Install Bind 9 DNS Server (CHROOT) – Debian Etch and Ubuntu
Posted in HowTo on January 16th, 2009 by Doug
BIND (Berkeley Internet Name Domain) is the most common of all DNS servers and is generally standard on most Linux and UNIX distributions.
For a more detailed look at BIND and its technical history, take a look at the Wikipedia article on BIND.
chroot (commonly referred to as a jail) changes the root directory an application sees to another location, for security reasons. It is often used for services that run as root, or that have a history of security problems, because it limits what the rest of the operating system is exposed to if the application is compromised. Note that a chroot is not a complete sandbox: a process that keeps root privileges inside the jail can generally break out of it, which is why this HowTo also switches named to the unprivileged bind user.
In this HowTo we will install BIND9 and chroot it so that it lives in a restricted portion of the Linux file system. For the purposes of this HowTo we will be using a running installation of Debian Etch.
Assumptions
1. Bind will be configured as an authoritative DNS master for specific domain names
2. You have at least a basic knowledge of Linux editors such as vi
3. sudo is used throughout. If you do not use sudo, simply drop sudo from the commands, but you will then need to be logged in as root
Install Bind 9
sudo apt-get install bind9
CHROOT Bind 9
sudo /etc/init.d/bind9 stop
Edit /etc/default/bind9 and configure Bind to run as the unprivileged bind user (-u bind) and chrooted to /var/lib/named (-t /var/lib/named), as follows:
OPTIONS="-u bind -t /var/lib/named"
# Set RESOLVCONF=no to not run resolvconf
RESOLVCONF=yes
Create the necessary directories under /var/lib/named
sudo mkdir -p /var/lib/named/etc
sudo mkdir /var/lib/named/dev
sudo mkdir -p /var/lib/named/var/cache/bind
sudo mkdir -p /var/lib/named/var/run/bind/run
Move the default bind config directory from /etc/bind to /var/lib/named/etc
sudo mv /etc/bind /var/lib/named/etc
Create a symbolic link from the old location to the new one, so that tools run outside the jail (and the init script) still find the configuration. Inside the chroot, /var/lib/named/etc/bind is seen as /etc/bind, which is why named.conf can keep referring to its usual /etc/bind paths
sudo ln -s /var/lib/named/etc/bind /etc/bind
Create the null and random device nodes inside the jail and set the correct permissions and ownership
sudo mknod /var/lib/named/dev/null c 1 3
sudo mknod /var/lib/named/dev/random c 1 8
sudo chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
sudo chown -R bind:bind /var/lib/named/var/*
sudo chown -R bind:bind /var/lib/named/etc/bind
Modify syslogd so that it also listens on a log socket inside the jail (named cannot reach the system /dev/log from inside the chroot)
sudo vi /etc/default/syslogd
Modify the line SYSLOGD="" so it reads SYSLOGD="-a /var/lib/named/dev/log"
#
# Top configuration file for syslogd
#
#
# Full documentation of possible arguments are found in the manpage
# syslogd(8).
#
#
# For remote UDP logging use SYSLOGD="-r"
#
SYSLOGD="-a /var/lib/named/dev/log"
Restart syslogd and start bind
sudo /etc/init.d/sysklogd restart
sudo /etc/init.d/bind9 start
Check for error messages by looking at /var/log/syslog
sudo cat /var/log/syslog
or
sudo tail -f /var/log/syslog
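The steps above are easy to get subtly wrong (a device node created as a plain file, a directory owned by root, syslogd not restarted), and named then fails to start or logs nothing. The following script is an added example, not part of the original HowTo: it checks the jail layout built above. The chroot directory and the owner account are arguments, so it can be pointed at any tree (it assumes the directory names used in this HowTo).

```shell
#!/bin/sh
# Added example, not part of the original HowTo: sanity-check the chroot tree
# built in the steps above. It prints one line per problem and returns the
# number of problems (0 means the jail looks complete).
# Usage: sh check_named_chroot.sh CHROOT_DIR [OWNER]
#        e.g. sh check_named_chroot.sh /var/lib/named bind

check_named_chroot() {
    root="${1:-/var/lib/named}"
    owner="${2:-bind}"
    problems=0

    # Directories the HowTo creates, or moves into place, under the jail.
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            problems=$((problems + 1))
        fi
    done

    # named needs /dev/null and /dev/random inside the jail, and they must be
    # character devices made with mknod, not ordinary files or copies.
    for dev in null random; do
        if [ ! -c "$root/dev/$dev" ]; then
            echo "missing character device: $root/dev/$dev"
            problems=$((problems + 1))
        fi
    done

    # syslogd creates this socket when started with "-a CHROOT/dev/log";
    # without it named's log messages never reach /var/log/syslog.
    if [ ! -S "$root/dev/log" ]; then
        echo "missing log socket: $root/dev/log (syslogd not restarted with -a?)"
        problems=$((problems + 1))
    fi

    # Ownership: the config and the writable var/ paths must belong to the
    # unprivileged user named drops to, or it cannot read its zones or write
    # its cache and pid file. Skipped if that account does not exist here.
    if id -u "$owner" >/dev/null 2>&1; then
        for p in etc/bind var/cache/bind var/run/bind/run; do
            if [ -d "$root/$p" ] && [ -z "$(find "$root/$p" -prune -user "$owner" -print)" ]; then
                echo "not owned by $owner: $root/$p"
                problems=$((problems + 1))
            fi
        done
    fi

    if [ "$problems" -eq 0 ]; then
        echo "chroot layout under $root looks complete"
    fi
    return "$problems"   # the exit status is truncated to 8 bits, but 0 still means OK
}

# Only run the check when invoked with arguments, so the file can also be
# sourced for the function alone.
if [ $# -ge 1 ]; then
    check_named_chroot "$@"
fi
```

Run it after the syslogd restart and before starting bind; a non-zero exit status tells you something is missing, and the printed lines say what. The ownership test deliberately uses the directory itself (find -prune) rather than walking the whole tree, so it stays fast on a large cache directory.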
Testing
Now that Bind 9 is installed you will want to test it; a recursive lookup of a public name through the new server does this:
dig @localhost www.yahoo.com
Configure Bind 9
The next step is to create a master zone directory followed by a zone template. It is extremely important to be cognizant of file permissions. If you get these wrong, Bind will not resolve for your domains. Each zone file needs to be owned by the user and group bind, so whenever you create a new zone make sure to assign the right ownership and permissions to the new zone file.
sudo mkdir -p /etc/bind/zones
sudo chown bind:bind /etc/bind/zones
sudo chmod 700 /etc/bind/zones
Create a template zone file
sudo vi /etc/bind/zones/template
;
; SOA
;
$TTL 1h
@ IN SOA dns1.example.com. hostmaster.example.com. (
2007010101 ; Serial number
1h ; Slave refresh
15m ; Slave retry
2w ; Slave expire
1h ; Negative Cache TTL
)
;
; NS RECORDS
;
@ IN NS dns1.example.com.
@ IN NS dns2.example.com.
;
; MAIL RECORDS
;
@ IN MX 10 mx01.example.com.
@ IN MX 10 mx02.example.com.
;
; MAIL HOSTS
;
mx01 IN A 1.2.3.4
mx02 IN A 1.2.3.4
mail01 IN A 1.2.3.4
mail02 IN A 1.2.3.4
;
; WWW RECORDS
;
@ IN A 1.2.3.4
www IN A 1.2.3.4
blog IN A 1.2.3.4
;
; CUSTOM RECORDS
;
server-a IN A 1.2.3.4
server-b IN A 1.2.3.4
Again, ensure you have the right permissions for the zone file.
sudo chown bind:bind /etc/bind/zones/template
sudo chmod 600 /etc/bind/zones/template
Create a New Zone
Copy the zone file template from above into the zones directory and edit it as needed.
sudo cp -p /etc/bind/zones/template /etc/bind/zones/db.example.com
At the very minimum update the serial number; then edit the rest of the file as needed.
Next, enable the zone file in /etc/bind/named.conf.local
sudo vi /etc/bind/named.conf.local
zone "example.com" {
type master;
file "/etc/bind/zones/db.example.com";
notify yes;
};
Reload Bind, then watch the logs while you test the new zone
sudo tail -f /var/log/syslog
sudo tail -f /var/log/daemon.log
dig @localhost example.com MX
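The serial step above is the one most often skipped: if the serial does not grow, slaves keep serving the old zone even though the master has changed. The following script is an added example, not part of the original HowTo, covering the "Create a New Zone" steps: next_serial computes the next serial in the YYYYMMDDnn form the template uses, bump_serial rewrites it in a zone file laid out like the template (serial on its own line after the SOA line, an assumption of this example), and add_zone_stanza appends the zone block shown above to named.conf.local exactly once. Zone names, paths and the date are arguments.

```shell
#!/bin/sh
# Added example, not part of the original HowTo: helpers for the "Create a New
# Zone" steps. next_serial works out the next YYYYMMDDnn serial, bump_serial
# rewrites the serial in a zone file laid out like the template above, and
# add_zone_stanza appends the zone {...} block to named.conf.local exactly once.

# next_serial CURRENT TODAY -> prints the next serial, or fails.
#   CURRENT: the serial currently in the zone file, ten digits YYYYMMDDnn
#   TODAY:   today's date as YYYYMMDD, e.g. "$(date +%Y%m%d)"
next_serial() {
    cur="$1"; today="$2"
    case "$cur" in
        [0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9]) ;;
        *) echo "serial '$cur' is not in YYYYMMDDnn form" >&2; return 1 ;;
    esac
    curdate=${cur%??}        # first eight digits: the date part
    curseq=${cur#????????}   # last two digits: the per-day sequence
    curseq=${curseq#0}       # drop a leading zero so the shell does not read "08" as octal
    if [ "$today" -gt "$curdate" ]; then
        printf '%s01\n' "$today"         # a later day: restart the sequence at 01
    else
        # Same day (or the clock went backwards): keep the date part and count up.
        # A serial must only ever grow, otherwise slaves ignore the new zone.
        nextseq=$((curseq + 1))
        if [ "$nextseq" -gt 99 ]; then
            echo "serial $cur: more than 99 changes on $curdate" >&2
            return 1
        fi
        printf '%s%02d\n' "$curdate" "$nextseq"
    fi
}

# bump_serial ZONEFILE TODAY -> replaces the serial in ZONEFILE, prints the new one.
# Assumes the template's layout: the serial sits on its own line right after the
# "@ IN SOA ... (" line. The file is rewritten in place rather than replaced, so
# that its bind:bind ownership and 0600 mode survive (the HowTo insists on both).
bump_serial() {
    zf="$1"; today="$2"
    cur=$(awk '$1 != ";" { for (i = 1; i <= NF; i++) if ($i == "SOA") insoa = 1 }
               insoa && $1 ~ /^[0-9]+$/ { print $1; exit }' "$zf")
    [ -n "$cur" ] || { echo "no SOA serial found in $zf" >&2; return 1; }
    new=$(next_serial "$cur" "$today") || return 1
    tmpf="$zf.tmp.$$"
    awk -v old="$cur" -v new="$new" '
        $1 != ";" { for (i = 1; i <= NF; i++) if ($i == "SOA") insoa = 1 }
        insoa && $1 == old { sub(old, new); insoa = 0 }
        { print }' "$zf" > "$tmpf" && cat "$tmpf" > "$zf" && rm -f "$tmpf"
    echo "$new"
}

# add_zone_stanza ZONE ZONEFILE CONF -> appends the stanza used in the HowTo to
# CONF, refusing to declare the same zone twice (named rejects such a config).
add_zone_stanza() {
    zone="$1"; zonefile="$2"; conf="$3"
    if grep -qF "zone \"$zone\"" "$conf" 2>/dev/null; then
        echo "zone $zone is already declared in $conf" >&2
        return 1
    fi
    printf 'zone "%s" {\n\ttype master;\n\tfile "%s";\n\tnotify yes;\n};\n' \
        "$zone" "$zonefile" >> "$conf"
}

# Stand-alone use (as root, e.g. sudo sh newzone.sh example.com): copy the
# template, set a fresh serial and declare the zone. Nothing runs without an
# argument, so the file can also be sourced just for the functions.
if [ $# -ge 1 ]; then
    zone="$1"
    zf="/etc/bind/zones/db.$zone"
    cp -p /etc/bind/zones/template "$zf" || exit 1
    chown bind:bind "$zf" && chmod 600 "$zf" || exit 1
    bump_serial "$zf" "$(date +%Y%m%d)" || exit 1
    add_zone_stanza "$zone" "$zf" /etc/bind/named.conf.local || exit 1
    echo "zone $zone added; reload bind and check the logs"
fi
```

After editing a zone by hand, named-checkzone example.com /etc/bind/zones/db.example.com and named-checkconf (both ship with BIND 9) report syntax errors before a reload, which is quicker than reading them out of /var/log/syslog afterwards.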
Feel free to contact me with any questions or revisions.
Special thanks to the following sites for contributing information:
http://doc.ubuntu.com/ubuntu/serverguide/C/dns-configuration.html
http://www.howtoforge.org/perfect_setup_debian_etch_p4
http://www.besy.co.uk/debian/how_to_setup_a_bind_9_dns_server