
Chrooted bind9 on Jessie

credits to:

For Jessie, edit /etc/systemd/system/ to add the option “-t /var/bind9/chroot”:

Description=BIND Domain Name Server

ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot
ExecReload=/usr/sbin/rndc reload
ExecStop=/usr/sbin/rndc stop


For Jessie, after changing the above unit file, reload it with:

systemctl daemon-reload

Now create the chroot directory structure:

mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log}

Create the required device special files and set the correct permissions:

mknod /var/bind9/chroot/dev/null c 1 3
mknod /var/bind9/chroot/dev/random c 1 8
chmod 660 /var/bind9/chroot/dev/{null,random}

Move the current config directory into the new chroot directory:

mv /etc/bind /var/bind9/chroot/etc

Now create a symbolic link in /etc for compatibility:

ln -s /var/bind9/chroot/etc/bind /etc/bind 

If you want to use the local timezone in the chroot (e.g. for syslog):

cp /etc/localtime /var/bind9/chroot/etc/

Change the ownership on the files you've just moved over and the rest of the newly created chroot directory structure:

chown -R bind:bind /etc/bind/*
chmod 775 /var/bind9/chroot/var/{cache/bind,run/named}
chgrp bind /var/bind9/chroot/var/{cache/bind,run/named}

Edit the PIDFILE variable to the correct path:


Finally tell rsyslog to listen to the bind logs in the correct place:

echo "\$AddUnixListenSocket /var/bind9/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf

Restart rsyslog and start bind:

/etc/init.d/rsyslog restart; /etc/init.d/bind9 start

It is also a good idea to give the bind user ownership of the random device:

chown bind /var/bind9/chroot/dev/random

Long story short:

apt-get install bind9 bind9-doc
service bind9 stop
vi /etc/systemd/system/

change the ExecStart line to: ExecStart=/usr/sbin/named -f -u bind -t /var/bind9/chroot

systemctl daemon-reload
mkdir -p /var/bind9/chroot/{etc,dev,var/cache/bind,var/run/named,var/log}
mknod /var/bind9/chroot/dev/null c 1 3
mknod /var/bind9/chroot/dev/random c 1 8
chmod 660 /var/bind9/chroot/dev/{null,random}
mv /etc/bind /var/bind9/chroot/etc
ln -s /var/bind9/chroot/etc/bind /etc/bind 
dpkg-reconfigure tzdata
cp /etc/localtime /var/bind9/chroot/etc/
chown -R bind:bind /etc/bind/*
chmod 775 /var/bind9/chroot/var/{cache/bind,run/named}
chgrp bind /var/bind9/chroot/var/{cache/bind,run/named}
chown bind /var/bind9/chroot/dev/random
vi /etc/init.d/bind9

change the PIDFILE line to: PIDFILE=/var/bind9/chroot/var/run/named/

echo "\$AddUnixListenSocket /var/bind9/chroot/dev/log" > /etc/rsyslog.d/bind-chroot.conf
/etc/init.d/rsyslog restart; /etc/init.d/bind9 start
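Before starting bind it is worth checking that the chroot actually came out the way the steps above intend. The script below is an added example, not part of the original page; it assumes Debian (GNU coreutils stat, procps pgrep/ps) and that /etc/bind contains named.conf as the Debian package installs it.

```shell
#!/bin/sh
# Added example, not from the original page: sanity-check a bind9 chroot
# built with the steps above. Assumes Debian (GNU coreutils stat, procps)
# and that /etc/bind contains named.conf, as the Debian package installs it.
CHROOT_DIRS="etc dev var/cache/bind var/run/named var/log"

# Record one problem: message on stderr, bump the global counter.
note() { echo "$1" >&2; problems=$((problems + 1)); }

# Inspect the tree under $1 (default /var/bind9/chroot); print the number
# of problems on stdout so it can be checked without needing root.
bind_chroot_check() {
    root=${1:-/var/bind9/chroot}
    problems=0
    for d in $CHROOT_DIRS; do
        [ -d "$root/$d" ] || note "missing directory: $root/$d"
    done
    # named needs real device nodes; a plain file called dev/random would
    # quietly give it a non-random source instead of failing.
    for dev in null random; do
        [ -c "$root/dev/$dev" ] || note "not a character device: $root/dev/$dev"
    done
    # The configuration must have been moved inside the chroot.
    [ -d "$root/etc/bind" ] || note "config directory missing: $root/etc/bind"
    [ -f "$root/etc/bind/named.conf" ] || note "named.conf missing in $root/etc/bind"
    # Cache and pid directories: group bind, mode 775 (chgrp/chmod steps above).
    for d in var/cache/bind var/run/named; do
        [ -d "$root/$d" ] || continue
        [ "$(stat -c %G "$root/$d")" = bind ] || note "group is not bind: $root/$d"
        [ "$(stat -c %a "$root/$d")" = 775 ] || note "mode is not 775: $root/$d"
    done
    echo "$problems"
}

# Host-side checks that only mean something on the real server: the compatibility
# symlink, the rsyslog socket, and whether a running named was started with -t.
bind_chroot_host_check() {
    root=${1:-/var/bind9/chroot}
    problems=0
    [ "$(readlink /etc/bind 2>/dev/null)" = "$root/etc/bind" ] \
        || note "/etc/bind is not a symlink to $root/etc/bind"
    grep -qs "AddUnixListenSocket $root/dev/log" /etc/rsyslog.d/bind-chroot.conf \
        || note "rsyslog is not listening on $root/dev/log"
    if pgrep -x named >/dev/null 2>&1; then
        ps -o args= -C named | grep -q -- "-t $root" \
            || note "named is running but was not started with -t $root"
    fi
    echo "$problems"
}
```

Run `bind_chroot_check` and `bind_chroot_host_check` as root on the server; a result of 0 from both means the tree, the symlink, the syslog socket and the running process all match the setup above.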
jessie_bind_chroot.1452503517.txt.gz · Last modified: 2016/01/11 09:11 by admin