BIND (chroot)
It is not a good idea to run BIND as root, so this document briefly explains how to set up a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). It assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).
Installation
See BIND#Install BIND for instructions on installing BIND.
SystemD
Creating the Jail House
To do this we first need a place to keep the jail; we will use /srv/named. Then the required files are put into the jail.
mkdir -p /srv/named/{dev,etc,usr/lib/engines,var/{run,log,named}}
# Copy over required system files
cp -av /etc/{localtime,named.conf} /srv/named/etc/
cp -av /usr/lib/engines/* /srv/named/usr/lib/engines/
# Set up required dev nodes
mknod /srv/named/dev/null c 1 3
mknod /srv/named/dev/random c 1 8
# Set Ownership of the files
chown -R named:named /srv/named
This should create the required file system for the jail.
Service File
Next we need to create a new service file that forces BIND into the chroot:
cp -av /usr/lib/systemd/system/named.service /etc/systemd/system/named-chroot.service
Then edit how the service starts named:
/etc/systemd/system/named-chroot.service
ExecStart=/usr/bin/named -4 -f -u named -t "/srv/named"
Now reload systemd (systemctl daemon-reload), then start the service (systemctl start named-chroot.service).
SysV
Init script
The bind package already comes with an init script, but it does not run BIND in a jailed environment; however, the following script does.
Create the following file:
/etc/rc.d/named-chroot
#!/bin/bash
# Run BIND inside the chroot given by CHROOT (set in /etc/conf.d/named).

NAMED_ARGS=
[ -f /etc/conf.d/named ] && . /etc/conf.d/named
. /etc/rc.conf
. /etc/rc.d/functions

# Refuse to run without a jail path: every step below operates on $CHROOT,
# including the rm -rf in the stop target.
if [ -z "$CHROOT" ]; then
    echo "CHROOT is not set in /etc/conf.d/named" >&2
    exit 1
fi

PID=$(pidof -o %PPID /usr/sbin/named)

case "$1" in
    start)
        stat_busy "Starting BIND (chroot)"
        # create chroot directories
        mkdir -p "${CHROOT}"/{dev,etc} "${CHROOT}"/var/named/slave "${CHROOT}"/var/{run,log} "${CHROOT}"/usr/lib/engines
        # copy necessary files (configuration and zone data are copied fresh at every start)
        cp /etc/named.conf "${CHROOT}"/etc/
        cp /etc/localtime "${CHROOT}"/etc/
        cp -a /var/named/* "${CHROOT}"/var/named/
        cp /usr/lib/engines/libgost.so "${CHROOT}"/usr/lib/engines/
        # create character devices (skipped if a previous run left them in place)
        [ -c "${CHROOT}"/dev/null ] || mknod "${CHROOT}"/dev/null c 1 3
        [ -c "${CHROOT}"/dev/random ] || mknod "${CHROOT}"/dev/random c 1 8
        # set permissions: the jail root and the zone files stay read-only for named,
        # only var/named/slave, var/run and var/log are writable
        chown root:named "${CHROOT}"
        chmod 750 "${CHROOT}"
        chown -R named:named "${CHROOT}"/var/named/slave
        chown named:named "${CHROOT}"/var/{run,log}
        chmod 666 "${CHROOT}"/dev/{null,random}
        # NAMED_ARGS is intentionally unquoted so that "-u named" splits into two arguments
        [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t "${CHROOT}"
        if [ $? -gt 0 ]; then
            stat_fail
        else
            add_daemon named-chroot
            stat_done
        fi
        ;;
    stop)
        stat_busy "Stopping BIND (chroot)"
        [ -n "$PID" ] && kill "$PID" &> /dev/null
        if [ $? -gt 0 ]; then
            stat_fail
        else
            rm_daemon named-chroot
            # the jail is rebuilt from /etc and /var/named on the next start
            rm -rf "${CHROOT}"
            stat_done
        fi
        ;;
    restart)
        $0 stop
        sleep 1
        $0 start
        ;;
    reload)
        stat_busy "Reloading BIND"
        # prefer rndc; fall back to SIGHUP if rndc is not configured
        [ -n "$PID" ] && { rndc reload &> /dev/null || kill -HUP "$PID" &> /dev/null; }
        if [ $? -gt 0 ]; then
            stat_fail
        else
            stat_done
        fi
        ;;
    *)
        echo "usage: $0 {start|stop|reload|restart}"
esac
exit 0
Do not forget to make this script executable.
# chmod a+x /etc/rc.d/named-chroot
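Whether the jail was built by the systemd commands or by the init script above, it is worth checking afterwards that the layout is complete and that the running named is really rooted in it. The following audit is an added example, not code from the wiki page or the bind package; it assumes the jail at /srv/named, GNU stat, pidof from procps and a process named "named".

```shell
#!/bin/sh
# Post-start audit of a BIND chroot (added example; jail path, device numbers
# and the process name "named" are assumptions matching the steps above).

# Entries that must exist inside the jail, relative to its root.
JAIL_ENTRIES="etc/named.conf etc/localtime dev/null dev/random var/run var/log var/named usr/lib/engines"

# Report missing entries on stderr; print the number missing on stdout.
check_jail_layout() {
    missing=0
    for entry in $JAIL_ENTRIES; do
        if [ ! -e "$1/$entry" ]; then
            echo "missing: $1/$entry" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# True when NODE is a character device with the given MAJOR and MINOR,
# e.g. check_dev_node /srv/named/dev/random 1 8 (GNU stat: %t/%T are hex).
check_dev_node() {
    want=$(printf 'character special file|%x|%x' "$2" "$3")
    have=$(stat -c '%F|%t|%T' "$1" 2>/dev/null) || return 1
    [ "$have" = "$want" ]
}

# True when process PID really runs under JAIL: /proc/PID/root must resolve
# to the jail, not to "/". A named started without -t fails this check.
check_process_root() {
    root=$(readlink "/proc/$1/root" 2>/dev/null) || return 1
    [ "$root" = "$2" ]
}

# Run every check against one jail; a non-zero return means something is wrong.
audit_named_jail() {
    jail=${1:-/srv/named}
    rc=0
    n=$(check_jail_layout "$jail")
    [ "$n" -eq 0 ] || { echo "$n required jail entries missing"; rc=1; }
    check_dev_node "$jail/dev/null" 1 3 || { echo "$jail/dev/null is not char 1:3"; rc=1; }
    check_dev_node "$jail/dev/random" 1 8 || { echo "$jail/dev/random is not char 1:8"; rc=1; }
    # pidof -s returns a single PID; no running named is not a jail fault.
    if pid=$(pidof -s named 2>/dev/null); then
        check_process_root "$pid" "$jail" || { echo "named (pid $pid) is not rooted in $jail"; rc=1; }
    fi
    return "$rc"
}

if [ $# -gt 0 ]; then audit_named_jail "$1"; fi
```

Run it as root with the jail path as its only argument (for example audit_named_jail /srv/named) after the service has started.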
Configuration
You now need to add a new configuration variable to /etc/conf.d/named. Open it in a text editor and add the following line:
CHROOT="/srv/named"
If you are using a clean install of bind, your /etc/conf.d/named file should look like this:
#
# Parameters to be passed to BIND
#
NAMED_ARGS="-u named"
CHROOT="/srv/named"
Setup BIND
At this point you can configure BIND the way you are used to because all the necessary files will be copied to the jail accordingly.
Note that, for security reasons, the /var/named directory inside the chroot is read-only for named and only its /var/named/slave subdirectory is writable. Slave zone files therefore end up in /srv/named/var/named/slave, so your slave zone definitions must point at the slave subdirectory; otherwise zone transfers will fail.
Running At Startup
To run the chrooted version of BIND at start-up, edit the DAEMONS array in /etc/rc.conf and add named-chroot to it. Make sure it starts immediately after network.
Here is an example:
DAEMONS=(rsyslogd crond iptables network named-chroot)