DNS: Setup bind9 DNS Server in chroot environment

– Install Bind
# yum -y install bind bind-chroot bind-libs bind-utils caching-nameserver

- Configure Permissions (named only needs group write on these directories; avoid world-writable modes such as 777 on /var/run/named, since any local user could then replace the pid file)
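# chmod 755 /var/named/
# chmod 775 /var/named/chroot/
# chmod 775 /var/named/chroot/var/
# chmod 775 /var/named/chroot/var/named/
# chmod 775 /var/named/chroot/var/run/
# chown root:named /var/named/chroot/var/run/named/
# chmod 770 /var/named/chroot/var/run/named/
# cd /var/named/chroot/var/named/
# ln -s ../../ chroot
# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/named.local
# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
# touch /var/named/chroot/etc/named.conf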

– Setting RNDC (rndc.conf contains the control-channel secret, so restrict it to root and group named)
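# cd /var/named/chroot/etc
# rndc-confgen > rndc.conf
# chown root:named rndc.conf
# chmod 640 rndc.conf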

– Create/edit the file rndc.key (it holds the key stanza generated above):
# nano /var/named/chroot/etc/rndc.key

# Start of rndc.conf
# rndc.key: the key stanza shared by rndc and named. Anyone who can read the
# secret can control named over the rndc channel, so keep this file readable
# only by root and group named.
# hmac-md5 is considered weak; newer BIND releases accept hmac-sha256 here.
# The secret is a sample value from this guide -- use the one rndc-confgen
# generated for you.
key "rndckey" {
algorithm hmac-md5;
secret "QXkk0JXZDrgi0dJ0DrETKQ==";
};

#options {
# default-key "rndckey";
# default-server 127.0.0.1;
# default-port 953;
#};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# NOTE(review): the secret in this template does not match the one in the key
# stanza above; named.conf and rndc must share the same secret or rndc is refused.
# key "rndckey" {
# algorithm hmac-md5;
# secret "xwINl5E9kGDva0PcJWCZjQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndckey"; };
# };
# End of named.conf

– Configure /var/named/chroot/etc/named.conf

# nano /var/named/chroot/etc/named.conf


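// Red Hat BIND Configuration Tool
// Default initial "Caching Only" name server configuration
//
// named runs chrooted to /var/named/chroot, so every path in this file is
// resolved inside the chroot: "/var/named" here is /var/named/chroot/var/named
// on the host, and an include would need a chroot-relative path such as
// include "/etc/rndc.key";  (NOTE(review): confirm against your chroot layout)
//
// The rndc key is pasted inline instead (same stanza as the rndc.key created
// earlier); it must match rndc's key exactly or rndc is refused.
key "rndckey" {
    // hmac-md5 is considered weak; newer BIND releases accept hmac-sha256 here.
    algorithm hmac-md5;
    // sample value from this guide -- use the one rndc-confgen generated for you
    secret "QXkk0JXZDrgi0dJ0DrETKQ==";
};

// assume our server has the IP 192.168.0.250 serving the 192.168.0.0/24 subnet
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
    // This opens the rndc control channel to the whole LAN: any host on
    // 192.168.0.0/24 that holds the key can stop or reconfigure named.
    // Narrow the allow list to the admin host(s) that actually run rndc.
    inet 192.168.0.250 allow { 192.168.0.0/24; } keys { "rndckey"; };
};

options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";

    // Recursion is on, but allow-recursion below limits it to the LAN so this
    // server is not an open resolver.
    recursion yes;

    allow-recursion {
        127.0.0.1;
        192.168.0.0/24;
    };

    // upstream forwarders (optional) -- replace with resolvers you trust
    forwarders {
        202.134.0.155;
        203.130.193.74;
        8.8.8.8;
        8.8.4.4;
    };

    listen-on {
        127.0.0.1;
        192.168.0.250;
    };

    /*
    * If there is a firewall between you and nameservers you want
    * to talk to, you might need to uncomment the query-source
    * directive below. Previous versions of BIND always asked
    * questions using port 53, but BIND 8.1 uses an unprivileged
    * port by default.
    */
    // Leave this commented unless the firewall forces it: a fixed source
    // port removes source-port randomization, which is part of the defence
    // against cache poisoning.
    // query-source address * port 53;

    // so people can't try to guess what version you're running
    version "REFUSED";

    allow-query {
        127.0.0.1;
        192.168.0.0/24;
    };
};

server 192.168.0.250 {
    keys { rndckey; };
};

zone "." IN {
    type hint;
    // NOTE(review): the setup step above copied the root hints as named.root;
    // make sure this filename matches the file that actually exists in
    // /var/named inside the chroot.
    file "named.ca";
};

// forward zone
zone "example.net" IN {
    type master;
    file "data/example.net.zone";
    allow-update { none; };
    // we assume we have a slave dns server with the IP 192.168.0.251
    allow-transfer { 192.168.0.251; };
};

// reverse zone
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "data/192.168.0.zone";
    allow-update { none; };
    // we assume we have a slave dns server with the IP 192.168.0.251
    allow-transfer { 192.168.0.251; };
};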

-Setting Forward Lookup Zone
# cd /var/named/chroot/var/named/data/
# touch example.net.zone
# nano example.net.zone

-Edit File example.net.zone:

$ttl 38400
; example.net forward zone (master copy). named.conf disables dynamic updates
; and allows transfers only to the slave 192.168.0.251.
; Increase the serial on every edit, otherwise the slave will not pick up the change.
example.net. IN SOA ns.example.net. admin.example.net. (
2012011501 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
example.net. IN NS ns.example.net.
ns.example.net. IN A 192.168.0.250

– Setting Reverse Lookup Zone
# cd /var/named/chroot/var/named/data/
# touch 192.168.0.zone
# nano 192.168.0.zone

-Edit File 192.168.0.zone :

$TTL 86400
; 0.168.192.in-addr.arpa reverse zone for 192.168.0.0/24 (master copy).
; SOA fields are in the same order as the forward zone: serial, refresh,
; retry, expire, minimum TTL. Increase the serial on every edit.
; NOTE: no PTR records are defined yet; the NS host from the forward zone
; would be written as   250 IN PTR ns.example.net.
0.168.192.in-addr.arpa. IN SOA ns.example.net. admin.example.net. (
2012011502 ; Serial
10800 ; Refresh
900 ; Retry
604800 ; Expire
3600 ) ; Minimum TTL

0.168.192.in-addr.arpa. IN NS ns.example.net.

– Restart Bind Service & Setting run level

# service named restart
# chkconfig named on

-Make sure it’s running :
# rndc status

If it is not running, link /etc/rndc.conf to /var/named/chroot/etc/rndc.conf and restart named.

-Edit /etc/resolv.conf & Restart service
# nano /etc/resolv.conf

search example.net
nameserver 127.0.0.1
nameserver 192.168.0.250
nameserver 192.168.0.251

-Testing DNS Query:
# nslookup google.com
