Setting up BIND v9

Introduction

You can either run this in a Docker container or use the CentOS 7 named-chroot-setup.service unit, which takes care of populating and destroying the chrooted environment.

Requirements

Check your time setup (we use date +%s as the zone serial),

ntpdate ...
vi /etc/ntp.conf
systemctl status ntpd
ntpq -p

Install

Slackware

slackpkg search libuv
slackpkg search lmdb
slackpkg search json-c
slackpkg install bind
ldd `which named`

CentOS/RHEL7

yum search bind|grep ^bind
yum install bind-chroot bind-utils

and make sure you have v9,

named -v
named -V

Identify conf file and zone folder location

Slackware

mv -i /etc/named.conf /etc/named.conf.dist
vi /etc/named.conf

cd /var/named/
vi DOMAIN.db

CentOS/RHEL7

cp -pi /usr/share/doc/bind-9.9.4/sample/etc/named.conf /etc/named.conf.sample

/etc/named.* and rndc.key
/var/named/*
/var/named/data/
/var/named/dynamic/
/run/named/

(named-chroot-setup.service does the job of copying/destroying files)

/var/named/chroot/etc/named* and rndc.key
/var/named/chroot/var/named/*
/var/named/chroot/var/named/data/
/var/named/chroot/var/named/dynamic/
/var/named/chroot/run/named/

FreeBSD (chroot)

/etc/namedb --> /var/named/etc/namedb/
/etc/namedb/working/
/etc/namedb/master/localhost-forward.db
/etc/namedb/master/localhost-reverse.db

Authoritative on local network

options {
    directory           "/var/named";
    dump-file           "data/cache_dump.db";
    statistics-file     "data/named_stats.txt";
    memstatistics-file  "data/named_mem_stats.txt";

    listen-on port 53       { any; };
    listen-on-v6 port 53    { any; };

    allow-query             { localhost; 192.168.2.0/28; };
    allow-query-cache       { localhost; 192.168.2.0/28; };

    recursion no;
    //obsolete dnssec-enable no;
    dnssec-validation no;

    pid-file "/run/named/named.pid";
    //session-keyfile "/run/named/session.key";
    //managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};

include "/etc/named.rfc1912.zones";

zone "example.local" {
    type master;
    file "example.local.db";
    allow-update { none; };
};

zone "2.168.192.in-addr.arpa" {
    file "192.168.2.db";
    type master;
    allow-update { none; };
};

write your authoritative zone files,

cd /var/named/chroot/var/named/
date +%s # for serial

vi example.local.db

$TTL 86400
@       IN      SOA     ns.example.local. abuse.example.local. (
            1496230362 ; serial
            21600      ; refresh after 6 hours
            3600       ; retry after 1 hour
            604800     ; expire after 1 week
            86400 )    ; minimum TTL of 1 day
;
@       IN NS      ns.example.local.
host1   IN A       192.168.2.1
host2   IN A       192.168.2.2
ns      IN A       192.168.2.253
alias1  IN CNAME   host1

vi 192.168.2.db

$TTL 86400
@       IN      SOA     ns.example.local. abuse.example.local. (
            1496230362 ; serial
            21600      ; refresh after 6 hours
            3600       ; retry after 1 hour
            604800     ; expire after 1 week
            86400 )    ; minimum TTL of 1 day
;
@       IN NS      ns.example.local.
1       IN PTR     host1.example.local.
2       IN PTR     host2.example.local.
253     IN PTR     ns.example.local.

Note: replace both serial numbers accordingly.

And here’s a fun script to convert static name resolution to zone files: https://pub.nethence.com/bin/daemons/named.ksh.txt
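As an added example (not the page's named.ksh and not BIND's own tooling), a small POSIX sh script that rebuilds the two zone files above from a hosts-style list and keeps the serial increasing on every run; the zone name, nameserver, contact and host entries are constructed sample values matching the page.

```shell
#!/bin/sh
# Added example, not the page's named.ksh: rebuild the two zone files shown
# above from a hosts-style list. Zone name, nameserver, contact and hosts are
# constructed sample values matching the page; adjust before real use.

ZONE="example.local"
NS="ns.example.local."
CONTACT="abuse.example.local."

# Constructed sample input in /etc/hosts order: address, then canonical name.
HOSTS='192.168.2.1 host1
192.168.2.2 host2
192.168.2.253 ns'

# $1 = serial found in the existing file (may be empty), $2 = date +%s.
# Secondaries only transfer when the serial grows, so never go backwards.
next_serial() {
    if [ -n "$1" ] && [ "$1" -ge "$2" ]; then echo $(( $1 + 1 )); else echo "$2"; fi
}

# $1 = zone file being rewritten; prints $TTL, SOA and apex NS records.
soa_header() {
    old=$(awk '/; serial/ { print $1; exit }' "$1" 2>/dev/null || true)
    new=$(next_serial "$old" "$(date +%s)")
    printf '$TTL 86400\n@\tIN\tSOA\t%s %s (\n' "$NS" "$CONTACT"
    printf '\t\t%s ; serial\n\t\t21600 ; refresh\n\t\t3600 ; retry\n' "$new"
    printf '\t\t604800 ; expire\n\t\t86400 ) ; minimum TTL\n@\tIN NS\t%s\n' "$NS"
}

# Forward zone body: one A record per host, relative owner names.
forward_records() {
    printf '%s\n' "$HOSTS" | awk '{ printf "%s\tIN A\t%s\n", $2, $1 }'
}

# Reverse zone body: last octet -> PTR to the FQDN (the trailing dot matters,
# otherwise BIND appends the reverse zone name to the target).
reverse_records() {
    printf '%s\n' "$HOSTS" | awk -v z="$ZONE" \
        '{ split($1, o, "."); printf "%s\tIN PTR\t%s.%s.\n", o[4], $2, z }'
}

# $1 = target file, $2 = function producing the records. The header is built
# before the file is truncated so the old serial can still be read.
write_zone() {
    hdr=$(soa_header "$1"); body=$($2)
    printf '%s\n%s\n' "$hdr" "$body" > "$1"
}

# Usage: sh mkzones.sh /var/named/chroot/var/named  (then named-checkzone each file)
if [ -n "$1" ]; then
    write_zone "$1/$ZONE.db" forward_records
    write_zone "$1/192.168.2.db" reverse_records
fi
```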

Enable Forwarding

Add this to the main options stanza,

forwarders {
    <nameserver1>;
    <nameserver2>;
};

TODO: is that also enough to enable caching against the forwarded servers?

Ready to go

Check the logs while starting the non-chrooted daemon at first,

tail -F /var/log/messages /var/named/data/* /var/named/chroot/var/named/data/*

systemctl start named
systemctl status named

Is everything fine? Then switch to named-chroot-setup,

systemctl stop named
systemctl list-unit-files | grep named
less /usr/lib/systemd/system/named-chroot-setup.service
less /usr/libexec/setup-named-chroot.sh
systemctl start named-chroot-setup.service
systemctl status named-chroot-setup.service
systemctl status named-chroot.service

ls -lhF /etc/rndc.key
ls -lhF /var/named/chroot/etc/rndc.key

ls -lhF /etc/named.*
ls -lhF /var/named/chroot/etc/named.*

ls -lhF /var/named/chroot/var/named/data/
ls -lhF /var/named/chroot/var/named/dynamic/
ls -lhF /var/named/chroot/run/named/

DIY

start

named

status

pgrep -a named

check and reload

named-checkconf /etc/named.conf && echo OK
named-checkzone DOMAIN.TLD /var/named/DOMAIN.db
pkill -HUP named

stop

pkill named

Acceptance

ls -lhF /etc/bind.keys
ls -lhF /var/run/named/
ls -lhF /usr/local/share/GeoIP/

Check that the name daemon is listening on both udp/53 and tcp/53,

netstat -lntup --inet --inet6

Check that the service (name resolution) works,

host host1.example.local localhost
host host2.example.local localhost
host alias1.example.local localhost
host ns.example.local localhost

host 192.168.2.1 localhost
host 192.168.2.2 localhost
host 192.168.2.253 localhost

Operations

run the script, apply (reload named-chroot, not named-chroot-setup) and check,

named.ksh
service named-chroot reload
service named-chroot-setup status
service named-chroot status

host somethingreal.example.local localhost
host somerealip localhost

References

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s2-bind-zone-examples.html

https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/5/html/Deployment_Guide/s2-bind-configuration-zone-reverse.html

http://www.ehowstuff.com/bind-dns-server-in-chroot-jail-on-centos-7/

https://www.server-world.info/en/note?os=CentOS_7&p=dns&f=4

http://www.basicconfig.com/slackware_linux_dns_server_setup

Licensed under MIT