Bind Configuration

The document provides instructions for setting up a secure DNS server using Bind in a chroot jail environment. It describes creating the necessary user, directory structure and permissions within the chroot jail. It also covers installing and configuring Bind, including downloading the source, compiling, and copying configuration files and zones. The overall process allows Bind to run in a secure, isolated environment to prevent access to files outside the chroot.

© Attribution Non-Commercial (BY-NC)

There are a lot of great articles on setting up Bind, and some of them go into great detail on setting up a secure DNS server using Bind. One I have used time after time is called Linux Howto: Chroot Bind How To. One thing I do not like about it is that I had to read over things I really do not need to know or already know. So I have put together this quick How To based on that great how to. Setting up a secure DNS server using Bind is not very complicated.

Let us dive into this. First we create the named user and group and set up the directory structure of the jail. The commands below assume uid/gid 200 are unused on your system; pick a free pair if they are not.

echo "named:x:200:200:Nameserver:/chroot/named:/bin/false" >> /etc/passwd
echo "named:x:200:" >> /etc/group
mkdir -p /chroot/named
cd /chroot/named
mkdir -p dev etc/namedb/slave var/run
chown -R named:named /chroot/named/etc/namedb/slave
chown named:named /chroot/named/var/run
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/{null,random}
cp /etc/localtime /chroot/named/etc/

Next, edit /etc/sysconfig/syslog so that syslogd also listens on a socket inside the jail (once named has chrooted it can no longer reach /dev/log). Find the line which starts with SYSLOGD_OPTIONS and edit it to look like:
SYSLOGD_OPTIONS="-m 0 -a /chroot/named/dev/log"
Restart syslog to pick up the new settings, then lock down the files on the server. The immutable attribute (chattr +i) prevents the entries from being modified, renamed or deleted, even by root, until it is cleared with chattr -i. If you later cannot create a file inside a directory you have made immutable (the comments below ran into this), clear the attribute, write the file, and set it again.

/etc/rc.d/init.d/syslog stop
/etc/rc.d/init.d/syslog start
chown root /chroot
chmod 700 /chroot
chown named:named /chroot/named
chmod 700 /chroot/named
cd /chroot/named
chattr +i etc/localtime var
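Before named is ever started it is worth confirming that the jail on disk matches what the steps above intended. The audit script below is an added example written for this page, not part of the original how-to: it walks the directories, device nodes and localtime file the guide creates, checks that the jail root is mode 700 and owned by the service user, and flags anything world-writable inside the jail (the two device nodes are excluded, since they are 666 by design). The jail path and owner are parameters (defaulting to /chroot/named and named) so the same function can be run against a throwaway test tree; it assumes GNU stat and find, as found on CentOS, RHEL and Fedora.

```shell
#!/bin/sh
# Added example for this page (not part of the original how-to): audit a BIND
# chroot jail built with the steps above. Prints one finding per line and
# returns the number of findings, so exit status 0 means the layout matches.
# Assumes GNU stat/find (CentOS, RHEL, Fedora).
# Usage: sh check_named_jail.sh [JAIL_DIR] [OWNER]   (defaults: /chroot/named named)

check_named_jail() {
    jail="${1:-/chroot/named}"
    owner="${2:-named}"
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    # 1. The directory tree the guide creates with mkdir -p
    for d in dev etc etc/namedb etc/namedb/slave var/run; do
        [ -d "$jail/$d" ] || note "missing directory: $jail/$d"
    done

    # 2. Device nodes named needs once it has chrooted (mknod c 1 3 and c 1 8)
    for dev in null random; do
        [ -c "$jail/dev/$dev" ] || note "missing character device: $jail/dev/$dev"
    done

    # 3. Timezone data copied into the jail so log timestamps are in local time
    [ -f "$jail/etc/localtime" ] || note "missing file: $jail/etc/localtime"

    # 4. Jail root: mode 700 and owned by the service user (chown/chmod above)
    if [ -d "$jail" ]; then
        mode=$(stat -c '%a' "$jail")
        [ "$mode" = "700" ] || note "$jail mode is $mode, expected 700"
        have=$(stat -c '%U' "$jail")
        [ "$have" = "$owner" ] || note "$jail owned by $have, expected $owner"
    else
        note "jail directory $jail does not exist"
    fi

    # 5. Nothing world-writable inside the jail (device nodes are 666 by design)
    ww=$(find "$jail" -perm -0002 ! -type c ! -type l 2>/dev/null | wc -l)
    [ "$ww" -eq 0 ] || note "$ww world-writable entries under $jail"

    return "$findings"
}

# Run directly with arguments, e.g.  sh check_named_jail.sh /chroot/named named
if [ $# -gt 0 ]; then
    check_named_jail "$@"
fi
```

Run it as root after the chown/chmod steps; a clean jail prints nothing and exits 0, and each finding names the exact path so it can be fixed with the corresponding command from the list above.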

Next, remove any previous bind install, since most Linux installations have named (bind) pre-installed:
rpm -qa | grep bind
rpm -e --nodeps <copy-paste-all-the-packages-separated-by-space>

Now get the bind source and install it. At the time of writing, bind 9.4.1 is the latest. ISC publishes a detached PGP signature next to each tarball on the same server; verify it before building.

wget http://ftp.isc.org/isc/bind9/9.4.1/bind-9.4.1.tar.gz
tar zxpfv bind-*.gz
cd bind*
./configure
make && make install

Copy the following content to /etc/init.d/named. The start line runs named as the named user (-u) with the jail as its root directory (-t), so the -c /etc/named.conf on the command line refers to /chroot/named/etc/named.conf.

#!/bin/sh
#
# named This shell script takes care of starting and stopping
# named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true
#
# Source function library.
. /etc/rc.d/init.d/functions
#
# Source networking configuration.
. /etc/sysconfig/network
#
# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0
#
[ -f /usr/local/sbin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0
#
# See how we were called.
case "$1" in
    start)
        # Start daemons: run as user named, chrooted to /chroot/named,
        # so -c /etc/named.conf means /chroot/named/etc/named.conf.
        echo -n "Starting named: "
        daemon /usr/local/sbin/named -u named -t /chroot/named -c /etc/named.conf
        echo
        touch /var/lock/subsys/named
        ;;
    stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        kill $(pidof named)
        echo
        rm -f /var/lock/subsys/named
        ;;
    status)
        status named
        exit $?
        ;;
    restart)
        $0 stop
        $0 start
        exit $?
        ;;
    reload)
        /usr/local/sbin/rndc reload
        exit $?
        ;;
    probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/rndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
    *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
esac
#
exit 0

Make it executable: chmod +x /etc/init.d/named


Set it so "named" will automatically start at boot: chkconfig --add named

Save the following into /chroot/named/etc/named.conf. Note that the controls statement refers to a key called "rndc-key", so that key has to be defined in the file as well (named refuses to start with "unknown key" otherwise); generate the secret with rndc-confgen and use the same secret in rndc.conf outside the jail.


options {
recursion no; // refuse recursive lookups: this is an authoritative-only server, not an open resolver
directory "/etc/namedb"; // Working directory (relative to the chroot)
pid-file "/var/run/named.pid"; // Put pid file in working dir
forwarders {
10.10.10.10; // ip of dns server to forward requests to
};
statistics-file "/var/run/named.stats";
query-source address * port 53; // NB: a fixed source port disables the source-port randomisation of later BIND releases; drop "port 53" there
version "Bind 10"; // hide the real version string from version.bind queries
};
// Key used by rndc to talk to the controls channel below.
// Placeholder secret: replace with the output of rndc-confgen.
key "rndc-key" {
algorithm hmac-md5;
secret "<paste-the-secret-generated-by-rndc-confgen-here>";
};
controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};
// Root server hints
zone "." {
type hint;
file "root.hint";
};
// Provide a reverse mapping for the loopback address 127.0.0.1
zone "0.0.127.in-addr.arpa" {
type master;
file "db.127.0.0";
notify no;
};
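Before starting named on a configuration like the one above, it pays to check the handful of settings that decide how exposed the server is. The script below is an added example for this page, not code from the original post or from ISC: it strips comments from a named.conf and flags four things, namely recursion not explicitly disabled, a query-source with a fixed port (later BIND releases randomise the source port as a cache-poisoning defence, and pinning it switches that off), a controls statement naming a key that is never defined (the "unknown key 'rndc-key'" failure a commenter below hit), and master zones with no allow-transfer restriction. Two constructed sample configs are included so the script runs offline; the secret in the hardened sample is a placeholder standing in for rndc-confgen output, and the checks assume options precede zone statements, as is conventional.

```shell
#!/bin/sh
# Added example (not from the original post or from ISC): static checks over a
# named.conf for the settings this guide relies on. Prints one finding per
# line and returns the number of findings, so 0 means nothing was flagged.
# Usage: sh audit_named_conf.sh /chroot/named/etc/named.conf

audit_named_conf() {
    conf="$1"
    findings=0
    note() { echo "$1"; findings=$((findings + 1)); }

    # Drop // and # comments so commented-out settings are not counted.
    clean=$(sed -e 's,//.*$,,' -e 's,#.*$,,' "$conf")

    # 1. BIND defaults to recursion yes; an authoritative-only server should
    #    say "recursion no" so it cannot be used as an open resolver.
    printf '%s\n' "$clean" | grep -Eq '^[[:space:]]*recursion[[:space:]]+no[[:space:]]*;' \
        || note "recursion not disabled: server will answer recursive queries for anyone"

    # 2. query-source with a numeric port pins every outgoing query to one UDP
    #    source port, defeating source-port randomisation. Leave the port unset.
    printf '%s\n' "$clean" | grep -Eq 'query-source[[:space:]].*port[[:space:]]+[0-9]+' \
        && note "query-source pins a fixed source port"

    # 3. Every key named in a controls statement needs a matching key block,
    #    otherwise named logs "unknown key" and exits at startup.
    for k in $(printf '%s\n' "$clean" | sed -n 's/.*keys[[:space:]]*{[[:space:]]*"\([^"]*\)".*/\1/p'); do
        printf '%s\n' "$clean" | grep -Eq "^[[:space:]]*key[[:space:]]+\"$k\"" \
            || note "controls references key \"$k\" but no key \"$k\" block is defined"
    done

    # 4. A master zone with no allow-transfer (per zone, or globally in an
    #    options block that comes first) hands the whole zone to any AXFR.
    for z in $(printf '%s\n' "$clean" | awk '
        !inzone && /allow-transfer/ { global = 1 }
        /^[ \t]*zone[ \t]+"/ {
            match($0, /"[^"]*"/); name = substr($0, RSTART + 1, RLENGTH - 2)
            inzone = 1; master = 0; xfer = 0
        }
        inzone && /type[ \t]+master/ { master = 1 }
        inzone && /allow-transfer/ { xfer = 1 }
        inzone && /^[ \t]*};/ { if (master && !xfer && !global) print name; inzone = 0 }'); do
        note "zone \"$z\" is master but has no allow-transfer restriction"
    done

    return "$findings"
}

# Constructed sample (not the guide's own file): the risky shape of the config.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    recursion yes;
    directory "/etc/namedb";
    query-source address * port 53;
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." {
    type hint;
    file "root.hint";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
};
EOF
}

# Constructed sample: the same config with each issue corrected.
# The secret is a placeholder; a real one comes from rndc-confgen.
write_hardened_conf() {
    cat > "$1" <<'EOF'
options {
    recursion no;
    directory "/etc/namedb";
};
key "rndc-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-replace-with-rndc-confgen-output";
};
controls {
    inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { "rndc-key"; };
};
zone "." {
    type hint;
    file "root.hint";
};
zone "0.0.127.in-addr.arpa" {
    type master;
    file "db.127.0.0";
    allow-transfer { none; };
};
EOF
}

# Run directly: sh audit_named_conf.sh /chroot/named/etc/named.conf
if [ $# -gt 0 ]; then
    audit_named_conf "$1"
fi
```

Run against the weak sample it reports all four findings; against the hardened sample it reports none. The checks are deliberately textual rather than a full named.conf parser, so they complement, not replace, named-checkconf.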

Save the following as /chroot/named/etc/namedb/root.hint. The copy below dates from 2002 and several root server addresses have changed since, so fetch the current named.root from the location named in the file header before going live.

; This file holds the information on root name servers needed to
; initialize cache of Internet domain name servers
; (e.g. reference this file in the "cache . <file>"
; configuration file of BIND domain name servers).
;
; This file is made available by InterNIC
; under anonymous FTP as
; file /domain/named.root
; on server FTP.INTERNIC.NET
;
; last update: Nov 5, 2002
; related version of root zone: 2002110501
;
;
; formerly NS.INTERNIC.NET
;
. 3600000 IN NS A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A 198.41.0.4
;
; formerly NS1.ISI.EDU
;
. 3600000 NS B.ROOT-SERVERS.NET.
B.ROOT-SERVERS.NET. 3600000 A 128.9.0.107
;
; formerly C.PSI.NET
;
. 3600000 NS C.ROOT-SERVERS.NET.
C.ROOT-SERVERS.NET. 3600000 A 192.33.4.12
;
; formerly TERP.UMD.EDU
;
. 3600000 NS D.ROOT-SERVERS.NET.
D.ROOT-SERVERS.NET. 3600000 A 128.8.10.90
;
; formerly NS.NASA.GOV
;
. 3600000 NS E.ROOT-SERVERS.NET.
E.ROOT-SERVERS.NET. 3600000 A 192.203.230.10
;
; formerly NS.ISC.ORG
;
. 3600000 NS F.ROOT-SERVERS.NET.
F.ROOT-SERVERS.NET. 3600000 A 192.5.5.241
;
; formerly NS.NIC.DDN.MIL
;
. 3600000 NS G.ROOT-SERVERS.NET.
G.ROOT-SERVERS.NET. 3600000 A 192.112.36.4
;
; formerly AOS.ARL.ARMY.MIL
;
. 3600000 NS H.ROOT-SERVERS.NET.
H.ROOT-SERVERS.NET. 3600000 A 128.63.2.53
;
; formerly NIC.NORDU.NET
;
. 3600000 NS I.ROOT-SERVERS.NET.
I.ROOT-SERVERS.NET. 3600000 A 192.36.148.17
;
; operated by VeriSign, Inc.
;
. 3600000 NS J.ROOT-SERVERS.NET.
J.ROOT-SERVERS.NET. 3600000 A 192.58.128.30
;
; housed in LINX, operated by RIPE NCC
;
. 3600000 NS K.ROOT-SERVERS.NET.
K.ROOT-SERVERS.NET. 3600000 A 193.0.14.129
;
; operated by IANA
;
. 3600000 NS L.ROOT-SERVERS.NET.
L.ROOT-SERVERS.NET. 3600000 A 198.32.64.12
;
; housed in Japan, operated by WIDE
;
. 3600000 NS M.ROOT-SERVERS.NET.
M.ROOT-SERVERS.NET. 3600000 A 202.12.27.33
; End of File

This should get you started. Now just create the appropriate zone files (including db.127.0.0 referenced above) and you are good to go.

------------------------------
DISCLAIMER: Please be smart and use code found on internet carefully. Make backups often. And yeah.. last but
not least.. I am not responsible for any damage caused by this posting. Use at your own risk.

Comments (13)

13 Responses to "Bind: Quick install guide to install and setup Bind (DNS server) in secure (chroot) environment in Linux (CentOS, Redhat Enterprise (RHEL), Fedora)."

1. George

July 30th, 2007 | 6:12 am

It seems that I can not add /chroot/named/etc/named.conf due to permission restrictions. I am still
looking for help. Any ideas?

2. Bill Holt

July 31st, 2007 | 9:47 am

I also, can not add /chroot/named/etc/named.conf due to permission restrictions. I am looking for help.
Any ideas?

3. CrazyToon

August 1st, 2007 | 12:05 pm

If that is happening, do:

cd /chroot/named
chattr -i etc

Let me know if that works for you.

4. George

August 2nd, 2007 | 4:10 pm

Yes, it worked.
Now should I set chattr +i etc again?
Thanks.

5. CrazyToon

August 5th, 2007 | 11:50 am

If you would like to make it more secure then you should. I have a lot of clients who prefer to not have +i
set up on etc.

6. francisco

October 14th, 2007 | 6:14 pm

Hey! Can you help? I have followed your guide but still have one minor problem: error: named dead but subsys locked
It won't start.

7. Peter

September 24th, 2008 | 7:48 am

I have the same error. “named dead but subsys locked” when executing “./named status” and the
application will not start. Did you find a solution to this issue?

8. Bill Hudson

October 2nd, 2008 | 4:52 pm

Can your above instructions regarding Bind work without chroot? Also, do you have any info on setting up
zone files? Thanks for putting the above info together, it’s appreciated.
Bill

9. maz

September 19th, 2010 | 11:59 pm

Hi, this link is very good. I have the same bind 9.3.6 on CentOS 5.4, and I am getting this kind of message on the server:
Sep 19 18:49:07 centos1 named[23130]: client xxx.xxx.xxx.xxx#60923: update 'backup.com/IN' denied
Sep 19 18:49:07 centos1 named[23130]: client 9x.xxx.xx.xxx#55432: update 'bacups.com./IN' denied
Sep 19 18:51:17 centos1 named[23130]: network unreachable resolving 'ns1.inmel.ru/AAAA/IN': 2001:xxx:1xx:0x:xxx:xxx:xx2:17#53
BR,
MAZ

10. david

February 10th, 2011 | 8:41 pm

OK, this didn't work for me. It gives me auth errors on just about everything when I try to start named,
and key errors, but the key is in the rndc.conf
///////////////////////////////////////////////////////////////
messages:Feb 10 19:01:17 server1 rsyslogd: Warning: backward compatibility layer added to following directive to rsyslog.conf: addunixlistensocket /chroot/named/dev/log
messages:Feb 10 19:01:24 server1 kernel: warning: `named' uses 32-bit capabilities (legacy support in use)
messages:Feb 10 19:01:24 server1 named[4379]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:01:24 server1 named[4379]: built with '--without-openssl'
messages:Feb 10 19:01:24 server1 named[4379]: using up to 4096 sockets
messages:Feb 10 19:01:24 server1 named[4379]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:01:24 server1 named[4379]: /etc/named.conf:15: unknown key 'rndc-key'
messages:Feb 10 19:01:24 server1 named[4379]: loading configuration: failure
messages:Feb 10 19:01:24 server1 named[4379]: exiting (due to fatal error)
messages:Feb 10 19:03:26 server1 named[5442]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:03:26 server1 named[5442]: built with '--without-openssl'
messages:Feb 10 19:03:26 server1 named[5442]: using up to 4096 sockets
messages:Feb 10 19:03:26 server1 named[5442]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:03:26 server1 named[5442]: /etc/named.conf:15: unknown key 'rndc-key'
messages:Feb 10 19:03:26 server1 named[5442]: loading configuration: failure
messages:Feb 10 19:03:26 server1 named[5442]: exiting (due to fatal error)
messages:Feb 10 19:10:30 server1 named[5918]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:10:30 server1 named[5918]: built with '--without-openssl'
messages:Feb 10 19:10:30 server1 named[5918]: using up to 4096 sockets
messages:Feb 10 19:10:30 server1 named[5918]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:10:30 server1 named[5918]: /etc/named.conf:15: unknown key 'rndc-key'
messages:Feb 10 19:10:30 server1 named[5918]: loading configuration: failure
messages:Feb 10 19:10:30 server1 named[5918]: exiting (due to fatal error)
messages:Feb 10 19:32:50 server1 named[7405]: starting BIND 9.7.2-P3 -u named -t /chroot/named -c /etc/named.conf
messages:Feb 10 19:32:50 server1 named[7405]: built with '--without-openssl'
messages:Feb 10 19:32:50 server1 named[7405]: using up to 4096 sockets
messages:Feb 10 19:32:50 server1 named[7405]: loading configuration from '/etc/named.conf'
messages:Feb 10 19:32:50 server1 named[7405]: /etc/named.conf:22: unknown key 'rndc-key'
messages:Feb 10 19:32:50 server1 named[7405]: loading configuration: failure
messages:Feb 10 19:32:50 server1 named[7405]: exiting (due to fatal error)
//////////////////////////////////////////////////////////////////
Love BSD. Not so sure about this expensive RHEL with its sad excuse for support....
Thanks for any help in advance!
~D

11. islamay

April 4th, 2011 | 1:19 pm

Hi everyone,

I am running a virtual simulation in VMware of a DNS server (primary, secondary and caching).
I have configured the primary server and tested it (it works fine).
I have configured the secondary server, but it is not able to load the zone information from the primary server.
Here is my configuration on the primary server:
vi /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
};
zone "rnu.tn" IN {
type master;
file "rnu.tn.zone";
allow-update { none; };
allow-transfer { 192.168.127.133; };
};
vi /var/named/rnu.tn.zone
$TTL 1D
@ IN SOA ns1.rnu.tn. admin.rnu.tn. (
0 ; serial
1D ; refresh
1H ; retry
1W ; expire
3H ) ; minimum
IN NS ns1.rnu.tn.
IN NS ns2.rnu.tn.
IN MX 10 mail.rnu
IN A 192.168.127.134
ns1 IN A 192.168.127.134
ns2 IN A 192.168.127.133
www IN A 192.168.127.134
mail IN A 192.168.127.134
IN A 127.0.0.1
Configuration on the secondary server:
vi /etc/named.conf
zone "." IN {
type hint;
file "named.ca";
};
zone "rnu.tn" IN {
type slave;
file "rnu.tn.zone";
masters { 192.168.127.134; };
};
Information:
Fedora 14
bind 9.7.2
IP address of the primary server machine: 192.168.127.134
IP address of the secondary server machine: 192.168.127.133
Please explain the problem to me and guide me in setting up a caching server.
Awaiting your replies.
Thanks in advance.

12. Cage

May 21st, 2011 | 5:03 am

CrazyToon,
I hope you are still around and get this.
I just wanted to say thank you!
After digging and researching for over 60 hrs on multiple setups to rebuild every aspect of a server for the first time alone, DNS being my most challenging daemon...
You Rock!
You write the best clear-cut, clean directions without all the extra stuff we don't need when pressed.
I hope you do more in the future. I just take my hat off to ya. You should put a book out, heck, I would help!
Later
George L.
Minnesota, USA

13. Sunny Walia

May 21st, 2011 | 2:45 pm

Thanks for the kind words George. Glad I could help you out.

Read more: http://crazytoon.com/2007/06/21/bind-quick-install-guide-to-install-and-setup-bind-dns-server-in-secure-chroot-environment-in-linux-centos-redhat-enterprise-rhel-fedora/