BIND (Berkeley Internet Name Daemon) also known as NAMED is the most widely used DNS server in the internet. This tutorial will descibes how we can run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this post, i will setting up BIND to run chrooted to the directory \/var\/named\/chroot\/. Well, to BIND, the contents of this directory will appear to be \/, the root directory. A \u201cjail\u201d is a software mechanism for limiting the ability of a process to access resources outside a very limited area,
\nand it\u2019s purposely to enhance the security. Bind Chroot DNS server was by default configured to \/var\/named\/chroot<\/p>\n
1. Install Bind Chroot DNS server :<\/p>\n
[root@keeplive ~]# yum install bind-chroot bind -y<\/p>\n
2. Copy all bind related files to prepare bind chrooted environments :<\/p>\n
[root@keeplive ~]# cp -R \/usr\/share\/doc\/bind-*\/sample\/var\/named\/* \/var\/named\/chroot\/var\/named\/<\/p>\n
3. Create bind related files into chrooted directory :<\/p>\n
[root@keeplive ~]# touch \/var\/named\/chroot\/var\/named\/data\/cache_dump.db
\n[root@keeplive ~]# touch \/var\/named\/chroot\/var\/named\/data\/named_stats.txt
\n[root@keeplive ~]# touch \/var\/named\/chroot\/var\/named\/data\/named_mem_stats.txt
\n[root@keeplive ~]# touch \/var\/named\/chroot\/var\/named\/data\/named.run
\n[root@keeplive ~]# mkdir \/var\/named\/chroot\/var\/named\/dynamic
\n[root@keeplive ~]# touch \/var\/named\/chroot\/var\/named\/dynamic\/managed-keys.bind<\/p>\n
4. Bind lock file should be writeable, therefore set the permission to make it writable as below :
\n[root@keeplive ~]# chmod -R 777 \/var\/named\/chroot\/var\/named\/data
\n[root@keeplive ~]# chmod -R 777 \/var\/named\/chroot\/var\/named\/dynamic<\/p>\n
5. Copy \/etc\/named.conf chrooted bind config folder :
\n[root@keeplive ~]# cp -p \/etc\/named.conf \/var\/named\/chroot\/etc\/named.conf<\/p>\n
6.Configure main bind configuration in \/etc\/named.conf. Append the example.local zone information to the file :
\n[root@keeplive ~]# vi \/var\/named\/chroot\/etc\/named.conf<\/p>\n
zone “rmohan.com” {
\n type master;
\n file “rmohan.zone”;
\n};<\/p>\n
zone “1.168.192.in-addr.arpa” IN {
\n type master;
\n file “192.168.1.zone”;
\n};<\/p>\n
7. Create Forward and Reverse zone files for domain example.local.<\/p>\n
a) Create Forward Zone :
\n[root@keeplive ~]# vi \/var\/named\/chroot\/var\/named\/rmohan.zone<\/p>\n
Add the following and save :
\n;
\n; Addresses and other host information.
\n;
\n$TTL 86400
\n@ IN SOA rmohan.com. hostmaster.rmohan.com. (
\n 2014101901 ; Serial
\n 43200 ; Refresh
\n 3600 ; Retry
\n 3600000 ; Expire
\n 2592000 ) ; Minimum<\/p>\n
; Define the nameservers and the mail servers<\/p>\n
IN NS ns1.rmohan.com.
\n IN NS ns2.rmohan.com.
\n IN A 192.168.1.13
\n IN MX 10 mx.rmohan.com.<\/p>\n
keeplive IN A 192.168.1.13
\nmx IN A 192.168.1.13
\nns1 IN A 192.168.1.14
\nns2 IN A 192.168.1.15<\/p>\n
b) Create Reverse Zone :
\n[root@keepalive ~]# vi \/var\/named\/chroot\/var\/named\/192.168.1.zone<\/p>\n
;
\n; Addresses and other host information.
\n;
\n$TTL 86400
\n@ IN SOA rmohan.com. hostmaster.rmohan.com. (
\n 2014101901 ; Serial
\n 43200 ; Refresh
\n 3600 ; Retry
\n 3600000 ; Expire
\n 2592000 ) ; Minimum<\/p>\n
1.168.192.in-addr.arpa. IN NS keepalive.rmohan.com.<\/p>\n
13.0.168.192.in-addr.arpa. IN PTR mx.rmohan.com.
\n14.0.168.192.in-addr.arpa. IN PTR ns1.rmohan.com.
