This tutorial was done on Debian, but it can easily be adapted to other Linux distributions.
1. Stop bind9:
root@pluto:~# /etc/init.d/bind9 stop
Stopping domain name service...: bind9waiting for pid 1951 to die .
2. Edit OPTIONS in /etc/default/bind9 as follows (the original line is OPTIONS="-u bind"):
OPTIONS="-u bind -t /var/lib/named"
3. Create the chroot hierarchy:
mkdir -p /var/lib/named/{etc,dev,var/cache/bind,var/run/named}
Example:
root@pluto:~# mkdir -p /var/lib/named/{etc,dev,var/cache/bind,var/run/named}
root@pluto:~# ls -la /var/lib/named/*
/var/lib/named/dev:
total 0
drwxr-xr-x 2 root bind  96 Jun 17 21:06 .
drwxr-xr-x 5 root bind 120 Jun 17 20:57 ..
crw-rw---- 1 root root 1, 3 Jun 17 21:06 null
crw-rw---- 1 root root 1, 8 Jun 17 21:06 random

/var/lib/named/etc:
total 1
drwxr-xr-x 3 root bind  72 Jun 17 20:57 .
drwxr-xr-x 5 root bind 120 Jun 17 20:57 ..
drwxr-xr-x 5 root bind 976 Jun 17 20:57 bind

/var/lib/named/var:
total 0
drwxr-xr-x 5 root bind 120 Jun 17 20:57 .
drwxr-xr-x 5 root bind 120 Jun 17 20:57 ..
drwxr-xr-x 3 root bind  72 Jun 17 20:57 cache
drwxr-xr-x 3 root bind  72 Jun 17 20:57 log
drwxr-xr-x 4 root bind  96 Jun 17 20:57 run
4. Now we need some special files with the correct permissions:
A chrooted process cannot see anything outside the chroot, so the device nodes named needs (/dev/null and /dev/random) must be created inside its own environment.
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 660 /var/lib/named/dev/{null,random}
Example:
root@pluto:~# mknod /var/lib/named/dev/null c 1 3
root@pluto:~# mknod /var/lib/named/dev/random c 1 8
root@pluto:~# chmod 660 /var/lib/named/dev/{null,random}
root@pluto:~# ls -la /var/lib/named/dev/
total 0
drwxr-xr-x 2 root bind  96 Jun 17 21:06 .
drwxr-xr-x 5 root bind 120 Jun 17 20:57 ..
crw-rw---- 1 root root 1, 3 Jun 17 21:06 null
crw-rw---- 1 root root 1, 8 Jun 17 21:06 random
5. Move the bind configuration files to the new chrooted etc and create a symbolic link for compatibility:
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
Example:
root@pluto:/etc# mv /etc/bind /var/lib/named/etc
root@pluto:/etc# ln -s /var/lib/named/etc/bind /etc/bind
root@pluto:/etc# ls -lad bind
lrwxrwxrwx 1 root root 23 Jun 17 21:18 bind -> /var/lib/named/etc/bind
6. Change the ownership of the files and directories to the bind user:
chown -R bind:bind /etc/bind/*
chown -R bind:bind /var/lib/named/*
chmod 775 /var/lib/named/var/{cache/bind,run/named}
chgrp bind /var/lib/named/var/{cache/bind,run/named}
7. Modify the PIDFILE variable in /etc/init.d/bind9 to reflect the new path (named writes the pid file relative to the chroot, so the path seen from outside is):
PIDFILE=/var/lib/named/var/run/named/named.pid
8. Configure rsyslog to listen on a socket inside the chroot so that bind's log messages still reach syslog:
# echo "\$AddUnixListenSocket /var/lib/named/var/log/named" > /etc/rsyslog.d/bind-chroot.conf
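The eight steps above, collected into one script as an added example (this is not from the original post). Each step is a function that takes the chroot root and the file to edit as parameters, so the non-privileged parts (directory tree, OPTIONS, PIDFILE, rsyslog snippet) can be rehearsed against a scratch directory before touching the real system; the parts that need root (mknod, moving /etc/bind, chown) only run with --apply. It assumes Debian with the sysvinit /etc/init.d/bind9 script and GNU sed, as in the tutorial; the function names, the --apply flag and the verify_chroot check are my own. var/log is added to the directory list because the listing in step 3 shows it and step 8 places the rsyslog socket under it.

```shell
#!/bin/sh
# Added example: the tutorial's chroot setup for bind9 as parameterised functions.
# Defaults follow the tutorial (root /var/lib/named, user/group bind).
set -eu

# Step 3: directory hierarchy. var/log is not in the tutorial's mkdir line, but its
# listing shows the directory and the rsyslog socket of step 8 lives under it.
make_chroot_dirs() {
    root="$1"
    for d in etc dev var/cache/bind var/run/named var/log; do
        mkdir -p "$root/$d"
    done
}

# Step 4: device nodes named needs inside the chroot (needs root / CAP_MKNOD).
make_dev_nodes() {
    root="$1"
    [ -e "$root/dev/null" ]   || mknod "$root/dev/null"   c 1 3
    [ -e "$root/dev/random" ] || mknod "$root/dev/random" c 1 8
    chmod 660 "$root/dev/null" "$root/dev/random"
}

# Step 2: rewrite OPTIONS in /etc/default/bind9 so named starts with -t <root>.
set_bind_options() {
    file="$1"; root="$2"
    sed -i "s|^OPTIONS=.*|OPTIONS=\"-u bind -t $root\"|" "$file"
}

# Step 7: PIDFILE in the init script, as seen from outside the chroot.
set_pidfile() {
    file="$1"; root="$2"
    sed -i "s|^PIDFILE=.*|PIDFILE=$root/var/run/named/named.pid|" "$file"
}

# Step 8: rsyslog listen socket (legacy $AddUnixListenSocket directive of imuxsock).
write_rsyslog_conf() {
    file="$1"; root="$2"
    printf '$AddUnixListenSocket %s/var/log/named\n' "$root" > "$file"
}

# Steps 5 and 6: move the config into the chroot, keep /etc/bind as a symlink,
# then hand ownership to the bind user exactly as the tutorial does. Root only.
move_config() {
    root="$1"
    if [ ! -L /etc/bind ]; then
        mv /etc/bind "$root/etc"
        ln -s "$root/etc/bind" /etc/bind
    fi
    chown -R bind:bind "$root"/*
    chmod 775 "$root/var/cache/bind" "$root/var/run/named"
    chgrp bind "$root/var/cache/bind" "$root/var/run/named"
}

# Post-check (my addition): report anything the chrooted named would miss.
# Returns 0 when the tree and both device nodes are present, 1 otherwise.
verify_chroot() {
    root="$1"; rc=0
    for p in etc dev var/cache/bind var/run/named; do
        [ -d "$root/$p" ] || { echo "missing dir: $root/$p" >&2; rc=1; }
    done
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || { echo "missing device: $root/dev/$dev" >&2; rc=1; }
    done
    return $rc
}

# Apply to the real system only when asked, as root:  sh bind-chroot.sh --apply
if [ "${1:-}" = "--apply" ]; then
    ROOT=/var/lib/named
    /etc/init.d/bind9 stop                                  # step 1
    set_bind_options /etc/default/bind9 "$ROOT"             # step 2
    make_chroot_dirs "$ROOT"                                # step 3
    make_dev_nodes "$ROOT"                                  # step 4
    move_config "$ROOT"                                     # steps 5 and 6
    set_pidfile /etc/init.d/bind9 "$ROOT"                   # step 7
    write_rsyslog_conf /etc/rsyslog.d/bind-chroot.conf "$ROOT"  # step 8
    verify_chroot "$ROOT" && echo "chroot ready under $ROOT; restart bind9 and rsyslog"
fi
```

Running the script without --apply defines the functions only, so you can source it and rehearse each step against a temporary directory; verify_chroot is also a handy check to run after the real steps (or after any package upgrade that might have recreated /etc/bind as a directory) before starting named.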