Skip to content

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.
  • Labs icon Lab
  • A Cloud Guru
Google Cloud Platform icon

DNS: Create a chroot Jail

Isolating BIND in a chroot jail is common practice. It prevents any malicious user, who happens to gain access to the system by exploiting a BIND vulnerability, from further exploiting the system. In this lab, we'll practice setting up a jail for BIND.

Google Cloud Platform icon

Path Info

Clock icon Intermediate
Clock icon 15m
Clock icon May 01, 2020

Contact sales

By filling out this form and clicking submit, you acknowledge our privacy policy.

Table of Contents

  1. Challenge

    Set up the chroot Jail for the BIND Service

    In CentOS all we need to do is run yum install bind-chroot -y, and then ensure that the normal BIND service isn't set to run:

    systemctl stop named
    systemctl disable named
    systemctl enable named-chroot
  2. Challenge

    Add the Forward Zone Configuration to the /etc/named.conf File, Then Run the named-checkconf Command to Verify the Configuration

    # vim /etc/named.conf

    Insert the zone configuration just before the include statements at the bottom of the file:

    zone "" {
       type master;
       file "/var/named/chroot-zone.db";

    Then run the named-checkconf command to verify the configuration:

    # named-checkconf
  3. Challenge

    Create the Forward Zone File and Check the Configuration for Syntax Errors with named-checkzone

    1. Create the forward zone file:

      vim /var/named/chroot-zone.db
    2. Enter the following:

      $TTL    86400
      @       IN      SOA (
                                10030         ; Serial
                                 3600         ; Refresh
                                 1800         ; Retry
                               604800         ; Expiry
                                86400         ; Minimum TTL
      ; Name Server
      @        IN      NS
      ; A Record Definitions
      nameserver       IN      A
      mailprod         IN      A
      mailbackup       IN      A
      ; Canonical Name/Alias
      dns        IN    CNAME
      ; Mail Exchange Records
      @        IN    MX    10
      @        IN    MX    20
    3. Save the document with :wq!.

    4. Run the named-checkzone command to check the zone file for syntax errors:

      named-checkzone /var/named/chroot-zone.db
  4. Challenge

    Change the File Permissions and the Group Owner for /var/named/

    1. Change the file permissions for /var/named/chroot-zone.db:
      chmod 760 /var/named/chroot-zone.db
    2. Change the group owner of the file to named:
      chgrp named /var/named/chroot-zone.db
  5. Challenge

    Start the Newly Configured named-chroot Service

    systemctl start named-chroot

The Cloud Content team comprises subject matter experts hyper focused on services offered by the leading cloud vendors (AWS, GCP, and Azure), as well as cloud-related technologies such as Linux and DevOps. The team is thrilled to share their knowledge to help you build modern tech solutions from the ground up, secure and optimize your environments, and so much more!

What's a lab?

Hands-on Labs are real environments created by industry experts to help you learn. These environments help you gain knowledge and experience, practice without compromising your system, test without risk, destroy without fear, and let you learn from your mistakes. Hands-on Labs: practice your skills before delivering in the real world.

Provided environment for hands-on practice

We will provide the credentials and environment necessary for you to practice right within your browser.

Guided walkthrough

Follow along with the author’s guided walkthrough and build something new in your provided environment!

Did you know?

On average, you retain 75% more of your learning if you get time for practice.

Start learning by doing today

View Plans