DNS: Create a chroot Jail

15 minutes
  • 5 Learning Objectives

About this Hands-on Lab

Isolating BIND in a chroot jail is common practice. It prevents any malicious user, who happens to gain access to the system by exploiting a BIND vulnerability, from further exploiting the system. In this lab, we’ll practice setting up a jail for BIND.

Learning Objectives

Successfully complete this lab by achieving the following learning objectives:

Set up the chroot Jail for the BIND Service

In CentOS all we need to do is run yum install bind-chroot -y, and then ensure that the normal BIND service isn’t set to run:

systemctl stop named
systemctl disable named
systemctl enable named-chroot
Add the Forward Zone Configuration to the /etc/named.conf File, Then Run the named-checkconf Command to Verify the Configuration
 # vim /etc/named.conf

Insert the zone configuration just before the include statements at the bottom of the file:

 zone "mylabserver.com" {
    type master;
    file "/var/named/chroot-zone.db";

Then run the named-checkconf command to verify the configuration:

 # named-checkconf
Create the Forward Zone File and Check the Configuration for Syntax Errors with named-checkzone
  1. Create the forward zone file:

    vim /var/named/chroot-zone.db
  2. Enter the following:

    $TTL    86400
    @       IN      SOA     nameserver.mylabserver.com. root.mylabserver.com. (
                              10030         ; Serial
                               3600         ; Refresh
                               1800         ; Retry
                             604800         ; Expiry
                              86400         ; Minimum TTL
    ; Name Server
    @        IN      NS       nameserver.mylabserver.com.
    ; A Record Definitions
    nameserver       IN      A
    mailprod         IN      A
    mailbackup       IN      A
    ; Canonical Name/Alias
    dns        IN    CNAME    nameserver.mylabserver.com.
    ; Mail Exchange Records
    @        IN    MX    10    mailprod.mylabserver.com.
    @        IN    MX    20    mailbackup.mylabserver.com.
  3. Save the document with :wq!.

  4. Run the named-checkzone command to check the zone file for syntax errors:

    named-checkzone mylabserver.com /var/named/chroot-zone.db
Change the File Permissions and the Group Owner for /var/named/fwd.mylabserver.com.db
  1. Change the file permissions for /var/named/chroot-zone.db:
    chmod 760 /var/named/chroot-zone.db
  2. Change the group owner of the file to named:
    chgrp named /var/named/chroot-zone.db
Start the Newly Configured named-chroot Service
systemctl start named-chroot

Additional Resources

ABC Company is currently in the process of setting up its own internally-hosted DNS service. The next phase of the project is to set BIND up in a chroot jail. The DNS administrator fell sick and is unavailable, but the project has a tight timeline. We have been designated as a resource to set up a BIND chroot jail with a forward DNS zone.

To complete this lab we'll need to set up a chroot jail and then create a forward zone file that contains the following records:

  • TTL Record
  • SOA Record
  • A Records:
    • nameserver
    • mailprod
    • mailbackup
  • CNAME Record:
    • dns = nameserver.mylabserver.com.

What are Hands-on Labs

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Sign In
Welcome Back!

Psst…this one if you’ve been moved to ACG!

Get Started
Who’s going to be learning?