How to build a DNS server on CentOS 7.0
- 2020-06-03 09:08:14
- OfStack
BIND, also known as NAMED, is the most widely used DNS server program on the Internet today. This article shows how to run BIND in a chroot jail so that it cannot access any part of the file system outside the jail.
For example, in this article I change the root directory that BIND runs under to /var/named/chroot/. To BIND, that directory is / (the root). A "jail" (the term is used in this sense throughout) is a software mechanism that keeps a program from reaching resources outside a defined area and so improves security (LCTT note: a chroot "jail" changes the root directory that a process sees, confining the process to a specified directory so that it can only reach files in that directory and its subdirectories, which protects the rest of the server). The default jail for the Bind Chroot DNS server is /var/named/chroot.
You can deploy the Bind Chroot DNS server on CentOS 7.0 by following these steps.
1. Install Bind Chroot DNS server
[root@centos7 ~]# yum install bind-chroot bind -y
2. Copy the bind-related files and prepare the bind chroot environment
[root@centos7 ~]# cp -R /usr/share/doc/bind-*/sample/var/named/* /var/named/chroot/var/named/
3. Create the related files in the bind chroot directory
[root@centos7 ~]# touch /var/named/chroot/var/named/data/cache_dump.db
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named_mem_stats.txt
[root@centos7 ~]# touch /var/named/chroot/var/named/data/named.run
[root@centos7 ~]# mkdir /var/named/chroot/var/named/dynamic
[root@centos7 ~]# touch /var/named/chroot/var/named/dynamic/managed-keys.bind
4. Make the Bind lock files writable
[root@centos7 ~]# chmod -R 777 /var/named/chroot/var/named/data
[root@centos7 ~]# chmod -R 777 /var/named/chroot/var/named/dynamic
5. Copy /etc/named.conf into the bind chroot directory
[root@centos7 ~]# cp -p /etc/named.conf /var/named/chroot/etc/named.conf
6. Configure bind in /etc/named.conf.
Append the example.local zone definitions to the end of named.conf to create the forward zone (Forward Zone) and the reverse zone (Reverse Zone). If you need to serve authoritative DNS for a domain you own, configure it the same way:
[root@centos7 ~]# vi /var/named/chroot/etc/named.conf
..
..
zone "example.local" {
type master;
file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.zone";
};
..
..
The complete named.conf looks like this:
//
// named.conf
//
// Provided by Red Hat bind package to configure the ISC BIND named(8) DNS
// server as a caching only nameserver (as a localhost DNS resolver only).
//
// See /usr/share/doc/bind*/sample/ for example named configuration files.
//
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
allow-query { any; };
/*
 - If you are building an AUTHORITATIVE DNS server, do NOT enable recursion.
 - If you are building a RECURSIVE (caching) DNS server, you need to enable
   recursion.
 - If your recursive DNS server has a public IP address, you MUST enable access
   control to limit queries to your legitimate users. Failing to do so will
   cause your server to become part of large scale DNS amplification
   attacks. Implementing BCP38 within your network would greatly
   reduce such attack surface
*/
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
dnssec-lookaside auto;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
zone "example.local" {
type master;
file "example.local.zone";
};
zone "0.168.192.in-addr.arpa" IN {
type master;
file "192.168.0.zone";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
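The comment in the options block above warns about exactly what this configuration does: recursion is on, allow-query is { any; } and there is no allow-recursion, so every client that can reach port 53 may recurse. As an added example (not code from the original article), the Python lint below reads such an options block, reports when recursion is open to any client, and shows a restricted variant that limits recursion to an acl; the acl name trusted and the 192.168.0.0/24 network are assumptions.

```python
import re

# Options block constructed from the named.conf shown above (unrelated options omitted).
OPEN_RESOLVER_OPTIONS = """
options {
    listen-on port 53 { any; };
    allow-query { any; };
    recursion yes;
};
"""

# Same server with recursion limited to the LAN via an acl (the network is assumed).
RESTRICTED_OPTIONS = """
acl trusted { 127.0.0.1; 192.168.0.0/24; };
options {
    listen-on port 53 { any; };
    allow-query { any; };
    allow-recursion { trusted; };
    recursion yes;
};
"""

def option_value(conf, name):
    """Return the value text of a one-line option: 'yes' for `recursion yes;`,
    '{ any; }' for `allow-query { any; };`, or None if the option is absent."""
    pat = re.compile(r"^\s*" + re.escape(name) + r"\b\s*([^;{}]*(?:\{[^}]*\})?)\s*;", re.M)
    m = pat.search(conf)
    return m.group(1).strip() if m else None

def allows_any(value):
    """True if an address-match list contains the `any` keyword."""
    return bool(value) and re.search(r"\bany\b", value) is not None

def open_resolver_findings(conf):
    """Explain why this options block would answer recursive queries from anyone."""
    if option_value(conf, "recursion") != "yes":
        return []                        # authoritative-only: nothing to recurse for
    # When allow-recursion is unset, BIND falls back to allow-query-cache and then
    # allow-query, so `allow-query { any; }` alone permits recursion for every client.
    allowed = option_value(conf, "allow-recursion") or option_value(conf, "allow-query")
    findings = []
    if allows_any(allowed):
        findings.append("recursion is enabled and permitted for any client")
        if allows_any(option_value(conf, "listen-on")):
            findings.append("listen-on { any; } exposes that recursion on every interface")
    return findings

if __name__ == "__main__":
    for label, conf in (("as shown", OPEN_RESOLVER_OPTIONS), ("restricted", RESTRICTED_OPTIONS)):
        print(label, open_resolver_findings(conf) or ["no open-resolver findings"])
```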
7. Create the forward zone and reverse zone files for the example.local domain
a) Create the forward zone
[root@centos7 ~]# vi /var/named/chroot/var/named/example.local.zone
Add the following and save:
;
; Addresses and other host information.
;
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
2014101901 ; Serial
43200 ; Refresh
3600 ; Retry
3600000 ; Expire
2592000 ) ; Minimum
; Define the nameservers and the mail servers
@ IN NS ns1.example.local.
@ IN NS ns2.example.local.
@ IN A 192.168.0.70
@ IN MX 10 mx.example.local.
centos7 IN A 192.168.0.70
mx IN A 192.168.0.50
ns1 IN A 192.168.0.70
ns2 IN A 192.168.0.80
b) Create the reverse zone
[root@centos7 ~]# vi /var/named/chroot/var/named/192.168.0.zone
;
; Addresses and other host information.
;
$TTL 86400
@ IN SOA example.local. hostmaster.example.local. (
2014101901 ; Serial
43200 ; Refresh
3600 ; Retry
3600000 ; Expire
2592000 ) ; Minimum
0.168.192.in-addr.arpa. IN NS centos7.example.local.
70.0.168.192.in-addr.arpa. IN PTR mx.example.local.
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN NS ns2.example.local.
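named-checkzone validates each zone file on its own, so it will not notice when the forward A records and the reverse PTR records disagree. As an added example (not part of the original article), the Python check below parses the record lines of the two zone files above and reports PTRs whose target has no matching A record and A records whose address has no PTR; run on the records as written it flags the PTR for 192.168.0.70 pointing at mx.example.local (whose A record is 192.168.0.50) and the missing PTR for 192.168.0.50.

```python
import re

ORIGIN = "example.local."

# Record lines constructed from the two zone files above (SOA, NS and MX omitted).
FORWARD_ZONE = """
@ IN A 192.168.0.70
centos7 IN A 192.168.0.70
mx IN A 192.168.0.50
ns1 IN A 192.168.0.70
ns2 IN A 192.168.0.80
"""
REVERSE_ZONE = """
70.0.168.192.in-addr.arpa. IN PTR mx.example.local.
70.0.168.192.in-addr.arpa. IN PTR ns1.example.local.
80.0.168.192.in-addr.arpa. IN PTR ns2.example.local.
"""

def fqdn(name, origin=ORIGIN):
    """Qualify a relative owner name against $ORIGIN the way named does."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"

def reverse_name(ip):
    """192.168.0.70 -> 70.0.168.192.in-addr.arpa."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa."

def parse_records(zone, rtype):
    """Return (owner, rdata) pairs for every `<owner> IN <rtype> <rdata>` line."""
    pat = re.compile(r"^(\S+)\s+IN\s+" + rtype + r"\s+(\S+)", re.M)
    return [(m.group(1), m.group(2)) for m in pat.finditer(zone)]

def check_ptr_consistency(forward, reverse, origin=ORIGIN):
    """Report PTRs whose target lacks a matching A, and A records with no PTR."""
    a_records = {}                                    # fqdn -> {ip, ...}
    for owner, ip in parse_records(forward, "A"):
        a_records.setdefault(fqdn(owner, origin), set()).add(ip)
    ptrs = parse_records(reverse, "PTR")
    findings = []
    for rev_owner, target in ptrs:
        if not any(reverse_name(ip) == rev_owner for ip in a_records.get(target, ())):
            findings.append(f"{rev_owner} PTR {target}: no A record maps {target} to that address")
    ptr_owners = {owner for owner, _ in ptrs}
    for host, ips in a_records.items():
        for ip in sorted(ips):
            if reverse_name(ip) not in ptr_owners:
                findings.append(f"{host} A {ip}: no PTR record for that address")
    return findings

if __name__ == "__main__":
    for line in check_ptr_consistency(FORWARD_ZONE, REVERSE_ZONE):
        print(line)
```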
8. Start the bind-chroot service and enable it at boot
[root@centos7 ~]# systemctl enable named-chroot.service
[root@centos7 ~]# systemctl start named-chroot.service