Debian bind9 chroot

Note: A lot has changed since this article was written in 2002 so the information may no longer be current.

Setting up a bind9 chroot on Debian

All self-respecting sysadmins should run their bind servers within a chroot jail. Setting bind up within a chroot jail gives you bonus kudos points while at the same time providing your server with some real additional security: combined with dropping root privileges (the -u option below), it limits what a compromised named process can read or write to the contents of the jail. This howto uses the nobody user; if your bind9 package ships a dedicated unprivileged user (Debian's creates one called bind), prefer it, since nobody is shared with other daemons, and substitute it in the -u option and the chown commands below.

This howto was written for Debian testing and unstable and was valid at the time of writing.

apt-get install bind9
vi /etc/default/bind9

Change OPTIONS= in the above file to include the following (-u makes named drop to that user after it has bound port 53, and -t makes it chroot to the given directory before reading its configuration, so every path in named.conf is then relative to the jail):
OPTIONS="-u nobody -t /srv/chroot/bind"

Now let's prepare the chroot (the brace expansion in the mkdir line needs bash):
mkdir -p /srv/chroot/bind/{etc,dev,var/cache/bind,var/log,var/run/bind/run}
mv /etc/bind /srv/chroot/bind/etc/
ln -s /srv/chroot/bind/etc/bind /etc/bind
mknod /srv/chroot/bind/dev/null c 1 3
mknod /srv/chroot/bind/dev/random c 1 8
chmod 666 /srv/chroot/bind/dev/null /srv/chroot/bind/dev/random
chown -R nobody:nogroup /srv/chroot/bind/var/*
chown -R nobody:nogroup /srv/chroot/bind/etc/bind/

Next we must configure syslog so named can still log from inside the chroot: named opens /dev/log relative to its new root, so syslogd has to listen on an extra socket inside the jail.
vi /etc/init.d/sysklogd

Change SYSLOGD= in the above file to include the following:
SYSLOGD="-a /srv/chroot/bind/dev/log"

Now we have to configure the rndc key. With -t, rndc-confgen writes an extra copy of rndc.key relative to the chroot so that the chrooted named can find it:
rndc-confgen -a -t /srv/chroot/bind/

Copy the contents of /etc/bind/rndc.key (the key statement) into /srv/chroot/bind/etc/bind/named.conf.local so that named knows the key rndc will use.

The following satisfies the log file requirement for the bindgraph package (apt-get install bindgraph). Note that the file path is relative to the chroot: /var/log inside the jail is /srv/chroot/bind/var/log on the host, which is why that directory was created and chowned above.

Append the following to /srv/chroot/bind/etc/bind/named.conf.local :
logging {
    channel "querylog" { file "/var/log/bind9-query.log"; print-time yes; };
    category queries { querylog; };
};

Considering we are writing to some log files, we had better set up some log rotation. The reload in postrotate makes named re-read its configuration and reopen the log channel, so it does not keep writing to the rotated file. Perform the following commands:
cat >> /etc/logrotate.d/bind9-query << EOF
/srv/chroot/bind/var/log/bind9-query.log {
    weekly
    missingok
    rotate 10
    postrotate
        /etc/init.d/bind9 reload > /dev/null
    endscript
}
EOF

The symlink lets bindgraph (which runs outside the chroot) find the log at its default location:
ln -s /srv/chroot/bind/var/log/bind9-query.log /var/log/bind9-query.log

Now it's time to restart syslog and start up bind.
/etc/init.d/sysklogd restart
/etc/init.d/bind9 start

Of course, it should now go without saying that you need to point /etc/resolv.conf at the new server (nameserver 127.0.0.1) and check that you can do lookups, for example with dig or host.
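A lookup succeeding only proves that something answers on port 53, not that the -u and -t options actually took effect. The script below is an added example for this howto, not code from the original page or from the Debian bind9 package: it checks the chroot tree built above (directories, device node numbers, ownership) and then, when run as root with the argument check, confirms from /proc that the running named really has its root at /srv/chroot/bind and runs as nobody, that the syslog socket exists inside the jail, that a lookup works and that the query log in the chroot is being written. The paths, device numbers and user are the ones this howto uses; CHROOT and RUNUSER can be overridden in the environment.

```shell
#!/bin/sh
# check-bind-chroot.sh: sanity-check the bind9 chroot built in this howto.
# Added example, not part of the original page or of the bind9 package.
# Paths, device numbers and run-as user are the howto's; override via env.
CHROOT=${CHROOT:-/srv/chroot/bind}
RUNUSER=${RUNUSER:-nobody}

# Directories the howto creates inside the chroot (relative to CHROOT).
REQUIRED_DIRS="etc/bind dev var/cache/bind var/log var/run/bind/run"

# Print each path from REQUIRED_DIRS that is missing under $1, one per line.
# Returns 0 when the tree is complete, 1 otherwise.
missing_dirs() {
    tree=$1; rc=0
    for d in $REQUIRED_DIRS; do
        if [ ! -d "$tree/$d" ]; then
            echo "$d"
            rc=1
        fi
    done
    return $rc
}

# Return 0 if $1 is a character device with major $2 and minor $3 (decimal).
# A plain file, or a node with the wrong numbers, is not the device named
# expects, so the numbers are compared rather than just checking existence.
dev_ok() {
    node=$1; want_major=$2; want_minor=$3
    [ -c "$node" ] || return 1
    set -- $(stat -c '%t %T' "$node")   # coreutils stat: major and minor in hex
    [ "$1" = "$(printf '%x' "$want_major")" ] && [ "$2" = "$(printf '%x' "$want_minor")" ]
}

# Static checks on the jail: directories, device nodes, ownership of what named writes.
check_tree() {
    fail=0
    for d in $(missing_dirs "$CHROOT"); do
        echo "missing directory: $CHROOT/$d"; fail=1
    done
    dev_ok "$CHROOT/dev/null" 1 3   || { echo "bad or missing $CHROOT/dev/null (want c 1 3)"; fail=1; }
    dev_ok "$CHROOT/dev/random" 1 8 || { echo "bad or missing $CHROOT/dev/random (want c 1 8)"; fail=1; }
    for p in var/cache/bind var/log var/run/bind/run etc/bind; do
        [ "$(stat -c %U "$CHROOT/$p" 2>/dev/null)" = "$RUNUSER" ] \
            || { echo "$CHROOT/$p is not owned by $RUNUSER"; fail=1; }
    done
    return $fail
}

# Live checks (run as root): named really runs as RUNUSER with its root at
# CHROOT, syslog is reachable from inside, lookups work and queries get logged.
check_running() {
    fail=0
    pid=$(cat "$CHROOT/var/run/bind/run/named.pid" 2>/dev/null)
    if [ -z "$pid" ] || [ ! -d "/proc/$pid" ]; then
        echo "named is not running (no live pid in $CHROOT/var/run/bind/run/named.pid)"
        return 1
    fi
    # /proc/<pid>/root points at the process's root directory: the real proof
    # that -t took effect, independent of what the init script was told.
    root=$(readlink "/proc/$pid/root")
    [ "$root" = "$CHROOT" ] || { echo "named (pid $pid) root is '$root', not $CHROOT"; fail=1; }
    user=$(ps -o user= -p "$pid" | tr -d ' ')
    [ "$user" = "$RUNUSER" ] || { echo "named runs as '$user', not $RUNUSER"; fail=1; }
    [ -S "$CHROOT/dev/log" ] || { echo "no syslog socket at $CHROOT/dev/log (check the sysklogd -a option)"; fail=1; }
    dig +short +time=3 +tries=1 @127.0.0.1 localhost A >/dev/null \
        || { echo "lookup via 127.0.0.1 failed"; fail=1; }
    [ -s "$CHROOT/var/log/bind9-query.log" ] || { echo "query log inside the chroot is missing or empty"; fail=1; }
    return $fail
}

# Usage: sh check-bind-chroot.sh check   (as root, after /etc/init.d/bind9 start)
case "${1:-}" in
    check) check_tree && check_running && echo "bind chroot looks good" ;;
esac
```

Run it as root after starting bind9; every complaint it prints names the step above that needs another look. The /proc check is the one worth keeping: a named that silently ignored -t would still answer lookups, and only its root link gives it away.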

If things aren't going as expected, take a look at /var/log/syslog for any errors (named reports configuration errors and missing files or device nodes in the chroot there at startup) and resolve them accordingly. Remember, Google is your friend 😉