A process inherits its umask from its parent, so the umask that systemd starts BIND with governs the permissions of every file named creates. This means the permissions of all files made by BIND can be restricted in one place.
Change the systemd unit (with a drop-in, so the packaged unit file stays untouched) so that “others” can’t read, write, or run any files made by BIND.
Create a directory for drop-ins in /etc/systemd/system/named.service.d:
[root@centos7 ~]# mkdir /etc/systemd/system/named.service.d/
Set the UMask option to 0007 in the /etc/systemd/system/named.service.d/umask.conf configuration file (create the file if it does not exist). A umask of 0007 clears all permission bits for “others”, so other users can’t read log files, journal files, or any other files named creates. The configuration file should contain the following:
[Service]
UMask=0007
Instruct systemd to reload information about services.
[root@centos7 ~]# systemctl daemon-reload
Verify that the drop-in was discovered.
[root@centos7 ~]# systemctl status named
named.service - Berkeley Internet Name Domain (DNS)
   Loaded: loaded (/usr/lib/systemd/system/named.service; disabled)
  Drop-In: /etc/systemd/system/named.service.d
           └─umask.conf
...
The new umask only applies to processes started after the change, so restart named (systemctl restart named). Files that already exist keep the permissions they were created with and have to be corrected with chmod if needed. Files created by BIND from now on are no longer readable by other users:
[root@centos7 ~]# ls -l /var/named/data/
total 4
-rw-rw----. 1 named named 2039 sep 9 10:34 named.run
For CentOS 5 and 6, add the following line to /etc/sysconfig/named to make sure “others” can’t read, write, or run any files made by BIND:
umask 0007
After restarting named, log files, as well as journal files and any other files BIND creates, are no longer readable by others:
[root@centos6 ~]# ls -l /var/named/data/
total 4
-rw-rw----. 1 named named 2039 sep 9 10:34 named.run
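To see what the umask does and to check a BIND data directory afterwards, here is an added example that is not part of the original page: a POSIX shell script that creates a file and a directory under a given umask in a temporary directory (constructed input, so it runs anywhere) and audits a directory tree for entries that still grant “others” any permission. It assumes GNU coreutils and findutils (stat -c, find -perm /mode), as shipped with CentOS; the function names are my own.

```sh
#!/bin/sh
# Added example, not part of the original page. Shows the effect of a umask
# on files and directories a daemon creates, and audits a tree for entries
# that still grant "others" any permission. All paths below are constructed
# in a temporary directory; run audit_other_bits against /var/named for real.
# Assumes GNU coreutils and findutils (stat -c, find -perm /mode).

# Create a file (default mode 0666) and a directory (default mode 0777)
# under the given umask and print the resulting modes, e.g. "660 770".
modes_under_umask() {
    mask="$1"
    tmp=$(mktemp -d) || return 1
    (
        umask "$mask"
        : > "$tmp/named.run"   # stands in for a log file BIND opens
        mkdir "$tmp/data"      # stands in for a directory BIND creates
    )
    fmode=$(stat -c '%a' "$tmp/named.run")
    dmode=$(stat -c '%a' "$tmp/data")
    rm -rf "$tmp"
    echo "$fmode $dmode"
}

# Print every entry under $1 with any "other" bit set (r, w or x).
# Returns 0 when the tree is clean, 1 when something is world-accessible.
audit_other_bits() {
    offenders=$(find "$1" -perm /007 2>/dev/null)
    if [ -n "$offenders" ]; then
        echo "world-accessible entries under $1:" >&2
        echo "$offenders" >&2
        return 1
    fi
    return 0
}

# Demonstration with constructed data: the default umask 0022 leaves files
# world-readable, the recommended 0007 does not.
demo() {
    echo "umask 0022 -> $(modes_under_umask 0022)"   # 644 755
    echo "umask 0007 -> $(modes_under_umask 0007)"   # 660 770

    dir=$(mktemp -d) || return 1
    ( umask 0007; : > "$dir/named.run" )
    audit_other_bits "$dir" && echo "clean after umask 0007"
    ( umask 0022; : > "$dir/named.log" )
    audit_other_bits "$dir" || echo "stale world-readable file found"
    rm -rf "$dir"
}

demo
```

Run audit_other_bits /var/named after restarting named: because existing files keep the mode they were created with, the audit is what tells you whether a chmod is still needed. On a systemd host, also confirm that the drop-in is active with systemctl show -p UMask named, which prints UMask=0007 once the setting has been loaded.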