DNS configuration
 Chroot jail
Bind is an essential service that is installed almost everywhere. That makes it an attractive target and attack vector, and it has been the subject of several attacks in the past. I therefore prefer to install it in a chroot jail, so that a compromise of named is confined to the jail rather than the whole host. Bear in mind that the jail only limits what a compromised named can reach; it does not make named any harder to exploit, so keep the package patched and keep running it as the unprivileged 'bind' user. The instructions I followed for jailing it are available at: Debian Chroot Howto. Others are available too, including a classic but out of date one at faqs.org. Below is a concise description of the steps I followed in order to jail the bind service. For a more detailed explanation, please see one of the tutorials mentioned above.
- Create the directory structure for bind under /var/lib/named
- Create devices such as /dev/null under /var/lib/named/dev
- Edit /etc/default/bind9 so that the line OPTS="-u bind" reads OPTS="-u bind -t /var/lib/named". This tells bind to chroot to '/var/lib/named' and then drop privileges to the user 'bind' (the chroot happens before the privilege drop, so the jail itself must be set up as root).
- Run chown -R bind:bind /var/lib/named. Strictly, only the directories bind writes to (the cache and run directories) need to be writable by bind; config and zone files can stay owned by root so a compromised named cannot rewrite them.
- Edit the file /etc/init.d/sysklogd so that the line SYSLOGD="" reads SYSLOGD="-a /var/lib/named/dev/log". This makes syslogd open an extra socket inside the jail, which allows the chrooted bind to send messages to the syslog.
- Move /etc/bind to /var/lib/named/etc/bind
- Create a symlink /etc/bind pointing at /var/lib/named/etc/bind, so that Debian package updates still find the configuration where they expect it and backup scripts stay simple.
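The steps above as a script, added here as an example (it is not part of the original page or of the Debian howto). It assumes Debian's paths (/etc/default/bind9, /etc/init.d/sysklogd, /etc/bind), GNU sed for the in-place edits, and the cache and run subdirectories (var/cache/bind, var/run/bind/run) from the Debian chroot layout; those two subdirectories and the /dev/random node are assumptions beyond what the page lists. The paths are parameters so the functions can be dry-run as an ordinary user against a scratch directory; `sh jail.sh apply` runs them as root against the real paths.

```shell
#!/bin/sh
# Added example: builds the /var/lib/named chroot described above.
# Assumes Debian's bind9 package layout and GNU sed (-i).
set -eu

# Steps 1-2: directory skeleton plus the device nodes bind needs in the jail.
# (var/cache/bind and var/run/bind/run are the Debian layout, an assumption here.)
make_jail_dirs() {
    jail="$1"
    mkdir -p "$jail/etc" "$jail/dev" "$jail/var/cache/bind" "$jail/var/run/bind/run"
    # Device nodes need root; skip them when dry-running as an ordinary user.
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$jail/dev/null" ]   || mknod -m 666 "$jail/dev/null" c 1 3
        [ -c "$jail/dev/random" ] || mknod -m 666 "$jail/dev/random" c 1 8
    fi
}

# Step 3: OPTS="-u bind" -> OPTS="-u bind -t <jail>" in /etc/default/bind9.
set_bind_opts() {
    sed -i "s|^OPTS=\"-u bind\"$|OPTS=\"-u bind -t $2\"|" "$1"
}

# Step 5: give sysklogd an extra socket inside the jail for bind's log messages.
set_syslog_socket() {
    sed -i "s|^SYSLOGD=\"\"$|SYSLOGD=\"-a $2/dev/log\"|" "$1"
}

# Steps 6-7: move /etc/bind into the jail and leave a symlink behind for apt/backups.
move_config() {
    etcbind="$1"; jail="$2"
    if [ -L "$etcbind" ]; then
        return 0                        # already done on a previous run
    fi
    [ -e "$jail/etc/bind" ] && { echo "$jail/etc/bind already exists" >&2; return 1; }
    mv "$etcbind" "$jail/etc/bind"
    ln -s "$jail/etc/bind" "$etcbind"
}

# Sanity check before restarting bind: every step must be visible on disk.
# Returns 0 when the jail looks complete, 1 otherwise.
check_jail() {
    jail="$1"; defaults="$2"; initscript="$3"; etcbind="$4"
    grep -q "^OPTS=\"-u bind -t $jail\"$" "$defaults"     || return 1
    grep -q "^SYSLOGD=\"-a $jail/dev/log\"$" "$initscript" || return 1
    [ -L "$etcbind" ] && [ -d "$jail/etc/bind" ]          || return 1
    [ -d "$jail/dev" ] && [ -d "$jail/var/cache/bind" ]
}

case "${1:-}" in
apply)
    J=/var/lib/named
    make_jail_dirs "$J"
    set_bind_opts /etc/default/bind9 "$J"
    set_syslog_socket /etc/init.d/sysklogd "$J"
    move_config /etc/bind "$J"
    chown -R bind:bind "$J"             # step 4
    check_jail "$J" /etc/default/bind9 /etc/init.d/sysklogd /etc/bind
    # Restart sysklogd, then bind9, only after this check passes.
    ;;
esac
```

Run `named-checkconf -t /var/lib/named` before restarting if bind9utils is installed; it parses the configuration from inside the jail exactly as named will, which catches paths that are only valid outside the chroot.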
 Configuration File Convention
Bind provides a way to modularize its config files via the include statement. Debian takes advantage of this by splitting the configuration into named.conf, named.conf.options, and named.conf.local. Debian policy is that local configuration goes in named.conf.local. I have split this up further so that we do not step on each other's domains. Please follow the layout below to minimize confusion.
- Each of us has a directory /etc/bind/yourname containing a file named.conf.yourname. That file is included from named.conf.local.
- In that file, put the zone stanzas that tell bind to load the forward DNS zones you are configuring. See /etc/bind/grant/named.conf.yourname for an example.
- Then put the zone files for the zones you are configuring inside your directory.
- Finally, follow the instructions below to add reverse DNS zones.
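A script that sets up the layout above for one user and one forward zone, added as an example (not part of the original page). It assumes the directory and file names given in the list, and the zone contents it writes (ns1/hostmaster names, the 10.0.0.1 address, the allow-transfer setting) are placeholders to be replaced with real values. The third parameter defaults to /etc/bind but can point at a scratch directory for testing.

```shell
#!/bin/sh
# Added example: per-user BIND configuration layout (user directory,
# named.conf.<user>, starter zone file, include in named.conf.local).
set -eu

# Add one forward zone for one user; safe to run again (nothing is duplicated).
add_user_zone() {
    user="$1"; zone="$2"; etc="${3:-/etc/bind}"
    conf="$etc/$user/named.conf.$user"
    zonefile="$etc/$user/db.$zone"
    mkdir -p "$etc/$user"

    # 1. named.conf.local includes the user's file exactly once.
    inc="include \"$conf\";"
    grep -qxF "$inc" "$etc/named.conf.local" 2>/dev/null \
        || printf '%s\n' "$inc" >> "$etc/named.conf.local"

    # 2. The user's file carries the zone stanza. Because bind runs with
    #    -t /var/lib/named and /etc/bind is a symlink into that jail, the
    #    same absolute path works both inside and outside the chroot.
    if ! grep -q "^zone \"$zone\" " "$conf" 2>/dev/null; then
        cat >> "$conf" <<EOF
zone "$zone" {
    type master;
    file "$zonefile";
    allow-transfer { none; };   // placeholder: list your secondaries here instead
};
EOF
    fi

    # 3. A minimal zone file to start from; never overwrite an existing one.
    #    Names and the 10.0.0.1 address are placeholders.
    if [ ! -e "$zonefile" ]; then
        cat > "$zonefile" <<EOF
\$TTL 86400
@       IN SOA  ns1.$zone. hostmaster.$zone. (
                $(date +%Y%m%d)01 ; serial, YYYYMMDDnn
                3600              ; refresh
                900               ; retry
                604800            ; expire
                86400 )           ; negative-caching TTL
        IN NS   ns1.$zone.
ns1     IN A    10.0.0.1          ; placeholder address
EOF
    fi

    # 4. Syntax-check the zone if the BIND tools (bind9utils) are installed.
    if command -v named-checkzone >/dev/null 2>&1; then
        named-checkzone "$zone" "$zonefile" >/dev/null
    fi
}

# Print the zones a user's file declares, one per line (a quick sanity check
# that a user only touches their own zones).
list_user_zones() {
    sed -n 's/^zone "\([^"]*\)" .*/\1/p' "$1/$2/named.conf.$2" 2>/dev/null
}
```

After adding a zone, run `named-checkconf -t /var/lib/named` and then `rndc reload`; the serial convention (date plus a two-digit counter) matters because secondaries only transfer the zone when the serial increases.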
 Reverse DNS
Because reverse DNS must by necessity cover a whole IP block, it is not easy (or possible?) to split it up between users. Instead there is a single file, /etc/bind/db.199.166.207, which acts as the reverse DNS for the full block. When you create a new forward zone file it is good practice to create a reverse mapping for the IP addresses you have used, but bear in mind there must be only one PTR record for a given IP. We do not allow multiple PTR records for one address.
Reverse DNS is currently set up to generate placeholder entries for undefined hosts, using the last octet of the address as the placeholder name. For example, 199.166.207.67 resolves to server67.dataparc.com. This could easily be removed if it proves to be problematic.
- To add a reverse DNS entry, simply edit the file /etc/bind/db.199.166.207
- To keep the automatically generated reverse DNS entries consistent, you will also need to edit the GENERATE statements so that their ranges skip the addresses you have given explicit PTR records. Be careful here: if you forget to adjust the GENERATE ranges you will end up with two PTR records for your IP, and reverse lookups of that address will return both names to the rest of the world.
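Two helpers for the shared reverse zone, added as an example (not part of the original page): reverse_name turns an address into its in-addr.arpa owner name, and check_ptr_duplicates expands the $GENERATE ranges in a zone file the way named does and reports any octet that ends up with more than one PTR record, which is the failure mode described above. The sample zone written by write_sample_reverse_zone is constructed for this example, and the hostnames under example.com are placeholders.

```shell
#!/bin/sh
# Added example: sanity checks for a shared reverse zone with $GENERATE placeholders.
set -eu

# 199.166.207.67 -> 67.207.166.199.in-addr.arpa.
reverse_name() {
    echo "$1" | awk -F. '{ printf "%s.%s.%s.%s.in-addr.arpa.\n", $4, $3, $2, $1 }'
}

# Print every last octet that has more than one PTR record, counting both
# explicit "NN IN PTR" lines and the members of each $GENERATE range
# (start-end[/step]). Returns 1 if any duplicates were found, 0 otherwise.
check_ptr_duplicates() {
    dups=$(awk '
        function emit(n) { count[n]++ }
        $1 == "$GENERATE" {
            isptr = 0
            for (f = 3; f <= NF; f++) if (toupper($f) == "PTR") isptr = 1
            if (!isptr) next
            n = split($2, r, "[-/]")
            step = (n >= 3) ? r[3] + 0 : 1
            for (i = r[1] + 0; i <= r[2] + 0; i += step) emit(i)
            next
        }
        $1 ~ /^[0-9]+$/ {
            for (f = 2; f <= NF; f++) if (toupper($f) == "PTR") { emit($1 + 0); break }
        }
        END { for (n in count) if (count[n] > 1) print n }
    ' "$1" | sort -n)
    [ -z "$dups" ] && return 0
    printf '%s\n' "$dups"
    return 1
}

# Constructed sample db.199.166.207: two hosts with real names, placeholders
# for the rest. The $GENERATE ranges are split so they skip 10 and 67.
write_sample_reverse_zone() {
    cat > "$1" <<'EOF'
$TTL 86400
@       IN SOA  ns1.example.com. hostmaster.example.com. (
                2024010101 3600 900 604800 86400 )
        IN NS   ns1.example.com.
10      IN PTR  ns1.example.com.
67      IN PTR  www.example.com.
$GENERATE 1-9    $ PTR server$.example.com.
$GENERATE 11-66  $ PTR server$.example.com.
$GENERATE 68-254 $ PTR server$.example.com.
EOF
}
```

Run `check_ptr_duplicates /etc/bind/db.199.166.207` before reloading. named-checkzone will not catch this mistake, because several PTR records on one name are syntactically legal; it only complains about syntax, so use both: `named-checkzone 207.166.199.in-addr.arpa /etc/bind/db.199.166.207` for syntax, the check above for the duplicate placeholders.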
For more information about the GENERATE statements, reverse DNS, or DNS zone files in general, please see the Bind 9 manual linked above.
Note: on installs that use a /var/named/chroot layout instead of the one described above, the DNS configuration files remain in /var/named/chroot/etc.