In this post I will set up BIND to run chrooted in the directory /var/named/chroot/. To BIND, the contents of this directory will appear to be /, the root directory. A "jail" is a software mechanism for limiting a process's ability to access resources outside a very limited area; its purpose is to enhance security, because it limits what a compromised named process can reach. The bind-chroot package configures the jail at /var/named/chroot by default. Follow these steps to set up a chrooted BIND DNS server on CentOS 6.4.
1. Install the BIND and bind-chroot packages:
[root@centos64 ~]# yum install bind-chroot bind -y
2. Copy the sample BIND files into the chroot to prepare the jailed environment:
[root@centos64 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/
3. Create the files and the dynamic directory that BIND writes to inside the chroot:
[root@centos64 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@centos64 ~]# touch /var/named/chroot/var/named/data/named.run
[root@centos64 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@centos64 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
4. The BIND lock file must be writable, so set the permissions on the data and dynamic directories to make them writable as below:
[root@centos64 ~]# chmod -R 777 /var/named/chroot/var/named/data
[root@centos64 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic
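Steps 3 and 4 are easy to get subtly wrong on a rebuilt host: a missing file, or a directory mode that is either too tight for named or, with 777, open to every local account. The script below is an added example and not part of the original post. It recreates the step 3 skeleton in any directory and then checks it, using the post's paths. The comments refer to the named service account that the CentOS bind package creates (an assumption about your distribution), and the named:named ownership with mode 770 that they suggest is my tighter alternative to the chmod 777 in step 4, not the post's instruction.

```shell
#!/bin/sh
# Added example, not from the original post: build and verify the BIND chroot
# skeleton that steps 3 and 4 create by hand. Paths are the post's; "named"
# is the service account the CentOS bind package creates (assumption).

CHROOT_REQUIRED_FILES="
etc/named.conf
var/named/data/cache_dump.db
var/named/data/named_stats.txt
var/named/data/named_mem_stats.txt
var/named/data/named.run
var/named/dynamic/managed-keys.bind
"

# build_chroot_skeleton <chroot_root>: create the directories and empty files
# of step 3 (idempotent). On a real host etc/named.conf is copied from
# /etc/named.conf as in step 6; here an empty placeholder is created.
build_chroot_skeleton() {
    root=$1
    mkdir -p "$root/etc" "$root/var/named/data" "$root/var/named/dynamic"
    for f in $CHROOT_REQUIRED_FILES; do
        [ -e "$root/$f" ] || : > "$root/$f"
    done
}

# check_chroot_layout <chroot_root>: print one line per problem.
# Returns 0 when the tree is complete and the writable directories are not
# world-writable, 1 when something is missing or not writable by the caller,
# 2 when a directory is world-writable (mode 777, as in step 4).
check_chroot_layout() {
    root=$1
    rc=0
    for f in $CHROOT_REQUIRED_FILES; do
        if [ ! -e "$root/$f" ]; then
            echo "MISSING        $root/$f"
            rc=1
        fi
    done
    for d in var/named/data var/named/dynamic; do
        if [ ! -d "$root/$d" ]; then
            echo "MISSING        $root/$d"
            rc=1
        elif [ ! -w "$root/$d" ]; then
            # named writes its dump, statistics and managed-keys files here
            echo "NOT-WRITABLE   $root/$d"
            rc=1
        elif [ -n "$(find "$root/$d" -prune -perm -002 -print)" ]; then
            # any local account could drop files that named will read back;
            # "chown -R named:named" plus mode 770 gives named the same access
            echo "WORLD-WRITABLE $root/$d"
            if [ "$rc" -eq 0 ]; then rc=2; fi
        fi
    done
    return "$rc"
}

# demonstration on a throw-away tree (no root privileges needed)
demo=$(mktemp -d)
build_chroot_skeleton "$demo"
chmod 770 "$demo/var/named/data" "$demo/var/named/dynamic"
check_chroot_layout "$demo" && echo "OK   $demo (mode 770)"
chmod 777 "$demo/var/named/data"
check_chroot_layout "$demo" || echo "rc=$? after chmod 777"
rm -rf "$demo"
```

The writability test reflects the account running the script, so to see what named sees run it as that account, for example su -s /bin/sh named -c 'sh check.sh /var/named/chroot' (an assumed invocation; check.sh is whatever you saved the script as).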
5. If you do not use IPv6, make named listen on IPv4 only:
[root@centos64 ~]# echo 'OPTIONS="-4"' >> /etc/sysconfig/named
6. Copy /etc/named.conf into the chroot's configuration directory:
[root@centos64 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf
7. Configure the main BIND configuration file, named.conf (now under the chroot), and append the ehowstuff.local information to it:
[root@centos64 ~]# vi /var/named/chroot/etc/named.conf
a. Add the IP addresses BIND should listen on:
..
        listen-on port 53 { 127.0.0.1;192.168.2.62;192.168.2.63; };
..
b. Create the forward and reverse zones:
..
..
zone "ehowstuff.local" {
        type master;
        file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};
..
..
Full configuration for named.conf:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//

options {
        listen-on port 53 { 127.0.0.1;192.168.2.62;192.168.2.63; };
        listen-on-v6 port 53 { ::1; };
        directory       "/var/named";
        dump-file       "/var/named/data/cache_dump.db";
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-query     { localhost; };
        recursion yes;

        dnssec-enable yes;
        dnssec-validation yes;
        dnssec-lookaside auto;

        /* Path to ISC DLV key */
        bindkeys-file "/etc/named.iscdlv.key";

        managed-keys-directory "/var/named/dynamic";
};

logging {
        channel default_debug {
                file "data/named.run";
                severity dynamic;
        };
};

zone "." IN {
        type hint;
        file "named.ca";
};

zone "ehowstuff.local" {
        type master;
        file "ehowstuff.local.zone";
};

zone "2.168.192.in-addr.arpa" IN {
        type master;
        file "192.168.2.zone";
};

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
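The options block above listens on the two LAN addresses but keeps allow-query { localhost; }. BIND's built-in localhost ACL matches every address of the server itself, so the tests in step 11 work when run on the server, but a LAN client would be answered with REFUSED until allow-query is widened; widening it to any while recursion stays yes would instead create an open resolver. The script below is an added example, not the post's code: it reads those statements out of a named.conf and reports both conditions. The sample configurations it writes are constructed after the post's file, and the fallback chain it uses for allow-recursion is the one BIND 9.8's ARM documents.

```shell
#!/bin/sh
# Added example, not from the original post: a small lint for the options
# block of named.conf. It pulls out listen-on, allow-query, allow-recursion
# and recursion and reports two common mistakes:
#   1. listening on LAN addresses while allow-query admits only the local
#      host, so every other client is answered with REFUSED;
#   2. recursion open to everyone (an open resolver).
# The sample configurations are constructed after the post's named.conf.

# conf_block <file> <statement>: print the text between the braces of the
# first "<statement> ... { ... };". Line comments (// and #) are stripped and
# the file is collapsed to one line so multi-line blocks are handled; /* */
# comments are left in place (harmless for these statements).
conf_block() {
    sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n\t' '  ' |
    awk -v stmt="$2" '
        {
            s = index($0, " " stmt " ")
            if (s == 0) exit
            rest = substr($0, s)
            o = index(rest, "{"); c = index(rest, "}")
            if (o > 0 && c > o) print substr(rest, o + 1, c - o - 1)
        }'
}

# acl_is_local <list>: true when every element of "a; b; c;" names the
# local host or its directly attached networks
acl_is_local() {
    for e in $(printf '%s' "$1" | tr ';' ' '); do
        case $e in
            localhost|localnets|127.*|::1|none) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# recursion_enabled <file>: BIND defaults to "recursion yes" when unset
recursion_enabled() {
    ! sed -e 's://.*$::' "$1" | tr '\n' ' ' |
        grep -q '[[:space:]]recursion[[:space:]]*no[[:space:]]*;'
}

# lint_named_conf <file>: print findings, return their count
lint_named_conf() {
    listen=$(conf_block "$1" listen-on)
    [ -n "$listen" ] || listen=" any; "             # default: all IPv4 interfaces
    aq_raw=$(conf_block "$1" allow-query)
    aq=$aq_raw
    [ -n "$aq" ] || aq=" any; "                     # default: any host may query
    # BIND 9.8 fallback chain for allow-recursion (from the ARM):
    # allow-recursion -> allow-query-cache -> allow-query -> localnets;localhost
    ar=$(conf_block "$1" allow-recursion)
    [ -n "$ar" ] || ar=$(conf_block "$1" allow-query-cache)
    [ -n "$ar" ] || ar=$aq_raw
    [ -n "$ar" ] || ar=" localnets; localhost; "
    n=0
    if ! acl_is_local "$listen" && acl_is_local "$aq"; then
        echo "WARN listen-on {$listen} has non-loopback addresses but allow-query {$aq} admits only the local host: other clients get REFUSED"
        n=$((n + 1))
    fi
    if recursion_enabled "$1" && ! acl_is_local "$aq" && ! acl_is_local "$ar"; then
        echo "WARN recursion yes with allow-query {$aq} and allow-recursion {$ar}: open resolver"
        n=$((n + 1))
    fi
    return "$n"
}

# write_conf <file> <listen-on list> <allow-query list>: a constructed
# configuration modelled on the post's, with the two ACLs parameterised
write_conf() {
    cat > "$1" <<EOF
// constructed after the post's named.conf
options {
        listen-on port 53 { $2 };
        listen-on-v6 port 53 { ::1; };
        directory "/var/named";
        allow-query { $3 };
        recursion yes;
        dnssec-enable yes;
        dnssec-validation yes;
};
zone "ehowstuff.local" { type master; file "ehowstuff.local.zone"; };
EOF
}

tmp=$(mktemp -d)
write_conf "$tmp/post.conf"  "127.0.0.1; 192.168.2.62; 192.168.2.63;" "localhost;"
write_conf "$tmp/open.conf"  "any;" "any;"
write_conf "$tmp/local.conf" "127.0.0.1;" "localhost;"
for f in post open local; do
    echo "== $f.conf"
    lint_named_conf "$tmp/$f.conf" && echo "   no findings"
done
rm -rf "$tmp"
```

This only reasons about the ACLs; the syntax check for the chrooted file remains named-checkconf -t /var/named/chroot /etc/named.conf.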
8. Create Forward and Reverse zone files for domain ehowstuff.local.
a) Create the forward zone:
[root@centos64 ~]# vi /var/named/chroot/var/named/ehowstuff.local.zone
;
; Addresses and other host information.
;
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013042201      ; Serial
                43200           ; Refresh
                3600            ; Retry
                3600000         ; Expire
                2592000 )       ; Minimum
; Define the nameservers and the mail servers
        IN NS   ns1.ehowstuff.local.
        IN NS   ns2.ehowstuff.local.
        IN A    192.168.2.62
        IN MX   10 mail.ehowstuff.local.
centos64 IN A   192.168.2.62
mail    IN A    192.168.2.62
ns1     IN A    192.168.2.62
ns2     IN A    192.168.2.63
b) Create the reverse zone:
[root@centos64 ~]# vi /var/named/chroot/var/named/192.168.2.zone
;
; Addresses and other host information.
;
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013042201      ; Serial
                43200           ; Refresh
                3600            ; Retry
                3600000         ; Expire
                2592000 )       ; Minimum
2.168.192.in-addr.arpa.         IN NS   centos64.ehowstuff.local.
62.2.168.192.in-addr.arpa.      IN PTR  mail.ehowstuff.local.
62.2.168.192.in-addr.arpa.      IN PTR  ns1.ehowstuff.local.
63.2.168.192.in-addr.arpa.      IN PTR  ns2.ehowstuff.local.
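Zone files are where typos hurt: a PTR that points at a name with a different address, or a serial that is not bumped so secondaries never notice a change. named-checkzone ehowstuff.local /var/named/chroot/var/named/ehowstuff.local.zone checks syntax; the script below, an added example rather than part of the post, cross-checks the two zones against each other and computes the next YYYYMMDDnn serial in the form the post's zones use. Its zone data is constructed after the post's two files. On that data it reports two A records without a PTR (the apex and centos64 both resolve to 192.168.2.62, which has PTRs only for mail and ns1); that is informational, since BIND does not require a PTR for every address, whereas a PTR whose target resolves to a different address is a real inconsistency.

```shell
#!/bin/sh
# Added example, not from the original post: cross-check the forward and
# reverse zones against each other and compute the next SOA serial. The zone
# data below is constructed after the post's ehowstuff.local zones.

# zone_a_records <zonefile> <origin>: print "fqdn ip" for every A record.
# An owner name carries forward to following lines that start with
# whitespace, as BIND reads it; "@" and relative names get the origin.
zone_a_records() {
    awk -v origin="$2" '
        /^[ \t]*;/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { owner = $1 }
        {
            for (i = 2; i < NF; i++)
                if ($i == "A" && $(i - 1) == "IN") {
                    name = owner
                    if (name == "@") name = origin
                    else if (name !~ /\.$/) name = name "." origin
                    print name, $(i + 1)
                }
        }' "$1"
}

# zone_ptr_records <zonefile>: print "ip fqdn" for every PTR whose owner is
# a fully qualified in-addr.arpa name (the form the post's reverse zone uses)
zone_ptr_records() {
    awk '
        /^[ \t]*;/ || /^[ \t]*$/ { next }
        /^[^ \t]/ { owner = $1 }
        owner ~ /\.in-addr\.arpa\.$/ {
            for (i = 2; i < NF; i++)
                if ($i == "PTR" && $(i - 1) == "IN") {
                    split(owner, o, ".")      # o[1..4] are the reversed octets
                    print o[4] "." o[3] "." o[2] "." o[1], $(i + 1)
                }
        }' "$1"
}

# check_forward_reverse <fwd_zone> <origin> <rev_zone>: report PTRs whose
# target has no matching A record and A records without a PTR; the return
# value is the number of problems found
check_forward_reverse() {
    {
        zone_a_records "$1" "$2" | sed 's/^/A /'
        zone_ptr_records "$3"    | sed 's/^/PTR /'
    } | awk '
        $1 == "A"   { a[$2 " " $3] = 1 }
        $1 == "PTR" { p[$3 " " $2] = 1 }
        END {
            bad = 0
            for (k in p) if (!(k in a)) { print "PTR without matching A: " k; bad++ }
            for (k in a) if (!(k in p)) { print "A without PTR:          " k; bad++ }
            exit bad
        }'
}

# next_serial <current> <today_as_YYYYMMDD>: next YYYYMMDDnn serial; bump the
# counter on the same day, restart at 00 on a new day
next_serial() {
    if [ "${1%??}" -lt "$2" ]; then
        echo "${2}00"
    else
        echo $(($1 + 1))
    fi
}

# write_sample_zones <dir>: constructed copies of the post's two zone files
write_sample_zones() {
    cat > "$1/ehowstuff.local.zone" <<'EOF'
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013042201 43200 3600 3600000 2592000 )
        IN NS   ns1.ehowstuff.local.
        IN NS   ns2.ehowstuff.local.
        IN A    192.168.2.62
        IN MX   10 mail.ehowstuff.local.
centos64 IN A   192.168.2.62
mail    IN A    192.168.2.62
ns1     IN A    192.168.2.62
ns2     IN A    192.168.2.63
EOF
    cat > "$1/192.168.2.zone" <<'EOF'
$TTL 86400
@       IN SOA  ehowstuff.local. hostmaster.ehowstuff.local. (
                2013042201 43200 3600 3600000 2592000 )
2.168.192.in-addr.arpa.    IN NS  centos64.ehowstuff.local.
62.2.168.192.in-addr.arpa. IN PTR mail.ehowstuff.local.
62.2.168.192.in-addr.arpa. IN PTR ns1.ehowstuff.local.
63.2.168.192.in-addr.arpa. IN PTR ns2.ehowstuff.local.
EOF
}

zones=$(mktemp -d)
write_sample_zones "$zones"
check_forward_reverse "$zones/ehowstuff.local.zone" ehowstuff.local. "$zones/192.168.2.zone" ||
    echo "$? problem(s) found"
echo "next serial today: $(next_serial 2013042201 "$(date +%Y%m%d)")"
rm -rf "$zones"
```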
9. Start the BIND service:
[root@centos64 ~]# /etc/init.d/named start
Generating /etc/rndc.key:                                  [  OK  ]
Starting named:                                            [  OK  ]
10. Configure BIND to start automatically at boot:
[root@centos64 ~]# chkconfig --levels 235 named on
11. Test and verify the BIND DNS setup:
a. Test and verify using the host command:
[root@centos64 ~]# host -t ns ehowstuff.local
ehowstuff.local name server ns1.ehowstuff.local.
ehowstuff.local name server ns2.ehowstuff.local.
[root@centos64 ~]# host -t mx ehowstuff.local
ehowstuff.local mail is handled by 10 mail.ehowstuff.local.
b. Test and verify using the nslookup command:
[root@centos64 ~]# nslookup
> set type=any
> ehowstuff.local
Server:         192.168.2.62
Address:        192.168.2.62#53

ehowstuff.local
        origin = ehowstuff.local
        mail addr = hostmaster.ehowstuff.local
        serial = 2013042201
        refresh = 43200
        retry = 3600
        expire = 3600000
        minimum = 2592000
ehowstuff.local nameserver = ns1.ehowstuff.local.
ehowstuff.local nameserver = ns2.ehowstuff.local.
Name:   ehowstuff.local
Address: 192.168.2.62
ehowstuff.local mail exchanger = 10 mail.ehowstuff.local.
> exit
c. Test and verify using the dig command:
[root@centos64 ~]# dig ehowstuff.local

; <<>> DiG 9.8.2rc1-RedHat-9.8.2-0.17.rc1.el6_4.4 <<>> ehowstuff.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6958
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 2

;; QUESTION SECTION:
;ehowstuff.local.               IN      A

;; ANSWER SECTION:
ehowstuff.local.        2592000 IN      A       192.168.2.62

;; AUTHORITY SECTION:
ehowstuff.local.        2592000 IN      NS      ns1.ehowstuff.local.
ehowstuff.local.        2592000 IN      NS      ns2.ehowstuff.local.

;; ADDITIONAL SECTION:
ns1.ehowstuff.local.    2592000 IN      A       192.168.2.62
ns2.ehowstuff.local.    2592000 IN      A       192.168.2.63

;; Query time: 1 msec
;; SERVER: 192.168.2.62#53(192.168.2.62)
;; WHEN: Wed Apr  3 00:03:40 2013
;; MSG SIZE  rcvd: 117