From Fedora Project Wiki

DNS and BIND

This documentation is outdated
This section of the Wiki contains outdated information and should not be used as guidance on how to configure and run BIND in Fedora. Please refer to the official Fedora documentation for the Fedora version you are using. The documentation about BIND is in the DNS Servers chapter of the Networking Guide.

Running BIND in a Chroot Jail

Run the following command as root to install the bind-chroot packages:

yum install bind-chroot

Run the following command as root to remove the symbolic link, /etc/rndc.key. This file is not needed. The only file required for rndc is the symbolic link, /etc/rndc.conf, which points to the /var/named/chroot/etc/rndc.conf file:

rm /etc/rndc.key

If the rndc.key file exists in the chroot environment, run the following command as root to remove it:

rm /var/named/chroot/etc/rndc.key

A new directory structure, /var/named/chroot/, is created after installing the bind-chroot package. After the bind-chroot package is installed, /etc/named.conf is copied into the /var/named/chroot/etc/ directory, and /etc/named.conf becomes a symbolic link, which points to /var/named/chroot/etc/named.conf. The /etc/rndc.conf file is copied into the /var/named/chroot/etc/ directory, and /etc/rndc.conf becomes a symbolic link, which points to /var/named/chroot/etc/rndc.conf. The /etc/rndc.conf symbolic link must exist, otherwise the service named stop command will fail. If the symbolic link does not exist, change into the /etc/ directory, and run the following command as root to create it:

ln -s /var/named/chroot/etc/rndc.conf rndc.conf

If you were running BIND in a non-chroot environment before installing bind-chroot, all files in the /etc/bind/ directory are automatically copied to the /var/named/chroot/etc/bind/ directory.

Permissions

This section assumes you used the same configuration file names as in the previous sections. All commands in this section and in the SELinux Contexts section must be run as the root user. Run the following command to set the correct user, group, and mode for the bind/ directory:

chown named:named /var/named/chroot/etc/bind/; chmod 755 /var/named/chroot/etc/bind/

Run the following command to set the correct user, group, and mode for the named.conf file:

chown named:named /var/named/chroot/etc/named.conf; chmod 600 /var/named/chroot/etc/named.conf

Run the following command to set the correct user, group, and mode for the rndc.conf file:

chown root:named /var/named/chroot/etc/rndc.conf; chmod 440 /var/named/chroot/etc/rndc.conf

Run the following command to set the correct user, group, and mode for the bind/bind.log file:

chown named:named /var/named/chroot/etc/bind/bind.log; chmod 600 /var/named/chroot/etc/bind/bind.log

Run the following command to set the correct user, group, and mode for the bind/logging file, which is used to define the logging used for named:

chown named:named /var/named/chroot/etc/bind/logging; chmod 400 /var/named/chroot/etc/bind/logging

Change into the /var/named/chroot/etc/bind/ directory and run the following command to set the correct user and group ownership for each zone database file:

chown named:named *

Run the following command to set the correct user, group, and mode for the bind/named-stats.log file:

chown named:root /var/named/chroot/etc/bind/named-stats.log; chmod 660 /var/named/chroot/etc/bind/named-stats.log

Once the zone database files have been configured, it is recommended that they be read-only. Change into the directory containing the zone database files, and run the following command as root to set the correct user and group for each zone database file, replacing each instance of zone-database-name with the correct file name:

chown named:named zone-database-name zone-database-name zone-database-name

For example, if you used the database names from the previous steps, run the following command:

chown named:named root.hint db.testdomain.com db.127 db.0.168.192.in-addr.arpa

To set read-only permissions, run the following command as root:

chmod 400 zone-database-name zone-database-name zone-database-name

SELinux Contexts

If you are running SELinux, run the following commands as root to set the correct SELinux contexts for the bind/ directory, and the named.conf, bind.log, rndc.conf, named-stats.log, and logging files:

chcon -t named_zone_t /var/named/chroot/etc/bind/
chcon -t named_zone_t /var/named/chroot/etc/named.conf
chcon -t named_cache_t /var/named/chroot/etc/bind/bind.log
chcon -t named_conf_t /var/named/chroot/etc/rndc.conf
chcon -t named_cache_t /var/named/chroot/etc/bind/named-stats.log
chcon -t named_zone_t /var/named/chroot/etc/bind/logging

Run the following command as root on each zone database file to set the correct SELinux context:

chcon -t named_zone_t zone-database-name zone-database-name zone-database-name
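The Permissions and SELinux Contexts sections above list the expected owner, group, mode and SELinux type for each file under the chroot. The following script is an added example, not part of the Fedora wiki page, that audits an existing chroot against that table without changing anything; it assumes GNU stat(1) on Linux and lets CHROOT override the /var/named/chroot path used on the page.

```shell
#!/bin/sh
# Added example (not from the Fedora wiki): read-only audit of a BIND chroot against
# the owner/group/mode table from the Permissions section and the SELinux types from
# the SELinux Contexts section. Assumes GNU stat on Linux; CHROOT selects the tree.
# One entry per line: relative path, owner, group, mode, SELinux type (values from the page).
EXPECTED='etc/bind named named 755 named_zone_t
etc/named.conf named named 600 named_zone_t
etc/rndc.conf root named 440 named_conf_t
etc/bind/bind.log named named 600 named_cache_t
etc/bind/logging named named 400 named_zone_t
etc/bind/named-stats.log named root 660 named_cache_t'
# check_one PATH OWNER GROUP MODE [SETYPE]: returns 0 if PATH matches, 1 otherwise (prints why).
# The SELinux type is compared only when given and when stat can report a context.
check_one() {
  c_path=$1 c_owner=$2 c_group=$3 c_mode=$4 c_type=${5:-}
  if [ ! -e "$c_path" ]; then
    echo "MISSING  $c_path"
    return 1
  fi
  set -- $(stat -c '%U %G %a' "$c_path")
  if [ "$1" != "$c_owner" ] || [ "$2" != "$c_group" ] || [ "$3" != "$c_mode" ]; then
    echo "MISMATCH $c_path: have $1:$2 $3, want $c_owner:$c_group $c_mode"
    return 1
  fi
  if [ -n "$c_type" ]; then
    ctx=$(stat -c '%C' "$c_path" 2>/dev/null || echo '?')   # '?' when SELinux is absent
    case "$ctx" in
      '?') ;;                                              # no context to check
      *:"$c_type":*) ;;                                    # user:role:TYPE:level matches
      *) echo "CONTEXT  $c_path: have $ctx, want type $c_type"; return 1 ;;
    esac
  fi
  return 0
}
# audit_chroot ROOT: checks every table entry under ROOT; returns 0 only when all match.
audit_chroot() {
  a_root=$1 a_bad=0
  while read -r rel owner group mode setype; do
    [ -n "$rel" ] || continue
    check_one "$a_root/$rel" "$owner" "$group" "$mode" "$setype" || a_bad=$((a_bad + 1))
  done <<EOF
$EXPECTED
EOF
  echo "$a_bad of 6 entries under $a_root differ from the expected table"
  [ "$a_bad" -eq 0 ]
}
# Run directly (as root, so every path can be read): audit the chroot the page uses.
[ -d "${CHROOT:-/var/named/chroot}" ] && audit_chroot "${CHROOT:-/var/named/chroot}"
```

Run it after the chown/chmod/chcon steps (and again after package updates) to confirm the tree still matches the table; a non-zero exit status means at least one entry drifted.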