CentOS 6.5 Bind with Chroot

This article describes my experience installing and configuring a BIND DNS server on CentOS 6.5 with bind-chroot as a proof of concept. I am not going to go into great detail (in this article) about first securing the underlying OS, but if this server is going to be Internet facing, please take the time to secure it. It is also HIGHLY recommended that you run multiple DNS servers for redundancy, with zone transfers restricted to those servers only (for example with allow-transfer and TSIG keys), if you plan to use this article as a starting point for a production environment. Here we are going to set up a single DNS server as a POC (Proof of Concept), so I am not going to detail these (or many other) configurations beyond the very basic installation.

-Enjoy.

DISCLAIMER:
I take no responsibility for any damage that may result from following this guide. Ensuring that you take the appropriate measures to secure your server/infrastructure is paramount. This is also a VERY basic guide. Bind is a complicated animal and explaining all of the configuration options is outside the scope of this document.

PREREQUISITES:
1. A basic (Preferably intermediate) understanding and ability to administer Linux.
2. A decent understanding of DNS and how it works.
3. A basic understanding of Networking.

UPDATE THE OPERATING SYSTEM:
One of the most important aspects of keeping any operating system secure is keeping the installed software, including the operating system itself, patched against known vulnerabilities. Since this is CentOS Minimal, there is not a lot of additional software installed out of the gate. Nonetheless, it is a good idea to run a complete update before we start.

#> yum update -y

The command above will check for and automatically install all available updates. If you do not want to install ALL updates and would rather be more granular, first run:

#> yum check-update

From the list produced, you can choose the individual updates to install.

SECURING THE SERVER:
As mentioned in the introduction, I am not going to go into great detail regarding this topic due to the complexity as well as varying security needs of the individual situation. For reference, there is a great article related to Securing CentOS here that I suggest reading.

INSTALLING BIND:
As the title of this article indicates, we are going to install bind as well as the chroot components. Bind (named) is the DNS server, while bind-chroot is the package that configures bind to operate in a chroot environment (on CentOS, /var/named/chroot). The chroot limits what the named process can see on the filesystem, so a bug in BIND that lets an attacker read or write files is confined to that directory tree; it is a containment measure, not a substitute for patching. For more information on chroot, see this article.

#> yum install bind-chroot

The command above will also pull in the bind package and the other dependencies needed to run named. Now that the base components of bind are installed, we are going to install Webmin to manage the name server from a web interface. This is optional and is for convenience, as managing bind can be quite a task without a graphical tool.

INSTALLING WEBMIN:
WebMin is a web based server configuration tool. It allows easy administration of the server, including directly editing (some) config files as well as the general operations of the server such as configuring the firewall or cron jobs. Another useful note about using webmin with bind is that it will automatically setup the base bind configuration in the chroot location. More on this later!

NOTE: The URL below will vary depending on the latest webmin version. Visit http://www.webmin.com/download.html for the current one. Because the RPM is fetched over plain HTTP, verify its signature (rpm --checksig webmin-*.rpm) against the Webmin developer's published GPG key before installing it.

#> yum install wget perl -y
#> wget http://prdownloads.sourceforge.net/webadmin/webmin-1.670-1.noarch.rpm
#> rpm -U webmin-1.670-1.noarch.rpm

CONFIGURE IPTABLES:
Once you have completed the above installations successfully, you will need to add some iptables firewall rules to your new server to allow DNS queries as well as access to Webmin. CentOS comes with iptables already installed and configured to allow ssh connections. You can view this configuration with iptables -L --line-numbers. You will notice while looking at the default rules that rule number 5 in the INPUT chain is the catch-all REJECT rule. Below, we are going to insert our rules above this one, ensuring that they are applied before the reject rule. Two caveats: DNS also uses TCP port 53 (for answers that do not fit in a 512-byte UDP packet and for zone transfers), so add a matching tcp rule if you need either; and port 10000 is the Webmin login page, so restrict that rule to your management addresses with -s <YOUR ADMIN NETWORK> rather than opening it to the whole Internet:

#> iptables -I INPUT 5 -p udp --dport 53 -j ACCEPT
#> iptables -I INPUT 5 -p tcp --dport 10000 -j ACCEPT
#> service iptables save

BASIC BIND CONFIGURATION:
Once all of the above tasks have been completed, you can log into Webmin by navigating to http://<IPADDRESS>:10000 with root and your password. Note that over plain http the root password crosses the network in the clear, so enable Webmin's SSL option (Webmin Configuration > SSL Encryption; it needs the perl-Net-SSLeay package) or at least keep port 10000 reachable only from trusted hosts. Once in Webmin, on the left navigation bar, under Servers, you will find BIND DNS Server. This is where we will configure bind.

For the initial configuration, click Module Config and change the value for ‘Chroot directory to run BIND under’ to /var/named/chroot and scroll down and click ‘Save’. On the resulting page, choose ‘Setup as an internet name server, and download root server information’ (or whatever configuration applies to your deployment). Click ‘Create Primary Configuration File and Start Nameserver’.

From this point forward, it is up to you to configure the DNS server as you see fit, adding the appropriate Zones and Records to resolve the various services that you need resolved. At a minimum, restrict recursion (allow-recursion) to your own client networks so the server cannot be used as an open resolver in DNS amplification attacks, and set allow-transfer so that only your secondary servers can pull zones.
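As an added example that is not part of the original article (and not the configuration Webmin generates), the script below writes a minimal hardened named.conf and a sample zone into the chroot tree and validates them with named-checkconf and named-checkzone. The trusted network (192.0.2.0/24), the zone (example.com) and the addresses in it are placeholder assumptions; the root hints file named.ca must already be present in the chroot's /var/named (the bind package installs it under /var/named), and the script is meant to be run as root on the server as sh harden-bind.sh /var/named/chroot, followed by a restart of named.

```shell
#!/bin/sh
# Added example, not part of the original article: write a minimal hardened
# named.conf and a sample zone into a BIND chroot tree, then validate them with
# named-checkconf / named-checkzone when those tools are installed.
# Assumed values (hypothetical; change them for your network):
#   TRUSTED_NET  clients allowed to use this server as a recursive resolver
#   ZONE         the zone this server is authoritative for
#   The chroot path is the first argument, e.g. /var/named/chroot from the article.
TRUSTED_NET="${TRUSTED_NET:-192.0.2.0/24}"   # RFC 5737 documentation range
ZONE="${ZONE:-example.com}"

# Emit a named.conf that answers for its own zones from anywhere, recurses only
# for TRUSTED_NET (an open recursive resolver is a DDoS amplifier), refuses
# zone transfers until secondaries are added, and hides the BIND version.
write_named_conf() {
    mkdir -p "$1/etc" "$1/var/named"
    cat > "$1/etc/named.conf" <<EOF
acl "trusted" { 127.0.0.1; ${TRUSTED_NET}; };

options {
    directory "/var/named";          // resolved inside the chroot when named runs with -t
    listen-on port 53 { any; };
    listen-on-v6 port 53 { none; };
    version "none";                  // do not advertise the BIND version over CHAOS
    allow-query { any; };            // authoritative answers for everyone
    allow-recursion { trusted; };    // ...but recursion only for our own clients
    allow-query-cache { trusted; };
    allow-transfer { none; };        // no AXFR until secondaries exist
    recursion yes;
};

// root hints; bind ships named.ca under /var/named, copy it into the chroot
zone "." IN {
    type hint;
    file "named.ca";
};

zone "${ZONE}" IN {
    type master;
    file "${ZONE}.zone";
};
EOF
    printf '%s\n' "$1/etc/named.conf"
}

# Emit a minimal zone file: SOA, one NS, and two A records. The serial uses the
# YYYYMMDDnn convention so secondaries notice every edit once they exist.
write_zone() {
    mkdir -p "$1/var/named"
    cat > "$1/var/named/${ZONE}.zone" <<EOF
\$TTL 3600
@    IN SOA ns1.${ZONE}. hostmaster.${ZONE}. (
             2014010101 ; serial
             3600       ; refresh
             900        ; retry
             1209600    ; expire
             300 )      ; negative-cache TTL
     IN NS  ns1.${ZONE}.
ns1  IN A   192.0.2.53
www  IN A   192.0.2.80
EOF
    printf '%s\n' "$1/var/named/${ZONE}.zone"
}

# Run BIND's own checkers when present. Returns non-zero on a real syntax or
# zone error; when the tools are missing (e.g. on a workstation) it only warns.
validate() {
    rc=0
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$1" /etc/named.conf || rc=1
    else
        echo "warning: named-checkconf not found, config not checked" >&2
    fi
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$ZONE" "$1/var/named/${ZONE}.zone" || rc=1
    else
        echo "warning: named-checkzone not found, zone not checked" >&2
    fi
    return $rc
}

# Usage: sh harden-bind.sh /var/named/chroot   (then restart named and re-test)
if [ "$#" -gt 0 ]; then
    write_named_conf "$1"
    write_zone "$1"
    validate "$1"
fi
```

The line that matters most for an Internet-facing server is allow-recursion: anyone may ask this server about example.com, but only the trusted ACL may use it to resolve arbitrary names. When you add a secondary later, list its address in allow-transfer (ideally paired with a TSIG key) instead of reopening transfers to everyone, and re-run named-checkconf -t /var/named/chroot /etc/named.conf before every restart.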

TEST NAME RESOLUTION:
To test your new DNS server, from a separate machine use nslookup or dig to run a few queries against the server.

Windows:

#> nslookup
#> server <IP OF YOUR DNS SERVER>
#> google.com

You should receive a non-authoritative answer with the IP addresses of the Google web servers.

Linux:

#> dig @<IP OF YOUR DNS SERVER> google.com

The ANSWER SECTION should list the IP addresses of the Google web servers, and the flags line should not contain aa (authoritative answer), since your server is only recursing for google.com, not serving it. If you have restricted allow-recursion, run this query from a client outside the trusted network as well: it should come back with status REFUSED.

CONCLUSION:
In this article, we have set up a simple BIND DNS server running in a chroot environment that answers queries for its own zones authoritatively and recurses for everything else. The next steps would be to further harden the server, add a second server for redundancy and point your domain at these servers as its authoritative name servers. I hope you found this brief article informative.
