Bind Chroot in Debian

Bind Chroot

By default, Debian's bind9 package already runs the named daemon as the unprivileged user bind. This is set by the OPTIONS variable in /etc/default/bind9:

OPTIONS="-u bind"

The init script reads that file and passes the variable to named when the bind9 service is started. Here is an extract from /etc/init.d/bind9:

test -f /etc/default/bind9 && . /etc/default/bind9
...
if start-stop-daemon --start --quiet --exec /usr/sbin/named \
    --pidfile /var/run/bind/run/named.pid -- $OPTIONS;

Dropping privileges is already a good thing, but to really jail the daemon it must also run with a root directory other than /. That is simply the -t option, which takes the chroot directory as its argument. named calls chroot() before it reads named.conf, so every path in the configuration (including the include statements and the directory "/var/cache/bind" setting in named.conf.options) is then interpreted relative to the jail. The OPTIONS variable in /etc/default/bind9 becomes:

OPTIONS="-u bind -t /var/lib/named"

(On current Debian releases, where the service is managed by systemd, the same variable is set in /etc/default/named instead.)

Now create the tree inside the chroot:

/var/lib/named/
 |
 |__ /etc
 |__ /dev
 |__ /var
      |__ /cache
      |    |__ /bind
      |
      |__ /log

# mkdir -p /var/lib/named/etc
# mkdir /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir /var/lib/named/var/log

Move the existing configuration directory into the jail and replace /etc/bind with a symbolic link pointing to it. The link lets tools that run outside the chroot, rndc in particular, find the same rndc.key that named uses to authenticate the control channel on port 953:

# mv /etc/bind /var/lib/named/etc
# ln -s /var/lib/named/etc/bind /etc/bind

Add the null and random devices, which named needs inside the jail:

# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8
# chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random

Once chrooted, named can only reach /dev/log inside the jail, so the syslog daemon has to listen on a second socket at /var/lib/named/dev/log or the bind logs are silently lost. With sysklogd, set the following option in /etc/default/syslogd:

SYSLOGD="-a /var/lib/named/dev/log"

(With rsyslog the equivalent is an additional $AddUnixListenSocket /var/lib/named/dev/log line in its configuration.)

One last thing is to create the directory where the process stores its pid. I opted for a change to the service startup script.
I modified /etc/init.d/bind9 as follows:
creation of a CHROOT_DIR variable
creation of the pid directory inside the chroot instead of under /var/run

CHROOT_DIR=`echo $OPTIONS | cut -d ' ' -f 4`
# dirs under /var/run can go away on reboots.
mkdir -p $CHROOT_DIR/var/run/bind/run
chmod 775 $CHROOT_DIR/var/run/bind/run
chown root:bind $CHROOT_DIR/var/run/bind/run >/dev/null 2>&1 || true

Note that the cut -f 4 trick simply takes the fourth word of OPTIONS, so it only works as long as -t and its directory are the third and fourth words. Check as well that the --pidfile path the init script uses to stop named still matches where the chrooted process now writes its pid (seen from the host, $CHROOT_DIR/var/run/bind/run/named.pid); otherwise stop and restart will not find the running daemon.

The zone files (resource records) previously stored in /var/cache/bind/ must be moved to /var/lib/named/var/cache/bind/, since that is where the directory statement of named.conf.options now points once resolved inside the jail:

# mv /var/cache/bind/* /var/lib/named/var/cache/bind/

The tree is complete and all the files are in place, but the permissions are not right yet, so:

# chown -R root:bind /var/lib/named/etc/bind
# chmod 640 /var/lib/named/etc/bind/*
# chown bind:bind /var/lib/named/var/*

The configuration and rndc.key are now owned by root and only readable by the bind group, so a compromised named cannot rewrite its own configuration or control key, while the directories it actually has to write to (the zone cache and the logs) belong to bind.
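The cut -d ' ' -f 4 line above only works while -t and its directory are exactly the third and fourth words of OPTIONS. The following replacement for that part of the init script is an added example written for this page, not code from the Debian bind9 package: it parses OPTIONS for -t whatever the option order (and also accepts the glued form -t/var/lib/named), then creates the pid directory inside the jail with the same root:bind 775 permissions the original script uses. When there is no -t option the directory is created under /var/run as before.

```shell
#!/bin/sh
# Added example for this page (not from the Debian bind9 package): a more
# robust version of the CHROOT_DIR / pid-directory lines of /etc/init.d/bind9.

# Print the chroot directory named will use for the given OPTIONS string,
# or nothing when there is no -t option (named then keeps / as its root).
named_chroot_dir() {
    # Split OPTIONS into words, exactly as the unquoted $OPTIONS in the
    # start-stop-daemon line of the init script is split.
    set -- $1
    while [ $# -gt 0 ]; do
        case "$1" in
            -t)                       # "-t DIR": the directory is the next word
                if [ $# -ge 2 ]; then printf '%s\n' "$2"; fi
                return 0 ;;
            -t?*)                     # "-tDIR": directory glued to the option
                printf '%s\n' "${1#-t}"
                return 0 ;;
        esac
        shift
    done
    return 0
}

# Create the directory named writes named.pid into, inside the jail when
# OPTIONS carries -t.  Same ownership and mode as the Debian script:
# root:bind 775, so named (running as bind) can write there.  chown is
# allowed to fail when not run as root, as in the original.  Prints the
# directory that was created.
prepare_named_rundir() {
    chroot_dir=$(named_chroot_dir "$1")
    rundir="$chroot_dir/var/run/bind/run"
    # dirs under /var/run can go away on reboots.
    mkdir -p "$rundir"
    chmod 775 "$rundir"
    chown root:bind "$rundir" >/dev/null 2>&1 || true
    printf '%s\n' "$rundir"
}
```

In /etc/init.d/bind9 the three mkdir/chmod/chown lines then become prepare_named_rundir "$OPTIONS" >/dev/null, and CHROOT_DIR=$(named_chroot_dir "$OPTIONS") gives the jail path for anything else the script has to do inside it.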

root@linux1:/etc/bind# ls /var/lib/named/etc/bind/
bind.keys db.127 db.empty db.local named.conf named.conf.local rndc.key
db.0 db.255 db.gbgnetwork.net db.root named.conf.default-zones named.conf.options zones.rfc1918
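Before starting the jailed named it is worth checking the tree systematically rather than by eye. The script below is an added example written for this page, not code from the Debian wiki or the bind9 package. It assumes GNU coreutils (stat -c, readlink -f) and the layout built above (etc/bind, dev, var/cache/bind, var/log and var/run/bind/run under the jail), and it reports every missing directory, file, device, symlink or permission problem a chrooted named would trip over, returning the number of failures.

```shell
#!/bin/sh
# check_named_chroot: post-install sanity check for a BIND jail laid out as
# on this page.  Added example, not from the Debian wiki or bind9 package.
#
# Usage: check_named_chroot [JAIL] [HOST_ETC_BIND]
#   JAIL           directory given to named -t         (default /var/lib/named)
#   HOST_ETC_BIND  host-side path that must link into it (default /etc/bind)
#   BIND_USER      environment: account given to named -u (default bind)
# Prints one FAIL or WARN line per finding and returns the number of FAILs,
# so a return value of 0 means the jail looks sound.

fails=0
fail() { echo "FAIL: $*"; fails=$((fails + 1)); }
warn() { echo "WARN: $*"; }

# True when directory $1 is writable by account $2: either $2 owns it, or it
# is group-writable and the group is $2 (the root:bind 775 case of the pid dir).
writable_by() {
    owner=$(stat -c '%U' "$1"); group=$(stat -c '%G' "$1"); perm=$(stat -c '%A' "$1")
    [ "$owner" = "$2" ] && return 0
    [ "$group" = "$2" ] && case "$perm" in ?????w*) return 0 ;; esac
    return 1
}

check_named_chroot() {
    jail="${1:-/var/lib/named}"
    host_etc="${2:-/etc/bind}"
    user="${BIND_USER:-bind}"
    fails=0

    # 1. named -t calls chroot() before reading named.conf, so every path the
    #    configuration mentions has to exist relative to the jail.
    for d in etc/bind dev var/cache/bind var/log var/run/bind/run; do
        [ -d "$jail/$d" ] || fail "missing directory $jail/$d"
    done
    for f in etc/bind/named.conf etc/bind/rndc.key; do
        [ -f "$jail/$f" ] || fail "missing file $jail/$f"
    done

    # 2. rndc runs outside the jail and must find the same rndc.key, hence
    #    the symlink /etc/bind -> JAIL/etc/bind.
    if ! { [ -L "$host_etc" ] && [ "$(readlink -f "$host_etc")" = "$(readlink -f "$jail/etc/bind")" ]; }; then
        fail "$host_etc is not a symlink to $jail/etc/bind"
    fi

    # 3. /dev/null and /dev/random must be real character devices; a plain
    #    file left behind by a failed mknod would not do.
    for dev in null random; do
        [ -c "$jail/dev/$dev" ] || fail "$jail/dev/$dev is not a character device"
    done

    # 4. Without a syslog socket inside the jail, named's log lines go nowhere.
    [ -S "$jail/dev/log" ] || warn "$jail/dev/log missing: syslogd is not listening inside the jail"

    # 5. Configuration and keys: not owned by and not writable by the bind
    #    account, or a compromised named could rewrite its own config.
    for f in "$jail"/etc/bind/*; do
        [ -f "$f" ] || continue
        owner=$(stat -c '%U' "$f"); perm=$(stat -c '%A' "$f")
        [ "$owner" != "$user" ] || fail "$f is owned by $user (expected root:$user 640)"
        case "$perm" in
            ?????w*|????????w*) fail "$f is group or world writable ($perm)" ;;
        esac
    done

    # 6. The directories named actually writes to must be writable by it.
    for d in var/cache/bind var/log var/run/bind/run; do
        [ -d "$jail/$d" ] || continue
        writable_by "$jail/$d" "$user" || fail "$jail/$d is not writable by $user"
    done

    return $fails
}
```

Run it as root once the tree is in place: check_named_chroot /var/lib/named. When it reports nothing, let BIND itself parse the configuration the way the chrooted process will see it, with named-checkconf -t /var/lib/named /etc/bind/named.conf, and check each zone file with named-checkzone (for example named-checkzone mbctux.net /var/lib/named/var/cache/bind/mbctux.net) before restarting the service.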

root@linux1:/etc/bind# cat /var/lib/named/etc/bind/named.conf

// This is the primary configuration file for the BIND DNS server named.
//
// Please read /usr/share/doc/bind9/README.Debian.gz for information on the
// structure of BIND configuration files in Debian, *BEFORE* you customize
// this configuration file.
//
// If you are just adding zones, please do that in /etc/bind/named.conf.local

include "/etc/bind/named.conf.options";
include "/etc/bind/named.conf.local";
include "/etc/bind/named.conf.default-zones";

root@linux1:~# cat /var/lib/named/etc/bind/named.conf.local
//
// Do any local configuration here
//

// Consider adding the 1918 zones here, if they are not used in your
// organization
//include "/etc/bind/zones.rfc1918";
zone "mbctux.net" IN {
type master;
file "mbctux.net";
allow-update { none; };

};


zone "dolphin.com" IN {
type master;
file "dolphin.com";
allow-update { none; };

};

zone "gbgnetwork.net" IN {
type forward;
forwarders { 172.20.21.5; 172.20.21.6; };
};

root@linux1:~#

root@linux1:~# cat /var/lib/named/var/cache/bind/mbctux.net
$TTL 1H
@ IN SOA mbctux1.mbctux.net. root.mbctux.net. ( ; RNAME needs its trailing dot, or it is read as root.mbctux.net.mbctux.net
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

; DNS Servers
@ IN NS linux1
@ IN NS linux2
@ IN NS linux3

; Mail Servers
@ IN MX 10 linux1
@ IN MX 20 linux2
@ IN MX 30 linux3

; Host Address
mbctux.net. IN A 172.20.24.69
linux3 IN A 172.20.24.69
linux1 IN A 172.20.24.51
linux2 IN A 172.20.24.30
test IN A 10.10.10.10


; WWW/FTP/Mail Addresses
www.mbctux.net. IN CNAME mbctux.net.
ftp.mbctux.net. IN CNAME mbctux.net.
mail1.mbctux.net. IN CNAME linux1
mail2.mbctux.net. IN CNAME linux2
mail3.mbctux.net. IN CNAME linux3


; Webmail points to BDH
;webmail.test.com. IN CNAME webmail.tld.com.
;www.webmail.test.com. IN CNAME webmail.tld.com.

root@linux1:~#


root@linux1:~# cat /var/lib/named/var/cache/bind/dolphin.com
$TTL 1H
@ IN SOA dolphin.com. root.dolphin.com. ( ; RNAME needs its trailing dot, or it is read as root.dolphin.com.dolphin.com
42 ; serial (d. adams)
3H ; refresh
15M ; retry
1W ; expiry
1D ) ; minimum

; DNS Servers
@ IN NS linux1
@ IN NS linux2
@ IN NS linux3

; Mail Servers
@ IN MX 10 linux1
@ IN MX 20 linux2
@ IN MX 30 linux3

; Host Address
dolphin.com. IN A 172.20.24.69
linux3 IN A 172.20.24.69
linux1 IN A 172.20.24.51
linux2 IN A 172.20.24.30
test IN A 10.10.10.10


; WWW/FTP/Mail Addresses
www.dolphin.com. IN CNAME dolphin.com.
ftp.dolphin.com. IN CNAME dolphin.com.
mail1.dolphin.com. IN CNAME linux1
mail2.dolphin.com. IN CNAME linux2
mail3.dolphin.com. IN CNAME linux3


; Webmail points to BDH
;webmail.test.com. IN CNAME webmail.tld.com.
;www.webmail.test.com. IN CNAME webmail.tld.com.

root@linux1:~#

root@linux1:/etc/bind# nslookup
> linux1.mbctux.net
Server: 127.0.0.1
Address: 127.0.0.1#53

Name: linux1.mbctux.net
Address: 172.20.24.51
> set type=ns
> mbctux.net
Server: 127.0.0.1
Address: 127.0.0.1#53

mbctux.net nameserver = linux1.mbctux.net.
> set type=mx
> mbctux.net
Server: 127.0.0.1
Address: 127.0.0.1#53

mbctux.net mail exchanger = 10 linux3.mbctux.net.
> exit


root@linux1:~# tail -f /var/log/syslog


mbahmani@it-27:~$ dig mbctux.net

; <<>> DiG 9.7.0-P1 <<>> mbctux.net
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22356
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;mbctux.net. IN A

;; ANSWER SECTION:
mbctux.net. 3600 IN A 172.20.24.69

;; AUTHORITY SECTION:
mbctux.net. 3600 IN NS linux3.mbctux.net.
mbctux.net. 3600 IN NS linux2.mbctux.net.
mbctux.net. 3600 IN NS linux1.mbctux.net.

;; ADDITIONAL SECTION:
linux1.mbctux.net. 3600 IN A 172.20.24.51
linux2.mbctux.net. 3600 IN A 172.20.24.30
linux3.mbctux.net. 3600 IN A 172.20.24.69

;; Query time: 2 msec
;; SERVER: 172.20.24.51#53(172.20.24.51)
;; WHEN: Mon May 24 13:32:41 2010
;; MSG SIZE rcvd: 155



mbahmani@it-27:~$ dig dolphin.com

; <<>> DiG 9.7.0-P1 <<>> dolphin.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7190
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 3, ADDITIONAL: 3

;; QUESTION SECTION:
;dolphin.com. IN A

;; ANSWER SECTION:
dolphin.com. 3600 IN A 172.20.24.69

;; AUTHORITY SECTION:
dolphin.com. 3600 IN NS linux1.dolphin.com.
dolphin.com. 3600 IN NS linux2.dolphin.com.
dolphin.com. 3600 IN NS linux3.dolphin.com.

;; ADDITIONAL SECTION:
linux1.dolphin.com. 3600 IN A 172.20.24.51
linux2.dolphin.com. 3600 IN A 172.20.24.30
linux3.dolphin.com. 3600 IN A 172.20.24.69

;; Query time: 0 msec
;; SERVER: 172.20.24.51#53(172.20.24.51)
;; WHEN: Mon May 24 13:32:57 2010
;; MSG SIZE rcvd: 156

mbahmani@it-27:~$


source: http://wiki.debian.org/Bind9