
Re: Using BIND in a chroot enviro?



Stefan Srdic <linuxbox@telusplanet.net> writes:

[snip]
> Recently I have been receiving several weird netfilter logs complaining
> about denied DNS queries coming in from and going out to unknown hosts. I
> believe that these logs may reflect a script kiddie who is attempting to
> break BIND and possibly use my computer for remote DoS attacks or port
> scans.

Um, how's netfilter telling you this?

> Where could I find any relative information on running BIND in a chroot
> jail on Debian? I was running BIND 8 under a user and group named.
> However I feel that it might be worthwhile using a chroot jail to
> prevent any possible BIND exploits on my system.
> 
> Does anybody have any real-world experience with chroot'ing BIND?

It really is quite simple. /usr/sbin/named takes arguments `-u' for running
as a different user, and `-t' to chroot elseplaces.

Me, I have a bind9 from debian/unstable running chroot()ed into /etc/bind/,
and the only things I've needed to do are copy a few files around and fudge
some permissions, thus:

drwxr-xr-x   4 root   root       1024 Jun 21 18:10 .
drwxr-xr-x   4 root   root       1024 Jun 12 16:51 ./var
drwxr-xr-x   3 root   root       1024 Jun 12 16:49 ./var/cache
drwxrwxr-x   2 root   named      1024 Jun 27 12:17 ./var/cache/bind
-rw-------   1 named  named       728 Jul  1 16:00 ./var/cache/bind/db.domain.com
drwxrwxr-t   2 root   named      1024 Jun 21 18:10 ./var/run
-rw-------   1 named  named         5 Jun 21 18:10 ./var/run/named.pid
-rw-r--r--   1 root   root       2385 Jun 21 18:10 ./named.conf
drwxr-xr-x   3 root   root       1024 Jun 12 16:50 ./etc
drwxr-xr-x   2 root   root       1024 Jun 21 18:10 ./etc/bind
-rw-r--r--   1 root   root       2385 Jun 21 18:10 ./etc/bind/named.conf
-rw-r--r--   1 root   root        237 Nov 11  2000 ./etc/bind/db.0
-rw-r--r--   1 root   root        271 Nov 11  2000 ./etc/bind/db.127
-rw-r--r--   1 root   root        237 Nov 11  2000 ./etc/bind/db.255
-rw-r--r--   1 root   root        256 Nov 11  2000 ./etc/bind/db.local
-rw-r--r--   1 root   root        734 Jun 12 16:05 ./etc/bind/db.root
-rw-r--r--   1 root   root       1192 Apr 26 07:43 ./rndc.conf

In the init.d scripts, you'll find it easiest to rip out the
start-stop-daemon stuff and run the command directly,
        /usr/sbin/named -t /etc/bind -u named
unless you're a purist in which case, you tell me how instead ;)

If it's Bind security you're worried about, btw, can you not firewall out
53/tcp altogether as well? If you've got a few slave nameservers relying on
you, allow 53/tcp for their IP#s only; for the rest of the time, you really
don't need it, and having it open for all will result in crack attempts.
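Tim's firewall suggestion in script form, as an added example that is not from the mail: it assumes iptables (the netfilter tool Stefan's logs come from) and prints the rules so they can be reviewed before being applied. The slave addresses used below are constructed RFC 5737 test addresses.

```shell
#!/bin/sh
# Added example (not from the mail): generate netfilter rules that keep
# 53/udp open, allow 53/tcp only from listed slave nameservers, and drop
# all other 53/tcp. Assumes iptables; addresses are validated first so a
# typo does not silently become a rule that matches nothing.

# valid_ipv4 ADDR: 0 if ADDR is a dotted quad with octets 0..255, else 1
valid_ipv4() {
    case "$1" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# dns_tcp_rules SLAVE_IP...
# Prints one iptables command per line. Rule order is the point: iptables
# takes the first match, so the per-slave ACCEPTs must precede the DROP.
dns_tcp_rules() {
    for ip in "$@"; do
        valid_ipv4 "$ip" || { echo "dns_tcp_rules: bad address '$ip'" >&2; return 1; }
        printf 'iptables -A INPUT -p tcp --dport 53 -s %s -j ACCEPT\n' "$ip"
    done
    printf 'iptables -A INPUT -p tcp --dport 53 -j DROP\n'
    printf 'iptables -A INPUT -p udp --dport 53 -j ACCEPT\n'
}

# Review the output first, then apply as root (constructed slave addresses):
#   dns_tcp_rules 192.0.2.10 192.0.2.11            # print only
#   dns_tcp_rules 192.0.2.10 192.0.2.11 | sh -e    # apply
```

Zone transfers to the slaves and the odd oversized answer still work over TCP from the listed hosts; everyone else only gets UDP, which is all an ordinary resolver needs.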

~Tim
-- 
And in the rapture and the charm,           |piglet@stirfried.vegetable.org.uk
Came the tranquil and the calm,             |http://spodzone.org.uk/
On the ridge of the mighty Atlantic.        |
