How to secure DNS (BIND 9) on Linux using a chroot jail

March 12, 2007

Since DNS is within the top 5 network security attack targets, I have written the quick and dirty how-to below on implementing a secure BIND 9 installation.

This document explains how to configure BIND in a “chroot jail”, which means BIND cannot see or access files outside its own directory structure. We will also configure it to run as the non-root user bind so that the daemon does not hold root privileges.

When you run BIND in a chroot jail, the BIND process is unable to see any part of the filesystem outside the jail. In BIND’s eyes, the contents of the jail directory appear to be / (the root directory); nothing outside that directory is accessible to it.

Create a user and group:

vi /etc/group and add the line:
bind:x:53:
vipw and add the line:
bind:x:53:53:Nameserver:/chroot/named:/bin/false

Create your BIND chroot location:

mkdir -p /usr/local/chroot/bind

Untar and compile to your chroot location:

gunzip -c BINDblah.tar.gz | tar -xvf -
cd into the extracted source directory
./configure --prefix=/usr/local/chroot/bind
make
make install

Setup the chroot directory structure for bind:

cd /usr/local/chroot/bind
mkdir -p /usr/local/chroot/bind/dev
mkdir -p /usr/local/chroot/bind/etc/namedb
mknod /usr/local/chroot/bind/dev/null c 1 3
mknod /usr/local/chroot/bind/dev/random c 1 8
chmod 666 /usr/local/chroot/bind/dev/{null,random}
cp /etc/localtime /usr/local/chroot/bind/etc/

Secure directory permissions:

mkdir -p /usr/local/chroot/bind/var/run
chown bind:bind /usr/local/chroot/bind/var/run/
chown root /usr/local/chroot/
chmod 700 /usr/local/chroot/
chown bind:bind /usr/local/chroot/bind/
chmod 700 /usr/local/chroot/bind/

Configuration files:

MAKE SURE your named.conf uses paths that are correct inside the chroot: named sees the jail as /, so a path such as /etc/namedb in named.conf refers to /usr/local/chroot/bind/etc/namedb on the host.
(You need named.conf, rndc.conf, db.127.0.0 and db.cache.)

cd /usr/local/chroot/bind/sbin/
./dnssec-keygen -r /dev/urandom -a hmac-md5 -b 512 -n user rndc
Use more on the .private key file this creates and copy the Key: value into the rndc.conf file below.
vi /usr/local/chroot/bind/etc/rndc.conf

Example rndc.conf file

# /usr/local/chroot/bind/etc/rndc.conf
#
options {
    default-server 127.0.0.1;
    default-key "rndc-key";
};
server 127.0.0.1 {
    key "rndc-key";
};
key "rndc-key" {
    algorithm "hmac-md5";
    secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};

Add the following to named.conf, using the same key (it is repeated in the full named.conf example below for your reference):

controls {
    inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
};
key "rndc-key" {
    algorithm "hmac-md5";
    secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};

Example named.conf file

// BIND configuration file
//primary blah.com db.blah.com
//primary 0.0.127.in-addr.arpa db.127.0.0
//cache . db.cache
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    // Allow recursion only for trusted servers
    recursion yes;
    allow-recursion { 127.0.0.1; 69.0.X.X; 69.0.X.X; 216.X.X.X; };
    // place additional options here.
};
controls {
    inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
};
key "rndc-key" {
    algorithm "hmac-md5";
    secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
};
zone "philchen.com" in {
    type master;
    file "db.philchen.com";
};
zone "0.0.127.in-addr.arpa" in {
    type master;
    file "db.127.0.0";
};
zone "." in {
    type hint;
    file "db.cache";
};

How to start DNS in the new chroot environment:

To start named manually and test it, enter (-t sets the jail, -u drops privileges to the bind user, and the -c path is interpreted inside the jail, so /etc/named.conf is /usr/local/chroot/bind/etc/named.conf on the host; named detaches into the background by itself):

/usr/local/chroot/bind/sbin/named -u bind -t /usr/local/chroot/bind -c /etc/named.conf
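As an added check that is not part of the original post: the script below walks a named.conf the way a chrooted named would, resolving directory, pid-file, statistics-file and zone file paths underneath the jail (relative zone files under the directory option) and reporting any that do not exist on the host. The sample named.conf and the throwaway jail are constructed for the demonstration; in practice pass /usr/local/chroot/bind and the text of /usr/local/chroot/bind/etc/named.conf to check_named_conf.

```python
"""Check that every path in a chrooted named.conf exists inside the jail.
With "named -t JAIL" named sees JAIL as "/", so absolute paths in named.conf
resolve underneath JAIL and a relative zone "file" resolves under "directory".
"""
import os
import re
import tempfile

# Constructed named.conf fragment (not the post's file). The zone file
# db.example.test is deliberately never created inside the demo jail.
SAMPLE_NAMED_CONF = """
options {
    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
};
zone "example.test" in { type master; file "db.example.test"; };
zone "0.0.127.in-addr.arpa" in { type master; file "db.127.0.0"; };
zone "." in { type hint; file "db.cache"; };
"""
STMT_RE = re.compile(r'\b(directory|pid-file|statistics-file|file)\s+"([^"]+)"')

def jail_path(jail, path, directory="/"):
    """Map a path as named sees it inside the jail to the host path."""
    inside = os.path.normpath(os.path.join("/", directory, path))  # ".." cannot escape "/"
    return os.path.join(jail, inside.lstrip("/"))

def check_named_conf(jail, conf_text):
    """Return {configured path: host path} for each path named could not open."""
    directory, missing = "/", {}
    for key, value in STMT_RE.findall(conf_text):
        if key == "directory":
            directory = value
        host = jail_path(jail, value, directory)
        if key in ("pid-file", "statistics-file"):
            host = os.path.dirname(host)  # named creates the file; its parent must exist
        if not os.path.exists(host):
            missing[value] = host
    return missing

def demo():
    """Build a throwaway jail with two of the three zone files, then check it."""
    with tempfile.TemporaryDirectory() as jail:
        os.makedirs(os.path.join(jail, "etc/namedb"))
        os.makedirs(os.path.join(jail, "var/run"))
        for name in ("db.127.0.0", "db.cache"):
            open(os.path.join(jail, "etc/namedb", name), "w").close()
        return check_named_conf(jail, SAMPLE_NAMED_CONF)

if __name__ == "__main__":
    for path, host in demo().items():
        print(f"MISSING: {path} -> {host}")
```

Running it prints one MISSING line for db.example.test, which is exactly the kind of error named would otherwise only reveal at startup from inside the jail.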
