CHROOT-BIND

Before starting
This tutorial is written "only for a beginner, by a beginner". NOT FOR PRODUCTION.

Why we are using CHROOT-BIND

The idea behind running BIND in a chroot jail is to limit what an attacker who compromises named can reach: the process only sees the files under the jail, not the rest of the system.
It is for the same reason that we run BIND as a non-root user. The two go together: a process that keeps root can break out of a chroot, so named must run chrooted AND as an unprivileged user (the -t and -u options of named), and the jail itself should stay owned by root, with only the few directories named really has to write made writable by its group.



CHROOT-BIND configuration
========================================
/var/named/chroot/ will be the root ("/") directory of the jail.

i.e. /etc/named.conf will really be /var/named/chroot/etc/named.conf
/var/named/ will really be /var/named/chroot/var/named/

KEEP THIS IN MIND EVERY TIME....
We will not refer to the real location, i.e. /var/named/chroot/etc/named.conf;
we will refer to it as /etc/named.conf, the path named sees from inside the jail.

=========================================
/etc/named.conf
=========================================
options {
        directory "/var/named";
};

controls {
        inet 127.0.0.1 allow { localhost; 127.0.0.1; } keys { rndckey; };
};

acl "safe-subnet" { 10.10.40.0/24; };

view "internal" {
        match-clients      { localnets; localhost; safe-subnet; };
        match-destinations { localnets; localhost; safe-subnet; };
        recursion yes;

        zone "." IN {
                type hint;
                file "named.ca";
        };

        zone "localhost" IN {
                type master;
                file "localhost.zone";
                allow-update { none; };
        };

        zone "0.0.127.in-addr.arpa" IN {
                type master;
                file "named.local";
                allow-update { none; };
        };

        include "/var/named/zones/internal/internal_zones.conf";
};

include "/etc/rndc.key";
============================================
1. The "options" block contains only one directive, "directory", which sets the working directory of named. Zone files given with a relative name (named.ca, localhost.zone, ...) are looked up there. Remember this path is inside the jail, so it is really /var/named/chroot/var/named.

2. The "controls" section defines who may administer the named daemon with "rndc": here only connections to 127.0.0.1 that authenticate with the key "rndckey".

3. The "acl" defines a named address list (just like an acl in squid proxy) that can be reused elsewhere in the file.

4. The "view" section lets one server answer differently for internal and external clients. We have only an internal view, so only the internal network (match-clients) can query the name server, and recursion is offered only to those clients. Once a view is used, every zone, including the root hints, must be declared inside a view.

5. The three zone definitions are the standard ones every name server needs:
a) The first zone holds the root hints: the names and addresses of the 13 root name servers, which named uses to start recursion.
b) The forward zone for localhost.
c) The reverse zone for 127.0.0.1.

6. The first include directive pulls in our internal zones. It sits inside the internal view, so those zones belong to that view.

7. The last include directive brings in the rndc key used by the "controls" section. The file contains an algorithm and a base64 secret; rndc uses them to authenticate (sign) each command with an HMAC so that named can verify who sent it. It does not encrypt the traffic.
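The layout and named.conf above, as an added example that is not part of the original post: a small sh script (my own, not the page's or BIND's) that builds the jail skeleton, validates the config the way named will load it, and checks that a running named is really confined. It assumes the RHEL-style paths above, that named runs as user and group "named", and that the daemon is started with -t /var/named/chroot -u named; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the page: build the jail skeleton that the
# layout above assumes and verify that named is really confined to it.
# Assumptions (not stated on the page): named runs as user and group "named",
# the jail is /var/named/chroot (override with CHROOT=..., no trailing slash),
# and named is started with "-t $CHROOT -u named" so it chroots AND drops root.
set -eu

CHROOT="${CHROOT:-/var/named/chroot}"

# make_chroot_tree ROOT : create the directories named needs inside ROOT.
# The tree stays owned by root and read-only for group "named"; only the
# places named must write (pid file, journals, slave zones) are writable,
# so a compromised named cannot rewrite its own config or master zones.
make_chroot_tree() {
    root="$1"
    for d in etc var/named var/named/zones/internal var/named/slaves \
             var/named/data var/run/named dev; do
        mkdir -p "$root/$d"
    done
    # ownership and device nodes need root (and the "named" group to exist)
    if [ "$(id -u)" -eq 0 ] && getent group named >/dev/null 2>&1; then
        chown -R root:named "$root"
        find "$root" -type d -exec chmod 750 {} +
        for w in var/named/slaves var/named/data var/run/named; do
            chown named:named "$root/$w"
            chmod 770 "$root/$w"
        done
        # named needs /dev/null and a randomness source inside the jail
        [ -c "$root/dev/null" ]   || mknod -m 666 "$root/dev/null" c 1 3
        [ -c "$root/dev/random" ] || mknod -m 666 "$root/dev/random" c 1 8
    fi
}

# group_writable_dirs ROOT : list every group-writable directory under ROOT,
# relative to ROOT. After make_chroot_tree as root it should show only the
# three directories above; anything else is a place named could tamper with.
group_writable_dirs() {
    find "$1" -type d -perm -020 | sed "s|^$1||" | sort
}

# check_config ROOT : validate named.conf the way named will see it.
# named-checkconf -t chroots into ROOT first, so 'include "/etc/rndc.key"'
# resolves to ROOT/etc/rndc.key exactly as at runtime; -z also loads every
# zone file the config refers to.
check_config() {
    if ! command -v named-checkconf >/dev/null 2>&1; then
        echo "named-checkconf not installed, skipping" >&2
        return 0
    fi
    named-checkconf -z -t "$1" /etc/named.conf
}

# named_is_chrooted ROOT : succeed only if a running named has ROOT as its
# root directory. /proc/PID/root is a symlink to the process's root (readable
# by root); a named started without -t resolves to "/".
named_is_chrooted() {
    pid="$(pidof named 2>/dev/null || true)"
    if [ -z "$pid" ]; then
        echo "named is not running" >&2
        return 1
    fi
    [ "$(readlink "/proc/${pid%% *}/root")" = "$1" ]
}

# Typical use, as root:
#   make_chroot_tree "$CHROOT"
#   check_config "$CHROOT"
#   named -t "$CHROOT" -u named
#   named_is_chrooted "$CHROOT" && echo "named is confined to $CHROOT"
```

Run group_writable_dirs after every change to the jail: the list is the complete set of places a compromised named could write, and it should never include etc or the master zone directory.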

===============================================
Our Zone file definitions
===============================================
/var/named/zones/internal/internal_zones.conf
===============================================
zone "40.10.10.in-addr.arpa" IN {
        type master;
        file "/var/named/zones/internal/10-10-40.zone";
        allow-update { none; };
};

zone "ansil.com" IN {
        type master;
        file "/var/named/zones/internal/ansil.com.zone";
        allow-update { none; };
};
==============================================
/var/named/zones/internal/10-10-40.zone
==============================================
$TTL 3D
@       IN SOA  ns1.ansil.com. root.ansil.com. (
                200911101       ; serial number (YYYYMMDDnn, bump it on every change)
                8H              ; refresh
                2H              ; retry
                4W              ; expire
                1D )            ; minimum (negative caching TTL)

        NS      ns1.ansil.com.  ; name server for this zone; the trailing dot makes it absolute
                                ; (a bare "www" here would mean www.40.10.10.in-addr.arpa.)

211     PTR     www.ansil.com.  ; 10.10.40.211 -> www.ansil.com
=============================================
/var/named/zones/internal/ansil.com.zone
=============================================
$TTL 3D
@       IN SOA  ns1.ansil.com. root.ansil.com. (
                200911101       ; serial number (YYYYMMDDnn)
                8H              ; refresh
                2H              ; retry
                4W              ; expire (must be much longer than refresh; with the
                                ; original 3600 a secondary would discard the zone
                                ; after one hour without contact)
                1D )            ; minimum (negative caching TTL)

        NS      ns1.ansil.com.  ; name server for this zone (a host name, not an address;
                                ; without the trailing dot it would become ns1.ansil.com.ansil.com.)
ansil.com.  MX  10 mail         ; primary mail exchanger ("mail" has no dot, so it is
                                ; relative to the origin: mail.ansil.com)

localhost   A   127.0.0.1
www         A   10.10.40.211
mail        A   10.10.40.212
ns1         A   10.10.40.213    ; the NS target needs this A record
=============================================
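The two zone files above, with an added lint script that is not from the original post (my own code, not BIND's): it catches the two mistakes that are easiest to make in hand-written zone files, a dotted NS/MX/CNAME/PTR target written without the trailing dot (which BIND silently treats as relative to the origin), and A records with no matching PTR, or PTRs with no matching A, between the forward and the reverse zone. The sample zones embedded in it are constructed for the example and deliberately repeat an unqualified "NS ns1.ansil.com" target plus a stale PTR; the function names and the /24 assumption are mine.

```shell
#!/bin/sh
# Added example, not code from the page: two lint checks for hand-written
# zone files like the ones above, in portable sh + awk.
#  unqualified_targets FILE
#      NS/MX/CNAME/PTR targets without a trailing dot are relative to the
#      zone origin, so "NS ns1.ansil.com" in zone ansil.com quietly becomes
#      ns1.ansil.com.ansil.com. Prints every dotted target lacking the dot.
#  missing_ptrs FWD FWD_ORIGIN REV REV_ORIGIN
#      Cross-checks the forward zone's A records against the reverse zone's
#      PTRs (only addresses inside the reverse zone's /24 are considered).
# Assumptions: one record per line, no $ORIGIN changes, a /24 reverse zone
# whose owner names are the last octet. The sample zones are constructed.
set -eu

# write_samples DIR : constructed copies of the two zone files above; the
# forward zone repeats the unqualified NS target, the reverse zone has one
# PTR (214) for a host that no longer has an A record.
write_samples() {
    cat > "$1/ansil.com.zone" <<'EOF'
$TTL 3D
@   IN SOA ns1.ansil.com. root.ansil.com. (
        200911101 ; serial
        8H ; refresh
        2H ; retry
        4W ; expire
        1D ) ; minimum
    NS  ns1.ansil.com      ; relative by mistake: no trailing dot
@   MX  10 mail            ; "mail" is meant to be relative
localhost A 127.0.0.1
www       A 10.10.40.211
mail      A 10.10.40.212
ns1       A 10.10.40.213
EOF
    cat > "$1/10-10-40.zone" <<'EOF'
$TTL 3D
@   IN SOA ns1.ansil.com. root.ansil.com. (
        200911101 ; serial
        8H ; refresh
        2H ; retry
        4W ; expire
        1D ) ; minimum
    NS  ns1.ansil.com.
211 PTR www.ansil.com.
214 PTR old.ansil.com.
EOF
}

unqualified_targets() {
    awk '
        { sub(/;.*/, "") }                      # drop comments
        /^[ \t]*$/ { next }
        {
            for (i = 1; i <= NF; i++) {         # locate the record type
                if ($i == "NS" || $i == "CNAME" || $i == "PTR") t = $(i + 1)
                else if ($i == "MX") t = $(i + 2)
                else continue
                if (t ~ /\./ && t !~ /\.$/) print $i, t
                break
            }
        }' "$1"
}

missing_ptrs() {
    awk -v fo="$2" -v ro="$4" '
        function fqdn(n, origin) {              # absolute name, no trailing dot
            if (n == "@") return origin
            if (n ~ /\.$/) return substr(n, 1, length(n) - 1)
            return n "." origin
        }
        BEGIN { split(ro, l, "."); net = l[3] "." l[2] "." l[1] }  # 40.10.10.in-addr.arpa -> 10.10.40
        { sub(/;.*/, "") }
        /^[ \t]*$/ || /^\$/ { next }
        { if ($0 ~ /^[ \t]/) owner = last; else { owner = $1; last = $1 } }  # blank owner = previous
        FNR == NR {                             # first file: forward zone A records
            for (i = 1; i <= NF; i++) { if ($i == "A" && $(i + 1) ~ ("^" net "\\.")) a[fqdn(owner, fo)] = $(i + 1) }
            next
        }
        {                                       # second file: reverse zone PTRs
            for (i = 1; i <= NF; i++) { if ($i == "PTR") ptr[net "." owner] = fqdn($(i + 1), ro) }
        }
        END {
            for (h in a)    { if (!(a[h] in ptr) || ptr[a[h]] != h)  print "A without PTR:", h, a[h] }
            for (ip in ptr) { if (!(ptr[ip] in a) || a[ptr[ip]] != ip) print "PTR without A:", ip, ptr[ip] }
        }' "$1" "$3" | sort
}

# Typical use on the real files (inside the jail they live under /var/named/chroot):
#   unqualified_targets /var/named/chroot/var/named/zones/internal/ansil.com.zone
#   missing_ptrs .../ansil.com.zone ansil.com .../10-10-40.zone 40.10.10.in-addr.arpa
```

Run named-checkzone ORIGIN FILE as well; it catches syntax errors, but because it loads one zone at a time it cannot see a mismatch between the forward and reverse data, which is exactly what missing_ptrs reports.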
/etc/rndc.key
=============================================
You can create your own rndc key file using
# rndc-confgen > rndc.key
(never copy the secret from a tutorial; every server needs its own)
The file will look like this:

key "rndckey" {
        algorithm hmac-md5;
        secret "YKPl5gxHe1d2J6kyjDGZFg==";
};

options {
        default-key "rndckey";
        default-server 127.0.0.1;
        default-port 953;
};

We will not use the "options" part here. It is the rndc client's own configuration (it would go in /etc/rndc.conf) and says the same thing as our "controls" section: talk to 127.0.0.1 on port 953 using "rndckey". When /etc/rndc.conf does not exist, rndc falls back to /etc/rndc.key with exactly those defaults, so just keep the "rndckey" entry ("rndc-confgen -a" writes such a key-only file straight to /etc/rndc.key).
Note that hmac-md5 is what bind-9.3.3 generated; current rndc-confgen defaults to hmac-sha256, so use that where your BIND supports it.
Because named reads /etc/rndc.key from inside the jail (really /var/named/chroot/etc/rndc.key) while rndc runs outside it and reads the host's /etc/rndc.key, the same file must exist in both places, owned by root, group named, mode 640, so that nobody else can read the secret.
At last the file /etc/rndc.key will look like this:
============================================
key "rndckey" {
        algorithm hmac-md5;
        secret "YKPl5gxHe1d2J6kyjDGZFg==";
};
============================================
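Generating and installing the key, as an added example that is not from the original post (my own sh functions, not BIND's tooling): it creates a fresh key statement, writes it both where named (inside the jail) and rndc (outside it) look for it with the secret never world-readable, and confirms that the "controls" section of named.conf refers to the same key name. It assumes the jail at /var/named/chroot, a "named" group, and a BIND that accepts hmac-sha256; the function names are mine.

```shell
#!/bin/sh
# Added example, not code from the page: generate a fresh rndc key, install
# it where both sides look for it, and confirm named.conf's "controls" block
# names the same key. named reads /etc/rndc.key from inside the jail (really
# /var/named/chroot/etc/rndc.key); rndc runs outside the jail and reads the
# host's /etc/rndc.key, so the file must exist in both places.
# Assumptions (not from the page): group "named" exists, the jail is
# /var/named/chroot, and the BIND in use accepts hmac-sha256 (current
# rndc-confgen generates that by default; the page's hmac-md5 is legacy).
set -eu

# gen_rndc_key NAME [ALGORITHM] : print a key statement with a random
# 256-bit secret, base64-encoded like rndc-confgen's output.
gen_rndc_key() {
    secret="$(head -c 32 /dev/urandom | base64 | tr -d '\n')"
    printf 'key "%s" {\n\talgorithm %s;\n\tsecret "%s";\n};\n' \
        "$1" "${2:-hmac-sha256}" "$secret"
}

# install_rndc_key JAIL HOST NAME : write the same key to JAIL/etc/rndc.key
# (what named sees as /etc/rndc.key) and HOST/etc/rndc.key (what rndc reads;
# HOST is "" on a real system, a temp dir when testing). The file is created
# under umask 077 so the secret is never world-readable, even briefly.
install_rndc_key() {
    key="$(gen_rndc_key "$3")"
    for f in "$1/etc/rndc.key" "$2/etc/rndc.key"; do
        mkdir -p "${f%/*}"
        (umask 077; printf '%s\n' "$key" > "$f")
        chmod 640 "$f"
        if [ "$(id -u)" -eq 0 ] && getent group named >/dev/null 2>&1; then
            chown root:named "$f"
        fi
    done
}

# key_name_in FILE : the name of the (first) key statement in FILE
key_name_in() {
    sed -n 's/^key[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# controls_key NAMED_CONF : the key name the controls statement requires
controls_key() {
    sed -n '/^controls/,/^};/s/.*keys[[:space:]]*{[[:space:]]*\([^;[:space:]}]*\).*/\1/p' "$1" | head -n 1
}

# rndc_key_matches NAMED_CONF KEYFILE : succeed if both name the same key;
# a mismatch is the usual cause of "rndc: connection to remote host closed".
rndc_key_matches() {
    [ -n "$(key_name_in "$2")" ] && [ "$(controls_key "$1")" = "$(key_name_in "$2")" ]
}

# key_file_is_private FILE : fail if anyone outside owner and group can read it
key_file_is_private() {
    [ -z "$(find "$1" -perm -004)" ]
}

# On the real server, as root:
#   install_rndc_key /var/named/chroot "" rndckey
#   key_file_is_private /etc/rndc.key
#   rndc_key_matches /var/named/chroot/etc/named.conf /etc/rndc.key && rndc reload
```

If your distribution's bind-chroot package already keeps the host and jail copies of rndc.key in sync, let it; the checks still apply, because a hand-edited copy on one side is enough to lock rndc out.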
At last you have to copy some files from /usr/share/doc/bind-9.3.3/sample/var/named
to /var/named/ (remember: that is really /var/named/chroot/var/named/)

1. named.root
2. named.local
3. localhost.zone

Rename named.root to named.ca (the file name used by the hint zone above).

Open /etc/resolv.conf (the real one, outside the jail) and add
nameserver 127.0.0.1
===========================================

Check your configuration using the "host" command
1. Forward lookup
# host www.ansil.com
www.ansil.com has address 10.10.40.211
2. Reverse lookup
# host 10.10.40.211
211.40.10.10.in-addr.arpa domain name pointer www.ansil.com.
3. Access control: run the same query from a machine outside 10.10.40.0/24. It must be answered REFUSED, because no view matches that client.

The reverse internal zone file contains only one pointer, 10.10.40.211 to www.ansil.com; mail and ns1 have A records but no PTR yet, so "host 10.10.40.212" returns NXDOMAIN until you add "212 PTR mail.ansil.com." and "213 PTR ns1.ansil.com." (and bump the serial).
The forward internal zone file contains several kinds of entries:
1. Mail exchanger (MX)
2. Name server (NS)
3. A records, which give the IP address of a name
