How to compile and install BIND Caching Server on RHEL 8 - nomorespice/rhel8-howto GitHub Wiki
BIND (Berkeley Internet Name Domain), or named, is the most widely used Domain Name System (DNS) software on the Internet. It can be configured to perform a variety of DNS roles; the two most common are authoritative and recursive modes. This procedure will guide you through the source compilation and installation process on a Red Hat Enterprise Linux 8 server.
This document assumes that:
- you installed the RHEL 8 x64 Operating System according to How to install RHEL 8 via kickstart
- you are performing these tasks as root
- you are performing these tasks in order, as some tasks require others to be completed first
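# Enable the CodeReady Builder repository (source of the -devel packages) and
# install the build dependencies.  checkpolicy provides checkmodule, which the
# SELinux policy-module step later in this guide relies on.
subscription-manager repos --enable codeready-builder-for-rhel-8-x86_64-rpms
dnf -y install libuv-devel libcap-devel libnghttp2-devel openssl-devel python36 checkpolicy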
Verify that the version you download is the latest stable release available.
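# Fetch and build the ISC source tarball.  Verify the download before
# unpacking it: the .sha256 file published next to the tarball detects a
# corrupt or truncated download, and the detached .asc signature proves the
# tarball came from ISC.  Do not continue unless sha256sum prints "OK".
mkdir -p /var/src
cd /var/src
wget -4 https://downloads.isc.org/isc/bind9/9.18.24/bind-9.18.24.tar.xz
wget -4 https://downloads.isc.org/isc/bind9/9.18.24/bind-9.18.24.tar.xz.sha256
wget -4 https://downloads.isc.org/isc/bind9/9.18.24/bind-9.18.24.tar.xz.asc
sha256sum -c bind-9.18.24.tar.xz.sha256
# Signature check: first import ISC's release-signing public key
# (<ISC_SIGNING_KEY placeholder> -- obtain the fingerprint from isc.org and
# confirm it out of band), then:
gpg --verify bind-9.18.24.tar.xz.asc bind-9.18.24.tar.xz
tar -xJvf bind-9.18.24.tar.xz
cd bind-9.18.24
# Default prefix is /usr/local; only the daemons are placed in /usr/sbin so the
# systemd unit below can reference /usr/sbin/named and /usr/sbin/rndc.
./configure --sbindir=/usr/sbin
make
make install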
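# Dedicated unprivileged account for named: no home directory is created (the
# chroot path is only recorded as its home), no login shell, password locked.
groupadd named
useradd -g named -M -d /var/named/chroot -s /sbin/nologin named
passwd -l named
# Chroot skeleton.  The device nodes get the conventional 0666 mode set
# explicitly: they are root-owned, and the recursive chmod later in this guide
# only touches regular files (-type f), so without -m they would keep the
# umask-derived mode and named may be unable to open them once it has dropped
# privileges to the named user.
mkdir -p /var/named/chroot/dev
mknod -m 666 /var/named/chroot/dev/null c 1 3
mknod -m 666 /var/named/chroot/dev/zero c 1 5
mknod -m 666 /var/named/chroot/dev/random c 1 8
mknod -m 666 /var/named/chroot/dev/urandom c 1 9
mkdir -p /var/named/chroot/etc
mkdir -p /var/named/chroot/var/log
mkdir -p /var/named/chroot/var/named
mkdir -p /var/named/chroot/var/run
# Give the chroot the host's timezone data so processes inside it see the same
# local time.
cp -p /etc/localtime /var/named/chroot/etc/localtime
# Pre-create the files named.conf points at (paths there are chroot-relative).
touch /var/named/chroot/var/run/named.pid
touch /var/named/chroot/var/run/named.stats
touch /var/named/chroot/var/run/named.db
touch /var/named/chroot/var/log/named-query.log
touch /var/named/chroot/var/log/named-security.log
touch /var/named/chroot/var/log/named-rate-limit.log
touch /var/log/named.log
# Route named's syslog messages into their own file and stop further
# processing so they do not also land in /var/log/messages.
/bin/cat <<\EOT >/etc/rsyslog.d/15-named.conf
if $programname == 'named' then /var/log/named.log
& stop
EOT
systemctl restart rsyslog
# Rotate /var/log/named.log together with the stock syslog rotation set.
sed -i '/\/var\/log\/messages/ a \/var\/log\/named.log' /etc/logrotate.d/syslog
# Generate the rndc control key inside the chroot; named.conf includes it as
# /etc/rndc.key.  It is an HMAC secret: whoever can read it can drive named
# over the loopback control channel, so keep it unreadable by "other".
rndc-confgen -a -A hmac-sha256 -c /var/named/chroot/etc/rndc.key -u named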
Notes on this named.conf configuration:
- RFC 1918 bogon query access has been disabled (except 10.0.0.0/8, which is assumed to be "internal")
- Only internal 10.0.0.0/8 IP addresses can successfully query this service
- The BIND named service runs "chrooted" in the /var/named/chroot/ directory, so the default SELinux rules will apply
- IPv6 has been disabled
- RRL (Response Rate Limiting) has been enabled
- DNSSEC (Domain Name System Security Extensions) has been disabled
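# Write named.conf inside the chroot.  Every path in it is chroot-relative
# (named is started with -t /var/named/chroot).
/bin/cat <<\EOT >/var/named/chroot/etc/named.conf
// Ranges that should never be the source of a legitimate query; blackholed
// in options below so named neither answers nor queries them.
acl "bogon" {
0.0.0.0/8;
169.254.0.0/16;
172.16.0.0/12;
192.0.0.0/24;
192.0.2.0/24;
192.168.0.0/16;
198.51.100.0/24;
203.0.113.0/24;
224.0.0.0/3;
};
// The only clients allowed to query and to recurse.
acl "internal" {
10.0.0.0/8;
localhost;
};
// rndc control channel: loopback only, authenticated with rndc-key.
include "/etc/rndc.key";
controls { inet 127.0.0.1 allow { 127.0.0.1; } keys { rndc-key; }; };
options {
directory "/var/named";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
dump-file "/var/run/named.db";
session-keyfile "/var/run/session.key";
zone-statistics yes;
recursive-clients 4000;
// Do not disclose the server version to version.bind queries.
version none;
allow-query { internal; };
allow-recursion { internal; };
minimal-responses yes;
listen-on-v6 { none; };
// Conservative EDNS buffer size to keep UDP answers from being fragmented.
max-udp-size 1220;
edns-udp-size 1220;
// No interface rescans after start-up.
interface-interval 0;
blackhole { bogon; };
allow-transfer { none; };
managed-keys-directory "/var/named";
// Response Rate Limiting: cap identical responses per second per client /32.
rate-limit { responses-per-second 40; ipv4-prefix-length 32; };
// dnssec-enable was removed in BIND 9.18 and named-checkconf rejects it, so it
// is deliberately not set.  Validation stays off as documented for this
// build; upstream answers are therefore not cryptographically verified.
dnssec-validation no;
};
logging {
channel default_syslog { syslog local2; severity info; };
channel dns_security { file "/var/log/named-security.log" versions 3 size 10m; severity info; print-time yes; };
category security { dns_security; };
channel dns_queries { file "/var/log/named-query.log" versions 5 size 200m; severity dynamic; print-time yes; };
category queries { dns_queries; };
channel rate_limiting_log { file "/var/log/named-rate-limit.log" versions 3 size 50m; severity info; print-time yes; };
category rate-limit { rate_limiting_log; default_debug; };
channel junk { null; };
category lame-servers { null; };
category update { null; };
category update-security { null; };
category edns-disabled { null; };
};
zone "." in { type hint; file "/etc/named.root.hints"; };
EOT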
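# Seed the root hints file referenced by the hint zone.  Inspect the result:
# if dig could not reach a.root-servers.net the file holds only an error and
# named has nothing to prime its cache from.
dig +bufsize=1200 +norec NS . @a.root-servers.net > /var/named/chroot/etc/named.root.hints
# Baseline: everything root-owned, group named, world-readable.
chown -R root:named /var/named/chroot/.
find /var/named/chroot/. -type f -exec chmod u=rw,og=r {} +
find /var/named/chroot/. -type d -exec chmod u=rwx,og=rx {} +
chmod o= /var/named/chroot/etc/*.conf
# rndc.key is the HMAC secret that authorises rndc control commands, and the
# recursive chmod above left it world-readable -- any local user could then
# drive named over the loopback control channel.  named reads it through
# group named, so remove all "other" access.
chmod u=rw,g=r,o= /var/named/chroot/etc/rndc.key
chown root:root /var/named/chroot/var/
chmod u=rwx,og=x /var/named/chroot/var/
# named (user named, group named) must be able to write its pid/stats/dump
# files, its logs and the managed-keys directory.
chown root:named /var/named/chroot/var/run/
chmod ug=rwx,o=rx /var/named/chroot/var/run/
chown root:named /var/named/chroot/var/log/
chmod ug=rwx,o=rx /var/named/chroot/var/log/
# Log files are data, not programs: no execute bit.  The query log records
# every client address and name resolved, so keep it from other local users.
chmod ug=rw,o= /var/named/chroot/var/log/*
chown -R named:named /var/named/chroot/var/named/
chmod -R ug=rwx,o=rx /var/named/chroot/var/named/
# Apply SELinux labels.  Note that chcon sets a label only until the next
# relabel of that path; a persistent mapping would need a semanage fcontext
# rule for /var/named/chroot/var/run.
restorecon -Rv /var/named/chroot/
restorecon -v /usr/local/lib/python3.6/site-packages/*
chcon -t var_run_t /var/named/chroot/var/run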
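# Local SELinux policy module granting rndc (ndc_t) process:setsched on
# itself -- presumably to quiet an AVC denial seen when running rndc under
# this policy; confirm against the audit log before widening it.  The
# delimiter is quoted so nothing in the module text is shell-expanded.
/bin/cat <<'EOT' >/var/src/my-rndc.te
module my-rndc 1.0;
require {
type ndc_t;
class process setsched;
}
#============= ndc_t ==============
allow ndc_t self:process setsched;
EOT
# Compile, package and install as one chain so a failed compile or packaging
# step never installs a stale .pp from a previous attempt.
checkmodule -M -m -o /var/src/my-rndc.mod /var/src/my-rndc.te \
  && semodule_package -o /var/src/my-rndc.pp -m /var/src/my-rndc.mod \
  && semodule -i /var/src/my-rndc.pp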
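# Locally administered units belong in /etc/systemd/system; /usr/lib/systemd
# is for package-provided units.  named daemonises unless started with -f, so
# the unit must be Type=forking for PIDFile to be honoured -- with Type=simple
# systemd would treat the exiting parent as the service having ended.  Because
# named.conf sets interface-interval 0 (no interface rescans), start only once
# the network is online, and order before nss-lookup.target so units that
# need name resolution start after this resolver.
/bin/cat <<\EOT >/etc/systemd/system/named.service
[Unit]
Description=Berkeley Internet Name Domain (DNS)
Wants=network-online.target nss-lookup.target
After=network-online.target
Before=nss-lookup.target
[Service]
Type=forking
PIDFile=/var/named/chroot/var/run/named.pid
ExecStartPre=/bin/bash -c '/usr/sbin/named-checkconf -t /var/named/chroot -z /etc/named.conf'
ExecStart=/usr/sbin/named -4 -t /var/named/chroot -u named -c /etc/named.conf
# rndc runs outside the chroot and needs its own rndc.conf/rndc.key carrying
# the key generated inside the chroot; until that exists both commands below
# fall back to signalling the main process.
ExecReload=/bin/sh -c '/usr/sbin/rndc reload > /dev/null 2>&1 || /bin/kill -HUP $MAINPID'
ExecStop=/bin/sh -c '/usr/sbin/rndc stop > /dev/null 2>&1 || /bin/kill -TERM $MAINPID'
PrivateTmp=true
[Install]
WantedBy=multi-user.target
EOT
# Make systemd read the new unit before enabling it.
systemctl daemon-reload
systemctl enable --now named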