Hardening the BIND DNS Server - Page 2

This paper presents the risks posed by an insecure DNS server and walks through compiling, installing, configuring and optionally, chroot'ing BIND 8. The test environment is Solaris 2.5, 2.6, 7 and 8. Many configuration and troubleshooting tips are provided, along with up-to-date references on BIND and alternatives for NT, Linux and Solaris.

 By Sean Boran

2. Setting up DNS data files

Create a configuration file:

cd /usr/local/etc
vi named.conf 
chown root.named named.conf 
chmod 640 named.conf 

So what do you put in named.conf? Have a look at the examples provided in the second footnote 2. The file consists of options, logging, ACL, server and zone sections. Some of the directives are:

  • The directory tells BIND where to look for data files.
  • Internal DNS servers without Internet access will need to use forwarders to forward all unknown queries to DNS servers which have Internet access.
  • The process number of BIND is stored according to the pid-file directive. The "named user" needs read and write access to this file.
  • BIND's logging is very flexible. The example logs to the syslog local1.info facility.
  • Access control lists (ACLs) can and should be used to restrict which servers are allowed zone transfers. It is recommended to use this feature to make it more difficult for attackers to map your network layout. Servers typically allowed in the list are primaries/secondaries for the domain, your ISP and the NIC for your country.
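
The directives listed above can be checked mechanically before named is started. The following Bourne shell sketch is an added example, not part of the original article or its footnoted configurations: the embedded BIND 8 style named.conf is constructed, and the ACL name `xfer`, the channel name `syslog_info`, the zone and the 192.0.2.x addresses are assumptions. It strips `#` and `//` comments only, not `/* */` blocks.

```shell
#!/bin/sh
# Constructed sample named.conf (BIND 8 syntax); names and addresses are
# illustrative assumptions, not taken from the article.
SAMPLE_CONF='acl "xfer" { 192.0.2.10; 192.0.2.11; };
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
    forwarders { 192.0.2.53; };
    allow-transfer { xfer; };
};
logging {
    channel syslog_info { syslog local1; severity info; };
    category default { syslog_info; };
};
zone "example.com" { type master; file "example.com.db"; };'

# audit_conf: read a named.conf on stdin and print one finding per line.
# No output means every check passed. Commented-out directives are
# ignored because # and // comments are removed first.
audit_conf() {
    conf=$(sed -e 's/#.*$//' -e 's://.*$::')
    for d in directory pid-file allow-transfer; do
        if ! printf '%s\n' "$conf" |
            grep -Eq "(^|[[:space:];{])${d}[[:space:]]"; then
            echo "MISSING: $d"
        fi
    done
    # An allow-transfer that lists "any" restricts nothing.
    if printf '%s\n' "$conf" |
        grep -Eq 'allow-transfer[[:space:]]*\{[[:space:]]*any[[:space:]]*;'; then
        echo "WEAK: allow-transfer permits any host"
    fi
    # The article logs to a syslog local facility (local1 in its example).
    if ! printf '%s\n' "$conf" |
        grep -Eq 'syslog[[:space:]]+local[0-7][[:space:]]*;'; then
        echo "NOTE: no syslog localN channel defined"
    fi
    return 0
}

findings=$(printf '%s\n' "$SAMPLE_CONF" | audit_conf)
echo "sample config findings: ${findings:-none}"
```

Against a real server the same function reads the file directly: `audit_conf < /usr/local/etc/named.conf`.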

After setting up named.conf, the files containing the DNS records have to be set up on primaries (in /var/named in our example); these are automatically downloaded by secondaries.

3. Running BIND

Check the console and syslog (daemonlog) for errors, e.g.

tail -f local0log | grep "named" 

Start BIND:

/usr/local/sbin/named -u named

Configure automatic starting on boot
In /etc/init.d/inetsvc, change the DNS startup lines to:

# Start the BIND DNS server:
if [ -f /usr/local/sbin/named -a -f /usr/local/etc/named.conf ]; then
  echo "Starting BIND domain name server."
  /usr/local/sbin/named -u named;
fi

Before moving on to the next stage, BIND should be working well, with no errors in the logs. See also the troubleshooting section.

Chroot'ing BIND

This process has three steps: create a general chroot jail, install BIND into the jail, start and test the chroot'ed BIND.

Set up a general chroot environment

BIND is now up and running, but we want to tighten security further by forcing it to run in a chroot environment (also called a jail or padded cell; basically, this restricts the files visible to BIND to a subdirectory within the file system). See also the second footnote 2 for a discussion of chroot environments.

We will now walk through the steps for setting up the chroot environment, copying over the BIND files, starting BIND and troubleshooting. These steps chroot the entire BIND program, rather than just using BIND's "-t" feature (see Note 1).

The following steps assume use of the C-Shell. We start by setting a variable for the chroot environment (jail) location, and setting umask so that all files copied can be read by both group and world. These commands are designed to be copied and pasted.

  • Set source and destination directories
set jail='/home/dns';
umask 022; 
  • Set up empty directories and links:
mkdir $jail;
cd $jail;
mkdir -p {dev,opt,usr,var,etc};
mkdir -p var/{run,log,named} usr/{local,lib};
mkdir -p usr/share/lib/zoneinfo; 
  • Set up /etc
cp /etc/{syslog.conf,netconfig,nsswitch.conf,resolv.conf,TIMEZONE} $jail/etc 
    • Create a user and group account within chroot and for the whole system. BIND will run under this account.

Create $jail/etc/passwd and also add the entry to /etc/passwd:

echo "named:x:20000:20000:BIND DNS daemon:/tmp:/bin/false" >> /etc/passwd
echo "named:x:20000:20000:BIND DNS daemon:/tmp:/bin/false" > $jail/etc/passwd

And $jail/etc/shadow and add to /etc/shadow:

echo "named:NP:6445::::::"  >> /etc/shadow
echo "named:NP:6445::::::"  > $jail/etc/shadow

And $jail/etc/group and add to /etc/group:

echo "named::20000:" >> /etc/group
echo "named::20000:" > $jail/etc/group 
    • Set up libraries:

Use ldd to see what shared object libraries named and named-xfer rely on:

ldd /usr/local/sbin/named /usr/local/sbin/named-xfer

  • Check the domains using the IP-Plus tool 4.
  • Read the sections Known Problems and Configuration Notes below.
  • Join the FOCUS-SUN@SECURITYFOCUS.COM list and discuss the problem ;-)

Known Problems

  • BIND will still log to syslog "daemon" for certain events, even if the logging directive tells BIND to log to "local1" (as in our example).
  • ndc does not work correctly in a chroot'ed environment. It would be better to start BIND via ndc:

Copy the files listed above, for example for Solaris 2.6/7:

cp -p /usr/lib/libnsl.so.1 \
/usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
/usr/lib/libdl.so.1 /usr/lib/libmp.so.2 $jail/usr/lib

On Solaris 2.5:

cp -p /usr/lib/libnsl.so.1 \
/usr/lib/libsocket.so.1 /usr/lib/libc.so.1 \
/usr/lib/libdl.so.1 /usr/lib/libmp.so.1 /usr/lib/libw.so.1 \
/usr/lib/libintl.so.1 $jail/usr/lib

Experience has shown the following are also needed for Solaris 2.5/6/7:

cp /usr/lib/ld.so.1 /usr/lib/nss_files.so.1 $jail/usr/lib

("Experience" means that first attempts didn't work, but by running BIND with truss, one could see what libraries were being sought after.)

  • Copy over Timezone files (I use MET, here in Europe):
mkdir -p $jail/usr/share/lib/zoneinfo;
cp -p /usr/share/lib/zoneinfo/MET $jail/usr/share/lib/zoneinfo/MET
  • Set up devices for communication, console, syslog, etc.
cd $jail/dev
mknod tcp c 11 42
mknod udp c 11 41
mknod log c 21 5 
mknod null c 13 2 
mknod zero c 13 12 
chgrp sys null zero
chmod 666 null
mknod conslog c 21 0
mknod syscon c 0 0 
chmod 620 syscon
chgrp tty syscon
chgrp sys conslog
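
A check for the library step of the jail procedure above, added here as an example and not part of the original article: it compares what ldd reports against what has actually been copied under the jail, plus the two runtime-loaded files the article found by experience. It is written in Bourne shell rather than the C-Shell used for the steps; the embedded ldd output is constructed from the Solaris 2.6/7 cp command, and the function names are hypothetical.

```shell
#!/bin/sh
# Constructed sample of ldd output for named on Solaris 2.6/7; the library
# names are the ones in the article's cp command.
SAMPLE_LDD='        libnsl.so.1 =>   /usr/lib/libnsl.so.1
        libsocket.so.1 =>        /usr/lib/libsocket.so.1
        libc.so.1 =>     /usr/lib/libc.so.1
        libdl.so.1 =>    /usr/lib/libdl.so.1
        libmp.so.2 =>    /usr/lib/libmp.so.2'

# Files ldd does not list but the article found were needed (loaded at run
# time): the dynamic linker and the nsswitch "files" backend.
RUNTIME_EXTRAS='/usr/lib/ld.so.1 /usr/lib/nss_files.so.1'

# ldd_paths: print the unique resolved library paths from ldd output on
# stdin. Per-file header lines and "(file not found)" entries are skipped.
ldd_paths() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }' | sort -u
}

# missing_in_jail JAIL: read ldd output on stdin and print every required
# library that has no copy at the same path under JAIL.
missing_in_jail() {
    jail=$1
    { ldd_paths; printf '%s\n' $RUNTIME_EXTRAS; } |
    while read -r lib; do
        [ -f "$jail$lib" ] || echo "$lib"
    done
}

# Demonstration against a throwaway directory standing in for $jail.
demo=$(mktemp -d)
mkdir -p "$demo/usr/lib"
touch "$demo/usr/lib/libc.so.1"
echo "missing from demo jail:"
printf '%s\n' "$SAMPLE_LDD" | missing_in_jail "$demo"
rm -rf "$demo"
```

On the real system the input comes from ldd itself: `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | missing_in_jail /home/dns`. An empty result means every listed library is present in the jail.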

This article was originally published on Dec 5, 2000