Difference between revisions of "BIND (chroot)"

From ArchWiki
Revision as of 23:27, 25 July 2013


This article or section is out of date.

Reason: Arch no longer supports Initscripts. This article needs to be updated to work with systemd.

It's not a good idea to run BIND as root, so this document will briefly explain how to set up a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). This document assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).

Installation

See BIND#Install BIND for instructions on installing BIND.

Init script

The bind package already comes with an init script, but it does not run BIND in a jailed environment; however, the following script does.

Create the following file:

/etc/rc.d/named-chroot
 #!/bin/bash
 
 NAMED_ARGS=
 [ -f /etc/conf.d/named ] && . /etc/conf.d/named
 
 . /etc/rc.conf
 . /etc/rc.d/functions
 
 # refuse to run with an empty CHROOT: every path below (including the rm -rf in stop) is built from it
 [ -n "$CHROOT" ] || { echo "CHROOT is not set in /etc/conf.d/named"; exit 1; }
 
 PID=`pidof -o %PPID /usr/sbin/named`
 case "$1" in
  start)
    stat_busy "Starting BIND (chroot)"
 
    # create chroot directories
    mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines
 
    # copy necessary files
    cp /etc/named.conf ${CHROOT}/etc/
    cp /etc/localtime ${CHROOT}/etc/
    cp -a /var/named/* ${CHROOT}/var/named/
    cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
 
    # create the character device nodes named needs inside the jail (/dev/null and /dev/random)
    mknod ${CHROOT}/dev/null c 1 3
    mknod ${CHROOT}/dev/random c 1 8
 
    # set permissions
    chown root:named ${CHROOT}
    chmod 750 ${CHROOT}
    chown -R named:named ${CHROOT}/var/named/slave
    chown named:named ${CHROOT}/var/{run,log}
    chmod 666 ${CHROOT}/dev/{null,random}
 
    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon named-chroot
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping BIND (chroot)"
    [ ! -z "$PID" ]  && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      rm_daemon named-chroot
      rm -rf ${CHROOT}
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  reload)
    stat_busy "Reloading BIND"
    [ ! -z "$PID" ] && rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      stat_done
    fi
    ;;
  *)
    echo "usage: $0 {start|stop|reload|restart}"
 esac
 exit 0

Do not forget to make this script executable.

# chmod a+x /etc/rc.d/named-chroot

Configuration

You will now need to add a new configuration variable to /etc/conf.d/named. So open it up in a text editor and add the following:

CHROOT="/srv/named"

If you are using a clean install of bind your /etc/conf.d/named file should look like this:

#
# Parameters to be passed to BIND
#
NAMED_ARGS="-u named"
CHROOT="/srv/named"

Setup BIND

At this point you can configure BIND the way you are used to because all the necessary files will be copied to the jail accordingly.

  • Note that, for security reasons, the /var/named directory inside the chroot is read-only and only the /var/named/slave subdirectory is writable. On the host, slave zone files are therefore saved in /srv/named/var/named/slave, so your slave zone configuration must reflect this, otherwise zone transfers will fail.
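As an added example (not part of the original article), a POSIX shell check for the slave zone caveat above: it scans a named.conf for slave zones whose file path lies outside the writable /var/named/slave directory, which is where zone transfers would otherwise fail to write. The function names, the awk parser and the sample named.conf are constructed for this illustration.

```shell
#!/bin/sh
# Audit named.conf for slave zones whose "file" lies outside /var/named/slave, the
# only writable part of /var/named in the chroot. named.conf paths are what named
# sees after "named -t $CHROOT": /var/named/slave/x is ${CHROOT}/var/named/slave/x.

# Print "zone path" for each slave zone whose file is outside /var/named/slave and
# return 1 if any was found. A relative "file" is resolved against the options
# directory (default /var/named); brace depth is tracked so masters { }; is safe.
slave_zones_outside_writable_dir() {
  awk '
    BEGIN { bad = 0; depth = 0 }
    /^[[:space:]]*directory[[:space:]]/ { dir = $2; gsub(/[";]/, "", dir) }
    /^[[:space:]]*zone[[:space:]]/ { zone = $2; gsub(/"/, "", zone); type = ""; file = "" }
    /^[[:space:]]*type[[:space:]]/ { type = $2; sub(/;.*/, "", type) }
    /^[[:space:]]*file[[:space:]]/ { file = $2; gsub(/[";]/, "", file) }
    {
      depth += gsub(/[{]/, "{") - gsub(/[}]/, "}")
      if (zone != "" && depth == 0) {
        if (type == "slave") {
          if (file !~ /^\//) file = (dir == "" ? "/var/named" : dir) "/" file
          if (file !~ /^\/var\/named\/slave\//) { print zone " " file; bad = 1 }
        }
        zone = ""
      }
    }
    END { exit bad }
  ' "$1"
}

# Constructed sample named.conf (not a real configuration) to exercise the check:
# good.test keeps its file in the writable slave directory, bad.test does not.
write_sample_named_conf() {
  cat > "$1" <<'EOF'
options {
    directory "/var/named";
};
zone "good.test" IN {
    type slave;
    masters { 192.0.2.1; };
    file "slave/good.test.zone";
};
zone "bad.test" IN {
    type slave;
    masters {
        192.0.2.1;
    };
    file "/var/named/bad.test.zone";
};
EOF
}
```

On a real host run slave_zones_outside_writable_dir /etc/named.conf before starting named-chroot; any zone it prints will be unable to save its transferred zone file inside the jail.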

Running At Startup

In order to run the chrooted version of BIND on start-up, edit the DAEMONS array of /etc/rc.conf and add named-chroot to it. Make sure it starts immediately after network.

Here is an example:

DAEMONS=(rsyslogd crond iptables network named-chroot)