BIND (chroot)

Introduction

It's not a good idea to run BIND as root, so this document will briefly explain how to setup a basic DNS server using BIND 9.8.0 in a jailed environment (chroot). This document assumes that you already know how to configure and use BIND (the Berkeley Internet Name Domain).

Installation

You can install BIND from the extra repository using pacman.

pacman -S bind

Init Script

The BIND package already comes with an init script, but it does not run BIND in a jailed environment; however, the following script does.

Create the file /etc/rc.d/named-chroot and paste the following script into it.

#!/bin/bash

NAMED_ARGS=
[ -f /etc/conf.d/named ] && . /etc/conf.d/named

. /etc/rc.conf
. /etc/rc.d/functions

PID=`pidof -o %PPID /usr/sbin/named`
case "$1" in
 start)
   stat_busy "Starting BIND (chroot)"

   # create chroot directories
   mkdir -p ${CHROOT}/{dev,etc} ${CHROOT}/var/named/slave ${CHROOT}/var/{run,log} ${CHROOT}/usr/lib/engines

   # copy necessary files
   cp /etc/named.conf ${CHROOT}/etc/
   cp /etc/localtime ${CHROOT}/etc/
   cp -a /var/named/* ${CHROOT}/var/named/
   cp /usr/lib/engines/libgost.so ${CHROOT}/usr/lib/engines/

   # create block devices
   mknod ${CHROOT}/dev/null c 1 3
   mknod ${CHROOT}/dev/random c 1 8

   # set permissions
   chown root:named ${CHROOT}
   chmod 750 ${CHROOT}
   chown -R named:named ${CHROOT}/var/named/slave
   chown named:named ${CHROOT}/var/{run,log}
   chmod 666 ${CHROOT}/dev/{null,random}

   [ -z "$PID" ] && /usr/sbin/named ${NAMED_ARGS} -t ${CHROOT}
   if [ $? -gt 0 ]; then
     stat_fail
   else
     add_daemon named-chroot
     stat_done
   fi
   ;;
 stop)
   stat_busy "Stopping BIND (chroot)"
   [ ! -z "$PID" ]  && kill $PID &> /dev/null
   if [ $? -gt 0 ]; then
     stat_fail
   else
     rm_daemon named-chroot
     rm -rf ${CHROOT}
     stat_done
   fi
   ;;
 restart)
   $0 stop
   sleep 1
   $0 start
   ;;
 reload)
   stat_busy "Reloading BIND"
   [ ! -z "$PID" ] && rndc reload &>/dev/null || kill -HUP $PID &>/dev/null
   if [ $? -gt 0 ]; then
     stat_fail
   else
     stat_done
   fi
   ;;
 *)
   echo "usage: $0 {start|stop|reload|restart}"
esac
exit 0

Don't forget to make this script executable.

# chmod a+x /etc/rc.d/named-chroot

Configuration

You will now need to add a new configuration variable to /etc/conf.d/named. So open it up in a text editor and add the following:

CHROOT="/srv/named"

If you are using a clean install of bind your /etc/conf.d/named file should look like this:

#
# Parameters to be passed to BIND
#
NAMED_ARGS="-u named"
CHROOT="/srv/named"

Setup BIND

At this point you can configure BIND the way you are used to because all the necessary files will be copied to the jail accordingly.

• One thing to note is, for security reasons, the /var/named directory in the chroot is read only and the /var/named/slave subdirectory is writable. So in reality, slave zone files are saved in /srv/named/var/named/slave so your slave zone's configuration should reflect this otherwise zone transfers will fail.

Running At Startup

In order to run the chrooted version of BIND on startup, edit the DAEMONS array of /etc/rc.conf and add name-chroot to it. Make sure it starts immediately after network

Here is an example:

DAEMONS=(rsyslogd crond iptables network named-chroot)