The DNS server installed on Debian, like the one on Arch Linux, is not chrooted by default. For the security of the DNS server it is usually recommended to run it chrooted.
Reference pages: Mind Reference: How to chroot bind9 in Debian
Bind9 – Debian Wiki
The script below automates this work.
Script source (slightly modified):
1. Create chroot-bind9
# vim /usr/local/bin/chroot-bind9
#!/bin/bash
# Stop the running server before moving its files.
/etc/init.d/bind9 stop
# Create the chroot tree and the device nodes named needs inside it.
mkdir -p /var/chroot/bind9/{etc,dev,var/cache/bind,var/run/bind/run}
chown -R bind:bind /var/chroot/bind9/var/*
mknod /var/chroot/bind9/dev/null c 1 3
mknod /var/chroot/bind9/dev/random c 1 8
chmod 666 /var/chroot/bind9/dev/{null,random}
# Move the configuration into the chroot and leave a symlink at the old path.
mv /etc/bind /var/chroot/bind9/etc
ln -s /var/chroot/bind9/etc/bind /etc/bind
chown -R bind:bind /etc/bind/*
chmod -R g+w /etc/bind/
# Have rsyslog open a log socket inside the chroot. Single quotes keep the
# literal "$AddUnixListenSocket" directive (in double quotes the shell would
# expand it to an empty variable); rsyslog must be restarted to pick this up.
echo '$AddUnixListenSocket /var/chroot/bind9/dev/log' > /etc/rsyslog.d/bind-chroot.conf
# Add "-t /var/chroot/bind9" to OPTIONS in /etc/default/bind9 so named chroots itself.
sed -e 's,"-u bind","-u bind -t /var/chroot/bind9",' /etc/default/bind9 > /tmp/x && mv /tmp/x /etc/default/bind9
/etc/init.d/bind9 start
2. Make it executable by root only
# chmod 700 /usr/local/bin/chroot-bind9
3. Run it
# /usr/local/bin/chroot-bind9
4. Verify the result
# host 192.168.1.3 192.168.1.2
Using domain server:
Name: 192.168.1.2
Address: 192.168.1.2#53
Aliases:
3.1.168.192.in-addr.arpa domain name pointer ftp.test.ilc.edu.tw.
# host ftp.test.ilc.edu.tw 192.168.1.2
Using domain server:
Name: 192.168.1.2
Address: 192.168.1.2#53
Aliases:
ftp.test.ilc.edu.tw has address 192.168.1.3
Fixing the error message shown by /etc/init.d/bind9 status
# /etc/init.d/bind9 status
* bind9 is not running
First comment out the PIDFILE=/var/run/named/named.pid line by prefixing it with #
# sed -i 's/^PIDFILE/#PIDFILE/' /etc/init.d/bind9
Then insert a line after #PIDFILE pointing at the pid file inside the chroot
# sed -i '/#PIDFILE/ a PIDFILE=/var/chroot/bind9/var/run/named/named.pid' /etc/init.d/bind9
# /etc/init.d/bind9 status
* bind9 is running
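The two configuration edits above (the OPTIONS change in /etc/default/bind9 and the PIDFILE change in the init script) are easy to get wrong when applied blindly with sed -i, and the post gives no way to check the chroot tree before starting named. The following is an added example, not the post's script: it wraps both edits as functions that take the file to edit as an argument (so they can be tried on a copy first and are safe to run twice), and adds two checks for the directories and device nodes the post's script creates. The chroot path /var/chroot/bind9 and the pid file path /var/run/named/named.pid are the post's; the function names and the CHROOT variable are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the original post's script). Functions operate on the
# file path they are given; CHROOT defaults to the post's path.

CHROOT=${CHROOT:-/var/chroot/bind9}

# Add "-t $CHROOT" to OPTIONS="-u bind" in a Debian /etc/default/bind9 file.
# A file that already carries the switch is left untouched (idempotent).
add_chroot_option() {
    file=$1
    if grep -q -- "-t $CHROOT" "$file"; then
        return 0
    fi
    sed -e "s,\"-u bind\",\"-u bind -t $CHROOT\"," "$file" > "$file.tmp" &&
        mv "$file.tmp" "$file"
}

# Return 0 when the OPTIONS line of the given file carries the chroot switch.
has_chroot_option() {
    grep -q "^OPTIONS=.*-t $CHROOT" "$1"
}

# Comment out PIDFILE= in an init script and insert the in-chroot path right
# after it, which is what the post's two sed -i commands do. Skipped if the
# in-chroot line is already present, so running it twice adds nothing.
fix_pidfile() {
    file=$1
    pid="$CHROOT/var/run/named/named.pid"
    if grep -q "^PIDFILE=$pid\$" "$file"; then
        return 0
    fi
    awk -v pid="$pid" '
        /^PIDFILE=/ { print "#" $0; print "PIDFILE=" pid; next }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# Check the directories named needs under the chroot root ($1): the moved
# /etc/bind, the device directory, the cache directory and the directory the
# status fix expects the pid file in. Prints each missing one, returns 1 if any.
check_chroot_dirs() {
    root=$1
    rc=0
    for d in etc/bind dev var/cache/bind var/run/named; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            rc=1
        fi
    done
    return $rc
}

# Check that dev/null and dev/random inside the chroot are character devices
# (what the post's mknod lines create). Returns 1 if either is wrong.
check_chroot_devs() {
    root=$1
    rc=0
    for n in null random; do
        if [ ! -c "$root/dev/$n" ]; then
            echo "not a character device: $root/dev/$n"
            rc=1
        fi
    done
    return $rc
}
```

To dry-run the edits, copy /etc/default/bind9 and /etc/init.d/bind9 somewhere writable, call add_chroot_option and fix_pidfile on the copies, and diff them against the originals; check_chroot_dirs and check_chroot_devs can be run against /var/chroot/bind9 after the post's script has been executed and before named is started.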