<div dir="ltr"><div>Hi greg,</div><div>I'm replacing old DNS virtual server with old Bind with new one.</div><div>So I thought to build the same box with the same chroot which gives me jail environment where <em>Bind is not able to access system files or outside data.</em></div><div>But your words are making me think...<em>if you say it's not necessary.</em></div><div>I installed Oracle Linux 9 with 9.16.23-RH rpm package because it's latest available one.</div><div></div><div><em><br></em></div><div><em><br></em></div></div><br><div class="gmail_quote gmail_quote_container"><div dir="ltr" class="gmail_attr">Il giorno ven 1 ago 2025 alle ore 10:08 Greg Choules <<a href="mailto:gregchoules%2Bbindusers@googlemail.com">gregchoules+bindusers@googlemail.com</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="ltr"><div>Hi Renzo.</div><div>This is not intended to sound negative. But why are you stuck on chroot? What benefit do you think it will bring you? It used to be the case (many years ago) that if you started BIND as root, it ran as root and chroot made sense then. But not anymore. It starts with some privilege, to scan interfaces etc. but then drops to a normal user, subject to the usual restrictions an OS should provide.</div><div><br></div><div>I would suggest that, if you are really worried about losing control of a process, or it being used for remote access to your machine, or something (are either of these why you think you need chroot?) you should either/both run BIND in a VM or take a good look at your server and network security. But many people run BIND natively, without chroot, and have no problems.</div><div><br></div><div>Cheers, Greg</div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">On Thu, 31 Jul 2025 at 20:46, Renzo Marengo <<a href="mailto:buckroger2011@gmail.com" target="_blank">buckroger2011@gmail.com</a>> wrote:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><div dir="auto"><div dir="ltr"></div><div dir="ltr">i know what I want. I asked myself these questions many years ago when I build this server. I am replacing this cache dns server with newer os. </div><div dir="ltr"><br><blockquote type="cite">Il giorno 31 lug 2025, alle ore 09:57, Ondřej Surý <<a href="mailto:ondrej@isc.org" target="_blank">ondrej@isc.org</a>> ha scritto:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr">Perhaps the question that you should explore first would be “Why?” and not “How?”. <div><br></div><div>Ondrej</div><div><div dir="ltr"><div>--</div>Ondřej Surý — ISC (He/Him)<div><br></div><div>My working hours and your working hours may be different. Please do not feel obligated to reply outside your normal working hours.</div></div><div dir="ltr"><br><blockquote type="cite">On 31. 7. 2025, at 8:58, Renzo Marengo <<a href="mailto:buckroger2011@gmail.com" target="_blank">buckroger2011@gmail.com</a>> wrote:<br><br></blockquote></div><blockquote type="cite"><div dir="ltr"><div dir="ltr"><div>Thank you very much but my issue is to understand what first step I have to do, considering that the following rpm are just installed:</div><div></div><div><br></div><div>bind.x86_64</div><div>bind-chroot.x86_64<br>bind-dnssec-doc.noarch<br>bind-dnssec-utils.x86_64<br>bind-libs.x86_64<br>bind-license.noarch<br>bind-utils.x86_64</div><div><br></div><div>e.g. </div><div>chroot folder structure is just set ?</div><div>what service I have to enable at boot ? Bind or bind-chroot ?</div><div><br></div><div><br></div></div><br><div class="gmail_quote"><div dir="ltr" class="gmail_attr">Il giorno mer 30 lug 2025 alle ore 20:55 Danjel Jungersen via bind-users <<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a>> ha scritto:<br></div><blockquote class="gmail_quote" style="margin:0px 0px 0px 0.8ex;border-left:1px solid rgb(204,204,204);padding-left:1ex"><br>
On 7/30/2025 1:11 PM, Renzo Marengo wrote:<br>
> I want to install latest rpm of Bind (9.16.23-31) for Oracle Linux 9 <br>
> to create only cache DNS server which is running in chroot jail.<br>
> I installed several Bind packages included bind-chroot.<br>
> What document do you suggest me to follow to configure bind in chroot <br>
> jail ?<br>
> Thanks<br>
><br>
Setting up as caching / forwarder is pretty straight forward:<br>
<br>
In named.conf.options :<br>
recursion yes;<br>
allow-query { trusted; };<br>
allow-transfer { none; };<br>
<br>
forwarders { // From here<br>
192.168.20.10; // Replace with the servers you want to use<br>
192.168.20.11; // Same here<br>
};<br>
forward only; // to here - must be left out if you do <br>
not wish to use forwarders, ie the system will do all the work itself.<br>
<br>
dnssec-validation auto; // Check this setting before going <br>
online, may not suit your setup.<br>
<br>
listen-on-v6 { any; };<br>
<br>
<br>
In named.conf.local:<br>
acl "trusted" {<br>
<a href="http://192.168.1.0/24" rel="noreferrer" target="_blank">192.168.1.0/24</a>; // Replace with your own ip's<br>
<a href="http://192.168.20.15/32" rel="noreferrer" target="_blank">192.168.20.15/32</a>; // Replace with your own ip's<br>
<a href="http://127.0.0.1/32" rel="noreferrer" target="_blank">127.0.0.1/32</a>;<br>
localhost;<br>
};<br>
<br>
I do not know anything about redhat, but as I understand, debian also <br>
uses chroot.<br>
I run debian and have had zero issues with using the default setup.<br>
<br>
Best of luck!<br>
Danjel<br>
-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>
<span>-- </span><br><span>Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list</span><br><span></span><br><span>ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" target="_blank">https://www.isc.org/contact/</a> for more information.</span><br><span></span><br><span></span><br><span>bind-users mailing list</span><br><span><a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a></span><br><span><a href="https://lists.isc.org/mailman/listinfo/bind-users" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a></span><br></div></blockquote></div></div></blockquote></div>-- <br>
Visit <a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a> to unsubscribe from this list<br>
<br>
ISC funds the development of this software with paid support subscriptions. Contact us at <a href="https://www.isc.org/contact/" rel="noreferrer" target="_blank">https://www.isc.org/contact/</a> for more information.<br>
<br>
<br>
bind-users mailing list<br>
<a href="mailto:bind-users@lists.isc.org" target="_blank">bind-users@lists.isc.org</a><br>
<a href="https://lists.isc.org/mailman/listinfo/bind-users" rel="noreferrer" target="_blank">https://lists.isc.org/mailman/listinfo/bind-users</a><br>
</blockquote></div>
</blockquote></div>