Run DNS Software in a chroot Jail
An XCCDF Group
Description
Install the bind-chroot package:

    $ sudo yum install bind-chroot

Place a valid named.conf file inside the chroot jail:

    $ sudo cp /etc/named.conf /var/named/chroot/etc/named.conf
    $ sudo chown root:root /var/named/chroot/etc/named.conf
    $ sudo chmod 644 /var/named/chroot/etc/named.conf

Create and populate an appropriate zone directory within the jail, based on the options directive. If your named.conf includes:

    options { directory "/path/to/DIRNAME"; ... }

then copy that directory and its contents from the original zone directory:

    $ sudo cp -r /path/to/DIRNAME /var/named/chroot/DIRNAME

Add or correct the following line within /etc/sysconfig/named:

    ROOTDIR=/var/named/chroot
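The following audit script is an added example and is not part of the SCAP Security Guide content; it checks the result of the steps above (ROOTDIR in the sysconfig file, the jailed named.conf with its mode and ownership, and the zone directory named in options{} present inside the jail, resolved the way named will see it after chroot). The paths are parameters so it can be run against a staged tree; the hypothetical --audit flag runs it against the page's default locations.

```shell
#!/bin/sh
# Added example, not SSG code: audit a BIND chroot jail built per the steps above.

# extract_named_directory NAMED_CONF
# Print the path from `options { directory "..."; }` (first match only).
extract_named_directory() {
    sed -n 's/.*directory[[:space:]]*"\([^"]*\)".*/\1/p' "$1" | head -n 1
}

# check_bind_chroot SYSCONFIG JAIL OWNER
# Return 0 when: ROOTDIR in SYSCONFIG equals JAIL; JAIL/etc/named.conf exists,
# is mode 0644 and owned by OWNER (user:group); and the directory named in the
# options{} block exists inside the jail (named resolves it relative to JAIL).
check_bind_chroot() {
    sysconfig=$1
    jail=$2
    want_owner=$3
    rootdir=$(sed -n 's/^ROOTDIR=//p' "$sysconfig" | tail -n 1)
    [ "$rootdir" = "$jail" ] || { echo "ROOTDIR is '$rootdir', expected '$jail'"; return 1; }
    conf="$jail/etc/named.conf"
    [ -f "$conf" ] || { echo "missing $conf"; return 1; }
    mode=$(stat -c '%a' "$conf")
    [ "$mode" = "644" ] || { echo "$conf mode is $mode, expected 644"; return 1; }
    owner=$(stat -c '%U:%G' "$conf")
    [ "$owner" = "$want_owner" ] || { echo "$conf owned by $owner, expected $want_owner"; return 1; }
    zonedir=$(extract_named_directory "$conf")
    [ -n "$zonedir" ] || { echo "no 'directory' option in $conf"; return 1; }
    [ -d "$jail$zonedir" ] || { echo "zone directory $jail$zonedir missing in jail"; return 1; }
    echo "bind chroot at $jail looks consistent"
    return 0
}

# Invoked as `sh bind-chroot-audit.sh --audit`: check the live system with the
# page's default paths (hypothetical flag, added for this example).
if [ "${1:-}" = "--audit" ]; then
    check_bind_chroot /etc/sysconfig/named /var/named/chroot root:root
fi
```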
Warning: If you are running BIND in a chroot jail, then you should use the jailed named.conf as the primary nameserver configuration file. That is, when this guide recommends editing /etc/named.conf, you should instead edit /var/named/chroot/etc/named.conf.

- ID
- xccdf_org.ssgproject.content_group_dns_server_chroot
- Child Items
- Updated