# Guide BIND (9/10) Install on FreeBSD 10



## wisdown (Mar 30, 2014)

Hey guys,

Please would it be possible for someone to share a link to a step-by-step tutorial on how to install and set[]up BIND (99) on FreeBSD 10 x64? Looking on Google for it, many links say it is not possible to have BIND inside a jail anymore, is that true? I found a bug too, here: https://opensource.sas.com/its/browse/RPL-3291

So because this bug is not more secure use BIND on FreeBSD?

PS.: I was reading the handbook, but specifically the chapter 5 is so confusing with PKGNG and ports, I did a new install since the first part of the chapter explains about PKGNG and after making the software database can't redo it. Some tutorials I have found were saying to use ports or can't get jail working (and ports was on second part of handbook). Using ports was compiling with default options since I can't get detailed explanation about what other features does.

Thanks in advice


----------



## wblock@ (Mar 30, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*



			
				wisdown said:
			
		

> Hey guys,
> 
> Please would be possible someone share an link for an tutorial step-by-step how to install and setup BIND (99) on FreeBSD 10 x64?
> 
> Looking on google for it many links say is not possible have BIND inside an jail anymore, is that true?



No, that's not true.  It was not in a jail before unless you set it up that way.  It was just in a chroot(8), which can still be set up by the user.  But a jail is better.

To install dns/bind99 on FreeBSD 10:

Back up existing /var/named/etc/namedb.


```
# cd /usr/ports/dns/bind99
# make install clean
```

In /etc/rc.conf:

```
named_enable="YES"
```

In /usr/local/etc/namedb, create the same directory structure and files as existed in /var/named/etc/namedb (/etc/namedb, but really here due to the chroot(8).  These files can just be copied or moved.

Start named and check for errors: `service named start`.


----------



## wisdown (Mar 31, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*

Firts of all thanks for the answer!!!



> No, that's not true. It was not in a jail before unless you set it up that way. It was just in a chroot(8), which can still be set up by the user. But a jail is better.



I need setup the jail before BIND or this doesnt matter?
Reading about the jail https://www.freebsd.org/doc/handbook/jails-build.html I think I will need change for this:


```
# setenv D /usr/jail/bind
# mkdir -p $D
# cd /usr/src
# make buildworld
# make installworld DESTDIR=$D
# make distribution DESTDIR=$D
# mount -t devfs devfs $D/dev
```

If i got the Jail idea, this is like an virtual machine right?
So instead install BIND on top, the best practice would be make the jail, and then install inside?

Or i need install first BIND, then Jail, then move the BIND to Jail directory?

In the second option there no update right?
If an fix or new version come out, I will need install again BIND outside and the replace the files inside of jail?

Or link the BIND from outside to jail should work? (I guessing if link -ln - works would be an security hole because symlink right?)


----------



## wblock@ (Mar 31, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*

The instructions I posted do not involve a chroot or jail at all.  One of the projects I'd like to see or do is an article or Handbook section on setting up a minimal jail for BIND, but it probably won't be soon.

Yes, a jail is like a lightweight VM.


----------



## wisdown (Mar 31, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*

Got it,

Thanks for the help, i will keep searching here how to try do this setup, if I get this working then I will post here how I did.


----------



## freethread (Mar 31, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*



			
				wblock@ said:
			
		

> To install dns/bind99 on FreeBSD 10:
> 
> Back up existing /var/named/etc/namedb.
> 
> ...



Only to be sure. The only difference, for a chrooted named is the directory or the rc.conf variables


```
named_chrootdir
named_chroot_autoupdate
```

should be explicitly defined? In /etc/defaults/rc.conf on FreeBSD 10.0, the named_* variable pack no more exists, I suppose if I copy all that variables, changing the ones that specify file paths and directories, all should works as before. It's right? (I'm talking about chrooted named, not in a jail).


----------



## wblock@ (Mar 31, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*



			
				freethread said:
			
		

> Only to be sure. The only difference, for a chrooted named is the directory or the rc.conf variables
> 
> 
> ```
> ...



No, the start script installed by the port does not use chroot(8), so defining the variables won't help.  The port itself does different things depending on whether it is installed on FreeBSD 9 or 10.


