Walkthrough for setting up a BIND DNS server in a chroot environment for Red Hat (RHEL / CentOS) 7

A translation of the article was prepared for students of the Linux Security course. Is it interesting to develop in this direction? Watch the recording of the broadcast of the master class by Ivan Piskunov “Security in Linux in comparison with Windows and MacOS”

In this article, I will describe the steps for setting up a DNS server on RHEL 7 or CentOS 7. For demonstration, I used Red Hat Enterprise Linux 7.4. Our goal is to create one A record and one PTR record for the forward and reverse lookup zones, respectively.

First install the necessary rpm packages for the DNS server.

NOTE: For RHEL, you must have an active RHN subscription , or you can configure a local offline repository with which the yum package manager can install the necessary rpm packages and dependencies.

# yum install bind bind-chroot caching-nameserver 

My settings:

 # hostname golinuxhub-client.example  IP- 192.168.1.7 # ip address | egrep 'inet.*enp0s3' inet 192.168.1.7/24 brd 192.168.1.255 scope global dynamic enp0s3 

Since we will use chroot, we need to disable the service.

 # systemctl stop named # systemctl disable named 

Then copy the necessary files to the chroot directory.
NOTE. Use the -p argument to the cp command to preserve ownership and ownership.

 [root@golinuxhub-client ~]# cp -rpvf /usr/share/doc/bind-9.9.4/sample/etc/* /var/named/chroot/etc/ '/usr/share/doc/bind-9.9.4/sample/etc/named.conf' -> '/var/named/chroot/etc/named.conf' '/usr/share/doc/bind-9.9.4/sample/etc/named.rfc1912.zones' -> '/var/named/chroot/etc/named.rfc1912.zones' 

Then copy the files associated with the zone to a new location.

 [root@golinuxhub-client ~]# cp -rpvf /usr/share/doc/bind-9.9.4/sample/var/named/* /var/named/chroot/var/named/ '/usr/share/doc/bind-9.9.4/sample/var/named/data' -> '/var/named/chroot/var/named/data' '/usr/share/doc/bind-9.9.4/sample/var/named/my.external.zone.db' -> '/var/named/chroot/var/named/my.external.zone.db' '/usr/share/doc/bind-9.9.4/sample/var/named/my.internal.zone.db' -> '/var/named/chroot/var/named/my.internal.zone.db' '/usr/share/doc/bind-9.9.4/sample/var/named/named.ca' -> '/var/named/chroot/var/named/named.ca' '/usr/share/doc/bind-9.9.4/sample/var/named/named.empty' -> '/var/named/chroot/var/named/named.empty' '/usr/share/doc/bind-9.9.4/sample/var/named/named.localhost' -> '/var/named/chroot/var/named/named.localhost' '/usr/share/doc/bind-9.9.4/sample/var/named/named.loopback' -> '/var/named/chroot/var/named/named.loopback' '/usr/share/doc/bind-9.9.4/sample/var/named/slaves' -> '/var/named/chroot/var/named/slaves' '/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.ddns.internal.zone.db' -> '/var/named/chroot/var/named/slaves/my.ddns.internal.zone.db' '/usr/share/doc/bind-9.9.4/sample/var/named/slaves/my.slave.internal.zone.db' -> '/var/named/chroot/var/named/slaves/my.slave.internal.zone.db' ```bash       . ```bash # cd /var/named/chroot/etc/ 

Clear the contents of named.conf and paste the following.

 [root@golinuxhub-client etc]# vim named.conf options { listen-on port 53 { 127.0.0.1; any; }; # listen-on-v6 port 53 { ::1; }; directory "/var/named"; dump-file "/var/named/data/cache_dump.db"; statistics-file "/var/named/data/named_stats.txt"; memstatistics-file "/var/named/data/named_mem_stats.txt"; allow-query { localhost; any; }; allow-query-cache { localhost; any; }; }; logging { channel default_debug { file "data/named.run"; severity dynamic; }; }; view my_resolver { match-clients { localhost; any; }; recursion yes; include "/etc/named.rfc1912.zones"; }; 

Information related to the zone should be added to /var/named/chroot/etc/named.rfc1912.zones . Add the entries below. The example.zone file is the forward lookup file, and example.rzone is the reverse zone file.