\n15.0.168.192.in-addr.arpa. IN PTR ns2.rmohan.com.<\/p>\n
8. Stop and disable named service. Start and enable bind-chroot service at boot :
\n[root@keeplive ~]# \/usr\/libexec\/setup-named-chroot.sh \/var\/named\/chroot on
\n[root@keeplive ~]# systemctl stop named
\n[root@keeplive ~]# systemctl disable named
\n[root@keeplive ~]# systemctl start named
\n[root@keeplive ~]# systemctl status named
\nnamed.service – Berkeley Internet Name Domain (DNS)
\n Loaded: loaded (\/usr\/lib\/systemd\/system\/named.service; disabled)
\n Active: active (running) since Mon 2014-11-17 08:55:08 SGT; 38s ago
\n Process: 16016 ExecStart=\/usr\/sbin\/named -u named $OPTIONS (code=exited, status=0\/SUCCESS)
\n Process: 16014 ExecStartPre=\/usr\/sbin\/named-checkconf -z \/etc\/named.conf (code=exited, status=0\/SUCCESS)
\n Main PID: 16018 (named)
\n CGroup: \/system.slice\/named.service
\n ??16018 \/usr\/sbin\/named -u named<\/p>\n
Nov 17 08:55:09 keeplive named[16018]: error (network unreachable) resolving ‘ns.isc.afilias-nst.info\/AAAA\/IN’: 2001:500:49::1#53
\nNov 17 08:55:09 keeplive named[16018]: error (network unreachable) resolving ‘ns1.isc.ultradns.net\/A\/IN’: 2001:500:2d::d#53
\nNov 17 08:55:09 keeplive named[16018]: error (network unreachable) resolving ‘ns1.isc.ultradns.net\/AAAA\/IN’: 2001:500:2d::d#53
\nNov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.co.uk\/A\/IN’: 2001:503:ba3e::2:30#53
\nNov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.co.uk\/AAAA\/IN’: 2001:503:ba3e::2:30#53
\nNov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.org\/A\/IN’: 2001:500:e::1#53
\nNov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.org\/AAAA\/IN’: 2001:500:e::1#53
\nNov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘ns2.isc.ultradns.net\/AAAA\/IN’: 2610:a1:1014::e8#53
\nNov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.org\/AAAA\/IN’: 2001:502:4612::e8#53
\nNov 17 08:55:10 keeplive named[16018]: error (network unreachable) resolving ‘pdns196.ultradns.com\/A\/IN’: 2610:a1:1016::e8#53<\/p>\n
[root@keeplive ~]# systemctl status named-chroot.service
\nnamed-chroot.service – Berkeley Internet Name Domain (DNS)
\n Loaded: loaded (\/usr\/lib\/systemd\/system\/named-chroot.service; disabled)
\n Active: failed (Result: exit-code) since Mon 2014-11-17 08:56:15 SGT; 11s ago
\n Process: 16052 ExecStart=\/usr\/sbin\/named -u named -t \/var\/named\/chroot $OPTIONS (code=exited, status=1\/FAILURE)
\n Process: 16050 ExecStartPre=\/usr\/sbin\/named-checkconf -t \/var\/named\/chroot -z \/etc\/named.conf (code=exited, status=0\/SUCCESS)<\/p>\n
Nov 17 08:56:15 keeplive named[16054]: automatic empty zone: A.E.F.IP6.ARPA
\nNov 17 08:56:15 keeplive named[16054]: automatic empty zone: B.E.F.IP6.ARPA
\nNov 17 08:56:15 keeplive named[16054]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
\nNov 17 08:56:15 keeplive named[16054]: couldn’t add command channel 127.0.0.1#953: address in use
\nNov 17 08:56:15 keeplive named[16054]: couldn’t add command channel ::1#953: address in use
\nNov 17 08:56:15 keeplive named[16054]: isc_stdio_open ‘data\/named.run’ failed: permission denied
\nNov 17 08:56:15 keeplive named[16054]: configuring logging: permission denied
\nNov 17 08:56:15 keeplive systemd[1]: named-chroot.service: control process exited, code=exited status=1
\nNov 17 08:56:15 keeplive systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
\nNov 17 08:56:15 keeplive systemd[1]: Unit named-chroot.service entered failed state.
\n[root@keeplive ~]# systemctl enable named-chroot
\nln -s ‘\/usr\/lib\/systemd\/system\/named-chroot.service’ ‘\/etc\/systemd\/system\/multi-user.target.wants\/named-chroot.service’
\n[root@keeplive ~]# systemctl status named-chroot.service
\nnamed-chroot.service – Berkeley Internet Name Domain (DNS)
\n Loaded: loaded (\/usr\/lib\/systemd\/system\/named-chroot.service; enabled)
\n Active: failed (Result: exit-code) since Mon 2014-11-17 08:56:15 SGT; 30s ago<\/p>\n
Nov 17 08:56:15 keeplive named[16054]: automatic empty zone: A.E.F.IP6.ARPA
\nNov 17 08:56:15 keeplive named[16054]: automatic empty zone: B.E.F.IP6.ARPA
\nNov 17 08:56:15 keeplive named[16054]: automatic empty zone: 8.B.D.0.1.0.0.2.IP6.ARPA
\nNov 17 08:56:15 keeplive named[16054]: couldn’t add command channel 127.0.0.1#953: address in use
\nNov 17 08:56:15 keeplive named[16054]: couldn’t add command channel ::1#953: address in use
\nNov 17 08:56:15 keeplive named[16054]: isc_stdio_open ‘data\/named.run’ failed: permission denied
\nNov 17 08:56:15 keeplive named[16054]: configuring logging: permission denied
\nNov 17 08:56:15 keeplive systemd[1]: named-chroot.service: control process exited, code=exited status=1
\nNov 17 08:56:15 keeplive systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
\nNov 17 08:56:15 keeplive systemd[1]: Unit named-chroot.service entered failed state.<\/p>\n
[root@keeplive ~]# systemctl enable named-chroot
\nln -s ‘\/usr\/lib\/systemd\/system\/named-chroot.service’ ‘\/etc\/systemd\/system\/multi-user.target.wants\/named-chroot.service’<\/p>\n","protected":false},"excerpt":{"rendered":"
BIND (Berkeley Internet Name Daemon) also known as NAMED is the most widely used DNS server in the internet. This tutorial will descibes how we can run BIND in a chroot jail, the process is simply unable to see any part of the filesystem outside the jail. For example, in this post, i will setting […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5,4,50],"tags":[],"_links":{"self":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3739"}],"collection":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3739"}],"version-history":[{"count":1,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3739\/revisions"}],"predecessor-version":[{"id":3740,"href":"https:\/\/mohan.sg\/index.php?rest_route=\/wp\/v2\/posts\/3739\/revisions\/3740"}],"wp:attachment":[{"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3739"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3739"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mohan.sg\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3739"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}