Like other large software, the BIND DNS server has many problems that stem from its size and the complexity of its functions. The number of intrusions that exploit BIND security vulnerabilities has therefore risen sharply, and the most serious of them give the attacker complete remote control of the target host. Because a DNS server has such a large influence on the rest of the network, preventing these intrusions is crucial.
The purpose of this article is to describe how to use a chroot environment to build a secure BIND 8.x server on Red Hat Linux or similar systems. Much of the content is adapted from Adam Shostack and his article on the Solaris version of this setup.
Step 1: obtain and install the software
Download the latest BIND version from the ISC FTP site (this article was tested with BIND 8.x).
Download the free holelogd software (and other useful tools) from the Obtuse Systems FTP site. holelogd creates a /dev/log socket inside the chroot environment so that syslogd can record the log messages of the named process. OpenBSD's syslogd has this function built in (syslogd -a /chroot/dev/log), but it has not been implemented in Linux; holelogd simulates this OpenBSD feature.
Install holelogd according to its documentation (it is usually installed into /usr/local/sbin).
Step 2: Construct static named and named-xfer binary files
After compiling and installing BIND, you need to build statically linked versions of the executables. This only requires a small change to the Makefile.set file in the %BIND%/src/port/linux directory:
replace 'CDEBUG=-O2 -g' with 'CDEBUG=-O2 -static'
Then switch to the BIND source directory and run "make clean" and "make". The resulting files will be copied into the chroot directory in the following steps.
The statically linked executables built in this step do not load any dynamic libraries at run time. Inside the chroot environment such a "self-contained" executable avoids the problem of missing shared library files: no copies of the dynamic libraries are needed in the chroot, which simplifies service configuration. Other network daemons can be compiled and used as static binaries in the same way.
Step 3: Construct the BIND directory
Construct the BIND directory tree for the chroot environment. Inside the chroot, BIND will treat this directory as the system root directory. Create the following subdirectories under it:
/dev
/etc
/etc/namedb
/usr/sbin
/var/run
Copy the following files into the corresponding subdirectories and perform the necessary processing:
/
    Nothing.
/etc
    Copy the named.conf file from the system's /etc directory.
    Copy the localtime file from /etc so that the named log records (via syslog) carry the correct time.
    Create an /etc/group file that contains only the named GID.
/etc/namedb
    Copy all "zone" database files from the system's /etc/namedb directory.
/dev
    mknod ./null c 1 3; chmod 666 null (see the mknod manual page for your version).
/usr/sbin
    Copy the statically linked named and named-xfer binaries from %BIND%/src/bin/named and %BIND%/src/bin/named-xfer respectively.
/var/run
    Nothing.
You can also create a log directory, such as /var/log, if needed.
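The following shell script is added here as a worked example; it is not part of the original article. It carries out Steps 2 and 3 in one place: it creates the chroot directory tree, writes the one-line /etc/group, copies named.conf, localtime and the zone files, creates /dev/null with mknod, and copies the statically linked named and named-xfer binaries, refusing any binary that ldd reports as dynamically linked (a check the article does not spell out). The chroot location, the group name "named", its GID 53 and the BIND_SRC path are assumptions, not values from the article. The copy, mknod and binary steps need root and a built BIND source tree; the skeleton and group-file functions can be tried as a normal user against a temporary directory.

```shell
#!/bin/sh
# Added example (not from the original article): build the chroot tree
# for a statically linked BIND 8.x named.
# Assumptions not stated in the article: the unprivileged group is
# "named" with GID 53, and the BIND source tree is $BIND_SRC
# (default /usr/local/src/bind). The target directory is given as $1.
set -e

# Directories the article lists under the chroot root.
CHROOT_DIRS="dev etc etc/namedb usr/sbin var/run"

# Create the directory skeleton under $1.
build_chroot_tree() {
    root=$1
    for d in $CHROOT_DIRS; do
        mkdir -p "$root/$d"
    done
}

# Write an /etc/group inside the chroot that contains only the named
# group. $1 = chroot root, $2 = group name, $3 = GID (assumed values).
write_group_file() {
    printf '%s:x:%s:\n' "$2" "$3" > "$1/etc/group"
    chmod 644 "$1/etc/group"
}

# Copy named.conf, localtime (correct syslog timestamps) and the zone
# files from the live system into the chroot. Needs read access to them.
copy_config() {
    root=$1
    cp /etc/named.conf "$root/etc/named.conf"
    cp /etc/localtime "$root/etc/localtime"
    cp -R /etc/namedb/. "$root/etc/namedb/"
}

# /dev/null is character device major 1, minor 3 on Linux. Needs root.
make_dev_null() {
    root=$1
    [ -c "$root/dev/null" ] || mknod "$root/dev/null" c 1 3
    chmod 666 "$root/dev/null"
}

# Copy named and named-xfer from the BIND source tree ($2) into
# $1/usr/sbin, first confirming they are really static: a static
# binary makes ldd print "not a dynamic executable", never a "=>" line.
install_static_binaries() {
    root=$1; src=$2
    for p in named/named named-xfer/named-xfer; do
        bin="$src/src/bin/$p"
        if ldd "$bin" 2>/dev/null | grep -q '=>'; then
            echo "error: $bin is dynamically linked; rebuild with -static" >&2
            return 1
        fi
        cp "$bin" "$root/usr/sbin/"
    done
}

# Verify the skeleton and group file; report anything missing and
# return 1 if the tree is incomplete.
check_chroot() {
    root=$1; rc=0
    for d in $CHROOT_DIRS; do
        [ -d "$root/$d" ] || { echo "missing directory $d" >&2; rc=1; }
    done
    [ -f "$root/etc/group" ] || { echo "missing etc/group" >&2; rc=1; }
    return $rc
}

# Full build when invoked with a target directory, for example:
#   ./build-bind-chroot.sh /chroot/named
if [ -n "${1-}" ]; then
    build_chroot_tree "$1"
    write_group_file "$1" named 53
    copy_config "$1"
    make_dev_null "$1"
    install_static_binaries "$1" "${BIND_SRC:-/usr/local/src/bind}"
    check_chroot "$1" && echo "chroot tree ready under $1"
fi
```

The ldd check is the part worth keeping even if the rest is done by hand: a binary that still references shared libraries will fail at startup inside the chroot, or, worse, tempt you into copying libraries in and widening the environment the attacker gets after a compromise.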