IMPORTANT NOTE: The reverse lookup zone contains 1.168.192, since my IP address is 192.168.1.7

 zone "example" IN { type master; file "example.zone"; allow-update { none; }; }; zone "1.168.192.in-addr.arpa" IN { type master; file "example.rzone"; allow-update { none; }; }; 

The files associated with the zones are located here:

 # cd /var/named/chroot/var/named/ 

Next, create files for the forward and reverse zones. The file names will be the same as above in the named.rfc1912.zones file. We already have some default templates that we can use.

 # cp -p named.localhost example.zone # cp -p named.loopback example.rzone 

As you can see, the current permissions on all files and directories belong to root .

 [root@golinuxhub-client named]# ll total 32 drwxr-xr-x. 2 root root 6 May 22 2017 data -rw-r--r--. 1 root root 168 May 22 2017 example.rzone -rw-r--r--. 1 root root 152 May 22 2017 example.zone -rw-r--r--. 1 root root 56 May 22 2017 my.external.zone.db -rw-r--r--. 1 root root 56 May 22 2017 my.internal.zone.db -rw-r--r--. 1 root root 2281 May 22 2017 named.ca -rw-r--r--. 1 root root 152 May 22 2017 named.empty -rw-r--r--. 1 root root 152 May 22 2017 named.localhost -rw-r--r--. 1 root root 168 May 22 2017 named.loopback drwxr-xr-x. 2 root root 71 Feb 12 21:02 slaves 

Change the rights of all files, specifying root and the named group as the owner of the user.

 # chown root:named * 

But for data, the owner must be named: named .

 # chown -R named:named data # ls -l total 32 drwxr-xr-x. 2 named named 6 May 22 2017 data -rw-r--r--. 1 root named 168 May 22 2017 example.rzone -rw-r--r--. 1 root named 152 May 22 2017 example.zone -rw-r--r--. 1 root named 56 May 22 2017 my.external.zone.db -rw-r--r--. 1 root named 56 May 22 2017 my.internal.zone.db -rw-r--r--. 1 root named 2281 May 22 2017 named.ca -rw-r--r--. 1 root named 152 May 22 2017 named.empty -rw-r--r--. 1 root named 152 May 22 2017 named.localhost -rw-r--r--. 1 root named 168 May 22 2017 named.loopback drwxr-xr-x. 2 root named 71 Feb 12 21:02 slaves 

Add the following content to the forward zone file. Here we create an A record for localhost (golinuxhub-client) and another one for the server (golinuxhub-server).

 # vim example.zone $TTL 1D @ IN SOA example. root ( 1 ; serial 3H ; refresh 15M ; retry 1W ; expire 1D ) ; minimum IN NS example. IN A 192.168.1.7 golinuxhub-server IN A 192.168.1.5 golinuxhub-client IN A 192.169.1.7 

Next, add the contents to the reverse zone file. Here we create a PTR record for golinuxhub-client and for golinuxhub-server.

 # vim example.rzone $TTL 1D @ IN SOA example. root.example. ( 1997022700 ; serial 28800 ; refresh 14400 ; retry 3600000 ; expire 86400 ) ; minimum IN NS example. 5 IN PTR golinuxhub-server.example. 7 IN PTR golinuxhub-client.example. 

Before we start the named-chroot service , check the configuration of the zone file.

 [root@golinuxhub-client named]# named-checkzone golinuxhub-client.example example.zone zone golinuxhub-client.example/IN: loaded serial 1 OK [root@golinuxhub-client named]# named-checkzone golinuxhub-client.example example.rzone zone golinuxhub-client.example/IN: loaded serial 1997022700 OK 

Everything looks good. Now check the configuration file using the following command.

 [root@golinuxhub-client named]# named-checkconf -t /var/named/chroot/ /etc/named.conf 

So, everything is successful.

