The point of no return

Chrooted Master and Slave DNS Configuration on CentOS 6

16th July 2013 by Ali Erdinç Köroğlu

As I already explained in Chrooted PHP-FPM with Nginx on CentOS 6, chroot confines a process to a subtree of the filesystem, separating it from the rest of the Linux operating system and directory structure. Why chroot a DNS server? DNS is among the most frequently attacked network services, so chroot is used as a security precaution to limit how much access an attacker could gain by exploiting a vulnerability in BIND (the Berkeley Internet Name Domain).

Scenario

We’ll create two chrooted authoritative-only (non-recursive) name servers, ns1.koroglu.org (1.1.1.1) and ns2.koroglu.org (2.2.2.2). ns1 will be configured as the master and ns2 as the slave DNS server, taking its zone data from ns1.

Installation

Let’s begin. By the way, please don’t forget to run this installation on both servers.

[root@8bitplus-dns ~]# yum install bind-chroot bind bind-utils bind-libs

The chroot environment comes with the bind-chroot RPM, so you don’t have to figure out the directory structure yourself :)

[root@8bitplus-dns ~]# rpm -ql bind-chroot
/var/named/chroot
/var/named/chroot/dev
/var/named/chroot/dev/null
/var/named/chroot/dev/random
/var/named/chroot/dev/zero
/var/named/chroot/etc
/var/named/chroot/etc/localtime
/var/named/chroot/etc/named
/var/named/chroot/etc/named.conf
/var/named/chroot/etc/pki
/var/named/chroot/etc/pki/dnssec-keys
/var/named/chroot/usr
/var/named/chroot/usr/lib64
/var/named/chroot/usr/lib64/bind
/var/named/chroot/var
/var/named/chroot/var/log
/var/named/chroot/var/named
/var/named/chroot/var/run
/var/named/chroot/var/run/named
/var/named/chroot/var/tmp

Configuration

Copy the related config files into the chroot environment on both servers.

[root@8bitplus-dns ~]# cp /usr/share/doc/bind-9.8.2/sample/var/named/named.* /var/named/chroot/var/named/
[root@8bitplus-dns ~]# mkdir /var/named/chroot/var/named/data
[root@8bitplus-dns ~]# chown -R named:named /var/named/chroot/var/named/

Master Name Server

named.conf is the main configuration file of the BIND DNS server.

/var/named/chroot/etc/named.conf
// Koroglu.org Master DNS Configuration
 
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        version "not currently available";
        recursion no;
        zone-statistics yes;
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        dnssec-enable yes;
        notify yes;
        also-notify { 2.2.2.2; };
        allow-transfer { 2.2.2.2; };
};
 
controls { };
 
logging {
        channel master_log {
                file "/var/log/named/master.log" versions 3 size 5m;
                severity info;
                print-severity yes;
                print-time yes;
                print-category yes;
        };
        category default {
                master_log;
        };
};
 
zone "." IN {
        type hint;
        file "named.ca";
};
 
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
 
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
 
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
 
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
 
zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
 
zone "koroglu.org" {
        type master;
        file "koroglu.org";
};

And the zone file. It’s a text file that describes a portion of the domain name space using the Domain Name System. The format of a zone file is defined in RFC 1035 section 5 and RFC 1034 section 3.6. We’ll define our DNS servers and four subdomains: ns1, ns2, www and ae.

/var/named/chroot/var/named/koroglu.org
$TTL 86400
@               IN      SOA     ns1.koroglu.org. erdinc.8bitplus.com. (
                              2012030703 ; serial (YYYYMMDDnn)
                              43200      ; refresh (12 hours)
                              3600       ; retry (1 hour)
                              1209600    ; expire (2 weeks)
                              6200)      ; minimum / negative caching TTL
 
                        IN      NS      ns1.koroglu.org.
                        IN      NS      ns2.koroglu.org.
                        IN      A       2.2.2.2
 
ns1                     IN      A       1.1.1.1
ns2                     IN      A       2.2.2.2
www                     IN      A       2.2.2.2
ae                      IN      CNAME   www.koroglu.org.
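The zone above is short enough to check by eye, but the mistakes that bite in practice (a serial that stops sorting, retry larger than refresh, an in-zone NS without an address record, a CNAME sharing its owner with other data) are easy to miss in a larger file. The following script is an added example, not code from the post or from BIND; it embeds the koroglu.org zone above as a constructed input, parses it with a deliberately minimal zone-file reader (the $TTL directive, ';' comments, the parenthesised multi-line SOA and blank-owner inheritance), and reports those four classes of problem. Run it before loading a zone on the master; the slave gets whatever the master serves.

```python
"""Sanity checks for a BIND zone file: added example, not code from the post.

ZONE is the koroglu.org zone from the post, embedded as a constructed input so
the script runs offline. The parser is deliberately minimal: it handles $TTL,
';' comments, a parenthesised multi-line SOA and owner-name inheritance (a
record whose owner field is blank reuses the previous owner).
"""
import datetime

ZONE = """\
$TTL 86400
@               IN      SOA     ns1.koroglu.org. erdinc.8bitplus.com. (
                              2012030703 ; serial
                              43200      ; refresh (12 hours)
                              3600       ; retry (1 hour)
                              1209600    ; expire (2 weeks)
                              6200)      ; minimum / negative caching TTL

                        IN      NS      ns1.koroglu.org.
                        IN      NS      ns2.koroglu.org.
                        IN      A       2.2.2.2

ns1                     IN      A       1.1.1.1
ns2                     IN      A       2.2.2.2
www                     IN      A       2.2.2.2
ae                      IN      CNAME   www.koroglu.org.
"""

RRTYPES = {"SOA", "NS", "A", "AAAA", "CNAME", "MX", "TXT", "PTR", "SRV"}


def _join_records(text):
    """Drop ';' comments and fold parenthesised records into single strings.
    Each string keeps its first line's leading whitespace, which is how the
    zone format marks 'same owner as the previous record'."""
    out, buf, depth = [], None, 0
    for line in text.splitlines():
        line = line.split(";", 1)[0].rstrip()
        if buf is None:
            if not line.strip():
                continue
            buf = line
        else:
            buf += " " + line
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(buf)
            buf = None
    return out


def _qualify(name, origin):
    """Turn a zone-file name into a lower-case FQDN without the trailing dot."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name[:-1].lower()
    return f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return (default_ttl, [(owner, rrtype, [rdata fields]), ...])."""
    default_ttl, owner, records = None, origin, []
    for rec in _join_records(text):
        blank_owner = rec[0] in " \t"
        fields = rec.replace("(", " ").replace(")", " ").split()
        if fields[0] == "$TTL":
            default_ttl = int(fields[1])
            continue
        if not blank_owner:
            owner = _qualify(fields.pop(0), origin)
        while fields[0] not in RRTYPES:   # skip the optional TTL and class (IN)
            fields.pop(0)
        records.append((owner, fields.pop(0), fields))
    return default_ttl, records


def check_zone(text, origin):
    """Return a list of findings; an empty list means the zone passed."""
    findings = []
    _, records = parse_zone(text, origin)
    soa = next(rdata for _, rrtype, rdata in records if rrtype == "SOA")
    serial, refresh, retry, expire, _minimum = (int(x) for x in soa[2:7])
    # the zone uses the YYYYMMDDnn serial convention; make sure it still parses as a date
    try:
        datetime.date(serial // 1000000, serial // 10000 % 100, serial // 100 % 100)
    except ValueError:
        findings.append(f"serial: {serial} is not in YYYYMMDDnn form")
    # RFC 1912 timer relationships: retry below refresh, expire beyond both
    if retry >= refresh:
        findings.append(f"timers: retry {retry} should be below refresh {refresh}")
    if expire < refresh + retry:
        findings.append(f"timers: expire {expire} is shorter than refresh + retry")
    by_owner = {}
    for owner, rrtype, _ in records:
        by_owner.setdefault(owner, set()).add(rrtype)
    # an in-zone NS target needs an address record (glue) or resolvers cannot reach it
    for owner, rrtype, rdata in records:
        if rrtype == "NS" and owner == origin:
            ns = _qualify(rdata[0], origin)
            if ns.endswith("." + origin) and not by_owner.get(ns, set()) & {"A", "AAAA"}:
                findings.append(f"glue: NS {ns} has no A/AAAA record in the zone")
    # RFC 1034: a CNAME owner may carry no other record types
    for owner, types in by_owner.items():
        if "CNAME" in types and len(types) > 1:
            findings.append(f"cname: {owner} mixes CNAME with other records")
    return findings


if __name__ == "__main__":
    for finding in check_zone(ZONE, "koroglu.org") or ["zone OK"]:
        print(finding)
```

The parser only understands the record types listed in RRTYPES and the layout used in this post; it is a pre-commit check, not a replacement for named-checkzone, which validates the file against BIND's own parser.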

Slave Name Server

named.conf configuration for the slave DNS server:

/var/named/chroot/etc/named.conf
// Koroglu.org Slave DNS Configuration
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        version "not currently available";
        recursion no;
        dump-file "/var/named/data/cache_dump.db";
        zone-statistics yes;
        statistics-file "/var/named/data/named_stats.txt";
        memstatistics-file "/var/named/data/named_mem_stats.txt";
        allow-notify { 1.1.1.1; };
};
 
controls { };
 
logging {
        channel slave_log {
                file "/var/log/named/slave.log" versions 3 size 5m;
                severity info;
                print-severity yes;
                print-time yes;
                print-category yes;
        };
        category default {
                slave_log;
        };
};
 
zone "." IN {
        type hint;
        file "named.ca";
};
 
zone "localhost.localdomain" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
 
zone "localhost" IN {
        type master;
        file "named.localhost";
        allow-update { none; };
};
 
zone "1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.ip6.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
 
zone "1.0.0.127.in-addr.arpa" IN {
        type master;
        file "named.loopback";
        allow-update { none; };
};
 
zone "0.in-addr.arpa" IN {
        type master;
        file "named.empty";
        allow-update { none; };
};
 
zone "koroglu.org" {
        type slave;
        file "slaves/koroglu.org";
        masters { 1.1.1.1; };
};

No zone file is created manually, because the slave DNS server takes its zone data from the master. named writes the transferred zone to slaves/koroglu.org under the chroot’s /var/named, so that directory must exist and be writable by the named user.
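Both named.conf files above rely on a few options that BIND otherwise fills in with permissive defaults: recursion is on unless `recursion no` is set, the real version string is served for version.bind unless `version` overrides it, and zone transfers are allowed to any host unless `allow-transfer` restricts them. The master config restricts transfers to 2.2.2.2; the slave config sets no `allow-transfer` at all, so anyone who can reach ns2 on port 53 can pull the whole koroglu.org zone by AXFR. The script below is an added example, not code from the post or from BIND; it embeds the options and controls statements of the master and slave configs as constructed inputs (zone statements left out), parses the options block with a small brace-aware splitter, and flags those three settings when they are missing or open. It also reports whether `controls { };` has disabled rndc, which is what Advice 5 below intends.

```python
"""Hardening check for the options block of a BIND named.conf on an
authoritative-only server: added example, not code from the post.

MASTER_CONF and SLAVE_CONF are the options and controls statements from the
two named.conf files in the post (zone statements left out), embedded as
constructed inputs so the script runs offline.
"""
import re

MASTER_CONF = """\
// Koroglu.org Master DNS Configuration
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        version "not currently available";
        recursion no;
        dnssec-enable yes;
        notify yes;
        also-notify { 2.2.2.2; };
        allow-transfer { 2.2.2.2; };
};
controls { };
"""

SLAVE_CONF = """\
// Koroglu.org Slave DNS Configuration
options {
        directory "/var/named";
        pid-file "/var/run/named/named.pid";
        version "not currently available";
        recursion no;
        dump-file "/var/named/data/cache_dump.db";
        allow-notify { 1.1.1.1; };
};
controls { };
"""


def strip_comments(text):
    """Remove the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)


def block_body(text, name):
    """Return the text between the braces of the top-level `name { ... }`
    block, or None when the block is absent."""
    m = re.search(r"\b" + re.escape(name) + r"\s*\{", text)
    if not m:
        return None
    depth, i = 1, m.end()
    while depth and i < len(text):
        depth += {"{": 1, "}": -1}.get(text[i], 0)
        i += 1
    return text[m.end():i - 1]


def statements(body):
    """Split a block body into (directive, value) pairs. A ';' only ends a
    statement at brace depth 0, so `allow-transfer { 2.2.2.2; }` stays whole."""
    out, buf, depth = [], "", 0
    for ch in body:
        depth += {"{": 1, "}": -1}.get(ch, 0)
        if ch == ";" and depth == 0:
            parts = buf.split(None, 1)
            if parts:
                out.append((parts[0], parts[1].strip() if len(parts) > 1 else ""))
            buf = ""
        else:
            buf += ch
    return out


def check_authoritative(conf):
    """Return findings for settings an authoritative-only server must not leave
    to BIND's defaults; an empty list means the options block passed."""
    findings = []
    opts = dict(statements(block_body(strip_comments(conf), "options") or ""))
    if opts.get("recursion", "yes") != "no":
        findings.append("recursion: not disabled (BIND defaults to recursion yes)")
    transfer = opts.get("allow-transfer")
    if transfer is None:
        findings.append("allow-transfer: not set, so any host may AXFR every zone (BIND default)")
    elif re.search(r"\bany\b", transfer):
        findings.append("allow-transfer: allows any host")
    if "version" not in opts:
        findings.append("version: real BIND version is exposed via version.bind")
    return findings


def rndc_disabled(conf):
    """True when `controls { };` is present and empty, i.e. no rndc channel."""
    body = block_body(strip_comments(conf), "controls")
    return body is not None and body.strip() == ""


if __name__ == "__main__":
    for label, conf in (("master", MASTER_CONF), ("slave", SLAVE_CONF)):
        print(label, check_authoritative(conf) or ["options OK"], "rndc disabled:", rndc_disabled(conf))
```

For the slave the fix is one line in its options block, `allow-transfer { none; };` (or the master's address if you want to be able to pull the zone back from ns2 for comparison). The checker only reads the global options block; a zone-level `allow-transfer` would override it, so extend `block_body` to zone statements if your configs set it per zone.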

Advice

  1. At least two DNS servers should be configured.
  2. Master and slave servers should not be on the same subnet; that would create a single point of failure.
  3. Be careful about file permissions in the chroot environment.
  4. Always check the named log file in case of any problem.
  5. I didn’t apply RNDC on either server because I would like to minimize the risk.