BIND (chroot)
Introduction
It's not a good idea to run BIND as root with access to the whole filesystem, so this document briefly explains how to set up a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). This document assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).
Installation
You can install BIND from the extra repository using pacman.
pacman -S bind
Init Script
The BIND package already comes with an init script, but it does not run BIND in a jailed environment; however, the following script does.
Create the file /etc/rc.d/named-chroot and paste the following script into it.
#!/bin/bash
NAMED_ARGS=
[ -f /etc/conf.d/named ] && . /etc/conf.d/named
. /etc/rc.conf
. /etc/rc.d/functions

# refuse to run with an empty CHROOT: the mkdir/chown/chmod/rm below would otherwise act on /
if [ -z "${CHROOT}" ]; then
  echo "CHROOT is not set in /etc/conf.d/named"
  exit 1
fi

PID=`pidof -o %PPID /usr/sbin/named`
case "$1" in
  start)
    stat_busy "Starting BIND (chroot)"
    # create chroot directories
    mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines
    # copy necessary files
    cp /etc/named.conf ${CHROOT}/etc/
    cp /etc/localtime ${CHROOT}/etc/
    cp -a /var/named/* ${CHROOT}/var/named/
    cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/
    # create character devices (null: major 1 minor 3, random: major 1 minor 8)
    mknod ${CHROOT}/dev/null c 1 3
    mknod ${CHROOT}/dev/random c 1 8
    # set permissions: only root and group named may enter the jail,
    # named may write only to the slave zone, run and log directories
    chown root:named ${CHROOT}
    chmod 750 ${CHROOT}
    chown -R named:named ${CHROOT}/var/named/slave
    chown named:named ${CHROOT}/var/{run,log}
    chmod 666 ${CHROOT}/dev/{null,random}
    [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
    if [ $? -gt 0 ]; then
      stat_fail
    else
      add_daemon named-chroot
      stat_done
    fi
    ;;
  stop)
    stat_busy "Stopping BIND (chroot)"
    [ ! -z "$PID" ] && kill $PID &> /dev/null
    if [ $? -gt 0 ]; then
      stat_fail
    else
      rm_daemon named-chroot
      rm -rf ${CHROOT}
      stat_done
    fi
    ;;
  restart)
    $0 stop
    sleep 1
    $0 start
    ;;
  reload)
    stat_busy "Reloading BIND"
    # try rndc first and fall back to SIGHUP, but only signal when a PID was actually found
    if [ ! -z "$PID" ]; then
      rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
    fi
    if [ $? -gt 0 ]; then
      stat_fail
    else
      stat_done
    fi
    ;;
  *)
    echo "usage: $0 {start|stop|reload|restart}"
esac
exit 0
Don't forget to make this script executable.
# chmod a+x /etc/rc.d/named-chroot
Configuration
You will now need to add a new configuration variable to /etc/conf.d/named. So open it up in a text editor and add the following:
CHROOT="/srv/named"
If you are using a clean install of BIND, your /etc/conf.d/named file should look like this:
#
# Parameters to be passed to BIND
#
NAMED_ARGS="-u named"
CHROOT="/srv/named"
Setup BIND
At this point you can configure BIND the way you are used to because all the necessary files will be copied to the jail accordingly.
Note that, for security reasons, the /var/named directory inside the chroot is read-only for named and only the /var/named/slave subdirectory is writable. Slave zone files are therefore stored in /srv/named/var/named/slave on the host, so the file paths in your slave zone definitions must point into that slave subdirectory; otherwise zone transfers will fail.
Running At Startup
In order to run the chrooted version of BIND at startup, edit the DAEMONS array in /etc/rc.conf and add named-chroot to it. Make sure it starts immediately after network.
Here is an example:
DAEMONS=(rsyslogd crond iptables network named-chroot)
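Once named-chroot is running, it is worth verifying that the jail the init script built actually looks the way the script intends and that named is really confined to it. The following checker is an added example, not part of this page or of the BIND package; it assumes the layout created by the script above (etc/named.conf, character devices under dev/, writable var/run, var/log and var/named/slave, jail root mode 750) and a Linux /proc for the confinement test.

```shell
#!/bin/bash
# Post-start sanity check for a BIND chroot built by /etc/rc.d/named-chroot.
# Added example, not part of the wiki page or the BIND package.
# Usage: check_named_chroot /srv/named   (return value = number of problems found)
#        named_confined "$(pidof named)" /srv/named

# Print every problem found in the jail layout under $1; return the problem count.
check_named_chroot() {
    local jail="$1" problems=0 f d mode
    [ -n "$jail" ] && [ -d "$jail" ] || { echo "jail directory '$jail' missing"; return 1; }

    # Files the init script copies in; named cannot start without them.
    for f in etc/named.conf etc/localtime; do
        [ -f "$jail/$f" ] || { echo "missing $jail/$f"; problems=$((problems + 1)); }
    done

    # /dev/null and /dev/random must be character devices (mknod ... c 1 3 / c 1 8),
    # not ordinary files left behind by a stray touch or copy.
    for d in null random; do
        [ -c "$jail/dev/$d" ] || { echo "$jail/dev/$d is not a character device"; problems=$((problems + 1)); }
    done

    # Directories named writes to at runtime: pid file, logs, slave zone transfers.
    for d in var/run var/log var/named/slave; do
        [ -d "$jail/$d" ] || { echo "missing directory $jail/$d"; problems=$((problems + 1)); }
    done

    # The jail root should be mode 750 so that only root and group named can enter it.
    mode=$(stat -c %a "$jail")
    [ "$mode" = 750 ] || { echo "$jail has mode $mode, expected 750"; problems=$((problems + 1)); }

    return $problems
}

# Succeed only if process $1 has its root set to $2, i.e. named was started with -t.
# The kernel resolves /proc/PID/root to the process's chroot directory.
named_confined() {
    local pid="$1" jail="${2%/}" root
    root=$(readlink "/proc/$pid/root") || return 1
    [ "${root%/}" = "$jail" ]
}
```

Ownership (root:named on the jail, named:named on the writable directories) is deliberately not checked here, since verifying it reliably needs root; compare the output of `ls -ld` against the chown lines in the init script instead.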