Chroot a DNS server
Tue 13 January 2015
Install bind9 and its docs and utilities:
aptitude install bind9 bind9-doc dnsutils
It will probably autostart after install, so stop it before proceeding:
/etc/init.d/bind9 stop
Create the chroot. This requires a minimal file tree:
mkdir -p /var/named/{etc,dev,var/cache/bind,var/run/bind/run}
chown -R bind:bind /var/named/var/*
And some devices:
mknod /var/named/dev/null c 1 3
mknod /var/named/dev/random c 1 8
chmod 666 /var/named/dev/{null,random}
Move your default configuration files:
mv /etc/bind /var/named/etc
ln -s /var/named/etc/bind /etc/bind
Tell rsyslog to listen for log events in the chroot:
vi /etc/rsyslog.d/bind-chroot.conf
and add the line:
$AddUnixListenSocket /var/named/dev/log
Tell bind9 init to use the chroot:
vi /etc/default/bind9
and add:
OPTIONS="-u bind -t /var/named"
Restart syslogd and make sure it creates /dev/log in the chroot:
/etc/init.d/rsyslog restart
Restarting system log daemon: syslogd.
ls -al /var/named/dev/log
srw-rw-rw- 1 root root 0 2008-10-09 14:48 /var/named/dev/log
Start bind9 and make sure it works:
/etc/init.d/bind9 start
Starting domain name service...: bind.
ps ax | grep [n]amed
5397 ? Ssl 0:00 /usr/sbin/named -u bind -t /var/named
host localhost 127.0.0.1
localhost A 127.0.0.1