Otdfbt

so I'm really new on this and was following this tutorial to set up bind, and up to 4:50 I was having no problems, I could ping, use nslookup and had internet connection with the dns server, then we had to add the zones and create the zone files (just creating them), perfect, I restart to see if there's any trouble (I use a virtual machine btw), then i could no longer ping, use nslookup and i didn't even have internet connection.
This is what I got using systemctl status

Redirecting to /bin/systemctl status -l named.service
● named.service - Berkeley Internet Name Domain (DNS)
 Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor prese$
 Active: failed (Result: exit-code) since jue 2019-04-25 23:14:30 -04; 3min 3$
 Process: 3355 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "y$

abr 25 23:14:30 linux bash[3355]: _default/0.168.192.in-addr.arpa/IN: bad zone
abr 25 23:14:30 linux bash[3355]: zone localhost.localdomain/IN: loaded serial 0
abr 25 23:14:30 linux bash[3355]: zone localhost/IN: loaded serial 0
abr 25 23:14:30 linux bash[3355]: zone 
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.$
abr 25 23:14:30 linux bash[3355]: zone 1.0.0.127.in-addr.arpa/IN: loaded serial$
abr 25 23:14:30 linux bash[3355]: zone 0.in-addr.arpa/IN: loaded serial 0
abr 25 23:14:30 linux systemd[1]: named.service: control process exited, code=e$
abr 25 23:14:30 linux systemd[1]: Failed to start Berkeley Internet Name Domain$
abr 25 23:14:30 linux systemd[1]: Unit named.service entered failed state.
abr 25 23:14:30 linux systemd[1]: named.service failed.

I thought this was because of the empty zone files so I replaced with a named.conf without the zones, tried to restart with service restart named but got (again):

Failed to start BIND : Redirecting to /bin/systemctl start named.service Job 
for named.service failed because the control process exited with error code.
See "systemctl status named.service" and "journalctl -xe" for details.

So I did

● named.service - Berkeley Internet Name Domain (DNS)
 Loaded: loaded (/usr/lib/systemd/system/named.service; enabled; vendor preset: disabled)
 Active: failed (Result: exit-code) since jue 2019-04-25 23:25:30 -04; 1min 3s ago
 Process: 5557 ExecStart=/usr/sbin/named -u named -c $NAMEDCONF $OPTIONS (code=exited, status=1/FAILURE)
 Process: 5552 ExecStartPre=/bin/bash -c if [ ! "$DISABLE_ZONE_CHECKING" == "yes" ]; then /usr/sbin/named-checkconf -z "$NAMEDCONF"; else echo "Checking of zone files is disabled"; fi (code=exited, status=0/SUCCESS)

abr 25 23:25:30 linux named[5559]: found 2 CPUs, using 2 worker threads
abr 25 23:25:30 linux named[5559]: using 2 UDP listeners per interface
abr 25 23:25:30 linux named[5559]: using up to 21000 sockets
abr 25 23:25:30 linux named[5559]: loading configuration from '/etc/named.conf'
abr 25 23:25:30 linux named[5559]: open: /etc/named.conf: permission denied
abr 25 23:25:30 linux named[5559]: loading configuration: permission denied
abr 25 23:25:30 linux systemd[1]: named.service: control process exited, code=exited status=1
abr 25 23:25:30 linux systemd[1]: Failed to start Berkeley Internet Name Domain (DNS).
abr 25 23:25:30 linux systemd[1]: Unit named.service entered failed state.
abr 25 23:25:30 linux systemd[1]: named.service failed.

It's a permission problem but it worked perfectly before so I'm at a loss.

This is what I get by doing ls -l /etc/named.conf :

-rw-r-----. 1 root root 1808 abr 25 15:13 /etc/named.conf

And this is when I do ls -Z /etc/named.conf (if it has something to do with selinux):

 -rw-r-----. 1 root root unconfined_u:object_r:etc_t:s0 /etc/named.conf

Not sure if it helps but here's the named.conf

options 
 listen-on port 53 127.0.0.1; ;
 listen-on-v6 port 53 ::1; ;
 directory "/var/named";
 dump-file "/var/named/data/cache_dump.db";
 statistics-file "/var/named/data/named_stats.txt";
 memstatistics-file "/var/named/data/named_mem_stats.txt";
 recursing-file "/var/named/data/named.recursing";
 secroots-file "/var/named/data/named.secroots";
 allow-query localhost; ;

 recursion yes;

 dnssec-enable yes;
 dnssec-validation yes;

 /* Path to ISC DLV key */
 bindkeys-file "/etc/named.iscdlv.key";

 managed-keys-directory "/var/named/dynamic";

 pid-file "/run/named/named.pid";
 session-keyfile "/run/named/session.key";
;

logging 
 channel default_debug 
 file "data/named.run";
 severity dynamic;
 ;
;

zone "." IN 
 type hint;
 file "named.ca";
;

include "/etc/named.rfc1912.zones";
include "/etc/named.root.key";

I also don't have a chroot folder in /etc/named/

Is there a solution for this? Thanks.

when I replaced the named.conf the selinux context got messed, when doing ls -Z it should look like this

-rw-r--r--. root root system_u:object_r:named_conf_t:s0 named.conf

As you can see mine it's different, to reset it, I used

restorecon -RFv /etc/named.conf

With this, however, doing ls -Z gave me this

-rw-r-----. root root system_u:object_r:named_conf_t:s0 named.conf

To add the last 'r' so everyone can read it, I did

chmod 644 /etc/named.conf

Stopped the service named and restarted it, and it works again.

On CentOS 7 bind runs by default as named user, not root, hence it cannot read your named.conf, as it is owned by root and readable by root only.

As Håkan Lindqvist already commented, the permissions on CentOS 7 should look like below:

-rw-r-----. 1 root named 10672 04-09 20:02 /etc/named.conf

so do:

# chown root:named /etc/named.conf
# chroot 640 /etc/named.conf

I would request you to check audit logs, and if you are using any additional filesystem acl check those logs too, If you think this is SELinux issue please disable and try it again if it works you need to fix selinux policies. please check https://www.systutorials.com/docs/linux/man/8-bind_selinux/ for bind selinux reference.