Since DNS is among the top five network attack targets, I have written the quick-and-dirty how-to below on implementing a secure BIND 9 installation.
This document explains how to configure BIND in a "chroot jail", which means BIND cannot see or access files outside its own directory structure. We will also configure it to run as a non-root user, bind, so that the name server process does not carry root powers.
When you run BIND in a chroot jail, the BIND process is unable to see any part of the filesystem outside the jail. In BIND's eyes, the contents of the jail directory appear as / (the root directory), and BIND has no access to anything outside this directory.
Create a user and group:
vi /etc/group
bind:x:53:
vipw
add the line: bind:x:53:53:Nameserver:/usr/local/chroot/bind:/bin/false
Create your BIND chroot location:
mkdir -p /usr/local/chroot/bind
Untar and compile to your chroot location:
gunzip -c BINDblah.tar.gz | tar -xvf -
cd into the extracted source directory
./configure --prefix=/usr/local/chroot/bind
make
make install
Set up the chroot directory structure for bind (the major/minor numbers below are Linux's; check ls -l /dev/null /dev/random on your system):
cd /usr/local/chroot/bind
mkdir -p /usr/local/chroot/bind/dev
mkdir -p /usr/local/chroot/bind/etc/namedb
mkdir -p /usr/local/chroot/bind/var/run
mknod /usr/local/chroot/bind/dev/null c 1 3
mknod /usr/local/chroot/bind/dev/random c 1 8
chmod 666 /usr/local/chroot/bind/dev/{null,random}
cp /etc/localtime /usr/local/chroot/bind/etc/
Secure Directory Permissions:
chown bind:bind /usr/local/chroot/bind/var/run/
chown root /usr/local/chroot/
chmod 700 /usr/local/chroot/
chown bind:bind /usr/local/chroot/bind/
chmod 700 /usr/local/chroot/bind/
Configuration Files:
Make sure your named.conf uses paths as named will see them inside the chroot (e.g. /etc/namedb, not /usr/local/chroot/bind/etc/namedb).
(You need named.conf, rndc.conf, db.127.0.0, db.cache and your zone files; with the named.conf below, named.conf and rndc.conf live in /usr/local/chroot/bind/etc/ and the db.* files in /usr/local/chroot/bind/etc/namedb/.)
cd /usr/local/chroot/bind/sbin/
Enter: ./dnssec-keygen -r /dev/urandom -a hmac-md5 -b 512 -n user rndc
View the .private file this creates (Krndc.+157+<id>.private) and copy the value of its Key: line into the secret of the rndc.conf below.
vi /usr/local/chroot/bind/etc/rndc.conf
Example rndc.conf file
# /usr/local/chroot/bind/etc/rndc.conf
#
options {
default-server 127.0.0.1;
default-key "rndc-key";
};
server 127.0.0.1 {
key "rndc-key";
};
key "rndc-key" {
algorithm "hmac-md5";
secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};
# Add the following to named.conf as well (it is repeated in the full named.conf below for reference).
# The secret must be byte-for-byte identical to the one in rndc.conf or rndc will be refused.
controls {
inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
};
key "rndc-key" {
algorithm "hmac-md5";
secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};
Example named.conf file
// BIND configuration file
//primary blah.com db.blah.com
//primary 0.0.127.in-addr.arpa db.127.0.0
//cache . db.cache
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
//Allow recursion only for trusted servers
recursion yes;
allow-recursion {127.0.0.1; 69.0.X.X; 69.0.X.X; 216.X.X.X; };
//place additional options here.
};
controls {
inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
};
key "rndc-key" {
algorithm "hmac-md5";
secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};
zone "philchen.com" in {
type master;
file "db.philchen.com";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "db.127.0.0";
};
zone "." in {
type hint;
file "db.cache";
};
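The rndc key above has to appear with exactly the same secret in both rndc.conf and named.conf, and a secret that is not well-formed base64 (a stray character, a missing padding "=") makes named reject the key block. The following shell script is an added example, not part of the original how-to: it pulls the secret for a named key out of each file, checks that it is valid base64 and that the two copies agree. It assumes the page's layout (/usr/local/chroot/bind/etc/) and the key name "rndc-key"; both are parameters.

```sh
#!/bin/sh
# Added example (not from the original how-to): verify that rndc.conf and
# named.conf carry the same, well-formed secret for a given key name.
# Assumed layout: the page's chroot /usr/local/chroot/bind, key "rndc-key".

# extract_secret FILE KEYNAME -> prints the secret string of key "KEYNAME" in FILE.
# Works whether `secret` and its value sit on one line or two: the file is
# flattened to a single line first, then the key block is cut out of it.
extract_secret() {
    tr '\n' ' ' < "$1" \
      | grep -o "key[[:space:]]*\"$2\"[^}]*}" \
      | grep -o 'secret[[:space:]]*"[^"]*"' \
      | head -n 1 \
      | sed 's/.*"\([^"]*\)"/\1/'
}

# valid_base64 STRING -> 0 if STRING is syntactically valid base64 (charset,
# length a multiple of 4, padding only at the end), 1 otherwise.
valid_base64() {
    s=$1
    [ -n "$s" ] || return 1
    [ $(( ${#s} % 4 )) -eq 0 ] || return 1
    printf '%s\n' "$s" | grep -Eq '^[A-Za-z0-9+/]+={0,2}$'
}

# check_rndc_key_sync RNDC_CONF NAMED_CONF KEYNAME -> 0 if both files carry the
# same valid secret for KEYNAME; 1 with a reason on stderr otherwise.
check_rndc_key_sync() {
    a=$(extract_secret "$1" "$3")
    b=$(extract_secret "$2" "$3")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "key \"$3\" missing from $1 or $2" >&2; return 1
    fi
    if ! valid_base64 "$a" || ! valid_base64 "$b"; then
        echo "secret for \"$3\" is not valid base64" >&2; return 1
    fi
    if [ "$a" != "$b" ]; then
        echo "secret for \"$3\" differs between $1 and $2" >&2; return 1
    fi
    return 0
}

# Usage against the page's layout (paths are the host-side paths):
#   check_rndc_key_sync /usr/local/chroot/bind/etc/rndc.conf \
#                       /usr/local/chroot/bind/etc/named.conf rndc-key
```

Run it after editing either file and before restarting named; a non-zero exit with "differs" means one copy of the secret was edited and the other was not.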
How to start DNS in the new chroot environment:
To start it manually and test it, enter:
/usr/local/chroot/bind/sbin/named -u bind -t /usr/local/chroot/bind -c /etc/named.conf &
(-t makes named chroot to the jail before it reads anything, so the -c path is the path inside the jail, i.e. /usr/local/chroot/bind/etc/named.conf on the host; -u bind drops to the bind user after named has opened its listening sockets.)
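The two properties this whole setup is meant to give you, a process that sees the jail as / and that no longer runs as root, can be confirmed from outside once named is up. The script below is an added example, not part of the original how-to: it reads named's pid from the pid-file that the named.conf above puts at /var/run/named.pid inside the jail, then checks /proc/<pid>/root and the Uid line of /proc/<pid>/status. It assumes Linux /proc, the page's jail path and user name (both parameters), and must be run as root because /proc/<pid>/root of a process owned by another user is not readable otherwise.

```sh
#!/bin/sh
# Added example (not part of the original how-to): confirm that a running
# named really is confined to the jail and has dropped root.
# Assumes the page's layout: jail /usr/local/chroot/bind, user bind,
# pid-file /var/run/named.pid inside the jail. Needs Linux /proc; run as root.

# process_uid PID  -> real uid the process runs as (second field of the Uid: line)
process_uid() { awk '/^Uid:/ { print $2 }' "/proc/$1/status"; }

# process_root PID -> the directory the process sees as "/"
process_root() { readlink "/proc/$1/root"; }

# verify_jailed PID JAIL USER -> 0 when PID runs as USER with its root at JAIL;
# 1 (with a reason on stderr) when either half of the sandbox is missing.
verify_jailed() {
    pid=$1 jail=$2 user=$3
    want_uid=$(id -u "$user" 2>/dev/null) \
        || { echo "no such user: $user" >&2; return 1; }
    [ -d "/proc/$pid" ] || { echo "pid $pid is not running" >&2; return 1; }
    have_uid=$(process_uid "$pid")
    [ "$have_uid" = "$want_uid" ] \
        || { echo "pid $pid runs as uid $have_uid, not $user ($want_uid)" >&2; return 1; }
    have_root=$(process_root "$pid")
    [ "$have_root" = "$jail" ] \
        || { echo "pid $pid sees / as '$have_root', not $jail" >&2; return 1; }
    return 0
}

# check_named_jail [JAIL] [USER] -> locate named via the jail's pid-file and verify it
check_named_jail() {
    jail=${1:-/usr/local/chroot/bind}
    user=${2:-bind}
    pid=$(cat "$jail/var/run/named.pid" 2>/dev/null) \
        || { echo "no pid-file under $jail/var/run; is named running?" >&2; return 1; }
    verify_jailed "$pid" "$jail" "$user" \
        && echo "named (pid $pid) is chrooted to $jail and running as $user"
}

# After starting named as shown above:
#   check_named_jail /usr/local/chroot/bind bind
```

A complementary check is /usr/local/chroot/bind/sbin/rndc status run on the host: because BIND was configured with --prefix=/usr/local/chroot/bind, rndc looks for its rndc.conf in /usr/local/chroot/bind/etc/ and talks to the control channel on 127.0.0.1, so a successful status reply shows the controls block and key are working end to end.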