Building BIND Box
Install the binaries
Install the chrooted version of bind
yum -y install bind-chrootinitialize the chrooted version of named, and make sure that the non-chrooted versions are not active.
/usr/libexec/setup-named-chroot.sh /var/named/chroot onsystemctl stop namedsystemctl disable namedsystemctl start named-chrootsystemctl enable named-chrootln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'once you make the above changes, the bind directories should all be setup properly. Confirm and make sure they all have the following files/directories:
[root@ns02 ~]# ll /var/named/chroot/etctotal 688-rw-r--r--. 10 root root 118 Jan 30 08:49 localtimedrwxr-x---. 2 root named 6 Jan 22 13:30 named-rw-r-----. 1 root named 1705 Mar 22 2016 named.conf-rw-r--r--. 1 root named 3923 Jan 22 13:30 named.iscdlv.key-rw-r-----. 1 root named 931 Jun 21 2007 named.rfc1912.zones-rw-r--r--. 1 root named 1587 May 22 2017 named.root.keydrwxr-x---. 3 root named 25 Feb 25 01:50 pki-rw-r--r--. 1 root root 6545 Jun 7 2013 protocols-rw-r-----. 1 root named 77 Feb 25 01:56 rndc.key-rw-r--r--. 1 root root 670293 Jun 7 2013 services[root@ns02 ~]#[root@ns02 ~]# ll /var/named/chroot/var/namedtotal 16drwxr-x---. 7 root named 61 Feb 25 01:50 chrootdrwxrwx---. 2 named named 23 Feb 25 01:56 datadrwxrwx---. 2 named named 60 Feb 25 01:56 dynamic-rw-r-----. 1 root named 2281 May 22 2017 named.ca-rw-r-----. 1 root named 152 Dec 15 2009 named.empty-rw-r-----. 1 root named 152 Jun 21 2007 named.localhost-rw-r-----. 1 root named 168 Dec 15 2009 named.loopbackdrwxrwx---. 2 named named 6 Jan 22 13:30 slaves[root@ns02 ~]#NOTE: If the files and directories are missing, that means that bind did not start up properly. Go back and debug bind, and figure out what is making it not work. (all the files "magically" appear once bind-chroot loads
Create the directories for the zone files which will be created later
touch /var/named/chroot/var/named/data/cache_dump.dbtouch /var/named/chroot/var/named/data/named_stats.txttouch /var/named/chroot/var/named/data/named_mem_stats.txttouch /var/named/chroot/var/named/data/named.runmkdir /var/named/chroot/var/named/dynamicmkdir /var/named/chroot/etc/named/zonestouch /var/named/chroot/var/named/dynamic/managed-keys.bindchmod -R 777 /var/named/chroot/var/named/datachmod -R 777 /var/named/chroot/var/named/dynamicConfig and Zone Files
The overall file topology within the chroot environment (/var/named/chroot/) is the following. The "named.conf" file is the primary configuration file that controls are the major variables for running bind. It points to the "named.conf.local" file which is responsible for pointing to all of the forward and reverse zone files. The two control files are kept within the etc/ directory in the chrooted environment. The zone files are kept within the var/named/ directory, and then within their datacenter LOC codes.
named.conf
The file /var/named/chroot/etc/named.conf file is where you store the configs for who can do zone transfers, and where the zone files are stored.
copy the original file to the chrooted location
cp -p /etc/named.conf /var/named/chroot/etc/named.confEdit the named.conf file
vim /var/named/chroot/etc/named.confMake sure you enter in the IP addresses that bind will listen on. (just add the servers IP)
listen-on port 53 { 127.0.0.1; 192.168.1.2; };Define what networks can talk to the server
allow-query { localhost; 192.168.1.0/24; }; allow-query-cache { localhost; 192.168.1.0/15; }; forwarders { 8.8.8.8; 8.8.4.4; };Add the following includes (at the bottom of the config file) to tell the bind server where to look for resolving names:
include "/etc/named/named.conf.local";named.conf.local
This used to be just a part of the named.conf file, but we're breaking it out to a separate file to help keep everything cleaner. Create the new file
vim /var/named/chroot/etc/named/named.conf.localand add the following
# Forward Zone Files:zone "cmed.us" { type master; file "/var/named/zones/domain.com"; };# Reverse Zone Files:zone "1.168.192.in-addr.arpa" { type master; file "/var/named/zones/db.192.168.0"; };Forward Zone File
You can have a single zone file for all of your hosts that are in the same namespace.
Create the file noted above in the .local file:
vim /var/named/chroot/var/named/zone/domain.comand add the following header to the file. Note that "ns1.domain.com." is the fqdn of this server, and "admin.domain.com" is the email admin email address associated to the domain. Note that a semi-colon ";" is the beginning of a comment. Every time you modify this file, you will need to update the "Serial" number. To keep track of this, we use the date format for the serial number of the change.
$ORIGIN .$TTL 38400 ; 10 hours 40 minutesdomain.com IN SOA ns01.domain.com. admin.domain.com. ( 1801041130 ; Serial YY MM DD HH MM 10800 ; Refresh after 3 hours 3600 ; Retry after 1 hour 604800 ; Expire after 1 week 86400 ) ; Minimum TTL of 1 day; the following is within the X.domain.com zone.$ORIGIN domain.com; name servers - NS records IN NS ns01.domain.comand then enter in each entry
host1 IN A 192.168.1.50host2 IN A 198.168.1.51all entries are in the following format:
{hostname} IN A {IP}for A Records{alias} IN CNAME {hostname}for CNAME Records
Reverse Zone Files
These files are separated by networks, not by domains. You will need to create one for each subnet.
vim /var/named/chroot/var/named/zone/db.168.192.1.zone
Enter in the following for the header of the file. If the network is "192.168.1.0/24", then the "in-addr.arpa" section is "1.168.192" (you reverse the network).
