Submitter: Doug Hunley

BIND 8.1.2 and later include an option (-t) that makes the name server chroot() itself: it changes the process's view of the filesystem so that its root directory is actually a particular directory on your host's filesystem. Everything named opens after that point (configuration, zone files, devices, the log socket) is resolved inside that directory, which is why the steps below rebuild a miniature filesystem under it. This effectively traps your name server in this directory, along with any attacker who successfully compromises it. Note that chroot() on its own is not a hard boundary for a process running as root, which can usually break out of it; the protection comes from combining -t with the -u option so that named drops to an unprivileged user after it starts.

  1. Install and configure BIND 9.x
  2. Create dev, etc, lib, usr, and var subdirectories for the chroot environment. Within usr, create an sbin subdirectory. Within var, create subdirectories named named and run.
  3. Set up permissions and touch the pid file. Only var/named (zone data, journals) and var/run (the pid file) need to be writable by the user named will run as; everything else stays root-owned and read-only.
  4. Copy named.conf into the chroot (to etc/named.conf under it). Paths inside it, such as the directory and pid-file options and zone file names, are resolved after the chroot, so write them as if the chroot directory were /.
  5. Move the database files into the chroot, under var/named
  6. Create dev/null in the chroot
  7. Create dev/random in the chroot
  8. Configure syslog to receive the log entries from the chroot (with sysklogd, add -a /var/named/dev/log to the syslogd options so it opens a second log socket inside the chroot)
  9. Restart syslog to have it notice the change. When syslogd restarts next, it will create /var/named/dev/log, and named will log to it.
  10. Finally, edit your startup files to start named with the -t option (and -u, so it runs as an unprivileged user once inside the chroot)
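The ten steps as a script, added here as an example and not part of the original tip. It assumes BIND 9 on Linux, a chroot at /var/named, an unprivileged user called "named", the binary already installed at /usr/sbin/named, and sysklogd as the syslog daemon; all of those are assumptions, not things the tip states. The functions can be sourced and run one at a time; the full procedure only runs when the script is invoked as "sh chroot-named.sh install" (as root).

```shell
#!/bin/sh
# Added example (not the tip's own code). Builds a BIND 9 chroot under
# $CHROOT and checks the pieces named will need once it is jailed.
# Assumptions: Linux device numbers, user "named", sysklogd with -a.
set -eu

CHROOT="${CHROOT:-/var/named}"
NAMED_USER="${NAMED_USER:-named}"

# Step 2: the directory skeleton. Root-owned and read-only for named
# except the two directories handed over in set_permissions().
make_chroot_tree() {
    root="$1"
    for d in dev etc lib usr/sbin var/named var/run; do
        mkdir -p "$root/$d"
    done
    chmod 755 "$root" "$root/dev" "$root/etc" "$root/lib" \
              "$root/usr" "$root/usr/sbin" "$root/var"
}

# Step 3: named only needs to write its pid file and its zone directory
# (slave transfers and dynamic-update journals land there).
set_permissions() {
    root="$1"; user="$2"
    chown -R "$user" "$root/var/named" "$root/var/run"
    chmod 750 "$root/var/named" "$root/var/run"
    touch "$root/var/run/named.pid"
    chown "$user" "$root/var/run/named.pid"
}

# Step 4: paths in named.conf are resolved after chroot(), so the
# "directory" option must name a directory that exists relative to the
# jail root, not relative to the host. Returns 1 if it does not.
check_named_conf() {
    root="$1"
    conf="$root/etc/named.conf"
    [ -f "$conf" ] || return 1
    dir=$(sed -n 's/^[[:space:]]*directory[[:space:]]*"\([^"]*\)".*/\1/p' \
          "$conf" | head -n 1)
    [ -n "$dir" ] || return 1
    [ -d "$root$dir" ]
}

# Steps 6 and 7: named needs /dev/null and /dev/random inside the jail.
# Major/minor numbers are Linux's; confirm with `ls -l /dev/null /dev/random`
# on another OS. Needs root.
make_devices() {
    root="$1"
    [ -c "$root/dev/null" ]   || mknod -m 666 "$root/dev/null"   c 1 3
    [ -c "$root/dev/random" ] || mknod -m 644 "$root/dev/random" c 1 8
}

# Steps 8 and 9: after syslogd is restarted with "-a $CHROOT/dev/log"
# (sysklogd syntax) the socket should exist inside the jail. Returns 1
# if it does not; named would then start but log nothing.
check_log_socket() {
    [ -S "$1/dev/log" ]
}

# Step 10: the command line for the startup script. -t jails named,
# -u drops it to an unprivileged user once it has bound port 53.
named_start_command() {
    printf '/usr/sbin/named -u %s -t %s\n' "$NAMED_USER" "$CHROOT"
}

if [ "${1:-}" = "install" ]; then
    make_chroot_tree "$CHROOT"
    set_permissions "$CHROOT" "$NAMED_USER"
    cp /etc/named.conf "$CHROOT/etc/named.conf"           # step 4
    # Step 5 is left to you: move your zone files into $CHROOT/var/named.
    check_named_conf "$CHROOT" || {
        echo "named.conf 'directory' does not resolve inside $CHROOT" >&2
        exit 1
    }
    make_devices "$CHROOT"
    check_log_socket "$CHROOT" || \
        echo "no $CHROOT/dev/log yet: restart syslogd with -a $CHROOT/dev/log" >&2
    echo "start named with:"; named_start_command
fi
```

check_named_conf() is the step most often got wrong: a named.conf copied from the host with `directory "/var/named"` is correct only because that path also exists under the jail (as /var/named/var/named); the function catches a config that still points at a host-only path before named fails at startup.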

That should be all there is to it. Restarting named should cause it to run in the new chroot; if it does not start, the usual causes are a named.conf path that only exists on the host, or a missing dev/null or dev/random inside the chroot. Welcome to an even more secure BIND configuration!