 [root@golinuxhub-client named]# echo $? 0 

IMPORTANT NOTE: my SELinux is in permissive mode

 # getenforce Permissive 

Everything looks good, so it's time to start our named-chroot service .

 [root@golinuxhub-client named]# systemctl restart named-chroot 

 [root@golinuxhub-client named]# systemctl status named-chroot ● named-chroot.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named-chroot.service; disabled; vendor preset: disabled) Active: active (running) since Mon 2018-02-12 21:53:23 IST; 19s ago Process: 5236 ExecStop=/bin/sh -c /usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID (code=exited, status=0/SUCCESS) Process: 5327 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} -t /var/named/chroot $OPTIONS (code=exited, status=0/SUCCESS) Process: 5325 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -t /var/named/chroot -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS) Main PID: 5330 (named) CGroup: /system.slice/named-chroot.service └─5330 /usr/sbin/named -u named -c /etc/named.conf -t /var/named/chroot Feb 12 21:53:23 golinuxhub-client.example named[5330]: managed-keys-zone/my_resolver: loaded serial 0 Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 0.in-addr.arpa/IN/my_resolver: loaded serial 0 Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.0.0.127.in-addr.arpa/IN/my_resolver: loaded serial 0 Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.168.192.in-addr.arpa/IN/my_resolver: loaded serial 1997022700 Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone example/IN/my_resolver: loaded serial 1 Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone localhost/IN/my_resolver: loaded serial 0 Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa/IN/my_resolver: loaded serial 0 Feb 12 21:53:23 golinuxhub-client.example named[5330]: zone localhost.localdomain/IN/my_resolver: loaded serial 0 Feb 12 21:53:23 golinuxhub-client.example named[5330]: all zones loaded Feb 12 21:53:23 golinuxhub-client.example named[5330]: running ```bash ,  resolv.conf   IP-,       DNS-. ```bash # cat /etc/resolv.conf search example nameserver 192.168.1.7 ```bash    DNS-   ,  dig. ```bash [root@golinuxhub-client named]# dig -x 192.168.1.5 ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.5 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 40331 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;5.1.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 5.1.168.192.in-addr.arpa. 86400 IN PTR golinuxhub-server.example. ;; AUTHORITY SECTION: 1.168.192.in-addr.arpa. 86400 IN NS example. ;; ADDITIONAL SECTION: example. 86400 IN A 192.168.1.7 ;; Query time: 1 msec ;; SERVER: 192.168.1.7#53(192.168.1.7) ;; WHEN: Mon Feb 12 22:13:17 IST 2018 ;; MSG SIZE rcvd: 122 

As you can see, we received a positive response (ANSWER) to our request (QUERY).

 [root@golinuxhub-client named]# dig -x 192.168.1.7 ; <<>> DiG 9.9.4-RedHat-9.9.4-50.el7 <<>> -x 192.168.1.7 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55804 ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 1, ADDITIONAL: 2 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;7.1.168.192.in-addr.arpa. IN PTR ;; ANSWER SECTION: 7.1.168.192.in-addr.arpa. 86400 IN PTR golinuxhub-client.example. ;; AUTHORITY SECTION: 1.168.192.in-addr.arpa. 86400 IN NS example. ;; ADDITIONAL SECTION: example. 86400 IN A 192.168.1.7 ;; Query time: 1 msec ;; SERVER: 192.168.1.7#53(192.168.1.7) ;; WHEN: Mon Feb 12 22:12:54 IST 2018 ;; MSG SIZE rcvd: 122 

Similarly, we can check the direct zone.

 [root@golinuxhub-client named]# nslookup golinuxhub-client.example Server: 192.168.1.7 Address: 192.168.1.7#53 Name: golinuxhub-client.example Address: 192.169.1.7 [root@golinuxhub-client named]# nslookup golinuxhub-server.example Server: 192.168.1.7 Address: 192.168.1.7#53 Name: golinuxhub-server.example Address: 192.168.1.5 

This article is a bit dated since RHEL 7 no longer needs to copy bind configuration files to chroot. Step-by-Step Tutorial: Configure DNS Server using bind chroot (CentOS / RHEL 7) .