Running BIND chroot on Solaris
ISC's DNS implementation BIND is by far
the most widely deployed DNS server on the internet. BIND's infamous
reputation for security is also widely known, so I won't go into
details here.
Later BIND releases (8.2) add two very nice features:
- Running in a chrooted environment (the -t option)
- Running as a user other than root (the -u option)
Using these two features in combination greatly reduces the risk
of running BIND: an attacker who compromises named is then confined to the
jail and to an unprivileged account. If you are running BIND on Solaris (as I do),
this is how it works.
Disclaimer
I'm providing this information hoping it will be useful, but there
are no warranties. You have been warned. Everything I say applies to
Solaris 8 SPARC, since this is my platform of choice at the moment.
The script provided probably needs at least Solaris 7, but that's untested.
Details
The ability to run chrooted is built into later BIND releases, so you
don't have to fiddle with chroot(1M). Note that this is not true for
Solaris' own BIND (up to and including Solaris 8), even though it is quite
recent. So you have to get your own and build it from source.
You have to set up a complete chroot environment (including
shared libraries) if and only if you need zone transfers: BIND 8 starts an
external command, named-xfer, to pull a zone from its master, so that binary
and every library it links against must exist inside the jail.
You need this if you are hosting secondary zones.
So, including some minor items, we have the following TODOs on the machine
that will run BIND:
- Get and install BIND
- Setup complete chroot environment with all required files
- Setup resolver to point to localhost
- Disable hosts cache in nscd
- Setup start script in /etc/init.d and /etc/rc2.d
The Script
To automate steps two through five I have written a short shell script. I
certainly don't recommend letting it loose on your system without taking a
closer look at it first. Comments to me.
Get the script.
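The author's script is the one linked above. What follows is an added example, not that script and not part of the original page: a POSIX shell sketch of steps two through five (jail skeleton, named-xfer plus its libraries copied in via ldd, resolver pointed at localhost, nscd hosts cache disabled, init script starting named with -u and -t). The jail path /usr/local/named, the user name named, the install prefix /usr/local, the rc2.d link name S72named and the Solaris device numbers for /dev/null and /dev/zero are all assumptions to check against your own system; the functions take their target path as an argument so each can be tried on a scratch directory before touching /etc.

```shell
#!/bin/sh
# Added example (not the page's script): build a BIND 8 chroot jail on
# Solaris and the init script that starts named with -u/-t.  Jail path,
# user, install prefix and device numbers are assumptions; check them,
# then run "./named-jail.sh install" as root.

CHROOT=${CHROOT:-/usr/local/named}   # assumed jail directory
NAMED_USER=${NAMED_USER:-named}      # assumed unprivileged account
PREFIX=${PREFIX:-/usr/local}         # assumed BIND install prefix

# Resolved library paths from ldd(1) output read on stdin.  Solaris ldd
# prints "        libc.so.1 =>     /usr/lib/libc.so.1"; unresolved
# entries ("=> (file not found)") are skipped.
ldd_libs() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3 }'
}

# Directory skeleton inside the jail.  var/run holds the pid file and
# var/named the zone files named-xfer writes for secondary zones.
make_tree() {
    root=$1
    for d in etc dev var/run var/named usr/sbin usr/lib; do
        mkdir -p "$root/$d"
    done
}

# Copy a dynamically linked binary and every library it needs into the jail.
copy_binary() {
    root=$1; bin=$2
    cp -p "$bin" "$root/usr/sbin/"
    for lib in `ldd "$bin" | ldd_libs`; do
        d=`dirname "$lib"`
        mkdir -p "$root$d"
        cp -p "$lib" "$root$lib"
    done
}

# Turn off hosts caching in nscd.conf so lookups reach the local named
# instead of nscd's cache.  Idempotent; works on the file given as $1.
disable_nscd_hosts() {
    conf=$1
    { grep -v 'enable-cache.*hosts' "$conf" 2>/dev/null
      echo 'enable-cache hosts no'; } > "$conf.tmp"
    mv "$conf.tmp" "$conf"
}

# /etc/init.d style start/stop script.  With -t, named chroots before it
# reads its configuration, so -c names the file relative to the jail.
write_init_script() {
    out=$1
    cat > "$out" <<EOF
#!/bin/sh
# Start/stop chrooted BIND (generated by named-jail.sh)
NAMED=$PREFIX/sbin/named
case "\$1" in
start)
        [ -x \$NAMED ] && \$NAMED -u $NAMED_USER -t $CHROOT -c /etc/named.conf
        ;;
stop)
        [ -f $CHROOT/var/run/named.pid ] && kill \`cat $CHROOT/var/run/named.pid\`
        ;;
*)
        echo "Usage: \$0 { start | stop }"
        exit 1
        ;;
esac
exit 0
EOF
    chmod 744 "$out"
}

install_jail() {
    make_tree "$CHROOT"
    # Solaris 8 SPARC: /dev/null is 13,2 and /dev/zero is 13,12 (assumed;
    # confirm with "ls -lL /dev/null /dev/zero" before trusting these).
    rm -f "$CHROOT/dev/null" "$CHROOT/dev/zero"
    mknod "$CHROOT/dev/null" c 13 2
    mknod "$CHROOT/dev/zero" c 13 12
    chmod 666 "$CHROOT/dev/null" "$CHROOT/dev/zero"
    # named-xfer is exec'd from inside the jail, so it and its libraries
    # must live there; named itself is started from outside.
    copy_binary "$CHROOT" "$PREFIX/sbin/named-xfer"
    cp -p /etc/named.conf "$CHROOT/etc/"        # assumes the config exists
    echo "nameserver 127.0.0.1" > /etc/resolv.conf   # add domain/search yourself
    disable_nscd_hosts /etc/nscd.conf
    chown -R "$NAMED_USER" "$CHROOT/var/run" "$CHROOT/var/named"
    write_init_script /etc/init.d/named
    ln -s ../init.d/named /etc/rc2.d/S72named   # sequence number assumed
    # Not handled here: if named logs nothing once jailed, the jail also
    # needs whatever syslog endpoint your Solaris release uses (syslog(3C)).
}

case "${1:-}" in
install) install_jail ;;
esac
```

Only named-xfer and its libraries go into the jail; named is started from outside with -t, which is why the jail needs no copy of named itself. Keep /etc and /usr/lib inside the jail owned by root and writable by nobody else, so a compromised named running as the named user cannot replace the binary it will later exec for a zone transfer.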