Install chroot bind on FreeBSD

Sometimes when you search the internet you find howtos that are good enough. This one explained nicely how to install BIND in a chroot environment. The original howto is located here. Just for my own reference, and to keep it updated, it is copied and altered below.

FreeBSD is known as one of the most rock-solid and reliable operating systems. I am personally a lover of FreeBSD, so I want to publish a nice howto about DNS (BIND).

In this tutorial I'll describe how to set up a secure FreeBSD-based master/slave DNS server. You can use this tutorial on both 64-bit and 32-bit platforms.

We will use 192.168.0.1 as the master server and 192.168.0.2 as the slave server.

Installing and Configuring DNS:

FreeBSD 9.0 will be used for this tutorial. BIND is already installed as part of the FreeBSD base system; you can check the installed version with named -v.

1) Update your ports tree; I personally prefer portsnap for ports tree management. After updating the ports tree, check the BIND version available in the ports collection:

grep PORTVERSION /usr/ports/dns/bind99/Makefile

If the ports version equals your installed BIND version there is no need to install anything; otherwise we install the newer version from ports.

Installation from Ports: Master/Slave

cd /usr/ports/dns/bind99
make config
make install clean

In the options menu select REPLACE_BASE (press the spacebar to toggle it); the other options can stay at their defaults. With REPLACE_BASE the port overwrites the base-system BIND under /usr/sbin, which is why named_program in rc.conf below still points at /usr/sbin/named.

Configuration:

On both master and slave we need to stop the base build system from rebuilding its own BIND, otherwise a later buildworld/installworld would overwrite the port. On FreeBSD 9 the knob is WITHOUT_BIND=yes in /etc/src.conf (older releases used NO_BIND=YES in /etc/make.conf):

echo 'WITHOUT_BIND=yes' >> /etc/src.conf

This keeps make from building the base version of BIND if you rebuild FreeBSD from source.

Chroot Environment: master/slave

Now let's set up the directory structure for the chrooted BIND. The directory can be anywhere on your file system; I have chosen /var/chroot/named as the BIND directory. Start by creating the following structure:

mkdir -p /var/chroot/named/etc/namedb/log
mkdir -p /var/chroot/named/etc/namedb/master
mkdir -p /var/chroot/named/etc/namedb/slave
mkdir -p /var/chroot/named/dev
mkdir -p /var/chroot/named/var/run

Placing existing Data

We need to copy the named.root file (the root hints) into the chroot directory so BIND can reach the root servers:

cp /etc/namedb/named.root /var/chroot/named/etc/namedb/

One more file is needed in the /etc directory inside the chroot jail: copy /etc/localtime so that BIND logs with the correct local time.

cp /etc/localtime /var/chroot/named/etc

Device nodes inside the chroot

When BIND runs in the chroot jail it cannot reach anything outside it, yet it still needs /dev/null and /dev/random. On FreeBSD device nodes only work on devfs: a node created with mknod on a regular file system has no driver behind it, and a symlink to /dev/random is resolved inside the chroot, where no /dev/random exists. Mount a devfs instance in the jail instead, hide everything, and unhide only the two devices named needs:

mount -t devfs devfs /var/chroot/named/dev
devfs -m /var/chroot/named/dev rule -s 1 applyset
devfs -m /var/chroot/named/dev rule apply path null unhide
devfs -m /var/chroot/named/dev rule apply path random unhide

Rule set 1 is devfsrules_hide_all from /etc/defaults/devfs.rules. When named_chrootdir is set in rc.conf, /etc/rc.d/named mounts devfs into ${named_chrootdir}/dev and unhides null and random at every start by itself, so the commands above are only needed if you start named by hand; check the result with ls -l /var/chroot/named/dev.

With the directories in place, move the old /etc/namedb aside (or back it up) and replace it with a symlink into the chroot:

cd /etc
mv namedb old.namedb
ln -s /var/chroot/named/etc/namedb .

Change the ownership of the newly created directories. named is started as root, chroots, and then drops to the bind user, which needs write access to the slave and log directories for zone transfers and logging:

cd /var/chroot
chown -R bind:bind named
chmod 700 named

RNDC Key

Now we need to generate the rndc key and later add it to named.conf. The key is a shared secret (an HMAC key) with which the rndc utility authenticates to named; the same key mechanism is also used when a DHCP server sends signed dynamic DNS updates.

rndc-confgen -a -c /etc/namedb/rndc.conf -k dnsadmin -b 256

This creates a key named dnsadmin with a size of 256 bits; at least 256 bits is recommended if you are using this on a public server. Because /etc/namedb links into the chroot, the file lands inside the jail. When the key has been generated, edit /etc/namedb/rndc.conf and add these lines at the end of the file:

options {
    default-key "dnsadmin";
    default-server 127.0.0.1;
};

That's everything configured and in place; now we need to create the named.conf files for the master and slave servers. Let's create named.conf on both.

named.conf – master/slave

vi /etc/namedb/named.conf

First we create an ACL for our slave server (192.168.0.2); it is used below to restrict zone transfers to the slave only:

acl "slaves" {
        192.168.0.2;
        };

Set general options like the base directory, the pid file and other controlling options. Note that BIND 9's default allow-recursion is { localnets; localhost; }, so this configuration does not turn the server into an open resolver for outside clients; if you change that default, restrict it explicitly.

options {
        directory "/etc/namedb";
        pid-file "/var/run/named.pid";
        };

In the above configuration we set /etc/namedb as the base directory; inside the chroot this is /var/chroot/named/etc/namedb, which is what /etc/namedb links to on the host. The pid file path is interpreted inside the chroot as well.

Now we need to define the controls clause and the key section for the rndc connection, and the port on which BIND listens for it:

controls {
        inet 127.0.0.1 port 953 allow { 127.0.0.1; } keys { dnsadmin; };
        };
key "dnsadmin" {
        algorithm hmac-md5;
        secret "o/cb6L1GDSbJWfRBpY3L=";
        };

In the above configuration we reference the key "dnsadmin" for the rndc connection; copy the secret line from /etc/namedb/rndc.conf and place it in the key { } section above (the secret shown is only a placeholder). The key name, algorithm and secret must be identical in both files or rndc will fail to authenticate.

For the caching (recursive) part of the name server we need to define the root hints zone:

zone "." {
        type hint;
        file "named.root";
        };

Our named.conf now has its common part on both servers; let's configure /etc/rc.conf on master and slave so BIND starts at boot:

named_enable="YES"
named_program="/usr/sbin/named"
named_chrootdir="/var/chroot/named"
named_conf="/etc/namedb/named.conf"
named_uid="bind"

/etc/rc.d/named passes -t ${named_chrootdir}, -u ${named_uid} and -c ${named_conf} to named itself, so they do not belong in named_flags. named_conf is a path inside the chroot; on the host that is /var/chroot/named/etc/namedb/named.conf, the same file /etc/namedb/named.conf links to.

Let's configure our domain's forward and reverse lookup zones on the master server and then start BIND.

For the forward lookup zone add the following to named.conf. allow-transfer limits AXFR/IXFR to the slaves ACL; anyone else requesting a transfer is refused:

zone "techbabu.com" {
        type master;
        file "master/techbabu.com";
        allow-transfer { slaves; };
};

Now add the reverse lookup zone after the forward zone section in named.conf:

zone "0.168.192.in-addr.arpa" {
        type master;
        file "master/techbabu.rev";
        allow-transfer { slaves; };
};

Creating the forward lookup zone file

cd /var/chroot/named/etc/namedb/master/
vi techbabu.com

Add these lines

$TTL 3600
$ORIGIN techbabu.com.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
               300000328  ; serial
               28800      ; refresh (8 hours)
               7200       ; retry (2 hours)
               604800     ; expire (1 week)
               86400      ; minimum (1 day)
               )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
              MX      10 mailbox.techbabu.com.
ns1       A       192.168.0.1
ns2       A       192.168.0.2

Creating the reverse lookup zone file

cd /var/chroot/named/etc/namedb/master/
vi techbabu.rev

Add these lines

$TTL 3600
$ORIGIN 0.168.192.in-addr.arpa.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
           300000328  ; serial
           28800      ; refresh (8 hours)
           7200       ; retry (2 hours)
           604800     ; expire (1 week)
           86400      ; minimum (1 day)
           )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
1       PTR      ns1.techbabu.com.
2       PTR      ns2.techbabu.com.
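named-checkzone validates each zone file on its own but does not compare the forward zone with the reverse one, and a PTR that no longer matches its A record is the usual mistake in this step. The following Python script is an added example, not part of the original howto or of BIND: it parses only the subset of zone-file syntax used above ($ORIGIN, $TTL, ';' comments, a parenthesised multi-line SOA, blank owner columns, one record per line) and cross-checks the two files. FORWARD_ZONE and REVERSE_ZONE are constructed copies of the two zone files above, embedded so the script runs offline.

```python
# Added example for this howto (not part of the original post or of BIND):
# compare the forward zone with its reverse zone.  FORWARD_ZONE and
# REVERSE_ZONE are constructed copies of the two files above.
import ipaddress
import re

FORWARD_ZONE = """\
$TTL 3600
$ORIGIN techbabu.com.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
               300000328  ; serial
               28800      ; refresh (8 hours)
               7200       ; retry (2 hours)
               604800     ; expire (1 week)
               86400      ; minimum (1 day)
               )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
              MX      10 mailbox.techbabu.com.
ns1       A       192.168.0.1
ns2       A       192.168.0.2
"""

REVERSE_ZONE = """\
$TTL 3600
$ORIGIN 0.168.192.in-addr.arpa.
@       IN      SOA     ns1.techbabu.com. postmaster.techbabu.com.  (
           300000328 28800 7200 604800 86400 )
              NS      ns1.techbabu.com.
              NS      ns2.techbabu.com.
1       PTR      ns1.techbabu.com.
2       PTR      ns2.techbabu.com.
"""


def _fqdn(name, origin):
    """Make a name absolute the way named does with $ORIGIN ('@' is the origin itself)."""
    if name == "@":
        return origin.lower()
    return name.lower() if name.endswith(".") else f"{name}.{origin}".lower()


def parse_zone(text):
    """Return (owner, type, rdata_tokens) triples with absolute, lower-case names."""
    no_comments = "\n".join(line.split(";", 1)[0] for line in text.splitlines())
    # fold the "( ... )" continuation lines of the SOA onto one line
    folded = re.sub(r"\([^)]*\)", lambda m: " ".join(m.group(0)[1:-1].split()), no_comments)
    origin, owner, records = ".", "@", []
    for line in folded.splitlines():
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        if line.startswith("$"):  # $TTL and other directives are not records
            continue
        tokens = line.split()
        if not line[0].isspace():  # a filled owner column starts a new owner
            owner = tokens.pop(0)
        if tokens and tokens[0].isdigit():  # optional per-record TTL
            tokens.pop(0)
        if tokens and tokens[0].upper() == "IN":  # optional class
            tokens.pop(0)
        rtype, rdata = tokens[0].upper(), tokens[1:]
        if rtype in ("SOA", "NS", "PTR", "CNAME"):  # rdata that is itself a name
            rdata[0] = _fqdn(rdata[0], origin)
        records.append((_fqdn(owner, origin), rtype, rdata))
    return records


def _ptr_owner(ip):
    """Owner name of the PTR record for an address, e.g. 1.0.168.192.in-addr.arpa."""
    return ipaddress.ip_address(ip).reverse_pointer + "."


def check_zones(forward_text, reverse_text):
    """Cross-check A records against PTR records; all lists are empty when the zones agree."""
    fwd, rev = parse_zone(forward_text), parse_zone(reverse_text)
    apex = next(owner for owner, rtype, _ in fwd if rtype == "SOA")
    a_pairs = {(owner, _ptr_owner(rdata[0])) for owner, rtype, rdata in fwd if rtype == "A"}
    ptr_pairs = {(rdata[0], owner) for owner, rtype, rdata in rev if rtype == "PTR"}
    a_owners = {owner for owner, _ in a_pairs}
    # in-zone NS targets need an A record (glue); out-of-zone NS targets do not
    in_zone_ns = {r[0] for _, t, r in fwd if t == "NS" and r[0].endswith("." + apex)}
    return {
        "missing_ptr": sorted(f"{host} -> {ptr}" for host, ptr in a_pairs - ptr_pairs),
        "missing_a": sorted(f"{ptr} -> {host}" for host, ptr in ptr_pairs - a_pairs),
        "ns_without_a": sorted(in_zone_ns - a_owners),
    }


if __name__ == "__main__":
    for key, items in check_zones(FORWARD_ZONE, REVERSE_ZONE).items():
        print(f"{key}: {items or 'ok'}")
```

To use it on the real files, read /var/chroot/named/etc/namedb/master/techbabu.com and techbabu.rev into the two strings; named-checkzone remains the authority on syntax, this only catches the two files drifting apart.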

Our master server is now completely configured. Before starting it, check the configuration from outside the chroot with named-checkconf -t /var/chroot/named /etc/namedb/named.conf (the -t option makes named-checkconf chroot the same way named will, so file paths are checked where named will look for them) and each zone with named-checkzone techbabu.com /etc/namedb/master/techbabu.com. Then start the server:

/etc/rc.d/named start

Now edit /etc/resolv.conf, set nameserver 192.168.0.1, and dig the A record of one of your name servers to make sure the master is answering:

dig @192.168.0.1 ns1.techbabu.com A

If you see output like this (also look for the aa flag in the header, which shows the answer is authoritative rather than cached):

;; ANSWER SECTION:
ns1.techbabu.com.  3600  IN	 A  192.168.0.1

then your DNS server is working fine.

You can then try to resolve outside domains (with dig or ping) to check that recursion and caching work.

Our master DNS server is now fully functional and ready to use. Next, configure named.conf on the slave:

vi /etc/namedb/named.conf

For forward lookup zone add these lines

zone "techbabu.com" {
        type slave;
        file "slave/techbabu.com";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};

And for reverse lookup

zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/techbabu.rev";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};
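The mismatch that bites most often in a master/slave setup is the one between the master's allow-transfer ACL and the address the slave actually transfers from: an ACL entry of 192.168.1.2 against a slave at 192.168.0.2 leaves the slave with no zones and only a "transfer refused" line in the master's log. The Python script below is an added example, not part of the original howto or of BIND; it parses only the acl and zone blocks in the subset of named.conf syntax used on this page (options, controls and key blocks are skipped) and cross-checks the two constructed configurations MASTER_CONF and SLAVE_CONF, which copy the fragments above with the slave's real address.

```python
# Added example for this howto (not part of the original post or of BIND):
# cross-check the master's and the slave's named.conf.  MASTER_CONF and
# SLAVE_CONF are constructed copies of the fragments above.
import re

MASTER_IP, SLAVE_IP = "192.168.0.1", "192.168.0.2"

MASTER_CONF = """\
acl "slaves" { 192.168.0.2; };
zone "." { type hint; file "named.root"; };
zone "techbabu.com" {
        type master;
        file "master/techbabu.com";
        allow-transfer { slaves; };
};
zone "0.168.192.in-addr.arpa" {
        type master;
        file "master/techbabu.rev";
        allow-transfer { slaves; };
};
"""

SLAVE_CONF = """\
zone "." { type hint; file "named.root"; };
zone "techbabu.com" {
        type slave;
        file "slave/techbabu.com";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};
zone "0.168.192.in-addr.arpa" {
        type slave;
        file "slave/techbabu.rev";
        masters { 192.168.0.1; };
        allow-notify { 192.168.0.1; };
};
"""


def _split(body):
    """Split named.conf text on ';' at brace depth 0 and return the stripped statements."""
    out, cur, depth = [], [], 0
    for ch in body:
        depth += (ch == "{") - (ch == "}")
        if ch == ";" and depth == 0:
            out.append("".join(cur).strip())
            cur = []
        else:
            cur.append(ch)
    return [s for s in out if s]


def parse_named_conf(text):
    """Return {'acl': {name: [elements]}, 'zone': {name: {option: value}}} for the subset used here."""
    conf = {"acl": {}, "zone": {}}
    for stmt in _split(re.sub(r"(//|#).*", "", text)):  # line comments dropped first
        m = re.match(r'(acl|zone)\s+"([^"]+)"\s*\{(.*)\}$', stmt, re.S)
        if not m:  # options, controls, key, ... are not needed for this check
            continue
        kind, name, body = m.groups()
        if kind == "acl":
            conf["acl"][name] = _split(body)
            continue
        opts = {}
        for item in _split(body):
            key, rest = (item.split(None, 1) + [""])[:2]
            # brace lists (masters, allow-transfer, ...) become lists, scalars become strings
            opts[key] = _split(rest[1:-1]) if rest.startswith("{") else rest.strip('"')
        conf["zone"][name] = opts
    return conf


def expand_acl(elements, acls, seen=()):
    """Replace acl names by their members; negation, 'any' and 'none' are out of scope here."""
    out = []
    for e in elements:
        out += expand_acl(acls[e], acls, seen + (e,)) if e in acls and e not in seen else [e]
    return out


def check_replication(master_conf, slave_conf, master_ip, slave_ip):
    """Return the problems found between the two configs; an empty list means they agree."""
    master, slave = parse_named_conf(master_conf), parse_named_conf(slave_conf)
    problems = []
    for zname, zopts in slave["zone"].items():
        if zopts.get("type") != "slave":
            continue
        if master_ip not in zopts.get("masters", []):
            problems.append(f"{zname}: slave masters {zopts.get('masters')} lack {master_ip}")
        mzone = master["zone"].get(zname)
        if mzone is None or mzone.get("type") != "master":
            problems.append(f"{zname}: not a master zone on the master server")
            continue
        allowed = expand_acl(mzone.get("allow-transfer", []), master["acl"])
        if slave_ip not in allowed:
            problems.append(f"{zname}: master allow-transfer {allowed} does not include {slave_ip}")
    return problems
```

Run it against the real files by reading /var/chroot/named/etc/namedb/named.conf from each host into the two strings; named-checkconf still has the last word on syntax, this only catches the two hosts disagreeing about each other.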

Our slave server is also configured; now start it:

/etc/rc.d/named start

Now edit /etc/resolv.conf on the slave, set nameserver 192.168.0.2, and dig the same A record to make sure the slave is answering. After a successful transfer the zone files appear under /var/chroot/named/etc/namedb/slave/, which is why that directory had to be writable by the bind user.

If you get the response, your slave DNS is also functional and ready to use.

Congratulations, you have successfully configured a secure master/slave DNS server.

If you have any suggestions regarding this tutorial please tell us; your comments are very helpful.
