ArchWiki user contributions feed (user Tiltar), fetched 2024-03-29T15:14:24Z. Revision of "BIND (chroot)" from 2013-07-25T23:27:54Z, https://wiki.archlinux.org/index.php?title=BIND_(chroot)&diff=267999. Edit summary by Tiltar: Marked out of date because the article is dependent on initscripts.
<div>[[Category:Domain Name System]]

{{Out of date|Arch no longer supports [[Initscripts]]. This article needs to be updated to work with [[systemd]].}}

It is not a good idea to run [[BIND]] as root, so this document briefly explains how to set up a basic DNS server with BIND 9.8.0 in a jailed environment (chroot). It assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).

== Installation ==
See [[BIND#Install BIND]] for instructions on installing BIND.

== Init script ==
The {{Pkg|bind}} package already comes with an init script, but that script does not run BIND in a jailed environment. The following script does.

Create the following file:
{{hc|/etc/rc.d/named-chroot|<nowiki>
#!/bin/bash

NAMED_ARGS=
[ -f /etc/conf.d/named ] && . /etc/conf.d/named

. /etc/rc.conf
. /etc/rc.d/functions

# refuse to run with an empty CHROOT: every mkdir, chown and rm below would otherwise hit the real root
if [ -z "$CHROOT" ]; then
    echo "CHROOT is not set in /etc/conf.d/named"
    exit 1
fi

PID=$(pidof -o %PPID /usr/sbin/named)
case "$1" in
start)
    stat_busy "Starting BIND (chroot)"

    # create the directory layout of the jail
    mkdir -p "${CHROOT}"/{dev,etc} "${CHROOT}"/var/named/slave "${CHROOT}"/var/{run,log} "${CHROOT}"/usr/lib/engines

    # copy the configuration, the zone data and the OpenSSL GOST engine into the jail
    cp /etc/named.conf "${CHROOT}"/etc/
    cp /etc/localtime "${CHROOT}"/etc/
    cp -a /var/named/* "${CHROOT}"/var/named/
    cp /usr/lib/engines/libgost.so "${CHROOT}"/usr/lib/engines/

    # create the device nodes named needs (character devices: null is 1,3 and random is 1,8)
    mknod "${CHROOT}"/dev/null c 1 3
    mknod "${CHROOT}"/dev/random c 1 8

    # set permissions: named may enter the jail but may only write to slave/, run/ and log/
    chown root:named "${CHROOT}"
    chmod 750 "${CHROOT}"
    chown -R named:named "${CHROOT}"/var/named/slave
    chown named:named "${CHROOT}"/var/{run,log}
    chmod 666 "${CHROOT}"/dev/{null,random}

    # start named chrooted to ${CHROOT}; reported as a failure if it is already running
    if [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t "${CHROOT}"; then
        add_daemon named-chroot
        stat_done
    else
        stat_fail
    fi
    ;;
stop)
    stat_busy "Stopping BIND (chroot)"
    if [ -n "$PID" ] && kill "$PID" &> /dev/null; then
        rm_daemon named-chroot
        # the jail is rebuilt from the host on every start; removing it also discards
        # slave zone files transferred since the last start
        rm -rf "${CHROOT}"
        stat_done
    else
        stat_fail
    fi
    ;;
restart)
    $0 stop
    sleep 1
    $0 start
    ;;
reload)
    stat_busy "Reloading BIND"
    # prefer rndc; fall back to SIGHUP if rndc cannot reach the server
    if [ -n "$PID" ] && { rndc reload &> /dev/null || kill -HUP "$PID" &> /dev/null; }; then
        stat_done
    else
        stat_fail
    fi
    ;;
*)
    echo "usage: $0 {start|stop|reload|restart}"
esac
exit 0
</nowiki>}}

Do not forget to make this script executable:
 # chmod a+x /etc/rc.d/named-chroot

== Configuration ==
You now need to add a new configuration variable to '''/etc/conf.d/named'''. Open it in a text editor and add the following:
 CHROOT="/srv/named"

On a clean install of {{Pkg|bind}} your '''/etc/conf.d/named''' file should then look like this:
{{hc|/etc/conf.d/named|<nowiki>
#
# Parameters to be passed to BIND
#
NAMED_ARGS="-u named"
CHROOT="/srv/named"
</nowiki>}}

== Setup BIND ==
At this point you can configure [[BIND]] the way you are used to, because the init script copies all the necessary files into the jail.

*Note that, for security reasons, the '''/var/named''' directory inside the chroot is read-only for the ''named'' user and only the '''/var/named/slave''' subdirectory is writable. Slave zone files are therefore written to '''/srv/named/var/named/slave''' on the host, and the configuration of your slave zones must reflect this, otherwise zone transfers will fail.

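An added example that is not part of the wiki article or of the {{Pkg|bind}} package: a POSIX sh audit script that checks a jail built by the init script above against the layout and permissions this article describes (jail root not writable by named's group or others, read-only var/named with a slave subdirectory, character devices for dev/null and dev/random, no setuid or setgid files inside the jail). It also catches the slave-zone mistake the note above warns about: once named is started with -t it resolves every path in named.conf inside the jail, so a file path written with the host-side prefix (/srv/named/...) does not exist from named's point of view. The function names, the FAIL messages and the mock jail with deliberate defects are my own; mknod needs root, so on a non-root run the two device-node checks always report a finding.

```bash
#!/bin/sh
# Audit a BIND chroot laid out like the named-chroot init script on this page.
# Added example, not part of the ArchWiki article; function names are my own.
#   sh audit-named-chroot.sh /srv/named   # audit a real jail (run as root)
#   sh audit-named-chroot.sh              # audit a constructed mock jail with known defects

n=0
fail() { n=$((n + 1)); printf 'FAIL: %s\n' "$1" >&2; }

# true when group or others hold write permission on PATH (POSIX find only, no GNU stat)
gw_or_ow() { [ -n "$(find "$1" -prune \( -perm -020 -o -perm -002 \) -print)" ]; }

# audit_named_chroot CHROOT: one FAIL line per finding on stderr, the number of
# findings on stdout, non-zero return when anything was found
audit_named_chroot() {
    root=$1
    n=0
    if [ ! -d "$root" ]; then
        fail "$root is not a directory"; echo "$n"; return 1
    fi
    # the jail root is root:named 750 in the init script: named may enter it, only root writes
    gw_or_ow "$root" && fail "jail root $root is writable by group or others"
    if [ ! -f "$root/etc/named.conf" ]; then
        fail "etc/named.conf is missing"
    else
        gw_or_ow "$root/etc/named.conf" && fail "etc/named.conf is writable by group or others"
        # named started with -t resolves every named.conf path inside the jail, so a
        # "file" path carrying the host-side prefix of the jail is invisible to it
        paths=$(sed -n 's/.*file[[:space:]]*"\([^"]*\)".*/\1/p' "$root/etc/named.conf")
        while read -r f; do
            case $f in
                "$root"/*) fail "named.conf file path $f uses the host path of the jail" ;;
            esac
        done <<EOF
$paths
EOF
    fi
    # zone data is read-only for named; only var/named/slave is meant to be writable
    if [ ! -d "$root/var/named" ]; then
        fail "var/named is missing"
    else
        gw_or_ow "$root/var/named" && fail "var/named is writable by group or others"
        [ -d "$root/var/named/slave" ] || fail "var/named/slave is missing (zone transfers will fail)"
    fi
    # named needs these two nodes; they must be character devices, not plain files
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || fail "dev/$dev is missing or not a character device"
    done
    # nothing inside the jail should carry setuid or setgid bits
    s=$(( $(find "$root" -type f \( -perm -4000 -o -perm -2000 \) -print | wc -l) ))
    [ "$s" -eq 0 ] || fail "$s setuid/setgid file(s) inside the jail"
    echo "$n"
    [ "$n" -eq 0 ]
}

# make_mock_chroot: constructed sample input, a jail with deliberate defects so the
# audit has something to report. mknod needs root, so no device nodes are created.
make_mock_chroot() {
    d=$(mktemp -d)
    mkdir -p "$d/dev" "$d/etc" "$d/var/named/slave" "$d/var/run" "$d/var/log"
    chmod 750 "$d"
    chmod 755 "$d/var/named"
    cat > "$d/etc/named.conf" <<EOF
options { directory "/var/named"; };
zone "example.org" IN {
    type slave;
    file "$d/var/named/slave/example.org";   /* defect: host-side path, invisible inside the jail */
    masters { 192.0.2.1; };
};
EOF
    chmod 666 "$d/etc/named.conf"             # defect: named (and everyone else) could edit the config
    : > "$d/var/named/stray-setuid"
    chmod 4755 "$d/var/named/stray-setuid"    # defect: setuid file inside the jail
    printf '%s\n' "$d"
}

if [ "$#" -gt 0 ]; then
    audit_named_chroot "$1"
else
    # no argument: audit the mock jail, report, and clean up (exit status 0 regardless of findings)
    mock=$(make_mock_chroot)
    audit_named_chroot "$mock" || :
    rm -rf "$mock"
fi
```

Run it as root against '''/srv/named''' after the first start; the exit status is non-zero when anything was found, so it can sit in a cron job or a post-start hook. Ownership (root:named on the jail root, named:named on slave/, run/ and log/) is deliberately not checked so that the script also runs on a machine without a ''named'' user; where that user exists, a `find "$root/var/named/slave" -prune ! -user named` check is the natural addition.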
== Running At Startup ==
In order to run the chrooted version of [[BIND]] on start-up, edit the DAEMONS array in '''/etc/rc.conf''' and add ''named-chroot'' to it. Make sure it starts immediately after ''network''.

Here is an example:
 DAEMONS=(rsyslogd crond iptables network named-chroot)</div>