You can either run this in a Docker container or use the CentOS 7 named-chroot-setup.service unit, which populates the chroot environment on start and tears it down on stop.
Check your time setup (date +%s is used as the zone serial),

ntpdate ...
vi /etc/ntp.conf
systemctl status ntpd
ntpq -p
Slackware
slackpkg search libuv
slackpkg search lmdb
slackpkg search json-c
slackpkg install bind
ldd `which named`
CentOS/RHEL7
yum search bind | grep ^bind
yum install bind-chroot bind-utils
and make sure you have version 9,

named -v
named -V
Slackware
mv -i /etc/named.conf /etc/named.conf.dist
vi /etc/named.conf
cd /var/named/
vi DOMAIN.db
CentOS/RHEL7
cp -pi /usr/share/doc/bind-9.9.4/sample/etc/named.conf /etc/named.conf.sample

The files live outside the chroot,

/etc/named.* and rndc.key
/var/named/*
/var/named/data/
/var/named/dynamic/
/run/named/

and appear inside it (named-chroot-setup.service bind-mounts them into the chroot on start and unmounts them on stop, so edit the originals, not the copies),

/var/named/chroot/etc/named* and rndc.key
/var/named/chroot/var/named/*
/var/named/chroot/var/named/data/
/var/named/chroot/var/named/dynamic/
/var/named/chroot/run/named/
FreeBSD (chroot)
/etc/namedb --> /var/named/etc/namedb/
/etc/namedb/working/
/etc/namedb/master/localhost-forward.db
/etc/namedb/master/localhost-reverse.db
Now the main configuration: authoritative only (no recursion) and restricted to the local network,

options {
	directory "/var/named";
	dump-file "data/cache_dump.db";
	statistics-file "data/named_stats.txt";
	memstatistics-file "data/named_mem_stats.txt";
	listen-on port 53 { any; };
	listen-on-v6 port 53 { any; };
	allow-query { localhost; 192.168.2.0/28; };
	allow-query-cache { localhost; 192.168.2.0/28; };
	recursion no;
	//obsolete dnssec-enable no;
	dnssec-validation no;
	pid-file "/run/named/named.pid";
	//session-keyfile "/run/named/session.key";
	//managed-keys-directory "/var/named/dynamic";
};
logging {
	channel default_debug {
		file "data/named.run";
		severity dynamic;
	};
};
include "/etc/named.rfc1912.zones";
zone "example.local" {
	type master;
	file "example.local.db";
	allow-update { none; };
};
zone "2.168.192.in-addr.arpa" {
	file "192.168.2.db";
	type master;
	allow-update { none; };
};

Note that nothing here restricts zone transfers: on BIND 9.9 allow-transfer defaults to any, so every host that may query may also pull the whole zone with AXFR. Add allow-transfer { none; }; (or the addresses of your secondaries) to each zone stanza.
write your authoritative zone files (the last SOA field is the negative-caching TTL of RFC 2308, not the minimum TTL as older documentation calls it),

cd /var/named/chroot/var/named/
date +%s # for serial
vi example.local.db

$TTL 86400
@	IN	SOA	ns.example.local. abuse.example.local. (
		1496230362	; serial
		21600		; refresh after 6 hours
		3600		; retry after 1 hour
		604800		; expire after 1 week
		86400 )		; negative-caching TTL of 1 day
;
	IN	NS	ns.example.local.
host1	IN	A	192.168.2.1
host2	IN	A	192.168.2.2
ns	IN	A	192.168.2.253
alias1	IN	CNAME	host1

vi 192.168.2.db

$TTL 86400
@	IN	SOA	ns.example.local. abuse.example.local. (
		1496230362	; serial
		21600		; refresh after 6 hours
		3600		; retry after 1 hour
		604800		; expire after 1 week
		86400 )		; negative-caching TTL of 1 day
;
@	IN	NS	ns.example.local.
1	IN	PTR	host1.example.local.
2	IN	PTR	host2.example.local.
253	IN	PTR	ns.example.local.
Note: replace both serial numbers accordingly, and bump them every time a zone changes; secondaries only transfer a zone whose serial has increased.
And here's a fun script to convert static name resolution (an /etc/hosts-style list) into zone files: https://pub.nethence.com/bin/daemons/named.ksh.txt
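The same idea as an added example, not the page's named.ksh: a POSIX shell script that generates the forward and reverse zone files shown above from a hosts-style list, with the serial taken from `date +%s` as recommended. It assumes a /24 reverse zone, and the sample host list, names and output directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the page's named.ksh): generate the forward and reverse
# zone files shown above from a hosts-style list, taking the serial from
# `date +%s` as the page recommends. Assumes a /24 reverse zone; the sample
# host list, names and output directory are constructed for the demonstration.
set -eu

# SOA timers copied from the zone files above, in seconds.
REFRESH=21600; RETRY=3600; EXPIRE=604800; NEGTTL=86400

serial() { date +%s; }

# soa_header NS CONTACT SERIAL -> $TTL, SOA and apex NS records
soa_header() {
    printf '$TTL 86400\n'
    printf '@ IN SOA %s. %s. (\n' "$1" "$2"
    printf '\t%s ; serial\n\t%s ; refresh\n\t%s ; retry\n\t%s ; expire\n' "$3" "$REFRESH" "$RETRY" "$EXPIRE"
    printf '\t%s ) ; negative-caching TTL (RFC 2308)\n' "$NEGTTL"
    printf '\tIN NS %s.\n' "$1"
}

# forward_zone NS CONTACT SERIAL HOSTSFILE
# HOSTSFILE lines: "<ip> <name> [alias ...]"; blank lines and # comments are ignored.
# Extra names become CNAMEs to the first name.
forward_zone() {
    soa_header "$1" "$2" "$3"
    awk '/^[[:space:]]*(#|$)/ { next }
         { printf "%s IN A %s\n", $2, $1
           for (i = 3; i <= NF; i++) printf "%s IN CNAME %s\n", $i, $2 }' "$4"
}

# reverse_zone NS CONTACT SERIAL HOSTSFILE DOMAIN NET   (NET like 192.168.2)
# Only hosts inside NET get a PTR; the owner is the last octet.
reverse_zone() {
    soa_header "$1" "$2" "$3"
    awk -v net="$6" -v domain="$5" '/^[[:space:]]*(#|$)/ { next }
         index($1, net ".") == 1 { split($1, o, ".")
                                   printf "%s IN PTR %s.%s.\n", o[4], $2, domain }' "$4"
}

# build_zones OUTDIR: write both zones for the page's example network and
# validate them with named-checkzone when BIND is installed (skipped otherwise).
build_zones() {
    hosts="$1/hosts.sample"                      # constructed sample input
    printf '%s\n' '# ip name aliases' \
        '192.168.2.1 host1 alias1' \
        '192.168.2.2 host2' \
        '192.168.2.253 ns' > "$hosts"
    s=$(serial)
    forward_zone ns.example.local abuse.example.local "$s" "$hosts" > "$1/example.local.db"
    reverse_zone ns.example.local abuse.example.local "$s" "$hosts" example.local 192.168.2 \
        > "$1/192.168.2.db"
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone example.local "$1/example.local.db"
        named-checkzone 2.168.192.in-addr.arpa "$1/192.168.2.db"
    fi
}

# usage: build_zones /var/named/chroot/var/named   (then reload named)
if [ -n "${1:-}" ]; then build_zones "$1"; fi
```

Because the serial is wall-clock seconds it always increases between runs, so a regenerated zone is picked up by secondaries without anyone remembering to bump a number by hand.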
To hand off names you are not authoritative for, add this to the main options stanza,

forwarders { <nameserver1>; <nameserver2>; };

Forwarding is a form of recursion, so with recursion no (as in the options above) the forwarders are never consulted and off-zone queries are answered REFUSED. To resolve and cache for your clients, set recursion yes and limit it with allow-recursion { localhost; 192.168.2.0/28; }; answers obtained through the forwarders are then cached, and allow-query-cache above controls who may read that cache.
Check the logs while starting the non-chrooted daemon first,

tail -F /var/log/messages /var/named/data/* /var/named/chroot/var/named/data/*
systemctl start named
systemctl status named
Is everything fine? Then switch to named-chroot-setup,

systemctl stop named
systemctl list-unit-files | grep named
less /usr/lib/systemd/system/named-chroot-setup.service
less /usr/libexec/setup-named-chroot.sh
systemctl start named-chroot-setup.service
systemctl status named-chroot-setup.service
systemctl status named-chroot.service
ls -lhF /etc/rndc.key
ls -lhF /var/named/chroot/etc/rndc.key
ls -lhF /etc/named.*
ls -lhF /var/named/chroot/etc/named.*
ls -lhF /var/named/chroot/var/named/data/
ls -lhF /var/named/chroot/var/named/dynamic/
ls -lhF /var/named/chroot/run/named/
Otherwise, drive the daemon by hand: start,

named

status,

pgrep -a named

check the configuration and zones, then reload,

named-checkconf /etc/named.conf && echo OK
named-checkzone DOMAIN.TLD /var/named/DOMAIN.db
pkill -HUP named

stop,

pkill named
Other files and directories worth a look, depending on the system,

ls -lhF /etc/bind.keys
ls -lhF /var/run/named/
ls -lhF /usr/local/share/GeoIP/
Check that the name daemon is listening on both udp/53 and tcp/53,

netstat -lntup --inet --inet6
Check that the service (name resolution) works, forward and reverse,

host host1.example.local localhost
host host2.example.local localhost
host alias1.example.local localhost
host ns.example.local localhost
host 192.168.2.1 localhost
host 192.168.2.2 localhost
host 192.168.2.253 localhost
Run the conversion script, apply (reload named-chroot, not named-chroot-setup) and check,

named.ksh
service named-chroot reload
service named-chroot-setup status
service named-chroot status
host somethingreal.example.local localhost
host somerealip localhost
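The checks above, gathered into one added script (not from the page or from the named.ksh script): it verifies both transports are open, that every host in a hosts-style list resolves forward and back to itself, that the server does not offer recursion (no ra flag, off-zone names refused), that AXFR is refused, and that the CentOS 7 chroot bind mounts match the real files. It assumes dig (bind-utils) and ss or netstat are installed; the host list format ("<ip> <name> [alias ...]") and the probe name www.example.com are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not the page's named.ksh: post-deployment checks for the
# authoritative-only setup above. Assumes dig (bind-utils) and ss or netstat;
# the host list format ("<ip> <name> [alias ...]") and the probe name
# www.example.com are constructed for the demonstration.
set -u

# dig_status OUTPUT -> RCODE from the ";; ->>HEADER<<-" line (NOERROR, REFUSED, ...)
dig_status() { printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p'; }

# dig_has_ra OUTPUT -> true when the server advertised recursion (ra flag set)
dig_has_ra() { printf '%s\n' "$1" | grep -q '^;; flags:.* ra[ ;]'; }

# ptr_owner IPV4 -> owner name of the PTR record, e.g. 1.2.168.192.in-addr.arpa
ptr_owner() { printf '%s\n' "$1" | awk -F. '{ print $4"."$3"."$2"."$1".in-addr.arpa" }'; }

# Both transports must be open: TCP carries AXFR and answers that do not fit in UDP.
check_listening() {
    if command -v ss >/dev/null 2>&1; then l=$(ss -lntu); else l=$(netstat -lntu); fi
    printf '%s\n' "$l" | grep -q 'tcp.*:53 ' && printf '%s\n' "$l" | grep -q 'udp.*:53 '
}

# Every host must resolve forward and back to itself (catches typos in the PTR zone).
check_records() {   # check_records SERVER DOMAIN HOSTSFILE
    fails=0
    while read -r ip name rest; do
        case $ip in ''|\#*) continue ;; esac
        got=$(dig @"$1" +short "$name.$2" A 2>/dev/null | tail -n 1)
        [ "$got" = "$ip" ] || { echo "FAIL A   $name.$2 -> '$got' (want $ip)"; fails=1; }
        got=$(dig @"$1" +short "$(ptr_owner "$ip")" PTR 2>/dev/null)
        [ "$got" = "$name.$2." ] || { echo "FAIL PTR $ip -> '$got' (want $name.$2.)"; fails=1; }
    done < "$3"
    return $fails
}

# With recursion no the server must not offer recursion to this client:
# the ra flag stays clear and off-zone names come back REFUSED.
check_no_recursion() {   # check_no_recursion SERVER
    out=$(dig @"$1" www.example.com A 2>/dev/null)
    if dig_has_ra "$out"; then
        echo "FAIL recursion offered to this client (status $(dig_status "$out"))"; return 1
    fi
    echo "OK   recursion not offered (status $(dig_status "$out"))"
}

# The named.conf above sets no allow-transfer, and BIND 9.9 defaults to allowing
# AXFR from anyone; dig prints "Transfer failed." only once transfers are restricted.
check_no_axfr() {   # check_no_axfr SERVER ZONE
    if dig @"$1" "$2" AXFR 2>/dev/null | grep -q 'Transfer failed'; then
        echo "OK   AXFR refused for $2"
    else
        echo "FAIL AXFR of $2 allowed: set allow-transfer { none; } or your secondaries"; return 1
    fi
}

# On CentOS 7 the chroot holds bind mounts of the real files; they must match.
check_chroot() {   # check_chroot [CHROOT]
    root=${1:-/var/named/chroot}
    for f in /etc/named.conf /etc/rndc.key; do
        cmp -s "$f" "$root$f" || { echo "FAIL $root$f differs from $f or is missing"; return 1; }
    done
    echo "OK   chroot copies of named.conf and rndc.key match"
}

# usage: run_checks 127.0.0.1 example.local hosts.sample
run_checks() {   # run_checks SERVER DOMAIN HOSTSFILE
    rc=0
    if check_listening; then echo "OK   listening on tcp/53 and udp/53"
    else echo "FAIL not listening on both tcp/53 and udp/53"; rc=1; fi
    check_records "$1" "$2" "$3" || rc=1
    check_no_recursion "$1" || rc=1
    check_no_axfr "$1" "$2" || rc=1
    check_chroot || rc=1
    return $rc
}
```

Run it from the server itself first (localhost is inside allow-query), then from a client in 192.168.2.0/28 and from a host outside it: the outside run should fail every query with REFUSED, which is the intended outcome of the allow-query list.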
http://www.ehowstuff.com/bind-dns-server-in-chroot-jail-on-centos-7/
https://www.server-world.info/en/note?os=CentOS_7&p=dns&f=4
http://www.basicconfig.com/slackware_linux_dns_server_setup