Running a Name Server in a chroot( ) Jail
Running a Name Server in a chroot() Jail
7.8.1 Problem
You want to run a name server in a chroot( ) jail, so that a hacker successfully breaking in through the named process has limited access to the host's filesystem.
7.8.2 Solution
Set up an environment for the name server to chroot( ) into, then use named's -t command-line option to specify the name of the directory to chroot( ) to.
A BIND 9 chroot( ) environment, on most Unix systems, should include:
- A working directory for the name server (which can be the chroot( ) directory itself)
- An etc subdirectory, which includes named.conf and the localtime file, copied from /etc/localtime
- A var/run subdirectory for the name server's PID file
- A dev subdirectory, which may need to include the log, random, and zero devices
On my FreeBSD system, here's how I set up the chroot( ) environment:
# mkdir /etc/namedb # cd /etc/namedb # mkdir -p dev etc/namedb var/run etc/namedb is the working directory # cp /etc/localtime etc # mknod dev/random c 2 3 # mknod dev/zero c 2 12 # vi etc/named.conf
To create the log device, I added the command-line option -a /etc/namedb/dev/log to the startup of the syslog daemon. This tells syslogd to create an extra log device with the specified path (in the chroot( ) environment) and listen on it for logged messages.
Piece of cake!
Once you've set up the chroot( ) environment, start named with the -t command-line option, specifying the directory to chroot( ) to as the option's argument. The first time you do it, check named's syslog output for any startup errors caused by missing files or directories. Once named starts cleanly in the chroot( ) environment, add the -t option to your system's startup scripts.
7.8.3 Discussion
When running a name server in a chroot( ) environment, be sure to run as a non-root user, too. On many operating systems, a hacker gaining access to a process as root can break out of a chroot( ) jail. See Section 7.9 for instructions on running named as a non-root user.
BIND 8 name servers require a considerably more complicated chroot( ) environment, including a passwd file, shared libraries (unless you build BIND statically linked), and various device files, which is a good reason to recommend using BIND 9 in a chroot( )d setup. If you insist on running a BIND 8 name server chroot( )ed, see "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND for instructions.
You can simplify the chroot( ) environment slightly by using the pid-file options substatement to tell named to create the PID file with a different pathname. For example, to create the PID file in the name server's working directory, use:
options {
directory "/var/named";
pid-file "named.pid";
};
In fact, unless you use dynamically updated zones with DNSSEC, you can do without dev/random in the chroot( ) environment, too. But then you'll have to put up with named logging an error each time it starts.
7.8.4 See Also
Section 1.21 for editing startup scripts, Section 7.9 for running BIND as a user other than root, and "Running BIND with Least Privilege" in Chapter 11 of DNS and BIND.
Getting Started
- Introduction
- Finding More Information About DNS and BIND
- Asking Questions You Cant Find Answers To
- Getting a List of Top-Level Domains
- Checking Whether a Domain Name Is Registered
- Registering a Domain Name
- Registering Name Servers
- Registering a Reverse-Mapping Domain
- Transferring Your Domain Name to Another Registrar
- Choosing a Version of BIND
- Finding Out Which Version of BIND Youre Running
- Getting BIND
- Building and Installing BIND
- Getting a Precompiled Version of BIND
- Creating a named.conf File
- Configuring a Name Server as the Primary Master for a Zone
- Configuring a Name Server as a Slave for a Zone
- Configuring a Name Server as Authoritative for Multiple Zones
- Starting a Name Server
- Stopping a Name Server
- Starting named at Boot Time
Zone Data
- Introduction
- Creating a Zone Data File
- Adding a Host
- Adding an Alias
- Adding a Mail Destination
- Making the Domain Name of Your Zone Point to Your Web Server
- Pointing a Domain Name to a Particular URL
- Setting Up Round Robin Load Distribution
- Adding a Domain Name in a Subdomain Without Creating a New Zone
- Preventing Remote Name Servers from Caching a Resource Record
- Adding a Multihomed Host
- Updating a Name Servers Root Hints File
- Using a Single Data File for Multiple Zones
- Using Multiple Data Files for a Single Zone
- Resetting Your Zones Serial Number
- Making Manual Changes to a Dynamically Updated Zone
- Moving a Host
- Mapping Any Domain Name in a Zone to a Single IP Address
- Adding Similar Records
- Making Your Services Easy to Find
- Storing the Location of a Host in DNS
- Filtering a Host Table into Zone Data Files
BIND Name Server Configuration
- Introduction
- Configuring a Name Server to Work with ndc
- Configuring a Name Server to Work with rndc
- Using rndc with a Remote Name Server
- Allowing Illegal Characters in Domain Names
- Dividing a Large named.conf File into Multiple Files
- Organizing Zone Data Files in Different Directories
- Configuring a Name Server as Slave for All of Your Zones
