Solaris DNS : chroot the BIND DNS server

The idea behind running BIND in a chroot jail is to limit the amount of access any malicious individual could gain by exploiting vulnerabilities in BIND. It is for the same reason that we run BIND as a non-root user. This should be considered as a supplement to the normal security precautions (running the latest version, using access control, etc.), certainly not as a replacement for them.

The process described below denies a compromised BIND process access to the real “/” (root) filesystem, because everything it can see lives under the jail directory. It is possible with BIND version 8 or above, and is supported on Solaris 8 or above.

1. Create the user who will be running BIND. Don’t run BIND as root.

useradd -g nobody -s /usr/bin/false dnsguy

2. Create the chroot directory tree and set ownership (only the pid directory belongs to the DNS user; the rest stays owned by root):

mkdir -p /chroot/etc /chroot/var /chroot/var/run

chown dnsguy /chroot/var/run

chgrp nobody /chroot/var/run

3. Move named.conf and the zone files into the jail:

mv /etc/named.conf /chroot/etc

mv /var/named /chroot/var/named

4. Copy the other /etc files named needs (timezone and profile) into the jail:

cp /etc/TIMEZONE /etc/profile /chroot/etc

5. Start in.named as the unprivileged user, chrooted to /chroot (-u drops privileges, -t sets the new root):

/usr/sbin/in.named -u dnsguy -t /chroot
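The five steps above as one script, added here and not part of the original post: build_jail creates the step 2 tree, and check_jail audits the result (directories, named.conf and TIMEZONE inside the jail, a stale named.conf left outside, ownership of var/run, and the -u/-t flags of any running in.named). JAIL, DNS_USER, DNS_GROUP and HOST_ETC are assumed environment overrides so the functions can be dry-run in a scratch directory by an unprivileged user; the defaults match the post.

```shell
#!/bin/sh
# Added example (not from the original post): build and audit the jail
# layout from steps 1-5. JAIL, DNS_USER, DNS_GROUP and HOST_ETC are assumed
# environment overrides so this can be dry-run in a scratch directory.
JAIL=${JAIL:-/chroot}
DNS_USER=${DNS_USER:-dnsguy}
DNS_GROUP=${DNS_GROUP:-nobody}
HOST_ETC=${HOST_ETC:-/etc}   # where step 3 moved named.conf away from

# Step 2: only var/run (pid file) is handed to the daemon user. etc and
# var/named stay root-owned so a compromised named cannot rewrite its
# own config or zone files.
build_jail() {
    j=${1:-$JAIL}
    mkdir -p "$j/etc" "$j/var/named" "$j/var/run" || return 1
    # chown/chgrp need root; warn instead of aborting a dry run
    chown "$DNS_USER" "$j/var/run" 2>/dev/null || echo "warn: chown $j/var/run failed" >&2
    chgrp "$DNS_GROUP" "$j/var/run" 2>/dev/null || echo "warn: chgrp $j/var/run failed" >&2
    return 0
}

owner_of() { ls -ld "$1" | awk '{print $3}'; }

# Audit the jail after changes: prints one line per finding and returns 0
# only when the layout matches the procedure.
check_jail() {
    j=${1:-$JAIL}
    rc=0
    for d in etc var/named var/run; do
        [ -d "$j/$d" ] || { echo "missing directory $j/$d"; rc=1; }
    done
    for f in etc/named.conf etc/TIMEZONE; do        # steps 3 and 4
        [ -f "$j/$f" ] || { echo "missing $j/$f"; rc=1; }
    done
    # step 3 moved, not copied: a leftover copy outside the jail suggests
    # named may still be started against the wrong file
    [ -e "$HOST_ETC/named.conf" ] && { echo "stale $HOST_ETC/named.conf outside jail"; rc=1; }
    [ -d "$j/var/run" ] && [ "$(owner_of "$j/var/run")" = "$DNS_USER" ] ||
        { echo "$j/var/run is not owned by $DNS_USER"; rc=1; }
    # step 5: a running in.named must carry both -u and -t. ps -ef on Solaris
    # truncates long command lines; confirm with pargs <pid> if in doubt.
    procs=$(ps -ef 2>/dev/null | grep '[i]n\.named')
    if [ -n "$procs" ]; then
        echo "$procs" | grep -q -e "-u $DNS_USER" && echo "$procs" | grep -q -e "-t $j" ||
            { echo "in.named is running without -u $DNS_USER -t $j"; rc=1; }
    fi
    return $rc
}
```

Run `check_jail` from cron or after every change to the jail; a non-zero exit is the signal that the layout has drifted from the procedure.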

Ramdev

I started unixadminschool.com (aka gurkulindia.com) in 2009 as my own personal reference blog, and later I realized that my learnings might be helpful for other unixadmins if I managed my knowledge base in a more user-friendly format. And the result is today's unixadminschool.com. You can connect with me at https://www.linkedin.com/in/unixadminschool/

1 Response

  1. September 16, 2015

    […] Read – chroot the BIND DNS server […]
