Install and Configure DNS/BIND On Linux/Rhel/CentOS With Chroot Feature


Centos/Redhat BIND normally runs as the named process owned by the unprivileged named user.Sometimes BIND is also installed using Linux chroot feature to not only run named as user named, but also to limit the files named can see.

When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in /var/named/chroot/etc directory instead, and those you’d expect to find in /var/named are actually located in /var/named/chroot/var/named.

The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker’s access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.

You can install chroot add-on RPM by using this command.

To install we need to configure the Yum Repository.

[[email protected] ~]# yum install bind bind-chroot

Loaded plugins: fastestmirror

Determining fastest mirrors

myrepo | 1.1 kB 00:00

primary.xml.gz | 878 kB 00:00

myrepo 2508/2508

Setting up Install Process

Parsing package install arguments

Resolving Dependencies

There are unfinished transactions remaining. You mightconsider running yum-complete-transaction first to finish them.

–> Running transaction check

—> Package bind-chroot.i386 30:9.3.4-10.P1.el5 set to be updated

—> Package bind.i386 30:9.3.4-10.P1.el5 set to be updated

–> Finished Dependency Resolution

Dependencies Resolved


Package Arch Version Repository Size



bind i386 30:9.3.4-10.P1.el5 myrepo 953 k

bind-chroot i386 30:9.3.4-10.P1.el5 myrepo 42 k

Transaction Summary


Install 2 Package(s)

Update 0 Package(s)

Remove 0 Package(s)

Total download size: 995 k

Is this ok [y/N]: y

Downloading Packages:

(1/2): bind-chroot-9.3.4-10.P1.el5.i386.rpm | 42 kB 00:00

(2/2): bind-9.3.4-10.P1.el5.i386.rpm | 953 kB 00:00


Total 1.8 MB/s | 995 kB 00:00

Running rpm_check_debug

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Installing : bind [1/2]

Installing : bind-chroot [2/2]

Installed: bind.i386 30:9.3.4-10.P1.el5 bind-chroot.i386 30:9.3.4-10.P1.el5


Now the DNS root will be /var/named/chroot only. So first copy the named configuration file from /var/named/chroot/etc/

[[email protected] named]# cp /usr/share/doc/bind-9.3.4/sample/etc/* /var/named/chroot/etc/

Next copy the sample zone file from /var/named/chroot/var/named directory.

[[email protected] named]# cp -a /usr/share/doc/bind-9.3.4/sample /var/named/* /var/named/chroot/var/named/

cp: overwrite `/var/named/chroot/var/named/slaves/’? y

cp: overwrite `/var/named/chroot/var/named/slaves/’? y

Once sample copy is over, now we have to add the dns keygen in to the configuration file ie /var/named/chroot/etc/named.conf. to create the dns keygen use following command.

[[email protected] named]# dns-keygen


Insert above in /var/named/chtoot/etc/named.conf

[[email protected] named]# vi /etc/named.conf

key ddns_key


algorithm hmac-md5;

secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcC;


Again edit the /var/named/chroot/etc/named.conf, enter zone details as per your domain requirement. The following file is minimal configuration to run DNS server. you can copy and use it for your environment also.

[[email protected] named]# vi /var/named/chroot/etc/named.conf



directory “/var/named”; // the default

dump-file “data/cache_dump.db”;

statistics-file “data/named_stats.txt”;

memstatistics-file “data/named_mem_stats.txt”;




channel default_debug {

file “data/”;

severity dynamic;



zone “” IN { —–> Name of the forward Zone

type master;

file “”; —–> Name of the file where Zone Saved

allow-update { none; };


zone “” IN { —–> Name of the reverse Zone

type master;

file “”; —–> Name of the file where Zone Saved

allow-update { none; };


key ddns_key


algorithm hmac-md5;

secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcC;


Next you need to have forward zone file ( in the /var/named/chroot/var/named/ directory.

Copy the /var/named/chroot/var/namded/ as /var/named/chroot/var/named/

[[email protected] named]# cp /var/named/chroot/var/named/ /var/named/chroot/var/named/

There are some special keywords for Zone Files

A-A record

NS -Name Server

MX -Mail for Exchange

CN -Canonical Name

Appropriately edit the zone file. Ensure the entire domain name end with dot(.).

[[email protected] named]# vi /var/named/chroot/var/named/

$TTL 86400          @ IN SOA [email protected] (

42 ; serial (d. adams)

3H ; refresh

15M ; retry

1W ; expiry

1D ) ; minimum

IN             NS         

IN             A            

www       IN             A           

mail        IN             A           

ns1          IN              A          

server    IN             A             IN   MX      10

Next you need to have reverse zone file ( in the /var/named/chroot/var/named/ directory.

Copy the /var/named/chroot/var/namded/named.local as /var/named/chroot/var/named/

[[email protected] named]# cp /var/named/chroot/var/named/named.local /var/named/chroot/var/named/

Appropriately edit this as per your req.

[[email protected] named]# vi /var/named/chroot/var/named/

$TTL 86400         @ IN SOA [email protected] (

1997022700 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

IN       NS

55       IN        PTR

55       IN        PTR

55       IN        PTR

55      IN         PTR

55       IN        PTR

Restart the service using the following command

[[email protected] named]# service named restart

Simply test the server using command to check forward zone.

[[email protected] named]# host has address mail is handled by 10

This is for the reverse zone.

[[email protected] named]# host domain name pointer

These above command are good enough to check the DNS. To know more about DNS resolving details we can use Dig or Nslookup

You might also like