We are running a caching name server on the server, bound to the loopback interface only.
We decided to use bind 9, as it is well supported now. (Note that Debian's default is bind 8 if you just say "bind".) We also decided to put it into a chroot jail, as it is simple to do and well documented. This will protect us from most bind and DNS exploits, since a compromised named can only reach what is inside the jail.
First, we install the required packages:
apt-get install bind9 dnsutils bind9-doc libisccc0 libisccfg0
Next we build out /var/lib/named to contain enough so that bind9 can run chrooted within it:
mkdir -p /var/lib/named
mkdir -p /var/lib/named/etc /var/lib/named/dev
mkdir -p /var/lib/named/var/run/bind/run /var/lib/named/var/cache/bind
chown bind:bind /var/lib/named/var/run/bind/run
chown -R bind:bind /var/lib/named/var/*
mknod /var/lib/named/dev/random c 1 8
mknod /var/lib/named/dev/null c 1 3
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
Next we move the configuration into the chroot directory and symlink it back to the original location, so we can keep editing the configuration under /etc/bind:
mv /etc/bind /var/lib/named/etc/bind
ln -s /var/lib/named/etc/bind /etc/bind
Next we edit /etc/default/bind9 to tell it to start up chrooted to /var/lib/named:
OPTIONS="-u bind -t /var/lib/named"
Edit /var/lib/named/etc/bind/named.conf.options to tell named which interfaces to listen on (loopback only) and which forwarders to send queries to when we don't know the answer ourselves:
listen-on {127.0.0.1;};
forwarders {24.217.0.3;};
TODO: Our forwarder will need to change to whoever our upstream ISP is. This is Charter.
Start the named server:
/etc/init.d/bind9 start
Edit /etc/resolv.conf to tell it to use localhost to resolve DNS names:
domain sluug.info
nameserver 127.0.0.1
Run nslookup and/or dig to resolve some DNS names. Make sure you get answers back from 127.0.0.1.
Run some client programs to make sure they are resolving host names properly.
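The following verification script is added here and is not part of the original howto. It checks the jail built above (directory layout and device nodes under /var/lib/named), confirms via /proc that the running named really has its root at /var/lib/named and runs as bind, and checks that 127.0.0.1 answers queries; it assumes GNU stat and pidof as shipped with Debian, and uses sluug.info, the domain from this page, as the test query.

```shell
# Added example, not from the original page: sanity-check a bind9 chroot jail built
# as described above.  Assumes this page's layout under ROOT (etc/bind, dev/random,
# dev/null, var/run/bind/run, var/cache/bind) and GNU stat / pidof as on Debian.

# Print one line per problem found under ROOT; return the number of problems (0 = ok).
check_jail_layout() {
    root=$1
    problems=0
    for d in etc/bind dev var/run/bind/run var/cache/bind; do
        if [ ! -d "$root/$d" ]; then
            echo "missing directory: $root/$d"
            problems=$((problems + 1))
        fi
    done
    # named needs both device nodes; check type and major:minor (stat prints them in hex)
    for spec in "random 1:8" "null 1:3"; do
        node=$root/dev/${spec%% *}; want=${spec#* }
        if [ ! -c "$node" ]; then
            echo "not a character device: $node"
            problems=$((problems + 1))
        elif [ "$(stat -c '%t:%T' "$node")" != "$want" ]; then
            echo "wrong major:minor on $node (want $want)"
            problems=$((problems + 1))
        fi
    done
    if [ ! -f "$root/etc/bind/named.conf" ]; then
        echo "missing $root/etc/bind/named.conf (was /etc/bind moved into the jail?)"
        problems=$((problems + 1))
    fi
    return $problems
}

# Succeed only if process PID has ROOT as its root directory and runs as USER
# (a name or a numeric uid).  Reads /proc, so it works on any PID you may inspect.
check_process_confinement() {
    pid=$1 root=$2 user=$3
    case $user in *[!0-9]*) want_uid=$(id -u "$user") ;; *) want_uid=$user ;; esac
    [ "$(readlink "/proc/$pid/root")" = "$root" ] && [ "$(stat -c '%u' "/proc/$pid")" = "$want_uid" ]
}

# Check the live system (run as root): the jail, then that named really runs as bind
# inside it and answers on 127.0.0.1 (sluug.info is the domain used on this page).
run_checks() {
    check_jail_layout /var/lib/named || return 1
    pid=$(pidof -s named) || { echo "named is not running"; return 1; }
    check_process_confinement "$pid" /var/lib/named bind || { echo "named (pid $pid) is not chrooted to /var/lib/named as bind"; return 1; }
    dig @127.0.0.1 +short sluug.info >/dev/null || { echo "no answer from 127.0.0.1"; return 1; }
    echo "chroot jail and named look good"
}
```

Save it as a script and call run_checks from it after the steps above; a daemon that was started without the -t option shows up as a failed confinement check even though name resolution works.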
Need to re-run the entire thing again (except the apt-get install) as several changes have been made since then.
Change the domain to sluug.org when appropriate.
Much of this is based on the Bind-Chroot-Howto for Debian.