50 in the forward zone
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
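As an added check that is not part of the article: the Python script below parses the two zone files above (copied in as sample input, with the forward zone abridged) and lists every PTR record whose target name has no A record with that address. The reverse-zone sample deliberately keeps the .70 entry pointing at mx, whose A record is 192.168.0.50, so the check has a mismatch to report.

```python
# Sample input copied from the article's zone files (forward zone abridged).
FORWARD = """\
$TTL 86400
@       IN      SOA     example.local. hostmaster.example.local. (
                               2014101901      ; Serial
                               2592000 )       ; Minimum
               IN      A       192.168.0.70
mx               IN      A       192.168.0.50
ns1              IN      A       192.168.0.70
"""
REVERSE = """\
70.0.168.192.in-addr.arpa. IN PTR mx.example.local.
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
"""

def qualify(name, origin):
    """'@' means the origin; a name without a trailing dot is relative to it."""
    return origin if name == "@" else name if name.endswith(".") else f"{name}.{origin}"

def parse_records(text, origin):
    """Return (owner, type, rdata) tuples for the zone-file subset the article uses:
    ';' comments, $TTL, a parenthesised SOA (skipped) and blank-owner continuation."""
    records, owner, in_parens = [], origin, False
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if in_parens or not line.strip() or line.startswith("$"):
            in_parens = in_parens and ")" not in line   # leave the SOA "( ... )" on ')'
            continue
        fields = line.split()
        if not line[0].isspace():            # explicit owner; a blank owner repeats it
            owner, fields = fields[0], fields[1:]
        if fields and fields[0] == "IN":     # class is optional in the records above
            fields = fields[1:]
        in_parens = "(" in line and ")" not in line
        if fields and fields[0] != "SOA":
            records.append((qualify(owner, origin), fields[0], " ".join(fields[1:])))
    return records

def ptr_mismatches(forward, reverse):
    """List PTR records whose target has no A record with the same address."""
    a_addrs, problems = {}, []
    for owner, rtype, rdata in parse_records(forward, "example.local."):
        if rtype == "A":
            a_addrs.setdefault(owner, set()).add(rdata)
    for owner, rtype, target in parse_records(reverse, "0.168.192.in-addr.arpa."):
        if rtype == "PTR":
            ip = ".".join(reversed(owner[: -len(".in-addr.arpa.")].split(".")))
            if ip not in a_addrs.get(target, set()):
                problems.append(f"{owner} -> {target}: no A record for {ip}")
    return problems
```

Running ptr_mismatches(FORWARD, REVERSE) reports the .70 -> mx entry and nothing else.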

8. Start the bind-chroot service and enable it at boot

Before starting, named-checkconf -t /var/named/chroot /etc/named.conf and named-checkzone example.local /var/named/chroot/var/named/example.local.zone will report any syntax errors in the files created above.

[root@centos7 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@centos7 ~]# systemctl stop named
[root@centos7 ~]# systemctl disable named
[root@centos7 ~]# systemctl start named-chroot
[root@centos7 ~]# systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'

Origin blog.csdn.net/yaxuan88521/article/details/131879206