BIND (Berkeley Internet Name Domain), whose daemon is called named, is the most widely used DNS server on the Internet. This tutorial describes how to run BIND in a chroot jail, so that the process cannot see any part of the filesystem outside the jail. In this post BIND is set up to run chrooted to /var/named/chroot/; to BIND, the contents of that directory appear to be /, the root directory. A "jail" is a software mechanism that limits a process to a small area of the filesystem, which contains the damage if named is ever compromised.
A chroot is a containment measure, not a privilege boundary: a process running as root inside the jail can break out of it, so named must also drop to the unprivileged named user (the -u named option visible in the service output below). On CentOS/RHEL 7 the bind-chroot package puts the jail at /var/named/chroot by default.
1. Install the bind and bind-chroot packages:
[root@keeplive ~]# yum install bind-chroot bind -y
2. Copy the sample BIND files shipped with the package into the chrooted tree:
[root@keeplive ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/
3. Create the runtime files BIND expects inside the chroot:
[root@keeplive ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@keeplive ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@keeplive ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@keeplive ~]# touch /var/named/chroot/var/named/data/named.run
[root@keeplive ~]# mkdir /var/named/chroot/var/named/dynamic
[root@keeplive ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
4. named must be able to write its cache dump, statistics, log and managed-keys files, so hand the data and dynamic directories to the named user. Do not make them world-writable (chmod 777 would let any local user plant or alter files the daemon reads and writes):
[root@keeplive ~]# chown -R named:named /var/named/chroot/var/named/data
[root@keeplive ~]# chown -R named:named /var/named/chroot/var/named/dynamic
[root@keeplive ~]# chmod -R 770 /var/named/chroot/var/named/data
[root@keeplive ~]# chmod -R 770 /var/named/chroot/var/named/dynamic
5. Copy /etc/named.conf into the chroot's /etc:
[root@keeplive ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf
6. Configure the main BIND configuration inside the chroot. Append the rmohan.com forward zone and the matching 192.168.1.0/24 reverse zone (plain ASCII double quotes; named rejects typographic quotes):
[root@keeplive ~]# vi /var/named/chroot/etc/named.conf
zone "rmohan.com" IN {
type master;
file "rmohan.zone";
};
zone "1.168.192.in-addr.arpa" IN {
type master;
file "192.168.1.zone";
};
7. Create the forward and reverse zone files for rmohan.com. The SOA MNAME field names the primary nameserver (ns1.rmohan.com.), not the zone apex, and the apex records are written with an explicit @ owner so they do not depend on leading whitespace surviving a copy and paste.
a) Create Forward Zone :
[root@keeplive ~]# vi /var/named/chroot/var/named/rmohan.zone
Add the following and save :
;
; Addresses and other host information.
;
$TTL 86400
@ IN SOA ns1.rmohan.com. hostmaster.rmohan.com. (
2014101901 ; Serial (YYYYMMDDnn, increment on every change)
43200 ; Refresh
3600 ; Retry
3600000 ; Expire
2592000 ) ; Negative-caching TTL (RFC 2308)
; Define the nameservers and the mail servers
@ IN NS ns1.rmohan.com.
@ IN NS ns2.rmohan.com.
@ IN A 192.168.1.13
@ IN MX 10 mx.rmohan.com.
keeplive IN A 192.168.1.13
mx IN A 192.168.1.13
ns1 IN A 192.168.1.14
ns2 IN A 192.168.1.15
b) Create Reverse Zone :
[root@keeplive ~]# vi /var/named/chroot/var/named/192.168.1.zone
Every owner name here must lie inside 1.168.192.in-addr.arpa. Owners under 0.168.192.in-addr.arpa (that is, 192.168.0.x) are outside the zone: named logs "ignoring out-of-zone data", loads the zone without them, and reverse lookups simply fail. The NS records must match the forward zone.
;
; Reverse mappings for 192.168.1.0/24.
;
$TTL 86400
@ IN SOA ns1.rmohan.com. hostmaster.rmohan.com. (
2014101901 ; Serial
43200 ; Refresh
3600 ; Retry
3600000 ; Expire
2592000 ) ; Negative-caching TTL (RFC 2308)
@ IN NS ns1.rmohan.com.
@ IN NS ns2.rmohan.com.
13.1.168.192.in-addr.arpa. IN PTR mx.rmohan.com.
14.1.168.192.in-addr.arpa. IN PTR ns1.rmohan.com.
15.1.168.192.in-addr.arpa. IN PTR ns2.rmohan.com.
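As first written, the reverse zone above had every PTR owner under 0.168.192.in-addr.arpa, which named loads without error and then ignores, so the mistake only shows up when a reverse lookup fails. The following is an added example, not code from the original post and not part of BIND: a small Python checker that parses the two zones as given here and flags out-of-zone owners, an SOA MNAME that is not one of the apex NS names, in-zone NS names without glue, and PTR records whose address does not match the target's A record in the forward zone. The embedded zone text consists of constructed copies of this post's files in their original and corrected forms; the function names are the example's own.

```python
"""Offline consistency checks for this post's zone files (added example)."""

FORWARD_ORIGIN, REVERSE_ORIGIN = "rmohan.com.", "1.168.192.in-addr.arpa."

# Constructed copy of the corrected forward zone from step 7a.
FORWARD_ZONE = """\
$TTL 86400
@   IN SOA ns1.rmohan.com. hostmaster.rmohan.com. (
        2014101901 43200 3600 3600000 2592000 )
@   IN NS  ns1.rmohan.com.
@   IN NS  ns2.rmohan.com.
@   IN A   192.168.1.13
@   IN MX  10 mx.rmohan.com.
keeplive IN A 192.168.1.13
mx       IN A 192.168.1.13
ns1      IN A 192.168.1.14
ns2      IN A 192.168.1.15
"""

# Reverse zone as the post first had it: MNAME is the apex, the NS is not a
# forward-zone server, and every PTR owner sits under 0.168.192.in-addr.arpa.
BROKEN_REVERSE_ZONE = """\
$TTL 86400
@ IN SOA rmohan.com. hostmaster.rmohan.com. 2014101901 43200 3600 3600000 2592000
1.168.192.in-addr.arpa.    IN NS  keepalive.rmohan.com.
13.0.168.192.in-addr.arpa. IN PTR mx.rmohan.com.
14.0.168.192.in-addr.arpa. IN PTR ns1.rmohan.com.
15.0.168.192.in-addr.arpa. IN PTR ns2.rmohan.com.
"""

# Constructed copy of the corrected reverse zone from step 7b (relative owners).
FIXED_REVERSE_ZONE = """\
$TTL 86400
@  IN SOA ns1.rmohan.com. hostmaster.rmohan.com. 2014101901 43200 3600 3600000 2592000
@  IN NS  ns1.rmohan.com.
@  IN NS  ns2.rmohan.com.
13 IN PTR mx.rmohan.com.
14 IN PTR ns1.rmohan.com.
15 IN PTR ns2.rmohan.com.
"""


def qualify(name, origin):
    """'@' and relative names become FQDNs under origin; absolute names pass through."""
    return origin if name == "@" else name if name.endswith(".") else name + "." + origin


def in_zone(name, origin):
    return name == origin or name.endswith("." + origin)


def parse_zone(text, origin):
    """Minimal master-file reader: ';' comments, $TTL, '@', blank owner (reuses the
    previous one), optional TTL/class, '( ... )' spanning lines.  No $ORIGIN/$INCLUDE."""
    records, owner, pending, depth = [], "@", [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        tokens = line.split()
        if depth == 0:
            if tokens[0] == "$TTL":
                continue
            if line[0] not in " \t":          # new owner; otherwise reuse the last one
                owner = tokens.pop(0)
            pending = [owner] + tokens
        else:
            pending += tokens
        depth += line.count("(") - line.count(")")
        if depth == 0:                        # record complete: strip parens, TTL, class
            fields = [t for t in (t.strip("()") for t in pending) if t]
            rest = fields[1:]
            if rest and rest[0].isdigit():
                rest.pop(0)
            if rest and rest[0].upper() == "IN":
                rest.pop(0)
            records.append((qualify(fields[0], origin), rest[0].upper(), rest[1:]))
    return records


def lint_zone(text, origin):
    """Return findings (empty list == consistent) for one zone."""
    records = parse_zone(text, origin)
    findings = ["%s %s is outside %s (named ignores out-of-zone data)" % (o, t, origin)
                for o, t, _ in records if not in_zone(o, origin)]
    soa = [r for r in records if r[0] == origin and r[1] == "SOA"]
    if len(soa) != 1:
        return findings + ["expected one SOA at %s, found %d" % (origin, len(soa))]
    mname = qualify(soa[0][2][0], origin)
    ns_set = {qualify(r[2][0], origin) for r in records if r[0] == origin and r[1] == "NS"}
    if mname not in ns_set:
        findings.append("SOA MNAME %s is not an apex NS (only right for a hidden master)" % mname)
    have_a = {r[0] for r in records if r[1] == "A"}
    findings += ["in-zone NS %s has no A record (missing glue)" % ns
                 for ns in sorted(ns_set) if in_zone(ns, origin) and ns not in have_a]
    return findings


def ptr_owner_to_ipv4(owner):
    labels = owner.rstrip(".").split(".")
    if len(labels) != 6 or labels[4:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def check_reverse_against_forward(rev_text, rev_origin, fwd_text, fwd_origin):
    """Each in-zone PTR must name a host whose A record in the forward zone is that address."""
    a_records = {}
    for owner, rtype, rdata in parse_zone(fwd_text, fwd_origin):
        if rtype == "A":
            a_records.setdefault(owner, set()).add(rdata[0])
    findings = []
    for owner, rtype, rdata in parse_zone(rev_text, rev_origin):
        if rtype != "PTR" or not in_zone(owner, rev_origin):
            continue
        ip, target = ptr_owner_to_ipv4(owner), qualify(rdata[0], rev_origin)
        if ip not in a_records.get(target, set()):
            findings.append("%s -> %s, but its A records are %s"
                            % (ip, target, sorted(a_records.get(target, []))))
    return findings
```

Import the module and call lint_zone on each file and check_reverse_against_forward on the pair; the original reverse zone yields four findings, the corrected files none. Once bind is installed, named-checkzone remains the authoritative syntax check, but it does not compare PTR and A records across the two zones, which is the check most worth keeping.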
8. Stop and disable the plain named service, then enable and start named-chroot. Starting named-chroot on CentOS/RHEL 7 runs setup-named-chroot.sh, which bind-mounts the host's /etc/named.conf, /var/named and a few other paths into the jail wherever the chroot copy is missing or empty; because this post populates the tree by hand, the hand-copied files are what named reads, and the ownership set in step 4 applies to them. Two things to notice in the transcript below. First, the command typed after disabling named is "systemctl start named", not "systemctl start named-chroot", so the non-chroot daemon comes back up and the chroot instance then fails with "couldn't add command channel 127.0.0.1#953: address in use" (both instances want the rndc control port); make sure named is stopped before starting named-chroot. Second, the "data/named.run ... permission denied" line shows the named user still cannot write the data directory inside the jail: check ownership (chown named:named) and, with SELinux enforcing, the file contexts under /var/named/chroot (restorecon), rather than reaching for chmod 777. The "network unreachable" errors for IPv6 addresses only mean this host has no IPv6 route; they are harmless and can be silenced by starting named with -4 (OPTIONS in /etc/sysconfig/named).
[root@keeplive ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@keeplive ~]# systemctl stop named
[root@keeplive ~]# systemctl disable named
[root@keeplive ~]# systemctl start named
[root@keeplive ~]# systemctl status named
named.service – Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
Active: active (running) since Mon 2014-11-17 08:55:08 SGT; 38s ago
Process: 16016 ExecStart=/usr/sbin/named -u named $OPTIONS (code=exited, status=0/SUCCESS)
Process: 16014 ExecStartPre=/usr/sbin/named-checkconf -z /etc/named.conf (code=exited, status=0/SUCCESS)
Main PID: 16018 (named)
CGroup: /system.slice/named.service
└─16018 /usr/sbin/named -u named
Nov 17 08:55:09 keeplive named[16018]: error (network unreachable) resolving ‘ns.isc.afilias-nst.info/AAAA/IN’: 2001:500:49::1#53
Nov 17 08:55:09 keeplive named[16018]: error (network unreachable) resolving ‘ns1.isc.ultradns.net/A/IN’: 2001:500:2d::d#53
Nov 17 08:55:09 keeplive named[16018]: error (network unreachable) resolving ‘ns1.isc.ultradns.net/AAAA/IN’: 2001:500:2d::d#53
Nov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.co.uk/A/IN’: 2001:503:ba3e::2:30#53
Nov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.co.uk/AAAA/IN’: 2001:503:ba3e::2:30#53
Nov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.org/A/IN’: 2001:500:e::1#53
Nov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.org/AAAA/IN’: 2001:500:e::1#53
Nov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘ns2.isc.ultradns.net/AAAA/IN’: 2610:a1:1014::e8#53
Nov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.org/AAAA/IN’: 2001:502:4612::e8#53
Nov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.com/A/IN’: 2610:a1:1016::e8#53
[root@keeplive ~]# systemctl status named-chroot.service
named-chroot.service – Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled)
Active: failed (Result: exit-code) since Mon 2014-11-17 08:56:15 SGT; 11s ago
Process: 16052 ExecStart=/usr/sbin/named -u named -t /var/named/chroot $OPTIONS (code=exited, status=1/FAILURE)
Process: 16050 ExecStartPre=/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf (code=exited, status=0/SUCCESS)
Nov 17 08:56:15 keeplive named[16054]: automatic empty zone: A.E.F.IP6.ARPA
Nov 17 08:56:15 keeplive named[16054]: automatic empty zone: B.E.F.IP6.ARPA
Nov 17 08:56:15 keeplive named[16054]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
Nov 17 08:56:15 keeplive named[16054]: couldn’t add command channel 127.0.0.1#953: address in use
Nov 17 08:56:15 keeplive named[16054]: couldn’t add command channel ::1#953: address in use
Nov 17 08:56:15 keeplive named[16054]: isc_stdio_open ‘data/named.run’ failed: permission denied
Nov 17 08:56:15 keeplive named[16054]: configuring logging: permission denied
Nov 17 08:56:15 keeplive systemd[1]: named-chroot.service: control process exited, code=exited status=1
Nov 17 08:56:15 keeplive systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
Nov 17 08:56:15 keeplive systemd[1]: Unit named-chroot.service entered failed state.
[root@keeplive ~]# systemctl enable named-chroot
ln -s ‘/usr/lib/systemd/system/named-chroot.service’ ‘/etc/systemd/system/multi-user.target.wants/named-chroot.service’
[root@keeplive ~]# systemctl status named-chroot.service
named-chroot.service – Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; enabled)
Active: failed (Result: exit-code) since Mon 2014-11-17 08:56:15 SGT; 30s ago