----------



## freethread (Apr 1, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*

Ah. I will try it in a VM. Also, things are more complicated, upgrading from 9.2 to 10.0, if I install named from ports in 9.2 and then upgrade to FreeBSD 10.0 I think it's not the same as upgrading the OS and then install named from ports. Mah, I will try. Thank you @wblock.


----------



## wisdown (Aug 28, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*

Seems finally I got sometime to do this setup, grab one week from my vacation reading tutorials on net and some books, then after making tests, finally seems I got this working, gonna post what I did, if someone can point whats is wrong or whats is missing i will be gratefull.
Did this for a multihomed server runing VMware ESXi with 3 NICs: LAN (192.168.1.0/24) / DMZ (10.1.1.0/24) /WAN (Static IP)

Note: I'm noob on FreeBSD world, so probaly this steps there a lot of mistakes or can compromisse your network, by the way, seems be 100% functional...
(Probaly I dindt wrote all steps since was reading many sites for get this working, so sorry for forget anything)

After an fresh install of FreeBSD 10 (using ZFS), I have started upgrading the stuff:


```
portsnap fetch extract
```

Then:


```
freebsd-update fetch install
```

Since I hate vi(), the next step for me is get nano:


```
cd /usr/ports/editors/nano
make config-recursive install clean
```

Setting nano as default editor:


```
cd /root/
nano .cshrc
```
Change: setenv  EDITOR ee
To: setenv  EDITOR nano

Get away from FreeBSD ZFS warn:


```
nano /boot/loader.conf
```

Add:


```
vfs.zfs.prefetch_disable="0"
vm.kmem_size="512M"
vm.kmem_size_max="512M"
vfs.zfs.arc_max="60M"
vfs.zfs.vdev.cache.size="10M"
```

Disabling X11 stuff:


```
nano /etc/make.conf
```

Add:


```
OPTIONS_UNSET=X11
reboot
```

Setup Subversion to grab FreeBSD source updated:


```
cd /usr/ports/devel/subversion
make config-recursive install clean
```

Update the Souce:


```
svn checkout http://svn.freebsd.org/base/release/10.0.0/ /usr/src
```

From now the system is updated and ready for build the jails, on my scenario I used two jails:

1 - Bind 910 to Authoritative DNS (will call it as s11)
2 - Bind 910 to Cache Server (will call it as s13)

Building the First Jail (s13):


```
mkdir -p /usr/jails/s13
cd /usr/src
make buildworld
make installworld DESTDIR=/usr/jails/s13
make distribution DESTDIR=/usr/jails/s13
```

Enabling ports for install the stuff inside Jail:


```
mount -t devfs devfs /usr/jails/s13/dev
```

Making a Null Kernell (mostly sites on web say it increase the security)


```
cd /usr/jails/s13/dev
ln -sf dev/null kernel
```

Enabling the Jail at startup:


```
nano /etc/rc.conf
jail_enable="YES"
jail_conf="/etc/jail.conf
jail_parallel_start="YES"
jail_list="s11 s13"
```

Setup the Jail config:
(change yourdomain.com for your domain and the network 10.1.1.XX for you current network setup)


```
nano /etc/jail.conf

s11 {
		   path	= /usr/jails/s11;
		   mount.devfs;
		   host.hostname = s11.yourdomain.com;
		   ip4.addr = 10.1.1.11;
		   interface = em0;
		   exec.start =	"/bin/sh /etc/rc";
		   exec.stop = "/bin/sh	/etc/rc.shutdown";
	   }

s13 {
		   path	= /usr/jails/s13;
		   mount.devfs;
		   host.hostname = s13.yourdomain.com;
		   ip4.addr = 10.1.1.13;
		   interface = em0;
		   exec.start =	"/bin/sh /etc/rc";
		   exec.stop = "/bin/sh	/etc/rc.shutdown";
	   }
```

Setiing the rc.conf for s13 jail:


```
nano /etc/jails/s13/etc/rc.conf
hostname="s13.yourdomain.com"
ifconfig_em0="inet 10.1.1.13 netmask 255.255.255.0"
defaultrouter="10.1.1.1"
mouse_enabled="YES"
ntpd_enable="YES"
dump_dev="NO"
clear_tmp_enable="YES"
zfs_enable="YES"

kern_securelevel_enable="YES"
kern_securelevel="3"

named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
```

