Perhaps the question that you should explore first would be “Why?” and not “How?”. Then perhaps you should define what you are trying to achieve and ask yourself if it still makes sense and what the current state of the art is.
I believe that dropping caps and having properly set up selinux (or AppArmor) + Private* in the systemd unit is much better than chroot.
Ondrej -- Ondřej Surý — ISC (He/Him)
My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours. On 31. 7. 2025, at 8:58, Renzo Marengo <buckroger2...@gmail.com> wrote:
Thank you very much, but my issue is to understand what the first step is that I have to do, considering that the following RPMs are just installed:
bind.x86_64 bind-chroot.x86_64 bind-dnssec-doc.noarch bind-dnssec-utils.x86_64 bind-libs.x86_64 bind-license.noarch bind-utils.x86_64
e.g. is the chroot folder structure already set up? Which service do I have to enable at boot? bind or bind-chroot?
On 7/30/2025 1:11 PM, Renzo Marengo wrote:
> I want to install latest rpm of Bind (9.16.23-31) for Oracle Linux 9
> to create only cache DNS server which is running in chroot jail.
> I installed several Bind packages, including bind-chroot.
> What document do you suggest I follow to configure bind in a chroot
> jail?
> Thanks
>
Setting up as caching / forwarder is pretty straightforward:

In named.conf.options:

    recursion yes;
    allow-query { trusted; };
    allow-transfer { none; };
    forwarders {              // From here
        192.168.20.10;        // Replace with the servers you want to use
        192.168.20.11;        // Same here
    };
    forward only;             // to here. Leave the forwarders/forward lines
                              // out if you do not wish to use forwarders,
                              // i.e. the system will do all the work itself.
    dnssec-validation auto;   // Check this setting before going online,
                              // it may not suit your setup.
    listen-on-v6 { any; };

In named.conf.local:

    acl "trusted" {           // BIND requires an acl to be defined before it
                              // is referenced; check the include order in named.conf.
        192.168.1.0/24;       // Replace with your own IPs
        192.168.20.15/32;     // Replace with your own IPs
        127.0.0.1/32;
        localhost;
    };
I do not know anything about Red Hat, but as I understand it, Debian also
uses chroot.
I run Debian and have had zero issues with using the default setup.
Best of luck!
Danjel
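The alternative Ondrej recommends at the top of this thread (drop capabilities, rely on SELinux, and use the systemd Private*/Protect* sandboxing instead of a chroot) can be made concrete as a systemd drop-in. This is an added example, not configuration from any poster, from ISC or from the distribution packages. It assumes the unit is named.service (on RHEL-family systems the bind package ships named.service and bind-chroot ships named-chroot.service), that named is started with `-u named` and therefore needs to change uid/gid itself, and that it only writes under /var/named and /run/named; those paths and the capability set are assumptions to check against the journal after applying. SELinux confinement of named comes from the distribution's targeted policy and needs nothing here. The directive names are standard systemd ones.

```ini
# /etc/systemd/system/named.service.d/hardening.conf
# Assumed path; example drop-in, not shipped by any package.
# Apply with:  systemctl daemon-reload && systemctl restart named
# Inspect with: systemctl show named.service -p CapabilityBoundingSet
#               systemd-analyze security named.service

[Service]
# Capabilities named actually needs when started as root with -u named:
# bind port 53, switch to the 'named' user, raise its own fd limits.
# CAP_SYS_CHROOT is deliberately absent: the sandbox below replaces
# the chroot, so -t must not be used (assumption about the ExecStart line).
CapabilityBoundingSet=CAP_NET_BIND_SERVICE CAP_SETUID CAP_SETGID CAP_SYS_RESOURCE
NoNewPrivileges=yes

# Private*/Protect*: the daemon sees a private /tmp and /dev, a read-only
# root filesystem, no home directories and no kernel tunables or modules.
PrivateTmp=yes
PrivateDevices=yes
ProtectSystem=strict
ProtectHome=yes
ProtectKernelTunables=yes
ProtectKernelModules=yes
ProtectKernelLogs=yes
ProtectControlGroups=yes
ProtectClock=yes
ProtectHostname=yes
ProtectProc=invisible

# ProtectSystem=strict makes everything read-only; re-open only what named
# writes (cache dumps, journal files, pid file). Assumed locations; add a
# log directory here if named logs to a file instead of syslog.
ReadWritePaths=/var/named /run/named

# Attack-surface reduction: IPv4/IPv6 sockets, local sockets for rndc,
# netlink for interface scanning; no new namespaces, no realtime, no setuid
# binaries, native syscalls only, and the @system-service allow-list
# (which includes the setuid and setrlimit calls named needs).
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX AF_NETLINK
RestrictNamespaces=yes
RestrictRealtime=yes
RestrictSUIDSGID=yes
LockPersonality=yes
SystemCallArchitectures=native
SystemCallFilter=@system-service
```

A drop-in layers on top of the packaged unit, so the vendor file is left untouched and package updates do not overwrite the hardening. Anything named can no longer reach shows up as a permission or "read-only file system" error in `journalctl -u named`, which is the place to look before loosening a single line rather than disabling the whole drop-in.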
--
Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list
ISC funds the development of this software with paid support subscriptions. Contact us at https://www.isc.org/contact/ for more information.
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users