Bind-Chroot-Howto (Debian)

Discussion in 'HOWTO-Related Questions' started by spaz, Mar 8, 2006.

  1. spaz

    spaz New Member

    Running Debian Sarge, 2.6.11 k7, on a server that also serves apache virtual sites. Server has an internal ip address, 192.168.x.x, is behind a router that forwards ports 80, 22, plus additional ports for bind, smtp (not setup yet) and one or two other ports I can't recall right now to the server.

    Followed your how-to, bind-chroot-debian,
    # /etc/init.d/bind9 start, get the following in log:

    named[25046]: starting BIND 9.2.4 -u bind -t /var/lib/named
    named[25046]: using 1 CPU
    named[25046]: loading configuration from '/etc/bind/named.conf'
    named[25046]: none:0: open: /etc/bind/named.conf: permission denied
    named[25046]: loading configuration: permission denied
    named[25046]: exiting (due to fatal error)

    Time and server name removed from the log lines above to make them more readable.

    I think I have a permission problem in one of the directories created during one of the steps. After it failed the first time and I couldn't figure out what was wrong, I removed (purged) bind9 and started over a couple of times. But the directories that are created during one of the steps in the how-to remained, so the directory/permission problem may remain as well, if that is the problem.

    Note that I had a restrictive umask setting for root as I am very paranoid about security. After I ran into problems, I changed it back to what was recommended to me on a debian list or what I found on another debian install, can't remember which.

    Thinking back, I may have bind running as the wrong user, the config file may have the wrong user or group set, and I did try to make the config file readable to all to see if that fixed the problem. Nothing worked.

    In /etc, the bind directory has root and bind as user/group, with rwxr-sr-x as permissions; the named.conf file is bind/bind with 664, rndc.key is 640, and all the other files in /etc/bind are user/group bind/bind and either 664 or 644.

    Thanks in advance for any help.
     
  2. falko

    falko Super Moderator Howtoforge Staff

    Please post the output of
    Code:
    ls -la /etc/bind
     
  3. spaz

    spaz New Member

    # ls -la /etc/bind
    total 53
    drwxr-sr-x 2 root bind 376 2005-08-06 10:22 .
    drwxr-xr-x 129 root root 8792 2006-03-08 03:45 ..
    lrwxrwxrwx 1 bind bind 23 2005-08-06 10:22 bind -> /var/lib/named/etc/bind

    -rw-r--r-- 1 bind bind 237 2004-09-23 11:25 db.0
    -rw-r--r-- 1 bind bind 271 2004-09-23 11:25 db.127
    -rw-r--r-- 1 bind bind 237 2004-09-23 11:25 db.255
    -rw-r--r-- 1 bind bind 353 2004-09-23 11:25 db.empty
    -rw-r--r-- 1 bind bind 256 2004-09-23 11:25 db.local
    -rw-r--r-- 1 bind bind 1507 2004-09-23 11:25 db.root
    -rw-rw-r-- 1 bind bind 1611 2004-09-23 11:25 named.conf
    -rw-rw-r-- 1 bind bind 165 2004-09-23 11:25 named.conf.local
    -rw-rw-r-- 1 bind bind 672 2004-09-23 11:25 named.conf.options
    -rw-r----- 1 bind bind 77 2005-08-06 10:16 rndc.key
    -rw-r--r-- 1 bind bind 1317 2004-09-23 11:25 zones.rfc1918

    root@22[bind]# ls -la /var/lib/named/etc/bind
    total 44
    drwxrwxr-x 2 bind bind 352 2004-10-21 00:06 .
    drwx------ 3 root root 72 2005-02-08 12:30 ..
    -rw-r--r-- 1 bind bind 237 2004-06-18 03:38 db.0
    -rw-r--r-- 1 bind bind 271 2004-06-18 03:38 db.127
    -rw-r--r-- 1 bind bind 237 2004-06-18 03:38 db.255
    -rw-r--r-- 1 bind bind 353 2004-06-18 03:38 db.empty
    -rw-r--r-- 1 bind bind 256 2004-06-18 03:38 db.local
    -rw-r--r-- 1 bind bind 1507 2004-06-18 03:38 db.root
    -rw-rw---- 1 bind bind 1611 2004-09-23 11:25 named.conf
    -rw-rw---- 1 bind bind 165 2004-06-18 03:38 named.conf.local
    -rw-rw---- 1 bind bind 672 2004-06-18 03:38 named.conf.options
    -rw-r----- 1 bind bind 77 2004-08-21 05:59 rndc.key
    -rw-r--r-- 1 bind bind 1317 2004-06-18 03:38 zones.rfc1918

    taking a look at the permissions in /var/lib/named/etc/bind, (link from /etc/bind) I tried:

    chmod 664 /var/lib/named/etc/bind/named.conf*

    and received the same error messages when trying to start bind, so I changed it back to where it was:

    chmod 660 /var/lib/named/etc/bind/named.conf*

    and the output above is the current condition with nothing changed.
     
  4. falko

    falko Super Moderator Howtoforge Staff

    Do I understand you right that you have a symlink /etc/bind/bind -> /var/lib/named/etc/bind instead of /etc/bind -> /var/lib/named/etc/bind?
     
  5. spaz

    spaz New Member

    Ok, fixed that newbie mistake! Now linking /etc/bind ->
    Should it be a soft link? I used "ln" without the -s flag.

    After fixing some more permissions on directories (some were 700, changing to 775 and changing group root to bind in relevant subdirectories under /var), I get the following in the logs at startup attempt:

    05:53:26 serv named[925]: starting BIND 9.2.4 -u bind -t /var/lib/named
    05:53:26 serv named[925]: using 1 CPU
    05:53:26 serv named[925]: loading configuration from '/etc/bind/named.conf'
    05:53:26 serv named[925]: listening on IPv4 interface lo, 127.0.0.1#53
    05:53:26 serv named[925]: listening on IPv4 interface eth0, 192.168.1.4#53
    05:53:26 serv named[925]: command channel listening on 127.0.0.1#953
    05:53:26 serv named[925]: command channel listening on ::1#953
    05:53:26 serv named[925]: couldn't open pid file '/var/run/bind/run/named.pid': No such file or directory

    05:53:26 serv named[925]: exiting (due to early fatal error)


    Note that /var/run/bind/run/ is empty. Should I "touch" named.pid in /var/run/bind/run/ and if so, with what permissions and user/group? Or will this file be created on its own when bind runs? I tried both ways, with the directory empty and with a touched 664 root/bind named.pid file, and the error message in the logs was the same as above.

    Just in case it matters, I only have port 53 forwarded from router, and port 53 open on firewall, do not have port 953 open on firewall or forwarded from router.

    Thanks so far, a bit of progress.
     
  6. spaz

    spaz New Member

    After googling the error message in the syslog, I found this:

    http://www.howtoforge.com/howto_bind_chroot_debian#comment-275

    then followed this in the above post:

    I created a file /var/lib/named/var/run/bind/run started the server again and all was fine.

    and the syslog indicates bind is running:

    08:10:24 serv named[6395]: starting BIND 9.2.4 -u bind -t /var/lib/named
    08:10:24 serv named[6395]: using 1 CPU
    08:10:24 serv named[6395]: loading configuration from '/etc/bind/named.conf'
    08:10:24 serv named[6395]: listening on IPv4 interface lo, 127.0.0.1#53
    08:10:24 serv named[6395]: listening on IPv4 interface eth0, 192.168.1.4#53
    08:10:24 serv named[6395]: command channel listening on 127.0.0.1#953
    08:10:24 serv named[6395]: command channel listening on ::1#953
    08:10:24 serv named[6395]: zone 0.in-addr.arpa/IN: loaded serial 1
    08:10:24 serv named[6395]: zone 127.in-addr.arpa/IN: loaded serial 1
    08:10:24 serv named[6395]: zone 255.in-addr.arpa/IN: loaded serial 1
    08:10:24 serv named[6395]: zone localhost/IN: loaded serial 1
    08:10:24 serv named[6395]: running

    A few questions:

    1. directory ownership: should I follow a subsequent post and do this:
    chown -R bind:bind /var/lib/named/var/run/bind/run

    since I created some of the directories manually, and some are currently owner root, group bind? Should I change the entire path to owner bind, group bind? Or leave as is?

    Second question: What next? Which file(s) am I looking at for my web sites, which are currently using xname.org as primary and secondary name servers? Should I pull the zone info from xname.org, then make my dns server primary and xname.org secondary (until I can get access to another subnet and a secondary dns server of my own), or should I manually create the zone info for the dozen domains I have and risk breaking them, instead of pulling data from what already works?

    3rd question: My dns server is on a local /29 subnet of public ip addresses. Our internal lan is on the same /29. Can I restrict the dns server to use by only the /29 subnet and for authoritative use for the handful of domains? Or will everyone have access to the nameserver because port 53 is open?

    Can the restriction be directly in the bind configuration, or can this only be done by the firewall, if at all?

    4th question, relevant to everybody following guide:
    Doesn't the link in /etc/bind to a different directory or partition (/var) keep the actual configuration file out of /etc, which creates a problem when bind is upgraded due to security reasons in Debian Sarge? Wouldn't the configuration file and any changes made to it be overwritten if/when there is an update because the configuration file is outside of /etc? I'm figuring this is necessary for the chroot, but shouldn't an extra step such as pinning be taken to help prevent inadvertent overwriting of the config files?

    A big thanks for all the help!
     
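A small audit script for the layout the thread ended up with, added here as an example and not part of the howto or of any post: it checks the three things that went wrong above (the symlink must be /etc/bind itself, not /etc/bind/bind; named.conf must be readable by the unprivileged bind user; and the pid directory must exist inside the chroot and be writable by that user). The chroot path, the link path and the user name are parameters; an empty user means the calling identity, which lets it be tried against a scratch tree first.

```shell
#!/bin/sh
# Audit a Debian bind9 chroot tree for the faults hit in the thread above.
# Added example, not from the howto. Usage:
#   check_bind_chroot CHROOT ETC_LINK BIND_USER   e.g. /var/lib/named /etc/bind bind
# Empty BIND_USER = the calling user. Prints one line per check, returns 0 if all pass.

# has_bit PATH UID "GIDS" BIT: does that uid/gid set hold permission BIT
# (4=read, 2=write) on PATH, judged purely from owner, group and mode bits?
has_bit() {
    st=$(stat -c '%u %g %a' "$1") || return 1
    f_uid=${st%% *}; rest=${st#* }; f_gid=${rest%% *}; mode=${rest#* }
    perm=${mode#"${mode%???}"}          # last three octal digits (drops setgid etc.)
    if [ "$f_uid" = "$2" ]; then d=${perm%??}                   # owner digit
    elif echo " $3 " | grep -q " $f_gid "; then d=${perm#?}; d=${d%?}   # group digit
    else d=${perm#??}; fi                                       # other digit
    [ $(( d & $4 )) -ne 0 ]
}

check_bind_chroot() {
    root=$1; etc_link=$2; rc=0
    if [ -n "$3" ]; then uid=$(id -u "$3"); gids=$(id -G "$3"); else uid=$(id -u); gids=$(id -G); fi

    # 1. /etc/bind itself must be the symlink into the chroot; the first mistake
    #    in the thread was a link at /etc/bind/bind instead.
    if [ -L "$etc_link" ] && [ "$(readlink "$etc_link")" = "$root/etc/bind" ]; then
        echo "ok:   $etc_link -> $root/etc/bind"
    else
        echo "FAIL: $etc_link is not a symlink to $root/etc/bind"; rc=1
    fi
    # 2. named.conf is opened after the drop to -u bind, so that user needs read.
    conf=$root/etc/bind/named.conf
    if [ -f "$conf" ] && has_bit "$conf" "$uid" "$gids" 4; then
        echo "ok:   $conf readable by uid $uid"
    else
        echo "FAIL: $conf missing or not readable by uid $uid"; rc=1
    fi
    # 3. the pid file path /var/run/bind/run/named.pid is resolved *inside* the
    #    chroot, so the directory must exist there and be writable by bind.
    rundir=$root/var/run/bind/run
    if [ -d "$rundir" ] && has_bit "$rundir" "$uid" "$gids" 2; then
        echo "ok:   $rundir exists and is writable by uid $uid"
    else
        echo "FAIL: $rundir missing or not writable by uid $uid"; rc=1
    fi
    return $rc
}
```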