Revision as of 17:49, 4 March 2009
DNS and BIND
Running BIND in a Chroot Jail
Run the following command as root to install the bind-chroot package:
yum install bind-chroot
Run the following command as root to remove the symbolic link /etc/rndc.key. This file is not needed: the only file rndc requires is the symbolic link /etc/rndc.conf, which points to the /var/named/chroot/etc/rndc.conf file:
rm /etc/rndc.key
If the rndc.key file exists in the chroot environment, run the following command as root to remove it:
rm /var/named/chroot/etc/rndc.key
A new directory structure, /var/named/chroot/, is created when the bind-chroot package is installed. After installation, /etc/named.conf is copied into the /var/named/chroot/etc/ directory, and /etc/named.conf becomes a symbolic link pointing to /var/named/chroot/etc/named.conf. Likewise, /etc/rndc.conf is copied into the /var/named/chroot/etc/ directory, and /etc/rndc.conf becomes a symbolic link pointing to /var/named/chroot/etc/rndc.conf. The /etc/rndc.conf symbolic link must exist, otherwise the service named stop command fails. If the symbolic link does not exist, change into the /etc/ directory and run the following command as root to create it:
ln -s /var/named/chroot/etc/rndc.conf rndc.conf
If you were running BIND in a non-chroot environment before installing bind-chroot, all files in the /etc/bind/ directory are automatically copied to the /var/named/chroot/etc/bind/ directory.
Permissions
This section assumes you used the same names for the configuration files as in the previous sections. All commands in this section and in the SELinux Contexts section must be run as the root user. Run the following command to set the correct user, group, and mode for the bind/ directory:
chown named:named /var/named/chroot/etc/bind/; chmod 755 /var/named/chroot/etc/bind/
Run the following command to set the correct user, group, and mode for the named.conf file:
chown named:named /var/named/chroot/etc/named.conf; chmod 600 /var/named/chroot/etc/named.conf
Run the following command to set the correct user, group, and mode for the rndc.conf file:
chown root:named /var/named/chroot/etc/rndc.conf; chmod 440 /var/named/chroot/etc/rndc.conf
Run the following command to set the correct user, group, and mode for the bind/bind.log file:
chown named:named /var/named/chroot/etc/bind/bind.log; chmod 600 /var/named/chroot/etc/bind/bind.log
Run the following command to set the correct user, group, and mode for the bind/logging file, which defines the logging used by named:
chown named:named /var/named/chroot/etc/bind/logging; chmod 400 /var/named/chroot/etc/bind/logging
Change into the /var/named/chroot/etc/bind/ directory and run the following command to set the correct user and group ownership for each zone database file:
chown named:named *
Run the following command to set the correct user, group, and mode for the bind/named-stats.log file:
chown named:root /var/named/chroot/etc/bind/named-stats.log; chmod 660 /var/named/chroot/etc/bind/named-stats.log
Once the zone database files have been configured, it is recommended that they be read-only. Change into the directory containing the zone database files and run the following command as root to set the correct user and group for each zone database file, replacing each instance of zone-database-name with the correct file name:
chown named:named zone-database-name zone-database-name zone-database-name
For example, if you used the database names from the previous steps, run the following command:
chown named:named root.hint db.testdomain.com db.127 db.0.168.192.in-addr.arpa
To set read-only permissions, run the following command as root:
chmod 400 zone-database-name zone-database-name zone-database-name
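As an added check that is not part of this guide, the following POSIX sh function audits a bind-chroot tree against the ownership, mode, and symlink rules given in this section (it does not check SELinux contexts). The chroot path, the host /etc path, and the named/root owner names are parameters so the check can be exercised on a scratch tree by a non-root user; on a live system the defaults match the paths used above.

```shell
#!/bin/sh
# Added audit helper, not part of the guide: compare a bind-chroot tree with the
# ownership, mode, and symlink rules from the Permissions section. Prints one line
# per problem and returns the number of problems, so 0 means "as documented".
: "${NAMED_USER:=named}" "${NAMED_GROUP:=named}"   # overridable for scratch trees
: "${SUPER_USER:=root}"  "${SUPER_GROUP:=root}"
audit_bind_chroot() {
    jail=${1:-/var/named/chroot}     # chroot top, default from the guide
    etc=${2:-/etc}                   # host /etc that holds the symlinks
    bad=0
    # Expected owner, group, and octal mode exactly as set above; note rndc.conf
    # is root:named 440 and named-stats.log is named:root 660.
    while read -r rel owner group mode; do
        f="$jail/$rel"
        if [ ! -e "$f" ]; then
            echo "MISSING  $f"; bad=$((bad + 1)); continue
        fi
        have=$(stat -c '%U %G %a' "$f")
        if [ "$have" != "$owner $group $mode" ]; then
            echo "PERMS    $f: have '$have', want '$owner $group $mode'"
            bad=$((bad + 1))
        fi
    done <<EOF
etc/bind $NAMED_USER $NAMED_GROUP 755
etc/named.conf $NAMED_USER $NAMED_GROUP 600
etc/rndc.conf $SUPER_USER $NAMED_GROUP 440
etc/bind/bind.log $NAMED_USER $NAMED_GROUP 600
etc/bind/logging $NAMED_USER $NAMED_GROUP 400
etc/bind/named-stats.log $NAMED_USER $SUPER_GROUP 660
EOF
    # /etc/named.conf and /etc/rndc.conf must be symlinks into the chroot;
    # without the rndc.conf link "service named stop" fails.
    for name in named.conf rndc.conf; do
        target=$(readlink "$etc/$name" 2>/dev/null || true)
        if [ "$target" != "$jail/etc/$name" ]; then
            echo "SYMLINK  $etc/$name -> '${target:-none}', want $jail/etc/$name"
            bad=$((bad + 1))
        fi
    done
    # rndc.key is not needed and should exist in neither location.
    for key in "$etc/rndc.key" "$jail/etc/rndc.key"; do
        if [ -e "$key" ] || [ -L "$key" ]; then
            echo "STALE    $key should be removed"; bad=$((bad + 1))
        fi
    done
    return $bad
}
# With arguments the audit runs at once ("sh audit.sh /var/named/chroot /etc"); with none it only defines the function.
[ $# -eq 0 ] || audit_bind_chroot "$@"
```

The exit status is the number of deviations found, so the script can be dropped into a cron job or a configuration check and treated as failed whenever it is non-zero.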
SELinux Contexts
If you are running SELinux, run the following commands as root to set the correct SELinux contexts for the bind/ directory and for the named.conf, bind.log, rndc.conf, named-stats.log, and logging files:
chcon -t named_zone_t /var/named/chroot/etc/bind/
chcon -t named_zone_t /var/named/chroot/etc/named.conf
chcon -t named_cache_t /var/named/chroot/etc/bind/bind.log
chcon -t named_conf_t /var/named/chroot/etc/rndc.conf
chcon -t named_cache_t /var/named/chroot/etc/bind/named-stats.log
chcon -t named_zone_t /var/named/chroot/etc/bind/logging
Run the following command as root on each zone database file to set the correct SELinux context:
chcon -t named_zone_t zone-database-name zone-database-name zone-database-name