We’re going to mitigate some risks that are inherent when running a server by jailing our nsd authoritative name server into it’s own chroot and making sure it runs with the least privileges possible. This manual is split into two parts. The first part is what it’s all about when it comes to jailing your daemon. Luckily this is not a lot of work because nsd has builtin support for chroots. The second part serves as an example of where to put your zone files and how to include them in your configuration.
All commands should be executed as root.
1. Setup chroot
We’ll assume you have nsd installed, if not run
apt-get install nsd.
Before we lock up the daemon into the jail we have to make sure it has some space where it can write out it’s thoughts. We’ll put the zone files in a different directory just to keep things clear.
# mkdir -m 775 /etc/nsd/db /etc/nsd/run /etc/nsd/run/xfr
Create a logging socket in the chroot so that any complaints the daemon might have can be heard.
# mkdir -m 755 /etc/nsd/dev
Create a new config file in /etc/nsd/nsd.conf.d/local.conf that has pointers to the new writable locations and contains the instructions to chroot and drop privileges.
# cat > /etc/nsd/nsd.conf.d/local.conf <<EOF
Include the new config file and restart nsd.
# echo 'include: /etc/nsd/nsd.conf.d/local.conf' >> /etc/nsd/nsd.conf
At last pinch a hole in the firewall so it can communicate with the outside world.
# ufw allow from any to any port 53
Thanks to the fact that nsd has builtin support for chrooting this is all that comes to it.
2. Setup zone example.com
Now a chrooted authoritative name server without zones doesn’t make any sense, at all. I’ll show you how to link a zone by using an example. Say your name server is located at
ns.example.net and it has to answer questions for
example.com. Create a zone file for example.com in
# cat > /etc/nsd/zones/example.com.zone <<EOF
Add this zone to the configuration and restart nsd.
# cat >> /etc/nsd/nsd.conf.d/local.conf <<EOF
The new zone can be tested by using dig(1) to ask the name server the ip address of www.example.com.
$ dig @ns.example.net www.example.com +short
Well there you go. The name server at ns.example.net said that www.example.com is located at 203.0.113.2. You’ve chrooted the nsd daemon and setup an example zone. Once you’ve added all your zones you’re done.
Please contact me for any suggestions or criticism.