chroot question

Bill Larson wllarso at swcp.com
Thu Jul 5 13:52:48 UTC 2001


For running BIND in a chroot environment under HP-UX, look at
http://www.stahl.bau.tu-bs.de/~hildeb/bind/.  Ralf Hildebrandt has put together
an excellent description of how to set this up.  For Solaris, look at
http://www.securityportal.com/cover/coverstory20001002.html.

If you are planning on running BIND-9, then using the "-t" option to named
makes running BIND in a chroot environment an almost no-brainer.  The tricks
necessary to run BIND-8 are eliminated with BIND-9 because there is no need, or
possibility, for forking additional processes.  In BIND-9 there is no
named-axfr to deal with, which makes the chroot setup more difficult.  Just
make sure that you are not running named as "root", even in a chroot
environment.  Use the "-u" option also.

Strong bias:  You don't need to waste a big/expensive HP-UX or Solaris system
for a DNS server.  These systems are overkill.  You can run a very successful
DNS server operation on an Intel platform with OpenBSD (my first choice for an
OS in this situation), or one of the other BSD OS's (FreeBSD or NetBSD), or
Linux.  Any such setup will require going through the OS networking components
to help ensure a secure system.  OpenBSD makes this easier than the other
possibilities.

If you are worried about DNS server security, then you don't want to be running
other services, such as web servers, on the same server as the DNS server.  DNS
is too critical of a service to allow it to go down just because someone breaks
into the system through some other service.  Dedicate a small and inexpensive
system for providing just DNS services.

By the way, the two sites mentioned can be quickly found by using Yahoo and
searching for "dns bind chroot hp-ux" and "dns bind chroot solaris".  Also, the
bind-users mailing list, which is gatewayed to the comp.protocols.dns.bind
newsgroup, is archived at http://www.mail-archive.com/bind-users%40isc.org/ and
DejaNews.  You can search either of these locations quite quickly and pull up
even more references.

Bill Larson

lg042-5 wrote:

> Thanks for the answer.
>
> I am planning to build chroot on both Solaris 8 for internet servers
> and HP_UX for intranet (don't know yet whether it will be 11.0 or 11.11)
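The BIND-9 setup Bill describes above (chroot with "-t", drop privileges with "-u") as an added example, not part of the original post or of any BIND documentation. It builds a minimal chroot directory tree with a constructed named.conf, composes the named command line, and checks that an invocation actually carries both flags and does not name root as the user. The chroot path, the "named" account and the config contents are assumptions; the device nodes named usually wants inside the chroot (/dev/null, /dev/random) need mknod as root and are deliberately left out so the script runs unprivileged.

```shell
#!/bin/sh
# Added example (not from the original post): minimal BIND 9 chroot layout
# plus a sanity check that named is started with both -t and -u.

CHROOT="${CHROOT:-/tmp/named-chroot-example}"   # assumed chroot root
NAMED_USER="${NAMED_USER:-named}"               # assumed unprivileged account

# Create the directories named expects to find inside the chroot and drop a
# constructed, deliberately small named.conf into it.  After "-t", named
# reads /etc/named.conf relative to the new root.
make_chroot_tree() {
    root="$1"
    for d in etc var/run var/named dev; do
        mkdir -p "$root/$d"
    done
    # /dev/null and /dev/random must be created with mknod as root; omitted here.
    cat > "$root/etc/named.conf" <<'EOF'
options {
    directory "/var/named";
    pid-file "/var/run/named.pid";
    recursion no;
};
EOF
}

# Compose the command line: -u drops privileges after binding port 53,
# -t chroots to the given directory, -c points at the config inside it.
named_cmdline() {
    printf '%s\n' "named -u $2 -t $1 -c /etc/named.conf"
}

# Refuse an invocation that lacks -t or -u, or that names root as the user.
# Returns 0 when the command line meets both of the post's requirements.
check_cmdline() {
    cmd="$1"
    case "$cmd" in *" -t "*) ;; *) echo "missing -t (no chroot)"; return 1;; esac
    case "$cmd" in *" -u root"*|*" -u 0"*) echo "named would run as root"; return 1;; esac
    case "$cmd" in *" -u "*) ;; *) echo "missing -u (stays root)"; return 1;; esac
    return 0
}

# Stand-alone usage: build the tree and print the command line that passes.
if [ "${NAMED_EXAMPLE_RUN:-0}" = "1" ]; then
    make_chroot_tree "$CHROOT"
    cmd=$(named_cmdline "$CHROOT" "$NAMED_USER")
    check_cmdline "$cmd" && echo "ok: $cmd"
fi
```

Set NAMED_EXAMPLE_RUN=1 to have the script build the tree under CHROOT and print the accepted command line; the real named binary is never started by this script.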