LinuxQuestions.org
Debian This forum is for the discussion of Debian Linux.

Old 05-14-2007, 06:06 PM   #1
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Rep: Reputation: 15
Questions on setting up BIND


I'm setting up BIND on a Debian 4.0 server. My understanding is that on Debian, the named service is chrooted by default running from /usr/sbin/named /var/lib/named. Looking at the running processes on my box shows

Code:
bind     11618  0.0  0.3  30556  3192 ?        Ssl  Mar15   0:01 /usr/sbin/named -u bind -t /var/lib/named
The question I'm running into is where to put my db.domain.com files? By default I show all the db.0 db.local db.root in the /var/lib/named/etc/bind directory but when I search named.conf.options the directory statement says

Code:
named.conf.options:     directory "/var/cache/bind";
So let's say I'm trying to manage the zone file for db.widgets.com. My understanding is that, as-is, I'd have to put db.widgets.com in /var/cache/bind, but will the chrooted version installed on Debian be able to read it? If not, where should I put it?
 
Old 05-15-2007, 09:21 AM   #2
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
Try it? Put wrong lines in the file and see which one is taken?

I don't use bind so I'll talk on a general level.
If the options are read before bind calls chroot() then just leave the file where it is.
Otherwise you need to create the /var/cache/bind under the chroot root.
A chrooted process CAN NOT access anything outside its root dir (a directory outside the root dir can be mapped inside the root dir with a special mount option though)
You can check the root dir of a process like this:

sudo ls -l /proc/`pidof bind`/root

lrwxrwxrwx 1 root root 0 2007-05-15 16:19 /proc/3514/root -> /

For example, here the process with ID 3514 has its root set to /, which means it's not chrooted.
Beware that a process can have children. Some may be chrooted, some not.
 
Old 05-15-2007, 09:33 AM   #3
Jukas
Member
 
Registered: Mar 2005
Posts: 141

Original Poster
Rep: Reputation: 15
Quote:
Originally Posted by nx5000
Try it? Put wrong lines in the file and see which one is taken?

I don't use bind so I'll talk on a general level.
If the options are read before bind calls chroot() then just leave the file where it is.
Otherwise you need to create the /var/cache/bind under the chroot root.
A chrooted process CAN NOT access anything outside its root dir (a directory outside the root dir can be mapped inside the root dir with a special mount option though)
You can check the root dir of a process like this:

sudo ls -l /proc/`pidof bind`/root

lrwxrwxrwx 1 root root 0 2007-05-15 16:19 /proc/3514/root -> /

For example, here the process with ID 3514 has its root set to /, which means it's not chrooted.
Beware that a process can have children. Some may be chrooted, some not.

Yup, I've already done that, which shows

Code:
$ sudo ls -l /proc/`pidof named`/root
lrwxrwxrwx 1 bind bind 0 2007-05-15 07:29 /proc/4104/root -> /var/lib/named

I guess the real question is: is there any harm in creating /var/lib/named/etc/bind/zone (/var/lib/named/etc/bind is already present) and putting the zone data files there? Considering the chrooted bind would already be able to access those directories, I can't think of any reason not to, but I may be missing something.
 
Old 05-15-2007, 09:39 AM   #4
nx5000
Senior Member
 
Registered: Sep 2005
Location: Out
Posts: 3,307

Rep: Reputation: 57
No, I don't see any harm.
You just need to be sure that the chroot is issued before reading the configuration file.
Put garbage in the chrooted one and see if it is read.
 
Old 05-15-2007, 10:21 PM   #5
JimBass
Senior Member
 
Registered: Oct 2003
Location: New York City
Distribution: Debian Sid 2.6.32
Posts: 2,100

Rep: Reputation: 49
I don't think Debian puts BIND in a chroot, but I always install BIND from source, so I can't be certain.

In any case, you can put the zone file anywhere you want that the user named can read. You can specify a different location than the default in the named.conf file, and can probably find the location of the chroot if such a thing exists there as well.

Peace,
JimBass
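
The /proc/PID/root check discussed in this thread, extended to show where a path from named.conf has to exist on the host, as an added example that is not part of any post above. The function names and the PROC_DIR override are hypothetical; it assumes paths in named.conf are resolved inside the chroot, since named(8) documents -t as chrooting before the configuration file is read.

```shell
#!/bin/sh
# Added example: map a path from named.conf to the host-side location that a
# (possibly chrooted) process actually opens.
# PROC_DIR is a hypothetical override so the logic can be run against a
# constructed directory tree instead of the live /proc.
PROC_DIR="${PROC_DIR:-/proc}"

# Print the root directory of PID $1 ("/" means the process is not chrooted).
# Reading this link for another user's process normally requires root.
proc_root() {
    readlink "$PROC_DIR/$1/root" 2>/dev/null
}

# Print the host-side path that PID $1 reaches when it opens path $2.
host_path() {
    root=$(proc_root "$1") || return 1
    case "$root" in
        /) printf '%s\n' "$2" ;;
        *) printf '%s%s\n' "$root" "$2" ;;
    esac
}

# Report on every PID given: a daemon may have several processes and they do
# not necessarily share the same root, so each one is checked separately.
report() {
    conf_path=$1
    shift
    for pid in "$@"; do
        root=$(proc_root "$pid") || {
            echo "$pid: cannot read root link (not running, or not permitted)"
            continue
        }
        if [ "$root" = "/" ]; then
            state="not chrooted"
        else
            state="chrooted to $root"
        fi
        echo "$pid: $state; $conf_path resolves to $(host_path "$pid" "$conf_path") on the host"
    done
}

# Live use, as root:  sh thisfile.sh /var/cache/bind $(pidof named)
if [ "$#" -ge 2 ]; then
    report "$@"
fi
```

With the values posted in this thread (root link pointing at /var/lib/named, directory "/var/cache/bind"), the host-side directory is /var/lib/named/var/cache/bind.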
 
  

