Re: Using BIND in a chroot enviro?
Well, I got it all to work, even logging :-D
BIND is run under the user and group named, and restrained in a chroot jail.
My directory structure looks like:
*The file permissions are also configured according to the
Chroot-BIND-HOWTO.
root@NodeFilter:/# du -a /chroot
0 /chroot/named/dev/log
0 /chroot/named/dev/null
1 /chroot/named/dev
4 /chroot/named/etc/bind/db.0
4 /chroot/named/etc/bind/db.local
4 /chroot/named/etc/bind/db.127
4 /chroot/named/etc/bind/db.255
4 /chroot/named/etc/bind/db.root
21 /chroot/named/etc/bind
4 /chroot/named/etc/group
4 /chroot/named/etc/named.conf
4 /chroot/named/etc/localtime
33 /chroot/named/etc
92 /chroot/named/lib/ld-2.2.3.so
1100 /chroot/named/lib/libc-2.2.3.so
0 /chroot/named/lib/ld-linux.so.2
0 /chroot/named/lib/libc.so.6
1193 /chroot/named/lib
0 /chroot/named/var/run/ndc
4 /chroot/named/var/run/named.pid
5 /chroot/named/var/run
4 /chroot/named/var/cache/bind/named_dump.db
5 /chroot/named/var/cache/bind
5 /chroot/named/var/cache
10 /chroot/named/var
2300 /chroot/named/usr/sbin/named
2301 /chroot/named/usr/sbin
2301 /chroot/named/usr
3538 /chroot/named
3538 /chroot
However, I did have to downgrade to BIND 8.2.4. I did so because I needed
to compile a statically linked version of the named binary. (BIND 9's
source is different and I had no docs to follow for it.)
I have a few questions about my chroot'ed DNS setup. I basically followed
the instructions on the Psionic Software web site and the
Chroot-BIND-HOWTO. However, I noticed two differences between the
documents.
1. Psionic's doc recommends that you compile a statically linked named
binary and then copy it into your chroot tree, while the Chroot-BIND-HOWTO
recommends that you compile and install BIND directly into your chroot tree.
2. The Chroot-BIND-HOWTO recommends that you create a /chroot/named/lib
directory and copy your system's C libraries into it so that BIND can access
them.
My questions are, what's the difference between a normal compilation and a
statically linked one?
Why would you place the C libraries into your chroot tree?
I'm no newbie to Linux, but I'm no expert when it comes to sysadmin tasks
and software compilation (damn that apt daemon!!). I would appreciate it if
some of you gurus could give me a little detail on these subjects.
Thanks
Stef
BTW, I edited named.conf and commented out the query-source port statement.
I'm going to have to edit my iptables script to match this new behavior in
my BIND daemon. -> Thanks for the tip(s) :-D
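Added example, not part of Stef's post nor taken from the Psionic document or the Chroot-BIND-HOWTO: a POSIX shell script that does what the HOWTO's lib/ step describes, copying a binary into a jail together with every shared library ldd says the dynamic loader will map, and that recognises a statically linked binary, for which there is nothing to copy. The function names (is_static, list_libs, populate_jail, jail_libs), the use of /bin/sh in the demo and the temporary jail directory are assumptions for illustration. It does not create the device nodes, the named user and group, or the file permissions the post mentions, and populating a real /chroot/named runs as root.

```shell
#!/bin/sh
# Added example, not from the original post: populate a chroot jail with a
# binary and the shared libraries it needs, as resolved by ldd.
# Assumptions: a Linux host with ldd and a POSIX awk; absolute paths; the
# caller may write to JAIL (a real jail such as /chroot/named needs root).
set -eu

# is_static BINARY: succeed when BINARY carries no dynamic dependencies,
# i.e. ldd reports it is not a dynamic executable. Such a binary runs in a
# jail with no lib/ directory at all, which is why a static named is simpler.
is_static() {
    ldd "$1" 2>&1 | grep -qE 'not a dynamic executable|statically linked'
}

# list_libs BINARY: print the absolute path of every shared object the
# dynamic loader would map for BINARY, including the loader itself.
# ldd lines look like "libc.so.6 => /lib/libc.so.6 (0x...)" or
# "/lib/ld-linux.so.2 (0x...)"; the vDSO has no path and is skipped, and
# a "=> not found" entry is skipped too (there is nothing to copy).
list_libs() {
    ldd "$1" | awk '
        /=>/ && $3 ~ /^\// { print $3 }
        $1 ~ /^\//          { print $1 }
    ' | sort -u
}

# populate_jail BINARY JAIL: copy BINARY into JAIL at the same absolute
# path, then every library it needs at its own path, so the loader running
# inside the chroot finds them where it expects (/lib, /lib64, ...).
# cp dereferences symlinks, so the jail receives real files.
populate_jail() {
    bin="$1"; jail="$2"
    case "$bin" in
        /*) ;;
        *) echo "populate_jail: $bin must be an absolute path" >&2; return 1 ;;
    esac
    mkdir -p "$jail$(dirname "$bin")"
    cp "$bin" "$jail$bin"
    if is_static "$bin"; then
        echo "$bin is statically linked; no libraries copied"
        return 0
    fi
    list_libs "$bin" | while IFS= read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp "$lib" "$jail$lib"
        echo "copied $lib"
    done
}

# jail_libs JAIL: list the shared objects now present in the jail, a quick
# check that the loader and libc actually landed inside the tree.
jail_libs() {
    find "$1" -name '*.so*' -type f | sort
}

# Usage: populate_jail /usr/sbin/named /chroot/named (as root), then
# jail_libs /chroot/named. Stand-alone demo against a throwaway directory:
if [ "${1:-}" = "demo" ]; then
    tmp=$(mktemp -d)
    populate_jail /bin/sh "$tmp"
    jail_libs "$tmp"
    rm -rf "$tmp"
fi
```

The two HOWTO approaches differ only in how this step is handled: a dynamically linked named is resolved by ld-linux.so at start-up, and once the process has called chroot(2) that loader can only see libraries under the jail, hence the copied lib/ tree; a statically linked named carries its libc inside the binary, so is_static succeeds and populate_jail copies nothing but the binary. Either way, run jail_libs afterwards and compare with list_libs on the original binary before starting the daemon.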