
RHEL / CentOS Bind Tutorial

Guide to the BIND9 DNS of Red Hat Enterprise Linux 5 / CentOS Linux 5.
by Vivek Gite <vivek@nixcraft.com>, © 2008 nixCraft. All rights reserved. <http://www.cyberciti.biz>

Warnings
• Do not attempt to implement any of the recommendations in this guide without first testing
in a nonproduction environment.
• This document is only a guide containing recommended security settings for BIND
software. It is not meant to replace well-structured policy or sound judgment. Furthermore,
this guide does not address site-specific configuration concerns.
• Configuration changes described in this document apply only to Red Hat Enterprise Linux
5.x or CentOS Linux 5.x. They may or may not translate gracefully to other operating
systems.

BIND DNS Server Software


BIND (Berkeley Internet Name Domain or "named") is the most commonly used DNS server on the
Internet, especially on Linux and Unix-like systems, where it is a de facto standard.

Required packages
You need to install the following packages.
1. bind - BIND includes a DNS server (named), which resolves host names to IP addresses; a
resolver library (routines for applications to use when interfacing with DNS); and tools for
verifying that the DNS server is operating properly.
2. bind-chroot - A chroot runtime environment for the ISC BIND DNS server, named. This
package contains a tree of files which can be used as a chroot jail for the named program
from the BIND package.
3. bind-utils - Bind-utils contains a collection of utilities for querying DNS (Domain Name
System) name servers to find out information about Internet hosts. These tools will provide
you with the IP addresses for given host names, as well as other information about registered
domains and network addresses. You should install bind-utils if you need to get information
from DNS name servers.

Our sample setup


You have two CentOS v5.x or RHEL v5.x servers installed with two public IP addresses as
follows:
ns1.nixcraft.com => 202.54.1.1
ns2.nixcraft.com => 190.5.1.1
Register your name server with ISP / Domain Service Provider
You need to register ns1.nixcraft.com and ns2.nixcraft.com and their IP addresses with your ISP or
domain registrar such as Go Daddy.

How do I install bind server under CentOS / RHEL 5.x?


Type the yum command as follows:
# yum install bind bind-chroot bind-utils

Understanding Directory Structure


You must run named in a jail to increase security. In the earlier days of the Internet, BIND 4 and
BIND 8 had a large number of serious security vulnerabilities. BIND 9 was a complete rewrite, but
it has still had a few vulnerabilities.
• /var/named/chroot/ - BIND jail directory. Store all your configuration and zone data here.
• /var/named/chroot/dev/ - Device file directory used by named jail.
• /var/named/chroot/etc/ - You need to store named.conf and other config file here.
• /var/named/chroot/var/named/ - Zone and log data files.

BIND default network ports


BIND 9 uses the following application-layer ports for the DNS protocol:
• TCP port 53 : Used only when the response data size exceeds 512 bytes, or for such tasks as
zone transfers to slave / secondary servers.
• UDP port 53 : DNS primarily uses UDP on port 53 to serve requests.
Please note that some operating systems such as HP-UX are known to have resolver
implementations that use TCP for all queries, even when UDP would suffice. Therefore you need to
keep both ports open using firewall software such as netfilter.

Understanding the name resolution process


Each client that accesses name servers is known as a resolver (it is a library). When an application
such as Firefox needs information from the DNS, it uses the resolver to send a query to a DNS
server such as your own or your ISP's DNS servers. If the server is authoritative for the data it returns
a reply; otherwise, it searches through the DNS name space to get the data. This is known as name
resolution. Please see this FAQ about name resolution for further details. You can configure BIND
to answer two types of DNS queries:
1. Non-recursive (iterative) - A non-recursive query is one in which the DNS server may
provide a partial answer to the query (or give an error). In this tutorial you will learn about
setting up non-recursive master and slave servers.
2. Recursive - A recursive query is one where the DNS server will fully answer the query (or
give an error). Usually, ISP servers are configured as recursive caching servers.

Understanding Resource Records (RR)


Each resource record has five fields as follows:
• Name - The domain name the resource record refers to. For e.g. www
• Type - The type of the resource record such as A, MX etc.
• TTL - The time to live of the RR. Signed time in seconds that the RR stays valid.
• CLASS - Class code. It can be IN (Internet). This tutorial only covers the IN class for TCP/IP
internet communication; but other possibilities include CHAOSnet (CH) and Hesiod (HS).
• RDATA - Actual data associated with the domain.
An example of an RR made of five fields:
ns1 3600 IN A 202.54.1.1

The Main DNS Record Types


Record type (label) - Description:
• A (Address) - IPv4 32 bit host IP address such as 202.54.1.2
• AAAA (IPv6 Address) - IPv6 address in IPv6 format such as 2001:470:1f0e:b2::2
• CNAME (Canonical Name) - Set an alias for a domain name. For e.g. feeds.cyberciti.biz is an alias
for ghs.google.com
• MX (Mail eXchanger) - A list of mail servers for the domain to which mail for the domain name is
sent. For e.g. cyberciti.biz mail is sent to mail.nixcraft.net.
• NS (Name server) - A list of authoritative name servers for the domain. For e.g. theos.in is
registered with ns1.nixcraft.net and ns2.nixcraft.net.
• PTR (Pointer) - Mostly used to set reverse name resolution.
• TXT (Text) - A text string up to 255 bytes long. It is used to set host description or
anti-spam configurations.
• SOA (Start Of Authority) - Set the start of a zone of authority. Usually used on the master bind
server.
• KEY - Set the server's public key for TSIG and DNSSEC.

Master BIND9 Server Configuration


Let us see how to configure the master named using RHEL 5.x.

How Do I Chroot Named?


The default directory /var/named/chroot is the location of the chroot. This will make it much harder
for attackers to exploit newly-discovered vulnerabilities. This section discusses mechanisms for
preventing the DNS server from interfering with other services. This is done both to protect the
remainder of the network should a nameserver be compromised, and to make direct attacks on
nameservers more difficult.

Using the bind-chroot-admin Command


The bind-chroot-admin tool can be used to enable or disable the bind-chroot environment. This is a
security feature and you must use it. To turn on the BIND jail setup, enter:
# bind-chroot-admin -e
Copy the required named config files to the bind-chroot, enter:
# cd /var/named/chroot/etc/
# cp /usr/share/doc/bind-9.3.4/sample/etc/{named.conf,named.rfc1912.zones,named.root.hints} .

Copy required default zone files to the bind-chroot, enter:


# cd /var/named/chroot/var/named
# cp -v /usr/share/doc/bind-9.3.4/sample/var/named/{*.db,*.zone,*.zero,*.root,*.local,*.broadcast} .

Create default named.conf


Type the following command:
# cd /var/named/chroot/etc/
# vi named.conf

Append following configuration, enter:


options
{
listen-on-v6 { none; };
listen-on { 202.54.1.1; };
directory "/var/named";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
dnssec-enable yes;
recursion no;
allow-notify { 202.54.1.1; 190.5.1.1; };
version "nixCraft dns server";
auth-nxdomain no;
};

logging
{
channel default_debug {
file "data/named.run";
severity dynamic;
};
};

/* Get localhost and other */
include "/etc/named.rfc1912.zones";

/* Get root server */
include "/etc/named.root.hints";

/* Get our zone stuff */
include "/etc/named.conf.local";

Save and close the file.

Understanding BIND main configuration file


named.conf is the configuration file for named. Statements are enclosed in braces and terminated
with a semi-colon. Clauses in the statements are also semi-colon terminated. The usual comment
styles are supported (see "More about comments" below). The "options" statement sets up global
options to be used by BIND. Where,
• listen-on-v6 { none; }; - Disable IPv6 support. To turn on IPv6 support replace none with
an actual IPv6 address or the any keyword.
• listen-on { 202.54.1.1; }; - Listen on the 202.54.1.1 IPv4 address.
• directory "/var/named"; - BIND directory to store logs and zone data.
• dump-file "data/cache_dump.db"; - The pathname of the file the server dumps the
database to when instructed to do so with the rndc dumpdb command.
• statistics-file "data/named_stats.txt"; - The pathname of the file the server appends
statistics to when instructed to do so using rndc stats.
• memstatistics-file "data/named_mem_stats.txt"; - The pathname of the file the server
writes memory usage statistics to on exit.
• dnssec-enable yes; - Enable DNSSEC support in named.
• recursion no; - Do not provide recursive service to any clients.
• allow-notify { 202.54.1.1; 190.5.1.1; }; - Specifies which hosts are allowed to notify this
server, a slave, of zone changes in addition to the zone masters.
• version "nixCraft dns server"; - Set the version string BIND reports. This is a security measure so
that BIND does not reveal its real version number.
• auth-nxdomain no; - This conforms to RFC 1035.
• logging { ... }; - BIND provides various fine-tuning options for the server to log messages. The
severity clause works like syslog's "priorities", except that it can also be used if you
are writing straight to a file rather than using syslog. Channels with dynamic severity use the
server's global debug level to determine what messages to print.
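As an added example (not part of the original tutorial), the following Python script parses the options block of a named.conf, after stripping the three comment styles BIND accepts, and reports the settings this section warns about: recursion left on, no version string, and zone transfers open to any. The two configurations and the function names are constructed for this example; the hardened one mirrors the master options block above.

```python
import re

# Constructed samples (not the tutorial's text verbatim): WEAK inverts two of the
# settings explained above; HARDENED mirrors the master options block.
WEAK = """options {
    listen-on { 202.54.1.1; };
    recursion yes;            // open resolver
    allow-transfer { any; };  // anyone can AXFR the zones
};"""
HARDENED = """options {
    listen-on-v6 { none; };
    listen-on { 202.54.1.1; };
    recursion no;
    allow-notify { 202.54.1.1; 190.5.1.1; };
    version "nixCraft dns server";  /* hide the real version */
};"""

def strip_comments(text):
    """Drop the three comment styles named.conf accepts: /* */, // and #."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)
    return re.sub(r"(//|#).*", "", text)

def block_body(text, name):
    """Return the text inside the balanced braces of a top-level `name { ... }`."""
    m = re.search(r"\b%s\s*\{" % re.escape(name), text)
    if not m:
        raise ValueError("no %s block found" % name)
    depth = 0
    for j in range(m.end() - 1, len(text)):
        depth += {"{": 1, "}": -1}.get(text[j], 0)
        if depth == 0:
            return text[m.end():j]
    raise ValueError("unbalanced braces in %s block" % name)

def parse_options(text):
    """Map each directive in options { } to its raw value: 'no', '{ any; }', '"..."'."""
    body = block_body(strip_comments(text), "options")
    stmt = re.compile(r'([\w-]+)\s*(\{[^}]*\}|"[^"]*"|[^;{]+?)\s*;')
    return {m.group(1): m.group(2).strip() for m in stmt.finditer(body)}

def audit(text):
    """Return (directive, problem) pairs for an authoritative-only server."""
    opts, findings = parse_options(text), []
    if opts.get("recursion", "yes") != "no":   # BIND's default is recursion yes
        findings.append(("recursion", "recursive service offered to clients; set recursion no"))
    if "version" not in opts:
        findings.append(("version", "real BIND version disclosed; set a version string"))
    if re.search(r"\bany\b", opts.get("allow-transfer", "")):
        findings.append(("allow-transfer", "zone transfers open to anyone; limit to the slave or a TSIG key"))
    return findings

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("hardened", HARDENED)):
        print(label + ":", audit(conf) or "no findings")
```

A zone-level allow-transfer (as in the zone statement later in this guide) overrides the options-level setting, so run the check against both when auditing a real file.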

More about comments


The following is nothing but comment defined using C style:
/* Get localhost and other */

BIND also support C++ style comment:


// Get localhost and other

And, UNIX shell style comment defined as follows:


# Get localhost and other

Configure Iptables Based Firewalls to Protect the BIND DNS Server

You need to allow remote clients / systems to connect to the DNS server. Open the /etc/sysconfig/iptables
file and add the following lines before the final LOG and DROP lines:
# vi /etc/sysconfig/iptables
-A RH-Firewall-1-INPUT -m state --state NEW -p udp --dport 53 -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -p tcp --dport 53 -j ACCEPT

Finally, restart iptables:
# service iptables restart

Add Domain Called TheOS.in on Master


Edit /var/named/chroot/etc/named.conf.local and add your domain. For example, theos.in can be
added as follows:
zone "theos.in" {
type master;
file "/var/named/zone.theos.in";
allow-transfer { key TRANSFER; };
};

Create /var/named/chroot/var/named/zone.theos.in as follows:


$ORIGIN theos.in.
$TTL 3h
@ IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
2008071012 ; Serial yyyymmddnn
3h ; Refresh After 3 hours
1h ; Retry after 1 hour
1w ; Expire after 1 week
1h) ; Minimum negative caching of 1 hour

; Name servers
@ 3600 IN NS ns1.nixcraft.com.
@ 3600 IN NS ns2.nixcraft.com.

; SPF for mx
@ 3600 IN TXT "v=spf1 mx ~all"

; Domain IP
@ 3600 IN A 75.126.168.153
www 3600 IN A 75.126.168.153

; Cname alias
feeds 3600 IN CNAME ghs.google.com.

; ipv6 address
@ 3600 IN AAAA 2607:f0d0:1002:11::5
www 3600 IN AAAA 2607:f0d0:1002:11::5
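The five-field RR layout described under "Understanding Resource Records" and the zone file just shown can be checked with the following parser, added here as an example and not part of the tutorial. It handles $ORIGIN, $TTL, ; comments (also inside TXT strings), the parenthesised multi-line SOA and a blank owner field; the embedded zone text is an abridged copy of zone.theos.in above plus one constructed blank-owner line, and the function names are this example's own.

```python
import re
# Sample input: abridged copy of zone.theos.in above plus one constructed blank-owner line.
ZONE = """$ORIGIN theos.in.
$TTL 3h
@ IN SOA ns1.nixcraft.com. vivek.nixcraft.com. (
        2008071012 ; Serial yyyymmddnn
        3h ; Refresh after 3 hours
        1h ; Retry after 1 hour
        1w ; Expire after 1 week
        1h ) ; Minimum negative caching of 1 hour
@ 3600 IN NS ns1.nixcraft.com.
@ 3600 IN TXT "v=spf1 mx ~all"
www 3600 IN A 75.126.168.153
     3600 IN AAAA 2607:f0d0:1002:11::5 ; blank owner = previous owner (www)
feeds 3600 IN CNAME ghs.google.com."""

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
TYPES = {"A", "AAAA", "CNAME", "MX", "NS", "PTR", "TXT", "SOA", "KEY"}

def ttl_seconds(tok):
    """Convert a BIND TTL such as 3600, 3h or 1w into seconds."""
    num, unit = re.fullmatch(r"(\d+)([smhdw]?)", tok.lower()).groups()
    return int(num) * UNITS.get(unit, 1)

def logical_lines(text):
    """Strip ; comments (outside quotes) and join ( ... ) continuations into one line."""
    buf, depth = [], 0
    for raw in text.splitlines():
        line = re.sub(r'"[^"]*"|;.*', lambda m: m[0] if m[0][0] == '"' else "", raw)
        depth += line.count("(") - line.count(")")
        buf.append(line.replace("(", " ").replace(")", " "))
        if depth == 0:
            joined, buf = " ".join(buf), []
            if joined.strip():
                yield joined

def parse_zone(text):
    """Return (owner, ttl, class, type, rdata) tuples; owners are made absolute."""
    origin, default_ttl, records = ".", None, []
    for line in logical_lines(text):
        tok = line.split()
        if tok[0] == "$ORIGIN":
            origin = tok[1]
        elif tok[0] == "$TTL":
            default_ttl = ttl_seconds(tok[1])
        else:
            # a line starting with whitespace has no owner field: it reuses the previous owner
            name = records[-1][0] if line[0].isspace() else tok.pop(0)
            name = origin if name == "@" else name if name.endswith(".") else name + "." + origin
            ttl, cls = default_ttl, "IN"
            while tok[0] not in TYPES:      # optional TTL and class may precede the type
                t = tok.pop(0)
                cls, ttl = (t.upper(), ttl) if t.upper() in ("IN", "CH", "HS") else (cls, ttl_seconds(t))
            records.append((name, ttl, cls, tok[0], " ".join(tok[1:])))
    return records
```

Records without an explicit TTL (the SOA here) inherit the $TTL value, which is why the SOA comes back with 10800 seconds.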

Slave BIND9 Server Configuration


Edit /var/named/chroot/etc/named.conf as follows:
options
{
listen-on { 190.5.1.1; };
directory "/var/named"; // the default
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
dnssec-enable yes;
recursion no;
allow-notify { 202.54.1.1; };
version "nixcraft DNS Server #2";
transfer-source 190.5.1.1;
use-alt-transfer-source yes;
// Statistics
zone-statistics yes;
};
/* Get localhost and other */
include "/etc/named.rfc1912.zones";

/* Get root server */
include "/etc/named.root.hints";

include "/etc/rndc.key";
include "/etc/tsig.key";
/* Our own zone */
include "/etc/named.conf.local";

Add Domain Called TheOS.in on Slave Server


Edit /var/named/chroot/etc/named.conf.local and add your domain. For example, theos.in can be
added as follows:
zone "theos.in" {
type slave;
file "slaves/db.slave.theos.in";
masters { 202.54.1.1; };
allow-transfer { none; };
};

Reload named after configuring TSIG:
# rndc reload
OR
# service named restart

Bind Security: Transaction Signatures (TSIG) Configuration


Transaction signatures (TSIG) are a mechanism used to secure DNS messages and to provide secure
server-to-server communication (usually between master and slave servers, but it can be extended to
dynamic updates as well). TSIG can protect the following types of transactions between two DNS
servers:
• Zone transfers
• Notify
• Dynamic updates
• Recursive query messages, etc.
TSIG is available for BIND v8.2 and above. TSIG uses shared secrets and a one-way hash function
to authenticate DNS messages. TSIG is easy and lightweight for resolvers and named.

How it works
1. Each name server adds a TSIG record to the data section of its DNS server-to-server queries and
messages.
2. The TSIG record signs the DNS message, proving that the message's sender had a
cryptographic key shared with the receiver and that the message wasn't modified after it left
the sender.
3. TSIG uses a one-way hash function to provide authentication and data integrity.
Our sample setup:
• Master nameserver: ns1.nixcraft.com - 202.54.1.1
• Slave nameserver: ns2.nixcraft.com - 190.5.1.1
• BIND configuration is stored in the /etc/bind/ directory.
• Zone data is stored in the /etc/bind/named.conf file.
How Do I Configure TSIG?
Type the following command on the master nameserver (ns1.theos.in) to create the shared keys, using
the dnssec-keygen program, which creates two files, both containing the key generated:
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST rndc-key
Sample output:
Krndc-key.+157+64252

List all files, enter:
# ls -l
Output:


total 52
-rw-r--r-- 1 root root 237 2009-01-06 12:16 db.0
-rw-r--r-- 1 root root 271 2009-01-06 12:16 db.127
-rw-r--r-- 1 root root 237 2009-01-06 12:16 db.255
-rw-r--r-- 1 root root 353 2009-01-06 12:16 db.empty
-rw-r--r-- 1 root root 256 2009-01-06 12:16 db.local
-rw-r--r-- 1 root root 1506 2009-01-06 12:16 db.root
-rw------- 1 root root 52 2009-01-25 14:13 Krndc-key.+157+64252.key
-rw------- 1 root root 81 2009-01-25 14:13 Krndc-key.+157+64252.private
-rw-r--r-- 1 root bind 1302 2009-01-25 14:13 named.conf
-rw-r--r-- 1 root bind 165 2009-01-06 12:16 named.conf.local
-rw-r--r-- 1 root bind 358 2009-01-25 14:02 named.conf.options
-rw-r----- 1 bind bind 77 2009-01-24 20:37 rndc.key
-rw-r--r-- 1 root root 1317 2009-01-06 12:16 zones.rfc1918

Where,
• -a Specify the algorithm (HMAC-MD5 here).
• -b Specify the key size.
• -n Specify the nametype. A nametype can be a ZONE, HOST, ENTITY, or USER. Usually,
you need to use HOST or ZONE such as theos.in
The above dnssec-keygen program created two files as follows. Both .key and .private files are
generated for symmetric algorithms such as HMAC-MD5, even though the public and
private keys are equivalent:
• Krndc-key.+157+64252.key - Contains the public key. The .key file contains a DNS KEY
record that can be inserted into a zone file.
• Krndc-key.+157+64252.private - Contains the private key. The .private file contains
algorithm-specific fields.

Using TSIG - master server configuration


Run the following command and note down the Key:
# cat Krndc-key.+157+64252.private
Sample output:
Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 0jnu3SdsMvzzlmTDPYRceA==
Bits: AAA=
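Added example (not from the tutorial): a Python script that reads the .private file shown above, emits the key statement the next step asks you to write into tsig.key, and models how TSIG uses the shared secret: an HMAC-MD5 over the message followed by the key name, algorithm, signing time and fudge, which the receiver recomputes and compares. The function names, the message bytes, the timestamps and the simplified variable layout are constructed for illustration; this is not a wire-format DNS implementation.

```python
import base64
import hashlib
import hmac
import re
import struct

# Sample input: a copy of the .private file contents shown above.
PRIVATE_FILE = """Private-key-format: v1.2
Algorithm: 157 (HMAC_MD5)
Key: 0jnu3SdsMvzzlmTDPYRceA==
Bits: AAA=
"""

def parse_private(text):
    """Return (algorithm name as named.conf spells it, raw secret bytes)."""
    fields = dict(re.findall(r"^([\w-]+):\s*(.*)$", text, re.M))
    alg = re.search(r"\((\w+)\)", fields["Algorithm"]).group(1)
    return alg.lower().replace("_", "-"), base64.b64decode(fields["Key"])

def key_statement(name, text, bits=128):
    """Build the key { } block for tsig.key, checking the secret is the size requested with -b."""
    alg, secret = parse_private(text)
    if len(secret) * 8 != bits:
        raise ValueError("secret is %d bits, expected %d" % (len(secret) * 8, bits))
    return 'key "%s" {\n    algorithm %s;\n    secret "%s";\n};' % (
        name, alg, base64.b64encode(secret).decode())

def tsig_mac(secret, message, key_name, time_signed, fudge=300):
    """HMAC-MD5 over the DNS message followed by the TSIG variables (simplified layout)."""
    variables = (key_name.lower().encode() + b"hmac-md5.sig-alg.reg.int."
                 + struct.pack("!Q", time_signed)[2:]   # 48-bit time signed, as on the wire
                 + struct.pack("!H", fudge))
    return hmac.new(secret, message + variables, hashlib.md5).digest()

def verify(secret, message, key_name, time_signed, mac, now, fudge=300):
    """The receiver recomputes the MAC with the shared secret; reject if it differs or is stale."""
    if abs(now - time_signed) > fudge:          # outside the fudge window: replayed or clock skew
        return False
    expected = tsig_mac(secret, message, key_name, time_signed, fudge)
    return hmac.compare_digest(expected, mac)   # constant-time comparison

if __name__ == "__main__":
    alg, secret = parse_private(PRIVATE_FILE)
    print(key_statement("TRANSFER", PRIVATE_FILE))   # what goes into tsig.key on both servers
    msg = b"constructed stand-in for an AXFR request for theos.in"   # not real DNS wire data
    mac = tsig_mac(secret, msg, "TRANSFER", time_signed=1232900000)  # master signs
    print("slave accepts genuine request:", verify(secret, msg, "TRANSFER", 1232900000, mac, now=1232900100))
    print("slave rejects tampered request:", not verify(secret, msg + b"!", "TRANSFER", 1232900000, mac, now=1232900100))
```

Newer BIND releases also accept hmac-sha256 in both dnssec-keygen -a and the algorithm clause; HMAC-MD5 here follows the tutorial's command.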

Now you need to create the tsig.key file on the master server. Open /var/named/chroot/etc/tsig.key, enter:
# vi /var/named/chroot/etc/tsig.key
Append the following config:
key "TRANSFER" {
algorithm hmac-md5;
secret "0jnu3SdsMvzzlmTDPYRceA==";
};
# Slave server IP # 1
server 190.5.1.1 {
keys {
TRANSFER;
};
};
################################
# If you have 3rd slave server with IP 64.1.2.3
#server 64.1.2.3 {
# keys {
# TRANSFER;
# };
#};
################################

The first block is nothing but the key. TSIG keys are configured using the keys substatements. The keys
substatement informs a name server to sign queries and zone transfer requests sent to a particular
remote name server. In our case the above substatement informs the master server to sign all
requests to the slave server 75.55.2.100 with the key called TRANSFER. The server
statement's keys clause tells the slave name server to sign all zone transfer requests and queries
sent to its master server and vice versa. Save and close the file. Open the named.conf file, enter:
# vi /var/named/chroot/etc/named.conf
Append the following line:
include "/etc/tsig.key";

Save and close the file. Restart named:
# rndc reload
OR
# service named restart

Using TSIG - slave server configuration


Create /var/named/chroot/etc/tsig.key on the slave server, enter:
# vi /var/named/chroot/etc/tsig.key
Append the following config:
key "TRANSFER" {
algorithm hmac-md5;
secret "0jnu3SdsMvzzlmTDPYRceA==";
};
# Master server IP
server 202.54.1.1 {
keys { TRANSFER; };
};

Save and close the file. Append the following to /var/named/chroot/etc/named.conf:
include "/etc/tsig.key";

Restart / reload the bind server:
# rndc reload
OR
# service named restart

Verify TSIG
Watch your master BIND DNS server log file or system log file, enter:
# tail -f /var/log/messages
OR
# tail -f /var/log/syslog
OR
# grep 'theos.in/IN' /var/log/syslog

Further Resources
The following resources provide more detailed information about the BIND9 software:
1. man pages - bind, named.conf
2. Bind9 Project
3. Bind from Wikipedia, the free encyclopedia

Have a question or comment?


Use our DNS tech support forum at http://nixcraft.com/.

Copyright © 2008-2009 nixCraft. All rights reserved. This pdf version is for personal use only. Please use all
information, commands and configuration with care. nixCraft website (http://www.cyberciti.biz/) and its contributors
will not be responsible for damages of any kind resulting from its use. The use of this information is your OWN sole
responsibility. All trademarks within are property of their respective holders. Although the author and its contributors
believe the contents to be accurate at the time of publication, no liability is assumed for them, their application or any
consequences thereof. If any misrepresentations, errors or other need of clarification is found, please contact us
immediately at vivek@nixcraft.com.

