BIND 8.1.2 and later include an option that allows you to chroot( ) the name server: to change its view of the filesystem so that its root directory is actually a particular directory on your host's filesystem. This effectively traps your name server in this directory, along with any attackers who successfully compromise your name server's security.
mkdir -p dev etc var/named var/run
chown -R named:named var/run
cp /etc/named.conf etc
mv pz var/named
mknod dev/null c 1 3
mknod dev/random c 1 8
/etc/rc.d/syslog stop && /etc/rc.d/syslog start
That should be all there is to it. Restarting named should cause it to run in the new chroot. Welcome to an even more secure Bind configuration!