Setup chroot for bind 9 in FreeBSD 10
19 February 2014

Simple instructions if you are upgrading from FreeBSD 8.x or 9.x

FreeBSD 10 was released a few days ago, and this new version comes with lots of new stuff (take a look at the release notes to learn more about it).

One of those changes is the removal of BIND from the base system, where it has been replaced by Unbound. More information about this move from the FreeBSD project can be found here:

You may also find this thread from the freebsd-stable mailing list interesting:

http://blog.des.no/2013/09/dns-again-a-clarification/

(also available here: http://marc.info/?t=138606115200005&r=2&w=2)

There, some people complain about the differences between the scripts and setup we had in the base system and what is available in the bind9 port. Setting up a chrooted DNS server was quite easy when BIND was in the base system, as the configuration files and rc.d scripts were already prepared for such a setup, but it seems that what is installed by the port does not handle that so well.

Or so it seems...

These are the steps I followed to keep my BIND servers chrooted after upgrading to FreeBSD 10:

Warning: The following assumes you have a default BIND setup, chrooted under /var/named and with all the config files in /etc/namedb, which should be a symbolic link to /var/named/etc/namedb.

  1. Install BIND 9.x from ports:

    cd /usr/ports/dns/bind99 && sudo make install clean
    

    or, if you prefer to use pre-built packages:

    sudo pkg install bind99
    
  2. The port/package will install the configuration files under /usr/local/etc/namedb, move them aside:

    sudo mv /usr/local/etc/namedb /usr/local/etc/namedb.default
    
  3. Link the existing configuration from our previously chrooted setup to the place where the port will look for them:

    sudo ln -s /var/named/etc/namedb /usr/local/etc/namedb
    
  4. Now, as the configuration files have been moved from /etc/namedb to /usr/local/etc/namedb, we have to recreate that path inside the chroot environment, so that the management scripts will find the configuration files:

    sudo mkdir -p /var/named/usr/local
    
    cd /var/named/usr/local && sudo ln -s ../../etc .
    
  5. Remove the old link under /etc:

    sudo rm /etc/namedb
    
  6. Create a custom devfs ruleset to be used with our chroot environment, adding the following to /etc/devfs.rules:

    # Custom rules for the named chroot dev
    [devfsrules_named_chroot=4]
    add hide
    add path run unhide
    add path random unhide
    
  7. Mount the devfs filesystem from the chroot environment. First add the following to /etc/fstab:

    devfs             /var/named/dev  devfs   rw,ruleset=4      0     0
    

    Then mount it:

    sudo mount /var/named/dev
    
  8. Enable chroot when starting BIND, adding the following line to /etc/rc.conf:

    named_flags="-t /var/named"
    

    You don't have to set the -u flag, because it is already passed by the rc.d script (user bind).

  9. Fix the /usr/local/etc/rc.d/named script, so it will be able to find the proper pidfile when stopping the daemon. Add the following line inside the named_stop() function, just below find_pidfile:

    test "${named_flags#*-t}" != "$named_flags" && pidfile="/var/named${pidfile}"
    

    This checks for the presence of the -t flag in the provided flags and, if it is there, prepends the path of our chroot directory to the existing pid file path.

  10. Start BIND:

    sudo /usr/local/etc/rc.d/named start
    

et voilà, BIND should be running now, chrooted under /var/named as user bind, just like in your previous setup.
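As an added example, not part of the original post, the following sh script rebuilds the symlink layout of steps 2 to 5 under a scratch directory and checks that /usr/local/etc/namedb/named.conf resolves to the same file from outside the chroot (where the rc.d script runs named-checkconf) and from inside it (where named runs after chroot). It also checks a named.conf "directory" value from both vantage points, which is why a leftover "/etc/namedb/working" fails once /etc/namedb is removed in step 5, and reproduces the pidfile adjustment of step 9. The scratch root, the constructed named.conf and the chroot_pidfile function are assumptions of this example; chroot_pidfile goes beyond the post's one-liner by reading the directory that follows -t instead of hardcoding /var/named.

```shell
#!/bin/sh
# Added example, not part of the original post: rebuild the symlink layout of
# steps 2-5 under a scratch directory and check that the configuration
# resolves to the same file inside and outside the chroot, then reproduce the
# pidfile adjustment of step 9. Everything lives under the scratch root, so
# the real system is untouched and no root privileges are needed.

# Build the layout under $1, a scratch directory standing in for "/".
# The chroot is $1/var/named, matching /var/named in the post.
build_layout() {
    root="$1"
    mkdir -p "$root/var/named/etc/namedb/working" \
             "$root/var/named/usr/local" \
             "$root/usr/local/etc"
    # Constructed stand-in for the existing named.conf.
    printf 'options { directory "/usr/local/etc/namedb/working"; };\n' \
        > "$root/var/named/etc/namedb/named.conf"
    # Step 3 (outside the chroot): /usr/local/etc/namedb -> /var/named/etc/namedb.
    # The target is absolute in the post; here it is prefixed with the scratch root.
    ln -s "$root/var/named/etc/namedb" "$root/usr/local/etc/namedb"
    # Step 4 (inside the chroot): /usr/local/etc -> ../../etc, i.e. /etc.
    ( cd "$root/var/named/usr/local" && ln -s ../../etc . )
    # Step 5: there is no /etc/namedb outside the chroot (never created here).
}

# Where /usr/local/etc/namedb/named.conf ends up when opened outside the
# chroot, which is what named-checkconf in the rc.d script does.
outside_conf() { readlink -f "$1/usr/local/etc/namedb/named.conf"; }

# The same path as named sees it after chroot(2): the chroot root plus the
# in-chroot path. readlink -f follows the relative ../../etc link.
inside_conf() { readlink -f "$1/var/named/usr/local/etc/namedb/named.conf"; }

# Check a named.conf "directory" value from both vantage points. named-checkconf
# runs outside the chroot, named itself inside, so the directory has to exist
# in both places. Prints ok, missing:outside or missing:inside.
directory_ok() {
    root="$1"; dir="$2"
    if [ ! -d "$root$dir" ]; then echo "missing:outside"
    elif [ ! -d "$root/var/named$dir" ]; then echo "missing:inside"
    else echo ok; fi
}

# Step 9: prefix the pidfile with the chroot directory when named_flags
# carries -t. The post hardcodes /var/named; this version (an assumption of
# the example) reads the directory that follows -t, so it also works for
# "-t /some/other/root".
chroot_pidfile() {
    flags="$1"; pidfile="$2"
    case "$flags" in
        *-t*)
            rest="${flags#*-t}"      # everything after the first -t
            rest="${rest# }"         # drop the separating space, if any
            echo "${rest%% *}$pidfile" ;;   # first word is the chroot dir
        *)  echo "$pidfile" ;;
    esac
}

# Demonstration on a throwaway root.
demo_root=$(mktemp -d)
build_layout "$demo_root"
echo "outside: $(outside_conf "$demo_root")"
echo "inside:  $(inside_conf "$demo_root")"
echo "directory /usr/local/etc/namedb/working: $(directory_ok "$demo_root" /usr/local/etc/namedb/working)"
echo "directory /etc/namedb/working:           $(directory_ok "$demo_root" /etc/namedb/working)"
echo "pidfile with -t:    $(chroot_pidfile '-t /var/named' /var/run/named/pid)"
echo "pidfile without -t: $(chroot_pidfile '' /var/run/named/pid)"
rm -rf "$demo_root"
```

The two readlink calls should print the same file, and the "/etc/namedb/working" directory should report missing:outside, which is the situation behind the "change directory to '/etc/namedb/working' failed" error discussed in the comments: named itself could reach that path inside the chroot, but named-checkconf, run by the rc.d script before the chroot happens, cannot.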

UPDATE 2014-02-25: Added the mount of the devfs filesystem as mentioned by APz in the comments.

Posted by wu at 13:08 | Comments (12) | Trackbacks (0)
Comments
Re: Setup chroot for bind 9 in FreeBSD 10

I managed to completely miss the disappearance of bind from the base system at 10.0. I came to a very same spirited conclusion as you did, pulling bind 9.9 from the ports and then stabbing the init script to find the pid-file, except I just overrode the variable and pointed it directly to the correct file.

One thing however remains; doesn't the newly set up chroot directly still need a limited devfs on it?

Posted by: APz at February 23, 2014 16:01
Re: Setup chroot for bind 9 in FreeBSD 10

>
> One thing however remains; doesn't the newly set up chroot directly still need a limited devfs on it?
>

Good point. I forgot about that part. It seems named starts without complain even without that special devfs, but I've updated the post to reflect the mount of the existing devfs too.

Thanks a lot!

Posted by: Wu at February 25, 2014 09:12
Re: Setup chroot for bind 9 in FreeBSD 10

Just had my VPS go tits up on me, spent most of yesterday getting it back to the way I wanted. I was warned that bind was missing from 10-base, which was fine. Pulled bind99 from ports and used your guide from above to adjust it for a chroot. But I encountered this and I'm confused as to how to get past it;

/usr/local/etc/namedb/named.conf:2: change directory to '/etc/namedb/working' failed: file not found

/usr/local/etc/namedb/named.conf:2: parsing failed
/usr/local/etc/rc.d/named: ERROR: named-checkconf for $named_conf failed

Posted by: Christopher at April 25, 2014 16:35
Re: Setup chroot for bind 9 in FreeBSD 10

@Christopher: check your named.conf file for directive/line like this:


directory "/etc/namedb/working";


Sounds like that to me, maybe you can post your config files and the contents of /usr/local/etc and /var/named here:

http://paste.e-shell.org

So I can take a look?

Posted by: Wu at April 25, 2014 18:02
Re: Setup chroot for bind 9 in FreeBSD 10

Here ya go; http://paste.e-shell.org/bash873742102

Posted by: Christopher at April 25, 2014 19:07
Re: Setup chroot for bind 9 in FreeBSD 10

Try replacing this line from your named.conf:


directory "/etc/namedb/working";


with:


directory "/usr/local/etc/namedb/working";


In my configs I have this value for that:


directory "/usr/local/etc/namedb";


(which was "/etc/namedb" when running bind from base).

Posted by: Wu at April 27, 2014 07:59
Re: Setup chroot for bind 9 in FreeBSD 10

Have you come up with a way to make the changes to the init script a bit more permanent? While everything has worked fine with my lone FreeBSD 10 name server, I'm considering on upgrading the others from 9-series to 10 in the near future and changing the configuration file on every upgrade will start to feel like a chore.

I wonder if a feature request should be filed, adding either an option for the chroot path, which would change the pid file path, or a variable for defining a custom pid file altogether.

Posted by: APz at July 05, 2014 11:13
Re: Setup chroot for bind 9 in FreeBSD 10

Good article. Only inconsistency that was a pain to work through was the configuration of devfs. Devfs rules don't get passed through fstab, at least not in 10.0..

You will want to set up your mount point with fstab, and then add to your rc.conf:

devfs_set_rulesets="/var/named/dev=devfsrules_named_chroot"

devfsrules_named_chroot being the rule name that was entered into /etc/devfs.rules.

Thanks!

Posted by: Daniel Keery at July 07, 2014 14:50
Re: Setup chroot for bind 9 in FreeBSD 10

thanks for the great how-to, esp the devfs stuff.

but I couldn't get named up without

mkdir /var/named/dev

Len

Posted by: Len Connrad at July 23, 2014 16:22
Re: Setup chroot for bind 9 in FreeBSD 10

In 10.0 there is already a good devfs ruleset in /etc/defaults/devfs.rules:

[devfsrules_jail=4]

This one can be used as-is without touching /etc/devfs.rules

And devfs rules DO get passed via fstab, you just need to install the OS patch of 2014-04-30:
https://www.freebsd.org/security/advisories/FreeBSD-SA-14:07.devfs.asc


Posted by: rustyx at August 27, 2014 15:38
Re: Setup chroot for bind 9 in FreeBSD 10

Thanks for this -- works, mostly, for me.

My setup required one change in step 3. The existing named.conf from FreeBSD 9.x has this directive:

directory "/etc/namedb/working";

This required me to re-symlink /var/named/etc/namedb to /etc/namedb -- bind would not start without that step.

With that symlink in place, everything works fine. Thanks again!

Posted by: David Newman at October 17, 2014 00:14
Re: Setup chroot for bind 9 in FreeBSD 10

Actually it's much simpler, you just need to set up the directories and the named_chrootdir flag in /etc/rc.conf, as described in the attached URL (I don't know whether it is viewable).
But anyway, thank you!

Posted by: Denis at August 10, 2015 12:22