Information
The chroot() system call causes an application to run with limited file system access so that a subdirectory becomes the root directory for the application environment. When this is done, the application is jailed and no longer has access to the entire file structure but is limited to the given subdirectory.
Rationale:
Although there are ways that a chroot jail can be broken, most methods require that a process be running as root in order to escape. Since BIND should be run as a different user than root, a chroot is an effective defense, to limit access to sensitive system configuration files. In the event that BIND has a vulnerability that allows code execution, the attack will not have access to the real system files such as /etc/password, but will be limited to the files placed in the chroot subdirectory.
Solution
Perform the following:
- Stop the named service and install the bind-chroot package to provide the chroot directories.
# systemctl stop named.service
# yum install bind-chroot
- Edit the /etc/sysconfig/named configuration file to have a line similar to the one shown below that sets the ROOTDIR environment variable.
ROOTDIR="/var/named/chroot"
- Move all the configuration files and any master zone files into their respective directions under the subdirectory /var/named/chroot/??
- It may be helpful to create symbolic links from a couple of system /etc files such as /etc/named.conf and /etc/rndc.key to the real files in the chroot-ed subdirectory, so that utilities like rndc will work as expected. Do not create symbolic links or hard links from inside the chroot to external resources! Instead use symbolic links to point from the outside resources into the chroot.
- Restart the named service and test the configuration.
# systemctl start named.service
Default Value:
The BIND service is not chroot'ed by default.
3 Restricting Queries
Recommendations in this section pertain to configurable access control mechanisms that are available in ISC BIND to restrict queries.