Since DNS is among the top 5 network security attack targets, I have written the quick-and-dirty how-to below on implementing a secure BIND 9 installation.
This document explains how to configure BIND in a "chroot jail", which means BIND cannot see or access files outside its own directory structure. We will also configure it to run as the non-root user bind so that it does not hold root privileges.
When you run BIND in a chroot jail, the BIND process is unable to see any part of the filesystem outside the jail. From BIND's point of view, the contents of the jail directory appear to be / (the root directory), and it cannot access anything outside that directory.
Create a user and group:
vi /etc/group   (add the line)
bind:x:53:
vipw            (add the line)
bind:x:53:53:Nameserver:/chroot/named:/bin/false
Create your BIND chroot location:
mkdir /usr/local/chroot/bind
Untar and compile to your chroot location:
gunzip -c BINDblah.tar.gz | tar -xvf -
cd into the extracted directory
./configure --prefix=/usr/local/chroot/bind
make
make install
Setup the chroot directory structure for bind:
cd /usr/local/chroot/bind
mkdir -p /usr/local/chroot/bind/dev
mkdir -p /usr/local/chroot/bind/etc/namedb
mkdir -p /usr/local/chroot/bind/var/run   # needed for the pid file; harmless if make install already created it
mknod /usr/local/chroot/bind/dev/null c 1 3
mknod /usr/local/chroot/bind/dev/random c 1 8
chmod 666 /usr/local/chroot/bind/dev/{null,random}
cp /etc/localtime /usr/local/chroot/bind/etc/
Secure Directory Permissions:
chown bind:bind /usr/local/chroot/bind/var/run/
chown root /usr/local/chroot/
chmod 700 /usr/local/chroot/
chown bind:bind /usr/local/chroot/bind/
chmod 700 /usr/local/chroot/bind/
Configuration Files:
MAKE SURE YOUR NAMED.CONF has correct chroot paths.
(You need named.conf, rndc.conf, db.127.0.0 and db.cache.)
cd /usr/local/chroot/bind/sbin/
./dnssec-keygen -r /dev/urandom -a hmac-md5 -b 512 -n user rndc
View the Krndc.*.private file this creates (more Krndc.*.private) and copy the Key: value into the rndc.conf file below.
vi /usr/local/chroot/bind/etc/rndc.conf
Example rndc.conf file
# /usr/local/chroot/bind/etc/rndc.conf
#
options {
    default-server 127.0.0.1;
    default-key "rndc-key";
};
server 127.0.0.1 {
    key "rndc-key";
};
key "rndc-key" {
    algorithm "hmac-md5";
    secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};
# Add the following into named.conf (repeated below for your reference):
# controls {
#     inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
# };
# key "rndc-key" {
#     algorithm "hmac-md5";
#     secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
# };
Example named.conf file
// BIND configuration file
// primary  blah.com                 db.blah.com
// primary  0.0.127.in-addr.arpa     db.127.0.0
// cache    .                        db.cache
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    // Allow recursion only for trusted servers
    recursion yes;
    allow-recursion { 127.0.0.1; 69.0.X.X; 69.0.X.X; 216.X.X.X; };
    // place additional options here.
};
controls {
    inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
};
key "rndc-key" {
    algorithm "hmac-md5";
    secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};
zone "philchen.com" in {
    type master;
    file "db.philchen.com";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
};
zone "." in {
    type hint;
    file "db.cache";
};
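Because the same secret must be pasted into both rndc.conf and named.conf, a single dropped or mangled character leaves rndc unable to authenticate to named. The POSIX sh check below is an added example, not part of the original how-to: it pulls the secret for a named key out of both files, verifies it is a well-formed 88-character base64 value (the size a 512-bit HMAC-MD5 key from dnssec-keygen has) and confirms the two copies are identical. The key name rndc-key and the sample file contents are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the original how-to: confirm that the rndc key
# shared between rndc.conf and named.conf is identical in both files and is a
# well-formed base64 secret of the size "dnssec-keygen -b 512" produces
# (64 bytes -> 86 base64 characters plus "==" padding).

# Print the secret of key $1 from file $2. The file is flattened to one line
# first so both one-line and multi-line "key ... { ... };" layouts work.
rndc_secret() {
    tr '\n' ' ' < "$2" |
      sed -n "s/.*key[[:space:]]*\"$1\"[[:space:]]*{[^}]*secret[[:space:]]*\"\([^\"]*\)\".*/\1/p"
}

# Succeed only if $1 is exactly what a 512-bit key looks like in base64.
secret_ok() {
    printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{86}==$'
}

# Compare key $1 across rndc.conf ($2) and named.conf ($3); exit status 0 means
# both files agree and the secret is well-formed, otherwise a reason is printed.
check_rndc_key() {
    a=$(rndc_secret "$1" "$2"); b=$(rndc_secret "$1" "$3")
    [ -n "$a" ] || { echo "key \"$1\" missing from $2"; return 1; }
    [ -n "$b" ] || { echo "key \"$1\" missing from $3"; return 1; }
    secret_ok "$a" || { echo "secret in $2 is not an 88-char base64 512-bit key"; return 1; }
    secret_ok "$b" || { echo "secret in $3 is not an 88-char base64 512-bit key"; return 1; }
    [ "$a" = "$b" ] || { echo "secret for \"$1\" differs between $2 and $3"; return 1; }
    echo "key \"$1\" is consistent in $2 and $3"
}

# Constructed sample pair (same key as the how-to) in a scratch directory.
demo_dir=$(mktemp -d)
demo_key='30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ=='
cat > "$demo_dir/rndc.conf" <<EOF
options { default-server 127.0.0.1; default-key "rndc-key"; };
server 127.0.0.1 { key "rndc-key"; };
key "rndc-key" { algorithm "hmac-md5"; secret "$demo_key"; };
EOF
cat > "$demo_dir/named.conf" <<EOF
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; }; };
key "rndc-key" {
    algorithm "hmac-md5";
    secret "$demo_key";
};
EOF
check_rndc_key rndc-key "$demo_dir/rndc.conf" "$demo_dir/named.conf"
# For the real jail, point it at the chroot's own copies, e.g.
# check_rndc_key rndc-key /usr/local/chroot/bind/etc/rndc.conf /usr/local/chroot/bind/etc/named.conf
```

Run it before starting named; if the secrets differ, fix whichever file was hand-edited rather than generating a second key.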
How to start DNS in the new chroot environment:
To start it manually and test, enter:
/usr/local/chroot/bind/sbin/named -u bind -t /usr/local/chroot/bind -c /etc/named.conf &
(-u drops privileges to the bind user, -t sets the chroot directory, and -c names the configuration file relative to that chroot.)