Connecting on your jail and setup BIND:
(Need execute those comands inside of the jail)

```
jail /usr/jails/s13 s13 10.1.1.13 /bin/sh
cd /usr/ports/dns/bind910
make config-recursive install clean
```

For the options check the ISC site.  What I did:

Disabled:


```
DOCS
```

Enabled:


```
FILTER_AAAA
FIXED_RRSET
GEOIP
IDN
IPV6
LARGE_FILE
NEWSTATS
RRL
SIGCHASE
```

Setup BIND inside of jail to start on reboot:


```
nano /etc/rc.cnf
named_enabled="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/name.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
nano /etc/resolv.conf
nameserver 10.1.1.13
```

Not going to use rndc(8), but created a strong key just in case enabled it on future:


```
rndc-confgen -a -b 512
```

Set up BIND config files:


```
nano /usr/local/etc/namedb/named.conf
options {
			directory	"/usr/local/etc/named/working";

			version		"not currently available";

			allow-transfer{"none"};

			dnssec-enable		yes;
			dnssec-validation	yes;

			recursion yes;
			allow-recursion {10.1.1/24; 192.168.1/24;}; // prevents Open resolver and allow LAN and DMZ interface use it
			
			listen-on	{10.1.1.13;};
		};
```

Enabling logs (named.conf) for troubleshoot diagnostics:


```
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};
```

Disable RNDC:


```
controls {};
```

Enable statistics from server:


```
statistics-channel {
			inet * port 80 allow {192.168.1.0/24; 10.1.1.0/24;};
};
```

Be sure following zones are enabled and allow-update is set to none:


```
// required zone for recursive queries
zone "." {
			type	hint;
			file	"/usr/local/etc/namedb/named.root";
		};

zone "localhost" {
			type master;
			file "/usr/local/etc/namedb/master/localhost-forward.db";
			allow-update{none;};
		};

zone "0.0.127.IN-ADDR.ARPA" in{
			type master;
			file "/usr/local/etc/namedb/master/localhost-reverse.db";
			allow-update{none;};
		};
```

Exit from jail:


```
exit
```

Check the jail ID:


```
jls
```

Add an new user on jail s13 just in case in future you wish use rndc(8):
(Change ID to the number from previous command and set the group to bind)

```
jexec ID adduser dnsadmin
Name:		dnsadmin
Full Name:	Administrator RNDC
Uid:		88
Group:		bind
Home:		/var/named
shell /bin/sh
/sbin/nologin
```

Set some permissions to harden your BIND:
(Change ID from jexec to previous ID from comand `jls` for jail s13)


```
chown dnsadmin:wheel /usr/local/etc/namedb/named.conf
chmod 0660 /usr/local/etc/namedb/named.conf
mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chmod 04000 /usr/local/etc/namedb/keys
mkdir -p /usr/local/etc/namedb/master/ddns
chown bind:wheel /usr/local/etc/namedb/master/ddns/*
chmod 0770 $(find /usr/local/etc/namedb/master/ddns/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/master/ddns/ -type f)
mkdir -p /usr/local/etc/namedb/master/private
chown dnsadmin:wheel /usr/local/etc/namedb/master/private/*
chmod 0770 $(find /usr/local/etc/namedb/master/private/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/master/private/ -type f)
mkdir -p /usr/local/etc/namedb/rndc/keys
chown -R dnsadmin:wheel /usr/local/etc/namedb/rndc
chmod -R 0770 $(find /usr/local/etc/namedb/rndc/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/rndc/ -type f)
chown -R bind:bind /usr/local/etc/namedb/rndc/keys
chmod 0400 $(find /usr/local/etc/namedb/rndc/ -type d)
chmod -R 0400 $(find /usr/local/etc/namedb/rndc/ -type f)
chown -R bind:bind /usr/local/etc/namedb/rndc.key
chmod -R 0400 /usr/local/etc/namedb/rndc.key
chown bind:wheel /usr/local/etc/namedb/slave/
chmod 0770 $(find /usr/local/etc/namedb/slave/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/slave/ -type f)
mkdir -p /usr/local/etc/namedb/views
chown dnsadmin:wheel /usr/local/etc/namedb/views/*
chmod 0770 $(find /usr/local/etc/namedb/views/ -type d)
chmod 0660 $(find /usr/local/etc/namedb/views/ -type f)
mkdir -p /var/log/named
chown -R bind:wheel /var/log/named/
chmod 0760 $(find /var/log/named/ -type d)
chmod -R 0640 $(find /var/log/named/ -type f)
chown bind:bind /var/run/named/pid
chmod 0644 /var/run/named/pid
```

