To improve the security of BIND we are going to run it in a chroot jail, so that a compromised name server is confined to a small directory tree instead of the whole filesystem.
What is a chroot jail?
A chroot jail (from the chroot(2) system call, "change root") is available on every Linux and Unix system. It changes the directory a process sees as "/", so a jailed process can only open files beneath the jail directory: if named is compromised, the attacker is looking at a tree that holds little more than the BIND configuration and a few device nodes rather than the real system. Two caveats apply. First, chroot restricts filesystem access only; it does nothing about the network, signals or the process table. Second, a process that is still root inside the jail can break out of it, so the jail only helps if named also drops privileges to an unprivileged user (the named user below). Treat it as a damage-limitation layer for a service that has to run anyway, not as an impenetrable barrier.
# /etc/init.d/named stop
# mkdir -p /chroot/named
# cd /chroot/named
# mkdir -p dev etc/named var/run/named
# mknod /chroot/named/dev/null c 1 3
# mknod /chroot/named/dev/random c 1 8
# chmod 666 /chroot/named/dev/null
# chmod 666 /chroot/named/dev/random
# cp /etc/localtime /chroot/named/etc/
# mv /etc/named.conf /chroot/named/etc/
# mv /etc/named/* /chroot/named/etc/named/
# chown -R root:named /chroot/named
# chown named:named /chroot/named/var/run/named
Ownership matters here: named only needs to write its pid file and control socket under var/run/named, so keep the configuration owned by root and merely readable by the named group. A compromised named then cannot rewrite its own configuration. (The user.group form of chown is deprecated; use user:group.)
Now we need to tell the init script to start BIND inside the jail:
# vi /etc/sysconfig/named
Uncomment the line that reads
Restart BIND and verify that it is working. The init script is named, the same one stopped above:
# /etc/init.d/named restart
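The whole procedure above as one script, with a verification step the tutorial does not show: reading /proc/<pid>/root of the running named, which is the process's own view of "/" and must therefore resolve to the jail directory. This is an added example, not code from the original page or from the BIND project. It assumes a Red Hat-style system (init script /etc/init.d/named, a ROOTDIR variable in /etc/sysconfig/named that makes the init script pass -t to named), a named user and group, pidof(8) and GNU coreutils; the jail path /chroot/named and the script name named-jail.sh are assumptions as well.

```shell
#!/bin/sh
# Added example (not part of the original tutorial): builds the BIND chroot
# jail described above, locks down ownership, and checks that the running
# named really has its root inside the jail.
# Assumptions: Red Hat-style layout (init script /etc/init.d/named, ROOTDIR
# variable in /etc/sysconfig/named), a "named" user and group, pidof(8) and
# GNU coreutils. The jail path defaults to /chroot/named.
set -eu

JAIL="${JAIL:-/chroot/named}"

# Directory skeleton: device nodes, configuration, pid file / control socket.
make_jail_tree() {
    jail="$1"
    mkdir -p "$jail/dev" "$jail/etc/named" "$jail/var/run/named"
}

# Character devices named needs inside the jail (major 1 = memory devices:
# null is minor 3, random 8, urandom 9). mknod needs root (CAP_MKNOD).
make_jail_devices() {
    jail="$1"
    [ -c "$jail/dev/null" ]    || mknod -m 666 "$jail/dev/null"    c 1 3
    [ -c "$jail/dev/random" ]  || mknod -m 666 "$jail/dev/random"  c 1 8
    [ -c "$jail/dev/urandom" ] || mknod -m 666 "$jail/dev/urandom" c 1 9
}

# Move the configuration into the jail; localtime is copied so that log
# timestamps stay in local time once named can no longer see /etc.
install_config() {
    jail="$1"
    cp -p /etc/localtime "$jail/etc/localtime"
    if [ -f /etc/named.conf ]; then mv /etc/named.conf "$jail/etc/"; fi
    for f in /etc/named/*; do
        if [ -e "$f" ]; then mv "$f" "$jail/etc/named/"; fi
    done
}

# Ownership: root owns everything, the named group may only read the
# configuration, and the named user may write only under var/run/named,
# so a compromised named cannot rewrite its own configuration.
lock_down_jail() {
    jail="$1"
    chown -R root:named "$jail"
    chmod -R u=rwX,g=rX,o= "$jail/etc"
    chown named:named "$jail/var/run/named"
    chmod 0770 "$jail/var/run/named"
}

# Point the init script at the jail. Assumes the variable is ROOTDIR, as in
# Red Hat's /etc/sysconfig/named; the init script then runs named with -t.
set_rootdir() {
    jail="$1"
    f=/etc/sysconfig/named
    if grep -q '^ROOTDIR=' "$f" 2>/dev/null; then
        sed -i "s|^ROOTDIR=.*|ROOTDIR=$jail|" "$f"
    else
        printf 'ROOTDIR=%s\n' "$jail" >>"$f"
    fi
}

# Proof that the chroot took effect: /proc/<pid>/root is the process's view
# of "/", so for a jailed named it must resolve to the jail directory.
# Returns non-zero if named is not running or is not inside the jail.
verify_jail() {
    jail="$1"
    pid=$(pidof -s named 2>/dev/null) || return 1
    root=$(readlink "/proc/$pid/root" 2>/dev/null) || return 1
    [ "$root" = "$jail" ]
}

case "${1:-}" in
install)
    /etc/init.d/named stop || true      # tolerate "not running"
    make_jail_tree "$JAIL"
    make_jail_devices "$JAIL"
    install_config "$JAIL"
    lock_down_jail "$JAIL"
    set_rootdir "$JAIL"
    /etc/init.d/named restart
    ;;
esac

if [ "${1:-}" = install ] || [ "${1:-}" = verify ]; then
    if verify_jail "$JAIL"; then
        echo "named is running chrooted in $JAIL"
    else
        echo "named is not running inside $JAIL" >&2
        exit 1
    fi
fi
```

Run it as root with `sh named-jail.sh install`, and later `sh named-jail.sh verify` to re-check after upgrades or reboots; the process-root check catches the common failure where ROOTDIR was edited but the init script still started named outside the jail. Finish by querying a zone the server serves (`dig @127.0.0.1 <zone> SOA`). Two things the script deliberately does not do: if this host is a secondary, the named user also needs write access to the directory holding transferred zone files, and if you use rndc, the key file must exist both outside the jail (for rndc) and inside it (for named).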