Setting up BIND to be as insecure as possible in Centos/RHEL7

DNS, in general, should be locked down as much as possible. It’s too easy for hackers to send DNS attacks like DDoS unless you set up some security measures.

However, if you’re just trying to set up a simple BIND DNS server in a lab that’s not on a public network and is behind a ton of firewalls, just to test some basic functionality like I’ve been doing, you may want things to just *work* without having to set up all the extra security bells and whistles.

I’m writing this up to help people avoid the hours of head banging, Googling and debugging that always ends up in an Occam’s razor-like scenario: disable your firewall.


Before we start, I want to re-iterate something:


Now that that’s out of the way…

BIND configuration – named.conf Worst Practices

The general recommendations to secure DNS servers is to diable recursion, lock down the allowed queries, etc. Eff that. We’re going all out and allowing everything.

Here’s the named.conf file I used on my BIND server:

options {
 listen-on port 53 {any;};
 listen-on-v6 port 53 {any;};
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 allow-transfer {any;};
 allow-query-cache {any;};
 allow-query {any;};
 recursion yes;

 dnssec-enable no;
 dnssec-validation no;

/* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";

managed-keys-directory "/var/named/dynamic";

pid-file "/run/named/";
 session-keyfile "/run/named/session.key";

Hackable as s**t. But it works, dammit.

For good measure, my zones:


zone "" IN {
 type master;
 file "";
 allow-update {any; };
 allow-query {any;};

zone "" IN {
 type master;
 file "";
 allow-update {any;};
 allow-query {any;};

Arrrgh. Firewalls!


If you’ve worked with Linux in the past 10 years, I’m sure you’ve run into the problem with Linux firewalls where you just end up turning them off. Historically, it’s been iptables and SELinux. When I was working on my environment, I was seeing the following in a packet trace when attempting remote nslookups:

ICMP 118 Destination unreachable (Host administratively prohibited)

Local worked fine. Pinging the IP worked fine. But dig?

# dig @xx.xx.xx.xx

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @xx.xx.xx.xx
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached


# ping
ping: unknown host

Everything I read said it was either a config or firewall issue. I had already disabled the usual suspects, SELinux and iptables. But no dice.

Finally, I remembered that Centos/RHEL7 is pretty different from previous versions. So I Googled “centos7 security features” and found my answer: THEY ADDED A NEW &*@$ FIREWALL.

Introducing your newest Linux security nemesis…


Now, I fully understand the need for new security enhancements. And you should totally leave this alone in production environments. But, like the Windows Firewall, it’s the bane of a lab machine’s existence. So, I disabled it.

# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
 Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; vendor preset: enabled)
 Active: active (running) since Thu 2016-06-23 14:57:47 EDT; 6h ago
 Main PID: 670 (firewalld)
 CGroup: /system.slice/firewalld.service
 └─670 /usr/bin/python -Es /usr/sbin/firewalld --nofork --nopid

Jun 23 14:57:21 systemd[1]: Starting firewalld - dynamic firewall daemon...
Jun 23 14:57:47 systemd[1]: Started firewalld - dynamic firewall daemon.

# systemctl stop firewalld


# dig @xx.xx.xx.xx

; <<>> DiG 9.9.4-RedHat-9.9.4-29.el7_2.3 <<>> @xx.xx.xx.xx
; (1 server found)
;; global options: +cmd
;; Got answer:

Now, on to fight with BIND some more. Stay tuned for news on TR updates featuring BIND configuration with on-box DNS in ONTAP!

5 thoughts on “Setting up BIND to be as insecure as possible in Centos/RHEL7

  1. if you use firewall-cmd –add-service=dns (–permanent, if you want it to stick after a reboot), it will just work (just tested it).

    Pro tip, install the bash-completion package, then firewall-cmd will be very easy to use (or systemctl, or journalctl, …)


  2. Pingback: Why Is the Internet Broken: Greatest Hits | Why Is The Internet Broken?

  3. Thank you so much!!!! I have been pulling my hair out for a week and couldn’t figure out why I kept getting “Destination unreachable (Host administratively prohibited)” with remote nslookups. I am using Ubuntu 18.04. You’re a life saver!!


Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s