Configuring BIND

Config files: named.conf, root.hints, 127.0.0, rndc.conf

Configuration Information
We will configure BIND to run in a chroot jail as an unprivileged user (named). This configuration is more secure: a compromise of the DNS server can only affect the few files inside the named user's HOME directory.

First we create the unprivileged user and group named:
groupadd named &&
useradd -m -g named -s /bin/false named
Then we set up some files, directories and devices needed by BIND:
cd /home/named &&
mkdir -p dev etc/namedb/slave var/run &&
mknod /home/named/dev/null c 1 3 &&
mknod /home/named/dev/random c 1 8 &&
chmod 666 /home/named/dev/{null,random} &&
mkdir /home/named/etc/namedb/pz &&
cp /etc/localtime /home/named/etc
Create the named.conf file, from which named will read the location of zone files, root name servers and secure DNS keys:
cat > /home/named/etc/named.conf << "EOF"
options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
};
controls {
inet 127.0.0.1 allow { localhost; } keys { rndc_key; };
};
key "rndc_key" {
algorithm hmac-md5;
secret "[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]";
};
zone "." {
type hint;
file "root.hints";
};
zone "0.0.127.in-addr.arpa" {
type master;
file "pz/127.0.0";
};
EOF
Create a zone file with the following contents:
cat > /home/named/etc/namedb/pz/127.0.0 << "EOF"
$TTL 3D
@ IN SOA ns.local.domain. hostmaster.local.domain. (
1 ; Serial
8H ; Refresh
2H ; Retry
4W ; Expire
1D) ; Minimum TTL
NS ns.local.domain.
1 PTR localhost.
EOF
Create the root.hints file with the following commands.
Take care that no line in this file begins with a space: in zone file syntax a leading blank means the record inherits the owner name of the previous line.
cat > /home/named/etc/namedb/root.hints << "EOF"
. 6D IN NS A.ROOT-SERVERS.NET.
. 6D IN NS B.ROOT-SERVERS.NET.
. 6D IN NS C.ROOT-SERVERS.NET.
. 6D IN NS D.ROOT-SERVERS.NET.
. 6D IN NS E.ROOT-SERVERS.NET.
. 6D IN NS F.ROOT-SERVERS.NET.
. 6D IN NS G.ROOT-SERVERS.NET.
. 6D IN NS H.ROOT-SERVERS.NET.
. 6D IN NS I.ROOT-SERVERS.NET.
. 6D IN NS J.ROOT-SERVERS.NET.
. 6D IN NS K.ROOT-SERVERS.NET.
. 6D IN NS L.ROOT-SERVERS.NET.
. 6D IN NS M.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 6D IN A 198.41.0.4
B.ROOT-SERVERS.NET. 6D IN A 128.9.0.107
C.ROOT-SERVERS.NET. 6D IN A 192.33.4.12
D.ROOT-SERVERS.NET. 6D IN A 128.8.10.90
E.ROOT-SERVERS.NET. 6D IN A 192.203.230.10
F.ROOT-SERVERS.NET. 6D IN A 192.5.5.241
G.ROOT-SERVERS.NET. 6D IN A 192.112.36.4
H.ROOT-SERVERS.NET. 6D IN A 128.63.2.53
I.ROOT-SERVERS.NET. 6D IN A 192.36.148.17
J.ROOT-SERVERS.NET. 6D IN A 192.58.128.30
K.ROOT-SERVERS.NET. 6D IN A 193.0.14.129
L.ROOT-SERVERS.NET. 6D IN A 198.32.64.12
M.ROOT-SERVERS.NET. 6D IN A 202.12.27.33
EOF
The root.hints file is a list of root name servers. This file must be updated periodically with the dig utility. Consult the BIND 9 Administrator Reference Manual for details.
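Because a bad hints file fails quietly (named simply never reaches the roots), it is worth checking the file before it goes into the jail, both the copy above and any refreshed copy produced with dig. The following script is an added example, not part of the BLFS page; it flags lines with leading whitespace and NS targets that have no A or AAAA address in the same file.

```bash
#!/bin/sh
# Added example, not part of the BLFS page: sanity-check a root.hints file
# before named loads it. Two defects make a hints file silently wrong:
# a line with leading whitespace (the zone parser treats it as having the
# same owner name as the previous record), and an NS target with no
# address record, so named has nothing to bootstrap from.

# List lines that start with whitespace; returns 1 if any were found.
hints_leading_space() {
    grep -n '^[[:space:]]' "$1" && return 1
    return 0
}

# List NS targets with no A/AAAA record in the same file; returns 1 if any.
hints_missing_glue() {
    awk '
        /^[[:space:]]*$/ || /^;/ { next }        # blank or comment line
        {
            # locate the class so the TTL column may be present or absent
            for (i = 1; i <= NF; i++) if ($i == "IN") break
            if (i > NF - 2) next                  # not "IN <type> <rdata>"
            type = $(i + 1); rdata = $(i + 2)
            if (type == "NS") ns[tolower(rdata)] = rdata
            else if (type == "A" || type == "AAAA") glue[tolower($1)] = 1
        }
        END {
            bad = 0
            for (n in ns) if (!(n in glue)) { print "no address for " ns[n]; bad = 1 }
            exit bad
        }' "$1"
}

# Run both checks; exit status 0 only when the file passes both.
check_root_hints() {
    rc=0
    hints_leading_space "$1" || rc=1
    hints_missing_glue "$1" || rc=1
    return $rc
}

# Check the file named on the command line, e.g. freshly fetched hints
# before copying them over /home/named/etc/namedb/root.hints.
if [ "$#" -gt 0 ]; then
    check_root_hints "$1"
fi
```

Owner names are compared case-insensitively, but a trailing dot is significant, as it is in the zone file itself.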
Create the rndc.conf with the following commands:
cat > /etc/rndc.conf << "EOF"
key rndc_key {
algorithm "hmac-md5";
secret "[c3Ryb25nIGVub3VnaCBmb3IgYSBtYW4gYnV0IG1hZGUgZm9yIGEgd29tYW4K]";
};
options {
default-server localhost;
default-key rndc_key;
};
EOF
The rndc.conf file contains the information rndc needs to control named operations.

Create or modify resolv.conf to use the new name server with the following commands. Replace yourdomain.com with your own valid domain name.
cp /etc/resolv.conf /etc/resolv.conf.bak &&
cat > /etc/resolv.conf << "EOF"
search yourdomain.com
nameserver 127.0.0.1
EOF
Set permissions on the chroot jail with the following command:
chown -R named.named /home/named
To start the DNS server at boot, install the /etc/rc.d/init.d/bind init script included in the package:
make install-bind
Now start BIND with the new boot script:
/etc/rc.d/init.d/bind start
Testing BIND
Test the new BIND 9 installation. First query the local host address with dig:
dig -x 127.0.0.1
Now try an external name lookup, taking note of the speed difference in repeated lookups due to caching. Run the dig command twice on the same name:
dig beyond.linuxfromscratch.org &&
dig beyond.linuxfromscratch.org
The second lookup returns almost instantly because named answers it from its cache.

Consult bind-<version>/doc/arm/Bv9ARM.html, the BIND Administrator Reference Manual, for further configuration options.