Configure a secure DNS: chroot BIND 9 on Red Hat
Tianyuan has recently been working with many Red Hat systems and has configured BIND 9 on Red Hat 9; the example below uses Red Hat AS3 as the platform. The production DNS server at Tianyuan's site runs Solaris, so the accompanying shell script was written with Solaris in mind as well, although for various reasons it could not be tested there. The installation steps below are correct for Red Hat and other Unix systems; the attached installer script has been tested successfully only on Red Hat, with Solaris taken into account as far as possible. If you run into problems with the script on Solaris, please report them in the comments of this article so that corrections can be made for other readers.
Before we start, let's explain the two words "chroot" and "bind" in the title. First, chroot. Many English articles call this a "jail". What is a jail? Simply put, something is confined to a limited range. As everyone knows, an application may be taken over by an attacker because of a bug or vulnerability, giving the attacker the privileges of the user the program runs as and, from there, possibly administrator level. Windows users may have heard of IIS vulnerabilities that handed the highest system privileges to attackers. Any program can have bugs or vulnerabilities. To keep a vulnerability in one program from handing the whole system to an attacker, you need to restrict what that program is permitted to do.
Restriction does not stop the program from running; it strictly controls the system resources, user privileges and directories available to the program while it runs. If the program is then taken over, the attacker's privileges are quite limited and the harm to the system is contained. For example, anyone who has used an FTP server knows that users log in with a username and password to their own space, where they can upload, download, and create and delete directories, but cannot do anything in other users' directories or elsewhere on the system (these permissions are, of course, granted by the administrator). That is a kind of jail: FTP users are confined to their own directories. In Unix terms this jail is called a "chroot". So "chroot bind" in the title can be read as "BIND with strictly limited permissions".
It is worth stressing that a chrooted program is not itself any safer: it has exactly as many bugs and vulnerabilities as the same program without chroot, and attackers can still exploit them. So what does chroot do for us? It minimises the loss. Buying life insurance does not guarantee your safety, but it reduces your losses when something goes wrong; chroot is the same. When an attacker obtains the program's privileges, they cannot do much more damage, because those privileges are strictly limited and do not give them full control of the operating system. A DNS server exists to answer name resolution queries from many different places and generally does not restrict client IP addresses, so its exposure and the likelihood of attack are high. For a DNS server the data is available everywhere on the network; what we as network administrators need is not just name resolution but security (as Tianyuan noted in earlier network administration notes, "security is a kind of awareness": in everything you do, remind yourself to pay attention to security; that is what a competent administrator should have)!
The second term is "BIND". BIND is software from ISC and the most widely used DNS software in the world; if Apache and IIS are the two leading Web servers, BIND is the de facto standard DNS server.
Now let's begin the BIND installation. The chroot method confines a program to a subdirectory of the root directory: the program has permissions only inside that directory and none outside it. With BIND 8 it was quite troublesome to put all of BIND's files into one directory. With BIND 9, ISC finally made this easy: not only can BIND be installed into a single directory for the permission-restriction job, but remote control software (rndc) was added as well, which is a real improvement.
1. Install BIND 9
Although I use the RPM package on Red Hat AS3, we install from the source package here to make the procedure usable on other operating systems. First download the BIND 9 package from the ISC home page (http://www.isc.org/products/BIND/).
Next, extract it (brief description; unless stated otherwise, the following operations are performed as root):
tar vzxf bind-9.2.3.tar.gz
Uninstall the BIND that comes with Red Hat. There are three RPM packages.
rpm -e bind-utils caching-nameserver
Enter the extracted directory and compile and install:
./configure --prefix=/usr/local --disable-ipv6 --disable-threads
# IPv6 and threads are not used, so they are disabled; BIND 9 is installed under /usr/local.
make; make install
BIND 9 is now installed. For an ordinary DNS server the installation would be complete; for our chroot it is just the beginning.
2. Build the chroot directory environment
A. Create the BIND working directory /chroot/named and its subdirectories
rm -rf /chroot/named # delete the old directory; this makes debugging convenient when writing the shell script
mkdir -p /chroot/named
cd /chroot/named
mkdir dev # virtual /dev
mkdir etc # virtual /etc
mkdir logs # log storage
mkdir -p var/run # the named.pid file will be placed here later
B. Create the BIND group and the user named
groupadd named
useradd -g named -d /chroot/named -s /bin/true named
passwd -l named # -l locks the account so nobody can log in as named
C. Create virtual devices (dev). Some logging options use device files. By default the files under /dev are used, but because we confine DNS to one directory, the files (devices) it needs from /dev must be replicated inside that directory.
The numbers such as 1 and 3 are the major and minor device numbers (generally, the major number distinguishes the device type and the minor number identifies a particular device of that type; remember that Unix treats devices as files). They can be read from the output of ls -l; on Red Hat 9 it makes no difference whether the -L option is added, but on Solaris -L must be added for the numbers to be displayed, because the entries under /dev there are symbolic links.
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8
D. Copy the clock file into our chroot etc. The Linux clock setting file is /etc/localtime; it is in fact a symbolic link to the corresponding file under /usr/share/zoneinfo. (Assuming our region is Shanghai, the time zone is set with: ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime. Note that this file does not exist on Tianyuan's Solaris 2.6; use /usr/share/lib/zoneinfo/GB instead.)
cp /etc/localtime etc/
3. Create and set up the BIND 9 configuration file
By default BIND uses /etc/named.conf as its configuration file. Because we want a chrooted DNS, we put named.conf under /chroot/named/conf and then symlink it to /etc/named.conf. First create and edit named.conf (most articles on DNS describe named.conf configuration in great detail, so I will not explain every line; the comments below should be easy to follow and other articles can be consulted).
vi /chroot/named/etc/named.conf and enter the following (since everyone's configuration differs, Tianyuan lists only the settings for a caching-only DNS server):
options {
    // Note: /conf and /var below are not the real /conf and /var of the system; in chroot mode they refer to the directories of the same name under /chroot/named.
    directory "/conf";                      // directory where the configuration files live
    pid-file "/var/run/named.pid";          // process ID file
    statistics-file "/var/run/named.stats"; // statistics output file, used by rndc
    dump-file "/var/run/named.db";          // database dump file, used by rndc
    // Hide the real version number; a misleading 4.0 string is returned instead.
    version "[4.0]";
};
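As an added example (not the article's own installer script, which is not reproduced on this page), the following POSIX shell script carries steps 2 and 3 through in one piece: it builds the chroot tree, creates the device nodes and the locked named account when run as root, writes the caching-only options block above into etc/named.conf, and then audits the result so that a missing directory, configuration file or device node is reported before named is ever started inside the jail. The CHROOT variable, the function names and the separate conf directory for zone and cache files (matching the directory "/conf" option) are assumptions of this example; the device major/minor numbers are the Linux values from the article.

```shell
#!/bin/sh
# Added example, not the article's script: build and audit the BIND 9 chroot tree.
# CHROOT defaults to the article's /chroot/named; set CHROOT=/tmp/named-test for a
# dry run as an ordinary user (device nodes and the named account need root).

CHROOT="${CHROOT:-/chroot/named}"

# name:major:minor, the Linux numbers used in the article (Solaris uses others).
DEVICES="null:1:3 zero:1:5 random:1:8"

# Step 2.A, 2.C and 2.D: directories, device nodes and the clock file.
build_chroot_tree() {
    dir="$1"
    mkdir -p "$dir/conf" "$dir/dev" "$dir/etc" "$dir/logs" "$dir/var/run" || return 1
    # clock file, so that log timestamps inside the jail use the local zone
    [ -f /etc/localtime ] && cp /etc/localtime "$dir/etc/localtime"
    if [ "$(id -u)" -eq 0 ]; then
        for spec in $DEVICES; do
            name=${spec%%:*}; rest=${spec#*:}; major=${rest%%:*}; minor=${rest#*:}
            [ -c "$dir/dev/$name" ] || mknod "$dir/dev/$name" c "$major" "$minor"
        done
        # named reads and writes these nodes as its unprivileged user
        chmod 666 "$dir/dev/null" "$dir/dev/zero" "$dir/dev/random"
    fi
    return 0
}

# Step 2.B: dedicated group and a locked, shell-less account (root only).
create_named_user() {
    dir="$1"
    [ "$(id -u)" -eq 0 ] || return 0
    getent group named >/dev/null 2>&1 || groupadd named
    id named >/dev/null 2>&1 || useradd -g named -d "$dir" -s /bin/true named
    passwd -l named
}

# Step 3: the article's caching-only options, written as etc/named.conf inside
# the chroot. All paths are relative to the chroot root once named has chrooted.
write_named_conf() {
    dir="$1"
    cat > "$dir/etc/named.conf" <<'EOF'
options {
    directory "/conf";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    dump-file "/var/run/named.db";
    // hide the real version string from version.bind queries
    version "[4.0]";
};
EOF
}

# Return 0 when every directory and the configuration file are in place, 1
# otherwise; each missing item is printed so the output doubles as a checklist.
audit_chroot_tree() {
    dir="$1"; missing=0
    for d in conf dev etc logs var/run; do
        [ -d "$dir/$d" ] || { echo "missing directory: $dir/$d"; missing=1; }
    done
    [ -f "$dir/etc/named.conf" ] || { echo "missing $dir/etc/named.conf"; missing=1; }
    # the version directive must be present to override BIND's real version
    grep -q 'version "' "$dir/etc/named.conf" 2>/dev/null \
        || { echo "named.conf does not set version"; missing=1; }
    return $missing
}

# Device nodes are audited separately: they can only exist if built as root.
audit_chroot_devices() {
    dir="$1"; missing=0
    for spec in $DEVICES; do
        name=${spec%%:*}
        [ -c "$dir/dev/$name" ] || { echo "missing device node: $dir/dev/$name"; missing=1; }
    done
    return $missing
}

if [ "${1:-}" = "run" ]; then
    build_chroot_tree "$CHROOT" && create_named_user "$CHROOT" && write_named_conf "$CHROOT"
    audit_chroot_tree "$CHROOT"
    audit_chroot_devices "$CHROOT" || echo "(device nodes are only created when run as root)"
fi
```

Saved as, say, chroot-named.sh, `sh chroot-named.sh run` as root builds /chroot/named; `CHROOT=/tmp/named-test sh chroot-named.sh run` as an ordinary user is a dry run in which the directory audit passes and the device audit lists the three nodes as missing. The audit functions are kept separate from the build functions so that the same checklist can be re-run later, for example after a package upgrade, to confirm the jail is still complete.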