HowTo : Chrooted Bind for FreeBSD 5.3

interfasys

This configuration works for us. I'm no expert. Expecting feedback to improve it.

GOAL
Use the more secure chrooted bind environment that comes as default with FreeBSD >5.3

SYSTEM
FreeBSD >5.3 only.

LIST OF KNOWN PROBLEMS:
Are permissions on files and folders correct and secure?

DISCLAIMER:
Use at your own risk. This Howto could wipe your data or kill your server and neither I, nor interfaSys llc would be held responsible.
No support is available, I will try to update this Howto as soon as things change.

ACKNOWLEDGMENT:
Based on an email from Dr Matthew J Seaman MA, D.Phil. to the FreeBSD lists and scripts from Yikes2000.

HISTORY:
0.9.1, disabled recursion since I don't want my dns to be used to get info about other domain names (security).
0.9, included some fixes by Yikes2000 (reload, perl script) and some copy bugs.
0.8, initial release

//////////////////////////////////////////////////
Modify startup script
------------------------
# pico /etc/rc.conf

remove everything about named because everything is already in /etc/defaults/rc.conf

i.e.
--
named_enable="NO"
--
Create the localhost reverse DNS (optional)
------------------------
# cd /var/named/etc/namedb/
# ./make-localhost

Migrate old DNS data
------------------------
We move our old files out of the way (think backup)
# cd /etc
# cp namedb/*.db /var/named/etc/namedb/master
# cp namedb/rndc.* /var/named/etc/namedb
# mv namedb namedb.old


Change some permissions, just in case you don't have them right already
------------------------
# cd /var/named/etc
# chown -R bind:wheel namedb

Modify named.conf
------------------------
All the information you need for the rndc.key sections is in rndc.key (if you don't have a secret key, it will be generated at the first start).

# pico /var/named/etc/namedb/named.conf

1) Add or modify this at the top
--
key "rndc-key" {
algorithm hmac-md5;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";
};

controls {
inet 127.0.0.1 port 953
allow { 127.0.0.1; } keys { "rndc-key"; };
};

2) Add this to your options block:
version "";
recursion no;
3) Paste your zones from your original /etc/namedb.old/named.conf. We will upgrade them later on.
4) Comment out listen-on { 127.0.0.1; };
5) Comment out the IPv6 zones
--

Modify the paths in named.conf from /etc/namedb to /etc/namedb/master with this command:
# perl -pi -e 's#(/etc/namedb/)([^/]+\.db)#${1}master/$2#' named.conf

Create rndc.conf if it doesn't exist yet
# touch /var/named/etc/namedb/rndc.conf
--
# Start of rndc.conf
key "rndc-key" {
algorithm hmac-md5;
secret "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX=";
};
options {
default-key "rndc-key";
default-server 127.0.0.1;
default-port 953;
};
--

Check your config
------------------------
# cd /var/named/etc/namedb/
# named-checkconf named.conf && echo "Configuration OK"

Configure DirectAdmin
------------------------
# pico /usr/local/directadmin/conf/directadmin.conf

Modify to:
--
nameddir=/etc/namedb/master
--

Now we need to replace the original DA script
--
# pico /usr/local/directadmin/scripts/custom/named

paste this:
Code:
#!/bin/sh
if [ "$1" = "reload" ]; then
   /usr/sbin/rndc reload
else
   /etc/rc.d/named $1
fi

Place the script where DA can find it.
# cp /usr/local/directadmin/scripts/custom/named /usr/local/etc/rc.d/named
--

//////////////////////////////////////////////////
That's it.
You can now try:
# /usr/local/etc/rc.d/named restart
and the right folders and links should be created.

If everything is working fine you can see how it survives a reboot.
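As an added example (not code from the thread), a small sh script that checks a named.conf for the settings this guide adds (recursion no, empty version, rndc controls restricted to 127.0.0.1, listen-on commented out, zone files under master/) and performs the same zone-path rewrite with sed instead of perl. The sample config inside it is constructed.

```shell
#!/bin/sh
# Added example, not from the thread: audit a named.conf for the hardening
# settings recommended above and apply the guide's zone-path rewrite with sed
# rather than perl. The sample config at the bottom is constructed.

# Config lines that are not // comments, so a commented-out directive
# (e.g. listen-on) is not mistaken for an active one.
active_lines() { grep -v '^[[:space:]]*//' "$1"; }

# Same rewrite as the guide's perl one-liner: /etc/namedb/<zone>.db becomes
# /etc/namedb/master/<zone>.db. Safe to run twice: a path already under
# master/ has a slash after namedb/ and no longer matches.
rewrite_zone_paths() {
    sed 's#\(/etc/namedb/\)\([^/][^/]*\.db\)#\1master/\2#' "$1" > "$1.tmp" \
        && mv "$1.tmp" "$1"
}

# Print each missing or risky setting; return 0 only when nothing is found.
audit_named_conf() {
    conf="$1"; problems=0
    active_lines "$conf" | grep -q 'recursion[[:space:]]*no;' ||
        { echo "recursion still enabled: add 'recursion no;' to options"; problems=$((problems + 1)); }
    active_lines "$conf" | grep -q 'version[[:space:]]*"";' ||
        { echo "version string exposed: add 'version \"\";' to options"; problems=$((problems + 1)); }
    active_lines "$conf" | grep -q 'allow[[:space:]]*{[[:space:]]*127\.0\.0\.1;[[:space:]]*}[[:space:]]*keys' ||
        { echo "controls: rndc is not restricted to 127.0.0.1 with a key"; problems=$((problems + 1)); }
    if active_lines "$conf" | grep -q 'listen-on[[:space:]]*{[[:space:]]*127\.0\.0\.1;'; then
        echo "listen-on 127.0.0.1 is active: named will not answer outside queries"
        problems=$((problems + 1))
    fi
    if active_lines "$conf" | grep -q '/etc/namedb/[^/]*\.db'; then
        echo "zone files still referenced outside master/: run rewrite_zone_paths"
        problems=$((problems + 1))
    fi
    [ "$problems" -eq 0 ]
}

# Constructed sample resembling a freshly pasted named.conf before hardening.
SAMPLE=$(mktemp /tmp/namedconf.XXXXXX)
cat > "$SAMPLE" <<'EOF'
options { directory "/etc/namedb"; listen-on { 127.0.0.1; }; };
zone "example.com" { type master; file "/etc/namedb/example.com.db"; };
EOF
rewrite_zone_paths "$SAMPLE"
audit_named_conf "$SAMPLE" || echo "fix the items above before starting named"
rm -f "$SAMPLE"
```

Run it against /var/named/etc/namedb/named.conf after pasting your zones; every line it prints corresponds to one of the steps above.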
 
A lot of steps could be removed if one wouldn't want to use the master folder in namedb. I did it like that because it seems to be the "standard" way of doing things with Bind on FreeBSD 5.3 and it's a lot cleaner ;)
 
Good work, Olivier. With your guide, I set up chrooted Bind9 with DA on my "clean install" of FreeBSD 5.3 server. Some steps were slightly different - mainly, /etc/namedb is soft-linked to /var/named/etc/namedb in the "clean install." I also came up with a work-around for the reload problem.

Step 1. Configure the master zone as per the FreeBSD Handbook. This step is necessary for your server to reverse lookup '127.0.0.1', which should resolve to 'localhost.<your_domain>':

# cd /etc/namedb
# sh make-localhost

Step 2. Setup rndc. Same as Olivier did.

(Still in /etc/namedb)
# touch rndc.conf
# cat rndc.key >> rndc.conf
# ee rndc.conf
----- APPEND -----
Code:
options {
   default-key "rndc-key";
   default-server 127.0.0.1;
   default-port 953;
};
# cat rndc.key >> named.conf
# ee named.conf
----- APPEND -----
Code:
controls {
   inet 127.0.0.1 port 953
   allow { 127.0.0.1; } keys { "rndc-key"; };
};
Note: To enable external access of your DNS, be sure to comment out 'listen-on { 127.0.0.1; };' in named.conf.

Step 3. To fix reload, use this simple script, which calls /etc/rc.d/named for everything except reload, for which it runs 'rndc reload':

# ee /usr/local/directadmin/scripts/custom/named
Code:
#!/bin/sh
if [ $1 = "reload" ]; then
   /usr/sbin/rndc reload
else
   /etc/rc.d/named $1
fi
# cp /usr/local/directadmin/scripts/custom/named /usr/local/etc/rc.d/named

Step 4. (Optional) To move named DB files into the master directory, do the following:

# cd /etc/namedb
# mv *.db master
# perl -pi -e 's#(/etc/namedb/)([^/]+\.db)#${1}master/$2#' named.conf
# ee /usr/local/directadmin/conf/directadmin.conf
----- MODIFY -----
nameddir=/etc/namedb/master

Step 5. Stop old named and start the new chrooted named:

# ee /etc/rc.conf
----- APPEND -----
named_enable="YES"

# /usr/local/directadmin/scripts/named stop
# /usr/local/etc/rc.d/named start

That's it!
 
No, the above steps won't work for FreeBSD 4.x. A lot more work is needed. FreeBSD 5.2.1 and below (including 4.x) have Bind8 installed by default. To upgrade to Bind9, you need to install port net/bind9, but it isn't set up to run chroot. So you need to consult FreeBSD Handbook section 23.6.8 "Running named in a Sandbox" for that. Then you could use the above steps as a guide (as some directories will be located in different paths) to copy old named DB files over to Bind9. And the 'reload work-around' above will need to be modified to run the port Bind9. Unless you're experienced with Unix, I wouldn't recommend you try it.
 
Added recursion no; to named.conf so that our dns cannot be used by outside parties to get info on external domains.
 
Great idea, Olivier, and one well worth others considering as well.

Don't forget, though, that if you do that your /etc/resolv.conf file cannot use your own nameserver.

Jeff
 
Tip for the script: I suggest altering it to the following:

#!/bin/sh
if [ "$1" = "reload" ]; then
   /usr/sbin/rndc reload
else
   /etc/rc.d/named $1
fi

The quotes around the $1 prevent an error when executing with no parameters, and just runs the /etc/rc.d one.
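An added, stricter variant of this wrapper (example code, not from the thread or from DirectAdmin): it quotes "$1" as suggested and additionally accepts only the actions the rc script understands, so an empty or unexpected argument is reported instead of being handed on. The rndc and rc.d paths are the guide's; the RNDC and RCSCRIPT override variables are names chosen here.

```shell
#!/bin/sh
# Added example, not from the thread: a stricter version of the DirectAdmin
# wrapper above. Besides quoting "$1", it accepts only the actions the rc
# script understands, so an empty or unexpected argument is reported instead
# of being passed through. RNDC and RCSCRIPT default to the guide's paths.
RNDC=${RNDC:-/usr/sbin/rndc}
RCSCRIPT=${RCSCRIPT:-/etc/rc.d/named}

# Map an action to the command to run: reload goes through rndc (which
# needs the controls/key setup from the guide), everything else to the rc
# script. Prints the command and returns 0, or prints nothing and returns 2.
named_command() {
    case "$1" in
        reload)                    echo "$RNDC reload" ;;
        start|stop|restart|status) echo "$RCSCRIPT $1" ;;
        *)                         return 2 ;;
    esac
}

# Run the mapped command; a usage error goes to stderr with exit code 2.
named_dispatch() {
    cmd=$(named_command "$1") || {
        echo "usage: $0 {start|stop|restart|status|reload}" >&2
        return 2
    }
    $cmd   # word-splitting is intended: "$RCSCRIPT start" -> two words
}

# Dispatch only when an argument was given, so the file can also be sourced
# for its functions without side effects.
if [ $# -gt 0 ]; then
    named_dispatch "$1"
fi
```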
 
What's wrong with doing it this way...

As root:

cd /
mkdir /bind
mkdir /bind/etc
chown -R bind:bind /bind
chmod -R 755 /bind

In rc.conf:

named_enable="YES"
named_flags="-u bind -g bind -t /"



Or I suppose for directadmin, in the 'named' rc script in /usr/local/etc/rc.d/named you could change the line from:

echo -n "Starting Named: ";
daemon /usr/sbin/named -u bind

to

echo -n "Starting Named: ";
daemon /usr/sbin/named -u bind -g bind -t /

??

Question for directadmin team: in your rc script 'named', if you do a restart (/usr/sbin/ndc restart) is it still going to use the -u bind?

Keep in mind.... the /bind and /bind/etc directory are just the empty sandbox. Everything is really stored in /etc/namedb as usual. :D
 
Restart it using the non-privileged user and group:

# ndc -p /var/named/named.pid start -u bind -g bind

Note that when not running as the root user, named will lose the
ability to re-bind to interfaces which change address, or which are
added to the system after named has been started. If such an event
takes place, named will need to be stopped and restarted in order to
re-bind to the interface(s). See the ndc(8) manual page for more
information about how to do this.

Use of the -t option to named will also increase security when run as
a non-privileged user by confining the named process to a chroot
environment and thereby partially limiting the access it has to the
rest of the system. Configuration of these options is beyond the
scope of the advisory. The following website contains information
which may be useful to administrators wishing to perform this step:

http://www.losurs.org/docs/howto/Chroot-BIND.html

Note that this tutorial does not specifically relate to FreeBSD, and
the information contained therein may need to be modified for FreeBSD
systems.

Some more information & the thing that had/has me thinking about the way ndc is used by DA.
 