BIND (chroot)

=== Introduction ===
Running BIND as root is a bad idea: any exploitable bug in named would hand an attacker the whole system. This document briefly explains how to set up a basic DNS server with BIND 9.8.0 running as the unprivileged named user inside a jailed environment (chroot), so that a compromised named can reach only the files inside the jail. Dropping privileges with -u named is part of the protection, not an optional extra: a process that keeps root can break out of a chroot. The document assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).
 
 
 
=== Installation ===
 
Install the bind package from the extra repository using pacman (use -S, not -Sy: refreshing the package database without also upgrading leaves the system in a partially upgraded state).

# pacman -S bind
 
 
 
=== Init Script ===
 
The BIND package already comes with an init script, but it does not run BIND in a jailed environment; however, the following script does.
 
 
 
Create the file named-chroot in /etc/rc.d/ and paste the following script into it.
 
 
 
#!/bin/bash

# Defaults; /etc/conf.d/named overrides them. Running as the unprivileged
# named user is essential: a process that keeps root can escape a chroot.
NAMED_ARGS="-u named"
CHROOT=

[ -f /etc/conf.d/named ] && . /etc/conf.d/named

. /etc/rc.conf
. /etc/rc.d/functions

# Refuse to run with an empty or root CHROOT: start copies files into it and
# stop removes it recursively, so a bad value would damage the host system.
case "$CHROOT" in
  ""|/)
    echo "CHROOT must be set to a dedicated directory in /etc/conf.d/named"
    exit 1
    ;;
esac

PID=`pidof -o %PPID /usr/sbin/named`
case "$1" in
  start)
    stat_busy "Starting BIND (chroot)"

    # create chroot directories
    mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines

    # copy necessary files; anything named.conf pulls in with an include
    # statement (for example /etc/rndc.key) must be copied here as well
    cp /etc/named.conf ${CHROOT}/etc/
    cp /etc/localtime ${CHROOT}/etc/
    cp -a /var/named/* ${CHROOT}/var/named/
    cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/

    # create character devices; named reads /dev/random for entropy, which can
    # block on a machine with little entropy (named -r selects another device)
    mknod ${CHROOT}/dev/null c 1 3
    mknod ${CHROOT}/dev/random c 1 8

    # set permissions: named may write only to slave/, var/run and var/log
    chown root:named ${CHROOT}
    chmod 750 ${CHROOT}
    chown -R named:named ${CHROOT}/var/named/slave
    chown named:named ${CHROOT}/var/{run,log}
    chmod 666 ${CHROOT}/dev/{null,random}

    # -t makes named chroot into the jail before it drops privileges
    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon named-chroot
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping BIND (chroot)"
    [ ! -z "$PID" ] && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      rm_daemon named-chroot
      # the jail is rebuilt from the host copies on every start; note that this
      # also discards any slave zone files transferred into it
      rm -rf ${CHROOT}
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  reload)
    stat_busy "Reloading BIND"
    # rndc runs outside the jail and talks to named over the control channel;
    # if it is not usable, fall back to SIGHUP, which named treats as a reload
    [ ! -z "$PID" ] && rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      stat_done
    fi
    ;;
  *)
    echo "usage: $0 {start|stop|reload|restart}"
esac
exit 0
 
 
 
Don't forget to make this script executable.
 
# chmod a+x /etc/rc.d/named-chroot
 
 
 
=== Configuration ===
 
You will now need to add a new configuration variable to /etc/conf.d/named. So open it up in a text editor and add the following:
 
CHROOT="/srv/named"
 
 
 
If you are using a clean install of bind your /etc/conf.d/named file should look like this:
 
#
 
# Parameters to be passed to BIND
 
#
 
NAMED_ARGS="-u named"
 
CHROOT="/srv/named"
 
 
 
=== Setup BIND ===
 
The start action copies /etc/named.conf and the contents of /var/named into the jail every time it runs, so keep configuring BIND in the usual places; because named chroots to /srv/named, it still sees them as /etc/named.conf and /var/named. Only what the script copies ends up in the jail: any file that named.conf pulls in with an include statement (for example /etc/rndc.key, which the reload action relies on) has to be copied into the jail as well, otherwise named refuses to start because the include cannot be found.
 
 
 
*One thing to note: for security reasons, /var/named inside the jail keeps the ownership of the host copy and is read-only to named; only the /var/named/slave subdirectory is owned by named and writable. Slave zone files are therefore really stored in /srv/named/var/named/slave, so every slave zone's file statement must name a file under slave/ (relative to the directory option), otherwise named cannot write the transferred zone and zone transfers fail. Also be aware that the stop action removes the whole jail, so slave zones are transferred again from their masters after every restart.
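Because the jail only contains what the start action copies, and every path in named.conf is resolved after the chroot, the two things that commonly go wrong are an included file that was never copied (named then fails to start) and a slave zone whose file statement does not point under the writable slave/ directory (transfers then fail). The script below is an added example, not part of this page or of the BIND package: it lists every include and zone file statement in a named.conf, resolves each path the way the chrooted named will (relative names against the directory option, then under the jail root), and reports whether it is present in the jail. The named.conf, zone names (example.com, example.net), master address and file names in its self-test are constructed for illustration, and the jail tree it builds mirrors what the rc.d script above creates; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the ArchWiki page or the BIND package): report how
# the jailed named will resolve the include and file paths in a named.conf.
# Everything in the self-test fixture at the bottom is made up.

# Value of options { directory "..."; }, or BIND's compiled-in /var/named.
# A leading space is prepended so that "directory" at the start of a line
# matches the same pattern as one preceded by a space, "{" or ";".
named_directory() {
    dir=$(sed -n -e 's/^/ /' \
        -e 's/.*[[:space:]{;]directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1)
    printf '%s\n' "${dir:-/var/named}"
}

# Every include "..." and zone file "..." statement, one per line as
# "<kind> <path>". Options such as dump-file or pid-file are not matched
# because a "-" may not precede the keyword.
conf_references() {
    sed -n -e 's/^/ /' \
        -e 's/.*[[:space:]{;]include[[:space:]]*"\([^"]*\)".*/include \1/p' \
        -e 's/.*[[:space:]{;]file[[:space:]]*"\([^"]*\)".*/file \1/p' "$1"
}

# jail_path JAIL DIR PATH: resolve PATH as named does after chroot(2); a
# relative name is taken against the directory option, and the result is
# then prefixed with the jail root so it can be checked from the host.
jail_path() {
    case $3 in
        /*) printf '%s%s\n' "$1" "$3" ;;
        *)  printf '%s%s/%s\n' "$1" "$2" "$3" ;;
    esac
}

# check_jail JAIL CONF: one report line per reference, status first.
#   ok      - present in the jail
#   pending - a zone file that is absent but whose directory exists; normal
#             for a slave zone, which named writes after the first transfer
#             (the directory must be writable by the named user)
#   MISSING - an absent include, or a zone file whose directory is absent
check_jail() {
    dir=$(named_directory "$2")
    conf_references "$2" | while read -r kind path; do
        target=$(jail_path "$1" "$dir" "$path")
        if [ -e "$target" ]; then
            status=ok
        elif [ "$kind" = file ] && [ -d "$(dirname "$target")" ]; then
            status=pending
        else
            status=MISSING
        fi
        printf '%-8s %-8s %s\n' "$status" "$kind" "$target"
    done
}

# Number of MISSING entries, for use in scripts (0 means the jail is complete).
missing_count() {
    check_jail "$1" "$2" | awk 'BEGIN { n = 0 } $1 == "MISSING" { n++ } END { print n }'
}

# Constructed fixture: a named.conf plus a jail populated the way the rc.d
# start action leaves it when /etc/rndc.key has not been copied in.
# Prints the temporary root that holds both.
make_fixture() {
    root=$(mktemp -d)
    cat > "$root/named.conf" <<'EOF'
options {
    directory "/var/named";
};
include "/etc/rndc.key";
zone "example.com" IN { type master; file "example.com.zone"; };
zone "example.net" IN { type slave; file "slave/example.net.zone"; masters { 192.0.2.1; }; };
EOF
    mkdir -p "$root/jail/etc" "$root/jail/var/named/slave"
    : > "$root/jail/var/named/example.com.zone"
    printf '%s\n' "$root"
}

# Stand-alone demonstration against the constructed fixture.
root=$(make_fixture)
check_jail "$root/jail" "$root/named.conf"
rm -rf "$root"
```

Against the real jail, run check_jail /srv/named /etc/named.conf after a start. A pending zone file is expected for a slave zone as long as its directory is the named-owned slave/; a MISSING include has to be copied into the jail before named will start. Once the tree looks right, let BIND confirm it: named-checkconf -t /srv/named /etc/named.conf chroots to the jail and parses the configuration exactly as the jailed named will (add -z to load the zone files too); it needs root for the chroot.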
 
 
 
=== Running At Startup ===
 
To run the chrooted version of BIND on startup, add ''named-chroot'' to the DAEMONS array in /etc/rc.conf, and remove ''named'' if it is listed there, since both scripts start the same daemon. Make sure it starts immediately after ''network'', so the interfaces are up when named binds its sockets.
 
# vim /etc/rc.conf
 
 
 
Here is an example:
 
DAEMONS=(rsyslogd crond iptables network named-chroot)
 

Latest revision as of 16:03, 20 May 2015: the page now redirects to [[BIND]].