Bind Vs. Bind-chroot



On my public servers, I usually run BIND for DNS. I see CentOS offers a preconfigured (sort of) bind-chroot package. I wonder what’s the effective benefit of this vs. a “normal” BIND setup without chroot. On my Slackware servers, I have a rather Keep-It-Simple approach to all things security, e.g. run no unneeded services, open only needed ports etc., but I don’t run the extra mile (and haven’t been bitten so far).

Any suggestions? (No flamefest please.)


Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat – Tél. : 04 66 63 10 32

11 thoughts on - Bind Vs. Bind-chroot

  • BIND went through a rocky stage where there were a LOT of security holes in it. By running it in a chroot, you limit its ability to be used as a hacking point of entry. Recent versions of BIND (basically, 9 and newer) are much more secure, so this is less of a concern.

  • I don’t use SELinux because it gets in my way far more than it ever actually protects me from anything.

    I’m sure there are systems where it absolutely is necessary, but I don’t like to have stuff fail because I used mv instead of cp to install a certificate, for example.

    For authoritative DNS I also do not use chroot, but authoritative DNS is all those servers do, and I use zones signed externally via DNSSEC (no private keys on the server).

  • For a basic authoritative server, I have the one magic setting needed in your configuration.

    Otherwise it is working ‘out of the box’.

  • I need to do DNSSEC next; got to bother Mark Andrew over at ISC, did not get to sit down with him on this at IETF. So I don’t know what certs I will need as yet. For my mailserver, I am using self-signed, and see my Apache setup, towards the end, how I create a set of certs:

    I had some help on this from the OpenSSL list.

    Something to consider, but I would do it on one of my internal systems.
    Not a third party; why should I trust them? Unless they are providing a full DNS PKI service.

  • I meant DNSSEC signing is done externally to the authoritative DNS.

    I do the signing myself. Point being if someone hacked my authoritative DNS server, they could not alter my zone files in a way DNSSEC enforcing resolvers would accept because the signing keys are not there.

  • Another alternative with at least same level of security, though not giving me any trouble I hear people sometimes have with SELinux is to run services in separate jails (or other containers) – with base system mounted inside jail read-only (I use FreeBSD jails – apologies for mentioning, but Linux experts here can suggest fair Linux equivalent).


    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247

  • bind-chroot is a subpackage and quite straightforward (yum install bind-chroot). No need to handle jails and their environment updates when the base system gets updated (we use rpm trigger scripts for that).
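Two of the points above (keep DNSSEC signing keys off the authoritative server, and rely on the bind-chroot subpackage rather than a hand-built jail) are easy to verify on a running box. The script below is an added example and is not from the thread or from the bind-chroot package; it assumes the CentOS 7 layout where the named-chroot unit runs named with its root at /var/named/chroot, and the BIND convention that private keys are stored as K<zone>+<alg>+<keyid>.private files. The key file names used in testing are constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes the CentOS 7 bind-chroot
# layout: the named-chroot unit runs named with its root at
# /var/named/chroot (override with CHROOT_DIR). Two checks that follow
# from the discussion:
#   1. is the running named really chrooted where we think it is?
#   2. are any DNSSEC private keys (BIND names them
#      K<zone>+<alg>+<keyid>.private) lying in the zone directory?
#      With offline signing only the signed zone and the public DNSKEY
#      records should be on the authoritative server.

CHROOT_DIR=${CHROOT_DIR:-/var/named/chroot}

# is_chrooted PID ROOT: succeed if PID's root directory is ROOT.
# /proc/PID/root is a symlink to the process's root; reading it for
# another user's process needs root privileges.
is_chrooted() {
    actual=$(readlink "/proc/$1/root" 2>/dev/null) || return 1
    [ "$actual" = "$2" ]
}

# count_private_keys DIR: print the number of BIND private key files
# found under DIR (0 when the directory is clean or does not exist).
count_private_keys() {
    find "$1" -type f -name 'K*.private' 2>/dev/null | wc -l | tr -d ' '
}

# audit_zone_dir DIR: succeed only when DIR holds no private keys;
# otherwise list them on stderr and fail, so it can gate a deploy script.
audit_zone_dir() {
    n=$(count_private_keys "$1")
    if [ "$n" -ne 0 ]; then
        printf '%s private key file(s) under %s:\n' "$n" "$1" >&2
        find "$1" -type f -name 'K*.private' >&2
        return 1
    fi
    return 0
}

# Stand-alone use on a live server (run as root so /proc/PID/root is
# readable):  sh check-bind-chroot.sh --live
if [ "${1:-}" = "--live" ]; then
    pid=$(pidof named 2>/dev/null | cut -d' ' -f1)
    [ -n "$pid" ] || { echo "named is not running" >&2; exit 1; }
    if is_chrooted "$pid" "$CHROOT_DIR"; then
        echo "named ($pid) is chrooted in $CHROOT_DIR"
    else
        echo "named ($pid) is NOT chrooted in $CHROOT_DIR" >&2
    fi
    audit_zone_dir "$CHROOT_DIR/var/named" && echo "no private keys in chroot"
fi
```

The audit deliberately matches only `*.private`: the matching `.key` file holds the public DNSKEY record and is harmless on the server, whereas a `.private` file next to the zone means a compromise of the box would let an attacker re-sign altered zone data, which is exactly what external signing is meant to prevent.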

  • Correct, no real need for creating something special; bind-chroot has been around for years and just works. Before SELinux it was what we did. My last DNS server was Redsleeve 6, on which I could not get SELinux working, so I just ran chroot. Now I have CentOS7-arm with SELinux, so no chroot.