Setup bind chroot CentOS 5


References:
http://www.wains.be/index.php/2007/12/13/centos-5-chroot-dns-with-bind/
http://adlinux.blogspot.com/2010/04/chroot-dns-with-bind-centos-5.html

 
-Install Bind
# yum -y install bind bind-chroot bind-libs bind-utils caching-nameserver

-Konfigurasi Permission (note: 777 on var/run/named makes the pid directory world-writable; ownership by the named user with a mode only it and root can write is sufficient)
# chmod 755 /var/named/
# chmod 775 /var/named/chroot/
# chmod 775 /var/named/chroot/var/
# chmod 775 /var/named/chroot/var/named/
# chmod 775 /var/named/chroot/var/run/
# chmod 777 /var/named/chroot/var/run/named/
# cd /var/named/chroot/var/named/
# ln -s ../../ chroot
# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.local /var/named/chroot/var/named/named.local
# cp /usr/share/doc/bind-9.3.6/sample/var/named/named.root /var/named/chroot/var/named/named.root
# touch /var/named/chroot/etc/named.conf

-Setting RNDC
# cd /var/named/chroot/etc
# rndc-confgen > rndc.key
# chown root:named rndc.key

-Edit File rndc.key (it holds the control secret, so it should not be world-readable):
# vi /var/named/chroot/etc/rndc.key

# Start of rndc.conf
key "rndckey" {
algorithm hmac-md5;
secret "QXkk0JXZDrgi0dJ0DrETKQ==";
};

#options {
# default-key "rndckey";
# default-server 127.0.0.1;
# default-port 953;
#};
# End of rndc.conf

# Use with the following in named.conf, adjusting the allow list as needed:
# key "rndckey" {
# algorithm hmac-md5;
# secret "xwINl5E9kGDva0PcJWCZjQ==";
# };
#
# controls {
# inet 127.0.0.1 port 953
# allow { 127.0.0.1; } keys { "rndckey"; };
# };
# End of named.conf

 
-Konfigurasi /var/named/chroot/etc/named.conf
# vi /var/named/chroot/etc/named.conf

// Red Hat BIND Configuration Tool
// Default initial "Caching Only" name server configuration
// paste the key block from rndc.key created earlier; the secret here must match that file exactly
// include "/var/named/chroot/etc/rndc.key";
key "rndckey" {
algorithm hmac-md5;
secret "QXkk0JXZDrgi0dJ0DrETKQ==";
};

// assume our server has the IP 192.168.0.250 (the address used below) and serves the 192.168.0.0/24 subnet; the second control entry lets any host in that subnet holding rndckey manage named, so narrow it to the admin hosts that need it
controls {
inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
inet 192.168.0.250 allow { 192.168.0.0/24; } keys { "rndckey"; };
};

options {
directory "/var/named";
pid-file "/var/run/named/named.pid";

recursion yes;

allow-recursion {
127.0.0.1;
192.168.0.0/24;
};

// upstream forwarders for recursive queries (optional)
forwarders {
202.134.0.155;
203.130.193.74;
8.8.8.8;
8.8.4.4;
};

listen-on {
127.0.0.1;
192.168.0.250;
};

/*
* If there is a firewall between you and nameservers you want
* to talk to, you might need to uncomment the query-source
* directive below. Previous versions of BIND always asked
* questions using port 53, but BIND 8.1 uses an unprivileged
* port by default.
*/
// query-source address * port 53;

// so people can't easily find out what version you're running
version "REFUSED";

allow-query {
127.0.0.1;
192.168.0.0/24;
};
};

server 192.168.0.250 {
keys { rndckey; };
};

zone "." IN {
type hint;
file "named.ca";
};

//forward zone
zone "example.net" IN {
type master;
file "data/example.net.zone";
allow-update { none; };
// we assume we have a slave dns server with the IP 192.168.0.251
allow-transfer { 192.168.0.251; };
};

//reverse zone
zone "0.168.192.in-addr.arpa" IN {
type master;
file "data/192.168.0.zone";
allow-update { none; };
// we assume we have a slave dns server with the IP 192.168.0.251
allow-transfer { 192.168.0.251; };
};

 
-Setting Forward Lookup Zone
# cd /var/named/chroot/var/named/data/
# touch example.net.zone
# vi example.net.zone

$ttl 38400
example.net. IN SOA ns.example.net. admin.example.net. (
2012011501 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
;
example.net. IN NS ns.example.net.
ns.example.net. IN A 192.168.0.250
pdc.example.net. IN A 192.168.0.252
cumi.example.net. IN CNAME ns.example.net.
kucing.example.net. IN A 192.168.0.251

 
-Setting Reverse Lookup Zone
# cd /var/named/chroot/var/named/data/
# touch 192.168.0.zone
# vi 192.168.0.zone

$TTL 86400
0.168.192.in-addr.arpa. IN SOA ns.example.net. admin.example.net. (
2012011502
10800
900
604800
3600 )
0.168.192.in-addr.arpa. IN NS ns.example.net.
252.0.168.192.in-addr.arpa. IN PTR pdc.example.net.
250.0.168.192.in-addr.arpa. IN PTR cumi.example.net.
251.0.168.192.in-addr.arpa. IN PTR kucing.example.net.

 
-Restart Bind Service & Setting run level
# service named restart
# chkconfig named on

-Make sure it’s running:
# rndc status

-Edit /etc/resolv.conf & Restart service
# vi /etc/resolv.conf

search example.net
nameserver 127.0.0.1
nameserver 192.168.0.250
nameserver 192.168.0.251

 
-Testing DNS Query:
# nslookup kucing.example.net
# nslookup google.com
