=====Chrooted bind9 on Jessie=====

Credits to: https://wiki.debian.org/Bind9

For Jessie, edit /etc/systemd/system/multi-user.target.wants/bind9.service and add the option ''-t /var/bind9/chroot'' to the ExecStart line, so that named chroots itself at startup:

<code ini>
[Unit]
Description=BIND Domain Name Server
Documentation=man:named(8)
After=network.target

[Service]
ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop

[Install]
WantedBy=multi-user.target
</code>

After changing the unit file, reload it with:

<code bash>
systemctl daemon-reload
</code>

Now create the chroot directory structure:

<code bash>
mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log}
</code>

Create the required device special files and set the correct permissions:

<code bash>
mknod /var/bind9/chroot/dev/null c 1 3
mknod /var/bind9/chroot/dev/random c 1 8
chmod 660 /var/bind9/chroot/dev/{null,random}
chown bind /var/bind9/chroot/dev/random
</code>

Move the current config directory into the new chroot directory:

<code bash>
mv /etc/bind /var/bind9/chroot/etc
</code>

Now create a symbolic link in /etc for compatibility:

<code bash>
ln -s /var/bind9/chroot/etc/bind /etc/bind
</code>

If you want to use the local timezone in the chroot (e.g. for syslog timestamps):

<code bash>
cp /etc/localtime /var/bind9/chroot/etc/
</code>

Change the ownership on the files you've just moved over and on the rest of the newly created chroot directory structure:

<code bash>
chown -R bind:bind /etc/bind/*
chmod 775 /var/bind9/chroot/var/{cache/bind,run/named}
chgrp bind /var/bind9/chroot/var/{cache/bind,run/named}
</code>

Edit the PIDFILE variable in /etc/init.d/bind9 so that it points at the PID file inside the chroot:

<code bash>
PIDFILE=/var/bind9/chroot/var/run/named/named.pid
</code>

Finally, tell rsyslog to listen for the bind logs in the correct place, i.e. on a /dev/log socket inside the chroot, since the chrooted named cannot reach the system /dev/log:

<code bash>
echo "\$AddUnixListenSocket /var/bind9/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf
</code>

Restart rsyslog and start bind:

<code bash>
/etc/init.d/rsyslog restart; /etc/init.d/bind9 start
</code>

====Logging====

/etc/logrotate.d/named:

<code>
/var/bind9/chroot/var/log/bind.log {
    daily
    compress
    delaycompress
    rotate 5
    missingok
    postrotate
        [ -e /etc/init.d/bind9 ] && /etc/init.d/bind9 reload > /dev/null 2>&1 || true
    endscript
}

/var/bind9/chroot/var/log/security_info.log {
    daily
    compress
    delaycompress
    rotate 5
    missingok
    postrotate
        [ -e /etc/init.d/bind9 ] && /etc/init.d/bind9 reload > /dev/null 2>&1 || true
    endscript
}

/var/bind9/chroot/var/log/update_debug.log {
    daily
    compress
    delaycompress
    rotate 5
    missingok
    postrotate
        [ -e /etc/init.d/bind9 ] && /etc/init.d/bind9 reload > /dev/null 2>&1 || true
    endscript
}
</code>

====Long story short:====

<code bash>
apt-get install bind9 bind9-doc
service bind9 stop
vi /etc/systemd/system/multi-user.target.wants/bind9.service
# change the ExecStart line to:
ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot
systemctl daemon-reload
mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log}
mknod /var/bind9/chroot/dev/null c 1 3
mknod /var/bind9/chroot/dev/random c 1 8
chmod 660 /var/bind9/chroot/dev/{null,random}
chown bind /var/bind9/chroot/dev/random
mv /etc/bind /var/bind9/chroot/etc
ln -s /var/bind9/chroot/etc/bind /etc/bind
dpkg-reconfigure tzdata
cp /etc/localtime /var/bind9/chroot/etc/
chown -R bind:bind /etc/bind/*
chmod 775 /var/bind9/chroot/var/{cache/bind,run/named}
chgrp bind /var/bind9/chroot/var/{cache/bind,run/named}
chown bind /var/bind9/chroot/dev/random
touch /var/bind9/chroot/var/log/{bind.log,update_debug.log,security_info.log}
ln -s /var/bind9/chroot/var/log/ /var/log/bind
chgrp bind /var/bind9/chroot/var/log/*.log
vi /etc/init.d/bind9
# change the PID line to:
PIDFILE=/var/bind9/chroot/var/run/named/named.pid
echo "\$AddUnixListenSocket /var/bind9/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf
/etc/init.d/rsyslog restart; /etc/init.d/bind9 start
</code>

  * Add the logrotate script from above
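The steps above are easy to get half right (a plain file where a device node should be, a unit file without ''-t'', a run directory the bind group cannot write), and named then either fails to start or silently runs unchrooted. The following check script is an added example, not part of the Debian wiki page or of the bind9 package; the function name ''verify_bind_chroot'' and the ''MISSING:'' output format are my own choices, and the checks mirror the directory layout, device nodes, 775 modes and ExecStart line given on this page.

```shell
#!/bin/sh
# Added example (not from the Debian wiki page): sanity-check a bind9 chroot
# tree and its systemd unit before starting named. Usage:
#   sh check-bind-chroot.sh /var/bind9/chroot /etc/systemd/system/multi-user.target.wants/bind9.service
# Prints one "MISSING: ..." line per problem; the exit status is the problem count.

verify_bind_chroot() {
    chroot_dir=$1
    unit_file=$2
    problems=0

    fail() { echo "MISSING: $1"; problems=$((problems + 1)); }

    # Directory layout that the mkdir -p step creates.
    for d in etc dev var/cache/bind var/run/named var/log; do
        [ -d "$chroot_dir/$d" ] || fail "directory $chroot_dir/$d"
    done

    # Device nodes must be character devices (mknod c 1 3 / c 1 8), not
    # plain files left behind by a stray touch or cp.
    for dev in null random; do
        [ -c "$chroot_dir/dev/$dev" ] || fail "character device $chroot_dir/dev/$dev"
    done

    # The config directory must have been moved inside the chroot.
    [ -f "$chroot_dir/etc/bind/named.conf" ] || fail "config $chroot_dir/etc/bind/named.conf"

    # The run and cache directories are mode 775 so the bind group can write.
    for d in var/cache/bind var/run/named; do
        if [ -d "$chroot_dir/$d" ] && [ -z "$(find "$chroot_dir/$d" -prune -perm 775)" ]; then
            fail "mode 775 on $chroot_dir/$d"
        fi
    done

    # named only chroots if the unit starts it with -t <chroot>.
    if ! grep -qE "^ExecStart=.*-t $chroot_dir( |\$)" "$unit_file" 2>/dev/null; then
        fail "ExecStart with '-t $chroot_dir' in $unit_file"
    fi

    return "$problems"
}

# Only run when invoked with both arguments, so the function can also be sourced.
if [ $# -ge 2 ]; then
    verify_bind_chroot "$1" "$2"
fi
```

Run it as root after the "Long story short" list; an exit status of 0 means every item it knows about is in place, and the ''MISSING:'' lines name exactly which step to redo.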