Re: Using BIND in a chroot enviro?
Stefan Srdic <linuxbox@telusplanet.net> writes:
[snip]
> Recently I have been receiving several weird netfilter logs complaining
> about denied DNS queries coming in from and going out to unknown hosts. I
> believe that these logs may reflect a script kiddie who is attempting to
> break BIND and possibly use my computer for remote DoS attacks or port
> scans.
Um, how's netfilter telling you this?
> Where could I find any relative information on running BIND in a chroot
> jail on Debian? I was running BIND 8 under a user and group named.
> However I feel that it might be worthwhile using a chroot jail to
> prevent any possible BIND exploits on my system.
>
> Does anybody have any real-world experience with chroot'ing BIND?
It really is quite simple. /usr/sbin/named takes arguments `-u' for running
as a different user, and `-t' to chroot elseplaces.
Me, I have a bind9 from debian/unstable running chroot()ed into /etc/bind/,
and the only things I've needed to do are copy a few files around and fudge
some permissions, thus:
drwxr-xr-x 4 root root 1024 Jun 21 18:10 .
drwxr-xr-x 4 root root 1024 Jun 12 16:51 ./var
drwxr-xr-x 3 root root 1024 Jun 12 16:49 ./var/cache
drwxrwxr-x 2 root named 1024 Jun 27 12:17 ./var/cache/bind
-rw------- 1 named named 728 Jul 1 16:00 ./var/cache/bind/db.domain.com
drwxrwxr-t 2 root named 1024 Jun 21 18:10 ./var/run
-rw------- 1 named named 5 Jun 21 18:10 ./var/run/named.pid
-rw-r--r-- 1 root root 2385 Jun 21 18:10 ./named.conf
drwxr-xr-x 3 root root 1024 Jun 12 16:50 ./etc
drwxr-xr-x 2 root root 1024 Jun 21 18:10 ./etc/bind
-rw-r--r-- 1 root root 2385 Jun 21 18:10 ./etc/bind/named.conf
-rw-r--r-- 1 root root 237 Nov 11 2000 ./etc/bind/db.0
-rw-r--r-- 1 root root 271 Nov 11 2000 ./etc/bind/db.127
-rw-r--r-- 1 root root 237 Nov 11 2000 ./etc/bind/db.255
-rw-r--r-- 1 root root 256 Nov 11 2000 ./etc/bind/db.local
-rw-r--r-- 1 root root 734 Jun 12 16:05 ./etc/bind/db.root
-rw-r--r-- 1 root root 1192 Apr 26 07:43 ./rndc.conf
In the init.d scripts, you'll find it easiest to rip out the
start-stop-daemon stuff and run the command directly,
/usr/sbin/named -t /etc/bind -u named
unless you're a purist in which case, you tell me how instead ;)
If it's Bind security you're worried about, btw, can you not firewall out
53/tcp altogether as well? If you've got a few slave nameservers relying on
you, allow 53/tcp for their IP#s only; for the rest of the time, you really
don't need it, and having it open for all will result in crack attempts.
~Tim
--
And in the rapture and the charm, |piglet@stirfried.vegetable.org.uk
Came the tranquil and the calm, |http://spodzone.org.uk/
On the ridge of the mighty Atlantic. |
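The following is an added example, not code from Tim's post or from the Debian bind packages. It scripts the layout Tim lists: the config and zone files duplicated under ROOT/etc/bind (after chroot(), /etc/bind/named.conf resolves inside the jail), var/cache/bind and var/run group-writable by the unprivileged user, and a check that the jail holds nothing executable. The jail root, the user/group name and the directory holding the source named.conf and db.* files are parameters (Tim uses /etc/bind and named); the sample config written in the usage is constructed for the example.

```shell
#!/bin/sh
# Added example (not from the post): build and sanity-check a BIND chroot
# tree with the layout listed in the reply, then start named with -t/-u.
# Assumptions: the jail root, the unprivileged user/group name and the
# directory holding the source named.conf and db.* files are all passed in.
set -eu

# build_bind_chroot ROOT OWNER SRCDIR
# Recreates the tree from the post: config under ROOT/etc/bind, the cache and
# pid directories group-writable by OWNER, everything else owned by root.
build_bind_chroot() {
  root=$1 owner=$2 src=$3
  mkdir -p "$root/etc/bind" "$root/var/cache/bind" "$root/var/run"
  chmod 755 "$root" "$root/etc" "$root/etc/bind" "$root/var" "$root/var/cache"
  chmod 775 "$root/var/cache/bind"   # zone/cache files named writes
  chmod 1775 "$root/var/run"         # drwxrwxr-t: pid file, sticky bit
  # After chroot(), /etc/bind/named.conf resolves to ROOT/etc/bind/named.conf,
  # so the config and zone files must be duplicated inside the jail.
  cp "$src/named.conf" "$root/etc/bind/named.conf"
  for f in "$src"/db.*; do
    if [ -f "$f" ]; then cp "$f" "$root/etc/bind/"; fi
  done
  # Ownership needs root and an existing OWNER account; skip otherwise so the
  # layout can still be built and checked unprivileged.
  if [ "$(id -u)" -eq 0 ] && id "$owner" >/dev/null 2>&1; then
    chown -R root:root "$root"
    chown root:"$owner" "$root/var/cache/bind" "$root/var/run"
  fi
}

# verify_bind_chroot ROOT
# Returns 0 when the jail looks usable and contains nothing an attacker who
# breaks named could execute; prints each problem found.
verify_bind_chroot() {
  root=$1 rc=0
  [ -f "$root/etc/bind/named.conf" ] \
    || { echo "missing $root/etc/bind/named.conf (named will not find its config)"; rc=1; }
  for d in var/cache/bind var/run; do
    [ -n "$(find "$root/$d" -prune -perm -g+w 2>/dev/null)" ] \
      || { echo "$root/$d is not group-writable; named cannot write there"; rc=1; }
  done
  # A jail with no executables, setuid files or device nodes gives a
  # compromised named little to pivot with.
  bad=$(find "$root" \( -type f \( -perm -u+x -o -perm -u+s \) \) -o -type c -o -type b 2>/dev/null)
  [ -z "$bad" ] || { echo "executables or device nodes inside the jail:"; echo "$bad"; rc=1; }
  return $rc
}

# start_named ROOT OWNER: the command from the post, for use in the init script.
start_named() {
  exec /usr/sbin/named -t "$1" -u "$2"
}

# Usage (hypothetical paths): build_bind_chroot /etc/bind named /etc/bind
#                             verify_bind_chroot /etc/bind && start_named /etc/bind named
```

Run the build as root so the chown step takes effect; unprivileged it still lays out the tree and lets you check it. Note the verifier deliberately flags any executable file inside the jail: the listing in the post contains only config and zone data, and keeping it that way is most of the point of the chroot.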