Since DNS is within the top 5 network security attack targets, I have written the dirty how-to below on implementing a secure BIND 9 installation.
This document explains how to configure BIND in a "chroot jail", which means BIND cannot see or access files outside its own directory structure. We will also configure it to run as the non-root user bind, so the process has no root powers to abuse.

When you run BIND in a chroot jail, the BIND process is unable to see any part of the filesystem outside the jail. In BIND's eyes, the contents of the jail directory appear to be / (the root directory), and BIND has no access to anything outside that directory.
Create a user and group:

    vi /etc/group      # add the line:  bind:x:53:
    vipw               # add the line:  bind:x:53:53:Nameserver:/chroot/named:/bin/false
Create your BIND chroot location:

    mkdir -p /usr/local/chroot/bind
Untar and compile to your chroot location:

    gunzip -c BINDblah.tar.gz | tar -xvf -
    cd <the directory the tarball extracted into>
    ./configure --prefix=/usr/local/chroot/bind
    make
    make install
Set up the chroot directory structure for bind:

    cd /usr/local/chroot/bind
    mkdir /usr/local/chroot/bind/dev
    mkdir /usr/local/chroot/bind/etc/namedb
    mknod /usr/local/chroot/bind/dev/null c 1 3
    mknod /usr/local/chroot/bind/dev/random c 1 8
    chmod 666 /usr/local/chroot/bind/dev/{null,random}
    cp /etc/localtime /usr/local/chroot/bind/etc/
Secure Directory Permissions:

    chown bind:bind /usr/local/chroot/bind/var/run/
    chown root /usr/local/chroot/
    chmod 700 /usr/local/chroot/
    chown bind:bind /usr/local/chroot/bind/
    chmod 700 /usr/local/chroot/bind/
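The user, directory and permission steps above are easy to get subtly wrong (a missing directory, a jail left group-readable). The script below is an added example, not part of the original how-to: it builds the same skeleton under a jail path you choose and then audits it. The jail path (default /usr/local/chroot/bind) and the service user name (default bind) are assumed inputs; the device-node step is a separate function because mknod needs root, so the build and audit can be rehearsed as an unprivileged user in a scratch directory.

```shell
#!/bin/sh
# Added example (not from the original post): build and audit the BIND jail layout.

# Create the directory skeleton from the how-to under $1 and lock it down.
build_chroot_layout() {
    base=${1:-/usr/local/chroot/bind}   # assumed jail path
    user=${2:-bind}                     # assumed unprivileged service user/group
    mkdir -p "$base/dev" "$base/etc/namedb" "$base/var/run"
    if [ -f /etc/localtime ]; then
        cp /etc/localtime "$base/etc/"  # named needs the zone info inside the jail
    fi
    # Jail and pid directory belong to the service user (only possible as root).
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown "$user:$user" "$base" "$base/var/run"
    fi
    # Nothing outside the service user may traverse the jail.
    chmod 700 "$base" "$base/var/run"
}

# Create the device nodes named needs (major/minor as in the how-to). Root only.
install_jail_devices() {
    base=${1:-/usr/local/chroot/bind}
    [ -e "$base/dev/null" ]   || mknod "$base/dev/null" c 1 3
    [ -e "$base/dev/random" ] || mknod "$base/dev/random" c 1 8
    chmod 666 "$base/dev/null" "$base/dev/random"
}

# Group/other permission characters of a path, as shown by ls -ld (chars 5-10).
group_other_bits() {
    ls -ld "$1" | cut -c5-10
}

# Return 0 only if every required directory exists and the jail grants no
# access to group or others; with "--with-devices" also require the device nodes.
audit_chroot_layout() {
    base=${1:-/usr/local/chroot/bind}
    for d in dev etc/namedb var/run; do
        [ -d "$base/$d" ] || { echo "missing directory $base/$d"; return 1; }
    done
    if [ "${2:-}" = "--with-devices" ]; then
        if ! [ -c "$base/dev/null" ] || ! [ -c "$base/dev/random" ]; then
            echo "device nodes missing in $base/dev"; return 1
        fi
    fi
    bits=$(group_other_bits "$base")
    [ "$bits" = "------" ] || { echo "$base is reachable by group/others (mode ...$bits)"; return 1; }
    return 0
}

# Usage on the host (as root):
#   build_chroot_layout /usr/local/chroot/bind bind
#   install_jail_devices /usr/local/chroot/bind
#   audit_chroot_layout /usr/local/chroot/bind --with-devices
```

Run the audit again after any later change to the jail; the one check that matters most is the mode of the jail directory itself, which is why a 755 jail fails the audit even when every file inside it is in place.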
Configuration Files:

MAKE SURE YOUR NAMED.CONF has correct chroot paths. Paths in named.conf are relative to the jail, so "/etc/namedb" in the file means /usr/local/chroot/bind/etc/namedb on the host.

(You need named.conf, rndc.conf, db.127.0.0 and db.cache.)

Generate the rndc key:

    cd /usr/local/chroot/bind/sbin/
    ./dnssec-keygen -r /dev/urandom -a hmac-md5 -b 512 -n user rndc

Use more on the Krndc.+157+*.private file this creates and copy the Key: value into the rndc.conf file below:

    vi /usr/local/chroot/bind/etc/rndc.conf
Example rndc.conf file:

    # /usr/local/chroot/bind/etc/rndc.conf
    #
    options {
        default-server 127.0.0.1;
        default-key "rndc-key";
    };

    server 127.0.0.1 {
        key "rndc-key";
    };

    key "rndc-key" {
        algorithm "hmac-md5";
        secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
    };

Add the following into named.conf (repeated below for your reference):

    controls {
        inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
    };

    key "rndc-key" {
        algorithm "hmac-md5";
        secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
    };
Example named.conf file:

    // BIND configuration file
    //primary blah.com              db.blah.com
    //primary 0.0.127.in-addr.arpa  db.127.0.0
    //cache   .                     db.cache

    options {
        directory "/etc/namedb";            // relative to the jail: /usr/local/chroot/bind/etc/namedb on the host
        pid-file "/var/run/named.pid";
        statistics-file "/var/run/named.stats";
        // Allow recursion only for trusted servers
        recursion yes;
        allow-recursion { 127.0.0.1; 69.0.X.X; 69.0.X.X; 216.X.X.X; };
        // place additional options here.
    };

    controls {
        inet 127.0.0.1 allow { 127.0.0.1; x.x.x.x; } keys { "rndc-key"; };
    };

    key "rndc-key" {
        algorithm "hmac-md5";
        // must be exactly the same secret as in rndc.conf, or rndc cannot authenticate
        secret "30IMH+lvixjJWlGaekcDkV8clt64Nwy/lAG7WLzNHnTmvPjZc8yZSWHpHmUF5/RniK6famQsijCRSWik4bkeXQ==";
    };

    zone "philchen.com" in {
        type master;
        file "db.philchen.com";
    };

    zone "0.0.127.in-addr.arpa" in {
        type master;
        file "db.127.0.0";
    };

    zone "." in {
        type hint;
        file "db.cache";
    };
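The secret has to be copied by hand into two files, and a single mistyped or dropped character breaks rndc authentication while named itself still starts. The check below is an added example, not part of the original post: it pulls the first secret "..." value out of each file, confirms the two match, and confirms the base64 text decodes to the 64 bytes a 512-bit HMAC-MD5 key should have. File paths are passed as arguments; the sample key in the usage comment is constructed, not a real key.

```shell
#!/bin/sh
# Added example (not from the original post): check rndc.conf / named.conf key consistency.

# Print the first secret "..." value found in a BIND configuration file.
extract_secret() {
    sed -n 's/.*secret[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# Number of bytes the base64 secret decodes to; 0 if the text is not valid base64.
secret_bytes() {
    if ! printf '%s' "$1" | base64 --decode >/dev/null 2>&1; then
        echo 0
        return
    fi
    printf '%s' "$1" | base64 --decode | wc -c | tr -d ' '
}

# Return 0 only if both files carry the same secret and it is a 512-bit (64-byte) key.
check_rndc_keys() {
    rndc_conf=$1
    named_conf=$2
    a=$(extract_secret "$rndc_conf")
    b=$(extract_secret "$named_conf")
    if [ -z "$a" ] || [ -z "$b" ]; then
        echo "no secret found in $rndc_conf or $named_conf"; return 1
    fi
    [ "$a" = "$b" ] || { echo "secrets differ between $rndc_conf and $named_conf"; return 1; }
    bytes=$(secret_bytes "$a")
    [ "$bytes" -eq 64 ] || { echo "secret decodes to $bytes bytes, expected 64 for a 512-bit key"; return 1; }
    return 0
}

# Usage on the host with the paths from the how-to:
#   check_rndc_keys /usr/local/chroot/bind/etc/rndc.conf /usr/local/chroot/bind/etc/named.conf
```

The length check catches the most common copy error (a character added or lost at the end of the line) even when the same mistake was pasted into both files, which the equality check alone would not notice.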
How to start DNS in the new chroot environment:

To start it manually for testing, enter:

    /usr/local/chroot/bind/sbin/named -u bind -t /usr/local/chroot/bind -c /etc/named.conf &

Here -u bind drops privileges to the bind user, -t sets the chroot directory, and -c names the configuration file relative to the jail (so /etc/named.conf is /usr/local/chroot/bind/etc/named.conf on the host).
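Starting named with -u and -t only helps if both actually took effect, so it is worth checking the running process rather than trusting the command line. The script below is an added example, not part of the original post: it reads the uid of a process and the root directory the kernel reports for it, and passes only if the process is not root and its root is the jail. It assumes a Linux /proc (the root-directory check must be run as root to read /proc/PID/root) and that the pid is taken from the pid-file configured in named.conf above.

```shell
#!/bin/sh
# Added example (not from the original post): verify that named dropped root and is chrooted.

# Numeric uid a process runs as; empty if the pid does not exist.
process_uid() {
    if [ -r "/proc/$1/status" ]; then
        awk '/^Uid:/ { print $2 }' "/proc/$1/status"
    else
        ps -o uid= -p "$1" 2>/dev/null | tr -d ' '
    fi
}

# Root directory the process sees, or "unknown" when /proc is unavailable or unreadable.
process_root() {
    readlink "/proc/$1/root" 2>/dev/null || echo unknown
}

# Return 0 only if the process is non-root and its root is the expected jail path.
check_named_confined() {
    pid=$1
    jail=${2:-/usr/local/chroot/bind}   # assumed jail path from the how-to
    uid=$(process_uid "$pid")
    [ -n "$uid" ] || { echo "pid $pid not found"; return 1; }
    [ "$uid" -ne 0 ] || { echo "pid $pid still runs as root (uid 0)"; return 1; }
    root=$(process_root "$pid")
    [ "$root" = "$jail" ] || { echo "pid $pid sees root $root, expected $jail"; return 1; }
    return 0
}

# Usage on the host, as root, with the pid-file path from named.conf (hypothetical session):
#   check_named_confined "$(cat /usr/local/chroot/bind/var/run/named.pid)" /usr/local/chroot/bind
```

A process that was started without -t reports "/" as its root, and one started without -u reports uid 0; either result means the jail is not doing its job and named should be stopped and restarted with the full command line.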