<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="SGML-Tools 1.0.9">
<TITLE>Chroot-BIND8 HOWTO: Introduction</TITLE>
<LINK HREF="Chroot-BIND8-HOWTO-2.html" REL=next>
<LINK HREF="Chroot-BIND8-HOWTO.html#toc1" REL=contents>
</HEAD>
<BODY>
<A HREF="Chroot-BIND8-HOWTO-2.html">Next</A>
Previous
<A HREF="Chroot-BIND8-HOWTO.html#toc1">Contents</A>
<HR>
<H2><A NAME="s1">1. Introduction</A></H2>

<P>This is the Chroot-BIND8 HOWTO; see
<A HREF="#where">Where?</A> for the
master site, which contains the latest copy. It is assumed that you already
know how to configure and use BIND (the Berkeley Internet Name Domain). If
not, I would recommend that you read the DNS HOWTO first. It is also assumed
that you have a basic familiarity with compiling and installing software on
your UNIX-like system.
<P>
<H2><A NAME="ss1.1">1.1 What?</A>
</H2>

<P>This document describes some extra security precautions that you can take when
you install BIND. It explains how to configure BIND so that it resides in a
``chroot jail'', meaning that it cannot see or access files outside its own
little directory tree. We shall also configure it to run as a non-root user.
<P>The idea behind chroot is fairly simple. When you run BIND (or any other
process) in a chroot jail, the process is simply unable to see any part of the
filesystem outside the jail. For example, in this document, we'll set BIND up
to run chrooted to the directory <CODE>/chroot/named</CODE>. To BIND, the
contents of this directory will appear to be <CODE>/</CODE>, the root directory.
Nothing outside this directory will be accessible to it. You've probably
encountered a chroot jail before, if you've ever ftped into a public system.
<P>
|
|
<H2><A NAME="ss1.2">1.2 Why?</A>
</H2>

<P>The idea behind running BIND in a chroot jail is to limit the amount of access
any malicious individual could gain by exploiting vulnerabilities in BIND. It
is for the same reason that we run BIND as a non-root user.
<P>This should be considered as a supplement to the normal security precautions
(running the latest version, using access control, etc.), not a replacement for
them.
<P>If you're interested in DNS security, you might also be interested in a few
other products. Building BIND with
<A HREF="http://www.immunix.org/products.html#stackguard">StackGuard</A> would
probably be a good idea for even more protection. Using it is easy; it's
just like using ordinary gcc. Also,
<A HREF="http://cr.yp.to/dnscache.html">DNScache</A> is a secure replacement
for BIND, written by Dan Bernstein. Dan is the author of qmail, and DNScache
appears to follow a similar philosophy.
<P>
|
|
<H2><A NAME="where"></A> <A NAME="ss1.3">1.3 Where?</A>
</H2>

<P>The latest version of this document is always available from the web site of the
Linux/Open Source Users of Regina, Sask., at
<A HREF="http://www.losurs.org/docs/howto/Chroot-BIND8.html">http://www.losurs.org/docs/howto/Chroot-BIND8.html</A>.
<P>There is now a Japanese translation of this document, maintained by <CODE>nakano
at apm.seikei.ac.jp</CODE>. This is available at
<A HREF="http://www.linux.or.jp/JF/JFdocs/Chroot-BIND8-HOWTO.html">http://www.linux.or.jp/JF/JFdocs/Chroot-BIND8-HOWTO.html</A>.
<P>BIND is available from
<A HREF="http://www.isc.org/">the Internet Software Consortium</A> at
<A HREF="http://www.isc.org/bind.html">http://www.isc.org/bind.html</A>. As of this
writing, the current version of BIND 8 is 8.2.4. BIND 9.x has now been
released, and has been around for a little while. You may consider upgrading
to it; the chroot process is certainly much simpler and cleaner. If you are
running BIND 9, then you want the Chroot-BIND HOWTO, which should be available
from the same location as this document.
<P>Keep in mind that there are <B>known</B> security holes in all
versions of BIND 8 less than <B>8.2.3</B>, so make very sure that you're
running the latest version!
<P>
|
|
<H2><A NAME="ss1.4">1.4 How?</A>
</H2>

<P>I wrote this document based on my experiences in setting BIND up in a chroot
environment. In my case, I already had an existing BIND installation in the
form of a package that came with my Linux distribution. I'll assume that most
of you are probably in the same situation, and will simply be transferring over
and modifying the configuration files from your existing BIND installation, and
then removing the package before installing the new one. Don't remove the
package yet, though; we may want some files from it first.
<P>If this is not the case for you, you should still be able to follow this
document. The only difference is that, where I refer to copying an existing
file, you first have to create it yourself. The DNS HOWTO may be helpful for
this.
<P>
|
|
<H2><A NAME="ss1.5">1.5 Disclaimer</A>
</H2>

<P>These steps worked for me, on my system. Your mileage may vary. This is but
one way to approach this; there are other ways to set the same thing up
(although the general approach will be the same). It just happens that this
was the first way that I tried that worked, so I wrote it down.
<P>My BIND experience to date has been installing on Linux servers. However, most
of the instructions in this document should be easily applicable to other
flavours of UNIX as well, and I shall try to point out differences of which I am
aware.
<P>
|
|
<HR>
<A HREF="Chroot-BIND8-HOWTO-2.html">Next</A>
Previous
<A HREF="Chroot-BIND8-HOWTO.html#toc1">Contents</A>
</BODY>
</HTML>