2025-02-24 Update From: SLTechnology News&Howtos
Shulou(Shulou.com)06/01 Report--
This article describes how to build a BIND DNS server that runs inside a chroot jail on CentOS. Many people have questions about this setup, so the steps below have been collected from various sources into one simple, workable procedure.
BIND (Berkeley Internet Name Domain), whose daemon is called named, is the most widely used DNS server software on the Internet. This article shows how to run BIND in a chroot jail so that it cannot reach any part of the file system outside the jail.
In this article the root directory that BIND sees is changed to /var/named/chroot/; from BIND's point of view that directory is / (root). A jail (LCTT translation note: chroot "prison") is a mechanism that keeps a process from touching resources outside a specified area, so that a compromised process does less damage: the chroot mechanism changes the root directory the process sees, confining it to that directory and its subdirectories, which is the only part of the file system it can then operate on. Note that chroot restricts the file-system view only: the confinement holds because the service also starts named as the unprivileged named user (a root process can leave a chroot), so keep both in place. The default jail for the bind-chroot package is /var/named/chroot.
You can follow these steps to deploy the BIND chroot DNS server on CentOS 7.0.
1. Install the bind and bind-chroot packages
The code is as follows:
[root@centos7 ~]# yum install bind-chroot bind -y
2. Copy the sample BIND files into the chroot to prepare the environment
The code is as follows:
[root@centos7 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/
3. Create the files BIND writes at run time inside the chroot
The code is as follows:
[root@centos7 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named.run
[root@centos7 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@centos7 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
4. Make the directories BIND writes to writable by the named user. The original instructions used chmod -R 777 here, which makes these files writable by every local user; named runs as the named user, so giving that user ownership with mode 770 is sufficient (and is how the bind package sets up its own /var/named/data):
The code is as follows:
[root@centos7 ~]# chown -R named:named /var/named/chroot/var/named/data
[root@centos7 ~]# chown -R named:named /var/named/chroot/var/named/dynamic
[root@centos7 ~]# chmod -R 770 /var/named/chroot/var/named/data
[root@centos7 ~]# chmod -R 770 /var/named/chroot/var/named/dynamic
5. Copy /etc/named.conf into the chroot directory. The named-chroot service bind-mounts the host's /etc/named.conf into the jail only when the jail has no non-empty copy of its own, so after this step the copy under /var/named/chroot/etc is the one named reads and the one to edit:
The code is as follows:
[root@centos7 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf
6. Configure BIND in the chroot copy of named.conf
Append the example.local zone definitions to the end of named.conf to create a forward zone and a reverse zone (LCTT translation note: example.local is not a real, valid Internet domain name, just one commonly used for local testing; to provide authoritative resolution for your own domain, define it in the same way):
The code is as follows:
[root@centos7 ~]# vi /var/named/chroot/etc/named.conf
...
zone "example.local" IN {
    type master;
    file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
};
...
The complete named.conf is as follows. Two points deserve attention before copying it. First, with allow-query { any; } and recursion yes this server will recurse for any client that can reach port 53, which is exactly the open-resolver configuration that the comment inside the file warns about; on anything other than an isolated lab network, restrict queries and recursion to your own networks with an acl and allow-query / allow-recursion statements. Second, the dnssec-lookaside and ISC DLV key entries are the CentOS 7 defaults of the time, but the ISC DLV registry has since been shut down and newer BIND versions have dropped DLV support, so omit those two lines on a current BIND.
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    /*
     - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
     - If you are building a RECURSIVE (caching) DNS server, you need to enable
       recursion.
     - If your recursive DNS server has a public IP address, you MUST enable access
       control to limit queries to your legitimate users. Failing to do so will
       cause your server to become part of large scale DNS amplification
       attacks. Implementing BCP38 within your network would greatly
       reduce such attack surface.
    */
    recursion yes;
    dnssec-enable yes;
    dnssec-validation yes;
    dnssec-lookaside auto;
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging {
    channel default_debug {
        file "data/named.run";
        severity dynamic;
    };
};
zone "." IN {
    type hint;
    file "named.ca";
};
zone "example.local" IN {
    type master;
    file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
    type master;
    file "192.168.0.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
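The comment block inside the options section warns that a recursive server reachable from the Internet becomes an amplifier unless access control is enforced. The following script is an added example, not part of the original article: it classifies a BIND server as open or closed for a given client from the output of a recursive dig query, and can probe a live server the same way. The three dig transcripts in the script are constructed for the offline check; the probe target 192.168.0.70 and the external name www.example.com are assumptions (use your own server's address and any name outside the zones it hosts).

```shell
#!/bin/sh
# Added example, not from the original article: decide from a `dig` transcript
# whether a BIND server will recurse for the client that asked, i.e. whether
# it is an open resolver as the comment block in named.conf warns against.
# The three transcripts below are constructed for the offline check; the
# probe target 192.168.0.70 and the name www.example.com are assumptions.
set -eu

# Classify dig output read from stdin. BIND clears the RA flag and answers
# REFUSED when allow-recursion excludes the client, so for a name the server
# is not authoritative for, "ra" in the flags means it recursed for us.
#   open     - RA set: the server recurses for this client
#   closed   - answered without RA (typically status REFUSED)
#   noanswer - no header at all (timeout, unreachable, port filtered)
resolver_verdict() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo noanswer; return 0
    fi
    case " $flags " in
        *" ra "*) echo open ;;
        *)        echo closed ;;
    esac
}

# Query an external name through the server and classify the reply. A name
# inside its own zones would be answered authoritatively (aa) whatever the
# recursion policy, so the probe name must be one the server does not host.
probe_resolver() {
    ns="$1"; name="${2:-www.example.com}"
    dig +tries=1 +time=3 @"$ns" "$name" A | resolver_verdict
}

# Constructed transcripts (abridged dig output) for the offline check.
OPEN_SAMPLE='; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7 <<>> @192.168.0.70 www.example.com A
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41077
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
www.example.com.    3600    IN  A   192.0.2.10'

REFUSED_SAMPLE='; <<>> DiG 9.9.4-RedHat-9.9.4-74.el7 <<>> @192.168.0.70 www.example.com A
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 41078
;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0'

TIMEOUT_SAMPLE=';; connection timed out; no servers could be reached'

case "${1:-}" in
    probe) probe_resolver "${2:-192.168.0.70}" "${3:-www.example.com}" ;;
esac
```

Run `sh check-resolver.sh probe 192.168.0.70` from a host outside the trusted network once the server is up: the expected result is "closed" (REFUSED, no RA); "open" from such a host means the allow-query / allow-recursion ACLs are missing or too broad. Run from a host inside the trusted network, "open" is the correct answer.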
7. Create the forward and reverse zone files for the example.local domain
A) Create the forward zone file. The SOA record's first field (MNAME) should name the primary name server, ns1.example.local., rather than the zone name itself, and the second field is the contact address hostmaster.example.local.:
The code is as follows:
[root@centos7 ~]# vi /var/named/chroot/var/named/example.local.zone
Add the following and save:
The code is as follows:
; Addresses and other host information.
$TTL 86400
@       IN SOA ns1.example.local. hostmaster.example.local. (
                2014101901 ; Serial
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum
; Define the name servers and the mail server
        IN NS  ns1.example.local.
        IN NS  ns2.example.local.
        IN A   192.168.0.70
        IN MX  10 mx.example.local.
centos7 IN A   192.168.0.70
mx      IN A   192.168.0.50
ns1     IN A   192.168.0.70
ns2     IN A   192.168.0.80
B) Create the reverse zone file. Each PTR record must mirror an A record in the forward zone: 192.168.0.50 is mx, 192.168.0.70 is ns1 (and centos7), 192.168.0.80 is ns2. The original listed 70 as mx, which contradicts the forward zone, where mx is 192.168.0.50:
The code is as follows:
[root@centos7 ~]# vi /var/named/chroot/var/named/192.168.0.zone
; Addresses and other host information.
$TTL 86400
@       IN SOA ns1.example.local. hostmaster.example.local. (
                2014101901 ; Serial
                43200      ; Refresh
                3600       ; Retry
                3600000    ; Expire
                2592000 )  ; Minimum
0.168.192.in-addr.arpa.     IN NS  ns1.example.local.
50.0.168.192.in-addr.arpa.  IN PTR mx.example.local.
70.0.168.192.in-addr.arpa.  IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa.  IN PTR ns2.example.local.
8. Switch to the bind-chroot service and enable it at boot
The code is as follows:
[root@centos7 ~]# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
[root@centos7 ~]# systemctl stop named
[root@centos7 ~]# systemctl disable named
[root@centos7 ~]# systemctl start named-chroot
[root@centos7 ~]# systemctl enable named-chroot
ln -s '/usr/lib/systemd/system/named-chroot.service' '/etc/systemd/system/multi-user.target.wants/named-chroot.service'
The last line is the output of systemctl enable. Before starting named (as named -u named -t /var/named/chroot), the named-chroot unit runs named-checkconf -t /var/named/chroot -z on the configuration, so a syntax error in named.conf or in a zone file stops the service from starting; journalctl -u named-chroot shows the reason. Once it is running, confirm with dig against 127.0.0.1 that ns1.example.local resolves to 192.168.0.70 and that the reverse lookup of 192.168.0.70 returns ns1.example.local.
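The following script is an added example, not part of the original article: it performs steps 2 to 7 above in one go (chroot tree, run-time files, named.conf, zone files, syntax check), with two changes a security review would require: the writable directories are owned by the named user with mode 770 instead of chmod 777, and queries and recursion are limited to an acl instead of allow-query { any; }. It assumes the bind and bind-chroot packages are installed when run as root (so the named user and /var/named/named.ca exist); the environment variables CHROOT, LAN and SERIAL, the trusted network 192.168.0.0/24 and the function names are assumptions of this example. Step 1 (yum install) and step 8 (the systemctl commands) stay as shown above.

```shell
#!/bin/sh
# Added example, not from the original article: steps 2 to 7 as one script,
# with two changes a security review would require: named-owned 0770
# directories instead of chmod 777, and an ACL on queries and recursion
# instead of allow-query { any; }. Assumes bind/bind-chroot are installed
# when run as root (named user and /var/named/named.ca exist). CHROOT, LAN
# and SERIAL can be overridden; run unprivileged with CHROOT set elsewhere
# to inspect the result before building under /var/named/chroot.
set -eu

CHROOT="${CHROOT:-/var/named/chroot}"
LAN="${LAN:-192.168.0.0/24}"            # clients allowed to query and recurse
SERIAL="${SERIAL:-$(date +%Y%m%d01)}"   # YYYYMMDDnn zone serial

# Directories and the (initially empty) files named writes at run time.
make_tree() {
    root="$1"
    mkdir -p "$root/etc" "$root/var/named/data" "$root/var/named/dynamic" "$root/run/named"
    for f in data/cache_dump.db data/named_stats.txt data/named_mem_stats.txt \
             data/named.run dynamic/managed-keys.bind; do : > "$root/var/named/$f"; done
}
# named (started with -u named) needs write access only to data/, dynamic/
# and the pid directory; zone files stay root-owned 0644, not world-writable.
set_perms() {
    chown -R named:named "$1/var/named/data" "$1/var/named/dynamic" "$1/run/named"
    chmod 770 "$1/var/named/data" "$1/var/named/dynamic"
}
# named.conf as seen from inside the jail (paths are relative to its "/").
# Clients outside "trusted" get REFUSED, so the server cannot be abused as
# a DNS amplifier; the article's allow-query { any; } is only safe on an
# isolated LAN. The obsolete ISC DLV lookaside options are left out.
write_named_conf() {
    root="$1"; lan="$2"
    cat > "$root/etc/named.conf" <<EOF
acl "trusted" { localhost; $lan; };
options {
    listen-on port 53 { any; };
    listen-on-v6 port 53 { ::1; };
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { trusted; };
    allow-recursion { trusted; };
    recursion yes;
    dnssec-validation yes;
    managed-keys-directory "/var/named/dynamic";
    pid-file "/run/named/named.pid";
    session-keyfile "/run/named/session.key";
};
logging { channel default_debug { file "data/named.run"; severity dynamic; }; };
zone "." IN { type hint; file "named.ca"; };
zone "example.local" IN { type master; file "example.local.zone"; };
zone "0.168.192.in-addr.arpa" IN { type master; file "192.168.0.zone"; };
EOF
}
# Forward and reverse zones; every PTR mirrors an A record in the forward zone.
write_zones() {
    root="$1"; serial="$2"
    cat > "$root/var/named/example.local.zone" <<EOF
\$TTL 86400
@       IN SOA ns1.example.local. hostmaster.example.local. (
                $serial 43200 3600 3600000 2592000 )
        IN NS  ns1.example.local.
        IN NS  ns2.example.local.
        IN A   192.168.0.70
        IN MX  10 mx.example.local.
centos7 IN A   192.168.0.70
mx      IN A   192.168.0.50
ns1     IN A   192.168.0.70
ns2     IN A   192.168.0.80
EOF
    cat > "$root/var/named/192.168.0.zone" <<EOF
\$TTL 86400
@       IN SOA ns1.example.local. hostmaster.example.local. (
                $serial 43200 3600 3600000 2592000 )
        IN NS  ns1.example.local.
50      IN PTR mx.example.local.
70      IN PTR ns1.example.local.
80      IN PTR ns2.example.local.
EOF
}
# Syntax-check config and zones relative to the jail (same tools the
# named-chroot unit runs before start); skipped if bind is not installed.
check_config() {
    command -v named-checkconf >/dev/null 2>&1 || { echo "named-checkconf missing, skipping"; return 0; }
    named-checkconf -t "$1" /etc/named.conf
    named-checkzone example.local "$1/var/named/example.local.zone"
    named-checkzone 0.168.192.in-addr.arpa "$1/var/named/192.168.0.zone"
}
build_chroot() {
    root="$1"
    make_tree "$root"
    write_named_conf "$root" "$LAN"
    write_zones "$root" "$SERIAL"
    [ -f /var/named/named.ca ] && cp -p /var/named/named.ca "$root/var/named/"
    [ "$(id -u)" -eq 0 ] && getent passwd named >/dev/null 2>&1 && set_perms "$root"
    check_config "$root"
}

case "${1:-}" in
    build) build_chroot "$CHROOT" ;;
esac
```

Usage: `CHROOT=/tmp/bind-review sh build-bind-chroot.sh build` as an ordinary user writes the whole layout under /tmp/bind-review for inspection; `sh build-bind-chroot.sh build` as root populates /var/named/chroot, after which the systemctl commands of step 8 start the service. The serial defaults to today's date in YYYYMMDDnn form so that every rebuild produces a higher serial than the 2014101901 used above.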
This concludes the walkthrough of setting up a chroot BIND DNS server on CentOS. Theory and practice together are the best way to learn, so try it out; more related articles will follow on this site.
© 2024 shulou.com SLNews company. All rights reserved.