I should mention that if you have an existing installation of
BIND, such as from an RPM, you should probably remove it before
installing the new one. On Red Hat systems, this probably means
removing the packages bind and
bind-utils, and possibly bind-devel and
caching-nameserver, if you have them.
You may want to save a copy of the init script (e.g.,
/etc/rc.d/init.d/named), if any, before doing so;
it'll be useful later on.
This is the easy part :-). Just run make install and
let it take care of it for you. You may want to chmod 000
/usr/local/sbin/named afterwards, to make sure you don't
accidentally run the non-chrooted copy of BIND. (This is
/usr/sbin/named if you didn't tell it to go in
/usr/local/sbin like I suggested.)
Only two parts of the package have to live inside the chroot
jail: the main named daemon itself, and
named-xfer, which it uses for zone transfers. You
can simply copy them in from the source tree:
# cp src/bin/named/named /chroot/named/bin
# cp src/bin/named-xfer/named-xfer /chroot/named/bin
Both copies should end up owned by root and not writable by the
named user; the daemon has no business being able to replace
its own binaries from inside the jail.
If you have an existing init script from your distribution, it
would probably be best simply to modify it to run
/chroot/named/bin/named, with the appropriate
switches. The switches are... (drumroll please...)
-u named, which tells BIND to run as the user
named, rather than root.
-g named, to run BIND under the group
named too, rather than root or
wheel.
-t /chroot/named, which tells BIND to chroot
itself to the jail that we've set up.
The following is the init script I use with my Red Hat 6.0
system. As you can see, it is almost exactly the same as the way
it shipped from Red Hat. I have also modified the ndc
restart command so that it restarts the server properly,
and keeps it chrooted. You should probably do the same in your
init script, even if you don't copy this one.
#!/bin/sh
#
# named           This shell script takes care of starting and stopping
#                 named (BIND DNS server).
#
# chkconfig: 345 55 45
# description: named (BIND) is a Domain Name Server (DNS) \
# that is used to resolve host names to IP addresses.
# probe: true

# Source function library.
. /etc/rc.d/init.d/functions

# Source networking configuration.
. /etc/sysconfig/network

# Check that networking is up.
[ "${NETWORKING}" = "no" ] && exit 0

# Bail out quietly if the chrooted named or its config isn't there.
[ -f /chroot/named/bin/named ] || exit 0

[ -f /chroot/named/etc/named.conf ] || exit 0

# See how we were called.
case "$1" in
  start)
        # Start daemons.
        echo -n "Starting named: "
        daemon /chroot/named/bin/named -u named -g named -t /chroot/named
        echo
        touch /var/lock/subsys/named
        ;;
  stop)
        # Stop daemons.
        echo -n "Shutting down named: "
        killproc named
        rm -f /var/lock/subsys/named
        echo
        ;;
  status)
        /usr/local/sbin/ndc status
        exit $?
        ;;
  restart)
        # Tell ndc where the chrooted binary is, and pass the same
        # -u/-g/-t switches so the restarted server is still jailed.
        /usr/local/sbin/ndc -n /chroot/named/bin/named "restart -u named -g named -t /chroot/named"
        exit $?
        ;;
  reload)
        /usr/local/sbin/ndc reload
        exit $?
        ;;
  probe)
        # named knows how to reload intelligently; we don't want linuxconf
        # to offer to restart every time
        /usr/local/sbin/ndc reload >/dev/null 2>&1 || echo start
        exit 0
        ;;
  *)
        echo "Usage: named {start|stop|status|restart|reload}"
        exit 1
esac

exit 0
On Caldera OpenLinux systems, you simply need to modify the variables defined at the top, and it will apparently take care of the rest for you:
NAME=named
DAEMON=/chroot/named/bin/$NAME
OPTIONS="-t /chroot/named -u named -g named"
You will also have to add or change a few options in your
named.conf to keep the various directories straight.
In particular, you should add (or change, if you already have
them) the following directives in the options
section:
directory "/etc/namedb";
pid-file "/var/run/named.pid";
named-xfer "/bin/named-xfer";
Since this file is read by the named daemon after it has already
chrooted itself, all of these paths are of course relative to the
chroot jail: BIND sees /etc/namedb, while on the host that is
/chroot/named/etc/namedb. Don't write the host path here, or
named will go looking for /chroot/named/chroot/named/etc/namedb
and not find it.
Some people have also reported having to add an extra block to
their named.conf to get ndc working
properly:
controls {
        unix "/var/run/ndc" perm 0600 owner 0 group 0;
};
This path is relative to the jail as well, so from outside the
socket appears as /chroot/named/var/run/ndc; if ndc can't find
it, point it there with ndc -c /chroot/named/var/run/ndc (or
symlink /var/run/ndc to it).
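The easy mistake with the named.conf changes above is to write the paths as they look from the host rather than from inside the jail. The following script is an added example, not part of the original HOWTO or of BIND: it pulls the directory, pid-file and named-xfer directives out of a named.conf and checks that each one actually exists at jail + path, flagging values that already carry the jail prefix. It assumes each directive sits on its own line in the form `name "value";` and takes the jail root (/chroot/named in this HOWTO) and the config file as arguments.

```shell
#!/bin/sh
# check_jail_conf.sh -- added example, not part of the original HOWTO.
# Reads the directory, pid-file and named-xfer directives out of a BIND 8
# named.conf and checks that each one exists where the *chrooted* named
# will look for it, i.e. at $JAIL$path on the host.  It assumes each
# directive sits on its own line in the form    name "value";
# Usage: sh check_jail_conf.sh /chroot/named /chroot/named/etc/named.conf

# conf_value CONF NAME: print the quoted value of directive NAME (first match).
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]][[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# check_jail_conf JAIL CONF: one status line per directive; returns 0 only
# when every path resolves inside the jail.
check_jail_conf() {
    jail=$1 conf=$2 rc=0
    for d in directory pid-file named-xfer; do
        val=$(conf_value "$conf" "$d")
        if [ -z "$val" ]; then
            echo "MISSING  $d is not set in $conf"
            rc=1; continue
        fi
        case $val in
            "$jail"/*)
                # The classic mistake: writing the host path.  named has already
                # chrooted when it reads this, so it would look for $jail$jail/...
                echo "PREFIX   $d \"$val\" already contains the jail; use the path as seen from inside"
                rc=1; continue ;;
            /*) ;;
            *)  echo "RELATIVE $d \"$val\" is not an absolute path"
                rc=1; continue ;;
        esac
        case $d in
            directory)  st=ok; [ -d "$jail$val" ] || st=NODIR ;;
            pid-file)   st=ok; [ -d "$jail$(dirname "$val")" ] || st=NODIR ;;
            named-xfer) st=ok; [ -x "$jail$val" ] || st=NOEXEC ;;
        esac
        [ "$st" = ok ] || rc=1
        echo "$st $d $val -> $jail$val"
    done
    return $rc
}

# Run as a command when given the jail and the named.conf on the command line.
if [ $# -eq 2 ]; then
    check_jail_conf "$1" "$2"
fi
```

Run it as root after populating the jail and before the first start; a non-zero exit means named would have failed to find one of these paths once chrooted, which is far easier to read here than from a terse syslog line.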