Archive:Docs/Drafts/AdministrationGuide/Servers/DNSBIND/BINDChroot

= DNS and BIND =

== Running BIND in a Chroot Jail ==
Run the following command as root to install the  packages:

yum install bind-chroot

Run the following command as root to remove the symbolic link. This file is not needed. The only file required for rndc is the symbolic link, which points to the file:

rm /etc/rndc.key

If the  file exists in the chroot environment, run the following command as root to remove it:

rm /var/named/chroot/etc/rndc.key

A new directory structure is created after installing the package. After the package is installed, the configuration is copied into the chroot directory, and the original becomes a symbolic link, which points to the copy. The rndc file is likewise copied into the chroot directory, and the original becomes a symbolic link, which points to the copy. The symbolic link must exist, otherwise the service named stop command will fail. If the symbolic link does not exist, change into the directory, and run the following command as root to create it:

ln -s /var/named/chroot/etc/rndc.conf rndc.conf

If you were running bind in a non-chroot environment, prior to installing, then all files in the   directory are automatically copied to the   directory.

== Permissions ==
This section assumes you used the same names for configuration files as mentioned in previous sections. All commands in this section and the SELinux Contexts section must be run as the root user. Run the following command to set the correct user, group, and mode for the directory:

chown named:named /var/named/chroot/etc/bind/; chmod 755 /var/named/chroot/etc/bind/

Run the following command to set the correct user, group, and mode for the  file:

chown named:named /var/named/chroot/etc/named.conf; chmod 600 /var/named/chroot/etc/named.conf

Run the following command to set the correct user, group, and mode for the file:

chown root:named /var/named/chroot/etc/rndc.conf; chmod 440 /var/named/chroot/etc/rndc.conf

Run the following command to set the correct user, group, and mode for the  file:

chown named:named /var/named/chroot/etc/bind/bind.log; chmod 600 /var/named/chroot/etc/bind/bind.log

Run the following command to set the correct user, group, and mode for the  file, which is used to define the logging used for named:

chown named:named /var/named/chroot/etc/bind/logging; chmod 400 /var/named/chroot/etc/bind/logging

Change into the  directory and run the following command to set the correct user and group ownership for each zone database file:

chown named:named *

Run the following command to set the correct user, group, and mode for the  file:

chown named:root /var/named/chroot/etc/bind/named-stats.log; chmod 660 /var/named/chroot/etc/bind/named-stats.log

Once zone database files have been configured, it is recommended to only have read permission on them. Change into the directory containing the zone database files, and run the following command as root to set the correct user and group for each zone database file, replacing all instances of  with the correct file name:

chown named:named

For example, if you used the database names from the previous steps, run the following command:

chown named:named root.hint db.testdomain.com db.127 db.0.168.192.in-addr.arpa

To set read-only permissions, run the following command as root:

chmod 400 zone-database-name zone-database-name zone-database-name
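The chown and chmod commands in this section can drift after package updates or manual edits. The following audit script is an added example, not part of the guide; it re-checks the user, group, and mode of each chroot file against the values set above. It assumes GNU stat (the -c option) and an optional chroot root passed as the first argument; the helper names check_perm and audit_chroot are hypothetical.

```shell
#!/bin/sh
# Audit BIND chroot file ownership and permissions (added example, not from the guide).
# Requires GNU coreutils stat; run as root so every path is readable.

# check_perm PATH USER GROUP MODE: prints "ok PATH" and returns 0 when the
# file's owner, group and octal mode match; otherwise prints the mismatch
# and returns 1. A missing file is reported and counts as a failure.
check_perm() {
    actual=$(stat -c '%U:%G %a' "$1" 2>/dev/null) || { echo "missing $1"; return 1; }
    expected="$2:$3 $4"
    if [ "$actual" = "$expected" ]; then
        echo "ok $1"
        return 0
    fi
    echo "MISMATCH $1 expected '$expected' got '$actual'"
    return 1
}

# audit_chroot [ROOT]: walks the table of paths from the Permissions section
# (relative to ROOT, default /var/named/chroot) and returns 1 if any entry
# differs. The mode for the directory and the stats log are the loosest in
# the set, so a tightening there is also flagged for review.
audit_chroot() {
    root="${1:-/var/named/chroot}"
    status=0
    # Table: path user group mode, copied from the chown/chmod commands above.
    while read -r path user group mode; do
        check_perm "$root$path" "$user" "$group" "$mode" || status=1
    done <<EOF
/etc/bind named named 755
/etc/named.conf named named 600
/etc/rndc.conf root named 440
/etc/bind/bind.log named named 600
/etc/bind/logging named named 400
/etc/bind/named-stats.log named root 660
EOF
    return $status
}
```

Run it as `./audit-chroot.sh` after the steps above; a non-zero exit means at least one file no longer matches the guide's settings.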

== SELinux Contexts ==
If you are running SELinux, run the following commands as root to set the correct SELinux contexts for the  directory, and the ,  ,  ,  , and   files:

chcon -t named_zone_t /var/named/chroot/etc/bind/

chcon -t named_zone_t /var/named/chroot/etc/named.conf

chcon -t named_cache_t /var/named/chroot/etc/bind/bind.log

chcon -t named_conf_t /var/named/chroot/etc/rndc.conf

chcon -t named_cache_t /var/named/chroot/etc/bind/named-stats.log

chcon -t named_zone_t /var/named/chroot/etc/bind/logging

Run the following command as root on each zone database file to set the correct SELinux context:

chcon -t named_zone_t
