configure bind in chroot jail
Ben Scott
bscott at isc.org
Tue Aug 5 14:22:23 UTC 2025
> From: "Renzo Marengo"
> Sent: Wednesday, July 30, 2025 7:11:02 AM
> I want to install latest rpm of Bind (9.16.23-31) for Oracle Linux 9 to create
> only cache DNS server which is running in chroot jail.
> I installed several Bind packages, including bind-chroot.
> What document do you suggest I follow to configure bind in a chroot jail?
BIND 9.16.x is end-of-life and has known security vulnerabilities. It is strongly recommended to run something newer.
I've run BIND in a chroot for years on Linux. There was no special document I followed, beyond what is available in the ARM and man pages (although I took hints from many people and posts over the years). If you need step-by-step hand-holding you should probably avoid complex configurations. In a greenfield deployment, containerization might be preferable, as has been noted. If a bunch of people tell you to reconsider, you really should reconsider, or expect to get burned. Being burned hurts and you should want to avoid being burned.
All that said, I can tell you what I do. I run on Debian so it may be different for you. My config is also set up to work the way I want it, which may not be the way you want it. YMMV, etc.
Set up a directory sub-tree to contain the chroot. In my case it is: /srv/dns/
Populate the tree with system essentials. This includes /srv/dns/dev/ with null, random, urandom, and zero specials, and an empty /proc directory.
Configure rsyslog to create an extra syslog socket like so:
input(type="imuxsock" Socket="/srv/dns/dev/log")
Move the distro's stuff from /etc/bind/ to /srv/dns/etc/bind/ instead. Replace /etc/bind with a symlink to /srv/dns/etc/bind sub-tree.
Create /srv/dns/run/ with permissions allowing named to write.
Create /srv/dns/var/run/named/ subtree and place a symlink /srv/dns/var/run/named/named.pid with target ../../../run/named.pid (the target path must be relative).
Configure the distro's automation for the chroot. This meant modifying /etc/default/named to have this line:
OPTIONS="-u bind -t /srv/dns"
Configure systemd for the chroot. This included telling systemd to communicate with named using the traditional forking model, rather than the systemd notify mechanism. Here are relevant parts of the systemd drop-in, kept in my /etc/systemd/system/named.service.d/override.conf file:
[Service]
Type=forking
PrivateTmp=false
ExecStart=
ExecStart=/usr/sbin/named $OPTIONS
PIDFile=/srv/dns/run/named.pid
Configure named for the chroot. That included these lines:
options {
directory "/run";
lock-file "/run/named.lock";
pid-file "/run/named.pid";
statistics-file "/run/stats.dns.txt";
memstatistics-file "/run/stats.mem.txt";
dump-file "/run/dump.db.zone";
secroots-file "/run/dump.secroots.txt";
recursing-file "/run/dump.rec.zone";
session-keyfile "/run/session.key";
};
Not all of those are necessary, but I can't remember which ones were just me tinkering and which ones were vital. lock-file is gone in 9.20 IIRC.
The individual zone config definitions contain lines like this:
file "/zones/fwd/example.com.zone";
I think those are all the critical points.
Hope this helps.
-- Ben
--
Any opinions expressed in this message are those of the author alone.
All information is provided without warranty of any kind.
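The directory layout steps above (chroot sub-tree, device specials, writable run/, and the relative named.pid symlink) as a shell script. This is an added example and not Ben's own script or anything from the BIND project; it assumes the /srv/dns root from the post, a "bind" user for ownership, Linux major/minor numbers for the four device nodes, and a zones/fwd directory name that is only an assumption. Device nodes need root, so unprivileged runs build everything else and report what was skipped, and the verify function checks the one detail the post stresses: the pid symlink target is relative and resolves to ROOT/run/named.pid from outside the jail.

```shell
#!/bin/sh
# Added example (not from the original post): builds and checks a BIND
# chroot skeleton of the shape described above. ROOT defaults to /srv/dns.
# Assumptions: a "bind" user exists; zones/fwd is an arbitrary zone dir name.

build_chroot_tree() {
    root="$1"
    # Directories named needs inside the jail (proc stays empty).
    for d in dev proc etc/bind run var/run/named zones/fwd; do
        mkdir -p "$root/$d"
    done
    # Device specials: null, zero, random, urandom (Linux major/minor numbers).
    # mknod requires root; when unprivileged, say so instead of failing.
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$root/dev/null" ]    || mknod -m 666 "$root/dev/null"    c 1 3
        [ -c "$root/dev/zero" ]    || mknod -m 666 "$root/dev/zero"    c 1 5
        [ -c "$root/dev/random" ]  || mknod -m 666 "$root/dev/random"  c 1 8
        [ -c "$root/dev/urandom" ] || mknod -m 666 "$root/dev/urandom" c 1 9
        # named runs as "bind" (-u bind) and must be able to write run/named.pid.
        chown bind:bind "$root/run" 2>/dev/null \
            || echo "note: no bind user, chown of $root/run skipped" >&2
    else
        echo "note: not root, device nodes under $root/dev not created" >&2
    fi
    # The symlink target MUST be relative so it resolves both inside the
    # jail (/run/named.pid) and from outside (ROOT/run/named.pid).
    ln -sfn ../../../run/named.pid "$root/var/run/named/named.pid"
}

# Prints the absolute path the pid-file symlink points at, as seen from
# outside the jail. Fails if the link is missing or its target is absolute.
resolve_pidfile_link() {
    root="$1"
    link="$root/var/run/named/named.pid"
    [ -L "$link" ] || return 1
    target=$(readlink "$link")
    case "$target" in
        /*) echo "absolute symlink target would break outside the chroot" >&2; return 1 ;;
    esac
    dir=$(cd "$(dirname "$link")/$(dirname "$target")" && pwd -P) || return 1
    echo "$dir/$(basename "$target")"
}

# Returns 0 when the tree has the pieces named needs and the pid link
# resolves to ROOT/run/named.pid (the path systemd's PIDFile= reads).
verify_chroot_tree() {
    root="$1"
    for d in dev run etc/bind var/run/named; do
        [ -d "$root/$d" ] || return 1
    done
    resolved=$(resolve_pidfile_link "$root") || return 1
    expect="$(cd "$root" && pwd -P)/run/named.pid"
    [ "$resolved" = "$expect" ]
}

# Usage: CHROOT_ROOT=/srv/dns sh build-chroot.sh
# (only acts when CHROOT_ROOT is set, so the file can also be sourced).
if [ -n "${CHROOT_ROOT:-}" ]; then
    build_chroot_tree "$CHROOT_ROOT" && verify_chroot_tree "$CHROOT_ROOT" \
        && echo "chroot tree at $CHROOT_ROOT looks consistent"
fi
```

After running it as root, the remaining steps from the post still apply: move /etc/bind into the tree and symlink it back, point rsyslog's imuxsock input at ROOT/dev/log, set OPTIONS="-u bind -t ROOT", and use the forking systemd drop-in with PIDFile=ROOT/run/named.pid.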