LDP
/
old-www
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity
old-www/HOWTO/Chroot-BIND8-HOWTO-1.html

112 lines
5.4 KiB
HTML
Raw Permalink Blame History

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Chroot-BIND8 HOWTO: Introduction</TITLE>
<LINK HREF="Chroot-BIND8-HOWTO-2.html" REL=next>
<LINK HREF="Chroot-BIND8-HOWTO.html#toc1" REL=contents>
</HEAD>
<BODY>
<A HREF="Chroot-BIND8-HOWTO-2.html">Next</A>
Previous
<A HREF="Chroot-BIND8-HOWTO.html#toc1">Contents</A>
<HR>
<H2><A NAME="s1">1. Introduction</A></H2>
<P>This is the Chroot-BIND8 HOWTO; see
<A HREF="#where">Where?</A> for the
master site, which contains the latest copy. It is assumed that you already
know how to configure and use BIND (the Berkeley Internet Name Domain). If
not, I would recommend that you read the DNS HOWTO first. It is also assumed
that you have a basic familiarity with compiling and installing software on
your UNIX-like system.
<P>
<H2><A NAME="ss1.1">1.1 What?</A>
</H2>
<P>This document describes some extra security precautions that you can take when
you install BIND. It explains how to configure BIND so that it resides in a
``chroot jail'', meaning that it cannot see or access files outside its own
little directory tree. We shall also configure it to run as a non-root user.
<P>The idea behind chroot is fairly simple. When you run BIND (or any other
process) in a chroot jail, the process is simply unable to see any part of the
filesystem outside the jail. For example, in this document, we'll set BIND up
to run chrooted to the directory <CODE>/chroot/named</CODE>. Well, to BIND, the
contents of this directory will appear to be <CODE>/</CODE>, the root directory.
Nothing outside this directory will be accessible to it. You've probably
encounted a chroot jail before, if you've ever ftped into a public system.
<P>
<H2><A NAME="ss1.2">1.2 Why?</A>
</H2>
<P>The idea behind running BIND in a chroot jail is to limit the amount of access
any malicious individual could gain by exploiting vulnerabilities in BIND. It
is for the same reason that we run BIND as a non-root user.
<P>This should be considered as a supplement to the normal security precautions
(running the latest version, using access control, etc.), not a replacement for
them.
<P>If you're interested in DNS security, you might also be interested in a few
other products. Building BIND with
<A HREF="http://www.immunix.org/products.html#stackguard">StackGuard</A> would
probably be a good idea for even more protection. Using it is easy; it's
just like using ordinary gcc. Also,
<A HREF="http://cr.yp.to/dnscache.html">DNScache</A> is a secure replacement
for BIND, written by Dan Bernstein. Dan is the author of qmail, and DNScache
appears to follow a similar philosophy.
<P>
<H2><A NAME="where"></A> <A NAME="ss1.3">1.3 Where?</A>
</H2>
<P>The latest version of this document is always available from the web site of the
Linux/Open Source Users of Regina, Sask., at
<A HREF="http://www.losurs.org/docs/howto/Chroot-BIND8.html">http://www.losurs.org/docs/howto/Chroot-BIND8.html</A>.
<P>There is now a Japanese translation of this document, maintained by <CODE>nakano
at apm.seikei.ac.jp</CODE>. This is available at
<A HREF="http://www.linux.or.jp/JF/JFdocs/Chroot-BIND8-HOWTO.html">http://www.linux.or.jp/JF/JFdocs/Chroot-BIND8-HOWTO.html</A>.
<P>BIND is available from
<A HREF="http://www.isc.org/">the Internet Software Consortium</A> at
<A HREF="http://www.isc.org/bind.html">http://www.isc.org/bind.html</A>. As of this
writing, the current version of BIND 8 is 8.2.4. BIND 9.x has now been
released, and has been around for a little while. You may consider upgrading
to it; the chroot process is certainly much simpler and cleaner. If you are
running BIND 9, then you want the Chroot-BIND HOWTO, which should be available
from the same location as this document.
<P>Keep in mind that there are <B>known</B> security holes in all
versions of BIND 8 less than <B>8.2.3</B>, so make very sure that you're
running the latest version!
<P>
<H2><A NAME="ss1.4">1.4 How?</A>
</H2>
<P>I wrote this document based on my experiences in setting BIND up in a chroot
environment. In my case, I already had an existing BIND installation in the
form of a package that came with my Linux distribution. I'll assume that most
of you are probably in the same situation, and will simply be transferring over
and modifying the configuration files from your existing BIND installation, and
then removing the package before installing the new one. Don't remove the
package yet, though; we may want some files from it first.
<P>If this is not the case for you, you should still be able to follow this
document. The only difference is that, where I refer to copying an existing
file, you first have to create it yourself. The DNS HOWTO may be helpful for
this.
<P>
<H2><A NAME="ss1.5">1.5 Disclaimer</A>
</H2>
<P>These steps worked for me, on my system. Your mileage may vary. This is but
one way to approach this; there are other ways to set the same thing up
(although the general approach will be the same). It just happens that this
was the first way that I tried that worked, so I wrote it down.
<P>My BIND experience to date has been installing on Linux servers. However, most
of the instructions in this document should be easily applicable to other
flavours of UNIX as well, and I shall try to point out differences of which I am
aware.
<P>
<HR>
<A HREF="Chroot-BIND8-HOWTO-2.html">Next</A>
Previous
<A HREF="Chroot-BIND8-HOWTO.html#toc1">Contents</A>
</BODY>
</HTML>
Reference in New Issue View Git Blame Copy Permalink