Building BIND Box
Install the binaries
Install the chrooted version of bind
yum -y install bind-chroot
Initialize the chrooted version of named, and make sure that the non-chrooted version is not active.
/usr/libexec/setup-named-chroot.sh /var/named/chroot on
systemctl stop named
systemctl disable named
systemctl start named-chroot
systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'
Once you make the above changes, the bind directories should all be set up properly. Confirm that they contain the following files and directories:
[root@ns02 ~]# ll /var/named/chroot/etc
total 688
-rw-r--r--. 10 root root 118 Jan 30 08:49 localtime
drwxr-x---. 2 root named 6 Jan 22 13:30 named
-rw-r-----. 1 root named 1705 Mar 22 2016 named.conf
-rw-r--r--. 1 root named 3923 Jan 22 13:30 named.iscdlv.key
-rw-r-----. 1 root named 931 Jun 21 2007 named.rfc1912.zones
-rw-r--r--. 1 root named 1587 May 22 2017 named.root.key
drwxr-x---. 3 root named 25 Feb 25 01:50 pki
-rw-r--r--. 1 root root 6545 Jun 7 2013 protocols
-rw-r-----. 1 root named 77 Feb 25 01:56 rndc.key
-rw-r--r--. 1 root root 670293 Jun 7 2013 services
[root@ns02 ~]#
[root@ns02 ~]# ll /var/named/chroot/var/named
total 16
drwxr-x---. 7 root named 61 Feb 25 01:50 chroot
drwxrwx---. 2 named named 23 Feb 25 01:56 data
drwxrwx---. 2 named named 60 Feb 25 01:56 dynamic
-rw-r-----. 1 root named 2281 May 22 2017 named.ca
-rw-r-----. 1 root named 152 Dec 15 2009 named.empty
-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost
-rw-r-----. 1 root named 168 Dec 15 2009 named.loopback
drwxrwx---. 2 named named 6 Jan 22 13:30 slaves
[root@ns02 ~]#
NOTE: If the files and directories are missing, bind did not start up properly. Go back and debug bind and figure out what is keeping it from starting (all the files "magically" appear once bind-chroot loads).
Create the working files and directories that named will write to later, plus the zones directory that will hold the zone files created below:
touch /var/named/chroot/var/named/data/cache_dump.db
touch /var/named/chroot/var/named/data/named_stats.txt
touch /var/named/chroot/var/named/data/named_mem_stats.txt
touch /var/named/chroot/var/named/data/named.run
mkdir /var/named/chroot/var/named/dynamic
mkdir /var/named/chroot/etc/named/zones
touch /var/named/chroot/var/named/dynamic/managed-keys.bind
chmod -R 777 /var/named/chroot/var/named/data
chmod -R 777 /var/named/chroot/var/named/dynamic
Note that the listing above already shows data/ and dynamic/ owned by named with mode 770, which is all that named needs to write there; 777 additionally makes them world-writable, so 770 is the tighter choice if you want to avoid that.
Config and Zone Files
The overall file topology within the chroot environment (/var/named/chroot/) is the following. The "named.conf" file is the primary configuration file that controls all the major variables for running bind. It points to the "named.conf.local" file, which is responsible for pointing to all of the forward and reverse zone files. The two control files are kept within the etc/ directory in the chrooted environment. The zone files are kept within the etc/named/zones/ directory created above, and then within their datacenter LOC codes.
named.conf
The file /var/named/chroot/etc/named.conf is where you configure who can query the server and do zone transfers, and where the zone files are stored.
Copy the original file to the chrooted location
cp -p /etc/named.conf /var/named/chroot/etc/named.conf
Edit the named.conf file
vim /var/named/chroot/etc/named.conf
Make sure you enter the IP addresses that bind will listen on (just add the server's IP):
listen-on port 53 { 127.0.0.1; 192.168.1.2; };
Define what networks can talk to the server:
allow-query { localhost; 192.168.1.0/24; };
allow-query-cache { localhost; 192.168.1.0/15; };
forwarders { 8.8.8.8; 8.8.4.4; };
Check the prefix lengths carefully: a /15 in allow-query-cache covers 192.168.0.0 through 192.169.255.255, which is far wider than the /24 in allow-query and reaches beyond the private range, so make sure every prefix really matches the network you intend to serve recursion to.
Add the following includes (at the bottom of the config file) to tell the bind server where to look for resolving names:
include "/etc/named/named.conf.local";
named.conf.local
This used to be part of the named.conf file, but we're breaking it out to a separate file to help keep everything cleaner. Create the new file
vim /var/named/chroot/etc/named/named.conf.local
and add the following. The zone name must match the SOA owner in the zone file, and the file paths are relative to the chroot, so they point at the etc/named/zones directory created above:
# Forward Zone Files:
zone "domain.com" {
type master;
file "/etc/named/zones/db.domain.com";
};
# Reverse Zone Files:
zone "1.168.192.in-addr.arpa" {
type master;
file "/etc/named/zones/db.192.168.1";
};
Forward Zone File
You can have a single zone file for all of your hosts that are in the same namespace.
Create the file referenced above in the .local file:
vim /var/named/chroot/etc/named/zones/db.domain.com
and add the following header to the file. Note that "ns01.domain.com." is the fqdn of this server, and "admin.domain.com." is the admin email address associated with the domain (the "@" of the address is written as a dot). A semi-colon ";" begins a comment. Every time you modify this file, you will need to update the "Serial" number; to keep track of this, we use the date format YYMMDDHHMM for the serial number of the change.
$ORIGIN .
$TTL 38400 ; 10 hours 40 minutes
domain.com IN SOA ns01.domain.com. admin.domain.com. (
1801041130 ; Serial YY MM DD HH MM
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
; the following is within the domain.com zone.
$ORIGIN domain.com.
; name servers - NS records (the trailing dot keeps the name absolute; without it $ORIGIN is appended)
@ IN NS ns01.domain.com.
; the name server itself needs an address record, or the zone will not load
ns01 IN A 192.168.1.2
and then enter each host:
host1 IN A 192.168.1.50
host2 IN A 192.168.1.51
All entries are in the following format:
{hostname} IN A {IP} for A records
{alias} IN CNAME {hostname} for CNAME records
Reverse Zone Files
These files are separated by networks, not by domains. You will need to create one for each subnet.
vim /var/named/chroot/etc/named/zones/db.192.168.1
Enter the following for the header of the file. If the network is "192.168.1.0/24", then the "in-addr.arpa" section is "1.168.192" (you reverse the network octets).
$ORIGIN .
$TTL 86400 ; 1 day
1.168.192.in-addr.arpa IN SOA ns01.domain.com. admin.domain.com. (
1801041130 ; Serial YY MM DD HH MM
43200 ; Refresh (12 hours)
900 ; Retry (15 min)
1814400 ; Expire (3 weeks)
10800 ; Min (3 hours)
)
;
; name servers - NS records
IN NS ns01.domain.com.
;
; - Address point to canonical names
$ORIGIN 1.168.192.in-addr.arpa.
Where:
- "1.168.192" is the network.
- "ns01.domain.com" is the fqdn of the primary nameserver.
- "admin.domain.com" is the email address for the admin of this domain (techops@variantyx.com).
and then enter each entry (the trailing dot is required; without it the origin is appended to the name):
1 IN PTR gateway.domain.com.
50 IN PTR host1.domain.com.
51 IN PTR host2.domain.com.
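The forward and reverse files above describe the same hosts twice, which is where typos such as a PTR without a matching A record creep in. The following script is an added example, not part of the original page: it derives the reverse zone for one /24 from the forward zone's A records. It assumes the forward zone uses relative host names under a single $ORIGIN, as in this guide, and that the network is given as its first three octets (e.g. "192.168.1"); the forward zone it runs on is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original page: derive the PTR entries for one
# /24 reverse zone from the forward zone's A records, so the reverse file is
# generated from the forward file rather than typed twice. Assumes the forward
# zone uses relative host names under a single $ORIGIN, as in the guide, and
# that the network is given as its first three octets, e.g. "192.168.1".

# reverse_origin NET -> prints "1.168.192.in-addr.arpa." for NET="192.168.1"
reverse_origin() {
    echo "$1" | awk -F. '{ print $3 "." $2 "." $1 ".in-addr.arpa." }'
}

# ptr_records NET DOMAIN FORWARDFILE -> one "N IN PTR host.domain." line per
# A record inside NET/24, sorted by host number. A records outside NET are
# reported on stderr, so a typo such as 198.168.1.51 is noticed, not skipped.
ptr_records() {
    awk -v net="$1" -v domain="$2" '
        $2 == "IN" && $3 == "A" {
            n = split($4, o, ".")
            if (n != 4 || (o[1] "." o[2] "." o[3]) != net) {
                print ("skipping " $1 " " $4 ": not in " net ".0/24") > "/dev/stderr"
                next
            }
            printf "%s IN PTR %s.%s.\n", o[4], $1, domain
        }' "$3" | sort -n
}

# reverse_zone NET DOMAIN NS SERIAL FORWARDFILE -> prints a complete reverse
# zone file with the header layout used in the guide, followed by the PTRs.
reverse_zone() {
    origin=$(reverse_origin "$1")
    printf '$ORIGIN .\n$TTL 86400 ; 1 day\n'
    printf '%s IN SOA %s. admin.%s. (\n' "${origin%.}" "$3" "$2"
    printf '%s ; Serial YY MM DD HH MM\n43200 ; Refresh\n900 ; Retry\n' "$4"
    printf '1814400 ; Expire\n10800 ) ; Minimum\nIN NS %s.\n$ORIGIN %s\n' "$3" "$origin"
    ptr_records "$1" "$2" "$5"
}

# Demo on a constructed forward zone (it includes the 198.168.1.51 typo seen above).
fwd=$(mktemp)
printf '%s\n' '$ORIGIN domain.com.' '@ IN NS ns01.domain.com.' 'ns01 IN A 192.168.1.2' \
    'gateway IN A 192.168.1.1' 'host1 IN A 192.168.1.50' 'host2 IN A 198.168.1.51' > "$fwd"
reverse_zone 192.168.1 domain.com ns01.domain.com 1801041130 "$fwd"
rm -f "$fwd"
```

Redirect the output into etc/named/zones/db.192.168.1 inside the chroot and run named-checkzone on it as shown in the next section before reloading.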
Start/Restart Service
Check files
Start by changing into the chroot directory:
[root@ns01 ~]# cd /var/named/chroot
First confirm that all the named.conf* files are correct.
[root@ns01 chroot]# named-checkconf
[root@ns01 chroot]#
Then confirm that the forward zone file is correct, where "domain.com" is the domain and "etc/named/zones/db.domain.com" is the forward zone file (paths are relative to the chroot):
[root@ns01 chroot]# named-checkzone domain.com etc/named/zones/db.domain.com
/etc/named/zones/db.domain.com:13: record with inherited owner (domain.com) immediately after $ORIGIN (domain.com)
zone cmed.us/IN: loaded serial 2018010401
OK
[root@ns01 chroot]#
and confirm that the reverse zone file is correct, where "1.168.192.in-addr.arpa" is the reverse zone and "etc/named/zones/db.192.168.1" is the file to check:
[root@ns01 chroot]# named-checkzone 1.168.192.in-addr.arpa etc/named/zones/db.192.168.1
zone 1.168.192.in-addr.arpa/IN: loaded serial 2018010401
OK
[root@ns01 chroot]#
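The zone-file section above requires a new, larger serial on every edit, and this section validates the file before named picks it up. The following script is an added example, not part of the original page: it bumps the serial to the YYMMDDHHMM format used in this guide (falling back to old+1 when two edits land in the same minute), then runs named-checkzone from inside the chroot and reloads the zone only if the check passes. It assumes the serial line carries the "; Serial" comment exactly as the zone files above do; the zone file it bumps in the demo is constructed inline.

```shell
#!/bin/sh
# Added example, not from the original page: bump a zone file's SOA serial to
# the YYMMDDHHMM format the guide uses, then validate it with named-checkzone
# from inside the chroot. Assumes the serial line carries the "; Serial"
# comment exactly as the zone files above do, and that named-checkzone is run
# with the relative paths shown in the guide.

# next_serial OLD NOW -> NOW if it is larger than OLD, otherwise OLD+1, so two
# edits within the same minute still produce an increasing serial.
next_serial() {
    if [ "$2" -gt "$1" ]; then echo "$2"; else echo $(($1 + 1)); fi
}

# current_serial FILE -> the number on the first "; Serial" line
current_serial() {
    awk '/; Serial/ { print $1; exit }' "$1"
}

# bump_serial FILE [NOW] -> rewrites the serial in place and prints the new value
bump_serial() {
    file=$1
    now=${2:-$(date +%y%m%d%H%M)}
    old=$(current_serial "$file")
    [ -n "$old" ] || { echo "no '; Serial' line in $file" >&2; return 1; }
    new=$(next_serial "$old" "$now")
    awk -v n="$new" '/; Serial/ && !done { sub(/[0-9]+/, n); done = 1 } { print }' \
        "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    echo "$new"
}

# check_and_reload ZONE FILE -> run named-checkzone from inside the chroot with
# the relative path used in the guide, and reload the zone only if it passes.
check_and_reload() {
    ( cd /var/named/chroot && named-checkzone "$1" "$2" ) && rndc reload "$1"
}

# Demo on a constructed copy of the forward zone header from this guide.
zone=$(mktemp)
printf '%s\n' '$ORIGIN .' '$TTL 38400 ; 10 hours 40 minutes' \
    'domain.com IN SOA ns01.domain.com. admin.domain.com. (' \
    '    1801041130 ; Serial YY MM DD HH MM' '    10800 ; Refresh after 3 hours' > "$zone"
bump_serial "$zone" 1801041130   # same minute as the old serial -> 1801041131
bump_serial "$zone" 1801051200   # later timestamp -> 1801051200
rm -f "$zone"
```

On the real server the sequence is bump_serial on the zone file, then check_and_reload domain.com etc/named/zones/db.domain.com.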
Start Bind
[root@ns01 ~]# systemctl start named-chroot
[root@ns01 ~]# systemctl enable named-chroot
Created symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.
[root@ns01 ~]#
[root@ns01 ~]# systemctl status named-chroot
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: active (running) since Fri 2018-01-05 16:55:45 GMT; 26s ago
Main PID: 23453 (named)
CGroup: /system.slice/named.service
└─23453 /usr/sbin/named -u named -c /etc/named.conf
Jan 05 16:55:45 ns01 named[23453]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0
Jan 05 16:55:45 ns01 named[23453]: zone localhost/IN: loaded serial 0
Jan 05 16:55:45 ns01 named[23453]: zone 3.18.198.in-addr.arpa/IN: loaded serial 2018010401
Jan 05 16:55:45 ns01 named[23453]: zone 0.18.198.in-addr.arpa/IN: loaded serial 2018010401
Jan 05 16:55:45 ns01 named[23453]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.i...ial 0
Jan 05 16:55:45 ns01 named[23453]: zone localhost.localdomain/IN: loaded serial 0
Jan 05 16:55:45 ns01 named[23453]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2018010401
Jan 05 16:55:45 ns01 named[23453]: all zones loaded
Jan 05 16:55:45 ns01 named[23453]: running
Hint: Some lines were ellipsized, use -l to show in full.
[root@ns01 ~]#
Firewall Configurations
You need to allow queries into the server, so modify the local firewall rules by entering the following:
[root@ns01 ~]# firewall-cmd --add-service=dns --permanent
success
[root@ns01 ~]# firewall-cmd --reload
success
[root@ns01 ~]# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: eth0
sources:
services: ssh dhcpv6-client dns
ports:
protocols:
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
[root@ns01 ~]#
Change local resolv.conf
Review what your current resolver is set to. The following is not what we want: the host should point to itself.
[root@ns01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search domain.com
nameserver 8.8.8.8
nameserver 8.8.4.4
[root@ns01 ~]#
Then confirm what your connection name is and, for that connection, overwrite the DNS lookup setting
[root@ns01 ~]# nmcli dev status
DEVICE TYPE STATE CONNECTION
eth0 ethernet connected System eth0
lo loopback unmanaged --
[root@ns01 ~]# nmcli con mod System\ eth0 ipv4.dns 192.168.1.2
[root@ns01 ~]# nmcli con up System\ eth0
Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)
[root@ns01 ~]#
Then confirm that the changes were successful
[root@ns01 ~]# cat /etc/resolv.conf
# Generated by NetworkManager
search cmed.us
nameserver 192.168.1.2
[root@ns01 ~]#