configure bind in chroot jail
Renzo Marengo
buckroger2011 at gmail.com
Wed Aug 6 09:35:15 UTC 2025
Hi greg,
I'm replacing an old DNS virtual server running old BIND with a new one.
So I thought I would build the same box with the same chroot, which gives me a jail
environment where *BIND is not able to access system files or outside data.*
But your words are making me think...*if you say it's not necessary.*
I installed Oracle Linux 9 with the 9.16.23-RH RPM package because it's the latest
available one.
On Fri 1 Aug 2025 at 10:08 Greg Choules <
gregchoules+bindusers at googlemail.com> wrote:
> Hi Renzo.
> This is not intended to sound negative. But why are you stuck on chroot?
> What benefit do you think it will bring you? It used to be the case (many
> years ago) that if you started BIND as root, it ran as root and chroot made
> sense then. But not anymore. It starts with some privilege, to scan
> interfaces etc. but then drops to a normal user, subject to the usual
> restrictions an OS should provide.
>
> I would suggest that, if you are really worried about losing control of a
> process, or it being used for remote access to your machine, or
> something (are either of these why you think you need chroot?) you should
> either/both run BIND in a VM or take a good look at your server and network
> security. But many people run BIND natively, without chroot, and have no
> problems.
>
> Cheers, Greg
>
> On Thu, 31 Jul 2025 at 20:46, Renzo Marengo <buckroger2011 at gmail.com>
> wrote:
>
>> I know what I want. I asked myself these questions many years ago when I
>> built this server. I am replacing this cache DNS server with a newer OS.
>>
>> On 31 Jul 2025, at 09:57, Ondřej Surý <ondrej at isc.org> wrote:
>>
>> Perhaps the question that you should explore first would be “Why?” and
>> not “How?”.
>>
>> Ondrej
>> --
>> Ondřej Surý — ISC (He/Him)
>>
>> My working hours and your working hours may be different. Please do not
>> feel obligated to reply outside your normal working hours.
>>
>> On 31. 7. 2025, at 8:58, Renzo Marengo <buckroger2011 at gmail.com> wrote:
>>
>>
>> Thank you very much, but my issue is to understand what first step I have
>> to do, considering that the following RPMs have just been installed:
>>
>> bind.x86_64
>> bind-chroot.x86_64
>> bind-dnssec-doc.noarch
>> bind-dnssec-utils.x86_64
>> bind-libs.x86_64
>> bind-license.noarch
>> bind-utils.x86_64
>>
>> e.g.
>> Is the chroot folder structure already set up?
>> Which service do I have to enable at boot? bind or bind-chroot?
>>
>>
>>
>> On Wed 30 Jul 2025 at 20:55 Danjel Jungersen via bind-users <
>> bind-users at lists.isc.org> wrote:
>>
>>>
>>> On 7/30/2025 1:11 PM, Renzo Marengo wrote:
>>> > I want to install the latest RPM of BIND (9.16.23-31) for Oracle Linux 9
>>> > to create a cache-only DNS server which is running in a chroot jail.
>>> > I installed several BIND packages, including bind-chroot.
>>> > What document do you suggest I follow to configure BIND in a chroot
>>> > jail?
>>> > Thanks
>>> >
>>> Setting up as caching / forwarder is pretty straightforward:
>>>
>>> In named.conf.options:
>>> recursion yes;
>>> allow-query { trusted; };
>>> allow-transfer { none; };
>>>
>>> forwarders { // From here
>>> 192.168.20.10; // Replace with the servers you want to use
>>> 192.168.20.11; // Same here
>>> };
>>> forward only; // to here - must be left out if you do not wish to use forwarders, i.e. the system will do all the work itself.
>>>
>>> dnssec-validation auto; // Check this setting before going online, may not suit your setup.
>>>
>>> listen-on-v6 { any; };
>>>
>>>
>>> In named.conf.local:
>>> acl "trusted" {
>>> 192.168.1.0/24; // Replace with your own IPs
>>> 192.168.20.15/32; // Replace with your own IPs
>>> 127.0.0.1/32;
>>> localhost;
>>> };
>>>
>>> I do not know anything about Red Hat, but as I understand it, Debian also
>>> uses chroot.
>>> I run Debian and have had zero issues with using the default setup.
>>>
>>> Best of luck!
>>> Danjel
>>> --
>>> Visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
>>> from this list
>>>
>>> ISC funds the development of this software with paid support
>>> subscriptions. Contact us at https://www.isc.org/contact/ for more
>>> information.
>>>
>>>
>>> bind-users mailing list
>>> bind-users at lists.isc.org
>>> https://lists.isc.org/mailman/listinfo/bind-users
>>>
>
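The caching/forwarder settings Danjel quotes in the thread above are small, but the `trusted` ACL is the line that decides whether the box becomes an open resolver, so it is worth generating and checking rather than hand-typing. The following is an added example, not code from the thread or from ISC: it renders the same settings (the `acl "trusted"`, `recursion yes`, `allow-query`, `allow-transfer { none; }`, `forwarders`, `forward only`, `dnssec-validation`, `listen-on-v6`) from Python data, validating each address first so that a stray `any`, a CIDR with host bits set, or `forward only` without any forwarders is rejected before it reaches named. All addresses are constructed sample values matching the ones in the quoted config; the function names are this example's own.

```python
"""Added example: render and sanity-check a BIND caching/forwarding config.

Not code from the mailing-list thread. It builds the named.conf settings
quoted above from Python data, validating every address first so a typo
cannot silently widen allow-query. Addresses are constructed sample values.
"""
import ipaddress
from typing import Sequence

# ACL keywords BIND understands that are safe in a trusted list.
# 'any' is deliberately rejected: a trusted ACL of 'any' is an open resolver.
_ACL_KEYWORDS = {"localhost", "localnets", "none"}


def parse_acl_entry(entry: str) -> str:
    """Normalise one ACL element: a keyword, a host address, or a CIDR network.

    A network with host bits set (e.g. 192.168.20.15/24) is rejected instead
    of being widened to 192.168.20.0/24, because that widening is usually a typo.
    """
    entry = entry.strip()
    if entry == "any":
        raise ValueError("refusing 'any' in the trusted ACL: that would create an open resolver")
    if entry in _ACL_KEYWORDS:
        return entry
    try:
        network = ipaddress.ip_network(entry, strict=True)
    except ValueError as exc:
        raise ValueError(f"invalid ACL entry {entry!r}: {exc}") from exc
    return str(network)  # a bare host becomes host/32 (or host/128 for IPv6)


def render_caching_config(
    trusted: Sequence[str],
    forwarders: Sequence[str] = (),
    forward_only: bool = False,
    dnssec_validation: str = "auto",
) -> str:
    """Return a named.conf fragment for a recursive caching (optionally forwarding) server."""
    acl_entries = [parse_acl_entry(e) for e in trusted]
    if not acl_entries:
        raise ValueError("trusted ACL must not be empty")
    forwarder_addrs = [str(ipaddress.ip_address(f.strip())) for f in forwarders]
    if forward_only and not forwarder_addrs:
        raise ValueError("'forward only' needs at least one forwarder, or the resolver cannot answer anything")
    if dnssec_validation not in ("auto", "yes", "no"):
        raise ValueError(f"dnssec-validation must be auto, yes or no, not {dnssec_validation!r}")

    # The acl must be defined before the options block that references it,
    # so it is emitted first regardless of how the caller ordered things.
    lines = ['acl "trusted" {']
    lines += [f"    {e};" for e in acl_entries]
    lines += [
        "};",
        "",
        "options {",
        "    recursion yes;",
        "    allow-query { trusted; };",
        "    allow-transfer { none; };",
    ]
    if forwarder_addrs:
        lines.append("    forwarders {")
        lines += [f"        {f};" for f in forwarder_addrs]
        lines.append("    };")
        if forward_only:
            lines.append("    forward only;")  # only meaningful with forwarders present
    lines += [
        f"    dnssec-validation {dnssec_validation};",
        "    listen-on-v6 { any; };",
        "};",
    ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample values mirroring the quoted configuration.
    print(render_caching_config(
        trusted=["192.168.1.0/24", "192.168.20.15/32", "127.0.0.1/32", "localhost"],
        forwarders=["192.168.20.10", "192.168.20.11"],
        forward_only=True,
    ))
```

Write the rendered fragment into the server's named configuration (or include it from there) and run `named-checkconf` on the result before restarting named; the Python checks catch address mistakes, while `named-checkconf` catches syntax and option errors that this script does not model. The ACL is emitted ahead of the options block because BIND requires an acl to be declared before a statement refers to it, which is the one ordering pitfall of splitting the settings across two files as in the quoted example.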