Bind Vs. Bind-chroot


Hi,

On my public servers, I usually run BIND for DNS. I see CentOS offers a preconfigured (sort of) bind-chroot package. I wonder what’s the effective benefit of this vs. a “normal” BIND setup without chroot. On my Slackware servers, I have a rather Keep-It-Simple approach to all things security, e.g. run no unneeded services, open only needed ports etc., but I don’t go the extra mile (and haven’t been bitten so far).

Any suggestions? (No flamefest please.)

Niki

Microlinux – Solutions informatiques durables
7, place de l’église – 30730 Montpezat Web : http://www.microlinux.fr Mail : info@microlinux.fr Tél. : 04 66 63 10 32

11 thoughts on - Bind Vs. Bind-chroot

  • BIND went through a rocky stage where there were a LOT of security holes in it. By running it in a chroot, you limit its ability to be used as a hacking point of entry. Recent versions of BIND (basically, 9 and newer) are much more secure, so this is less of a concern.

  • But make sure to have SELinux enabled if you do not run it chrooted.

    I have mine running that way.

  • I don’t use SELinux because it gets in my way far more than it ever actually protects me from anything.

    I’m sure there are systems where it absolutely is necessary, but I don’t like to have stuff fail because I used mv instead of cp to install a certificate, for example.

    For authoritative DNS I also do not use chroot, but authoritative DNS is all those servers do, and I use zones signed externally via DNSSEC (no private keys on the server).

  • For a basic authoritative server, I have the one magic setting needed in your configuration.

    Otherwise it is working ‘out of the box’.

  • I need to do DNSSEC next; got to bother Mark Andrews over at ISC, did not get to sit down with him on this at IETF. So I don’t know what certs I will need as yet. For my mailserver, I am using self-signed, and see my Apache setup, towards the end, for how I create a set of certs:

    http://medon.htt-consult.com/CentOS7-mailserver.html#Setting%20up%20Apache

    I had some help on this from the OpenSSL list.

    Something to consider, but I would do it on one of my internal systems.
    Not a third party; why should I trust them? Unless they are providing a full DNS PKI service.

  • I meant DNSSEC signing is done externally to the authoritative DNS.

    I do the signing myself. Point being if someone hacked my authoritative DNS server, they could not alter my zone files in a way DNSSEC enforcing resolvers would accept because the signing keys are not there.

  • Another alternative with at least the same level of security, though not giving me any of the trouble I hear people sometimes have with SELinux, is to run services in separate jails (or other containers) – with the base system mounted inside the jail read-only (I use FreeBSD jails – apologies for mentioning, but Linux experts here can suggest a fair Linux equivalent).

    Valeri

    ++++++++++++++++++++++++++++++++++++++++
    Valeri Galtsev Sr System Administrator Department of Astronomy and Astrophysics Kavli Institute for Cosmological Physics University of Chicago Phone: 773-702-4247
    ++++++++++++++++++++++++++++++++++++++++

  • bind-chroot is a subpackage and quite straightforward (yum install bind-chroot). No need to handle jails and their environment updates when the base system gets updated (we use rpm trigger scripts for that).

  • Correct, no real need for creating something special, bind-chroot has been around for years and just works. Before SELinux it was what we did. My last DNS server was Redsleeve 6 that I could not get SELinux working, so I just ran chroot. Now I have CentOS7-arm with SELinux so no chroot.
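Added example, not posted by anyone in the thread: a small POSIX shell audit of the three mitigations the replies weigh against each other on a BIND host, namely whether named is really confined by a chroot, whether SELinux is enforcing, and whether DNSSEC private keys are absent from the authoritative server as the externally-signed setup described above requires. Function names are my own; the `K*.private` filename pattern is BIND's dnssec-keygen convention, and the paths in the comments are assumptions about a stock CentOS install.

```shell
#!/bin/sh
# Added example (not from the thread). Each check takes its input as a
# parameter so it can be exercised against constructed files offline.

# 1. named is chrooted when its process root is anything other than "/".
#    $1 is the path reported by `readlink /proc/<pid>/root`.
named_chroot_status() {
    case "$1" in
        /|"") echo "not-chrooted" ;;
        *)    echo "chrooted:$1" ;;
    esac
}

# 2. SELinux state as read from /sys/fs/selinux/enforce (1 = enforcing).
#    $1 is the file to read; a missing file means SELinux is disabled.
selinux_state() {
    if [ ! -r "$1" ]; then
        echo "disabled"
    elif [ "$(cat "$1")" = "1" ]; then
        echo "enforcing"
    else
        echo "permissive"
    fi
}

# 3. Count DNSSEC private key files (K<zone>.+<alg>+<id>.private) under
#    the zone directory. With external signing this must be 0.
count_private_keys() {
    find "$1" -name 'K*.private' -type f 2>/dev/null | wc -l | tr -d ' '
}

# Verdict: named confined by chroot OR SELinux enforcing, and no keys on host.
# $1 = chroot status, $2 = SELinux state, $3 = private key count
audit_verdict() {
    confined=0
    case "$1" in chrooted:*) confined=1 ;; esac
    [ "$2" = "enforcing" ] && confined=1
    if [ "$confined" -eq 1 ] && [ "$3" -eq 0 ]; then
        echo "OK"
    else
        echo "REVIEW"
    fi
}

# Live use on a host (assumed paths: /var/named is the stock zone dir):
#   pid=$(pgrep -x named)
#   audit_verdict "$(named_chroot_status "$(readlink /proc/$pid/root)")" \
#                 "$(selinux_state /sys/fs/selinux/enforce)" \
#                 "$(count_private_keys /var/named)"
```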