Copyright 2021 Simon Quantrill, All Rights Reserved

Chroot a DNS server

Tue 13 January 2015

Install bind9 and its docs and utilities:

aptitude install bind9 bind9-doc dnsutils

It will probably autostart after install, so stop it before proceeding:

/etc/init.d/bind9 stop

Create the chroot. This requires a minimal file tree:

mkdir -p /var/named/{etc,dev,var/cache/bind,var/run/bind/run}

chown -R bind:bind /var/named/var/*

And some devices:

mknod /var/named/dev/null c 1 3

mknod /var/named/dev/random c 1 8

chmod 666 /var/named/dev/{null,random}

Move your default configuration files:

mv /etc/bind /var/named/etc

ln -s /var/named/etc/bind /etc/bind

Tell rsyslog to listen for log events in the chroot:

vi /etc/rsyslog.d/bind-chroot.conf

and add the line:

$AddUnixListenSocket /var/named/dev/log

Tell bind9 init to use the chroot:

vi /etc/default/bind9

and add:

OPTIONS="-u bind -t /var/named"

Restart syslogd and make sure it creates /dev/log in the chroot:

/etc/init.d/rsyslog restart

Restarting system log daemon: syslogd.

ls -al /var/named/dev/log

srw-rw-rw- 1 root root 0 2008-10-09 14:48 /var/named/dev/log

Start bind9 and make sure it works:

/etc/init.d/bind9 start

Starting domain name service...: bind.

ps ax | grep [n]amed

5397 ? Ssl 0:00 /usr/sbin/named -u bind -t /var/named

host localhost

localhost A
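A sanity-check script for the finished chroot, added here as an example and not part of the original post: it verifies the file tree, the device nodes, the rsyslog socket, the /etc/bind symlink and the named command line from the steps above. It assumes the /var/named root and the bind user used above, and GNU stat for the major/minor check.

```shell
#!/bin/sh
# Post-install checks for a bind9 chroot (added example, not from the original post).
# Assumes the chroot root is /var/named and named runs as user "bind".

CHROOT="${CHROOT:-/var/named}"

# check_tree ROOT: report each missing directory of the minimal tree; return 1 if any is missing.
check_tree() {
    root="$1"; rc=0
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "missing dir: $root/$d"; rc=1; }
    done
    return $rc
}

# check_devnode PATH MAJOR MINOR: PATH must be a character device with these numbers.
check_devnode() {
    [ -c "$1" ] || return 1
    # GNU stat prints major (%t) and minor (%T) in hex, so compare against hex.
    [ "$(stat -c '%t:%T' "$1")" = "$(printf '%x:%x' "$2" "$3")" ]
}

# check_syslog_socket ROOT: rsyslog must have created the unix socket inside the chroot.
check_syslog_socket() { [ -S "$1/dev/log" ]; }

# check_etc_symlink ROOT: /etc/bind must point at the configuration moved into the chroot.
check_etc_symlink() { [ -L /etc/bind ] && [ "$(readlink /etc/bind)" = "$1/etc/bind" ]; }

# check_named_cmdline LINE ROOT: a ps line for named must show both -u bind and -t ROOT.
check_named_cmdline() {
    case "$1" in *"-u bind"*) ;; *) return 1 ;; esac
    case "$1" in *"-t $2"*) return 0 ;; *) return 1 ;; esac
}

# Run every check against the live system when invoked as: sh chroot-check.sh check
if [ "${1:-}" = "check" ]; then
    rc=0
    check_tree "$CHROOT" || rc=1
    check_devnode "$CHROOT/dev/null" 1 3 || { echo "bad $CHROOT/dev/null"; rc=1; }
    check_devnode "$CHROOT/dev/random" 1 8 || { echo "bad $CHROOT/dev/random"; rc=1; }
    check_syslog_socket "$CHROOT" || { echo "no $CHROOT/dev/log socket (restart rsyslog)"; rc=1; }
    check_etc_symlink "$CHROOT" || { echo "/etc/bind is not a symlink into $CHROOT"; rc=1; }
    named_line=$(ps ax | grep '[n]amed' | head -n 1)
    check_named_cmdline "$named_line" "$CHROOT" || { echo "named not running with -u bind -t $CHROOT"; rc=1; }
    [ $rc -eq 0 ] && echo "chroot checks passed"
    exit $rc
fi
```

Run it as root after starting bind9; any failing check names the step above that needs revisiting.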
