BIND (chroot)
It is not a good idea to run BIND as root, so this document briefly explains how to set up a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). It assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).
Installation
See BIND#Install BIND for instructions on installing BIND.
systemd
Creating the Jail House
First we need to create a place to keep the jail (we shall use /srv/named), and then put the required files into it. Run the following as root:
# Create the directory skeleton named expects inside the jail
mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
# Copy over required system files. -L dereferences symlinks: /etc/localtime
# is usually a symlink into /usr/share/zoneinfo, which would dangle inside the jail
cp -vL /etc/{localtime,named.conf} /srv/named/etc/
cp -av /usr/lib/engines/* /srv/named/usr/lib/engines/
# Copy the zone files so named.conf's zone paths resolve inside the jail
cp -av /var/named/* /srv/named/var/named/
# Set up required device nodes (character devices, major/minor 1/3 and 1/8)
mknod /srv/named/dev/null c 1 3
mknod /srv/named/dev/random c 1 8
chmod 666 /srv/named/dev/{null,random}
# Set ownership of the files so the unprivileged named user can use them
chown -R named:named /srv/named
This should create the required file system for the jail.
Service File
Next we need to create a new service file that forces BIND into the chroot. Copy the packaged unit:
cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service
Then edit how the service calls BIND, adding the -4 and -t options to the ExecStart line:
/etc/systemd/system/named-chroot.service
ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"
Now reload systemd:
systemctl daemon-reload
then start the service:
systemctl start named-chroot.service
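As an added example (not part of the wiki page or of the bind package), the following POSIX shell script turns the checklist above into a pre-flight audit of the jail. Run it as root before starting named-chroot.service (it also fits the SysV setup below, since the jail layout is the same). It verifies that the files, directories and character devices named needs are present, and additionally reports anything in the jail that is world-writable, since such an entry would let any local user alter what the chrooted named reads. The file and directory lists, the default path /srv/named and the function names are assumptions chosen to match the layout created above.

```shell
#!/bin/sh
# Added example: audit a BIND chroot jail before starting named in it.
# Usage (as root):  . ./audit_named_jail.sh && audit_named_jail /srv/named
# Lists below mirror the layout created in the setup steps (assumption).

JAIL_FILES="etc/named.conf etc/localtime"
JAIL_DIRS="var/run var/log var/named usr/lib/engines"
JAIL_DEVICES="null random"

# Regular files and directories the setup copies or creates.
# Prints one line per problem; returns 0 if everything is fine, 1 otherwise.
audit_jail_files() {
    jail=$1
    problems=0
    for f in $JAIL_FILES; do
        # -f follows symlinks, so a dangling copy of /etc/localtime is caught too
        if [ ! -f "$jail/$f" ]; then
            echo "missing file: $jail/$f"
            problems=$((problems + 1))
        fi
    done
    for d in $JAIL_DIRS; do
        if [ ! -d "$jail/$d" ]; then
            echo "missing directory: $jail/$d"
            problems=$((problems + 1))
        fi
    done
    # World-writable entries (device nodes and symlinks excluded) are a
    # tampering risk: any local user could rewrite zone data or named.conf.
    ww=$(find "$jail" -perm -002 ! -type c ! -type l 2>/dev/null)
    if [ -n "$ww" ]; then
        echo "world-writable entries in $jail:"
        echo "$ww"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Device nodes: named needs /dev/null and /dev/random inside the jail, and
# they must be character devices, not plain files left behind by a typo.
audit_jail_devices() {
    jail=$1
    problems=0
    for dev in $JAIL_DEVICES; do
        if [ ! -c "$jail/dev/$dev" ]; then
            echo "missing character device: $jail/dev/$dev"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# Full audit; the jail path defaults to the one used on this page.
audit_named_jail() {
    jail=${1:-/srv/named}
    status=0
    audit_jail_files "$jail" || status=1
    audit_jail_devices "$jail" || status=1
    [ "$status" -eq 0 ] && echo "$jail: jail looks complete"
    return $status
}
```

The two checks are split so the file layout can be verified by an unprivileged user, while the device-node check (which only root can satisfy, as mknod requires root) still fails the combined audit when the nodes are missing.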
SysV
Init script
The bind package already comes with an init script, but it does not run BIND in a jailed environment; the following script does.
Create the following file:
/etc/rc.d/named-chroot
#!/bin/bash

NAMED_ARGS=
[ -f /etc/conf.d/named ] && . /etc/conf.d/named

. /etc/rc.conf
. /etc/rc.d/functions

# Refuse to run with an empty CHROOT: every path below is built from it
if [ -z "$CHROOT" ]; then
  echo "CHROOT is not set in /etc/conf.d/named"
  exit 1
fi

PID=`pidof -o %PPID /usr/sbin/named`
case "$1" in
  start)
    stat_busy "Starting BIND (chroot)"
    # create chroot directories
    mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines
    # copy necessary files (plain cp follows symlinks, so localtime is a real file)
    cp /etc/named.conf ${CHROOT}/etc/
    cp /etc/localtime ${CHROOT}/etc/
    cp -a /var/named/* ${CHROOT}/var/named/
    cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
    # create character devices
    mknod ${CHROOT}/dev/null c 1 3
    mknod ${CHROOT}/dev/random c 1 8
    # set permissions: the jail is root-owned and read-only for named,
    # only the slave zone directory, run and log directories are writable
    chown root:named ${CHROOT}
    chmod 750 ${CHROOT}
    chown -R named:named ${CHROOT}/var/named/slave
    chown named:named ${CHROOT}/var/{run,log}
    chmod 666 ${CHROOT}/dev/{null,random}
    # only start if no named is already running
    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon named-chroot
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping BIND (chroot)"
    [ ! -z "$PID" ] && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      rm_daemon named-chroot
      # the jail is rebuilt on every start; note this also discards
      # transferred slave zone files kept under ${CHROOT}/var/named/slave
      rm -rf ${CHROOT}
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  reload)
    stat_busy "Reloading BIND"
    # prefer rndc; fall back to SIGHUP if rndc is not usable
    [ ! -z "$PID" ] && rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      stat_done
    fi
    ;;
  *)
    echo "usage: $0 {start|stop|reload|restart}"
esac
exit 0
Do not forget to make this script executable.
# chmod a+x /etc/rc.d/named-chroot
Configuration
You will now need to add a new configuration variable to /etc/conf.d/named. Open it in a text editor and add the following:
CHROOT="/srv/named"
If you are using a clean install of bind, your /etc/conf.d/named file should look like this:
#
# Parameters to be passed to BIND
#
NAMED_ARGS="-u named"
CHROOT="/srv/named"
Setup BIND
At this point you can configure BIND the way you are used to, because all the necessary files are copied into the jail by the init script.
- One thing to note: for security reasons, the /var/named directory in the chroot is read-only and only the /var/named/slave subdirectory is writable. Slave zone files are therefore actually saved in /srv/named/var/named/slave, so your slave zone configuration should reflect this; otherwise zone transfers will fail.
Running At Startup
In order to run the chrooted version of BIND on start-up, edit the DAEMONS array in /etc/rc.conf and add named-chroot to it. Make sure it starts immediately after network.
Here is an example:
DAEMONS=(rsyslogd crond iptables network named-chroot)