How to secure DNS (BIND 9) on Linux using a chroot jail

Since DNS is within the top 5 network security attack targets I have written the below dirty how to on implementing a secure BIND 9 installation.

This document explains how jerseys to configure BIND in a “chroot jail” which means BIND cannot see or access files outside its own directory structure. Also we will configure it to run as a non root user bind to avoid root powers.

When you run BIND in a chroot jail, the BIND process is unable to see any part of the filesystem outside the jail. In BIND’s eyes, the cheap jerseys contents of the jail directory will appear to be / or the root directory. All things outside this directory will not have access to it.

Create a user and group:

vi /etc/group
bind:x:53:
vipw
add: bind:x:53:53:Nameserver:/chroot/named:/bin/false

Create your BIND chroot location:

mkdir /usr/local/chroot/bind

Untar and compile to your chroot location:

gunzip -c  wholesale nfl jerseys  BINDblah.tar.gz | tar -xvf -
cd into the directory
./configure --prefix=/usr/local/chroot/bind
make
make install

Setup the chroot directory structure for bind:

cd /usr/local/chroot/bind
mkdir /usr/local/chroot/bind/dev
mkdir /usr/local/chroot/bind/etc/namedb
mknod /usr/local/chroot/bind/dev/null c 1 3
mknod /usr/local/chroot/bind/dev/random c  Narratives  1 8
chmod 666 /usr/local/chroot/bind/dev/{null,random}
cp /etc/localtime /usr/local/chroot/bind/etc/

Secure Directory Permissions:

chown bind:bind /usr/local/chroot/bind/var/run/
chown root /usr/local/chroot/
chmod 700 /usr/local/chroot/
chown bind:bind /usr/local/chroot/bind/
chmod 700 /usr/local/chroot/bind/

Configuration Files:

MAKE SURE YOUR NAMED.CONF has correct chroot paths.
(need named.conf rndc.conf, db.127.0.0, db.cache)

cd /usr/local/chroot/bind/sbin/
ENTER: dnssec-keygen -r /dev/urandom -a hmac-md5 -b 512 -n user rndc
more the file created and copy the key into the below rndc.conf file.
vi /usr/local/chroot/bind/etc/rndc.conf

Example rndc.conf file

# /usr/local/chroot/bind/etc/rndc.conf
#
options {
default-server 127.0.0.1;
default-key  cheap mlb jerseys  "rndc-key";
};
server 127.0.0.1 {
key "rndc-key";
};
key "rndc-key" {
algorithm "hmac-md5";
secret
"30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeX
Q==";
};
#Add the following into the  Types  named.conf repeated below for  wholesale jerseys China  your reference

controls {
inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x} keys { "rndc-key"; };
};
key "rndc-key" {
algorithm "hmac-md5";
secret
"30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeX
Q==";
};

Example named.conf file

// BIND configuration file
//primary blah.com  wholesale jerseys  db.blah.com
//primary 0.0.127.in-addr.arpa db.127.0.0
//cache . db.cache
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
//Allow recursion only  guys  for trusted servers
recursion yes;
allow-recursion {127.0.0.1; 69.0.X.X; 69.0.X.X; 216.X.X.X; };
//place additional options here.
};
controls {
inet 127.0.0.1 allow {  jerseys  127.0.0.1; x.x.x.x } keys { "rndc-key"; };
};
key "rndc-key" {
algorithm "hmac-md5";
secret
"30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeX
QB==";
};
zone "philchen.com" in {
type master;
file "db.philchen.com";
};
zone "0.0.127.in-addr.arpa" in {
type master;
file "db.127.0.0";
};
zone "." in {
type hint;
file "db.cache";
};

How to start DNS in the new chroot environment:

To manual start and test enter:

/usr/local/chroot/bind/sbin/named -u bind -t /usr/local/chroot/bind -c /etc/named.conf &;