Note: it does not take in account SELinux - for SELinux install please see http://blog.acmenet.ru/en/2014/11/20/bind-centos-en/
# yum -y install bind bind-utils bind-chroot
# /usr/libexec/setup-named-chroot.sh /var/named/chroot on
# chmod g+w /var/named/chroot/var/named/
# vim /etc/sysconfig/named
OPTIONS="-4"
# vim /var/named/chroot/etc/named.conf
acl "trusted" {
/*
* You might put in here some ips which are allowed to use the cache or
* recursive queries
*/
127.0.0.0/8;
::1/128;
};
acl "xfer" {
/*
* Deny transfers by default except for the listed hosts.
* If we have other name servers, place them here.
*/
//put here your scondary dns servers ips, e.g. 192.12.32.78/32;
};
options {
listen-on port 53 { any; };
listen-on-v6 port 53 { none; };
...
allow-query {
/*
* Accept queries from our "trusted" ACL. We will
* allow anyone to query our master zones below.
* This prevents us from becoming a free DNS server
* to the masses.
*/
trusted;
};
allow-query-cache {
/* Use the cache for the "trusted" ACL. */
trusted;
};
allow-recursion {
/* Only trusted addresses are allowed to use recursion. */
trusted;
};
allow-transfer {
/* Zone tranfers are denied by default. */
xfer;
};
allow-update {
/* Don't allow updates, e.g. via nsupdate. */
none;
};
...
}
...
# systemctl start named-chroot.service # systemctl enable named-chroot.service
# systemctl status named-chroot.service # dig yahoo.com @localhost
# vim /var/named/chroot/etc/named.conf
...
include "/etc/named.zones";
# vim /var/named/chroot/etc/named.zones
zone "example.com" {
type master;
file "example.com.zone";
/* Anybody is allowed to query but transfer should be controlled by the master. */
allow-query { any; };
allow-transfer { xfer; };
};
# chown root:named /var/named/chroot/etc/named.zones
# chmod 0640 /var/named/chroot/etc/named.zones
# ln -s /var/named/chroot/etc/named.zones /etc/named.zones
# vim /var/named/chroot/var/named/example.com.zone
$TTL 86400 ; 1 day
@ IN SOA ns1.example.com. hostmaster.example.com. (
2017010201 ; serial
10800 ; refresh (3 hours)
3600 ; retry (1 hour)
604800 ; expire (1 week)
86400 ; minimum (1 day)
)
IN NS ns1.example.com.
IN NS ns2.example.com.
IN MX 10 mail.example.com.
IN A 174.122.216.61
www IN A 174.122.216.61
ns1 IN A 174.122.216.61
ns2 IN A 174.122.216.61
mail IN A 174.122.216.61
* IN A 174.122.216.61
example.com. IN TXT "v=spf1 mx -all"
# chown root:named /var/named/chroot/var/named/*.zone
# chmod 0640 /var/named/chroot/var/named/*.zone
# named-checkconf /etc/named.conf
# named-checkzone example.com /var/named/chroot/var/named/example.com.zone
zone example.com/IN: loaded serial 2017010101
OK
# systemctl reload named-chroot.service
# systemctl status named-chroot.service