Installing BIND version 9 in a chroot jail

revised 28-Jul-2005

DNS provides the core service of name to IP address mapping. It is used throughout the Internet for translating human-readable names into the IP addresses that the network hardware can route. BIND (the Berkeley Internet Name Daemon) is the most ubiquitous implementation of DNS. Over the past years BIND has undergone many updates and has had its share of security problems. This trend is not expected to change in the near future, so extra security precautions are needed on the DNS (BIND) servers that are directly exposed to the Internet.

In an effort to reduce the risk and contain the damage caused by as yet unknown or undiscovered bugs in BIND, we can quarantine the execution environment in a chroot jail. A program that is started using the chroot command is started with the filesystem root specified on the command line. This isolates the execution of that process (and all subprocesses) to that directory and below. While it is theoretically possible to break out of this sort of jail, it is not part of the script-kiddie arsenal (yet); therefore, this method provides a form of a priori bug protection (if you will). Additionally we will take advantage of BIND's capability to run setuid as a non-privileged user.

This procedure covers creation of a chroot jail for the Solaris 7 OS. (The addendum at the bottom of this document covers the specifics for Debian Linux.) To start off we need to decide where to house the jails for various executables. (I am taking the generic approach in that there may be other programs that could use this method for additional security.) I have adopted /opt/jails as the base directory. In this case we'll put BIND in /opt/jails/bind. Note: this procedure is only used to protect BIND instances on external DNS servers.

  1. System File Preparation
    1. Create a pseudo-user called bind with the UID of 51000 in /etc/passwd and /etc/shadow (use /bin/false as the login shell)
    2. Create a group called bind with the GID of 51000 in /etc/group
    3. mkdir /opt/jails
    4. chown root:other /opt/jails
    5. chmod 700 /opt/jails
    6. mkdir /opt/jails/etc
    7. chown root:other /opt/jails/etc
    8. chmod 700 /opt/jails/etc
  2. Create the BIND jail
    1. mkdir /opt/jails/bind
    2. chown bind:bind /opt/jails/bind
    3. chmod 755 /opt/jails/bind
    4. cd /opt/jails/bind
    5. mkdir bin dev etc opt tmp usr var
    6. chown root:other bin dev etc opt tmp usr var
    7. chmod 755 bin dev etc opt usr var
    8. chmod 777 tmp
    9. chmod o+s tmp
    10. mkdir opt/named usr/lib var/adm var/tmp
    11. chown bind:bind opt/named var/adm
    12. chmod 750 opt/named
    13. chown root:other usr/lib var/tmp
    14. chmod 755 usr/lib
    15. chmod 770 var/adm
    16. chmod 777 var/tmp
    17. chmod o+s var/tmp
  3. Fill in OS required portion of the BIND jail
    1. Setup bin directory
      • cd /opt/jails/bind/bin
      • cp /bin/sh .
      • cp /bin/false .
      • chown bin:bin sh false
      • chmod 555 sh false
    2. Create the needed devices
      • cd /opt/jails/bind/dev
      • mknod conslog c 21 0
      • mknod log c 21 5
      • mknod null c 13 2
      • mknod syscon c 0 0
      • mknod zero c 13 12
      • chmod 666 conslog null zero
      • chmod 640 log
      • chmod 620 syscon
      • chown root:other log null zero
      • chown root:sys conslog
      • chown root:tty syscon
    3. Setup system configuration files
      • cd /opt/jails/bind/etc
      • cp /etc/group .
      • remove all entries except root other bin sys tty and bind
      • cp /etc/hosts .
      • cp /etc/nsswitch.conf .
      • cp /etc/resolv.conf .
      • cp /etc/passwd .
      • remove all entries except root sys bind
      • cp /etc/shadow .
      • remove all entries except root sys bind
      • lock all entries with the *LK* passwd string
      • set the ageing info to 6445 for all entries
      • chmod 444 group hosts nsswitch.conf passwd resolv.conf
      • chmod 400 shadow
      • chown root:sys group hosts nsswitch.conf
      • chown root:other passwd resolv.conf shadow
    4. Copy the needed libraries
      • cd /opt/jails/bind/usr/lib
      • cp /usr/lib/ld.so.1 .
      • cp /usr/lib/libc.so.1 .
      • cp /usr/lib/libdl.so.1 .
      • cp /usr/lib/libl.so.1 .
      • cp /usr/lib/libmp.so.1 .
      • cp /usr/lib/libmp.so.2 .
      • cp /usr/lib/libnsl.so.1 .
      • cp /usr/lib/libpthread.so.1 .
      • cp /usr/lib/libsocket.so.1 .
      • cp /usr/lib/libthread.so.1 .
      • cp /usr/lib/nss_files.so.1 .
      • chmod 755 *
      • chown bin:bin l*
  4. Install the following BIND9 executables from omni. If you have installed the ISCbind9 package (which you should have by now, 29-Jul-2005), then simply move (or copy) the whole /opt/ISCbind9 directory into the .../opt directory of the jail area.
    1. /usr/local/bind-9.1.0/bin/named/named to /opt/jails/bind/bin
    2. /usr/local/bind-9.1.0/bin/check/named-checkconf to /opt/jails/bind/bin
    3. /usr/local/bind-9.1.0/bin/check/named-checkzone to /opt/jails/bind/bin
    4. /usr/local/bind-9.1.0/contrib/chroot/S73bind to /opt/jails/bind/etc
  5. Strip the symbol tables off
    1. strip /opt/jails/bind/bin/named
    2. strip /opt/jails/bind/bin/named-checkconf
    3. strip /opt/jails/bind/bin/named-checkzone
  6. Install the zone data and config files into /opt/jails/bind/opt/named - Note: this describes the general file layout and intent, but not the specifics of how to create the zone data (see http:/// for configuration info).
    1. Create a symlink to the real configuration file, so BIND will start....
    2. cd /opt/jails/bind/etc
    3. ln -s ../opt/named/named.conf named.conf
    4. The following directory structure will be used to house the zone data and configuration files:
    5. conf - holds the include files for named.conf
    6. in-addr - holds the reverse DNS zone data files
    7. legacy - holds the legacy zone data, such as xylan.com
    8. master - holds the master zone data, such as ind, localhost
    9. slave - holds the secondary data, this comes from a primary server
    10. vanity - holds the vanity zone data, such as omnipcx.com
    11. mkdir conf
    12. mkdir in-addr
    13. mkdir legacy
    14. mkdir master
    15. mkdir slave
    16. mkdir vanity
    17. The generic named.conf file will hold configuration data that is common across all zones that are served, while zone-specific configuration data will be held in include files located in the conf directory. The naming convention for the include files is conf.DIR-NAME, where DIR-NAME is one of in-addr, legacy, master, or vanity. The common configuration shall include:
    18. ACLs to define internal hosts, DMZ hosts, classes of nameservers.
    19. An ACL that describes the 'bogon' networks, i.e. those IP blocks that are NOT valid in Internet space.
    20. recursion shall be disabled
    21. version data shall be forged to avoid divulging real BIND version
    22. glue record fetching shall be disabled
    23. zone transfers shall be restricted to properly delegated nameservers
    24. the 'bogon' networks shall be blackholed
    25. logging channels shall be enabled for both security and lame-servers that report back to the syslog host
  7. Configure startup scripts
    1. Comment out the bind startup lines in /etc/init.d/inetsvc
    2. cp /opt/jails/etc/S73bind /etc/rc2.d
  8. Test BIND
  9. Post-install
    1. Ensure that the chroot area is maintained at the current revision levels for security patches that affect the usr/lib and bin files.
    2. Maintain BIND executables as required.
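The common named.conf described in step 6 (items 17 to 25), written out as an added example rather than the page's own configuration file. The address blocks in the internal, dmz and ns-peers ACLs are RFC 5737 documentation placeholders, the bogon list is abbreviated, and the pid-file location in var/adm is an assumption.

```shell
#!/bin/sh
# write_named_conf FILE: writes the common (zone-independent) part of named.conf.
# Paths are as seen from inside the jail, where named runs with / = /opt/jails/bind.
write_named_conf() {
    cat > "$1" <<'EOF'
acl internal { 192.0.2.0/24; };             // placeholder: internal hosts
acl dmz      { 198.51.100.0/24; };          // placeholder: DMZ hosts
acl ns-peers { 203.0.113.1; 203.0.113.2; }; // placeholder: delegated secondaries
// Abbreviated bogon list: address space that must never appear as a source
// on the Internet (RFC 1918 and other special-use blocks).
acl bogon {
    0.0.0.0/8; 10.0.0.0/8; 127.0.0.0/8; 169.254.0.0/16;
    172.16.0.0/12; 192.168.0.0/16; 224.0.0.0/3;
};
options {
    directory "/opt/named";         // zone data lives in opt/named inside the jail
    pid-file "/var/adm/named.pid";  // assumption: var/adm is the bind-writable dir
    recursion no;                   // authoritative only on the external server
    version "not disclosed";        // forged version string
    // BIND 9 never fetches glue; the BIND 8 fetch-glue option is obsolete in BIND 9.
    allow-transfer { ns-peers; };   // only properly delegated nameservers may AXFR
    blackhole { bogon; };           // packets from bogon space are dropped outright
};
logging {
    // syslog works inside the jail because dev/log was created in step 3.2.
    channel security_log { syslog daemon; severity info; print-category yes; };
    category security     { security_log; };
    category lame-servers { security_log; };
};
include "/opt/named/conf/conf.master";
include "/opt/named/conf/conf.in-addr";
include "/opt/named/conf/conf.legacy";
include "/opt/named/conf/conf.vanity";
EOF
}
```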
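An added audit script for step 8 and the post-install upkeep in step 9; it is not part of the original procedure. It assumes the layout built above (jail root /opt/jails/bind, etc/shadow, the etc/named.conf symlink from step 6.3) and checks the ownership and mode invariants the procedure establishes, so it can be rerun after every patch or package update.

```shell
#!/bin/sh
# Added post-install audit, not part of the original procedure. POSIX sh:
# on Solaris 7 run it with ksh or /usr/xpg4/bin/sh rather than Bourne /bin/sh.
# Usage: audit_jail /opt/jails/bind [owner]  (owner of system files, default root)
# Returns 0 when every check passes; each violation is printed on stderr.

# "MODE OWNER GROUP" of a path via ls -ld, which Solaris 7 and Linux both have
# (stat(1) does not exist on Solaris 7). Linux may append '.' or '+' to MODE.
mog() { set -- $(ls -ld "$1"); echo "$1 $3 $4"; }
fail() { echo "FAIL: $*" >&2; failures=$((failures + 1)); }

audit_jail() {
    jail=$1; want_owner=${2:-root}; failures=0
    [ -d "$jail" ] || { fail "$jail is not a directory"; return 1; }
    # shadow is readable by its owner only (chmod 400 in step 3.3).
    set -- $(mog "$jail/etc/shadow")
    case $1 in -r[w-]-------*) ;; *) fail "etc/shadow mode $1, want 400" ;; esac
    [ "$2" = "$want_owner" ] || fail "etc/shadow owned by $2, want $want_owner"
    # Nothing in the jail may be setuid/setgid: a compromised named would
    # otherwise have a ready-made privilege step inside its own jail.
    n=$(find "$jail" -type f \( -perm -4000 -o -perm -2000 \) | wc -l)
    [ "$n" -eq 0 ] || fail "$n setuid/setgid files inside the jail"
    # World-writable files are never intended; the only world-writable
    # directories are tmp and var/tmp, and those need the sticky bit (1777)
    # so one jailed process cannot remove another's files.
    n=$(find "$jail" -type f -perm -0002 | wc -l)
    [ "$n" -eq 0 ] || fail "$n world-writable files inside the jail"
    for d in $(find "$jail" -type d -perm -0002); do
        case ${d#"$jail"/} in
            tmp|var/tmp) [ -k "$d" ] || fail "$d lacks the sticky bit" ;;
            *) fail "unexpected world-writable directory $d" ;;
        esac
    done
    # etc/named.conf is the symlink from step 6.3. Its target must be relative
    # so it still resolves after named has chroot'd; an absolute /opt/jails/...
    # path would point outside the jail's view of the filesystem.
    if [ -L "$jail/etc/named.conf" ]; then
        t=$(ls -l "$jail/etc/named.conf" | sed 's/.* -> //')
        case $t in /*) fail "etc/named.conf target $t is absolute" ;; esac
        [ -f "$jail/etc/named.conf" ] || fail "etc/named.conf target $t is missing"
    else
        fail "etc/named.conf is not a symlink"
    fi
    # As root, syntax-check the config exactly as named will see it in the jail.
    if [ "$(id -u)" -eq 0 ] && command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf -t "$jail" /etc/named.conf || fail "named-checkconf rejected the config"
    fi
    [ "$failures" -eq 0 ]
}
```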


Addendum 1 - Chroot jail for Debian Linux

The creation of the jail area is very similar in the Linux environment. These directions are based on a Debian Sarge install with the Bind-9.3.1-2 package. Several assumptions are made here: the package automatically creates the bind user and group, and the /opt directory resides on a separate filesystem. Note: we really should use the Debian jailer package to automate the creation and maintenance of the Bind jail; the process of updating the jail after package upgrades is handled very nicely by the updatejail utility. See the reference jailer configuration file: jailer.conf.

The following lists the Debian packages used at the time this document was updated (28-Jul-2005).

Note: when the Debian bind package is installed, the bind user and group are created using adduser. This uses 'the next highest' unused system UID/GID, which will vary from machine to machine. This is undesirable. You must change the UID and GID to 51000 and change the owner and group for the /etc/bind, /var/cache/bind and /var/run/bind directories (and the files within). You must do this prior to running the jailer tool.

The detailed steps are as follows:

  1. Create the basic jail structure
  2. Configure basic authentication mechanisms

    You need to remove most of the entries from these files. Specifically leave root, daemon, bin, sys, and bind in passwd/shadow and leave wheel, root, daemon, tty, and bind in group/gshadow

  3. Add bind and support executables (libs also...)

  4. Configure the zone data and startup
