Difference between revisions of "BIND (chroot)"
m (Fix style. See Help:Style.) |
m |
||
| Line 3: | Line 3: | ||
== Installation == | == Installation == | ||
| − | See [[BIND# | + | See [[BIND#Install BIND]] for instructions on installing BIND. |
== Init script == | == Init script == | ||
Revision as of 10:56, 8 October 2012
It's not a good idea to run BIND as root, so this document will briefly explain how to setup a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). This document assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).
Installation
See BIND#Install BIND for instructions on installing BIND.
Init script
The bind package already comes with an init script, but it does not run BIND in a jailed environment; however, the following script does.
Create the following file:
/etc/rc.d/named-chroot
#!/bin/bash
NAMED_ARGS=
[ -f /etc/conf.d/named ] && . /etc/conf.d/named
. /etc/rc.conf
. /etc/rc.d/functions
PID=`pidof -o %PPID /usr/sbin/named`
case "$1" in
start)
stat_busy "Starting BIND (chroot)"
# create chroot directories
mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines
# copy necessary files
cp /etc/named.conf ${CHROOT}/etc/
cp /etc/localtime ${CHROOT}/etc/
cp -a /var/named/* ${CHROOT}/var/named/
cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
# create block devices
mknod ${CHROOT}/dev/null c 1 3
mknod ${CHROOT}/dev/random c 1 8
# set permissions
chown root:named ${CHROOT}
chmod 750 ${CHROOT}
chown -R named:named ${CHROOT}/var/named/slave
chown named:named ${CHROOT}/var/{run,log}
chmod 666 ${CHROOT}/dev/{null,random}
[ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
if [ $? -gt 0 ]; then
stat_fail
else
add_daemon named-chroot
stat_done
fi
;;
stop)
stat_busy "Stopping BIND (chroot)"
[ ! -z "$PID" ] && kill $PID &> /dev/null
if [ $? -gt 0 ]; then
stat_fail
else
rm_daemon named-chroot
rm -rf ${CHROOT}
stat_done
fi
;;
restart)
$0 stop
sleep 1
$0 start
;;
reload)
stat_busy "Reloading BIND"
[ ! -z "$PID" ] && rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
if [ $? -gt 0 ]; then
stat_fail
else
stat_done
fi
;;
*)
echo "usage: $0 {start|stop|reload|restart}"
esac
exit 0
Do not forget to make this script executable.
# chmod a+x /etc/rc.d/named-chroot
Configuration
You will now need to add a new configuration variable to /etc/conf.d/named. So open it up in a text editor and add the following:
CHROOT="/srv/named"
If you are using a clean install of bind your /etc/conf.d/named file should look like this:
# # Parameters to be passed to BIND # NAMED_ARGS="-u named" CHROOT="/srv/named"
Setup BIND
At this point you can configure BIND the way you are used to because all the necessary files will be copied to the jail accordingly.
- One thing to note is, for security reasons, the /var/named directory in the chroot is read only and the /var/named/slave subdirectory is writable. So in reality, slave zone files are saved in /srv/named/var/named/slave so your slave zone's configuration should reflect this otherwise zone transfers will fail.
Running At Startup
In order to run the chrooted version of BIND on start-up, edit the DAEMONS array of /etc/rc.conf and add name-chroot to it. Make sure it starts immediately after network
Here is an example:
DAEMONS=(rsyslogd crond iptables network named-chroot)