Subject: Re: BIND and chroot-SOLVED
To: Don Woodward <dbwoodw@abraxis.com>
From: Joe Laffey <joe@laffeycomputer.com>
List: port-mac68k
Date: 07/09/2000 11:56:14
On Sun, 9 Jul 2000, Don Woodward wrote:

> Joe:
> 
> Thanks for sharing the results - as I think about what you were doing I
> believe the "chrooted" environment is only a security precaution and as long
> as the two binds had separate configuration directories/files there should
> be no problem.

That is pretty much the case. You do need to make separate ndc sockets to
restart them both with ndc (using the -c option).

You also want to have one of the instances forward to the other for a
unified cache.

Decent info for split DNS at:
http://www.etherboy.com/dns/chrootdns.html

and better info on chrooting at:
http://www.linuxdoc.org/HOWTO/Chroot-BIND-HOWTO.html

The tricks are to use the mknod from /dev/MAKEDEV for /dev/null also, use
ldd to find out what libs are required and install all of those. Then
CHECK PERMISSIONS on everything.

The directory structure for single DNS (I put split on my Linux box) under
NetBSD is:

[11:48am] /home/joe# ls -lR /chroot/
total 1
drwxr-x---  8 root  named  512 Jul  9 10:49 named

/chroot//named:
total 67
drwxr-x---  2 root  named    512 Jul  9 00:46 bin
drwxr-x---  2 root  named    512 Jul  9 10:19 dev
drwxr-x---  3 root  named    512 Jul  9 00:47 etc
drwxr-x---  2 root  named    512 Jul  8 22:14 lib
-rw-------  1 root  named  61748 Jul  9 10:49 named-xfer.core
drwxr-x---  4 root  named    512 Jul  9 10:52 usr
drwxr-x---  3 root  named    512 Jul  8 22:16 var

/chroot//named/bin:
total 6176
-r-x------  1 root  named    57344 Jul  9 00:46 ldconfig
-rwxr-x---  1 root  named  3719447 Jul  8 23:54 named
-rwxr-x---  1 root  named  2517440 Jul  8 23:55 named-xfer

/chroot//named/dev:
total 0
srw-rw-rw-  1 root  named     0 Jul  9 00:29 log
crw-rw-rw-  1 root  wheel  2, 2 Jul  9 11:41 null

/chroot//named/etc:
total 14
-rw-r-----  1 root   named    12 Jul  8 22:20 group
-rw-r-----  1 root   named     9 Jul  9 10:53 ld.so.conf
-rw-r-----  1 root   named  1262 Jul  8 22:20 localtime
-rw-r-----  1 root   named  8551 Jul  9 10:47 named.conf
drwx------  3 named  named   512 Jul  9 11:01 namedb

/chroot//named/etc/namedb:
total 146
-rw-------  1 named  named   2769 Apr 19  1999 named.ca
-rw-------  1 named  named    422 Apr 19  1999 named.local
-rw-------  1 named  named  77168 Jul  8 21:21 named_dump.db
drwx------  2 named  named   1536 Jul  9 11:44 sec
... more primary zone files

/chroot//named/etc/namedb/sec:
total 56
-rw-r--r--  1 named  named   812 Jul  9 11:00 bertramstudio.com
... more zone files

/chroot//named/lib:

/chroot//named/usr:
total 2
drwxr-x---  2 root  named  512 Jul  9 10:54 lib
drwxr-x---  2 root  named  512 Jul  9 00:34 libexec

/chroot//named/usr/lib:
total 481
-r--r-----  1 root  named  451909 Jul  9 10:53 libc.so.12.40
-r--r-----  1 root  named   25221 Jul  9 10:54 libutil.so.5.0

/chroot//named/usr/libexec:
total 56
-rwxr-x---  1 root  named  57344 Jul  9 00:34 ld.so

/chroot//named/var:
total 1
drwxr-x---  2 named  named  512 Jul  9 11:00 run

/chroot//named/var/run:
total 2
-r--r--r--  1 root  named  191 Jul  9 10:54 ld.so.hints
srw-rw-rw-  1 root  named    0 Jul  9 00:29 log
-rw-r--r--  1 root  named    6 Jul  9 11:00 named.pid
srw-------  1 root  wheel    0 Jul  9 11:00 ndc

Note that some of the files are created either by named (like ndc, etc.),
or by running ldconfig (like ld.so.hints). Your shared libs may have
different numbers too.

You also need to set up syslogd, which creates the /dev/log (or
/var/run/log) in the chrooted environment. I ran syslogd like this:
syslogd -p /dev/log -p /var/run/log -p /chroot/named/dev/log -p /chroot/named/var/run/log

It seems that NetBSD 1.4.2 likes syslogd to listen at /var/run/log. My
NetBSD 1.3.2 box with this setup likes it at /dev/log. I also had to
compile a newer syslog for use under 1.3.2 because the one that came with
it does not support multiple -p options.

If anyone has any questions about this or running the split DNS let me
know as I have learned it all the hard way ;-)


Joe Laffey
LAFFEY Computer Imaging
St. Louis, MO
-------------------------
With no walls or fences on the Internet, who needs Windows or Gates?
---------------------------------------------------------------------
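An added example (not code from the mail above, nor from BIND or NetBSD) that scripts the three tricks Joe names: use ldd to find the libraries a binary needs and copy them in, use mknod to create /dev/null, then check permissions on everything. The chroot path /chroot/named and the device numbers are assumptions: the listing shows /dev/null as major/minor 2,2 on NetBSD, Linux uses 1,3, so the script takes them as parameters rather than guessing. The audit deliberately ignores sockets and character devices, because dev/log, the ndc socket and dev/null are legitimately world-writable in the listing; anything else writable by "other", or setuid/setgid, inside the jail is reported.

```shell
#!/bin/sh
# Added example, not from the original mail or from BIND/NetBSD.
# Helpers for the steps Joe lists when building a chroot for named:
# collect the shared libraries ldd reports, create /dev/null with mknod,
# and then CHECK PERMISSIONS on everything.
# Assumptions: the chroot lives at /chroot/named; the /dev/null major/minor
# (2,2 in the NetBSD listing above, 1,3 on Linux) must come from your own
# /dev/MAKEDEV or "ls -l /dev/null", so they are parameters here.

# Read ldd output on stdin and print one absolute library path per line.
# Accepts the GNU form     "libc.so.6 => /lib/libc.so.6 (0x...)",
# the NetBSD form          "-lc.12 => /usr/lib/libc.so.12",
# and the bare loader line "/lib64/ld-linux-x86-64.so.2 (0x...)".
# Lines carrying no path (vdso, the "binary:" header, "not a dynamic
# executable") are dropped.
libs_from_ldd() {
    awk '$2 == "=>" && $3 ~ /^\// { print $3; next }
         $1 ~ /^\// && $1 !~ /:$/ { print $1 }'
}

# Copy every library a binary needs into the chroot at the same path it has
# outside, so ld.so finds it without extra ld.so.conf entries.
install_libs() {
    bin=$1
    root=$2
    ldd "$bin" | libs_from_ldd | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib"
    done
}

# Create the /dev/null character device inside the chroot (needs root).
# major/minor are platform specific; see the assumptions above.
make_dev_null() {
    root=$1
    major=$2
    minor=$3
    mkdir -p "$root/dev"
    mknod -m 666 "$root/dev/null" c "$major" "$minor"
}

# Permission audit. Reports world-writable files and directories and any
# setuid/setgid file under the chroot. Sockets (dev/log, the ndc socket),
# character devices (dev/null) and symlinks are skipped: the first two are
# legitimately mode 666, and a symlink's own mode is meaningless.
# Returns 1 if anything suspicious is found, 0 if the tree is clean.
audit_chroot() {
    root=$1
    status=0
    ww=$(find "$root" -perm -0002 ! -type s ! -type c ! -type l)
    if [ -n "$ww" ]; then
        printf 'world-writable:\n%s\n' "$ww"
        status=1
    fi
    sid=$(find "$root" -type f \( -perm -4000 -o -perm -2000 \))
    if [ -n "$sid" ]; then
        printf 'setuid/setgid:\n%s\n' "$sid"
        status=1
    fi
    return $status
}

# Typical use, as root, after copying named and named-xfer into the jail:
#   install_libs /chroot/named/bin/named /chroot/named
#   install_libs /chroot/named/bin/named-xfer /chroot/named
#   make_dev_null /chroot/named 2 2
#   audit_chroot /chroot/named && echo "permissions look sane"
```

Run the audit again after named has started, since (as the mail notes) named and ldconfig create files of their own inside the jail, and those need checking too.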