We’re going to mitigate some of the risks inherent in running a server by jailing our nsd authoritative name server in its own chroot and making sure it runs with the least privileges possible. This manual is split into two parts. The first part covers what jailing your daemon is all about. Luckily this is not a lot of work because nsd has built-in support for chroots. The second part serves as an example of where to put your zone files and how to include them in your configuration.
All commands should be executed as root.
1. Setup chroot
We’ll assume you have nsd installed; if not, run apt-get install nsd.
Before we lock the daemon up in the jail we have to make sure it has some space where it can write out its thoughts. We’ll put the zone files in a different directory just to keep things clear.
# mkdir -m 775 /etc/nsd/db /etc/nsd/run /etc/nsd/run/xfr
Create a logging socket in the chroot so that any complaints the daemon might have can be heard.
# mkdir -m 755 /etc/nsd/dev
Create a new config file at /etc/nsd/nsd.conf.d/local.conf that points to the new writable locations and contains the instructions to chroot and drop privileges.
# cat > /etc/nsd/nsd.conf.d/local.conf <<EOF
Include the new config file and restart nsd.
# echo 'include: /etc/nsd/nsd.conf.d/local.conf' >> /etc/nsd/nsd.conf
Finally, pinch a hole in the firewall so it can communicate with the outside world.
# ufw allow from any to any port 53
Thanks to nsd’s built-in support for chrooting, that’s all there is to it.
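Before restarting, it is worth checking that the jail settings in local.conf agree with each other: a writable path that lies outside the chroot is the usual reason a jailed nsd fails to start. The following checker is an added example, not part of the original post; the option names are nsd’s own, the sample configuration is constructed from the directories created above, and /etc/nsd as the chroot directory is an assumption.

```python
# Added example (not from the original post): sanity-check an nsd.conf fragment
# before restarting the daemon. Verifies that chroot and an unprivileged username
# are set and that every path nsd writes to lies inside the chroot, since the
# jailed process cannot reach anything outside it. The configuration below is
# constructed; option names are nsd's own, /etc/nsd as chroot is an assumption.
import re
from pathlib import PurePosixPath

# Options nsd opens for writing after it has chrooted and dropped privileges.
WRITABLE_OPTIONS = ("zonesdir", "database", "xfrdir", "pidfile", "logfile")

SAMPLE_CONF = """\
server:
    chroot: "/etc/nsd"
    username: nsd
    zonesdir: "/etc/nsd/zones"
    database: "/etc/nsd/db/nsd.db"
    xfrdir: "/etc/nsd/run/xfr"
    pidfile: "/etc/nsd/run/nsd.pid"
    logfile: "/etc/nsd/run/nsd.log"    # constructed; the post elides its config
"""

def parse_options(text):
    """Map 'key: value' lines to a dict; comments and surrounding quotes stripped."""
    options = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([A-Za-z0-9_-]+):\s*(.*)$", line.split("#", 1)[0])
        if m and m.group(2).strip():
            options[m.group(1)] = m.group(2).strip().strip('"')
    return options

def check_jail(options):
    """Return a list of problems; an empty list means the jail settings agree."""
    chroot = options.get("chroot")
    if not chroot:
        return ["chroot is not set; the daemon would see the whole filesystem"]
    problems = []
    if options.get("username", "root") == "root":
        problems.append("username is missing or root; privileges are not dropped")
    for opt in WRITABLE_OPTIONS:
        value = options.get(opt)
        if value is None:
            problems.append(f"{opt} is not set")
        elif not PurePosixPath(value).is_relative_to(chroot):
            problems.append(f"{opt}={value} lies outside chroot {chroot}")
    return problems

if __name__ == "__main__":
    print("\n".join(check_jail(parse_options(SAMPLE_CONF)) or ["jail settings look consistent"]))
```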
2. Setup zone example.com
Now a chrooted authoritative name server without zones doesn’t make any sense at all. I’ll show you how to link in a zone by using an example. Say your name server is located at ns.example.net and it has to answer questions for example.com. Create a zone file for example.com at /etc/nsd/zones/example.com.zone.
# cat > /etc/nsd/zones/example.com.zone <<EOF
Add this zone to the configuration and restart nsd.
# cat >> /etc/nsd/nsd.conf.d/local.conf <<EOF
The new zone can be tested by using dig(1) to ask the name server for the IP address of www.example.com.
$ dig @ns.example.net www.example.com +short
Well, there you go. The name server at ns.example.net says that www.example.com is located at 203.0.113.2. You’ve chrooted the nsd daemon and set up an example zone. Once you’ve added all your zones you’re done.
Please contact me for any suggestions or criticism.