BIND 8 chroot jail

Note: I recommend upgrading to the latest BIND 9 release to take advantage of BIND 9's security features and security-focused code rewrite.

Thanks to Sean Boran for his "Installing BIND v8 chroot'ed on Solaris 7." Much of the information on this page was obtained from his installation guide.

In this BIND chroot jail example on a Solaris 7 server, the named daemon is executed as the named user (UID 53, GID 53). The chroot jail is the /home/dns directory. This document assumes BIND is already installed with binaries in /usr/local, configuration files in /usr/local/etc, and DNS data in /var/dns.


Upgrading your BIND chroot jail

If you already have a BIND chroot jail configured, and want to upgrade to a new version of BIND, perform the following commands after running make install. These steps assume you installed BIND to the standard /usr/local directory tree.

for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
do
cp $i /home/dns/usr/lib
done

cd /home/dns/usr/local/sbin
(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -

cd /home/dns/usr/local/bin
(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -

Restart BIND to enable the new version.

Creating an initial BIND chroot jail

To create a BIND chroot jail from scratch, perform the following steps:

1. Create named user and chroot jail.

groupadd -g 53 named
useradd -c "BIND DNS daemon" -d /home/named -g named -u 53 -s /bin/false named

mkdir -m 750 /home/named
cd /home/named
mkdir -p dev opt usr var etc var/run var/log var/dns usr/local usr/lib usr/share/lib/zoneinfo
cp /etc/syslog.conf /etc/netconfig /etc/nsswitch.conf /etc/resolv.conf /etc/TIMEZONE etc


2. Copy libraries into chroot jail.

for i in `ldd /usr/local/sbin/named /usr/local/sbin/named-xfer | awk '{print $3}'`
/usr/local/sbin/named-xfer | awk '{print $3}'`
do
cp $i /home/named/usr/lib
done

cp /usr/lib/ld.so.1 /home/named/usr/lib


3. Create device files in the chrooted environment.

cd /home/named/dev
mknod tcp c 11 42
mknod udp c 11 41
mknod log c 21 5
mknod null c 13 2
mknod zero c 13 12
chgrp sys null zero
mknod conslog c 21 0
mknod syscon c 0 0
chmod 620 syscon
chgrp tty syscon
chgrp sys conslog


4. Copy the timezone information into the chroot jail. Otherwise, BIND will use a GMT timestamp when sending messages to syslog. In this example, the TIMEZONE is US/Central.

cd /home/named
mkdir -p usr/share/lib/zoneinfo/US

cp -p /usr/share/lib/zoneinfo/US/Central usr/share/lib/zoneinfo/US


5. Copy BIND to chroot jail and set appropriate permissions.

cd /home/named
mkdir -p usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc
chmod 755 usr/local/bin usr/local/lib usr/local/sbin usr/local/bind usr/local/etc

cd /home/named/usr/local/sbin

(cd /usr/local/sbin; tar cf - dnskeygen named* irpd ndc) | tar xvf -

cd /home/named/usr/local/bin

(cd /usr/local/bin; tar cf - dnsquery dig host nslookup nsupdate) | tar xvf -

cd /home/named/usr/local
cp /usr/local/etc/named.conf etc
(cd /usr/local; tar cf - bind) | tar xvf -
chown -R root:named *
chmod 775 etc

cd /home/named/var/
(cd /var/dns; tar cf - *) | tar xvf -

cd /home/named
chown -R root:named opt var
chmod -R g-w var
chmod -R o-rx .
chmod g+w var/run var/log
touch var/log/all.log var/run/named.pid
chown named:named var/log/all.log var/run/named.pid
find . -type f | xargs chmod ug-s


6. Start BIND.

/usr/local/sbin/named -u 53 -g 53 -t /home/named

Make sure to modify your BIND startup/shutdown script to execute BIND as a non-privileged user within the chroot jail. Compare your copy to the following /etc/init.d/named script.

#!/bin/sh

case $1 in
'start' )
   /usr/local/sbin/named -u 53 -g 53 -t /home/named
   ;;
'stop' )
   kill `ps -ef | grep named | grep -v grep | awk '{print $2}'` > /dev/null 2>&1
   ;;
*)
   echo "usage: $0 {start|stop}"
esac

Back to brandonhutchinson.com.

Last modified: 05/14/2003