Running BIND9 in a chroot cage using NetBSD 1.6.2

Tim Roden, othyro@freeshell.org

Preface

This article serves as an update to these two papers:

This document does not explain anything more than successfully running BIND9 in a chroot cage under NetBSD. More advanced security measures are not covered. Please note this article was written and tested on NetBSD/alpha.

Installing the BIND9 package

BIND9 can be installed via pkgsrc or from the binary package. Using pkgsrc:

# cd pkgsrc/net/bind9
# make depend
# make
# make install


If circumstances prevent the use of pkgsrc, the most current BIND9 tarball can be found on ftp.netbsd.org in the /pub/NetBSD/packages/ directory.

Setting up a chroot cage in /var/chroot/named

With NetBSD 1.6.2, the named user already exists and the chroot environment is almost completely set up for us. Now we must add a couple of files. Inside the chroot cage, the named user will need access to the device files null and random. As the parameters passed to 'mknod' for some devices may differ among NetBSD ports, view /dev/MAKEDEV to find the correct major and minor device numbers for your machine.

# cd /var/chroot/named
# mknod dev/null c 2 2
# mknod dev/random c 39 0
# chmod 666 dev/null
# chmod 444 dev/random


We also need a secret rndc key for TSIG-style authentication. I recommend using rndc-confgen to generate a secret key and then adding that key to /etc/rndc.key:

# rndc-confgen -b 512 -r /dev/random

The file /etc/rndc.key should contain at least these lines:

key "rndc-key" {
algorithm hmac-md5;
secret "kgV/pkFUVP+6KwCjjLVJz/wVAPYTzcjEV1ccko4EVkSUv7VP67GqZ3DtPNcyJehlWU+r9pMk9qRvTiV0jWSQWQ==";
};


Now, let's add some options to /etc/named.conf:

options {
directory "/etc/namedb";
pid-file "/var/run/named.pid";
version "Your DNS";
};


And now, let's finish copying the necessary files:

# chgrp named /etc/rndc.key
# chmod 640 /etc/rndc.key /etc/named.conf
# cp -p /etc/rndc.key /var/chroot/named/etc
# cp -p /etc/namedb/* /var/chroot/named/etc/namedb
# cp -p /etc/named.conf /var/chroot/named/etc


Create the file /etc/rc.conf.d/named and add these two lines:

command="/usr/pkg/sbin/named"
pidfile='/var/chroot/named/var/run/named.pid'

Make sure /etc/rc.conf or /etc/defaults/rc.conf (whichever you use) has these lines:

named=YES
named_flags="-u named -t /var/chroot/named"
# see below for named_chrootdir
#named_chrootdir="/var/chroot/named"

Starting named

The named process is now ready to run in a chroot cage! Using NetBSD's fantastic rc.d system, the quickest way to start named is:

# /etc/rc.d/named start

This command will show whether the setup has worked (note the -t flag in the process arguments):

# ps -auwx | grep named
named 1288 0.0 0.7 1616 4352 ?? Ss 3:35PM 0:11.97 /usr/pkg/sbin/named -u named -t /var/chroot/named
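
As an added example (not from the original article), the following POSIX sh script checks a cage built as described above: that dev/null and dev/random are real character devices rather than files created by mistake with touch or cp, that rndc.key is not world-readable, and that the directory and pid-file options in named.conf point at paths that exist inside the cage. The cage root is passed as an argument and the script name check_cage.sh is hypothetical.

```sh
#!/bin/sh
# Sanity checks for a BIND9 chroot cage laid out as described above.
# Added example, not part of the original article; the cage root is
# passed as an argument (e.g. /var/chroot/named) so nothing is hard-coded.

# dev/null and dev/random must be real character devices; a file created
# with touch or cp instead of mknod would silently break named.
check_dev_node() {  # $1 = path that must be a character device
    [ -c "$1" ]
}

# The key (and config) must exist and must not be world-readable.
check_private_file() {  # $1 = file
    [ -f "$1" ] || return 1
    # POSIX find: -perm -004 matches when the "other read" bit is set
    [ -z "$(find "$1" -perm -004)" ]
}

# Print the value of a quoted option (directory, pid-file) from named.conf.
conf_option() {  # $1 = named.conf, $2 = option name
    sed -n "s/^[[:space:]]*$2[[:space:]]*\"\([^\"]*\)\".*/\1/p" "$1" | head -n 1
}

# named resolves the paths in named.conf relative to its new root, so both
# the zone directory and the pid-file's directory must exist inside the cage.
check_conf_paths() {  # $1 = cage root, $2 = named.conf inside the cage
    dir=$(conf_option "$2" directory)
    pid=$(conf_option "$2" pid-file)
    [ -n "$dir" ] && [ -d "$1$dir" ] || return 1
    [ -n "$pid" ] && [ -d "$1$(dirname "$pid")" ]
}

# Run every check against one cage root; prints a line per failure and
# returns 0 only when all checks pass.
audit_cage() {  # $1 = cage root
    rc=0
    for dev in null random; do
        check_dev_node "$1/dev/$dev" || { echo "$1/dev/$dev is not a char device"; rc=1; }
    done
    check_private_file "$1/etc/rndc.key" ||
        { echo "$1/etc/rndc.key is missing or world-readable"; rc=1; }
    [ -f "$1/etc/named.conf" ] || { echo "$1/etc/named.conf is missing"; rc=1; }
    check_conf_paths "$1" "$1/etc/named.conf" ||
        { echo "paths in named.conf do not exist under $1"; rc=1; }
    return $rc
}

# Usage: sh check_cage.sh /var/chroot/named
[ $# -gt 0 ] && audit_cage "$1"
```

Run it as root after the copy steps and before starting named; a non-zero exit means at least one of the listed conditions is not met.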


References and Credits

Please read the two articles cited at the beginning of this document, /dev/MAKEDEV, and the following manual pages:

Thanks to all the sites that helped distribute this information by linking to this article. Special thanks to Martti Kuparinen for helping troubleshoot a previous configuration.
