BIND DNS server
BIND version
Tested with BIND 9.3.1.
Introduction
BIND is the most commonly-used DNS server.
Unfortunately, security vulnerabilities have often been found in BIND. Therefore, we explain here how to set up the BIND DNS server to run in a 'chroot jail'. This means that we make a directory, /chroot/named, and BIND thinks that's the root directory of the filesystem. This makes it more difficult for a security exploit in BIND to cause any harm to the rest of the system. BIND 9 has a command-line option for running in a chroot jail, so this is pretty easy to set up. It relies on running BIND as a normal user, rather than as the root user (a chrooted program can get out of its jail if it's running as root, but not if it's running as a normal user).
This is based on the Chroot-BIND HOWTO. We could also have used the Debian package makejail to do some of this work for us.
The instructions below spell out exactly what I did while following the instructions in the HOWTO, modifying a few things to make the result more consistent with Debian conventions.
Installation
Uninstall the Debian BIND packages. (We won't be using lwresd at all.)
sudo apt-get remove bind9 bind9-host
sudo apt-get remove --purge lwresd
sudo update-rc.d -f bind9 remove
sudo update-rc.d -f lwresd remove
Create a named user and group. Since we use shadow passwords, do this with adduser, which will handle the shadows.
sudo adduser --system --home /chroot/named --group named
Make a directory structure for the chroot, consistent with Debian's standard BIND install.
sudo sh -c 'mkdir -p /chroot/named; cd /chroot/named; mkdir -p dev var/run var/cache/bind etc/bind'
sudo chown -R named:named /chroot/named/var/cache/bind
sudo chown -R named:named /chroot/named/var/run
sudo chown named:named /chroot/named
sudo chmod 700 /chroot/named
Add system support files:
sudo mknod /chroot/named/dev/null c 1 3
sudo mknod /chroot/named/dev/random c 1 8
sudo chmod 666 /chroot/named/dev/{null,random}
sudo cp /etc/localtime /chroot/named/etc
Install /etc/init.d/bind9 (make it world-executable), then make symlinks for it:
sudo update-rc.d bind9 defaults 15 85
If you already had zone files and a named.conf in /etc/bind, move them to the chroot:
sudo cp /etc/bind/* /chroot/named/etc/bind
If you didn't already have zone files and named.conf, install the ones attached to this topic into /chroot/named/etc/bind (the zone files have names beginning with db.).
In /chroot/named/etc/bind/named.conf, make sure you have the following in the options section:
pid-file "/var/run/named.pid";
statistics-file "/var/run/named.stats";
Change these fake DNS server IP addresses to the ones provided by your ISP:
forwarders {
10.15.15.150;
10.15.15.151;
};
Change the network address in the allow-query directive to your local network's address. Note that this only allows your DNS server to be used for queries originating from your local network. If you want your nameserver to handle queries from outside your network, use the 'Two Nameservers in One' approach in Chapter 11 ('Security') of DNS and BIND.
Install the /etc/init.d/sysklogd from StandardConfigFiles. (The init file for sysklogd needs to put a Unix socket in the chroot, so BIND can log to it.) Then restart syslogd:
sudo /etc/init.d/sysklogd restart
Download the latest BIND source code.
Install /usr/local/configure-wrappers/configure-bind (make it world-executable).
tar zxf bind-9.x.y.tar.gz
cd bind-9.x.y
/usr/local/configure-wrappers/configure-bind
make
sudo make install
In /etc/profile, add /usr/local/bind/bin to LOCAL_PATH, and add /usr/local/bind/man to LOCAL_MAN.
Make /etc/bind a symlink to the new config files. The symlink is necessary because, when we compiled BIND, we told it that its config files would be in /etc/bind. When the daemon is running in its chroot, that translates to /chroot/named/etc/bind. But command-line programs, such as rndc, will still look in the real /etc/bind.
sudo rm -rf /etc/bind
sudo ln -s /chroot/named/etc/bind /etc/bind
Replace the contents of /etc/resolv.conf according to the instructions in StandardConfigFiles. Then start BIND:
sudo /etc/init.d/bind9 start
Testing
Log out and in again (so your changes to /etc/profile will take effect), and verify that BIND is working, by using the dig command to look up a hostname, e.g.:
dig socialtools.net
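A successful dig only shows that the server answers; it does not show that the jail is laid out correctly or that named is actually confined. The shell functions below are an added example (mine, not from the HOWTO or this page) that check the jail built above. They assume the jail is /chroot/named, the placeholder forwarders and file paths are the ones shown in this topic, and a Linux /proc for the process check (which needs root to read /proc/PID/root).

```shell
# Added example, not part of the original page: sanity checks for a BIND
# chroot laid out as described above. Assumes the jail is /chroot/named.

# The subdirectories the jail must contain (mirrors the mkdir step above).
check_chroot_dirs() {
    root=$1; rc=0
    for d in dev var/run var/cache/bind etc/bind; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; rc=1; }
    done
    return $rc
}

# /dev/null and /dev/random in the jail must be character devices created
# with mknod (see above), not regular files left behind by a stray touch.
check_chroot_devs() {
    root=$1; rc=0
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || { echo "not a char device: $root/dev/$dev"; rc=1; }
    done
    return $rc
}

# named.conf must keep pid-file and statistics-file inside the jail, restrict
# queries with allow-query, and no longer carry the placeholder forwarders.
check_named_conf() {
    conf=$1; rc=0
    grep -q 'pid-file "/var/run/named.pid"' "$conf" \
        || { echo "pid-file is not /var/run/named.pid"; rc=1; }
    grep -q 'statistics-file "/var/run/named.stats"' "$conf" \
        || { echo "statistics-file is not /var/run/named.stats"; rc=1; }
    grep -q 'allow-query' "$conf" || { echo "no allow-query in $conf"; rc=1; }
    if grep -Eq '10\.15\.15\.15[01]' "$conf"; then
        echo "forwarders still contain the sample's placeholder addresses"; rc=1
    fi
    return $rc
}

# A running named must not be root, and on Linux /proc/PID/root must point
# at the jail (reading that link needs root privileges).
check_named_process() {
    root=$1; rc=0
    for pid in $(pgrep -x named); do
        [ "$(ps -o user= -p "$pid" | tr -d ' ')" != root ] \
            || { echo "named pid $pid runs as root"; rc=1; }
        [ "$(readlink "/proc/$pid/root")" = "$root" ] \
            || { echo "named pid $pid is not chrooted to $root"; rc=1; }
    done
    return $rc
}
```

Source the file and run, for example, `check_chroot_dirs /chroot/named && check_chroot_devs /chroot/named && check_named_conf /chroot/named/etc/bind/named.conf && check_named_process /chroot/named` as root after starting BIND; each function prints what is wrong and returns non-zero.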
Upgrading
tar zxf bind-9.x.y.tar.gz
cd bind-9.x.y
/usr/local/configure-wrappers/configure-bind
make
sudo /etc/init.d/bind9 stop
sudo make install
sudo /etc/init.d/bind9 start