BIND 9 chroot jail

The following steps create a chroot jail for BIND 9. They were worked out on a Solaris 8 system; the device numbers and the zoneinfo path below are Solaris-specific, but the procedure itself carries over to other UNIX platforms.

These instructions assume a working non-chrooted BIND installation with configuration file /etc/named.conf and zone files in /var/named.

1. Create the named user and group, and the chroot jail.

groupadd -g 53 named
useradd -c "BIND DNS daemon" -d /home/named -g named -u 53 -s /bin/false named

mkdir -m 750 /home/named

cd /home/named

mkdir -p dev etc lib usr/sbin var/named var/run

With -t, named performs the chroot(2) itself after the binary and its shared libraries have been loaded, so nothing has to be copied into lib or usr/sbin; they only mirror the usual layout.

The jail needs its own /dev/null. The major and minor numbers of the device differ between platforms (13,2 on Solaris, 1,3 on Linux), so read them off the host rather than assuming them. On Solaris /dev/null is a symlink into /devices, hence the -L:

ls -lL /dev/null
mknod dev/null c 13 2
chmod 666 dev/null

Use whatever numbers ls printed. If the host also has /dev/random, create it inside the jail the same way: BIND 9 opens its entropy source after chrooting and logs at startup if it cannot open it.

Only the directories named writes to should belong to the named user: var/named (slave zone transfers, dynamic updates and their journal files) and var/run (the pid file). The jail root, etc, and the configuration file stay owned by root so that a compromised named cannot rewrite its own configuration; mode 750 with group named is enough for named to traverse the jail.

chgrp named /home/named
chown named:named /home/named/var/named
chown named:named /home/named/var/run

2. Move the BIND configuration file, root hints file, and localhost reverse zone file into the chroot jail. With -t, named resolves every path it uses (the configuration file, the "directory" option, zone files, the pid file) inside the jail, so a named.conf containing directory "/var/named"; keeps working unchanged.

mv /etc/named.conf /home/named/etc
mv /var/named/named.ca /home/named/var/named
mv /var/named/named.local /home/named/var/named

rmdir /var/named

chown root:named /home/named/etc/named.conf
chmod 640 /home/named/etc/named.conf

rndc is not chrooted: /etc/rndc.conf and the key file it names stay in the host's /etc. If named.conf pulls the same key in with an include statement, the included file must also be placed under the jail's etc, because named reads its configuration after chrooting.

3. Copy the timezone information into the chroot jail. The timestamp on a syslog message is generated in the calling process with localtime(3C), which looks the zone up under /usr/share/lib/zoneinfo; inside the jail that file does not exist, so named's syslog messages would carry GMT timestamps. The zone to copy is the TZ value in /etc/TIMEZONE; in this example it is WET. If TZ names a zone in a subdirectory (US/Eastern, for instance), copy the file together with its subdirectory.

grep TZ /etc/TIMEZONE

mkdir -p /home/named/usr/share/lib/zoneinfo
cp -p /usr/share/lib/zoneinfo/WET /home/named/usr/share/lib/zoneinfo

4. Modify the BIND startup/shutdown script (/etc/init.d/named) so that named chroots to /home/named (-t) and runs as the named user (-u). The script still has to start named as root: named binds port 53 and performs the chroot itself, then drops to the named user, so no chroot(1M) wrapper is needed. -u takes the user name; the numeric uid 53 is also accepted. rndc only talks to named over the control channel and keeps running unchrooted with the host's /etc/rndc.conf.

#!/bin/sh
#
# /etc/init.d/named: start and stop BIND 9 in its chroot jail.

JAIL=/home/named
NAMED=/usr/local/sbin/named
RNDC=/usr/local/sbin/rndc

case "$1" in
'start')
   $NAMED -u named -t $JAIL
   ;;
'stop')
   $RNDC stop
   ;;
*)
   echo "usage: $0 {start|stop}"
   exit 1
   ;;
esac
exit 0


5. Start BIND and confirm that it is running as named inside the jail.

/etc/init.d/named start

ps -o user,pid,args -u named
tail /var/adm/messages
dig @127.0.0.1 -x 127.0.0.1

ps should show named running as user named, the startup messages in syslog should carry local-time timestamps and end with "running", the reverse lookup should be answered from the named.local zone moved in step 2, and the pid file should have appeared at /home/named/var/run/named.pid rather than under the host's /var/run.
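The following script is an added example, not part of the original page: it checks a finished jail against the points in steps 1 to 3 before named is started (the device node matches the host's /dev/null, the named user owns only var/named and var/run, the "directory" option in named.conf resolves inside the jail, and the zone file for TZ is present). The jail path, user and zone name are arguments; the Solaris zoneinfo path is an assumption hardcoded in ZONEINFO. It is written for the old Bourne shell (/bin/sh on Solaris 8), so it uses backticks and avoids local variables.

```shell
#!/bin/sh
# check_jail.sh: sanity-check a BIND 9 chroot jail before starting named.
# Added example, not code from the original page. Bourne-shell only
# (Solaris 8 /bin/sh): backticks, no $(...), no "local".
#
#   sh check_jail.sh JAIL USER ZONE     e.g.  sh check_jail.sh /home/named named WET

# Zoneinfo location on Solaris (assumption; adjust for other platforms).
ZONEINFO=usr/share/lib/zoneinfo

# owner_of PATH: owner as shown by "ls -ld" (Solaris 8 has no stat(1)).
owner_of() {
    ls -ld "$1" | awk '{ print $3 }'
}

# devnum_of PATH: "MAJOR, MINOR" of a character device as ls -lL prints it,
# empty for anything that is not a character device.
devnum_of() {
    ls -lL "$1" | awk '$1 ~ /^c/ { print $5, $6 }'
}

# check_dev_null JAIL: JAIL/dev/null must be a character device with the
# same major/minor as the host's /dev/null. The numbers are platform
# specific (13,2 on Solaris, 1,3 on Linux), so compare instead of assuming.
check_dev_null() {
    if [ ! -c "$1/dev/null" ]; then
        echo "dev: $1/dev/null is not a character device" >&2
        return 1
    fi
    host=`devnum_of /dev/null`
    jail=`devnum_of "$1/dev/null"`
    if [ "$host" != "$jail" ]; then
        echo "dev: $1/dev/null is ($jail) but host /dev/null is ($host)" >&2
        return 1
    fi
    return 0
}

# check_ownership JAIL USER: USER must own var/named and var/run (zone
# transfers and the pid file are written there) and must NOT own the jail
# root, etc, or named.conf, or a compromised named could rewrite its own
# configuration.
check_ownership() {
    rc=0
    for d in var/named var/run; do
        o=`owner_of "$1/$d"`
        if [ "$o" != "$2" ]; then
            echo "owner: $1/$d is owned by $o, should be $2" >&2; rc=1
        fi
    done
    for d in . etc etc/named.conf; do
        o=`owner_of "$1/$d"`
        if [ "$o" = "$2" ]; then
            echo "owner: $1/$d must not be owned by $2" >&2; rc=1
        fi
    done
    return $rc
}

# check_conf JAIL: named -t resolves every path in named.conf inside the
# jail, so the "directory" option must exist as JAIL + directory.
check_conf() {
    if [ ! -r "$1/etc/named.conf" ]; then
        echo "conf: $1/etc/named.conf is missing or unreadable" >&2
        return 1
    fi
    dir=`awk '$1 == "directory" { print $2; exit }' "$1/etc/named.conf" | sed 's/[";]//g'`
    if [ -z "$dir" ] || [ ! -d "$1$dir" ]; then
        echo "conf: directory \"$dir\" does not exist inside the jail ($1$dir)" >&2
        return 1
    fi
    return 0
}

# check_tz JAIL ZONE: the zone file named by TZ in /etc/TIMEZONE must be
# inside the jail or syslog messages from named are stamped in GMT.
check_tz() {
    if [ ! -r "$1/$ZONEINFO/$2" ]; then
        echo "tz: $1/$ZONEINFO/$2 missing; cp -p /$ZONEINFO/$2 $1/$ZONEINFO" >&2
        return 1
    fi
    return 0
}

# check_jail JAIL USER ZONE: run all checks; the return value is the
# number of failed checks, so 0 means the jail is ready for step 5.
check_jail() {
    fails=0
    check_conf "$1"           || fails=`expr $fails + 1`
    check_dev_null "$1"       || fails=`expr $fails + 1`
    check_ownership "$1" "$2" || fails=`expr $fails + 1`
    check_tz "$1" "$3"        || fails=`expr $fails + 1`
    return $fails
}

case $# in
    0) ;;                                    # run bare: only define the functions
    3) check_jail "$1" "$2" "$3"; exit $? ;;
    *) echo "usage: $0 JAIL USER ZONE" >&2; exit 1 ;;
esac
```

Run it as root after step 4 and before step 5, for example sh check_jail.sh /home/named named WET; each failed check prints one line on stderr and the exit status is the number of failures. The ownership check encodes the rule from step 1: named owns the directories it writes to and nothing else.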

Last modified: 11/24/2003