Hello. I've got a few questions about bind chroot configuration. Many tutorials explain that we must create an entire directory structure in the chroot directory. It means that libraries and binaries of Bind are present in the chroot directory. Many others indicate that CHROOT_DIR/dev, CHROOT_DIR/etc and CHROOT_DIR/var are sufficient and so, libraries and binaries aren't in the chroot directory. What is the difference between these two configurations? What is the best configuration in terms of security? Thanks a lot for your response.
I think that those are two different approaches. E.g., in this howto http://www.howtoforge.com/howto_bind_chroot_debian we don't need all the libraries etc. in the chroot jail because we tell Bind's init script to run Bind chrooted (by putting OPTIONS="-u bind -t /var/lib/named" into /etc/default/bind9). I think it's a lot easier than putting all the libraries etc. into the chroot jail...
Then should I not see something in either OPTIONS="-u bind -t /var/lib/named" or /etc/default/bind9 (as it is, no .../named and no ../bind9)? TYIA
Does this reference [OPTIONS="-u bind -t /var/lib/named"] point to a directory that is supposed to be there, real or symlink?
-u bind means the user bind. /var/lib/named is a directory and must exist. BIND will run chrooted in that directory.
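Added example (not from any post in this thread): a small shell helper that lays out the minimal jail the "-t /var/lib/named" approach needs and checks it. With -t, named loads its own binary and shared libraries from the real root before it chroots, so the jail only needs configuration, zone data, run/cache directories and a couple of device nodes; copies of binaries or libraries inside it are unnecessary and only widen what a compromised process can reach. The directory names under the jail are assumptions modelled on a Debian layout.

```shell
#!/bin/sh
# Minimal jail skeleton for "named -u bind -t JAIL" (assumed Debian-style paths).
# Device nodes (/dev/null, /dev/random) are left out on purpose: they need
# mknod as root, which this helper does not attempt.
make_minimal_named_chroot() {
    jail="$1"
    for d in etc/bind dev var/cache/bind var/run/named; do
        mkdir -p "$jail/$d" || return 1
    done
    return 0
}

# Return 0 if $1 looks like a minimal "-t" jail: every required directory is
# present and no binaries or shared libraries were copied in.
check_named_chroot() {
    jail="$1"
    for d in etc/bind dev var/cache/bind var/run/named; do
        if [ ! -d "$jail/$d" ]; then
            echo "missing $jail/$d" >&2
            return 1
        fi
    done
    # A regular file under lib*/, usr/, bin/ or sbin/ means the "full tree"
    # layout was used; with -t those files serve no purpose inside the jail.
    extra=$(find "$jail" -type f \( -path "$jail/lib*" -o -path "$jail/usr/*" \
                -o -path "$jail/bin/*" -o -path "$jail/sbin/*" \) 2>/dev/null | head -n 1)
    if [ -n "$extra" ]; then
        echo "unexpected binary/library inside jail: $extra" >&2
        return 1
    fi
    return 0
}
```

Run it as `check_named_chroot /var/lib/named` after creating the jail; a non-zero exit names the first problem it found.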
It does not matter how you use BIND in a chroot. Take a look at this guide. In that example BIND is running in the /chroot/named directory.