Lab
A Cloud Guru

DNS: Create a chroot Jail

Isolating BIND in a chroot jail is common practice. It prevents any malicious user, who happens to gain access to the system by exploiting a BIND vulnerability, from further exploiting the system. In this lab, we'll practice setting up a jail for BIND.

Try for free Contact sales

Path Info

Level

Intermediate

Duration

15m

Published

May 01, 2020

Challenge

Set up the chroot Jail for the BIND Service
In CentOS all we need to do is run yum install bind-chroot -y, and then ensure that the normal BIND service isn't set to run:
```
systemctl stop named
systemctl disable named
systemctl enable named-chroot
```
Challenge

Add the Forward Zone Configuration to the /etc/named.conf File, Then Run the named-checkconf Command to Verify the Configuration
```
# vim /etc/named.conf
```
Insert the zone configuration just before the include statements at the bottom of the file:
```
zone "mylabserver.com" {
   type master;
   file "/var/named/chroot-zone.db";
};
```
Then run the named-checkconf command to verify the configuration:
```
# named-checkconf
```

Challenge

Create the Forward Zone File and Check the Configuration for Syntax Errors with named-checkzone

Create the forward zone file:
```
vim /var/named/chroot-zone.db
```

Enter the following:

$TTL    86400
@       IN      SOA     nameserver.mylabserver.com. root.mylabserver.com. (
                          10030         ; Serial
                           3600         ; Refresh
                           1800         ; Retry
                         604800         ; Expiry
                          86400         ; Minimum TTL
)
; Name Server
@        IN      NS       nameserver.mylabserver.com.
; A Record Definitions
nameserver       IN      A       172.31.18.93
mailprod         IN      A       172.31.18.30
mailbackup       IN      A       172.31.18.72
; Canonical Name/Alias
dns        IN    CNAME    nameserver.mylabserver.com.
; Mail Exchange Records
@        IN    MX    10    mailprod.mylabserver.com.
@        IN    MX    20    mailbackup.mylabserver.com.

Save the document with :wq!.
Run the named-checkzone command to check the zone file for syntax errors:
```
named-checkzone mylabserver.com /var/named/chroot-zone.db
```

Challenge

Change the File Permissions and the Group Owner for /var/named/fwd.mylabserver.com.db
1. Change the file permissions for /var/named/chroot-zone.db:
```
chmod 760 /var/named/chroot-zone.db
```
2. Change the group owner of the file to named:
```
chgrp named /var/named/chroot-zone.db
```
Challenge

Start the Newly Configured named-chroot Service
```
systemctl start named-chroot
```

Author

A Cloud Guru

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Provided environment for hands-on practice

We will provide the credentials and environment necessary for you to practice right within your browser.

Guided walkthrough

Follow along with the author’s guided walkthrough and build something new in your provided environment!

Did you know?

On average, you retain 75% more of your learning if you get time for practice.

Start learning by doing today

View Plans

DNS: Create a chroot Jail

Path Info

Table of Contents

Set up the chroot Jail for the BIND Service

Add the Forward Zone Configuration to the /etc/named.conf File, Then Run the named-checkconf Command to Verify the Configuration