install bind from source
This server will be the master for the domains it hosts. One of the DNS servers at the local ISP (ns1.isp.net) will be the slave.
I am going to install BIND and verify it works, and then install it in a chroot jail for added security.
We will also ensure that only ns1.isp.net will be allowed to do zone transfers. The following instructions primarily come from 6. I'm going to modify them slightly because I prefer to have the various configuration files under /etc/named. Download bind-9.2.3.tar.gz from one of the mirror sites at http://www.isc.org
Create a user and group for Bind:
- groupadd -g 25 named > /dev/null 2>&1 || :
- useradd -c "BIND DNS Server" -d /var/named -g 25 -s /bin/false -u 25 named > /dev/null 2>&1 || :
- tar xvzf bind-9.2.3.tar.gz
- cd bind-9.2.3
- vi +105 bin/named/include/named/globals.h
Change "/run/named.pid"); to "/run/named/named.pid");
Change (two lines down) "/run/lwresd.pid"); to "/run/named/lwresd.pid");
- CFLAGS="-O2 -march=i686 -funroll-loops"; export CFLAGS
- ./configure \
    --prefix=/usr \
    --sysconfdir=/etc \
    --localstatedir=/var \
    --mandir=/usr/share/man \
    --with-libtool \
    --disable-ipv6
- make install
- strip /usr/sbin/named
- mkdir -p /etc/named
20 © SANS Institute 2004, Author retains full rights. Key fingerprint = AF19 FA27 2F94 998D FDB5 DE3D F8B5 06E4 A169 4E46 © SANS Institute 2004, As part of GIAC practical repository. Author retains full rights.
- mkdir -p /var/run/named
- install -c -m0600 bin/rndc/rndc.conf /etc/
- chown named.named /etc/rndc.conf
- chown named.named /etc/named
- chown named.named /var/run/named/
Note: I removed --with-openssl as the ISP does not support SSL.
- vi /etc/named.conf
See Appendix A for the /etc/named.conf file. The entry for 192.168.0.0/16 under the known fake addresses will have to be uncommented when the server is put into service.
- chmod 600 /etc/named.conf
- chown named.named /etc/named.conf
Now it is time to create the /var/named/db.cache file, which is the root server hints file.
- dig @a.root-servers.net . ns > db.cache
- mv db.cache /etc/named/
- chmod 644 /etc/named/db.cache
- chown named.named /etc/named/db.cache
- vi /etc/named/db.localhost
Add the following:
    $TTL 86400
    @           IN SOA  localhost. root.localhost. (
                        00      ; Serial
                        10800   ; Refresh after 3 hours
                        3600    ; Retry after 1 hour
                        604800  ; Expire after 1 week
                        86400 ) ; Minimum
                IN NS   localhost.
    localhost   IN A    127.0.0.1
- chmod 644 /etc/named/db.localhost
- chown named.named /etc/named/db.localhost
Create /etc/named/0.0.127.in-addr.arpa: The Reverse Mapping File
- chmod 644 /etc/named/0.0.127.in-addr.arpa
- chown named.named /etc/named/0.0.127.in-addr.arpa
Create the BIND System Configuration File
- vi /etc/sysconfig/named
Add the following:
    # This option will run named in a chroot environment.
    # These additional options will be passed to named at startup.
    # Don't add -t here, use ROOTDIR instead.
Create the named initialization script
- vi /etc/init.d/named
See Appendix B for a complete listing of /etc/init.d/named
- chmod 700 /etc/init.d/named
- chown root.root /etc/init.d/named
- vi /etc/named/db.domain.com
Add the following:
    $TTL 4H
    @               IN SOA  domain.com. webmaster.domain.com. (
                            2004013001  ; serial YYYYMMDD##
                            1H          ; Refresh after 1 hour
                            2H          ; Retry after 2 hours
                            1209600S    ; Expire after 2 weeks
                            1S )        ; Negative caching TTL of 1 second
    ; ***** Nameserver (NS) records. ******************************
    domain.com.     IN NS   ns1.domain.com.
    ; domain.com.   IN NS   ns2.isp.com.
    ; ***** Mail Exchange (MX) Records ****************************
                    MX 10   mail
    ; ***** Address (A) Records ***********************************
    localhost       A       127.0.0.1
    server          A       192.168.0.50
    ; ***** Canonical Name (CNAME) records ************************
    ns1             CNAME   server
    mail            CNAME   server
    www             CNAME   server
- vi /etc/named/db.0.168.192
Add the following:
    $TTL 3h
    0.168.192.in-addr.arpa.     IN SOA  server.domain.com. webmaster.domain.com. (
                                2004013001  ; Serial YYYYMMDD##
                                3h          ; Refresh after 3 hours
                                1h          ; Retry after 1 hour
                                1w          ; Expire after 1 week
                                1h )        ; Negative caching TTL of 1 hour
    0.168.192.in-addr.arpa.     IN NS   server.domain.com.
    ; Addresses point to canonical name
    50.0.168.192.in-addr.arpa.  IN PTR  server.domain.com.
- chmod 644 /etc/named/*
- chown named.named /etc/named/*
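The zone files can be cross-checked before named ever loads them. The script below is an added example written for this page, not code from the paper or from BIND: it parses the forward and reverse zones above (embedded here as constructed input, with the origins domain.com. and 0.168.192.in-addr.arpa. taken from the zone files) and applies a few checks of the kind named-checkzone performs: exactly one SOA whose serial follows the YYYYMMDDnn convention the comments ask for, NS and MX targets that are not CNAMEs (RFC 2181 section 10.3 forbids an alias there), and a PTR in the reverse zone for every non-loopback A record. Run against the data above it reports that ns1 and mail are CNAMEs; giving those two names A records instead is the usual fix before the zone goes live.

```python
"""Checks over the forward and reverse zones above (added example; not code from
the paper or from BIND). The zone text is the paper's data, embedded as input."""
import re

FWD_ORIGIN, REV_ORIGIN = "domain.com.", "0.168.192.in-addr.arpa."

FORWARD_ZONE = """\
$TTL 4H
@             IN SOA  domain.com. webmaster.domain.com. (
                      2004013001 ; serial YYYYMMDD##
                      1H ; Refresh
                      2H ; Retry
                      1209600S ; Expire
                      1S ) ; Negative caching TTL
domain.com.   IN NS   ns1.domain.com.
              MX 10   mail
localhost     A       127.0.0.1
server        A       192.168.0.50
ns1           CNAME   server
mail          CNAME   server
www           CNAME   server
"""

REVERSE_ZONE = """\
$TTL 3h
0.168.192.in-addr.arpa.     IN SOA server.domain.com. webmaster.domain.com. (
                      2004013001 ; Serial
                      3h ; Refresh
                      1h ; Retry
                      1w ; Expire
                      1h ) ; Negative caching TTL
0.168.192.in-addr.arpa.     IN NS  server.domain.com.
50.0.168.192.in-addr.arpa.  IN PTR server.domain.com.
"""

SERIAL_RE = re.compile(r"(19|20)\d{2}(0[1-9]|1[0-2])(0[1-9]|[12]\d|3[01])\d{2}")  # YYYYMMDDnn


def qualify(name, origin):
    """Fully qualified, lower-case form of a zone-file name."""
    if name == "@":
        return origin
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text, origin):
    """Return (owner, type, rdata) tuples. Handles ; comments, ( ) continuation,
    $-directives, @, relative names and a blank (inherited) owner; no per-record TTL."""
    records, buf, depth, last_owner, first = [], [], 0, origin, None
    for raw in text.splitlines():
        first = raw if first is None else first          # how this record began
        code = raw.split(";", 1)[0]                      # strip comment
        depth += code.count("(") - code.count(")")
        buf.append(code.replace("(", " ").replace(")", " "))
        if depth > 0:
            continue                                     # still inside ( ... )
        tokens, blank_owner = " ".join(buf).split(), first[:1] in (" ", "\t")
        buf, first = [], None
        if not tokens or tokens[0].startswith("$"):
            continue                                     # empty line or $TTL
        if blank_owner:
            owner = last_owner                           # owner field left blank
        else:
            owner = last_owner = qualify(tokens.pop(0), origin)
        if tokens and tokens[0].upper() == "IN":
            tokens.pop(0)                                # class
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def check_zone(records, origin):
    """Structural checks of the kind named-checkzone performs."""
    findings = []
    soas = [rdata for _, rtype, rdata in records if rtype == "SOA"]
    if len(soas) != 1:
        findings.append(f"{origin}: expected one SOA, found {len(soas)}")
    elif not SERIAL_RE.fullmatch(soas[0][2]):
        findings.append(f"{origin}: SOA serial {soas[0][2]} is not YYYYMMDDnn")
    cnames = {owner for owner, rtype, _ in records if rtype == "CNAME"}
    for owner, rtype, rdata in records:
        target = qualify(rdata[-1], origin)
        if rtype in ("NS", "MX") and target in cnames:   # RFC 2181 section 10.3
            findings.append(f"{rtype} at {owner} targets {target}, which is a CNAME")
    return findings


def check_reverse(forward, reverse, rev_origin=REV_ORIGIN):
    """Every non-loopback A record needs a PTR in the reverse zone pointing back."""
    ptrs = {o: qualify(r[0], rev_origin) for o, t, r in reverse if t == "PTR"}
    findings = []
    for owner, rtype, rdata in forward:
        if rtype != "A" or rdata[0].startswith("127."):
            continue
        rev_name = ".".join(reversed(rdata[0].split("."))) + ".in-addr.arpa."
        if rev_name not in ptrs:
            findings.append(f"no PTR for {rdata[0]} ({owner})")
        elif ptrs[rev_name] != owner:
            findings.append(f"PTR for {rdata[0]} is {ptrs[rev_name]}, expected {owner}")
    return findings


def audit():
    """All checks over the paper's two zones; returns the list of findings."""
    fwd = parse_zone(FORWARD_ZONE, FWD_ORIGIN)
    rev = parse_zone(REVERSE_ZONE, REV_ORIGIN)
    return check_zone(fwd, FWD_ORIGIN) + check_zone(rev, REV_ORIGIN) + check_reverse(fwd, rev)
```

audit() returns two findings for the zones as written (the NS and the MX both target a CNAME) and nothing for the reverse zone, whose single PTR matches the A record for server. The parser is deliberately minimal; for anything beyond this layout use named-checkzone, which ships with BIND.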
Now we start Bind and verify that we can resolve names from it.
- /etc/init.d/named start
- ping server.domain.com
You should see the name resolve to the correct IP address.
Chroot Jailing BIND
Now, to improve the security of BIND, we are going to run it in a chroot-jailed environment.7 What is a chroot jail?
Application jails, also known as "change root jails" or "chroot jails," are another effective countermeasure. Supported by all Linux and Unix systems, application jails put up a nearly impenetrable barrier between the "jailed" software and the rest of the system. And because a jail is enforced by the operating system and not by an application, it can provide an enormous level of safety. A chroot jail "incarcerates" untrusted applications, and acts like a guard, almost literally, for applications that already have substantial security measures built-in.8
- /etc/init.d/named stop
- mkdir -p /chroot/named
- cd /chroot/named
- mkdir -p dev etc/named var/run/named
- mknod /chroot/named/dev/null c 1 3
- mknod /chroot/named/dev/random c 1 8
- chmod 666 /chroot/named/dev/null
- chmod 666 /chroot/named/dev/random
- cp /etc/localtime /chroot/named/etc/
- mv /etc/named.conf /chroot/named/etc/
- mv /etc/named/* /chroot/named/etc/named/
- chown -R named.named /chroot/named
Now we need to tell BIND to run in the chroot jail.
- vi /etc/sysconfig/named
Uncomment the line that reads
Restart BIND and verify that it is working.
- /etc/init.d/named restart
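After the restart it is worth confirming that the jail really looks the way the steps above built it and that the running named is confined to it. The audit below is an added example for this page, not code from the paper or from BIND. It checks a jail root for the directories and files the procedure creates, that dev/null and dev/random are character devices with the major/minor numbers given to mknod above (1,3 and 1,8), that everything is owned by the expected uid and nothing but the two device nodes is world-writable, and, if a pid is supplied, that /proc/<pid>/root (Linux) resolves to the jail. demo() builds a deliberately flawed tree in a temporary directory (constructed data) so the checks can be seen firing.

```python
"""Audit a BIND chroot jail laid out as in the steps above.

Added example for this page, not code from the paper or from BIND. Paths and
device numbers follow the procedure above; the demo tree is constructed data."""
import os
import stat
import tempfile

REQUIRED_DIRS = ("dev", "etc", "etc/named", "var/run/named")
REQUIRED_FILES = ("etc/named.conf", "etc/localtime")
REQUIRED_DEVICES = (("dev/null", 1, 3), ("dev/random", 1, 8))   # as created with mknod above


def audit_jail(root, owner_uid=None, named_pid=None):
    """Return a list of findings; an empty list means the jail matches the procedure.
    owner_uid: expected owner of everything under root (the 'named' uid after chown -R).
    named_pid: if given, confirm that process really has root as its / (Linux /proc)."""
    findings = []
    for rel in REQUIRED_DIRS:
        if not os.path.isdir(os.path.join(root, rel)):
            findings.append(f"missing directory {rel}")
    for rel in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            findings.append(f"missing file {rel}")
    for rel, major, minor in REQUIRED_DEVICES:
        try:
            st = os.lstat(os.path.join(root, rel))
        except FileNotFoundError:
            findings.append(f"missing device node {rel}")
            continue
        if not stat.S_ISCHR(st.st_mode):
            findings.append(f"{rel} is not a character device")
        elif (os.major(st.st_rdev), os.minor(st.st_rdev)) != (major, minor):
            findings.append(f"{rel} is device {os.major(st.st_rdev)},{os.minor(st.st_rdev)}, "
                            f"expected {major},{minor}")
    device_paths = {os.path.join(root, rel) for rel, _, _ in REQUIRED_DEVICES}
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            rel = os.path.relpath(path, root)
            if owner_uid is not None and st.st_uid != owner_uid:
                findings.append(f"{rel} owned by uid {st.st_uid}, expected {owner_uid}")
            # only the two device nodes were given mode 666 in the procedure
            if (st.st_mode & stat.S_IWOTH and path not in device_paths
                    and not stat.S_ISLNK(st.st_mode)):
                findings.append(f"{rel} is world-writable")
    if named_pid is not None:
        try:
            actual = os.readlink(f"/proc/{named_pid}/root")
        except OSError as exc:
            findings.append(f"cannot read /proc/{named_pid}/root: {exc}")
        else:
            if os.path.realpath(actual) != os.path.realpath(root):
                findings.append(f"pid {named_pid} runs with root {actual}, not {root}")
    return findings


def build_demo_jail(root):
    """Constructed demonstration tree, deliberately wrong in three places:
    dev/null is a plain file, dev/random is absent, named.conf is mode 0666."""
    for sub in ("dev", "etc/named", "var/run/named"):
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    for rel in ("etc/named.conf", "etc/localtime", "dev/null"):
        open(os.path.join(root, rel), "w").close()
    for dirpath, dirnames, filenames in os.walk(root):     # fixed modes, independent of umask
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), 0o750)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), 0o640)
    os.chmod(os.path.join(root, "etc/named.conf"), 0o666)


def demo():
    """Audit the constructed tree; returns the three expected findings."""
    root = tempfile.mkdtemp(prefix="jail-demo-")
    build_demo_jail(root)
    return audit_jail(root, owner_uid=os.getuid())
```

On the server itself call audit_jail("/chroot/named", owner_uid=pwd.getpwnam("named").pw_uid, named_pid=...) with the pid read from named.pid under the jail's var/run/named. The /proc comparison is the part that proves the chroot setting took effect: a named started without it passes every filesystem check and still runs with the real / as its root.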