Secure BIND
Lock down your BIND setup to help contain potential security problems.
Due to BIND’s not-so-illustrious track record with regard to security, you’ll probably want to spend some time hardening your setup if you want to continue using it. One way to make running BIND a little safer is to run it inside a sandboxed environment. This is easy to do with recent versions of BIND, since it natively supports running as a nonprivileged user within a chroot() jail. All you need to do is set up the directory you’re going to have it chroot() to, and then change the command you’re using to start named to reflect this.
To begin, create a user and group to run named as (e.g., named). To prepare the sandboxed environment, you’ll need to create the appropriate directory structure. You can create the directories for such an environment within /named_chroot by running the following commands:
# mkdir /named_chroot
# cd /named_chroot
# mkdir -p dev etc/namedb/slave var/run
Next, you’ll need to copy your named.conf and namedb directory to the sandboxed environment:
# cp /etc/named.conf /named_chroot/etc
# cp -a /var/namedb/* /named_chroot/etc/namedb
This assumes that you store your zone files in /var/namedb. If you’re setting up BIND as a secondary DNS server, you will need to make the /named_chroot/etc/namedb/slave directory writable so that named can update the records it contains when it performs a domain transfer from the master DNS node. You can do this by running a command similar to the ...
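The steps above, collected into one script as an added example (not from the book): it builds the /named_chroot tree described in the text, copies the configuration and zones in, gives only the slave and var/run directories to the named user, and audits the result so that nothing else in the sandbox is writable by named. The /named_chroot layout, the named user and group, and the BIND -u/-t start flags are assumed from the text.

```shell
#!/bin/sh
# Build, populate and audit a BIND chroot tree (added example; assumes
# the /named_chroot layout from the text and a 'named' user and group).
set -eu
umask 022   # nothing we create should be group- or world-writable by default

# Create the sandbox skeleton. Only slave/ and var/run need to be writable
# by named (zone transfers and the pid file); everything else stays read-only.
build_chroot_tree() {
    root=$1
    mkdir -p "$root/dev" "$root/etc/namedb/slave" "$root/var/run"
    chmod 755 "$root" "$root/dev" "$root/etc" "$root/etc/namedb" "$root/var"
    chmod 770 "$root/etc/namedb/slave" "$root/var/run"
}

# Copy named.conf and the primary zone files into the sandbox.
populate_chroot() {
    root=$1 conf=$2 zonedir=$3
    cp "$conf" "$root/etc/named.conf"
    cp -a "$zonedir"/. "$root/etc/namedb/"
    chmod 644 "$root/etc/named.conf"
}

# Hand the writable directories to the named user. Needs root, so it is
# skipped (not faked) when the script runs unprivileged.
assign_owner() {
    root=$1 user=$2
    if [ "$(id -u)" -eq 0 ] && id "$user" >/dev/null 2>&1; then
        chown -R root:"$user" "$root"
        chown "$user:$user" "$root/etc/namedb/slave" "$root/var/run"
    fi
}

# Audit: the slave directory must exist, and outside slave/ and var/run
# nothing may be group- or world-writable. Returns 0 when the tree is clean.
check_chroot() {
    root=$1
    [ -d "$root/etc/namedb/slave" ] || return 1
    bad=$(find "$root" \( -path "$root/etc/namedb/slave" -o -path "$root/var/run" \) \
              -prune -o \( -perm -002 -o -perm -020 \) -print)
    [ -z "$bad" ]
}

# The start command that matches this layout: -u drops privileges, -t chroots,
# and the config path is then interpreted inside the sandbox.
named_start_command() {
    printf 'named -u %s -t %s -c /etc/named.conf' "$2" "$1"
}
```

For the layout in the text, call build_chroot_tree /named_chroot, populate_chroot /named_chroot /etc/named.conf /var/namedb, assign_owner /named_chroot named, and start named with the command that named_start_command /named_chroot named prints.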