Seems jails use a default template for permissions, so we need make sure this template will not change previous permission, add/set this:


```
nano /etc/mtree/BSD.root.dist

usr
   local
      etc
	     namedb
		    keys uname=bind gname=bind mode=04000
			..
			master
			   ddns uname=bind gname=wheel mode=0770
			   .. mode=0660
			   private uname=dnsadmin gname=wheel mode=0770
			   .. mode=0660
            ..
			rndc undame=dnsadmin gname=wheel mode=0770
			   keys uname=bind gname=bind mode=0400
			   .. mode=0400
			.. mode=0660
			slave uname=bind gname=wheel mode=0770
            .. mode=0660
		    named.conf uname=dnsadmin gname=wheel mode=0660
			rndc.key uname=bind gname=bind mode=0400
			..
	    ..
	..
..
var
   log
      named uname=bind gname=wheel mode=0760
      .. mode=0640
   ..
   run
      named uname=bind gname=bind mode=0644
      ..
   ..
..
```

Change default DNS servers add this server and comment other using #:

```
nano /etc/resolv.conf
nameserver 10.1.1.13
```

Exit from jail and do same thing on host, then reboot to get all this up:

```
exit
nano /etc/resolv.conf
nameserver 10.1.1.13
reboot
```

From now, if I remember all steps correctly your cache server is ready and working after reboot, and you will need set all clients to use your local DNS cache (on this example 10.1.1.13) next post I will post the setup for Authoritative Server with DNSSEC.


----------



## kpa (Aug 28, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*



			
				wisdown said:
			
		

> Making a Null Kernell (mostly sites on web say it increase the security)
> 
> 
> ```
> ...



This won't do anything to increase security. First of all there is no /dev/kernel in FreeBSD, if there ever was it's long gone now. Second issue is that the /dev contents are controlled by devfs(5), if you want to hide/unhide devices from the jails use devfs.rules(5). If you need to create links on the /dev filesystem or change permissions the correct configuration file for that is devfs.conf(5).


I didn't have time and the energy to scan the rest of your HOWTO thoroughly but it looked to me that you're doing quite a bit of manual work to change permissions etc., are all those steps really necessary?


----------



## wblock@ (Aug 28, 2014)

*Re: Guide BIND(910) Install on FreeBSD 10*

In the meantime, I've added a section on using sysutils/ezjail to the Handbook: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html.  The last part is a complete example of installing dns/bind99 in a jail: https://www.freebsd.org/doc/en_US.I...k/jails-ezjail.html#jails-ezjail-example-bind.


----------



## wisdown (Aug 28, 2014)

*Re: Guide BIND(910) Install on FreeBSD 10*

Now we gonna setup we're going to set up the Authoritative DNS (for domain owners) with DNSSEC. The steps about X11, buildworld, ZFs, etc. will be skipped since I'm assuming you already did them on the cache server - previous post).

Building the second jail (s11):


```
mkdir -p /usr/jails/s11
cd /usr/src
make installworld DESTDIR=/usr/jails/s11
make distribution DESTDIR=/usr/jails/s11
```

Enabling ports for installing the stuff inside the jail:


```
mount -t devfs devfs /usr/jails/s11/dev
mkdir -p /usr/jails/s11/usr/ports
mount_nullfs /usr/ports /usr/jails/s11/usr/ports
```

Making a null kernel (most sites on the web say it increases the security):


```
cd /usr/jails/s11/dev
ln -sf dev/null kernel
```

Connecting on your jail and set[]up BIND (you need to execute those commands inside the jail):


```
jail /usr/jails/s11 s13 10.1.1.11 /bin/sh
cd /usr/ports/dns/bind910
make config-recursive install clean
```

For the options, check the ISC site about them; what I have done:

Disabled:


```
DOCS
```

Enabled:


```
FILTER_AAAA
FIXED_RRSET
GEOIP
IDN
IPV6
LARGE_FILE
NEWSTATS
RRL
SIGCHASE
NATIVE_PKCS11
```

Install Nano:


```
cd /usr/ports/editors/nano
make config-recursive install clean
```

