How-to – Install BIND9 (chrooted) – Debian

Installation

# apt-get install bind9

…to install BIND9.

For security reasons we want to run BIND chrooted so we have to do the following steps:

# /etc/init.d/bind9 stop

Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named.
Modify the line: OPTIONS=”-u bind” so that it reads OPTIONS=”-u bind -t /var/lib/named”:

# vi /etc/default/bind9

# run resolvconf?
RESOLVCONF=yes # startup options for the server
OPTIONS=”-u bind -t /var/lib/named”

Create the necessary directories under /var/lib:

# mkdir -p /var/lib/named/etc
# mkdir /var/lib/named/dev
# mkdir -p /var/lib/named/var/cache/bind
# mkdir -p /var/lib/named/var/run/bind/run

Then move the config directory from /etc to /var/lib/named/etc:

# mv /etc/bind /var/lib/named/etc

Create a symlink to the new config directory from the old location (to avoid problems when BIND gets updated in the future):

# ln -s /var/lib/named/etc/bind /etc/bind

Make null and random devices, and fix permissions of the directories:

# mknod /var/lib/named/dev/null c 1 3
# mknod /var/lib/named/dev/random c 1 8
# chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
# chown -R bind:bind /var/lib/named/var/*
# chown -R bind:bind /var/lib/named/etc/bind

We need to create the file /etc/rsyslog.d/bind-chroot.conf…

# vi /etc/rsyslog.d/bind-chroot.conf

… with the following line so that we can still get important messages logged to the system logs:

$AddUnixListenSocket /var/lib/named/dev/log

Restart the logging daemon:

# /etc/init.d/rsyslog restart

Start up BIND, and check /var/log/syslog for errors:

# /etc/init.d/bind9 start