Revisions compared on this page:

  chrooted_dns [2007/01/03 12:10] adam created
  chrooted_dns [2016/11/25 22:38] (current)

The text below is the current revision; the 2016 change only wrapped the inline commands in '' and split the OPTIONS paragraph in two.
Run

  apt-get install bind9

For security reasons we want to run BIND chrooted: named then cannot see anything outside /var/lib/named, and together with -u bind it drops root after binding port 53, so a compromised named only has access to the bind user's files inside the chroot. To set this up we have to do the following steps:

  /etc/init.d/bind9 stop

Edit the file ''/etc/default/bind9'' so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line ''OPTIONS="-u bind"'' so that it reads ''OPTIONS="-u bind -t /var/lib/named"'':

  vi /etc/default/bind9

  OPTIONS="-u bind -t /var/lib/named"
  # Set RESOLVCONF=no to not run resolvconf
  RESOLVCONF=yes

Create the necessary directories under /var/lib:

  mkdir -p /var/lib/named/etc
  mkdir /var/lib/named/dev
  mkdir -p /var/lib/named/var/cache/bind
  mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

  mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

  ln -s /var/lib/named/etc/bind /etc/bind

Because named chroots itself (that is what -t does), every path it opens is resolved inside /var/lib/named: ''/etc/bind/named.conf'' and ''directory "/var/cache/bind"'' in named.conf keep working unchanged. The symlink is for the host side, so that dpkg, ''rndc'' (which reads /etc/bind/rndc.key) and you still find the files at /etc/bind.

Make null and random devices, and fix permissions of the directories:

  mknod /var/lib/named/dev/null c 1 3
  mknod /var/lib/named/dev/random c 1 8
  chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
  chown -R bind:bind /var/lib/named/var/*
  chown -R bind:bind /var/lib/named/etc/bind

Inside the chroot there is no /dev/log, so named could not reach syslog. We need to modify the sysklogd startup script /etc/init.d/sysklogd so that syslogd also listens on a socket inside the chroot and we still get important messages logged to the system logs. Modify the line ''SYSLOGD="-u syslog"'' so that it reads ''SYSLOGD="-u syslog -a /var/lib/named/dev/log"'':

  vi /etc/init.d/sysklogd

  [...]
  SYSLOGD="-u syslog -a /var/lib/named/dev/log"
  [...]

(On a system that runs rsyslog instead of sysklogd, the equivalent is ''$AddUnixListenSocket /var/lib/named/dev/log'' in rsyslog.conf.)

Restart the logging daemon:

  /etc/init.d/sysklogd restart

After the restart ''ls -l /var/lib/named/dev/log'' should show a socket; without it named's log messages are silently lost.

Start up BIND, and check /var/log/syslog for errors:

  /etc/init.d/bind9 start

To confirm that named really is chrooted and running as bind, look at its root directory and owner in /proc:

  ls -ld /proc/$(pidof named)/root
  ps -o user,args -C named

The first should point to /var/lib/named and the second should show user bind with ''-u bind -t /var/lib/named'' in the arguments.
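A post-install audit of the chroot built by the steps above, as an added example (it is not part of the original page and not a BIND or Debian tool). It re-checks every item the procedure creates: the directories, the moved named.conf, the two device nodes with their major/minor numbers and mode, the syslog socket, the bind ownership, the OPTIONS line and the host-side symlink. The check names, the parameter order and the convention of returning the number of failed checks are my own choices; it assumes GNU stat as shipped on Debian, and the defaults match the page's paths.

```shell
#!/bin/sh
# audit-bind-chroot.sh: verify a BIND chroot laid out as on this page.
# Example code, not from the original page. Assumes GNU stat (coreutils).

# check_dir DIR: DIR exists and is a directory.
check_dir() { [ -d "$1" ]; }

# check_chardev PATH MAJOR MINOR: PATH is a character device with the given
# major/minor numbers (stat prints them in hex) and mode 0666, as mknod+chmod
# on the page create them.
check_chardev() {
    [ -c "$1" ] || return 1
    [ "$(stat -c '%t %T %a' "$1")" = "$(printf '%x %x 666' "$2" "$3")" ]
}

# check_owner PATH USER: PATH is owned by USER (name or numeric uid).
check_owner() {
    [ "$(stat -c %U "$1" 2>/dev/null)" = "$2" ] ||
    [ "$(stat -c %u "$1" 2>/dev/null)" = "$2" ]
}

# report NAME COMMAND...: run one check, print ok/FAIL, count the failures.
report() {
    name="$1"; shift
    if "$@"; then
        echo "ok   $name"
    else
        echo "FAIL $name"
        fails=$((fails + 1))
    fi
}

# audit_bind_chroot [ROOT] [OWNER] [DEFAULTS_FILE] [HOST_LINK]
# Prints one line per check and returns the number of failed checks
# (0 means the chroot matches the page; a return value is capped at 255).
audit_bind_chroot() {
    root="${1:-/var/lib/named}"
    owner="${2:-bind}"
    defaults="${3:-/etc/default/bind9}"
    hostlink="${4:-/etc/bind}"
    fails=0

    # directories created with mkdir
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        report "dir $root/$d" check_dir "$root/$d"
    done
    # config moved into the chroot
    report "named.conf at $root/etc/bind" test -f "$root/etc/bind/named.conf"
    # device nodes: null is (1,3), random is (1,8)
    report "device $root/dev/null (1,3) mode 666" check_chardev "$root/dev/null" 1 3
    report "device $root/dev/random (1,8) mode 666" check_chardev "$root/dev/random" 1 8
    # socket that syslogd -a /var/lib/named/dev/log creates
    report "syslog socket $root/dev/log" test -S "$root/dev/log"
    # ownership from the chown -R lines
    for d in etc/bind var/cache/bind var/run/bind/run; do
        report "owner $owner on $root/$d" check_owner "$root/$d" "$owner"
    done
    # OPTIONS line in /etc/default/bind9
    report "$defaults has -u $owner -t $root" \
        grep -qF -- "-u $owner -t $root" "$defaults" 2>/dev/null
    # host-side symlink back into the chroot
    report "$hostlink -> $root/etc/bind" \
        test "$(readlink "$hostlink" 2>/dev/null)" = "$root/etc/bind"

    return "$fails"
}

# Run the audit when a chroot path is given on the command line, e.g.
#   sh audit-bind-chroot.sh /var/lib/named
if [ $# -gt 0 ]; then audit_bind_chroot "$@"; fi
```

Run it as root after the final bind9 start; every line should read ok. The device and socket checks are the ones that most often fail in practice (a forgotten mknod, or a syslogd that was not restarted with -a), and because the script only reads the tree it is safe to rerun after every fix.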