
Set Up and Configure A Secure DNS Server In CentOS - Redhat and Fedora

Most newbies install BIND without any hardening. On RedHat - Fedora and CentOS the default BIND install already runs the named process as the unprivileged named user. The most secure method of installing BIND is to use the chroot feature: named still runs as the named user, but the set of files it can see is restricted. With this method named is tricked into thinking that the directory /var/named/chroot is the root directory, so the files usually placed in /etc actually reside in /var/named/chroot/etc, and the files you usually find in /var/named actually reside in /var/named/chroot/var/named. Can a hacker compromise your system using a BIND exploit now? Not likely, because his access will be limited to the chroot directory.

In order to set up and configure a secure DNS server on your Redhat - Fedora and CentOS system you must complete the following steps:

  • We will need to install BIND, BIND-CHROOT, and BIND-UTILS from a terminal window using YUM. From a new terminal window do the following:
  • yum install bind bind-chroot bind-utils
  • Next, we copy named.conf, named.rfc1912.zones and named.root.hints to the /var/named/chroot/etc directory. Be sure to change the bind version number (9.3.6 below) to match the version you installed. To do this type the following in a terminal:
  • cd /usr/share/doc/bind-9.3.6/sample/etc
  • cp named.conf /var/named/chroot/etc
  • cp named.rfc1912.zones /var/named/chroot/etc
  • cp named.root.hints /var/named/chroot/etc
  • Next, we need to copy the default zone files that reside in /usr/share/doc/bind-9.3.6/sample/var/named into the /var/named/chroot/var/named directory. To do this enter the following in a terminal:
  • cd /usr/share/doc/bind-9.3.6/sample/var/named
  • cp /var/named/chroot/var/named
  • cp /var/named/chroot/var/named
  • cp /var/named/chroot/var/named
  • cp /var/named/chroot/var/named
  • cp named.broadcast /var/named/chroot/var/named
  • cp named.local /var/named/chroot/var/named
  • cp named.root /var/named/chroot/var/named
  • cp /var/named/chroot/var/named
  • Of course you could copy all the files at once with the following command; note that it copies into the current directory ("."), so run it from inside /var/named/chroot/var/named rather than from the sample directory. cp /usr/share/doc/bind-9.3.6/sample/var/named/{*.db,*zone,*.zero,*.root,*.local,*.broadcast} . -v

Now it is time to create the default named.conf file. In a terminal type the following:

  • cd /var/named/chroot/etc
  • cp /var/named/chroot/etc/named.conf named.conf.local
  • nano named.conf.local

With the named.conf.local file open, enter or append the information highlighted in red in the diagram below.

(Diagram: named.conf.local file for editing)

Next, we configure the firewall to protect the DNS Server.

  • nano /etc/sysconfig/iptables
  • With the file /etc/sysconfig/iptables open, insert the following lines before the final LOG and DROP lines.
  • -A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
  • -A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT
  • Next, we need to restart iptables. We can do this as follows from a terminal:
  • service iptables restart
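The placement of the two ACCEPT lines matters: anything after the chain's LOG and REJECT/DROP lines is never reached. The following shell script is an added example, not part of the original article, that performs the insertion with awk so the ordering is guaranteed. The ruleset printed by sample_ruleset is a constructed CentOS-style file with no DNS rules; on a real host the input would be /etc/sysconfig/iptables.

```shell
#!/bin/sh
# Added example, not from the original article: insert the two DNS ACCEPT
# rules into an RH-Firewall-1-INPUT ruleset in front of its closing
# LOG/REJECT/DROP lines instead of editing by hand. The ruleset below is
# constructed; on a real host the file is /etc/sysconfig/iptables.

# Print a constructed CentOS-style /etc/sysconfig/iptables with no DNS rules.
sample_ruleset() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A FORWARD -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j LOG --log-prefix "iptables denied: " --log-level 7
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
}

# Read a ruleset file and write the amended ruleset to stdout. The two rules
# go immediately before the first RH-Firewall-1-INPUT rule whose target is
# LOG, REJECT or DROP, so they are evaluated before the chain's catch-all.
# If port-53 ACCEPT rules are already present the file is printed unchanged.
insert_dns_rules() {
    file=$1
    if grep -q -- '--dport 53 -j ACCEPT' "$file"; then
        cat "$file"
        return 0
    fi
    awk '
        /^-A RH-Firewall-1-INPUT .*-j (LOG|REJECT|DROP)/ && !done {
            print "-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT"
            print "-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT"
            done = 1
        }
        { print }
    ' "$file"
}

# Run the insertion on the constructed sample and print the result.
demo() {
    tmp=$(mktemp)
    sample_ruleset > "$tmp"
    insert_dns_rules "$tmp"
    rm -f "$tmp"
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see the amended sample. On a real host, pass /etc/sysconfig/iptables and redirect the output to a new file, inspect it, then replace the original and run service iptables restart. If the server is only meant to answer queries from your own networks, adding -s with those networks to both rules keeps port 53 closed to everyone else.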

Next, we add our domain to the named.conf.local file. We can do this from a terminal as follows:

  • nano /var/named/chroot/etc/named.conf.local and enter the following info (the file path is interpreted inside the chroot, and the key named in allow-transfer must be defined by a key statement elsewhere in the file):
  • zone "" {
    type master;
    file "/var/named/";
    allow-transfer { key TRANSFER; };
    };
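Two things in the chrooted setup are easy to get wrong: a file path in named.conf refers to a location under /var/named/chroot, not under the real /, and allow-transfer { key TRANSFER; } refers to a TSIG key that named will only accept if a matching key statement exists. The following shell script is an added example, not from the original article, that checks both: it resolves every file "..." directive against a chroot root and lists key names used in allow-transfer that are never defined. The chroot directory, the sample named.conf it builds under mktemp, and the assumption that relative file names live under options { directory "/var/named"; } are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the original article: sanity-check a chrooted BIND
# layout. Every path below is constructed for illustration; pass the real
# /var/named/chroot and its etc/named.conf to use it on a live install.

# Print each zone file referenced by a named.conf, resolved the way named sees
# it inside the chroot: "/var/named/x" in the config is really
# "$chroot_dir/var/named/x" on disk. Relative names are assumed to be under
# options { directory "/var/named"; } (the sample config's setting).
# Returns 0 if every referenced file exists, 1 otherwise.
check_zone_files() {
    chroot_dir=$1
    conf=$2
    missing=0
    for f in $(sed -n 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf"); do
        case $f in
            /*) real="$chroot_dir$f" ;;
            *)  real="$chroot_dir/var/named/$f" ;;
        esac
        if [ -f "$real" ]; then
            echo "ok: $f -> $real"
        else
            echo "MISSING: $f -> $real"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Print every key name used in "allow-transfer { key NAME; };" that has no
# matching 'key "NAME" { ... };' definition in the same file. named refuses to
# load a configuration that references an undefined key, so an empty result
# is what you want.
undefined_transfer_keys() {
    conf=$1
    sed -n 's/.*allow-transfer[[:space:]]*{[[:space:]]*key[[:space:]]*\([^;[:space:]]*\).*/\1/p' "$conf" |
    sort -u |
    while read -r k; do
        k=${k#\"}; k=${k%\"}
        grep -Eq "^[[:space:]]*key[[:space:]]+\"?$k\"?[[:space:]]*\{" "$conf" || echo "$k"
    done
}

# Build a throwaway chroot (constructed sample) with one zone file present,
# one missing, and an undefined transfer key; run both checks and print the
# findings. Exit status is 0 only if no zone file was missing.
demo() {
    root=$(mktemp -d)
    mkdir -p "$root/etc" "$root/var/named"
    : > "$root/var/named/named.local"
    cat > "$root/etc/named.conf" <<'EOF'
options { directory "/var/named"; };
zone "0.0.127.in-addr.arpa" { type master; file "named.local"; };
zone "example.test" {
    type master;
    file "/var/named/example.test.zone";
    allow-transfer { key TRANSFER; };
};
EOF
    if check_zone_files "$root" "$root/etc/named.conf"; then rc=0; else rc=1; fi
    undefined_transfer_keys "$root/etc/named.conf"
    rm -rf "$root"
    return $rc
}

if [ "${1:-}" = "--demo" ]; then demo; fi
```

Run it with --demo to see one ok line, one MISSING line and the undefined key TRANSFER. On a real install, named-checkconf -t /var/named/chroot /etc/named.conf performs the authoritative version of the same check from BIND's own tools, and named-checkzone validates an individual zone file.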

Next, we create the zone for our domain. We can use the default file as a template, editing it and saving it as the zone file for our domain. Let's get started by doing the following:

  • cd /var/named/chroot/var/named
  • cp
  • Now that we have created the zone file we need to append information to it.
  • nano
  • Append the information to the file as illustrated in the diagram below.

(Diagram: zone-seowebz-in file for editing)