configure bind in chroot jail
Danjel Jungersen
danjel at jungersen.dk
Fri Aug 1 07:52:26 UTC 2025
Have you looked here:
https://docs.redhat.com/en/documentation/red_hat_enterprise_linux/9/html/managing_networking_infrastructure_services/assembly_setting-up-and-configuring-a-bind-dns-server_networking-infrastructure-services
They have a short mention of chroot.
:-)
Danjel
On 7/31/2025 9:46 PM, Renzo Marengo wrote:
> I know what I want. I asked myself these questions many years ago when
> I built this server. I am replacing this cache DNS server with a newer OS.
>
>> On 31 Jul 2025, at 09:57, Ondřej Surý <ondrej at isc.org> wrote:
>>
>> Perhaps the question that you should explore first would be “Why?”
>> and not “How?”.
>>
>> Ondrej
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>> My working hours and your working hours may be different. Please do
>> not feel obligated to reply outside your normal working hours.
>>
>>> On 31. 7. 2025, at 8:58, Renzo Marengo <buckroger2011 at gmail.com> wrote:
>>>
>>>
>>> Thank you very much, but my issue is to understand what first step I
>>> have to take, considering that the following rpms are just installed:
>>>
>>> bind.x86_64
>>> bind-chroot.x86_64
>>> bind-dnssec-doc.noarch
>>> bind-dnssec-utils.x86_64
>>> bind-libs.x86_64
>>> bind-license.noarch
>>> bind-utils.x86_64
>>>
>>> e.g.
>>> chroot folder structure is just set?
>>> What service do I have to enable at boot? Bind or bind-chroot?
>>>
>>>
>>>
>>> On Wed, 30 Jul 2025 at 20:55, Danjel Jungersen via
>>> bind-users <bind-users at lists.isc.org> wrote:
>>>
>>>
>>> On 7/30/2025 1:11 PM, Renzo Marengo wrote:
>>> > I want to install latest rpm of Bind (9.16.23-31) for Oracle Linux 9
>>> > to create only cache DNS server which is running in chroot jail.
>>> > I installed several Bind packages included bind-chroot.
>>> > What document do you suggest me to follow to configure bind in chroot
>>> > jail ?
>>> > Thanks
>>> >
>>> Setting up as caching / forwarder is pretty straightforward:
>>>
>>> In named.conf.options :
>>>         recursion yes;
>>>         allow-query { trusted; };
>>>         allow-transfer { none; };
>>>
>>>         forwarders {              // From here
>>>                 192.168.20.10;    // Replace with the servers you want to use
>>>                 192.168.20.11;    // Same here
>>>         };
>>>         forward only;             // to here - must be left out if you do
>>>                                   // not wish to use forwarders, ie the system
>>>                                   // will do all the work itself.
>>>
>>>         dnssec-validation auto;   // Check this setting before going online,
>>>                                   // may not suit your setup.
>>>
>>>         listen-on-v6 { any; };
>>>
>>>
>>> In named.conf.local:
>>> acl "trusted" {
>>>         192.168.1.0/24;      // Replace with your own IPs
>>>         192.168.20.15/32;    // Replace with your own IPs
>>>         127.0.0.1/32;
>>>         localhost;
>>> };
>>>
>>> I do not know anything about Red Hat, but as I understand, Debian
>>> also uses chroot.
>>> I run Debian and have had zero issues with using the default setup.
>>>
>>> Best of luck!
>>> Danjel
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to
>>> unsubscribe from this list
>>>
>>> ISC funds the development of this software with paid support
>>> subscriptions. Contact us at https://www.isc.org/contact/ for
>>> more information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>
--
Med venlig hilsen/Kind regards
Danjel Jungersen
Mail: danjel at jungersen.dk
Mobile: +45 20 42 20 11
Jungersen Grafisk ApS,
Holsbjergvej 39, DK-2620 Albertslund,
Denmark.
Tel: +45 43 64 10 00
WEBSHOP: PRINTLIGHT.DK <https://www.printlight.dk> | WWW.JUNGERSEN.DK
<https://www.jungersen.dk>
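
An added example, not part of the thread and not ISC's or Red Hat's code: a small Python check over the caching-resolver settings quoted above. It confirms that every ACL named in allow-query, allow-query-cache or allow-recursion is defined before it is used (named does not accept forward references to an acl) and that recursion is not open to every client. The function names, the single merged sample file and the restriction to one options block without views are assumptions.

```python
import re

BUILTIN = {"any", "none", "localhost", "localnets"}  # ACLs predefined by BIND
WORLD = {"any", "0.0.0.0/0", "::/0"}                 # elements matching every client
CHECKED = r"\b(allow-(?:query|query-cache|recursion))\s*\{([^{}]*)\}"

# Constructed sample: the thread's settings merged into one file, acl first.
SAMPLE = """
acl "trusted" { 192.168.1.0/24; 192.168.20.15/32; 127.0.0.1/32; localhost; };
options {
    recursion yes;
    allow-query { trusted; };
    allow-transfer { none; };
    forwarders { 192.168.20.10; 192.168.20.11; };
    forward only;            // resolver never iterates on its own
    dnssec-validation auto;
    listen-on-v6 { any; };
};
"""

def is_address(elem):  # literal IPv4/IPv6 address or prefix
    return bool(re.fullmatch(r"[\d.]+(/\d+)?", elem)) or ":" in elem

def lint_resolver_conf(text):
    """Return findings about who may use recursion in a named.conf text."""
    text = re.sub(r"/\*.*?\*/", "", text, flags=re.S)   # /* ... */ comments
    text = re.sub(r"(//|#).*", "", text)                # // and # comments
    findings, lists = [], {}
    # Offset of every acl statement: BIND does not allow forward references.
    acls = {m.group(1): m.start()
            for m in re.finditer(r'\bacl\s+"?([\w.-]+)"?\s*\{', text)}
    for m in re.finditer(CHECKED, text):
        elems = [e.strip().strip('"') for e in m.group(2).split(";") if e.strip()]
        lists[m.group(1)] = elems
        for e in elems:
            if e in BUILTIN or e.startswith(("!", "key ")) or is_address(e):
                continue         # built-ins, negations, keys, literals: not ACL names
            if e not in acls:
                findings.append(f"{m.group(1)}: acl '{e}' is not defined")
            elif acls[e] > m.start():
                findings.append(f"{m.group(1)}: acl '{e}' is defined after its use")
    # Recursion falls back: allow-recursion, allow-query-cache, allow-query.
    if not re.search(r"\brecursion\s+no\s*;", text):
        for option in ("allow-recursion", "allow-query-cache", "allow-query"):
            if option in lists:
                if WORLD & set(lists[option]):
                    findings.append(f"{option}: recursion is open to any client")
                break
    return findings
```

Run it on the configuration as named will read it, with include files concatenated in include order; `named-checkconf` remains the authoritative syntax check.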