Started Aug. 28, 2003
(Huge parts stolen from http://www.unixwiz.net/techtips/bind9-chroot.html and customized)

(On RedHat)
rpm -e bind bind-utils bind-devel bindconf caching-nameserver redhat-config-bind

wget ftp://ftp.isc.org/isc/bind9/9.2.2/bind-9.2.3.tar.gz
tar -xzvf bind-9.2.3.tar.gz
cd bind-9.2.3
./configure --prefix=/dns --with-openssl[=/prefix] --disable-ipv6
(If this fails with a "can't find openssl" error, download and compile the latest openssl from openssl.org. This would have --with-openssl=/usr/local/openssl)
make
make install

cd /dns
mkdir -p /dns/etc /dns/dev \
  /dns/scripts \
  /dns/etc/secondaries \
  /dns/logs /dns/var/run \
  /dns/zones/external/arpa/in-addr \
  /dns/zones/external/com \
  /dns/zones/external/net \
  /dns/zones/external/org \
  /dns/zones/internal/arpa/in-addr \
  /dns/zones/internal/com \
  /dns/zones/internal/net \
  /dns/zones/internal/org

cd /dns
mknod dev/null c 1 3
mknod dev/zero c 1 5
mknod dev/random c 1 8

For convenience, add /dns/bin, /dns/sbin, and /dns/scripts to the PATH in /etc/profile or root's .bash_profile.

Add the following statement to /etc/man.config to get the man pages working:
MANPATH /dns/man

ensure that user 'named' and group 'named' exist - create them if necessary:
groupadd named
useradd -g named -d /dns -s /sbin/nologin named
passwd -l named

NOTE - Be sure that all DNS servers in the setup have the "named" user and group, and also ensure they have the same userid and groupid. This will make things a lot simpler!

cp /etc/localtime /dns/etc

create /dns/etc/named.conf:
--------------------------------------------------------------------
options {
    directory "/zones";
    pid-file "/var/run/named.pid";
    statistics-file "/var/run/named.stats";
    dump-file "/var/run/named.db";
    # hide our "real" version number
    version "[secured]";
};

# The root nameservers
zone "."
{
    type hint;
    file "root.hints";
};

# localhost - forward zone
zone "localhost" {
    type master;
    file "localhost.db";
    notify no;
};

# localhost - inverse zone
zone "0.0.127.in-addr.arpa" {
    type master;
    file "0.0.127.in-addr.arpa.db";
    notify no;
};

# put your reverse zone for your IP here
zone "25.16.172.in-addr.arpa" {
    type master;
    file "external/arpa/in-addr/25.16.172.in-addr.arpa.db";
};
--------------------------------------------------------------------

create root.hints:
/dns/bin/dig > /dns/zones/root.hints

create /dns/zones/localhost.db:
--------------------------------------------------------------------
;
; localhost.db
;
$TTL 86400
@ IN SOA @ root (
        2       ; serial
        3H      ; refresh
        15M     ; retry
        1W      ; expiry
        1D )    ; minimum
  IN NS @
  IN A 127.0.0.1
--------------------------------------------------------------------

create /dns/zones/0.0.127.in-addr.arpa.db:
--------------------------------------------------------------------
;
; 0.0.127.in-addr.arpa.db
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1         ; Serial
        28800     ; Refresh
        14400     ; Retry
        3600000   ; Expire
        86400 )   ; Minimum
  IN NS localhost.
1 IN PTR localhost.
--------------------------------------------------------------------

create /dns/zones/external/arpa/in-addr/25.16.172.in-addr.arpa.db:
--------------------------------------------------------------------
;
; 25.16.172.in-addr.arpa.db
;
$TTL 86400
@ IN SOA localhost. root.localhost. (
        1         ; Serial
        28800     ; Refresh
        14400     ; Retry
        3600000   ; Expire
        86400 )   ; Minimum
@ IN NS localhost.
100 IN PTR ns1.server.net.
101 IN PTR ns2.server.net.
--------------------------------------------------------------------

enforce permissions with the following script:
--------------------------------------------------------------------
#
# set-named-perms.sh
#
# Set the ownership and permissions on the named directory
#

cd /dns

# By default, root owns everything and only root can write, but dirs
# have to be executable too.
# Note that some platforms use a colon
# instead of a dot between user/group in the chown parameters.
chown -R root.named .

