bind-chroot is a BIND feature that lets BIND run in chroot mode. That is, the / (root) directory BIND sees while running is not the system's real / (root) directory, but only a subdirectory of the system. The purpose is to improve security: in chroot mode the scope BIND can access is limited to that subdirectory, and it cannot break out further into other directories of the system. BIND's default startup mode is chroot mode.
Building on the previous section, we modify named.conf:
Change all absolute paths in it to relative paths, as follows:
/home/slim/chroot/var/named --> /var/named
key "rndc-key" {
    algorithm hmac-md5;
    secret "WTHTSrZYMNFPjOGjMUHQUQ==";
};

controls {
    inet 127.0.0.1 port 6953 allow { 127.0.0.1; } keys { "rndc-key"; };
};

options {
    listen-on port 6053 { 192.168.13.102; };
    version "vdns3.0";
    directory "/var/named";
    pid-file "/var/run/named.pid";
    session-keyfile "/var/run/session.key";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    memstatistics-file "/var/named/data/named_mem_stats.txt";
    allow-query { any; };
    allow-query-cache { any; };
    allow-transfer { none; };
    /* Path to ISC DLV key */
    bindkeys-file "/etc/named.iscdlv.key";
    managed-keys-directory "/var/named/dynamic";
};

logging {
    channel default_debug {
        file "/var/named/data/named.run";
        severity dynamic;
    };
    channel queries_info {
        file "/var/named/log/query.log" versions 1 size 100m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category queries { queries_info; default_debug; };
    channel notify_info {
        file "/var/named/log/notify.log" versions 8 size 128m;
        severity info;
        print-category yes;
        print-severity yes;
        print-time yes;
    };
    category notify { notify_info; default_debug; };
};

zone "." in {
    type hint;
    file "named.root";
};

zone "localhost" in {
    type master;
    file "localhost.zone";
};

zone "0.0.127.in-addr.arpa" in {
    type master;
    file "localhost.rev";
    allow-update { none; };
};

zone "test.com" IN {
    type master;
    file "zone/test.com.zone";
};

We check the configuration with the following command:
./bind/sbin/named-checkconf -t ./chroot /etc/named.conf
The added -t option specifies the chroot directory, so the paths in the file are resolved the way the chrooted named will resolve them.
If it reports "isc_dir_chroot: permission denied", you lack permission and need to run it as root.
Start the service:
/home/slim/bind/sbin/named -u slim -t /home/slim/chroot/ -c /etc/named.conf