1. Setting up and configuring a BIND DNS server
BIND is a feature-rich DNS server that is fully compliant with the Internet Engineering Task Force (IETF) DNS standards and draft standards. For example, administrators frequently use BIND as:
- Caching DNS server in the local network
- Authoritative DNS server for zones
- Secondary server to provide high availability for zones
1.1. Considerations about protecting BIND with SELinux or running it in a change-root environment
To secure a BIND installation, you can:
- Run the named service without a change-root environment. In this case, SELinux in enforcing mode prevents exploitation of known BIND security vulnerabilities. By default, Red Hat Enterprise Linux uses SELinux in enforcing mode.
- Run the named-chroot service in a change-root environment. Using the change-root feature, administrators can define that the root directory of a process and its sub-processes is different from the / directory. When you start the named-chroot service, BIND switches its root directory to /var/named/chroot/. As a consequence, the service uses mount --bind commands to make the files and directories listed in /etc/named-chroot.files available in /var/named/chroot/, and the process has no access to files outside of /var/named/chroot/.
- If you decide to use BIND:
  - In normal mode, use the named service.
  - In a change-root environment, use the named-chroot service. This additionally requires that you install the named-chroot package.