Setting Nano as the default editor:


```
cd /root/
nano .cshrc
```
Change: setenv  EDITOR ee
To: setenv  EDITOR nano

Setting the rc.conf for s11 jail:


```
nano /etc/jails/s11/etc/rc.conf
hostname="s11.yourdomain.com"
ifconfig_em0="inet 10.1.1.11 netmask 255.255.255.0"
defaultrouter="10.1.1.1"
mouse_enabled="YES"
ntpd_enable="YES"
dump_dev="NO"
clear_tmp_enable="YES"
zfs_enable="YES"

kern_securelevel_enable="YES"
kern_securelevel="3"

named_enable="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/named.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
```

Setup BIND inside the jail to start on reboot:


```
nano /etc/rc.cnf
named_enabled="YES"
named_program="/usr/local/sbin/named"
named_conf="/usr/local/etc/namedb/name.conf"
named_pidfile="/var/run/named/pid"
named_uid="bind"
nano /etc/resolv.conf
nameserver 10.1.1.13
```

Dont gonna use Am not going to use rndc, but used a strong key just in case it is enabled in the future:

`rndc-confgen -a -b 512`

Set[]up BIND configuration files:


```
nano /usr/local/etc/namedb/named.conf
options {
			directory	"/usr/local/etc/named/working";

			version		"not currently available";

			recursion {none;};

			allow-transfer			{"none"};

			dnssec-enable			yes;
			dnssec-validation		yes;

			minimal-responses		yes;
			additional-from-auth 		no;
			additional-from-cache	no;
			
			listen-on	{10.1.1.11;};
		};
```

Enabling logs (named.conf) for troubleshooting diagnostics:


```
logging {
    channel default_file {
        file "/var/log/named/default.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel general_file {
        file "/var/log/named/general.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel database_file {
        file "/var/log/named/database.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel security_file {
        file "/var/log/named/security.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel config_file {
        file "/var/log/named/config.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel resolver_file {
        file "/var/log/named/resolver.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-in_file {
        file "/var/log/named/xfer-in.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel xfer-out_file {
        file "/var/log/named/xfer-out.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel notify_file {
        file "/var/log/named/notify.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel client_file {
        file "/var/log/named/client.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel unmatched_file {
        file "/var/log/named/unmatched.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel queries_file {
        file "/var/log/named/queries.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel network_file {
        file "/var/log/named/network.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel update_file {
        file "/var/log/named/update.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dispatch_file {
        file "/var/log/named/dispatch.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel dnssec_file {
        file "/var/log/named/dnssec.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };
    channel lame-servers_file {
        file "/var/log/named/lame-servers.log" versions 3 size 5m;
        severity dynamic;
        print-time yes;
    };

    category default { default_file; };
    category general { general_file; };
    category database { database_file; };
    category security { security_file; };
    category config { config_file; };
    category resolver { resolver_file; };
    category xfer-in { xfer-in_file; };
    category xfer-out { xfer-out_file; };
    category notify { notify_file; };
    category client { client_file; };
    category unmatched { unmatched_file; };
    category queries { queries_file; };
    category network { network_file; };
    category update { update_file; };
    category dispatch { dispatch_file; };
    category dnssec { dnssec_file; };
    category lame-servers { lame-servers_file; };
};
```

Disable rndc:


```
controls {};
```

Enable statistics from server:


```
statistics-channel {
			inet * port 80 allow {192.168.1.0/24; 10.1.1.0/24;};
};
```

Be sure the following zones are enabled and allow-update is set to none, and change yourdomain.com to your valid domain and set XXX.XXX.XXX.XXX for a secondary name server (you need to set[]up a reverse zone, so change XXX.XXX.XXX to your network under the second record for the reverse zone, example: XXX.XXX.XXX.IN-ADDR.ARPA)


```
// required zone for recursive queries
zone "." {
			type	hint;
			file	"/usr/local/etc/namedb/named.root";
		};

zone "localhost" {
			type master;
			file "/usr/local/etc/namedb/master/localhost-forward.db";
			allow-update{none;};
		};

zone "0.0.127.IN-ADDR.ARPA" in{
			type master;
			file "/usr/local/etc/namedb/master/localhost-reverse.db";
			allow-update{none;};

zone "yourdomain.com" in{
			type master;
			file "/usr/local/etc/namedb/master/yourdomain.com.db";
			allow-transfer {XXX.XXX.XXX.XXX;};
			allow-update{none;};
		};
zone "XXX.XXX.XXX.IN-ADDR.ARPA" in{
			type master;
			file "/usr/local/etc/namedb/master/XXX.XXX.XXX.IN-ADDR.ARPA";
		};
```

