Difference between revisions of "BIND (chroot)"

From ArchWiki
Jump to: navigation, search
m
(no content remaining)
 
(8 intermediate revisions by 5 users not shown)
Line 1: Line 1:
[[Category:Domain Name System]]
+
#REDIRECT: [[BIND]]
It's not a good idea to run [[BIND]] as root, so this document will briefly explain how to setup a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). This document assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).
+
 
+
== Installation ==
+
See [[BIND#Install BIND]] for instructions on installing BIND.
+
 
+
== Init script ==
+
The {{Pkg|bind}} package already comes with an init script, but it does not run BIND in a jailed environment; however, the following script does.
+
 
+
Create the following file:
+
{{hc|/etc/rc.d/named-chroot|<nowiki>
+
#!/bin/bash
+
+
NAMED_ARGS=
+
[ -f /etc/conf.d/named ] && . /etc/conf.d/named
+
+
. /etc/rc.conf
+
. /etc/rc.d/functions
+
+
PID=`pidof -o %PPID /usr/sbin/named`
+
case "$1" in
+
  start)
+
    stat_busy "Starting BIND (chroot)"
+
+
    # create chroot directories
+
    mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines
+
+
    # copy necessary files
+
    cp /etc/named.conf ${CHROOT}/etc/
+
    cp /etc/localtime ${CHROOT}/etc/
+
    cp -a /var/named/* ${CHROOT}/var/named/
+
    cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
+
+
    # create block devices
+
    mknod ${CHROOT}/dev/null c 1 3
+
    mknod ${CHROOT}/dev/random c 1 8
+
+
    # set permissions
+
    chown root:named ${CHROOT}
+
    chmod 750 ${CHROOT}
+
    chown -R named:named ${CHROOT}/var/named/slave
+
    chown named:named ${CHROOT}/var/{run,log}
+
    chmod 666 ${CHROOT}/dev/{null,random}
+
+
    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
+
    if [ $? -gt 0 ]; then
+
      stat_fail
+
    else
+
      add_daemon named-chroot
+
      stat_done
+
    fi
+
    ;;
+
  stop)
+
    stat_busy "Stopping BIND (chroot)"
+
    [ ! -z "$PID" ] && kill $PID &> /dev/null
+
    if [ $? -gt 0 ]; then
+
      stat_fail
+
    else
+
      rm_daemon named-chroot
+
      rm -rf ${CHROOT}
+
      stat_done
+
    fi
+
    ;;
+
  restart)
+
    $0 stop
+
    sleep 1
+
    $0 start
+
    ;;
+
  reload)
+
    stat_busy "Reloading BIND"
+
    [ ! -z "$PID" ] && rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
+
    if [ $? -gt 0 ]; then
+
      stat_fail
+
    else
+
      stat_done
+
    fi
+
    ;;
+
  *)
+
    echo "usage: $0 {start|stop|reload|restart}"
+
esac
+
exit 0
+
</nowiki>}}
+
 
+
Do not forget to make this script executable.
+
# chmod a+x /etc/rc.d/named-chroot
+
 
+
== Configuration ==
+
You will now need to add a new configuration variable to '''/etc/conf.d/named'''. So open it up in a text editor and add the following:
+
CHROOT="/srv/named"
+
 
+
If you are using a clean install of bind your '''/etc/conf.d/named''' file should look like this:
+
#
+
# Parameters to be passed to BIND
+
#
+
NAMED_ARGS="-u named"
+
CHROOT="/srv/named"
+
 
+
==Setup BIND ==
+
At this point you can configure [[BIND]] the way you are used to because all the necessary files will be copied to the jail accordingly.
+
 
+
*One thing to note is, for security reasons, the '''/var/named''' directory in the '''chroot''' is read only and the '''/var/named/slave''' subdirectory is writable. So in reality, slave zone files are saved in '''/srv/named/var/named/slave''' so your slave zone's configuration should reflect this otherwise zone transfers will fail.
+
 
+
== Running At Startup ==
+
In order to run the chrooted version of [[BIND]] on start-up, edit the DAEMONS array of '''/etc/rc.conf''' and add ''name-chroot'' to it. Make sure it starts immediately after ''network''
+
 
+
Here is an example:
+
DAEMONS=(rsyslogd crond iptables network named-chroot)
+

Latest revision as of 16:03, 20 May 2015

Redirect to: