Comments on Bind-Chroot-Howto (Debian)

Bind-Chroot-Howto (Debian) This document describes how to install the DNS server Bind on Debian so that it runs out of a chroot jail for security reasons.

17 Comment(s)


Comments

By: Anonymous

Firstly, thanks for the howto. I had to recently get a name server up and running and was happy to find your tutorial.

Just one thing! I followed your instructions to the letter but was unsuccessful in getting the nameserver to start. I looked in the log files and saw the following:

couldn't open pid file '/var/run/bind/run/named.pid': No such file or directory.

I created a file /var/lib/named/var/run/bind/run, started the server again, and all was fine.

Thanks again.

t. ir

By: Anonymous

Sorry, the above should read:

I created a directory /var/lib/named/var/run/bind/run...

t. ir

By: Anonymous

This line:
mkdir /var/lib/named/var/run

Should read:

mkdir -p /var/lib/named/var/run/bind/run

By: Anonymous

Thanks for posting about the /var/lib/named/var/run/bind/run fix. I had the same issue and the posts made short work of fixing it!

By: Anonymous

One final required step that I discovered is that you then have to run chown -R bind:bind /var/lib/named/var/run/bind/run

I don't know if that's supposed to be obvious, but I thought I'd mention it.

By: Anonymous

Good thing you mentioned it.

By: joe

I followed through the tutorial yesterday and found that as well. I also noticed on my Debian box, I have a file /etc/defaults/bind9. Inside is another OPTIONS environment variable. You must comment this out or it will take precedence over the init.d script.

Great guide!

By: admin

I've just checked that; it happens if you simply copy over the bind9 init script from the tutorial, because it is from Debian Woody. If you simply change the line

OPTS=""

in the existing bind9 init script all works well.

By: Anonymous

When I stop bind9 it shows an error:

ns1:/home/dadang# /etc/init.d/bind9 stop

Stopping domain name service: namedrndc: connect failed: connection refused

By: Anonymous

If you notice, the tutorial says - for Sarge - to modify /etc/default/bind9 so bind runs as the unprivileged user 'bind'. The problem is, later on we chroot everything to the user 'nobody'. I changed the opts= line in /etc/default/bind9 as per the instructions but used 'nobody' instead of 'bind', and it all worked fine; it got rid of both the 'connect failed' AND the 'named.pid' error in syslog! BTW: great howto, but I guess even the greatest stuff can have errors :)

By: admin

Thanks for the hint. I've corrected the bug. :-)

By:

When Bind is not chrooted, it uses all 4 CPUs:

starting BIND 9.3.4 -u bind
found 4 CPUs, using 4 worker threads

But when Bind is chrooted, it only detects 1 CPU:

starting BIND 9.3.4 -u bind -t /var/lib/named
found 1 CPU, using 1 worker thread

When I then add "-n 4" to the startup, it still uses 1 CPU, but with 4 threads:

starting BIND 9.3.4 -u bind -n 4 -t /var/lib/named
found 1 CPU, using 4 worker threads

Does anyone else have this problem, or a solution for it?

Thanks

By:

G'day Everyone,

The above instructions still work for Debian Wheezy, with one additional change. Bind9 needs a file from the SSL library. Simply create the relevant folder in the chroot, then copy the library.

mkdir -p /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/engines
cp /usr/lib/i386-linux-gnu/openssl-1.0.0/engines/libgost.so /var/lib/named/usr/lib/i386-linux-gnu/openssl-1.0.0/engines

Hope this helps someone.

By: Anonymous

I don't have the libgost.so file; what can I do?

By:

Thanks, it helped me :) Re the comment about not having libgost: I had that problem because my system is not i386 (it's amd64). The simplest solution is to run updatedb (if needed) and locate to look for libgost. Then make a directory that matches where you found libgost but with /var/lib/named in front, and copy libgost.so to the new directory.

By:

After the chroot, if you get this error when you check the bind9 status:

# /etc/init.d/bind9 status
bind9 is not running failed!

you need to edit the PIDFILE in the /etc/init.d/bind9 script while bind is running:

...
PIDFILE=/var/run/bind/run/named.pid
...

to

PIDFILE=/var/chroot/var/run/bind/run/named.pid
(in my case the named.pid is located this way)

Save the bind9 script and check the bind9 status again.

By: Paul Theodoropoulos

While it's very useful to have the extended info in the original howto above, once you've mastered it and want to replicate it again elsewhere, here's a streamlined 'howto': you can just paste this on the command line (after sudo -i to root!). Works for both Debian squeeze and wheezy.

apt-get install bind9
# run named as user bind, chrooted to /var/lib/named
sed -i "s/-u bind/-u bind -t \/var\/lib\/named/g" /etc/default/bind9
# directory skeleton inside the jail, including var/run/bind/run for the pid file (bash brace expansion)
mkdir -p /var/lib/named/{etc,dev,var/{cache/bind,run/bind/run}}
# move the config into the jail and keep the usual paths reachable via symlinks
mv /etc/bind /var/lib/named/etc
ln -s /var/lib/named/etc/bind /etc/bind
ln -s /var/lib/named/etc/bind /etc/bind9
ln -s /var/lib/named/etc/bind /named
# device nodes named needs inside the chroot
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
# pid file, cache and config must be writable by the bind user
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
service bind9 restart

In Squeeze and Wheezy, the bind output goes to /var/log/daemon.log, so the logging mods in the original aren't necessary.

Cheers!
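The fixes traded back and forth in this thread (the missing var/run/bind/run directory, the device nodes, the -t option in /etc/default/bind9 and the PIDFILE path in the init script) are collected below as an added example that is not part of the howto or of any commenter's post. It assumes /var/lib/named as the chroot root and the bind user from the Debian package; the function and variable names are my own. Anything that needs root (mknod, chown) is skipped when not running as uid 0, so the functions can be tried against a scratch directory before touching a real system.

```shell
#!/bin/sh
# Added example: build and sanity-check a BIND chroot skeleton.
# Assumed layout (from the thread): etc, dev, var/cache/bind and the
# var/run/bind/run directory the original howto left out.

CHROOT_DIRS="etc dev var/cache/bind var/run/bind/run"

# Create the directory layout; device nodes and ownership only as root.
bind_chroot_mkskel() {
    root="$1"
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d"
    done
    if [ "$(id -u)" -eq 0 ]; then
        # named needs /dev/null and /dev/random inside the jail (major 1, minor 3 and 8)
        [ -c "$root/dev/null" ] || mknod -m 666 "$root/dev/null" c 1 3 ||
            echo "warning: could not create $root/dev/null" >&2
        [ -c "$root/dev/random" ] || mknod -m 666 "$root/dev/random" c 1 8 ||
            echo "warning: could not create $root/dev/random" >&2
        # pid file, cache and journals are written by the unprivileged bind user
        chown -R bind:bind "$root/var" 2>/dev/null ||
            echo "warning: chown bind:bind failed (is the bind user present?)" >&2
    fi
}

# Report directories missing from the layout on stderr; print the count on stdout.
bind_chroot_check() {
    root="$1"; missing=0
    for d in $CHROOT_DIRS; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Same for the two character devices named needs inside the jail.
bind_chroot_check_devs() {
    root="$1"; missing=0
    for n in null random; do
        if [ ! -c "$root/dev/$n" ]; then
            echo "missing device node: $root/dev/$n" >&2
            missing=$((missing + 1))
        fi
    done
    echo "$missing"
}

# Add '-t ROOT' to the OPTIONS line of /etc/default/bind9; safe to run twice.
bind_default_fix_opts() {   # $1 = file, $2 = chroot root
    if ! grep -q -- "-t $2" "$1"; then
        sed "s|-u bind|-u bind -t $2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    fi
}

# Point PIDFILE in /etc/init.d/bind9 at the pid file inside the chroot, so
# 'status' stops reporting "bind9 is not running" for a running daemon.
bind_initscript_fix_pidfile() {   # $1 = file, $2 = chroot root
    sed "s|^PIDFILE=/var/run/bind/run/named.pid|PIDFILE=$2/var/run/bind/run/named.pid|" \
        "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Stand-alone use: BIND_CHROOT=/var/lib/named sh this_script.sh
if [ -n "${BIND_CHROOT:-}" ]; then
    bind_chroot_mkskel "$BIND_CHROOT"
    echo "missing dirs: $(bind_chroot_check "$BIND_CHROOT"), missing devs: $(bind_chroot_check_devs "$BIND_CHROOT")"
fi
```

Run the check functions after every step of the howto rather than only at the end: a non-zero count from bind_chroot_check is exactly the "couldn't open pid file" failure from the first comment, and a non-zero count from bind_chroot_check_devs is what named hits when it tries to seed its randomness inside the jail.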