chrooted_dns

chrooted_dns [2007/01/03 12:10]
adam created
chrooted_dns [2016/11/25 22:38] (current)
Run

  apt-get install bind9

For security reasons we want to run BIND chrooted, so we have to do the following steps:

  /etc/init.d/bind9 stop

Edit the file ''/etc/default/bind9'' so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named.

Modify the line ''OPTIONS=" -u bind"'' so that it reads ''OPTIONS="-u bind -t /var/lib/named"'':

  vi /etc/default/bind9

  OPTIONS="-u bind -t /var/lib/named"
  # Set RESOLVCONF=no to not run resolvconf
  RESOLVCONF=yes

Create the necessary directories under /var/lib:

  mkdir -p /var/lib/named/etc
  mkdir /var/lib/named/dev
  mkdir -p /var/lib/named/var/cache/bind
  mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

  mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when bind is upgraded in the future):

  ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

  mknod /var/lib/named/dev/null c 1 3
  mknod /var/lib/named/dev/random c 1 8
  chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
  chown -R bind:bind /var/lib/named/var/*
  chown -R bind:bind /var/lib/named/etc/bind

We need to modify the startup script /etc/init.d/sysklogd of sysklogd so that we can still get important messages logged to the system logs. Modify the line ''SYSLOGD="-u syslog"'' so that it reads ''SYSLOGD="-u syslog -a /var/lib/named/dev/log"'':

  vi /etc/init.d/sysklogd

  [...]
  SYSLOGD="-u syslog -a /var/lib/named/dev/log"
  [...]

Restart the logging daemon:

  /etc/init.d/sysklogd restart

Start up BIND, and check /var/log/syslog for errors:

  /etc/init.d/bind9 start
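A post-setup checker for the chroot layout built by the steps above, added here as an example and not part of the original page. It assumes the page's defaults (chroot at /var/lib/named, config symlink at /etc/bind, daemon options in /etc/default/bind9) and reports one finding per step that was skipped or done wrong.

```shell
#!/bin/sh
# check_named_chroot [ROOT] [ETC_LINK] [DEFAULTS]
# Verifies the chroot layout from the steps above. Prints one line per
# finding; the return value is the number of findings (0 = everything ok).
check_named_chroot() {
    root="${1:-/var/lib/named}"          # chroot directory (-t option)
    etc_link="${2:-/etc/bind}"           # symlink kept for package upgrades
    defaults="${3:-/etc/default/bind9}"  # file carrying OPTIONS=
    n=0

    # Directories the daemon needs inside the chroot
    for d in etc/bind dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "missing directory: $root/$d"; n=$((n+1)); }
    done

    # /dev/null must be char 1:3 and /dev/random char 1:8
    # (GNU stat prints major:minor in hex, so 1:3 and 1:8 compare as-is)
    for spec in null:1:3 random:1:8; do
        name=${spec%%:*}; want=${spec#*:}
        node="$root/dev/$name"
        if [ ! -c "$node" ]; then
            echo "missing character device: $node"; n=$((n+1))
        elif [ "$(stat -c '%t:%T' "$node")" != "$want" ]; then
            echo "wrong major:minor on $node (want $want)"; n=$((n+1))
        fi
    done

    # /etc/bind must point into the chroot, otherwise a future upgrade
    # writes a fresh config outside it that named never reads
    if [ ! -L "$etc_link" ] || [ "$(readlink "$etc_link")" != "$root/etc/bind" ]; then
        echo "$etc_link is not a symlink to $root/etc/bind"; n=$((n+1))
    fi

    # Without -t <root> in OPTIONS the daemon runs unchrooted as user bind
    if ! grep -Eq "^OPTIONS=.*-t[[:space:]]+$root" "$defaults" 2>/dev/null; then
        echo "OPTIONS in $defaults does not chroot to $root"; n=$((n+1))
    fi

    # The log socket appears only after sysklogd was restarted with -a
    [ -S "$root/dev/log" ] || { echo "no syslog socket at $root/dev/log"; n=$((n+1)); }

    return "$n"
}

# Check the live system when invoked with arguments, e.g.:
#   sh check_named_chroot.sh /var/lib/named
[ $# -gt 0 ] && check_named_chroot "$@"
```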
  
chrooted_dns.txt · Last modified: 2016/11/25 22:38 (external edit)