Hardening the BIND DNS Server
2. Setting up DNS data files
Create a configuration file:
    cd /usr/local/etc
    vi named.conf
    chown root.named named.conf
    chmod 640 named.conf
So what do you put in named.conf? Have a look at the examples provided in the second footnote 2. The file consists of options, logging, ACL, server and zone sections. Some of the directives are:
- The directory directive tells BIND where to look for data files.
- Internal DNS servers without Internet access will need forwarders, so that every query they cannot answer is passed on to DNS servers which do have Internet access.
- The process id of BIND is stored in the file named by the pid-file directive. The "named" user needs read and write access to this file.
- BIND's logging is very flexible. The example logs to the syslog local1.info facility.
- Access control lists (ACLs) can and should be used to restrict which servers are allowed zone transfers. It is recommended to use this feature to make it more difficult for attackers to map your network layout. Servers typically allowed in the list are the primaries/secondaries for the domain, your ISP, and the NIC for your country.
After setting up named.conf, the files containing the DNS records have to be set up on the primaries (in /var/named in our example); the secondaries download them automatically.
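As an added example (not one of the article's own files), here is a named.conf that uses the directives just listed, together with a small shell check for the zone-transfer setting. The zone name and every address are constructed placeholders from the RFC 5737 documentation ranges, and the ACL, channel and function names are my own choices, not taken from the article:

```shell
#!/bin/sh
# Added example, not the article's own files: writes a named.conf that uses
# the directives discussed above (directory, forwarders, pid-file, logging to
# local1.info, an ACL on zone transfers) and checks a configuration for the
# weak setting.  All addresses and the zone name are constructed placeholders
# from the RFC 5737 documentation ranges; replace them with your own.

# write_named_conf DEST : write the hardened configuration to DEST.
write_named_conf() {
    cat > "$1" <<'EOF'
// Hosts allowed to pull whole zones: our secondary and the ISP's secondary
// (constructed addresses).
acl "xfer-peers" {
    192.0.2.53;
    198.51.100.53;
};

options {
    directory "/var/named";            // where the zone files live
    pid-file  "/var/run/named.pid";    // user "named" needs read/write here
    // Internal server without Internet access: hand every query it cannot
    // answer to resolvers that do have access (constructed addresses).
    forwarders { 192.0.2.1; 192.0.2.2; };
    // Applies to every zone unless a zone block overrides it.  Without it,
    // anyone can transfer the zone and map the network from it.
    allow-transfer { xfer-peers; };
};

logging {
    channel local1_syslog {
        syslog local1;
        severity info;
    };
    category default { local1_syslog; };
};

zone "example.com" {
    type master;
    file "example.com.zone";
};
EOF
}

# write_permissive_conf DEST : the weak setting, kept only to exercise the check.
write_permissive_conf() {
    printf 'options {\n    directory "/var/named";\n    allow-transfer { any; };\n};\n' > "$1"
}

# transfers_restricted CONF : exit 0 when CONF contains at least one
# allow-transfer directive and none of them grants "any"; exit 1 when the
# directive is missing (BIND 8 then falls back to allowing transfers to any
# host) or when one of them is open.
transfers_restricted() {
    # Drop // comments, join the file into one record, then look at the
    # body of every allow-transfer { ... } block.
    sed 's#//.*$##' "$1" | tr '\n' ' ' | awk '
        { n = split($0, part, /allow-transfer[ \t]*[{]/) }
        END {
            if (n < 2) exit 1                    # no directive at all
            for (i = 2; i <= n; i++) {
                body = part[i]; sub(/[}].*/, "", body)
                # "any" as a whole word inside the braces opens the zone
                if (body ~ /(^|[^A-Za-z0-9_-])any([^A-Za-z0-9_-]|$)/) exit 1
            }
            exit 0
        }'
}
```

Usage: write_named_conf /usr/local/etc/named.conf, then transfers_restricted /usr/local/etc/named.conf before starting the server. The check is deliberately strict: a configuration with no allow-transfer directive at all fails, not only one that says any, because an absent directive is just as open as an explicit one.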
3. Running BIND
Check the console and syslog (daemon log) for errors, e.g.
    tail -f local0log | grep "named"
Start BIND:
    /usr/local/sbin/named -u named
Configure automatic starting on boot
In /etc/init.d/inetsvc, change the DNS startup lines to:
    # Start the BIND DNS server:
    if [ -f /usr/local/sbin/named -a -f /usr/local/etc/named.conf ]; then
        echo "Starting BIND domain name server."
        /usr/local/sbin/named -u named
    fi
Before moving on to the next stage, BIND should be working well, with no errors in the logs. See also the troubleshooting section.
Chroot'ing BIND
This process has three steps: create a general chroot jail, install BIND into the jail, start and test the chroot'ed BIND.
Set up a general chroot environment
BIND is now up and running, but we want to tighten security further by forcing it to run in a chroot environment (also called a jail or padded cell; basically, the files visible to BIND are restricted to a subdirectory within the file system). See also the second footnote 2 for a discussion of chroot environments.
We will now walk through the steps for setting up the chroot environment, copying over the BIND files, starting BIND and troubleshooting. These steps chroot the entire BIND program rather than relying only on BIND's "-t" option (see Note 1). The following steps assume use of the C-Shell. We start by setting a variable for the chroot environment (jail) location, and setting umask so that all files copied can be read by both group and world. These commands are designed to be copied and pasted.
- Set source and destination directories
    csh
    set jail='/home/dns'
    umask 022
- Set up empty directories and links:
    mkdir $jail
    cd $jail
    mkdir -p {dev,opt,usr,var,etc}
    mkdir -p var/{run,log,named} usr/{local,lib}
    mkdir -p usr/share/lib/zoneinfo
- Setup /etc
    cp /etc/{syslog.conf,netconfig,nsswitch.conf,resolv.conf,TIMEZONE} $jail/etc
- Create a user and group account within the chroot and for the whole system. BIND will run under this account.
Create $jail/etc/passwd and add the same entry to /etc/passwd:
    echo "named:x:20000:20000:BIND DNS daemon:/tmp:/bin/false" >> /etc/passwd
    echo "named:x:20000:20000:BIND DNS daemon:/tmp:/bin/false" > $jail/etc/passwd
And $jail/etc/shadow, adding the entry to /etc/shadow as well:
    echo "named:NP:6445::::::" >> /etc/shadow
    echo "named:NP:6445::::::" > $jail/etc/shadow
And $jail/etc/group, adding the entry to /etc/group as well:
    echo "named::20000:" >> /etc/group
    echo "named::20000:" > $jail/etc/group
- Set up libraries:
Use ldd to see what shared object libraries named and named-xfer rely on:
    ldd /usr/local/sbin/named /usr/local/sbin/named-xfer
Copy the files listed above, for example for Solaris 2.6/7:
    cp -p /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
        /usr/lib/libdl.so.1 /usr/lib/libmp.so.2 $jail/usr/lib
On Solaris 2.5:
    cp -p /usr/lib/libnsl.so.1 /usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
        /usr/lib/libdl.so.1 /usr/lib/libmp.so.1 /usr/lib/libw.so.1 \
        /usr/lib/libintl.so.1 $jail/usr/lib
Experience has shown the following are also needed for Solaris 2.5/6/7:
    cp /usr/lib/ld.so.1 /usr/lib/nss_files.so.1 $jail/usr/lib
("Experience" means that first attempts didn't work, but by running BIND with truss, one could see what libraries were being sought after.)
- Copy over timezone files (I use MET, here in Europe):
    mkdir -p $jail/usr/share/lib/zoneinfo
    cp -p /usr/share/lib/zoneinfo/MET $jail/usr/share/lib/zoneinfo/MET
- Set up devices for communication, console, syslog, etc.
    cd $jail/dev
    mknod tcp c 11 42
    mknod udp c 11 41
    mknod log c 21 5
    mknod null c 13 2
    mknod zero c 13 12
    chgrp sys null zero
    chmod 666 null
    mknod conslog c 21 0
    mknod syscon c 0 0
    chmod 620 syscon
    chgrp tty syscon
    chgrp sys conslog
Known Problems
- BIND will still log to syslog "daemon" for certain events, even if the logging directive tells BIND to log to "local1" (as in our example).
- ndc does not work correctly in a chroot'ed environment. It would be better to start BIND via ndc:
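The jail-building steps in this section can be rehearsed before they are run as root on a real host. The following POSIX shell script is an added example and not a script from the article: it automates the directory skeleton, the /etc copies, the "named" account files, the ldd-driven library copy and a final check for files that are still missing. Paths, the uid/gid 20000 and the Solaris library and timezone names come from the article; the jail location is a parameter, and the function names are my own. Device nodes are left to the article's mknod commands, because major/minor numbers are platform specific.

```shell
#!/bin/sh
# Added example, not a script from the article: automates the jail-building
# steps so they can be rehearsed in a scratch directory first.  Paths, the
# "named" uid/gid of 20000 and the Solaris library and timezone names are
# taken from the article; the jail location is a parameter.  Device nodes
# are left to the article's mknod commands (platform-specific numbers, root).

umask 022   # everything created or copied must be readable by group and world

# make_jail_tree JAIL : create the empty directory skeleton inside JAIL.
make_jail_tree() {
    for d in dev opt usr var etc var/run var/log var/named \
             usr/local usr/lib usr/share/lib/zoneinfo; do
        mkdir -p "$1/$d"
    done
}

# copy_etc JAIL : copy the system files BIND and the resolver need
# (files absent on this host are skipped, so the step is repeatable).
copy_etc() {
    for f in syslog.conf netconfig nsswitch.conf resolv.conf TIMEZONE; do
        if [ -f "/etc/$f" ]; then cp -p "/etc/$f" "$1/etc/"; fi
    done
}

# jail_account JAIL : write the "named" account into the jail's own
# passwd/shadow/group.  The same three lines must also be appended to the
# system's /etc files, a one-time step done by hand as root.
jail_account() {
    echo "named:x:20000:20000:BIND DNS daemon:/tmp:/bin/false" > "$1/etc/passwd"
    echo "named:NP:6445::::::"                                  > "$1/etc/shadow"
    echo "named::20000:"                                        > "$1/etc/group"
}

# lib_paths_from_ldd : read ldd output on stdin, e.g.
#   libnsl.so.1 =>   /usr/lib/libnsl.so.1
# and print each resolved library path once.  The article found that
# ld.so.1 and nss_files.so.1 were needed as well although ldd did not
# report them; add those by hand.
lib_paths_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// && !seen[$3]++ { print $3 }'
}

# copy_libs JAIL LIB... : copy each library into the jail under the same
# path (for /usr/lib/*.so this is exactly the article's $jail/usr/lib).
copy_libs() {
    jail=$1; shift
    for lib in "$@"; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# jail_missing JAIL : print the required files that are still absent and
# return 1 if there are any.  Run it before the first chroot'ed start so the
# gaps show up here instead of in a truss trace.
jail_missing() {
    rc=0
    for f in etc/passwd etc/group etc/syslog.conf etc/resolv.conf \
             usr/lib/ld.so.1 usr/lib/nss_files.so.1 usr/lib/libc.so.1 \
             usr/share/lib/zoneinfo/MET dev/log dev/null dev/tcp dev/udp \
             usr/local/sbin/named usr/local/sbin/named-xfer \
             usr/local/etc/named.conf; do
        if [ ! -e "$1/$f" ]; then echo "missing: $f"; rc=1; fi
    done
    return $rc
}
```

Typical use, as root on the real host: make_jail_tree /home/dns, copy_etc /home/dns, jail_account /home/dns, then copy_libs /home/dns $(ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | lib_paths_from_ldd) followed by the article's extra ld.so.1 and nss_files.so.1 copies, the timezone copy and the mknod commands; jail_missing /home/dns then lists whatever is still absent.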