- Finding an Offsite Slave Name Server for Your Zone
- Protecting a Slave Name Server from Abuse
- Allowing Dynamic Updates
- Configuring a Name Server to Forward Dynamic Updates
- Notifying a Slave Name Server Not in a Zones NS Records
- Limiting NOTIFY Messages
- Configuring a Name Server to Forward Queries to Another Name Server
- Configuring a Name Server to Forward Some Queries to Other Name Servers
- Configuring a Name Server Not to Forward Certain Queries
- Returning Different Answers to Different Queriers
- Determining the Order in Which a Name Server Returns Answers
- Setting Up a Slave Name Server for a Zone in Multiple Views
- Disabling Caching
- Limiting the Memory a Name Server Uses
- Configuring IXFR
- Limiting the Size of the IXFR Log File
- Configuring a Name Server to Listen Only on Certain Network Interfaces
- Running a Name Server on an Alternate Port
- Setting Up a Root Name Server
- Returning a Default Record
- Configuring DNS to Let Clients Find the Closest Server
- Handling Dialup Connections
Electronic Mail
- Introduction
- Configuring a Backup Mail Server in DNS
- Configuring Multiple Mail Servers in DNS
- Configuring Mail to Go to One Server and the Web to Another
- Configuring DNS for Virtual Email Addresses
- Configuring DNS So a Mail Server and the Email It Sends Pass Anti-Spam Tests
BIND Name Server Operations
- Introduction
- Figuring Out How Much Memory a Name Server Will Need
- Testing a Name Servers Configuration
- Viewing a Name Servers Cache
- Flushing (Clearing) a Name Servers Cache
- Modifying Zone Data Without Restarting the Name Server
- Adding or Removing Zones Without Restarting or Reloading the Name Server
- Initiating a Zone Transfer
- Restarting a Name Server Automatically If It Dies
- Restarting a Name Server with the Same Arguments
- Controlling Multiple named Processes with rndc
- Controlling Multiple named Processes with ndc
- Finding Out Whos Querying a Name Server
- Measuring a Name Servers Performance
- Measuring Queries for Records in Particular Zones
- Monitoring a Name Server
- Limiting Concurrent Zone Transfers
- Limiting Concurrent TCP Clients
- Limiting Concurrent Recursive Clients
- Dynamically Updating a Zone
- Sending Dynamic Updates to a Particular Name Server
- Setting Prerequisites in a Dynamic Update
- Sending TSIG-Signed Dynamic Updates
- Setting Up a Backup Primary Master Name Server
- Promoting a Slave Name Server to the Primary Master
- Running Multiple Primary Master Name Servers for the Same Zone
- Creating a Zone Programmatically
- Migrating from One Domain Name to Another
Delegation and Registration
- Introduction
- Delegating a Subdomain
- Delegating a Subdomain of a Reverse-Mapping Zone
- Delegating Reverse-Mapping for Networks with Non-Octet Masks
- Delegating Reverse-Mapping for Networks Smaller than a /24
- Checking Delegation
- Moving a Name Server
- Changing Your Zones Name Servers
Security
- Introduction
- Concealing a Name Servers Version
- Configuring a Name Server to Work with a Firewall (or Vice Versa)
- Setting Up a Hidden Primary Master Name Server
- Setting Up a Stealth Slave Name Server
- Configuring an Authoritative-Only Name Server
- Configuring a Caching-Only Name Server
- Running a Name Server in a chroot( ) Jail
- Running the Name Server as a User Other than Root
- Defining a TSIG Key
- Securing Zone Transfers
- Restricting the Queries a Name Server Answers
- Preventing a Name Server from Querying a Particular Remote Name Server
- Preventing a Name Server from Responding to DNS Traffic from Certain Networks
- Protecting a Name Server from Spoofing
Interoperability and Upgrading
- Introduction
- Upgrading from BIND 4 to BIND 8 or 9
- Upgrading from BIND 8 to BIND 9
- Configuring a Name Server to Accommodate a Slave Running BIND 4
- Configuring a BIND Name Server to Accommodate a Slave Running the Microsoft DNS Server
- Configuring a BIND Name Server as a Slave to a Microsoft DNS Server
- Preventing Windows Computers from Trying to Update Your Zones
- Handling Windows Registration with a BIND Name Server
- Handling Active Directory with a Name Server
- Configuring a DHCP Server to Update a BIND Name Server
Resolvers and Programming
- Introduction
- Configuring a Resolver to Query a Remote Name Server
- Configuring a Resolver to Resolve Single-Label Domain Names
- Configuring a Resolver to Append Multiple Domain Names to Arguments
- Sorting Multiple Addresses in a Response
- Changing the Resolvers Timeout
- Configuring the Order in Which a Resolver Uses DNS, /etc/hosts, and NIS
- Looking Up Records Programmatically
- Transferring a Zone Programmatically
- Updating a Zone Programmatically
- Signing Queries and Dynamic Updates with TSIG Programmatically
Logging and Troubleshooting
- Introduction
- Finding a Syntax Error in a named.conf File
- Finding a Syntax Error in a Zone Data File
- Sending Log Messages to a Particular File
- Discarding a Category of Messages
- Determining Which Category a Message Is In
- Sending syslog Output to Another Host
- Logging Dynamic Updates
- Rotating Log Files
- Looking Up Records with dig
- Reverse-Mapping an Address with dig
- Transferring a Zone Using dig
- Tracing Name Resolution Using dig
IPv6