Exit from the jail:

`exit`

Check the jail ID:

`jls`

Add a new user to jail s13 just in case in future your wish to use rndc (change the ID to the number from the previous command and set the group to bind)


```
jexec ID adduser dnsadmin
Name:		dnsadmin
Full Name:	Administrator RNDC
Uid:			88
Group:		bind
Home:		/var/named
shell 			/bin/sh
/sbin/nologin
```

Set some permissions to hardening your BIND (change ID from jexec to previous ID from command jls for jail s11)


```
chown dnsadmin:wheel /usr/local/etc/namedb/named.conf
chmod 0660 /usr/local/etc/namedb/named.conf
mkdir -p /usr/local/etc/namedb/keys
chown bind:bind /usr/local/etc/namedb/keys
chmod 04000 /usr/local/etc/namedb/keys
mkdir -p /usr/local/etc/namedb/master/ddns
chown bind:wheel /usr/local/etc/namedb/master/ddns/*
chmod 0770 $(find /usr/local/etc/namedb/master/ddns/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/master/ddns/ -type f)
mkdir -p /usr/local/etc/namedb/master/private
chown dnsadmin:wheel /usr/local/etc/namedb/master/private/*
chmod 0770 $(find /usr/local/etc/namedb/master/private/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/master/private/ -type f)
mkdir -p /usr/local/etc/namedb/rndc/keys
chown -R dnsadmin:wheel /usr/local/etc/namedb/rndc
chmod -R 0770 $(find /usr/local/etc/namedb/rndc/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/rndc/ -type f)
chown -R bind:bind /usr/local/etc/namedb/rndc/keys
chmod 0400 $(find /usr/local/etc/namedb/rndc/ -type d)
chmod -R 0400 $(find /usr/local/etc/namedb/rndc/ -type f)
chown -R bind:bind /usr/local/etc/namedb/rndc.key
chmod -R 0400 /usr/local/etc/namedb/rndc.key
chown bind:wheel /usr/local/etc/namedb/slave/
chmod 0770 $(find /usr/local/etc/namedb/slave/ -type d)
chmod -R 0660 $(find /usr/local/etc/namedb/slave/ -type f)
mkdir -p /usr/local/etc/namedb/views
chown dnsadmin:wheel /usr/local/etc/namedb/views/*
chmod 0770 $(find /usr/local/etc/namedb/views/ -type d)
chmod 0660 $(find /usr/local/etc/namedb/views/ -type f)
mkdir -p /var/log/named
chown -R bind:wheel /var/log/named/
chmod 0760 $(find /var/log/named/ -type d)
chmod -R 0640 $(find /var/log/named/ -type f)
chown bind:bind /var/run/named/pid
chmod 0644 /var/run/named/pid
```

It seems like the jail uses a default template for permissions, so we need to make sure that this template will not change previous permissions, add/set this:


```
nano /etc/mtree/BSD.root.dist

usr
   local
      etc
	     namedb
		    keys uname=bind gname=bind mode=04000
			..
			master
			   ddns uname=bind gname=wheel mode=0770
			   .. mode=0660
			   private uname=dnsadmin gname=wheel mode=0770
			   .. mode=0660
            ..
			rndc undame=dnsadmin gname=wheel mode=0770
			   keys uname=bind gname=bind mode=0400
			   .. mode=0400
			.. mode=0660
			slave uname=bind gname=wheel mode=0770
            .. mode=0660
		    named.conf uname=dnsadmin gname=wheel mode=0660
			rndc.key uname=bind gname=bind mode=0400
			..
	    ..
	..
..
var
   log
      named uname=bind gname=wheel mode=0760
      .. mode=0640
   ..
   run
      named uname=bind gname=bind mode=0644
      ..
   ..
..
```

Change the default DNS servers, add this server and comment the other using #:

```
nano /etc/resolv.conf
nameserver 10.1.1.13
```

You will need to set[]up the reverse zone and the main zone files inside the jail in the directory /usr/local/etc/namedb/master/.

