chroot BIND 8.2.2p5

Michael Bryan bind at ursine.com
Fri Jun 9 15:43:42 UTC 2000



philip.wolfe at quintiles.com wrote:
> 
> Hello,
> 
> Could someone point me in the direction of some decent documentation on setting
> up BIND 8.2.2p5 as a chroot unprivileged user?

A couple of useful links are:

    http://www.etherboy.com/dns/chrootdns.html
    (Geared towards dual DNS on Redhat)

    http://www.psionic.com/papers/dns/dns-openbsd/
    (Geared towards OpenBSD/FreeBSD)

Neither one is 100% complete; there are gotchas such as handling the
ndc control pipe that also have to be worked out for a chroot environment,
and making sure named has write access to the location where it puts
its named.pid file.  But they both have good info, and are worth
reading.

Keep in mind that you will lose some functionality in BIND with
a chroot/nonpriv environment.  The biggest is probably that BIND
will not be able to scan for new IP addresses on interfaces to open
up a socket on port 53, since only root can bind to port 53.  Also,
the "ndc restart" function will likely not work, since the new
named process will not even start as root, and therefore will not
be able to bind to port 53 on any address.  If your IP addresses
are stable, named doesn't really need to scan for changed addresses
anyway.  Also, you can replace "ndc restart" with a custom script
to do a full restart.  Just a little work, but it's still more than
a basic no-brainer operation.
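The "custom script to do a full restart" mentioned above, written out as an added example (this is not code from the post or from BIND itself). It assumes a chroot at /chroot/named, an unprivileged user and group both called named, and BIND 8's -u, -g and -t options, which make named bind port 53 as root and then drop privileges into the chroot; the pre-flight check covers the two gotchas the post names, the pid file location and its ownership:

```shell
#!/bin/sh
# Constructed example: replace "ndc restart" for a chroot'd, unprivileged
# BIND 8 named.  Paths, user and group below are assumptions, override
# them from the environment.
CHROOT="${CHROOT:-/chroot/named}"
NAMED_USER="${NAMED_USER:-named}"
NAMED_GROUP="${NAMED_GROUP:-named}"
NAMED_BIN="${NAMED_BIN:-/usr/sbin/named}"

# Pre-flight check of the chroot tree.  Arguments: chroot dir, named user.
# Returns 0 when every required piece is present, 1 otherwise, naming the
# first problem on stderr.  named writes /var/run/named.pid *inside* the
# chroot, so $dir/var/run must exist and be owned by the unprivileged user
# or the pid file is never written and a later restart cannot find the
# old process.
check_chroot_layout() {
    dir="$1"; user="$2"
    [ -d "$dir" ] || { echo "no chroot dir $dir" >&2; return 1; }
    [ -f "$dir/etc/named.conf" ] || { echo "missing $dir/etc/named.conf" >&2; return 1; }
    # In a real chroot this is a character device created with mknod.
    [ -e "$dir/dev/null" ] || { echo "missing $dir/dev/null" >&2; return 1; }
    [ -d "$dir/var/run" ] || { echo "missing $dir/var/run" >&2; return 1; }
    owner=$(find "$dir/var/run" -prune -user "$user" 2>/dev/null || true)
    [ -n "$owner" ] || { echo "$dir/var/run not owned by $user" >&2; return 1; }
    return 0
}

# Print the pid named recorded inside the chroot; fail if there is none.
named_pid() {
    pidfile="$1/var/run/named.pid"
    [ -s "$pidfile" ] || return 1
    pid=$(head -n 1 "$pidfile" | tr -dc '0-9')
    [ -n "$pid" ] || return 1
    echo "$pid"
}

# Full restart, run as root: stop the old process via its pid file, wait
# for it to exit, then start a fresh named that binds port 53 while still
# root and only afterwards switches to $NAMED_USER inside $CHROOT.
restart_named() {
    check_chroot_layout "$CHROOT" "$NAMED_USER" || return 1
    if pid=$(named_pid "$CHROOT"); then
        kill "$pid" 2>/dev/null || true
        i=0
        while kill -0 "$pid" 2>/dev/null && [ "$i" -lt 10 ]; do
            sleep 1; i=$((i + 1))
        done
        if kill -0 "$pid" 2>/dev/null; then
            echo "named $pid did not exit" >&2; return 1
        fi
    fi
    "$NAMED_BIN" -u "$NAMED_USER" -g "$NAMED_GROUP" -t "$CHROOT"
}

# Usage: restart-named.sh restart   (as root)
if [ "${1:-}" = restart ]; then
    restart_named
fi
```

Because the new process is started by root from outside the chroot, it can bind port 53 on every configured address, which is exactly what "ndc restart" from inside the unprivileged process cannot do.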
