CentOS 4 : chroot DNS with BIND
I won’t go into the details of what DNS is, or the difference between an A record and a CNAME record; this is just a quick howto to set up a chrooted DNS server using BIND under CentOS in a mere 5 minutes.
Howto available for CentOS 5 : http://www.wains.be/index.php/2007/12/13/centos-5-chroot-dns-with-bind/
1. Install packages :
yum install bind bind-chroot bind-libs bind-utils
2. Configure rndc :
The rndc tool allows you to get some useful information about your DNS server (stats, status, etc.), so you had better get it set up.
By default rndc.conf stays outside the chroot cage; for clarity we’ll move it into the cage as well:
cp /etc/rndc.conf /var/named/chroot/etc
Let’s make a symbolic link back in /etc, so that we end up with three symlinks pointing to files in the cage (rndc.conf, rndc.key, named.conf):
cd /etc
ln -sf /var/named/chroot/etc/rndc.conf rndc.conf
Create the rndc key; this command generates the key and stores it under /etc/rndc.key:
rndc-confgen -a
/etc/rndc.key looks like this :
key "rndc-key" {
    algorithm hmac-md5;
    secret "ZK4g84WrfdfsTIQLVs59Eg==";
};
Pay close attention to the key name: rndc-confgen creates a key called “rndc-key”, while the stock /etc/named.conf refers to “rndckey”, so you’ll have to edit your named.conf carefully so that both sides use the same name.
Edit /etc/rndc.conf so it looks like this :
include "/etc/rndc.key";
options {
    default-server localhost;
    default-key "rndc-key";
};
server localhost {
    key "rndc-key";
};
3. Set up BIND
Edit /etc/named.conf so it looks like this :
include "/etc/rndc.key";
// we assume our server has the IP 192.168.100.100 serving the 192.168.100.0/24 subnet
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndc-key"; };
    // the control channel is also reachable from the LAN: any host holding rndc.key
    // can reload or stop the server, so keep that file readable by root only
    inet 192.168.100.100 allow { 192.168.100.0/24; } keys { "rndc-key"; };
};
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    recursion yes;
    allow-recursion {
        127.0.0.1;
        192.168.100.0/24;
    };
    // these are the opendns servers (optional)
    forwarders {
        208.67.222.222;
        208.67.220.220;
    };
    listen-on {
        127.0.0.1;
        192.168.100.100;
    };
    /*
     * If there is a firewall between you and nameservers you want
     * to talk to, you might need to uncomment the query-source
     * directive below. Previous versions of BIND always asked
     * questions using port 53, but BIND 8.1 uses an unprivileged
     * port by default. Leave it commented unless you really need it:
     * a fixed source port makes forged answers easier to slip into the cache.
     */
    // query-source address * port 53;
    // so people can't try to guess what version you're running
    version "REFUSED";
    allow-query {
        127.0.0.1;
        192.168.100.0/24;
    };
};
server 192.168.100.100 {
    keys { rndc-key; };
};
zone "." IN {
    type hint;
    file "named.root";
};
// we assume we have a slave dns server with the IP 192.168.100.101
zone "test.be" IN {
    type master;
    file "data/test.be.zone";
    allow-update { none; };
    allow-transfer { 192.168.100.101; };
};
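Before starting named it pays to catch the two mistakes this page warns about: a key referenced under one name (the stock CentOS “rndckey”) but defined under another (the “rndc-key” that rndc-confgen writes, see step 2), and an unbalanced closing brace, which named only reports as “‘}’ expected near end of file”. The script below is an added example written for this howto; it is not the author’s code and not part of BIND. The named.conf and rndc.key it examines are constructed samples modelled on the configuration above (with both mistakes deliberately present), and the function names (check_named_conf, brace_problems, key_problems) are my own.

```python
"""Static sanity checks for a BIND named.conf before 'service named start'.

Added example for this howto, not the author's code and not part of BIND.
"""
import re

# Constructed sample: what rndc-confgen -a leaves in /etc/rndc.key (dummy secret).
RNDC_KEY = '''key "rndc-key" {
    algorithm hmac-md5;
    secret "AAAAAAAAAAAAAAAAAAAAAA==";
};
'''

# Constructed named.conf modelled on the howto, with both mistakes in it:
# it references "rndckey" (the stock name) and has one stray "};" at the end.
NAMED_CONF = '''include "/etc/rndc.key";
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
};
options {
    directory "/var/named";
    // so people can't try to guess what version you're running
    version "REFUSED";
};
zone "test.be" IN {
    type master;
    file "data/test.be.zone";
};
};
'''

INCLUDE_RE = re.compile(r'\binclude\s+"([^"]+)"\s*;')


def strip_comments(text):
    """Remove the three comment styles named accepts, keeping line numbers intact."""
    text = re.sub(r"/\*.*?\*/", lambda m: "\n" * m.group(0).count("\n"), text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", "", text)


def brace_problems(text):
    """Report the first unmatched '}' or any block still open at end of file."""
    depth = 0
    for lineno, line in enumerate(text.splitlines(), 1):
        for ch in line:
            if ch == "{":
                depth += 1
            elif ch == "}":
                depth -= 1
                if depth < 0:
                    return [f"line {lineno}: unmatched '}}'"]
    return [f"{depth} block(s) never closed"] if depth else []


def key_problems(text):
    """Every name used in keys { ... } or default-key needs a key "..." { } block."""
    defined = set(re.findall(r'\bkey\s+"?([\w.-]+)"?\s*\{', text))
    referenced = set(re.findall(r'\bdefault-key\s+"?([\w.-]+)"?', text))
    for body in re.findall(r'\bkeys\s*\{([^}]*)\}', text):
        referenced.update(n.strip('"') for n in re.findall(r'"?[\w.-]+"?', body))
    return [f'key "{k}" is referenced but never defined (defined: {sorted(defined) or "none"})'
            for k in sorted(referenced - defined)]


def check_named_conf(conf, includes=None):
    """includes maps the path of each include "..."; statement to that file's text."""
    includes = includes or {}
    problems = [f"include {p}: file not found" for p in INCLUDE_RE.findall(conf)
                if p not in includes]
    clean = strip_comments(conf)
    problems += brace_problems(clean)
    # key definitions usually live in the included rndc.key, so check names over the merged text
    merged = INCLUDE_RE.sub(lambda m: includes.get(m.group(1), ""), clean)
    problems += key_problems(strip_comments(merged))
    return problems


if __name__ == "__main__":
    for p in check_named_conf(NAMED_CONF, {"/etc/rndc.key": RNDC_KEY}):
        print(p)
```

On the real host the authoritative check is named-checkconf -t /var/named/chroot /etc/named.conf, which parses the file with the same code named uses and follows the include statements inside the chroot; the script above only complements it by naming the key mismatch explicitly instead of reporting an unknown key.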
4. Your zones
Download named.root under /var/named/chroot/var/named :
wget http://www.internic.net/zones/named.root
Create your first zone under /var/named/chroot/var/named/data/test.be.zone (the syntax may not be perfect, but it works):
$TTL 38400
test.be.      IN SOA   ns.test.be. admin.test.be. (
              2007020400 ; Serial
              10800      ; Refresh after 3 hours
              3600       ; Retry after 1 hour
              604800     ; Expire after 1 week
              86400 )    ; Minimum TTL of 1 day
test.be.      IN NS     ns.test.be.
test.be.      IN MX 1   mx.test.be.
test.be.      IN MX 5   mx2.test.be.
ns.test.be.   IN A      192.168.100.10
mx.test.be.   IN A      192.168.100.20
mx2.test.be.  IN A      192.168.100.21
mail.test.be. IN CNAME  mx.test.be.
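The comment thread further down shows what a single missing SOA field does: named reports “unexpected end of input” at the line of the closing parenthesis, several lines away from the real mistake, and clients only see SERVFAIL. The checker below is an added example for this howto, not the author’s code and not part of BIND; the zones it examines are constructed from the test.be zone above, and the function names (check_zone, logical_records, split_record) are my own. It assumes every record line carries an explicit owner name, as the zone above does.

```python
"""Static sanity checks for a BIND master (zone) file before named loads it.

Added example for this howto, not the author's code and not part of BIND.
"""

# Constructed sample zone, copied in spirit from the howto's test.be zone.
ZONE_OK = """\
$TTL 38400
test.be. IN SOA ns.test.be. admin.test.be. (
        2007020400 ; Serial
        10800      ; Refresh after 3 hours
        3600       ; Retry after 1 hour
        604800     ; Expire after 1 week
        86400 )    ; Minimum TTL of 1 day
test.be.      IN NS    ns.test.be.
test.be.      IN MX 1  mx.test.be.
test.be.      IN MX 5  mx2.test.be.
ns.test.be.   IN A     192.168.100.10
mx.test.be.   IN A     192.168.100.20
mx2.test.be.  IN A     192.168.100.21
mail.test.be. IN CNAME mx.test.be.
"""

# Constructed variant: the SOA RNAME (admin mailbox) is left out, so every later
# field shifts one place left and the parser runs out of fields at the ')'.
ZONE_NO_RNAME = ZONE_OK.replace(" admin.test.be.", "")

SOA_FIELDS = ("mname", "rname", "serial", "refresh", "retry", "expire", "minimum")
CLASSES = {"IN", "CH", "HS"}


def logical_records(text):
    """Split the file into records, joining '(' ... ')' continuation lines and
    dropping ';' comments. Returns (records, line_of_unclosed_paren_or_None)."""
    records, buf, start, depth = [], [], None, 0
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split(";", 1)[0].replace("(", " ( ").replace(")", " ) ").split()
        if not tokens:
            continue
        if start is None:
            start = lineno
        for tok in tokens:
            if tok == "(":
                depth += 1
            elif tok == ")":
                depth -= 1
            else:
                buf.append(tok)
        if depth == 0:
            records.append((start, buf))
            buf, start = [], None
    return records, (start if depth else None)


def split_record(tokens):
    """name [ttl] [class] type rdata... -> (name, type, rdata); type is None if absent."""
    name, rest = tokens[0], tokens[1:]
    if rest and rest[0].isdigit():          # optional per-record TTL
        rest = rest[1:]
    if rest and rest[0].upper() in CLASSES:  # optional class
        rest = rest[1:]
    if not rest:
        return name, None, []
    return name, rest[0].upper(), rest[1:]


def check_zone(text):
    """Return a list of human-readable problems; an empty list means the checks passed."""
    problems = []
    records, unclosed = logical_records(text)
    if unclosed:
        problems.append(f"line {unclosed}: '(' never closed")
    types_at, targets = {}, []
    for lineno, tokens in records:
        if tokens[0].startswith("$"):        # $TTL, $ORIGIN and friends
            continue
        name, rtype, rdata = split_record(tokens)
        if rtype is None:
            problems.append(f"line {lineno}: no record type")
            continue
        types_at.setdefault(name, set()).add(rtype)
        if rtype == "SOA":
            if len(rdata) != 7:
                problems.append(f"line {lineno}: SOA has {len(rdata)} of 7 fields ({' '.join(SOA_FIELDS)})")
            if len(rdata) > 1 and rdata[1].isdigit():
                problems.append(f"line {lineno}: SOA rname is '{rdata[1]}'; the admin mailbox is probably missing")
        elif rtype == "NS" and rdata:
            targets.append((lineno, rdata[0]))
        elif rtype == "MX" and len(rdata) == 2:
            targets.append((lineno, rdata[1]))
    if not any("SOA" in ts for ts in types_at.values()):
        problems.append("no SOA record")
    for name, ts in sorted(types_at.items()):   # a CNAME owner may carry no other data
        if "CNAME" in ts and len(ts) > 1:
            problems.append(f"{name}: CNAME cannot share a name with {sorted(ts - {'CNAME'})}")
    for lineno, target in targets:             # NS/MX targets inside the zone need an address
        if target in types_at and "A" not in types_at[target]:
            problems.append(f"line {lineno}: NS/MX target {target} is in this zone but has no A record")
    return problems


if __name__ == "__main__":
    for zone in (ZONE_OK, ZONE_NO_RNAME):
        print(check_zone(zone) or "ok")
```

On the server itself, named-checkzone test.be /var/named/chroot/var/named/data/test.be.zone is the authoritative check, and with the chroot in place it is worth confirming that the file is readable by the named user, since a zone that cannot be loaded answers SERVFAIL exactly like one with a syntax error.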
5. Set up your server to query its own dns server
Edit /etc/resolv.conf and add this line at the top of the file :
nameserver 127.0.0.1
6. Start the service
Start the DNS server :
service named start
Make sure the service will start at reboot :
chkconfig named on
7. Query !
Now, you should be able to send your first query to the server :
$ host mx.test.be
mx.test.be has address 192.168.100.20
8. More…
You can install the package “caching-nameserver” along with the base packages.
This is what is provided by the package :
$ rpm -ql caching-nameserver
/etc/named.conf
/usr/share/doc/caching-nameserver-7.3
/usr/share/doc/caching-nameserver-7.3/Copyright
/usr/share/doc/caching-nameserver-7.3/rfc1912.txt
/var/named/localdomain.zone
/var/named/localhost.zone
/var/named/named.broadcast
/var/named/named.ca
/var/named/named.ip6.local
/var/named/named.local
/var/named/named.zero
With that, you don’t have to bother creating your localhost zone or retrieving the named.root file from InterNIC (it ships here as named.ca).
Your /etc/named.conf file also comes already populated with some data.
More info : http://www.section6.net/wiki/index.php/Using_DNS_with_BIND
Comments
milas
there should be // instead of ; in the named.conf line
; these are the opendns servers (optional)
Sébastien Wains
Fixed, thanks Milas..
Indeed, only the following are accepted for comments :
/* This is a C-style comment */
// This is a C++-style comment
# This is a shell-style comment
Tanweer Akhtar
Failed to start BIND : Starting named: Error in named configuration: /etc/rndc.key:1: unknown option ‘key’ /etc/named.conf:73: unknown option ‘key’ /etc/named.conf:77: unknown option ‘controls’ /etc/named.conf:80: unknown option ‘key’ /etc/named.conf:84: unknown option ‘controls’ /etc/named.conf:87: unknown option ‘key’ /etc/named.conf:91: unknown option ‘controls’ /etc/named.conf:94: ‘}’ expected near end of file [FAILED]
Sébastien Wains
Tanweer,
Can you provide me with the version of bind and system you are running it ?
Tanweer Akhtar
I have uninstalled caching-nameserver & reinstalled it, but after reinstalling it I am unable to find rndc.conf & named.conf in /etc/
[root@myhomepc ~]# rpm -e caching-nameserver
warning: /var/named/named.local saved as /var/named/named.local.rpmsave
warning: /var/named/named.ip6.local saved as /var/named/named.ip6.local.rpmsave
warning: /var/named/localdomain.zone saved as /var/named/localdomain.zone.rpmsave
[root@myhomepc ~]# yum install caching-nameserver
Loading “installonlyn” plugin
Setting up Install Process
Setting up repositories
Reading repository metadata in from local files
Parsing package install arguments
Resolving Dependencies
--> Populating transaction set with selected packages. Please wait.
---> Package caching-nameserver.i386 30:9.3.3-10.el5 set to be updated
--> Running transaction check
Dependencies Resolved
=============================================================================
Package Arch Version Repository Size
=============================================================================
Installing:
caching-nameserver i386 30:9.3.3-10.el5 base 56 k
Transaction Summary
=============================================================================
Install 1 Package(s)
Update 0 Package(s)
Remove 0 Package(s)
Total download size: 56 k
Is this ok [y/N]: y
Downloading Packages:
Running Transaction Test
Finished Transaction Test
Transaction Test Succeeded
Running Transaction
Installing: caching-nameserver ######################### [1/1]
egrep: /etc/rndc.key: No such file or directory
Installed: caching-nameserver.i386 30:9.3.3-10.el5
Complete!
[root@myhomepc ~]# rpm -ql caching-nameserver
/etc/named.caching-nameserver.conf
/etc/named.rfc1912.zones
/usr/share/doc/caching-nameserver-9.3.3
/usr/share/doc/caching-nameserver-9.3.3/Copyright
/usr/share/doc/caching-nameserver-9.3.3/rfc1912.txt
/var/named/localdomain.zone
/var/named/localhost.zone
/var/named/named.broadcast
/var/named/named.ca
/var/named/named.ip6.local
/var/named/named.local
/var/named/named.zero
[root@myhomepc ~]#
Sébastien Wains » CentOS 5 : chroot DNS with bind
[...] Howto for CentOS 4 here : http://www.wains.be/index.php/2007/02/04/centos-chroot-dns-with-bind/ [...]
gaurav
Sir, I am unable to download the RPM for the DNS server bind.
There is no item in /var/named/chroot/var/named
and also there is no named.conf file. How can I get it?
Sébastien Wains
bind is in the official repository.
You should simply do “yum install package_name” to download and install it.
There’s nothing in the chroot by default, you must use the examples above for named.conf and your zones. CentOS 5 packages provide sample configs.
gaurav
how can I get /etc/named.conf
Sébastien Wains
Copy and paste the one described under section “3. Set up BIND”
Yoandro Gonzalez
CentOS 5 also includes the caching-nameserver package; it comes with the config and zone file hierarchy you need to start up
BHorje
Thanks
Ralf Hartings
Hi, thanks for a first -complete- template to get BIND running on CentOS!
Please see my situation/question below. I would really appreciate your input/comments on where to look…
My situation:
- I run CENTOS 4.8 on my server.
- I need to set up a nameserver for my internal network
- I installed yum install bind bind-chroot bind-libs bind-utils caching-nameserver
- http/mail/nameserver is 192.168.1.93 , all in one ! My external IP is 87.227.107.21 (shown in nameserver reply below)
- I do not have a MX record (but copied the MX lines anyhow – does not make any difference in the result)
- Only the open/external DNS servers reply on request – not my own nameserver
- Where is the mistake?? I did check for typos (twice) and I did check the internet and tried several changes, with no luck….
From /var/log/messages:
Jan 31 11:38:44 server named[31244]: starting BIND 9.2.4 -u named -t /var/named/chroot
Jan 31 11:38:44 server named[31244]: using 2 CPUs
Jan 31 11:38:44 server named[31244]: loading configuration from ‘/etc/named.conf’
Jan 31 11:38:44 server named[31244]: listening on IPv4 interface lo, 127.0.0.1#53
Jan 31 11:38:44 server named[31244]: listening on IPv4 interface eth0, 192.168.1.93#53
Jan 31 11:38:44 server named[31244]: command channel listening on 127.0.0.1#953
Jan 31 11:38:44 server named[31244]: command channel listening on 192.168.1.93#953
Jan 31 11:38:44 server named[31244]: running
Jan 31 11:38:44 server named: named startup succeeded
[root@server etc]# rndc status
number of zones: 1
debug level: 0
xfers running: 0
xfers deferred: 0
soa queries in progress: 0
query logging is OFF
server is up and running
[root@server etc]#
[root@server etc]# more /var/named/chroot/var/named/data/hartings.se.zone
$ttl 38400
hartings.se. IN SOA ns.hartings.se. (
2007020400 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
hartings.se. IN NS ns.hartings.se.
http://www.hartings.se. IN A 192.168.1.93
ns.hartings.se. IN A 192.168.1.93
[root@server etc]#
[root@server etc]# nslookup hartings.se 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: hartings.se
Address: 87.227.107.21
[root@server etc]#
What could be wrong here?? Thanks for any hints that could help me! I appreciate you took your time to read this!
/Ralf
Ralf Hartings
Please note that the line ” http://www.hartings.se” in my first comment is not the original line in the file. In the file it is www dot hartings dot se (replace dot by “.”).
While pasting the line on the website, it became automatically an URL address, beyond my control. So this is not a typo
Thanks
/Ralf
Sébastien Wains
Ralf,
Can you show me the content of your named.conf file ?
(I’m aware of the URL rewritten in the comments, I need to fix that)
Thanks
Ralf Hartings
Sébastien,
Thanks for looking into this!. Here is my named.conf:
//
// named.conf for Red Hat caching-nameserver
//
key "rndckey" {
    algorithm hmac-md5;
    secret "PtBS0MY+OXRXjk/iRgtlcw==";
};
// we assume our server has the IP 192.168.254.207 serving the 192.168.254.0/24 subnet
controls {
    inet 127.0.0.1 allow { 127.0.0.1; } keys { "rndckey"; };
    inet 192.168.1.93 allow { 192.168.1.0/24; } keys { "rndckey"; };
};
options {
    directory "/var/named";
    pid-file "/var/run/named/named.pid";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    recursion yes;
    allow-recursion {
        127.0.0.1;
        192.168.1.0/24;
    };
    // these are the opendns servers (optional)
    forwarders {
        213.50.29.170;
        81.216.65.12;
        195.58.112.157;
    };
    listen-on {
        127.0.0.1;
        192.168.1.93;
    };
    //query-source address * port 53;
    // so people can't try to guess what version you're running
    version "REFUSED";
    allow-query {
        127.0.0.1;
        192.168.1.0/24;
    };
};
server 192.168.1.93 {
    keys { rndckey; };
};
zone "." IN {
    type hint;
    file "named.ca";
};
#zone "hartings.se" IN {
#type master;
#file "data/hartings.se.zone";
#allow-transfer { key TRANSFER; };
#};
---------
When I uncomment the last section, the result is:
[root@server etc]# nslookup hartings.se 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can’t find hartings.se: SERVFAIL
[root@server etc]#
I thought for a moment that this section should be in there, but this is not correct it seems.
/Ralf
Sébastien Wains
You need that section, please uncomment and restart named and check the logs.
I believe it’s a permission error on the zone file.
Ralf Hartings
That was a very quick reply !!
I un-commented that section, added the logging function (new code section added to named.conf) created the logging files (query.log and security.log) owned by named in /var/named/chroot/var/named/log and restarted named. The result in the System Log:
Feb 1 20:45:09 server named[6019]: starting BIND 9.2.4 -u named -t /var/named/chroot
Feb 1 20:45:09 server named[6019]: using 2 CPUs
Feb 1 20:45:09 server named[6019]: loading configuration from ‘/etc/named.conf’
Feb 1 20:45:09 server named[6019]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 1 20:45:09 server named[6019]: listening on IPv4 interface eth0, 192.168.1.93#53
Feb 1 20:45:09 server named[6019]: command channel listening on 127.0.0.1#953
Feb 1 20:45:09 server named[6019]: command channel listening on 192.168.1.93#953
Feb 1 20:45:09 server named[6019]: general: error: dns_rdata_fromtext: data/hartings.se.zone:7: near eol: unexpected end of input
Feb 1 20:45:09 server named[6019]: general: error: zone hartings.se/IN: loading master file data/hartings.se.zone: unexpected end of input
Feb 1 20:45:09 server named[6019]: general: notice: running
Feb 1 20:45:09 server named: named startup succeeded
The content of the query.log is:
Feb 01 20:43:54.183 client 127.0.0.1#50433: query: hartings.se IN A
The security.log file is still empty.
It seems something in wrong in the zone definition file, as you suggested:
general: error: dns_rdata_fromtext: data/hartings.se.zone:7: near eol: unexpected end of input
general: error: zone hartings.se/IN: loading master file data/hartings.se.zone: unexpected end of input
Any clue on what is wrong/missing?
Sébastien Wains
I can’t really tell where the zone file could be wrong from what you pasted in the comments.
Make sure to copy paste my zone file and replace what needs to be replaced.
Ralf Hartings
When I copy your zone file from your original post, find/replace “test.be” by “hartings.se” (not changing the IP numbers to make sure I don’t introduce new errors) and restart named, the System Log shows:
Feb 1 20:57:38 server named[6096]: starting BIND 9.2.4 -u named -t /var/named/chroot
Feb 1 20:57:38 server named[6096]: using 2 CPUs
Feb 1 20:57:38 server named[6096]: loading configuration from ‘/etc/named.conf’
Feb 1 20:57:38 server named[6096]: listening on IPv4 interface lo, 127.0.0.1#53
Feb 1 20:57:38 server named[6096]: listening on IPv4 interface eth0, 192.168.1.93#53
Feb 1 20:57:38 server named[6096]: command channel listening on 127.0.0.1#953
Feb 1 20:57:38 server named[6096]: command channel listening on 192.168.1.93#953
Feb 1 20:57:38 server named[6096]: general: error: dns_master_load: data/hartings.se.zone:2: unexpected end of line
Feb 1 20:57:38 server named[6096]: general: error: dns_master_load: data/hartings.se.zone:1: unexpected end of input
Feb 1 20:57:38 server named[6096]: general: error: zone hartings.se/IN: loading master file data/hartings.se.zone: unexpected end of input
Feb 1 20:57:38 server named[6096]: general: notice: running
Feb 1 20:57:38 server named: named startup succeeded
It seems as if the errors are on line 1 and 2? “unexpected end of input” and “unexpected end of line” ????
Or what does “1:” and “2:” mean?
As your file worked, I don’t understand why my “version” would not …..
I am lost!
Sébastien Wains
1 and 2 are the line numbers as far as I know.
Here’s another example of zone file under section 12.3.3
http://www.redhat.com/docs/manuals/linux/RHL-9-Manual/ref-guide/s1-bind-zone.html
bubarooni
I have a CentOS 5 install.
For some reason, after I did the yum install for bind there is no named.conf in the chroot; it’s in:
etc/dbus-1/system.d/
usr/share/doc/bind-9.3.3/sample/etc/
usr/share/logwatch/default.conf/services/
rndc.conf is in:
usr/share/doc/bind-9.3.3/sample/etc/
Do I need to move those out of
usr/share/doc/bind-9.3.3/sample/etc/
and into the chroot?