Can't start Bind open: /etc/named.conf: permission denied
so I'm really new on this and was following this tutorial to set up bind, and up to 4:50 I was having no problems, I could ping, use nslookup and had internet connection with the dns server, then we had to add the zones and create the zone files (just creating them), perfect, I restart to see if there's any trouble (I use a virtual machine btw), then i could no longer ping, use nslookup and i didn't even have internet connection. This is what I got using systemctl status
Redirecting to /bin/systemctl status -l named.service
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor prese$
Active: failed (Result: exit-code) since jue 2019-04-25 23:14:30 -04; 3min 3$
Process: 3355 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "y$
abr 25 23:14:30 linux bash[3355]: _default/0.168.192.in-addr.arpa/IN: bad zone
abr 25 23:14:30 linux bash[3355]: zone localhost.localdomain/IN: loaded serial 0
abr 25 23:14:30 linux bash[3355]: zone localhost/IN: loaded serial 0
abr 25 23:14:30 linux bash[3355]: zone
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.$
abr 25 23:14:30 linux bash[3355]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial$
abr 25 23:14:30 linux bash[3355]: zone 0.in-addr.arpa/IN: loaded serial 0
abr 25 23:14:30 linux systemd[1]: named.service: control process exited, code=e$
abr 25 23:14:30 linux systemd[1]: Failed to start Berkeley Internet Name Domain$
abr 25 23:14:30 linux systemd[1]: Unit named.service entered failed state.
abr 25 23:14:30 linux systemd[1]: named.service failed.
I thought this was because of the empty zone files so I replaced with a named.conf without the zones, tried to restart with service restart named but got (again):
Failed to start BIND : Redirecting to /bin/systemctl start named.service Job
for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xe" for details.
So I did
● named.service - Berkeley Internet Name Domain (DNS)
Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
Active: failed (Result: exit-code) since jue 2019-04-25 23:25:30 -04; 1min 3s ago
Process: 5557 ExecStart=/usr/sbin/named -u named -c ${NAMEDCONF} $OPTIONS (code=exited, status=1/FAILURE)
Process: 5552 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)
abr 25 23:25:30 linux named[5559]: found 2 CPUs, using 2 worker threads
abr 25 23:25:30 linux named[5559]: using 2 UDP listeners per interface
abr 25 23:25:30 linux named[5559]: using up to 21000 sockets
abr 25 23:25:30 linux named[5559]: loading configuration from '/etc/named.conf'
abr 25 23:25:30 linux named[5559]: open: /etc/named.conf: permission denied
abr 25 23:25:30 linux named[5559]: loading configuration: permission denied
abr 25 23:25:30 linux systemd[1]: named.service: control process exited, code=exited status=1
abr 25 23:25:30 linux systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
abr 25 23:25:30 linux systemd[1]: Unit named.service entered failed state.
abr 25 23:25:30 linux systemd[1]: named.service failed.
It's a permission problem but it worked perfectly before so I'm at a loss.
This is what I get by doing ls -l /etc/named.conf :
-rw-r-----. 1 root root 1808 abr 25 15:13 /etc/named.conf
And this is when I do ls -Z /etc/named.conf (if it has something to do with selinux):
-rw-r-----. 1 root root unconfined_u:object_r:etc_t:s0 /etc/named.conf
Not sure if it helps but here's the named.conf
options {
listen-on port 53 { 127.0.0.1; };
listen-on-v6 port 53 { ::1; };
directory "/var/named";
dump-file "/var/named/data/cache_dump.db";
statistics-file "/var/named/data/named_stats.txt";
memstatistics-file "/var/named/data/named_mem_stats.txt";
recursing-file "/var/named/data/named.recursing";
secroots-file "/var/named/data/named.secroots";
allow-query { localhost; };
recursion yes;
dnssec-enable yes;
dnssec-validation yes;
/* Path to ISC DLV key */
bindkeys-file "/etc/named.iscdlv.key";
managed-keys-directory "/var/named/dynamic";
pid-file "/run/named/named.pid";
session-keyfile "/run/named/session.key";
};
logging {
channel default_debug {
file "data/named.run";
severity dynamic;
};
};
zone "." IN {
type hint;
file "named.ca";
};
include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";
I also don't have a chroot folder in /etc/named/
Is there a solution for this? Thanks.
Solution 1:
when I replaced the named.conf the selinux context got messed, when doing ls -Z it should look like this
-rw-r--r--. root root system_u:object_r:named_conf_t:s0 named.conf
As you can see mine it's different, to reset it, I used
restorecon -RFv /etc/named.conf
With this, however, doing ls -Z gave me this
-rw-r-----. root root system_u:object_r:named_conf_t:s0 named.conf
To add the last 'r' so everyone can read it, I did
chmod 644 /etc/named.conf
Stopped the service named and restarted it, and it works again.
Solution 2:
On CentOS 7 bind runs by default as named user, not root, hence it cannot read your named.conf, as it is owned by root and readable by root only.
As Håkan Lindqvist already commented, the permissions on CentOS 7 should look like below:
-rw-r-----. 1 root named 10672 04-09 20:02 /etc/named.conf
so do:
# chown root:named /etc/named.conf
# chroot 640 /etc/named.conf