$ORIGIN .$TTL 86400 ; 1 day1.168.192.in-addr.arpa IN SOA ns01.domanin. admin.domain.com. ( 1801041130 ; Serial YY MM DD HH MM 43200 ; Refresh (12 hours) 900 ; Retry (15 min) 1814400 ; Expire (3 weeks) 10800 ; Min (3 hours));; name servers - NS records NS ns01.domain.com;; - Address point to canonical names$ORIGIN 1.168.192.in-addr.arpa.Where:
- "
1.168.192" is the network. - "
ns01.domain.com" is the fwdn of the primary nameserver - "
admin.domain.com" is the email address for the admin of this domain (techops@variantyx.com)
and then enter in each entry
1 IN PTR gateway.domain.com50 IN PTR host1.domain.com51 IN PTR host2.domain.comStart/Restart Service
Check files
Start by getting within the chroot directory:
[root@ns01 ~]# cd /var/named/chrootFirst confirm that all the named.conf* files are correct.
[root@ns01 chroot]# named-checkconf [root@ns01 chroot]#Then confirm that the forward zone files are correct, where "cmed.us" is the domain, and "/etc/named/zones/db.domain.com" is the forward zone file.
[root@ns01 chroot]# named-checkzone domain.com etc/named/zones/db.domain.com/etc/named/zones/db.domain.com:13: record with inherited owner (domain.com) immediately after $ORIGIN (domain.com)zone cmed.us/IN: loaded serial 2018010401OK[root@ns01 chroot]#and confirm that the reverse zone files are correct. where "1.168.192in-addr.arpa" is the reverse for the zone, and "/etc/named/zones/db.192.168.1" is the file to check
[root@ns01 chroot]# named-checkzone 1.168.192.in-addr.arpa etc/named/zones/db.192.168.1zone 1.168.192.in-addr.arpa/IN: loaded serial 2018010401OK[root@ns01 chroot]#Start Bind
[root@ns01 ~]# systemctl start named-chroot[root@ns01 ~]# systemctl enable named-chrootCreated symlink from /etc/systemd/system/multi-user.target.wants/named.service to /usr/lib/systemd/system/named.service.[root@ns01 ~]#[root@ns01 ~]# systemctl status named-chroot
● named.service - Berkeley Internet Name Domain (DNS) Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled) Active: active (running) since Fri 2018-01-05 16:55:45 GMT; 26s ago Main PID: 23453 (named) CGroup: /system.slice/named.service └─23453 /usr/sbin/named -u named -c /etc/named.confJan 05 16:55:45 ns01 named[23453]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial 0Jan 05 16:55:45 ns01 named[23453]: zone localhost/IN: loaded serial 0Jan 05 16:55:45 ns01 named[23453]: zone 3.18.198.in-addr.arpa/IN: loaded serial 2018010401Jan 05 16:55:45 ns01 named[23453]: zone 0.18.198.in-addr.arpa/IN: loaded serial 2018010401Jan 05 16:55:45 ns01 named[23453]: zone 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.i...ial 0Jan 05 16:55:45 ns01 named[23453]: zone localhost.localdomain/IN: loaded serial 0Jan 05 16:55:45 ns01 named[23453]: zone 1.168.192.in-addr.arpa/IN: loaded serial 2018010401Jan 05 16:55:45 ns01 named[23453]: all zones loadedJan 05 16:55:45 ns01 named[23453]: runningHint: Some lines were ellipsized, use -l to show in full.[root@ns01 ~]#Firewall Configurations
You need to enable queries into the server, so you will need to modify the local firewall rules by entering the following
[root@ns01 ~]# firewall-cmd --add-service=dns --permanentsuccess[root@ns01 ~]# firewall-cmd --reloadsuccess[root@ns01 ~]# firewall-cmd --list-allpublic (active) target: default icmp-block-inversion: no interfaces: eth0 sources: services: ssh dhcpv6-client dns ports: protocols: masquerade: no forward-ports: source-ports: icmp-blocks: rich rules:[root@ns01 ~]#Change local resolve.conf
Review what your current lookup is set to. Note that the following is no good. You want the host to point to itself.
[root@ns01 ~]# cat /etc/resolv.conf# Generated by NetworkManagersearch domain.comnameserver 8.8.8.8nameserver 8.8.4.4[root@ns01 ~]# Then confim what your connection name is, and for that connection, overwrite the dns lookup setting
[root@ns01 ~]# nmcli dev statusDEVICE TYPE STATE CONNECTIONeth0 ethernet connected System eth0lo loopback unmanaged --[root@ns01 ~]# nmcli con mod System\ eth0 ipv4.dns 192.168.1.2[root@ns01 ~]# nmcli con up System\ eth0Connection successfully activated (D-Bus active path: /org/freedesktop/NetworkManager/ActiveConnection/6)[root@ns01 ~]#Then confirm that the changes were successful
[root@ns01 ~]# cat /etc/resolv.conf# Generated by NetworkManagersearch cmed.usnameserver 192.168.1.2[root@ns01 ~]#References
- Bind9 on Centos 7:
- How to Setup Bind DNS Server in Chroot Jail on CentOS 7: eHowstuff, Skytech, Oct 2014
- BIND Manual Pages, BIND 9 User Guide: