Difference between revisions of "BIND (chroot)"

From ArchWiki
(Installation: removed install instructions and added link to Bind#Install_BIND)
(Init Script: added Template:hc; changed 'Script' to 'script' in the heading)
Revision as of 22:58, 27 November 2011

This article or section is a candidate for merging with Bind.

Notes: Talk:Bind#Chroot method here no longer works as of 9.8.0 (Discuss in Talk:BIND (chroot))

Introduction

It is not a good idea to run BIND as root: a bug in the name server would then hand an attacker the whole host. This document briefly explains how to set up a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). named is started with -t so that it chroots into the jail before it reads its configuration, and with -u so that it then drops to the unprivileged named user; the two belong together, because a process that stays root can break out of a chroot, so the jail limits what a compromised named can reach only once the privileges are gone. This document assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).

Installation

See Bind#Install_BIND for instructions on installing BIND.

Init script

The bind package already comes with an init script, but it does not run BIND in a jailed environment. The following script does: on every start it rebuilds the jail under $CHROOT, copies the configuration, zone files and the files named needs at run time into it, restricts what the named user may write, and starts named with -t.

Create the following file:

/etc/rc.d/named-chroot
 #!/bin/bash
 
 NAMED_ARGS=
 [ -f /etc/conf.d/named ] && . /etc/conf.d/named
 
 . /etc/rc.conf
 . /etc/rc.d/functions
 
 # The stop action runs "rm -rf ${CHROOT}", so never proceed with an unset or root jail path.
 if [ -z "$CHROOT" ] || [ "$CHROOT" = "/" ]; then
   echo "CHROOT must be set in /etc/conf.d/named to the jail directory (not /)"
   exit 1
 fi
 
 PID=`pidof -o %PPID /usr/sbin/named`
 case "$1" in
  start)
    stat_busy "Starting BIND (chroot)"
 
    # create chroot directories
    mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines
 
    # copy necessary files; anything else that named.conf includes must be added here
    cp /etc/named.conf ${CHROOT}/etc/
    cp /etc/localtime ${CHROOT}/etc/
    cp -a /var/named/* ${CHROOT}/var/named/
    # OpenSSL GOST engine, loaded by named after it has entered the chroot
    cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
 
    # create character device nodes (mknod fails if a node is already there, so skip existing ones)
    [ -c ${CHROOT}/dev/null ]   || mknod ${CHROOT}/dev/null c 1 3
    [ -c ${CHROOT}/dev/random ] || mknod ${CHROOT}/dev/random c 1 8
 
    # set permissions: the named user may write only to var/named/slave, var/run and var/log
    chown root:named ${CHROOT}
    chmod 750 ${CHROOT}
    chown -R named:named ${CHROOT}/var/named/slave
    chown named:named ${CHROOT}/var/{run,log}
    chmod 666 ${CHROOT}/dev/{null,random}
 
    # -t chroots into the jail before -u (from NAMED_ARGS) drops to the named user
    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon named-chroot
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping BIND (chroot)"
    [ ! -z "$PID" ]  && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      rm_daemon named-chroot
      # the whole jail is removed, including slave zones transferred into var/named/slave;
      # they are fetched from the master again after the next start
      rm -rf ${CHROOT}
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  reload)
    stat_busy "Reloading BIND"
    # rndc talks to named over the control channel, so it works from outside the jail
    [ ! -z "$PID" ] && rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      stat_done
    fi
    ;;
  *)
    echo "usage: $0 {start|stop|reload|restart}"
 esac
 exit 0

Do not forget to make this script executable.

# chmod a+x /etc/rc.d/named-chroot

Configuration

You will now need to add a new configuration variable, CHROOT, to /etc/conf.d/named. Open it in a text editor and add the following:

CHROOT="/srv/named"

If you are using a clean install of bind, your /etc/conf.d/named file should look like this:

#
# Parameters to be passed to BIND
#
NAMED_ARGS="-u named"
CHROOT="/srv/named"

Setup BIND

At this point you can configure BIND the way you are used to: on every start the init script copies /etc/named.conf, /etc/localtime, the contents of /var/named and the GOST engine into the jail. Two things to keep in mind:

  • Paths in named.conf are interpreted after the chroot, so write them as named sees them inside the jail (/var/named/...), not as host paths (/srv/named/var/named/...). Any other file that named.conf includes (an rndc key file, for example) is not copied by the script unless it lives under /var/named; keep such files there or add them to the copy step of the script, otherwise named starts on the host but fails inside the jail.
  • For security reasons the /var/named directory in the chroot is owned by root and not writable by the named user; only the /var/named/slave subdirectory is. Slave zone files must therefore be configured with a path under /var/named/slave (which is /srv/named/var/named/slave on the host), otherwise zone transfers will fail because named cannot write the zone file. Since the stop action removes the whole jail, transferred slave zones are fetched from the master again on the next start.
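Because the init script copies only a fixed set of files, a configuration that includes anything else (an rndc key file, a zone kept outside /var/named) starts fine on the host but fails inside the jail. The following script, added here as an example and not part of the ArchWiki page or the bind package, lists the paths a named.conf depends on as named resolves them after the chroot and reports which of them are absent from the jail. The function names, the constructed demo named.conf, and the rule that only files under /var/named/slave may be missing (they are created by the first zone transfer) are this example's own assumptions, chosen to match the layout the init script above creates.

```bash
#!/bin/bash
# Added example, not part of the ArchWiki page or the bind package: pre-flight
# checks for a named jail laid out as the /etc/rc.d/named-chroot script builds
# it ($CHROOT/etc/named.conf, $CHROOT/var/named, $CHROOT/dev/{null,random}).
# Function names and the demo configuration are this example's own inventions.

# The init script runs "rm -rf ${CHROOT}" on stop, so refuse an unset or root path.
jail_root_ok() {
    [ -n "$1" ] && [ "$1" != "/" ] && [ -d "$1" ]
}

# Print the paths a named.conf depends on, as named sees them after chroot:
# the options "directory" first, then every include and zone "file" path.
# Relative zone files resolve against "directory" (default /var/named here).
jail_conf_paths() {
    conf=$1
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" | head -n 1)
    [ -n "$dir" ] || dir=/var/named
    printf '%s\n' "$dir"
    sed -n -e 's/^[[:space:]]*include[[:space:]]*"\([^"]*\)".*/\1/p' \
           -e 's/^[[:space:]]*file[[:space:]]*"\([^"]*\)".*/\1/p' "$conf" |
    while IFS= read -r p; do
        case $p in
            /*) printf '%s\n' "$p" ;;
            *)  printf '%s/%s\n' "$dir" "$p" ;;
        esac
    done
}

# Print the referenced paths that do not exist under the jail. A slave zone
# file may legitimately be absent until the first transfer, so for anything
# under /var/named/slave only its directory is required (the init script
# chowns that directory to named so the transfer can write into it).
jail_missing_paths() {
    jail=$1
    jail_conf_paths "$jail/etc/named.conf" | while IFS= read -r p; do
        case $p in
            /var/named/slave/*) [ -d "$jail$(dirname "$p")" ] || printf '%s\n' "$p" ;;
            *)                  [ -e "$jail$p" ] || printf '%s\n' "$p" ;;
        esac
    done
}

# Device nodes named needs inside the jail (created with mknod by the init script).
jail_devices_ok() {
    [ -c "$1/dev/null" ] && [ -c "$1/dev/random" ]
}

# True when the jail path is sane and named.conf references nothing missing from it.
jail_ok() {
    jail_root_ok "$1" || return 1
    [ -f "$1/etc/named.conf" ] || return 1
    [ -z "$(jail_missing_paths "$1")" ]
}

# Constructed demo jail: a named.conf whose rndc key include was never copied
# into the jail, which is exactly what the init script above would produce.
make_demo_jail() {
    j=$(mktemp -d)
    mkdir -p "$j/etc" "$j/var/named/slave"
    touch "$j/var/named/localhost.zone"
    cat > "$j/etc/named.conf" <<'EOF'
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
};
include "/etc/rndc.key";
zone "example.com" IN {
    type slave;
    masters { 192.0.2.1; };
    file "/var/named/slave/example.com.zone";   # host path: $CHROOT/var/named/slave/
};
zone "localhost" IN {
    type master;
    file "localhost.zone";                      # relative to "directory"
};
EOF
    printf '%s\n' "$j"
}

# Usage: ./check-jail.sh /srv/named   (or --demo to run against the constructed jail)
if [ "${1-}" = --demo ]; then
    set -- "$(make_demo_jail)"
fi
if [ $# -gt 0 ]; then
    if jail_ok "$1"; then
        echo "jail $1: all paths referenced by named.conf are present"
    else
        echo "jail $1: missing inside the jail:"
        jail_missing_paths "$1"
    fi
    jail_devices_ok "$1" || echo "jail $1: /dev/null or /dev/random is not a character device"
fi
```

Run it as check-jail.sh /srv/named after named-chroot start, or with --demo to see it flag the constructed jail's missing /etc/rndc.key. BIND's own named-checkconf -t "$CHROOT" /etc/named.conf performs the authoritative syntax and include check from inside the jail and is the better final test; the script above is useful because it also reports missing zone files and the options directory, and because it refuses a CHROOT value that the init script's rm -rf would turn into a disaster.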

Running At Startup

In order to run the chrooted version of BIND on startup, edit the DAEMONS array in /etc/rc.conf and add named-chroot to it, in place of named if that is listed (both scripts start the same /usr/sbin/named). Make sure it starts immediately after network.

Here is an example:

DAEMONS=(rsyslogd crond iptables network named-chroot)