Install and Configure DNS/BIND On Linux/Rhel/CentOS With Chroot Feature


Centos/Redhat BIND normally runs as the named process owned by the unprivileged named user.Sometimes BIND is also installed using Linux chroot feature to not only run named as user named, but also to limit the files named can see.

When installed, named is fooled into thinking that the directory /var/named/chroot is actually the root or / directory. Therefore, named files normally found in the /etc directory are found in /var/named/chroot/etc directory instead, and those you’d expect to find in /var/named are actually located in /var/named/chroot/var/named.

The advantage of the chroot feature is that if a hacker enters your system via a BIND exploit, the hacker’s access to the rest of your system is isolated to the files under the chroot directory and nothing else. This type of security is also known as a chroot jail.

You can install chroot add-on RPM by using this command.

To install we need to configure the Yum Repository.

[root@SRV01 ~]# yum install bind bind-chroot

Loaded plugins: fastestmirror

Determining fastest mirrors

myrepo | 1.1 kB 00:00

primary.xml.gz | 878 kB 00:00

myrepo 2508/2508

Setting up Install Process

Parsing package install arguments

Resolving Dependencies

There are unfinished transactions remaining. You mightconsider running yum-complete-transaction first to finish them.

–> Running transaction check

—> Package bind-chroot.i386 30:9.3.4-10.P1.el5 set to be updated

—> Package bind.i386 30:9.3.4-10.P1.el5 set to be updated

–> Finished Dependency Resolution

Dependencies Resolved


Package Arch Version Repository Size



bind i386 30:9.3.4-10.P1.el5 myrepo 953 k

bind-chroot i386 30:9.3.4-10.P1.el5 myrepo 42 k

Transaction Summary


Install 2 Package(s)

Update 0 Package(s)

Remove 0 Package(s)

Total download size: 995 k

Is this ok [y/N]: y

Downloading Packages:

(1/2): bind-chroot-9.3.4-10.P1.el5.i386.rpm | 42 kB 00:00

(2/2): bind-9.3.4-10.P1.el5.i386.rpm | 953 kB 00:00


Total 1.8 MB/s | 995 kB 00:00

Running rpm_check_debug

Running Transaction Test

Finished Transaction Test

Transaction Test Succeeded

Running Transaction

Installing : bind [1/2]

Installing : bind-chroot [2/2]

Installed: bind.i386 30:9.3.4-10.P1.el5 bind-chroot.i386 30:9.3.4-10.P1.el5


Now the DNS root will be /var/named/chroot only. So first copy the named configuration file from /var/named/chroot/etc/

[root@SRV01 named]# cp /usr/share/doc/bind-9.3.4/sample/etc/* /var/named/chroot/etc/

Next copy the sample zone file from /var/named/chroot/var/named directory.

[root@SRV01 named]# cp -a /usr/share/doc/bind-9.3.4/sample /var/named/* /var/named/chroot/var/named/

cp: overwrite `/var/named/chroot/var/named/slaves/’? y

cp: overwrite `/var/named/chroot/var/named/slaves/’? y

Once sample copy is over, now we have to add the dns keygen in to the configuration file ie /var/named/chroot/etc/named.conf. to create the dns keygen use following command.

[root@SRV01 named]# dns-keygen


Insert above in /var/named/chtoot/etc/named.conf

[root@SRV01 named]# vi /etc/named.conf

key ddns_key


algorithm hmac-md5;

secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcC;


Again edit the /var/named/chroot/etc/named.conf, enter zone details as per your domain requirement. The following file is minimal configuration to run DNS server. you can copy and use it for your environment also.

[root@SRV01 named]# vi /var/named/chroot/etc/named.conf



directory “/var/named”; // the default

dump-file “data/cache_dump.db”;

statistics-file “data/named_stats.txt”;

memstatistics-file “data/named_mem_stats.txt”;




channel default_debug {

file “data/”;

severity dynamic;



zone “” IN { —–> Name of the forward Zone

type master;

file “”; —–> Name of the file where Zone Saved

allow-update { none; };


zone “” IN { —–> Name of the reverse Zone

type master;

file “”; —–> Name of the file where Zone Saved

allow-update { none; };


key ddns_key


algorithm hmac-md5;

secret 31LAA52EawiHZBOsTR1qeuMa36IU11i80zCgmTWOUL6DJ8vGcC;


Next you need to have forward zone file ( in the /var/named/chroot/var/named/ directory.

Copy the /var/named/chroot/var/namded/ as /var/named/chroot/var/named/

[root@SRV01 named]# cp /var/named/chroot/var/named/ /var/named/chroot/var/named/

There are some special keywords for Zone Files

A-A record

NS -Name Server

MX -Mail for Exchange

CN -Canonical Name

Appropriately edit the zone file. Ensure the entire domain name end with dot(.).

[root@SRV01 named]# vi /var/named/chroot/var/named/

$TTL 86400          @ IN SOA [email protected]. (

42 ; serial (d. adams)

3H ; refresh

15M ; retry

1W ; expiry

1D ) ; minimum

IN             NS         

IN             A            

www       IN             A           

mail        IN             A           

ns1          IN              A          

server    IN             A             IN   MX      10

Next you need to have reverse zone file ( in the /var/named/chroot/var/named/ directory.

Copy the /var/named/chroot/var/namded/named.local as /var/named/chroot/var/named/

[root@SRV01 named]# cp /var/named/chroot/var/named/named.local /var/named/chroot/var/named/

Appropriately edit this as per your req.

[root@SRV01 named]# vi /var/named/chroot/var/named/

$TTL 86400         @ IN SOA [email protected]. (

1997022700 ; Serial

28800 ; Refresh

14400 ; Retry

3600000 ; Expire

86400 ) ; Minimum

IN       NS

55       IN        PTR

55       IN        PTR

55       IN        PTR

55      IN         PTR

55       IN        PTR

Restart the service using the following command

[root@SRV01 named]# service named restart

Simply test the server using command to check forward zone.

[root@SRV01 named]# host has address mail is handled by 10

This is for the reverse zone.

[root@SRV01 named]# host domain name pointer

These above command are good enough to check the DNS. To know more about DNS resolving details we can use Dig or Nslookup

You might also like