The details about how to set[]up your zone and reverse zone you will need to search on the internet.

Following steps only can be done after setting up the zone files:

Creating your ZSK key files (the standards say to use 2048 but since *I*'m only hosting my personal website, I have used 4096, the 365d means the expiration date to this key, one time, you need to change yourdomain.com to you current domain):


```
cd /usr/local/etc/namedb/keys/
dnssec-keygen -a rsasha256 -b 4096 -P now -A now -I +365d -D +367d -n zone yourdomain.com
```

Creating your KSK files (one time, change yourdomain.com to your current domain, this one is for three years)


```
dnssec-keygen -a rsasha256 -b 4096 -f ksk -P now -A now -R +730d -D +733d -n zone yourdomain.com
```

Checking the certificates (one time change yourdomain.com to your current domain and XXX+XXXXX for the generate on files, remove .key and .private))

```
dnssec-settime -p all Kyourdomain.com.+XXX+XXXXX
dnssec-settime -p all Kyourdomain.com.+XXX+XXXXX
```

Add the .key files to your zone file (this time be sure to add only the .key file):

```
nano /usr/local/etc/named/master/yourdomain.com.db
$INCLUDE ..keys/Kyourdomain.com.+XXX+XXXXX.key ; KSK
$INCLUDE ..keys/Kyourdomain.com.+XXX+XXXXX.key ; ZSK
```

Sign your zone files (first parameter the KSK - second ZSK) and update it in named.conf (this will generate a copy encrypted of your zone files with .signed on the end in the same directory of the zone file):

```
dnssec-signzone -o yourdomain.com -t -k Kyourdomain.com.+XXX+XXXXX /usr/local/etc/namedb/master/yourdomain.com.db Kyourdomain.com.+XXX+XXXXX
nano ../named.conf
Add extension .signed for your zone file
service named restart
```

Copy the contents from your .key to your registrar and add it in the  DNSSEC section. Wait a few minutes and now you have DNSSEC on. Move the .private files to a safe place (you need them to make new certificates, to revoke, etc...)

Any hints, advice about missing steps, or how to increase the security, or if those steps are wrong are welcome.

Sorry for not providing the references links, lost most of them after Firefox crashed because it ran out of memory and crashed, losing the history.

By the way I grabbed many hints from this book:

http://www.amazon.com/BIND-Experts-Voice-Open-Source/dp/1430230487

Links for tools for checking your setup:

http://www.ipok.com.br/tools.php?tool=nslookup
http://dnscheck.pingdom.com/

```
http://www.dnsstuff.com/tools#reverseDns
```
http://mxtoolbox.com/
http://www.nabber.org/projects/dnscheck/
http://dnssec-debugger.verisignlabs.com/
http://dnsviz.net/d/
https://www.ultratools.com/tools


----------



## wisdown (Aug 28, 2014)

*Re: Guide BIND(99) Install on FreeBSD 10*



			
				kpa said:
			
		

> wisdown said:
> 
> 
> 
> > I didn't have time and the energy to scan the rest of your HOWTO thoroughly but it looked to me that you're doing quite a bit of manual work to change permissions etc., are all those steps really necessary?



I was following the book *Pro DNS and BIND 10* about how to increase the security. There is a special chapter about how to set permissions. What I have done is follow all of the author's tips, whether really necessary or not, I'm not sure. But this is working, so in my opinion, decreasing the privileges without breaking things sounds like a security good practice.


----------



## beans10001 (Apr 28, 2015)

wblock@ said:


> *Re: Guide BIND(910) Install on FreeBSD 10*
> 
> In the meantime, I've added a section on using sysutils/ezjail to the Handbook: https://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/jails-ezjail.html.  The last part is a complete example of installing dns/bind99 in a jail: https://www.freebsd.org/doc/en_US.I...k/jails-ezjail.html#jails-ezjail-example-bind.


Awesome, thanks for this!!


----------



## Vladimir Botka (Oct 22, 2016)

Hello!

JFYI, chrooted named with bind99 and FreeBSD 10.3 works fine. I've created Ansible role to install and configure it. https://galaxy.ansible.com/vbotka/freebsd-dns/.


----------

