124 lines
6.1 KiB
HTML
124 lines
6.1 KiB
HTML
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
|
|
<HTML>
|
|
<HEAD>
|
|
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
|
|
<TITLE>Chroot-BIND HOWTO: Introduction</TITLE>
|
|
<LINK HREF="Chroot-BIND-HOWTO-2.html" REL=next>
|
|
|
|
<LINK HREF="Chroot-BIND-HOWTO.html#toc1" REL=contents>
|
|
</HEAD>
|
|
<BODY>
|
|
<A HREF="Chroot-BIND-HOWTO-2.html">Next</A>
|
|
Previous
|
|
<A HREF="Chroot-BIND-HOWTO.html#toc1">Contents</A>
|
|
<HR>
|
|
<H2><A NAME="s1">1. Introduction</A></H2>
|
|
|
|
<P>This is the Chroot-BIND HOWTO; see
|
|
<A HREF="#where">Where?</A> for the
|
|
master site, which contains the latest copy. It is assumed that you already
|
|
know how to configure and use BIND (the Berkeley Internet Name Domain). If
|
|
not, I would recommend that you read the DNS HOWTO first. It is also assumed
|
|
that you have a basic familiarity with compiling and installing software on
|
|
your UNIX-like system.
|
|
<P>
|
|
<H2><A NAME="ss1.1">1.1 What?</A>
|
|
</H2>
|
|
|
|
<P>This document describes some extra security precautions that you can take when
|
|
you install BIND. It explains how to configure BIND so that it resides in a
|
|
``chroot jail,'' meaning that it cannot see or access files outside its own
|
|
little directory tree. We shall also configure it to run as a non-root user.
|
|
<P>The idea behind chroot is fairly simple. When you run BIND (or any other
|
|
process) in a chroot jail, the process is simply unable to see any part of the
|
|
filesystem outside the jail. For example, in this document, we'll set BIND up
|
|
to run chrooted to the directory <CODE>/chroot/named</CODE>. Well, to BIND, the
|
|
contents of this directory will appear to be <CODE>/</CODE>, the root directory.
|
|
Nothing outside this directory will be accessible to it. You've probably
|
|
encounted a chroot jail before, if you've ever used <CODE>ftp</CODE> to log into a
|
|
public system.
|
|
<P>Because the chroot process is much simpler with BIND 9, I have started to expand
|
|
this document slightly, to include more general tips about securing a BIND
|
|
installation. Nevertheless, this document is not (and is not intended to be) a
|
|
complete reference for securing BIND. If you do only what is outlined in this
|
|
document, you're not finished securing your nameserver!
|
|
<P>
|
|
<H2><A NAME="ss1.2">1.2 Why?</A>
|
|
</H2>
|
|
|
|
<P>The idea behind running BIND in a chroot jail is to limit the amount of access
|
|
any malicious individual could gain by exploiting vulnerabilities in BIND. It
|
|
is for the same reason that we run BIND as a non-root user.
|
|
<P>This should be considered as a supplement to the normal security precautions
|
|
(running the latest version, using access control, etc.), certainly not as a
|
|
replacement for
|
|
them.
|
|
<P>If you're interested in DNS security, you might also be interested in a few
|
|
other products. Building BIND with
|
|
<A HREF="http://www.immunix.org/products.html#stackguard">StackGuard</A> would
|
|
probably be a good idea for even more protection. Using it is easy; it's
|
|
just like using ordinary gcc. Also,
|
|
<A HREF="http://cr.yp.to/dnscache.html">DNScache</A> is a secure replacement
|
|
for BIND, written by Dan Bernstein. Dan is the author of qmail, and DNScache
|
|
appears to follow a similar philosophy.
|
|
<P>
|
|
<H2><A NAME="where"></A> <A NAME="ss1.3">1.3 Where?</A>
|
|
</H2>
|
|
|
|
<P>The latest version of this document is always available from the web site of the
|
|
Linux/Open Source Users of Regina, Sask., at
|
|
<A HREF="http://www.losurs.org/docs/howto/Chroot-BIND.html">http://www.losurs.org/docs/howto/Chroot-BIND.html</A>.
|
|
<P>There is now a Japanese translation of this document, maintained by Nakano
|
|
Takeo <CODE>nakano at apm.seikei.ac.jp</CODE>. This is available at
|
|
<A HREF="http://www.linux.or.jp/JF/JFdocs/Chroot-BIND-HOWTO.html">http://www.linux.or.jp/JF/JFdocs/Chroot-BIND-HOWTO.html</A>.
|
|
<P>BIND is available from
|
|
<A HREF="http://www.isc.org/">the Internet Software Consortium</A> at
|
|
<A HREF="http://www.isc.org/bind.html">http://www.isc.org/bind.html</A>. As of this
|
|
writing, the current version of BIND 9 is 9.2.0. BIND 9 has been out for some
|
|
time now, and many people are using it in production. Nevertheless, some more
|
|
conservative sorts still prefer to remain with BIND 8. If you are such a
|
|
person, please see my Chroot-BIND8 HOWTO (available from the same location)
|
|
for details on chrooting it, but be warned that BIND 8 is much messier to
|
|
chroot.
|
|
<P>Keep in mind that there are <B>known</B> security holes in many earlier
|
|
versions of BIND, so make very sure that you're running the latest version!
|
|
<P>
|
|
<H2><A NAME="ss1.4">1.4 How?</A>
|
|
</H2>
|
|
|
|
<P>I wrote this document based on my experiences in setting BIND up in a chroot
|
|
environment. In my case, I already had an existing BIND installation in the
|
|
form of a package that came with my Linux distribution. I'll assume that most
|
|
of you are probably in the same situation, and will simply be transferring over
|
|
and modifying the configuration files from your existing BIND installation, and
|
|
then removing the package before installing the new one. Don't remove the
|
|
package yet, though; we may want some files from it first.
|
|
<P>If this is not the case for you, you should still be able to follow this
|
|
document. The only difference is that, where I refer to copying an existing
|
|
file, you first have to create it yourself. The DNS HOWTO may be helpful for
|
|
this.
|
|
<P>
|
|
<H2><A NAME="ss1.5">1.5 Disclaimer</A>
|
|
</H2>
|
|
|
|
<P>These steps worked for me, on my system; your mileage may vary. This is but
|
|
one way to approach this; there are other ways to set the same thing up
|
|
(although the general approach will be the same). It just happens that this
|
|
was the first way that I tried that worked, so I wrote it down.
|
|
<P>My BIND experience to date has been installing on Linux servers. However, most
|
|
of the instructions in this document should be easily applicable to other
|
|
flavours of UNIX as well, and I shall try to point out differences of which I am
|
|
aware. I've also received suggestions from people using other distributions
|
|
and other platforms, and I've tried to incorporate their comments where
|
|
possible.
|
|
<P>If you run Linux, you need to make sure that you're running a 2.4 kernel before
|
|
attempting this. The <CODE>-u</CODE> switch (to run as a non-root user) requires
|
|
this newer kernel.
|
|
<P>
|
|
<HR>
|
|
<A HREF="Chroot-BIND-HOWTO-2.html">Next</A>
|
|
Previous
|
|
<A HREF="Chroot-BIND-HOWTO.html#toc1">Contents</A>
|
|
</BODY>
|
|
</HTML>
|