# regular files
find . -type f -print | grep -v bin | grep -v scripts | xargs chmod 644

# directories
find . -type d -print | xargs chmod 755

# the named.conf and rndc.conf must protect their keys
chmod o= etc/*.conf

# the "secondaries" directory is where we park files from
# master nameservers, and named needs to be able to update
# these files and create new ones.
touch etc/secondaries/.empty # placeholder
find etc/secondaries/ -type f -print | xargs chown named.named
find etc/secondaries/ -type f -print | xargs chmod ug=r,o=
chown root.named etc/secondaries/
chmod 770 etc/secondaries/

# the var/run business is for the PID file
chown root.root var/
chmod 711 var/
chown root.named var/run/
chmod 775 var/run/

# named has to be able to create logfiles
chown root.named logs/
chmod 775 logs/
--------------------------------------------------------------------

start named (caching mode only for now):
/dns/sbin/named -t /dns -u named -c /etc/named.conf

Alternatively, you can create a /dns/scripts/named.start script:
--------------------------------------------------------------------
#
# named.start
#
# Note: the path given to the "-c" parameter is relative
# to the jail's root, not the system root.
#
# Add "-n2" if you have multiple CPUs
#
# usage: named [-c conffile] [-d debuglevel] [-f|-g] [-n number_of_cpus]
#              [-p port] [-s] [-t chrootdir] [-u username]

# make sure the debugging-output file is writable by named
touch /dns/var/run/named.run
chown named:named /dns/var/run/named.run
chmod 664 /dns/var/run/named.run

/dns/sbin/named -t /dns -u named -c /etc/named.conf
--------------------------------------------------------------------

modify resolv.conf to have 'nameserver 127.0.0.1'

generate key:
cd /dns/etc
dnssec-keygen -a HMAC-MD5 -b 256 -n HOST rndc

insert the generated key from the "Krndc.+157+14259.private" file into the "secret" section of rndc.conf

create /dns/etc/rndc.conf:
--------------------------------------------------------------------
#
# /chroot/named/etc/rndc.conf
#
options {
    default-server 127.0.0.1;
    default-key "rndckey";
};

server 127.0.0.1 {
    key "rndckey";
};

key "rndckey" {
    algorithm "hmac-md5";
    secret "insert local secret key here";
};

#
# This section below is only for "master" DNS server,
# to control a remote dns server with rndc.
#
#server ns1.server.net {
#    key "ns1key"
#};
#
#server 123.45.67.89 { # In case ns1.server.net doesn't resolve...
#    key "ns1key"
#};
#
#key "ns1key" {
#    algorithm "hmac-md5";
#    secret "insert ns1's secret key here";
#};
#
--------------------------------------------------------------------

[optional] delete the Krndc.+157+14259.* files (they hold the same secret that was copied into rndc.conf)

create /dns/etc/controls.conf (the "rndckey" secret here must be the same one placed in rndc.conf, otherwise rndc cannot authenticate):
--------------------------------------------------------------------
controls {
    # to allow rndc from localhost
    inet 127.0.0.1 allow { 127.0.0.1; } keys { rndckey; };
    # to allow rndc from ethernet
    inet 172.16.25.100 allow {
        127.0.0.1;       # localhost
        172.16.202.100;  # itchy
        172.16.202.101;  # scratchy, just in case
    } keys { rndckey; };
};

key "rndckey" {
    algorithm "hmac-md5";
    secret "XoKGiXwAUk9yEmZNmCIxQ1Ts+C6alUEVgptGVOiSAqw=";
};
--------------------------------------------------------------------

add this line to the top of /dns/etc/named.conf:
--------------------------------------------------------------------
include "/etc/controls.conf";
--------------------------------------------------------------------

killall -HUP named

Server is now configured to listen on port 953 for rndc
/dns/sbin/rndc status # should show "server is up and running"

create init script in /etc/init.d/named:
--------------------------------------------------------------------
#!/bin/sh
#
# named
#
case "$1" in
  start)
    # Start daemons.
    echo -n "Starting named: "
    /dns/scripts/named.start
    echo
    ;;
  stop)
    # Stop daemons.
    echo -n "Shutting down named: "
    /dns/sbin/rndc stop
    echo "done"
    ;;
esac
exit 0
--------------------------------------------------------------------