How to build a chrooted BIND DNS server on CentOS

Time:2021-3-5

BIND, whose daemon is called named, is the most widely used DNS server software on the Internet. This article shows how to run BIND inside a chroot jail so that it cannot reach any part of the file system outside the jail.

In this article the root directory that BIND sees is changed to /var/named/chroot/; to BIND, that directory is / (the root directory). A "jail" is a software mechanism that keeps a program from reaching resources outside a designated area. With chroot, the jail is built by changing the root directory a process sees, so the process can only operate on files in that directory and its subdirectories; a compromised named therefore cannot read or write the rest of the server. The default jail of the bind-chroot package is /var/named/chroot. Note that chroot limits file-system access only: named must keep running as the unprivileged named user (the service does this with -u named), because a process running as root can break out of a chroot.

Follow these steps to deploy the bind-chroot DNS server on CentOS 7.
1. Install BIND and the bind-chroot package

[root@centos7 ~]# yum install bind-chroot bind -y

2. Copy the BIND sample files into the chroot to prepare the environment

This copies the root hints file named.ca and the localhost zone files that the stock configuration includes into the jail:

[root@centos7 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/

3. Create the files named writes to inside the chroot

[root@centos7 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named.run
[root@centos7 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@centos7 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind

4. Give named write access to its working directories

named runs as the named user and writes its cache dump, statistics, log and managed-keys files into data/ and dynamic/. Make those directories owned by the named user rather than world-writable: a mode of 777 would let any local account alter files named reads back, including managed-keys.bind, its DNSSEC trust-anchor database.

[root@centos7 ~]# chown -R named:named /var/named/chroot/var/named/data
[root@centos7 ~]# chown -R named:named /var/named/chroot/var/named/dynamic
[root@centos7 ~]# chmod -R 770 /var/named/chroot/var/named/data
[root@centos7 ~]# chmod -R 770 /var/named/chroot/var/named/dynamic

5. Copy /etc/named.conf into the bind chroot directory

The -p flag keeps the owner and mode of the file (root:named, 0640), so the named user can read the configuration but not modify it:

[root@centos7 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf

6. Configure BIND in the chroot's /etc/named.conf

Add the example.local domain to named.conf as a forward zone and a reverse zone. example.local is not a registered Internet domain; it is a name used here for local testing. If you are building authoritative DNS for a real domain, put your own domain and its matching in-addr.arpa zone in its place. Edit the copy inside the jail, not the host's /etc/named.conf, because the copy inside the jail is the one named-chroot reads:

[root@centos7 ~]# vi /var/named/chroot/etc/named.conf

Add the two zone statements:

..
..
zone "example.local" IN {
	type master;
	file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.0.zone";
};
..
..

The complete file then reads as follows:
// named.conf
//
// Provided by the Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching-only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	dump-file "/var/named/data/cache_dump.db";
	statistics-file "/var/named/data/named_stats.txt";
	memstatistics-file "/var/named/data/named_mem_stats.txt";
	allow-query { any; };

	/*
	 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
	 - If you are building a RECURSIVE (caching) DNS server, you need to enable recursion.
	 - If your recursive DNS server has a public IP address, you MUST enable access
	   control so that only your legitimate users can send queries. If you do not,
	   your server will be used in DNS amplification attacks. Implementing BCP38 in
	   your network would greatly reduce such attacks.
	*/
	recursion yes;
	// Restrict recursion to the hosts that should use this server as a resolver.
	// Without this statement BIND falls back to the allow-query ACL for recursion,
	// and with allow-query { any; } above this host would be an open resolver.
	allow-recursion { localhost; 192.168.0.0/24; };

	dnssec-enable yes;
	dnssec-validation yes;

	/* Trust anchors shipped with the bind package */
	bindkeys-file "/etc/named.iscdlv.key";

	managed-keys-directory "/var/named/dynamic";

	pid-file "/run/named/named.pid";
	session-keyfile "/run/named/session.key";
};

logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};

zone "." IN {
	type hint;
	file "named.ca";
};

zone "example.local" IN {
	type master;
	file "example.local.zone";
};

zone "0.168.192.in-addr.arpa" IN {
	type master;
	file "192.168.0.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

Two points differ from the file the bind package ships. listen-on and allow-query are opened to any host, which is why allow-recursion is set explicitly: BIND's documented fallback for the recursion ACL is allow-recursion, then allow-query-cache, then allow-query, so without it the server would answer recursive queries from everyone who can reach port 53. The stock dnssec-lookaside auto; line is dropped because ISC retired the DLV registry in 2017; validation uses the root trust anchor from bindkeys-file and managed-keys instead.
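As an added example that is not part of this article, the following sh script checks a named.conf statically for the open-resolver combination the comment block warns about, applying the same ACL fallback order (allow-recursion, then allow-query-cache, then allow-query, then the built-in localnets; localhost;). It needs only sed, awk, grep and mktemp. The two configuration files are constructed for the example: the first repeats the listen-on { any; }, allow-query { any; } and recursion yes combination without an allow-recursion statement, the second adds a LAN-restricted allow-recursion. Addresses in listen-on are assumed to be written as "addr;" tokens.

```shell
#!/bin/sh
# Added example (not from the original article): static audit of a named.conf
# options block for the open-resolver pattern. Sample files are constructed.

# Flatten the file to one line and remove //, # and /* */ comments, so a
# commented-out directive is not mistaken for a live one.
strip_comments() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | awk '
        { s = s $0 " " }
        END {
            while ((i = index(s, "/*")) > 0) {
                rest = substr(s, i + 2)
                j = index(rest, "*/")
                if (j == 0) { s = substr(s, 1, i - 1); break }
                s = substr(s, 1, i - 1) " " substr(rest, j + 2)
            }
            print s
        }'
}

# Print the body of the first "<name> { ... }" statement in $2, or nothing.
acl_body() {
    printf '%s\n' "$2" | grep -o "$1"' *{[^}]*}' | head -n 1 | sed 's/^[^{]*{//; s/}$//'
}

# Return 0 if recursion is off or limited to an explicit ACL, 1 if the server
# would answer recursive queries for anyone who can reach it.
audit_named_conf() {
    conf=$(strip_comments "$1")

    recursion=$(printf '%s\n' "$conf" | grep -o 'recursion *[a-z]*;' | head -n 1 \
        | sed 's/recursion *//; s/;//')
    [ -n "$recursion" ] || recursion=yes          # BIND default when unset

    # Effective recursion ACL, following BIND's documented fallback order.
    acl=$(acl_body allow-recursion "$conf")
    [ -n "$acl" ] || acl=$(acl_body allow-query-cache "$conf")
    [ -n "$acl" ] || acl=$(acl_body allow-query "$conf")
    [ -n "$acl" ] || acl=' localnets; localhost; '

    # A listener bound only to loopback is unreachable from other hosts. No
    # IPv4 listen-on statement at all means "all interfaces".
    if printf '%s\n' "$conf" | grep -o 'listen-on[^{;]*{' | grep -v 'listen-on-v6' | grep -q .; then
        reachable=$(printf '%s\n' "$conf" | grep -o 'listen-on[^{;]*{[^}]*}' \
            | sed 's/^[^{]*{//; s/}$//; s/127\.0\.0\.1;//g; s/::1;//g; s/localhost;//g; s/none;//g' \
            | tr -d ' \n')
    else
        reachable=any
    fi

    if [ "$recursion" = no ]; then
        echo "OK: recursion no (authoritative-only server)"
        return 0
    fi
    case " $acl" in
        *" any;"*) open_acl=1 ;;   # ACL names containing "any" and 0.0.0.0/0 are not handled
        *)         open_acl=0 ;;
    esac
    if [ "$open_acl" = 1 ] && [ -n "$reachable" ]; then
        echo "OPEN RESOLVER: recursion yes, effective allow-recursion {$acl} on a non-loopback listener"
        return 1
    fi
    if [ "$open_acl" = 1 ]; then
        echo "OK: recursion unrestricted but named listens on loopback only"
    else
        echo "OK: recursion yes, limited to {$acl}"
    fi
    return 0
}

# Constructed sample configurations (options blocks only).
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
PAGE_CONF="$SAMPLE_DIR/named.conf.open"
FIXED_CONF="$SAMPLE_DIR/named.conf.restricted"

cat > "$PAGE_CONF" <<'EOF'
options {
	listen-on port 53 { any; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	allow-query { any; };
	/* recursion is on and nothing limits who may use it */
	recursion yes;
};
EOF

cat > "$FIXED_CONF" <<'EOF'
options {
	listen-on port 53 { 127.0.0.1; 192.168.0.70; };
	listen-on-v6 port 53 { ::1; };
	directory "/var/named";
	allow-query { any; };
	// allow-recursion { any; };   commented out, must be ignored by the check
	allow-recursion { localhost; 192.168.0.0/24; };
	recursion yes;
};
EOF

for f in "$PAGE_CONF" "$FIXED_CONF"; do
    printf '%s: ' "${f##*/}"
    audit_named_conf "$f" || :
done
```

The check is deliberately textual; for the authoritative answer run named-checkconf -p on the real file and query the server from a host outside the allowed range with dig, which should return REFUSED for a recursive query.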

7. Create the forward and reverse zone files for example.local
a) Forward zone

[root@centos7 ~]# vi /var/named/chroot/var/named/example.local.zone

Add and save the following:

;
; Addresses and other host information.
;
$TTL 86400
@       IN SOA example.local. hostmaster.example.local. (
                2014101901 ; Serial (YYYYMMDDnn); increase it on every change or secondaries will not transfer
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum (negative caching TTL)

; Define the nameservers and the mail servers

@       IN NS  ns1.example.local.
@       IN NS  ns2.example.local.
@       IN A   192.168.0.70
@       IN MX  10 mx.example.local.

centos7 IN A   192.168.0.70
mx      IN A   192.168.0.50
ns1     IN A   192.168.0.70
ns2     IN A   192.168.0.80

A record line with an empty owner field inherits the previous owner, but only when the line starts with whitespace; writing @ explicitly for the apex records avoids named-checkzone rejecting the file when that leading whitespace is lost in copy and paste.

b) Reverse zone

[root@centos7 ~]# vi /var/named/chroot/var/named/192.168.0.zone

Add and save the following:

;
; Addresses and other host information.
;
$TTL 86400
@       IN SOA example.local. hostmaster.example.local. (
                2014101901 ; Serial
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum

@       IN NS  ns1.example.local.
@       IN NS  ns2.example.local.

50      IN PTR mx.example.local.
70      IN PTR ns1.example.local.
80      IN PTR ns2.example.local.

Each PTR must point at the host that holds the A record for that address: mx is 192.168.0.50 in the forward zone, so its PTR belongs to 50, not 70, and 70 gets a single PTR. Relative owners such as 50 are expanded with the zone origin 0.168.192.in-addr.arpa.; the fully qualified form 50.0.168.192.in-addr.arpa. is equivalent.
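The following sh script is an added example, not part of this article: it parses the forward and reverse zone files in plain awk (no named needed) and reports PTR records whose target has no A record for that address (forward-confirmed reverse DNS fails), addresses with an A record but no PTR, and addresses with more than one PTR. The three zone files are constructed copies: the forward zone above, a reverse zone in which the 192.168.0.70 PTR names the mail host, and the corrected reverse zone. It assumes standard master-file syntax with one record per line, an SOA that may span lines inside parentheses, and an origin passed with a trailing dot.

```shell
#!/bin/sh
# Added example (not from the original article): forward/reverse zone
# consistency check in sh + awk. Zone files below are constructed.

# Print "owner TYPE rdata" for every A and PTR record in zone $1 (origin $2),
# with owners and PTR targets fully qualified. Handles @, owners inherited
# from the previous line (leading whitespace), $ORIGIN, ";" comments and a
# multi-line SOA in parentheses.
zone_records() {
    awk -v origin="$2" '
        function fq(n) {
            if (n == "@") return origin
            if (n ~ /\.$/) return n
            return n "." origin
        }
        { sub(/;.*$/, "") }
        /^[ \t]*$/ { next }
        /^\$TTL/ { next }
        /^\$ORIGIN/ { origin = $2; next }
        inparen { if ($0 ~ /\)/) inparen = 0; next }
        {
            if ($0 ~ /^[ \t]/) { $0 = owner " " $0 } else { owner = $1 }
            if ($0 ~ /\(/ && $0 !~ /\)/) { inparen = 1; next }
            for (i = 2; i <= NF; i++) {
                if ($i == "A")   { print fq($1), "A", $(i + 1); break }
                if ($i == "PTR") { print fq($1), "PTR", fq($(i + 1)); break }
            }
        }' "$1"
}

# Usage: check_forward_reverse fwd_zone fwd_origin rev_zone rev_origin
# Prints one finding per line; returns 1 when anything was found.
check_forward_reverse() {
    findings=$( {
        zone_records "$1" "$2" | awk '$2 == "A" { print "A", $1, $3 }'
        zone_records "$3" "$4" | awk '$2 == "PTR" {
            split($1, l, ".")         # 70.0.168.192.in-addr.arpa. -> 192.168.0.70
            print "PTR", l[4] "." l[3] "." l[2] "." l[1], $3 }'
    } | awk '
        $1 == "A"   { a[$2 " " $3] = 1; seen[$3] = 1 }
        $1 == "PTR" { p[$2 " " $3] = 1; nptr[$2]++ }
        END {
            for (k in p) { split(k, f, " ")
                if (!((f[2] " " f[1]) in a)) print "PTR " f[1] " -> " f[2] " but " f[2] " has no A record for " f[1] }
            for (ip in seen) if (!(ip in nptr)) print "no PTR for " ip
            for (ip in nptr) if (nptr[ip] > 1) print nptr[ip] " PTR records for " ip " (one per address is the norm)"
        }')
    [ -n "$findings" ] && printf '%s\n' "$findings"
    [ -z "$findings" ]
}

# Constructed sample zones.
SAMPLE_DIR=$(mktemp -d)
trap 'rm -rf "$SAMPLE_DIR"' EXIT
FWD_ZONE="$SAMPLE_DIR/example.local.zone"
REV_ZONE_AS_WRITTEN="$SAMPLE_DIR/192.168.0.zone.before"
REV_ZONE_FIXED="$SAMPLE_DIR/192.168.0.zone.after"

cat > "$FWD_ZONE" <<'EOF'
$TTL 86400
@       IN SOA example.local. hostmaster.example.local. (
                2014101901 ; Serial
                43200 3600 3600000 2592000 )
        IN NS  ns1.example.local.
        IN A   192.168.0.70
        IN MX  10 mx.example.local.
centos7 IN A   192.168.0.70
mx      IN A   192.168.0.50
ns1     IN A   192.168.0.70
ns2     IN A   192.168.0.80
EOF

cat > "$REV_ZONE_AS_WRITTEN" <<'EOF'
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. ( 2014101901 43200 3600 3600000 2592000 )
0.168.192.in-addr.arpa.    IN NS  ns1.example.local.
70.0.168.192.in-addr.arpa. IN PTR mx.example.local.   ; mx is really .50
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
EOF

cat > "$REV_ZONE_FIXED" <<'EOF'
$TTL 86400
@  IN SOA example.local. hostmaster.example.local. ( 2014101901 43200 3600 3600000 2592000 )
   IN NS  ns1.example.local.
50 IN PTR mx.example.local.
70 IN PTR ns1.example.local.
80 IN PTR ns2.example.local.
EOF

for rev in "$REV_ZONE_AS_WRITTEN" "$REV_ZONE_FIXED"; do
    echo "== ${rev##*/}"
    check_forward_reverse "$FWD_ZONE" example.local. "$rev" 0.168.192.in-addr.arpa. || :
done
```

Run it against the real files with check_forward_reverse /var/named/chroot/var/named/example.local.zone example.local. /var/named/chroot/var/named/192.168.0.zone 0.168.192.in-addr.arpa. after named-checkzone has accepted both files; it catches the class of mismatch that named-checkzone does not, because each zone is syntactically valid on its own.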

8. Start the bind-chroot service

[root@centos7 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@centos7 ~]# systemctl stop named
[root@centos7 ~]# systemctl disable named
[root@centos7 ~]# systemctl start named-chroot
[root@centos7 ~]# systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'

named-chroot.service runs the same setup-named-chroot.sh step itself before starting named, and before that it runs named-checkconf -t /var/named/chroot -z /etc/named.conf, so a syntax error in named.conf or in a zone file stops the unit from starting; look at journalctl -u named-chroot if the start fails. The setup script bind-mounts /etc/named.rfc1912.zones, /etc/named.root.key and the other paths listed in /etc/named-chroot.files into the jail only where the copy inside the jail is missing or empty, which is why the named.conf copied in step 5 is the one named reads. The named and named-chroot units start the same binary, so only one of them may be enabled.
