CentOS 5 : chroot DNS with bind

Posted by Sébastien Wains on December 13th 2007 to BIND, CentOS, Howto, Linux

Howto for CentOS 4 here : http://www.wains.be/index.php/2007/02/04/centos-chroot-dns-with-bind/

1. Install packages :

yum install bind bind-chroot bind-libs bind-utils caching-nameserver

2. Configure RNDC :

cd /var/named/chroot/etc
rndc-confgen > rndc.key
chown root:named rndc.key

Edit rndc.key so it looks like this :

key "rndckey" {
    algorithm hmac-md5;
    secret "SGsvd1dF+mv+yU4ywCCkkg==";
};

Nothing else belongs in this file: remove the other lines rndc-confgen generated (the options block and the comments) so that only the key statement remains.

A symlink /etc/rndc.key already exists and points to the file we have just created; it must be there for rndc and named to authenticate each other.

3. Configure /var/named/chroot/etc/named.conf

// we include the rndckey (copy-paste from rndc.key created earlier)
key "rndckey" {
    algorithm hmac-md5;
    secret "SGsvd1dF+mv+yU4ywCCkkg==";
};

// we assume our server has the IP 192.168.254.207 serving the 192.168.254.0/24 subnet
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
    inet 192.168.254.207 allow { 192.168.254.0/24; } keys { "rndckey"; };
};

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";

    recursion yes;

    allow-recursion {
        127.0.0.1;
        192.168.254.0/24;
    };

    // these are the opendns servers (optional)
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };

    listen-on {
        127.0.0.1;
        192.168.254.207;
    };

    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default.
     */
    query-source address * port 53;

    // so people can't try to guess what version you're running
    version "REFUSED";

    allow-query {
        127.0.0.1;
        192.168.254.0/24;
    };
};

server 192.168.254.207 {
    keys { rndckey; };
};

zone "." IN {
    type hint;
    file "named.ca";
};

// we assume we have a slave dns server with the IP 192.168.254.101
zone "test.be" IN {
    type master;
    file "data/test.be.zone";
    allow-update { none; };
    allow-transfer { 192.168.254.101; };
};
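As an added example (not part of the original howto), a small Python checker for the two files built in steps 2 and 3: it confirms that the key in rndc.key is the same key statement named.conf carries (a mismatch is a classic reason for rndc being refused), that every keys { } reference names a defined key, and it flags the fixed query-source port (pinning port 53 disables source-port randomisation of outgoing queries, so only use it when a firewall really requires it), a missing version override, and master zones with no allow-transfer restriction. The embedded RNDC_KEY and NAMED_CONF strings are constructed, abbreviated copies of the page's files; on a real host, read them from /var/named/chroot/etc instead.

```python
import re

# Constructed, abbreviated copies of the step 2 rndc.key and step 3 named.conf.
RNDC_KEY = '''key "rndckey" {
algorithm hmac-md5;
secret "SGsvd1dF+mv+yU4ywCCkkg==";
};'''
NAMED_CONF = '''key "rndckey" {
algorithm hmac-md5;
secret "SGsvd1dF+mv+yU4ywCCkkg==";
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
};
options {
query-source address * port 53;
version "REFUSED";
};
zone "test.be" IN {
type master;
allow-transfer { 192.168.254.101; };
};'''

KEY_RE = re.compile(r'key\s+"([^"]+)"\s*\{(.*?)\};', re.S)

def parse_keys(text):
    """Map key name -> (algorithm, secret) for every key {} block in text."""
    return {name: (re.search(r'algorithm\s+([\w-]+)', body).group(1),
                   re.search(r'secret\s+"([^"]+)"', body).group(1))
            for name, body in KEY_RE.findall(text)}

def check_config(named_conf, rndc_key):
    """Return findings about rndc key consistency and risky options; [] means clean."""
    findings, conf_keys = [], parse_keys(named_conf)
    for name, pair in parse_keys(rndc_key).items():
        if conf_keys.get(name) != pair:           # rndc would be refused by named
            findings.append("key %s is missing from or differs in named.conf" % name)
    for ref in re.findall(r'keys\s*\{\s*"?([\w-]+)"?\s*;\s*\}', named_conf):
        if ref not in conf_keys:
            findings.append("keys { %s; } references an undefined key" % ref)
    if re.search(r'query-source\s+address\s+\S+\s+port\s+53\s*;', named_conf):
        findings.append("query-source pins port 53: outgoing queries lose source-port randomisation")
    if not re.search(r'version\s+"[^"]*"\s*;', named_conf):
        findings.append("options has no version override, the real BIND version is exposed")
    for zone, body in re.findall(r'zone\s+"([^"]+)"[^{]*\{(.*?)\n\};', named_conf, re.S):
        if "type master" in body and "allow-transfer" not in body:
            findings.append("master zone %s has no allow-transfer restriction" % zone)
    return findings
```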

4. First zone

Create your first zone under /var/named/chroot/var/named/data/test.be.zone

Here’s an example :

$ttl 38400
test.be. IN SOA ns.test.be. admin.test.be. (
        2007020400 ; Serial
        10800      ; Refresh after 3 hours
        3600       ; Retry after 1 hour
        604800     ; Expire after 1 week
        86400 )    ; Minimum TTL of 1 day
test.be. IN NS ns.test.be.

test.be. IN MX 1 mx.test.be.
test.be. IN MX 5 mx2.test.be.

ns.test.be. IN A 192.168.100.10
mx.test.be. IN A 192.168.100.20
mx2.test.be. IN A 192.168.100.21
mail.test.be. IN CNAME mx.test.be.
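As an added example (not from the original post), a Python zone-file sanity check in the spirit of named-checkzone: it parses the multi-line SOA above, verifies the serial is in YYYYMMDDnn form, that the apex has an NS record, that in-zone NS and MX targets have an A record and do not point at a CNAME, and that CNAME targets exist. The ZONE string is a constructed, trimmed copy of the step 4 zone; the parser assumes the "owner IN TYPE ..." layout used there (no $ORIGIN or relative names).

```python
import re

# Constructed, trimmed copy of the step 4 zone file (mx2 and comments dropped).
ZONE = """$ttl 38400
test.be. IN SOA ns.test.be. admin.test.be. (
2007020400 ; Serial
10800 3600 604800 ; Refresh Retry Expire
86400 ) ; Minimum TTL
test.be. IN NS ns.test.be.
test.be. IN MX 1 mx.test.be.
ns.test.be. IN A 192.168.100.10
mx.test.be. IN A 192.168.100.20
mail.test.be. IN CNAME mx.test.be.
"""

def parse_zone(text):
    """Return (owner, type, rdata) tuples; assumes the 'owner IN TYPE ...' layout used above."""
    records, buf, depth = [], [], 0
    for line in text.splitlines():
        line = line.split(";", 1)[0]            # drop the ; comment
        if not line.strip() or line.startswith("$"):
            continue
        for tok in line.split():                # ( and ) continue a record over several lines
            depth += {"(": 1, ")": -1}.get(tok, 0)
            if tok not in ("(", ")"):
                buf.append(tok)
        if depth == 0 and buf:
            records.append((buf[0], buf[2], buf[3:]))
            buf = []
    return records

def check_zone(text):
    """Consistency findings to fix before named loads the zone; [] means clean."""
    recs = parse_zone(text)
    types = {o: {t for o2, t, _ in recs if o2 == o} for o, _, _ in recs}
    soa = [r for r in recs if r[1] == "SOA"]
    if len(soa) != 1:
        return ["zone needs exactly one SOA record"]
    apex, serial, findings = soa[0][0], soa[0][2][2], []
    if not re.fullmatch(r"\d{10}", serial):
        findings.append("SOA serial %s is not in YYYYMMDDnn form" % serial)
    if "NS" not in types[apex]:
        findings.append("no NS record at apex %s" % apex)
    for owner, rtype, rdata in recs:
        target = rdata[-1]
        if rtype not in ("NS", "MX", "CNAME") or not (target == apex or target.endswith("." + apex)):
            continue                             # out-of-zone target: nothing to verify here
        if rtype != "CNAME" and "CNAME" in types.get(target, ()):
            findings.append("%s %s must not point at CNAME %s" % (owner, rtype, target))
        elif "A" not in types.get(target, ()):
            findings.append("%s %s target %s has no A record in this zone" % (owner, rtype, target))
    return findings
```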

5. Start the service and make sure it’ll start at boot

service named start
chkconfig named on

Make sure it’s running :
# rndc status
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
recursive clients: 0/1000
tcp clients: 0/100
server is up and running

6. Query

# nslookup mx.test.be. 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: mx.test.be
Address: 192.168.100.20

# nslookup www.google.com. 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
www.google.com canonical name = www.l.google.com.
Name: www.l.google.com
Address: 216.239.59.99
Name: www.l.google.com
Address: 216.239.59.103
Name: www.l.google.com
Address: 216.239.59.104
Name: www.l.google.com
Address: 216.239.59.147

15 Responses to “CentOS 5 : chroot DNS with bind”

  1. December 13th, 2007 | 14:13
  2. Jamal
    January 3rd, 2008 | 14:32

    Thanks for your Sebastien Declaration Bind chroot with CentOS 5

    I did ask a few questions. Can you please answer the questions.

    I need your help

    Jamal

  3. January 3rd, 2008 | 22:08

    Hi Jamal, I’m sorry I don’t understand. Which questions are you talking about ?

  4. amri
    January 15th, 2008 | 17:45

I need help.. named cannot be started.. I just followed the sample file and made a change to my environment.

updatedb didn’t show any error.. any workaround..

    regards

  5. amri
    January 15th, 2008 | 17:46

    just found this error ..

    rndc: connect failed: 127.0.0.1#953: connection refused

  6. January 15th, 2008 | 17:49

    Make sure the daemon is listening.
    Also make sure you don’t have your firewall blocking connections..
    Check the logs or start the daemon manually with verbose option set.

    I might have missed something in this article, but as far as I remember, I set it up on a fresh install..

    let me know so we can figure it out

  7. amri
    January 15th, 2008 | 18:20

    sorry if this was a spam post ..

but I’ve managed to start the named service after changing some lines..

    server 192.168.254.207 {
        keys { rndckey; };
    };

    to

    server 127.0.0.1 {
        keys { rndckey; };
    };

but currently it can’t nslookup other domains :( .. will try to find the solution .. great to achieve this far ..

    thank you so much for this great howto

    regards

  8. January 22nd, 2008 | 16:42

    Hello Sébastien,
I am just on placement in a company and I’ve been assigned a task of setting up a DNS server with bind on Centos5. Your article would have just been of paramount help to me if only, while installing with the string you provided: “yum install bind bind-chroot bind-libs bind-utils caching-nameserver”, I got this error message: yum install bind bind-chroot bind-libs bind-utils caching-nameserver
    ===
    It was therefore impossible for me to proceed with step 3.
    Could you pls help me?
    Many thanks
    Nathalie

  9. bstaggs
    February 14th, 2008 | 22:00

    Greetings,

I have a fresh install of CentOS 5.1 and I don’t believe that named.conf is generated by default as it was in version 4.x. I don’t want the GUI stuff so I can’t run system-config-bind. What gives? Did they change something or what am I missing?

    Thanks,

    bstaggs

  10. February 14th, 2008 | 22:49

    Hi bstaggs

    Under section “3. Configure /var/named/chroot/etc/named.conf” you get a working named.conf.

    A sample config file is provided by the package named (rpm -ql bind | grep named.conf)

  11. gaurav
    February 29th, 2008 | 13:03

Sir, I need a named.conf file; I always get a problem downloading it. Please provide me a named.conf file so that I can complete the DNS server.

  12. Alberto
    March 1st, 2008 | 21:46

Excuse me, where can I find this address on my web server?…. “we assume our server has the IP 192.168.254.207 serving the 192.168.254.0/24 subnet
    controls”.
    “we assume we have a slave dns server with the IP 192.168.254.101”
    thanks for the reply

  13. March 1st, 2008 | 22:20

    Hello Roberto,
    Don’t get me wrong but I’m not sure how you want to set up a chrooted dns server if you don’t know where to find the IP address of your machine.

    Here’s the command… ifconfig (there are others)

    You may not want to add the “allow transfer” line in the zone if you don’t have a slave server

  14. Alberto
    March 2nd, 2008 | 3:53

Thanks Sébastien for the reply.
    I know the ifconfig command;
    this is the result:

    inet addr:68.9.198.188 Bcast:68.9.198.255 Mask:255.255.255.0

I know 68.9.198.188 is the server IP, but the subnet
    controls IP?

  15. March 3rd, 2008 | 19:56