Sun Dublan
HistoryHistory 
Notes 
ArchivesArchives 
B of M LexiconB of M Lexicon 
BIND JailBIND Jail 
CDRCDR 
ConversionConversion 
EmacsEmacs 
FirewallFirewall 
FreeBSDFreeBSD 
FunnyFunny 
HouseHouse 
IndexIndex 
jrfmsjrfms 
LinksLinks 
PerlPerl 
Perl umaskPerl umask 
PGP Key TroyPGP Key Troy 
PinoutsPinouts 
RandomTint.plRandomTint.pl 
RandomTint ScreenshotRandomTint Screenshot 
SHFSHF 
SnapshotSnapshot 
StatisticsStatistics 
UtopiaUtopia 
PhotosPhotos 
SecureSecure 
BIND Jail  
This was taken from http://www.fxp.org/jedgar/misc/bind.jail.txt
but I added a step or two that he skipped.

To set up jail'd bind, assumes jail dir of /home/jail/bind:

- checkout the following:
  cvs co -PA -rRELENG_4 src/contrib/bind	\
      src/lib/libbind				\
      src/lib/libisc				\
      src/libexec/named-xfer			\
	          src/usr.sbin/named
- create all necessary directories
  mkdir -p /home/jail/bind/etc/namedb
  mkdir -p /home/jail/bind/usr/libexec
  mkdir -p /home/jail/bind/usr/sbin
  mkdir -p /home/jail/bind/var/run
  mkdir -p /home/jail/bind/var/tmp
  mkdir -p /home/jail/bind/var/log
  mkdir -p /home/jail/bind/dev
  chmod -R 750 /home/jail/bind
  chown -R root:bind /home/jail/bind
  mknod /home/jail/bind/dev/null c 2 2 0:0
  chmod 666 /home/jail/bind/dev/null
  ln -fs /home/jail/bind/var/run/ndc /var/run
  ln -fs /home/jail/bind/var/log named
  ln -fs /home/jail/bind/etc/namedb /etc/namedb
- compile/install the static binaries:
  cd src/lib/libbind && make obj && make depend && \
      make NOMAN=YES NOSHARED=YES NOPROFILE=YES all
      cd ../libisc && make obj && make depend && \
      make NOMAN=YES NOSHARED=YES NOPROFILE=YES all
      cd ../../libexec/named-xfer && make obj && make depend && \
      make NOMAN=YES NOSHARED=YES BINDIR=/home/jail/bind/usr/libexec \
      all install
      cd ../../usr.sbin/named && make obj && make depend && \
      make NOMAN=YES NOSHARED=YES BINDIR=/home/jail/bind/usr/sbin \
      all install
- copy configs to /home/jail/bind/etc/namedb
  edit configs to point logs to /var/log
  edit configs to use the right IP address or "any;"
- create minimal /etc/{group,hosts,master.passwd} in /home/jail/bind/etc,
      group:
          wheel:*:0:root
          bind:*:53:
      master.passwd:
          root:*:0:0::0:0:r00t:/:/dev/null
          bind:*:53:53::0:0:Bind Sandbox:/:/dev/null
      hosts:
          w.x.y.z         hostname.example.com     hostname
      passwd:
          root:*:0:0:r00t:/:/dev/null
          bind:*:53:53:Bind Sandbox:/:/dev/null
  and rebuild the password db's
     pwd_mkdb -d /home/jail/bind/etc master.passwd
  and verify permissions in /home/jail/bind/etc are something like:
    -rw-r-----  1 root  bind     26 Feb  7 23:29 group
    -rw-r-----  1 root  bind     89 Feb  7 23:29 hosts
    -rw-------  1 root  bind     88 Feb  7 23:29 master.passwd
    drwxr-x---  2 root  bind    512 Feb  7 23:29 namedb
    -rw-r-----  1 root  bind     78 Feb  7 23:29 passwd
    -rw-r-----  1 root  bind  40960 Feb  7 23:29 pwd.db
    -rw-------  1 root  bind  40960 Feb  7 23:29 spwd.db
- place 'ln -fs /home/jail/bind/var/run/ndc /var/run/ndc' in /etc/rc.local
  to allow ndc(8) to find the correct socket without having to specify the
  -c option (you may not want to do this if you have multiple jail'd binds)
- add "-l /home/jail/bind/var/run/log" to syslogd_flags in /etc/rc.conf
  (and restart syslogd with the added args)
- execute: jail /home/jail/bind <hostname> <ip> /usr/sbin/named -u bind -g bind
  also, you may wish to add the following to /etc/rc.conf:
    named_enable="YES"
    named_flags="-u bind -g bind"
    named_program="jail /home/jail/bind <hostname> <ip> /usr/sbin/named"
- you may need to copy /etc/localtime to /home/bind/etc/localtime in order
  for the correct times to be logged
1/31/2003 Webmaster: Troy Bowman