Chroot-DNS
Setup Bind Chroot DNS Server on CentOS 7
[root@mail ~]# yum -y install bind-chroot
[root@mail ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
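# Switch from the plain 'named' unit to the chrooted 'named-chroot' unit.
systemctl stop named
systemctl disable named
systemctl start named-chroot
# 'enable' creates /etc/systemd/system/multi-user.target.wants/named-chroot.service
# itself; the `ln -s ...` line that older systemd versions print after this
# command is its output, not a further step (run by hand it fails with "File exists").
systemctl enable named-chroot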
[root@mail ~]# ll /var/named/chroot/etc
total 24
-rw-r--r-- 1 root root 331 Jul 10 14:46 localtime
drwxr-x--- 2 root named 6 Jun 10 17:13 named
-rw-r----- 1 root named 2211 Jul 10 14:13 named.conf
-rw-r--r-- 1 root named 2389 Jun 10 17:13 named.iscdlv.key
-rw-r----- 1 root named 931 Jun 21 2007 named.rfc1912.zones
-rw-r--r-- 1 root named 487 Jul 19 2010 named.root.key
drwxr-x--- 3 root named 24 Jul 10 14:46 pki
-rw-r----- 1 root named 77 Jul 10 14:39 rndc.key
[root@mail ~]# ll /var/named/chroot/var/named
total 28
-rw-r--r-- 1 root root 358 Jul 10 14:31 0.0.10.db
drwxr-x--- 7 root named 56 Jul 10 14:46 chroot
drwxrwx--- 2 named named 22 Jul 10 14:39 data
drwxrwx--- 2 named named 4096 Jul 10 14:42 dynamic
-rw-r----- 1 root named 2076 Jan 28 2013 named.ca
-rw-r----- 1 root named 152 Dec 15 2009 named.empty
-rw-r----- 1 root named 152 Jun 21 2007 named.localhost
-rw-r----- 1 root named 168 Dec 15 2009 named.loopback
-rw-r--r-- 1 root root 350 Jul 10 14:30 srv.world.lan
drwxrwx--- 2 named named 6 Jun 10 17:13 slaves
1. Install the BIND chroot DNS server:
[root@centos7 ~]# yum install bind-chroot bind -y
2. Copy the sample BIND files into the chroot to prepare the chrooted environment:
[root@centos7 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/
3. Create the BIND runtime files inside the chroot directory:
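# Runtime files BIND writes at start-up; they must exist inside the chroot.
chroot_named=/var/named/chroot/var/named
# -p: step 2's copy of the sample tree may already have created these
# directories, and a plain mkdir would abort on the existing one.
mkdir -p -- "$chroot_named/data" "$chroot_named/dynamic"
touch -- "$chroot_named"/data/{cache_dump.db,named_stats.txt,named_mem_stats.txt,named.run}
touch -- "$chroot_named/dynamic/managed-keys.bind"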
4. BIND's lock file must be writable, so set the permissions as below (note: 777 makes these directories world-writable; only the named user needs write access, as the `drwxrwx--- named named` entries in the listing above show):
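# BIND writes its lock/stats files and managed keys here. Give the 'named'
# user (the account the chrooted service runs as) ownership plus group write
# access instead of a world-writable 777, matching the drwxrwx--- named:named
# layout the stock chroot uses.
chown -R named:named /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic
chmod -R u+rwX,g+rwX,o-rwx /var/named/chroot/var/named/data /var/named/chroot/var/named/dynamic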
5. Copy /etc/named.conf into the chrooted BIND configuration directory:
[root@centos7 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf
6. Configure the main BIND configuration in /etc/named.conf (the chrooted copy from step 5). Append the example.local zone information to the file:
[root@mail ~]# vi /var/named/chroot/etc/named.conf
-----------------------------------------------------------------
## Line numbers are shown on the left:
10 options {
11 listen-on port 53 { 127.0.0.1; any; };
12 listen-on-v6 port 53 { ::1; };
13 directory "/var/named";
14 dump-file "/var/named/data/cache_dump.db";
15 statistics-file "/var/named/data/named_stats.txt";
16 memstatistics-file "/var/named/data/named_mem_stats.txt";
17 allow-query { localhost; any; };
18 allow-query-cache { localhost; any; };
53 file "named.ca";
54 };
55
56 zone "worldcm.net" {
57 type master;
58 file "worldcm.net.for";
59 };
60
61 zone "140.20.103.in-addr.arpa" IN {
62 type master;
63 file "worldcm.net.rev";
64 };
65
66 include "/etc/named.rfc1912.zones";
------------------------------------------------------------------
[root@centos7 ~]# vi /var/named/chroot/etc/named.conf
Create the forward and reverse zone entries in named.conf:
.. ..
zone "example.local" {
        type master;
        file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};
.. ..
Full named.conf configuration (note that it combines `recursion yes;` with `allow-query { any; };`, which, as the embedded comment warns, leaves a server with a public address open to abuse as a recursive resolver; restrict `allow-query`/`allow-recursion` to your own networks. ISC has since retired the DLV service, so the `dnssec-lookaside auto;` and `bindkeys-file` DLV settings are obsolete on current BIND releases):
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { any; };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        dump-file "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query { any; };

        /*
         - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
         - If you are building a RECURSIVE (caching) DNS server, you need to enable
           recursion.
         - If your recursive DNS server has a public IP address, you MUST enable access
           control to limit queries to your legitimate users. Failing to do so will
           cause your server to become part of large scale DNS amplification
           attacks. Implementing BCP38 within your network would greatly
           reduce such attack surface
        */
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";

        pid-file "/run/named/named.pid";
        session-keyfile "/run/named/session.key";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "example.local" {
        type master;
        file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.0.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
7. Create Forward and Reverse zone files for domain example.local.
a) Create the forward zone (shown first for worldcm.net, then for example.local):
[root@mail ~]# vi /var/named/chroot/var/named/worldcm.net.for
$TTL 86400
@ IN SOA mail.worldcm.net. root.worldcm.net. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS mail.worldcm.net.
mail IN A 192.168.80.1
@ IN MX 10 mail.worldcm.net.
worldcm.net. IN MX 10 mail.worldcm.net.
www IN CNAME mail
ftp IN CNAME mail
~
-----------------------------------------------------------
[root@centos7 ~]# vi /var/named/chroot/var/named/example.local.zone
Add the following and save:
;
; Addresses and other host information.
;
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
        2014101901 ; Serial
        43200      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        2592000 )  ; Minimum
; Define the nameservers and the mail servers
        IN NS ns1.example.local.
        IN NS ns2.example.local.
        IN A 192.168.0.70
        IN MX 10 mx.example.local.
centos7 IN A 192.168.0.70
mx      IN A 192.168.0.50
ns1     IN A 192.168.0.70
ns2     IN A 192.168.0.80
b) Create the reverse zone (shown first for worldcm.net, then for example.local; note that the example.local reverse file below maps 192.168.0.70 to mx.example.local. while the forward zone gives mx the address 192.168.0.50, so check the PTR records against your forward records):
[root@mail ~]# vi /var/named/chroot/var/named/worldcm.net.rev
$TTL 86400
@ IN SOA mail.worldcm.net. root.worldcm.net. (
2011071001 ;Serial
3600 ;Refresh
1800 ;Retry
604800 ;Expire
86400 ;Minimum TTL
)
@ IN NS mail.worldcm.net.
@ IN PTR worldcm.net.
24 IN PTR mail.worldcm.net.
mail IN A 192.168.80.1
---------------------------------------------------------
[root@centos7 ~]# vi /var/named/chroot/var/named/192.168.0.zone
;
; Addresses and other host information.
;
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
        2014101901 ; Serial
        43200      ; Refresh
        3600       ; Retry
        3600000    ; Expire
        2592000 )  ; Minimum
0.168.192.in-addr.arpa.     IN NS  centos7.example.local.
70.0.168.192.in-addr.arpa.  IN PTR mx.example.local.
70.0.168.192.in-addr.arpa.  IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa.  IN PTR ns2.example.local.
8. Stop and disable the named service, then start the named-chroot service and enable it at boot:
[root@centos7 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
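# Switch from the plain 'named' unit to the chrooted 'named-chroot' unit.
systemctl stop named
systemctl disable named
systemctl start named-chroot
# 'enable' creates /etc/systemd/system/multi-user.target.wants/named-chroot.service
# itself; the `ln -s ...` line that older systemd versions print after this
# command is its output, not a further step (run by hand it fails with "File exists").
systemctl enable named-chroot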
[root@mail named]# nslookup mail.worldcm.net
Server: 192.168.80.82
Address: 192.168.80.81
Name: mail.worldcm.net
Address: 172.25.11.200+X
[root@mail named]# dig -x 192.168.80.81   ; -x requests a reverse (PTR) lookup of the address
status: NOERROR
[root@mail named]# dig mail.worldcm.net
status: NOERROR
[root@mail named]# ping www.google.com
-----