I should mention that if you have an existing installation of BIND, such as from an RPM, you should probably remove it before installing the new one. On Red Hat systems, this probably means removing the packages bind and bind-utils, and possibly bind-devel and caching-nameserver, if you have them. You may want to save a copy of the init script (e.g., /etc/rc.d/init.d/named), if any, before doing so; it'll be useful later on.
This is the easy part :-). Just run make install and let it take care of it for you. You may want to chmod 000 /usr/local/sbin/named afterwards, to make sure you don't accidentally run the non-chrooted copy of BIND. (This is /usr/sbin/named if you didn't tell it to go in /usr/local/sbin like I suggested.)
Only two parts of the package have to live inside the chroot jail: the main named daemon itself, and named-xfer, which it uses for zone transfers. You can simply copy them in from the source tree:

# cp src/bin/named/named /chroot/named/bin
# cp src/bin/named-xfer/named-xfer /chroot/named/bin

(If these binaries are dynamically linked, the shared libraries they depend on must also be present inside the jail, or they will fail to start once chrooted; ldd /chroot/named/bin/named lists what they need.)
If you have an existing init script from your distribution, it would probably be best simply to modify it to run /chroot/named/bin/named with the appropriate switches. The switches are... (drumroll please...)

  -u named, which tells BIND to run as the user named, rather than root.
  -g named, to run BIND under the group named too, rather than root or wheel.
  -t /chroot/named, which tells BIND to chroot itself to the jail that we've set up.

Note that named still has to be started as root: it needs root to bind port 53 and to call chroot() into the jail, and only then does it drop to named:named. What matters is that the running process, once it has finished starting up, is no longer root and can no longer see anything outside /chroot/named.

The following is the init script I use with my Red Hat 6.0 system. As you can see, it is almost exactly the same as the way it shipped from Red Hat.
#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Refuse to start unless the chrooted binary and its config are in place.
[ -f /chroot/named/bin/named ] || exit 0
[ -f /chroot/named/etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        daemon /chroot/named/bin/named -u named -g named -t /chroot/named
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/local/sbin/ndc status
        exit $?
        ;;
  restart)
        /usr/local/sbin/ndc restart
        exit $?
        ;;
  reload)
        /usr/local/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
esac

exit 0
You will also have to add or change a few options in your named.conf to keep the various directories straight. In particular, you should add (or change, if you already have them) the following directives in the options section:

    directory "/etc/namedb";
    pid-file "/var/run/named.pid";
    named-xfer "/bin/named-xfer";

Since this file is being read by the named daemon after it has chrooted itself, all the paths are of course relative to the chroot jail: the daemon's /etc/namedb is /chroot/named/etc/namedb as seen from the host, its /bin/named-xfer is /chroot/named/bin/named-xfer, and so on. A path that exists on the host but not inside the jail will simply look missing to named.
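Because both the copied-in binaries and the named.conf paths have to line up with the jail rather than with the host, it is worth checking them mechanically before the init script is ever run. The following script is an added example and is not part of this HOWTO or of the BIND distribution; it assumes the jail layout used above (/chroot/named, with named and named-xfer under bin and named.conf under etc) and the three options directives just listed. The script name check-jail.sh and the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the HOWTO: pre-flight checks for the BIND 8
# chroot jail described above. The jail layout ($JAIL/bin, $JAIL/etc/named.conf,
# the three options directives) is the one used on this page; the function
# names and the check logic are this script's own assumptions.

JAIL=${JAIL:-/chroot/named}

# conf_value FILE DIRECTIVE: print the double-quoted value of the first
# DIRECTIVE "..."; line in FILE (prints nothing if it is not there).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_named_conf JAIL: named reads named.conf *after* chroot(), so a
# directive such as directory "/etc/namedb" really means JAIL/etc/namedb.
# Returns 0 when every such path exists inside the jail, 1 (with one
# message per problem) otherwise.
check_named_conf() {
    jail=$1
    conf="$jail/etc/named.conf"
    rc=0
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    for d in directory pid-file named-xfer; do
        v=$(conf_value "$conf" "$d")
        if [ -z "$v" ]; then
            echo "named.conf: no $d directive in options"
            rc=1
            continue
        fi
        case "$v" in
            /*) ;;
            *)  echo "$d \"$v\" must be an absolute path (relative to the jail)"
                rc=1
                continue ;;
        esac
        case "$d" in
            directory)
                [ -d "$jail$v" ] || { echo "zone directory $jail$v does not exist"; rc=1; } ;;
            pid-file)
                [ -d "$jail$(dirname "$v")" ] || { echo "pid-file directory $jail$(dirname "$v") does not exist"; rc=1; } ;;
            named-xfer)
                [ -x "$jail$v" ] || { echo "named-xfer $jail$v is missing or not executable"; rc=1; } ;;
        esac
    done
    return $rc
}

# check_jail_libs JAIL BIN: a dynamically linked named copied into the jail
# on its own fails at exec time, so every shared object it needs (and the
# dynamic loader itself) must also be present under JAIL.
check_jail_libs() {
    jail=$1
    bin=$2
    rc=0
    command -v ldd >/dev/null 2>&1 || { echo "ldd not found; skipping library check"; return 0; }
    [ -f "$jail$bin" ] || { echo "$jail$bin not found"; return 1; }
    for lib in $(ldd "$jail$bin" | awk '$3 ~ /^\// {print $3} $1 ~ /^\// {print $1}'); do
        [ -e "$jail$lib" ] || { echo "shared library $lib is missing from $jail"; rc=1; }
    done
    return $rc
}

# check_running: once the init script has started named, confirm that the
# live process really dropped to user "named" and is rooted in the jail.
# (/proc/PID/root is only readable by root.)
check_running() {
    pid=$(pidof named 2>/dev/null | awk '{print $1}')
    [ -n "$pid" ] || { echo "named is not running"; return 1; }
    user=$(ps -o user= -p "$pid" | awk '{print $1}')
    root=$(readlink "/proc/$pid/root" 2>/dev/null)
    echo "named pid $pid runs as '$user' with root '$root'"
    [ "$user" = named ] && [ "$root" = "$JAIL" ]
}

# Usage: sh check-jail.sh /chroot/named   (checks run only when a jail is given)
if [ $# -gt 0 ]; then
    JAIL=$1
    check_named_conf "$JAIL"
    check_jail_libs "$JAIL" /bin/named
    check_jail_libs "$JAIL" /bin/named-xfer
    check_running
fi
```

Run it as root after make install and the two cp commands, and again after the init script has started named: the first two checks catch a jail that is missing a directory, a library or an executable named-xfer before the daemon ever tries to use it, and the last one confirms that what is actually running is the chrooted, unprivileged copy rather than the non-chrooted named left in /usr/local/sbin.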