Posts Tagged ‘bind’
This tutorial is about chrooting a BIND (named) installation on Debian 6. Chrooting is done for security reasons: if BIND gets hacked on the server, the hacker is jailed in the chroot and cannot get access to other services.
Run
apt-get install bind9
to install BIND9.
For security reasons we want to run BIND chrooted so we have to do the following steps:
Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so that it reads OPTIONS="-u bind -t /var/lib/named":
# run resolvconf?
# startup options for the server
OPTIONS="-u bind -t /var/lib/named"
Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir -p /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run
Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc
Create a symlink to the new config directory from the old location (to avoid problems when BIND gets updated in the future):
ln -s /var/lib/named/etc/bind /etc/bind
Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
We need to create the file /etc/rsyslog.d/bind-chroot.conf...
... with the following line so that we can still get important messages logged to the system logs:
Restart the logging daemon:
Start up BIND, and check /var/log/syslog for errors:
Thanks to Falko Timme from Howtoforge.com for this tutorial.
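As a check on the steps above, this added example (not part of the original tutorial) audits the finished jail: the -u and -t options in the defaults file, the directories and their owner, the /etc/bind symlink, and the two device nodes. The function names and the command-line convention are assumptions of the example, and it relies on GNU stat as shipped on Debian.

```shell
#!/bin/sh
# Added example: audit a chrooted BIND layout (GNU stat assumed, as on Debian).
# Usage: sh audit.sh /var/lib/named /etc/default/bind9 /etc/bind [owner]

problems=0
fail() { echo "FAIL: $*"; problems=$((problems + 1)); }

# Print the value that follows FLAG ($2) in the OPTIONS="..." line of file $1.
named_option() {
    sed -n 's/^OPTIONS="\(.*\)".*$/\1/p' "$1" | tail -n 1 |
        awk -v flag="$2" '{ for (i = 1; i < NF; i++)
                                if ($i == flag) { print $(i + 1); exit } }'
}

# Succeed if $1 is a character device, major $2, minor $3, mode 666.
# stat prints major/minor (%t/%T) in hex, so the expected pair is converted.
is_chardev() {
    [ -c "$1" ] || return 1
    [ "$(stat -c '%t:%T:%a' "$1")" = "$(printf '%x:%x:666' "$2" "$3")" ]
}

# Print one line per deviation from the tutorial's layout; return their count.
audit_bind_chroot() {
    jail=$1; defaults=$2; etc_link=$3; owner=${4:-bind}; problems=0
    [ "$(named_option "$defaults" -t)" = "$jail" ] ||
        fail "$defaults: OPTIONS does not chroot named to $jail (-t)"
    [ "$(named_option "$defaults" -u)" = "$owner" ] ||
        fail "$defaults: OPTIONS does not drop privileges to $owner (-u)"
    [ -d "$jail/dev" ] || fail "missing directory $jail/dev"
    for d in etc/bind var/cache/bind var/run/bind/run; do
        if [ ! -d "$jail/$d" ]; then
            fail "missing directory $jail/$d"
        elif [ "$(stat -c %U "$jail/$d")" != "$owner" ]; then
            fail "$jail/$d is not owned by $owner"
        fi
    done
    [ "$(readlink "$etc_link")" = "$jail/etc/bind" ] ||
        fail "$etc_link is not a symlink to $jail/etc/bind"
    is_chardev "$jail/dev/null" 1 3 || fail "$jail/dev/null is not c 1 3, mode 666"
    is_chardev "$jail/dev/random" 1 8 || fail "$jail/dev/random is not c 1 8, mode 666"
    return "$problems"
}

# Run the audit only when paths are given on the command line.
if [ "$#" -ge 3 ]; then audit_bind_chroot "$@"; exit $?; fi
```

An exit status of 0 means the layout matches the steps above; each FAIL line names the step to redo.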
When a server has more than one IP address, postfix will use all IP addresses randomly to send out emails. This can cause your emails to be listed as SPAM on other servers because the sending IP does not match the reverse IP of the server hostname. The solution is to bind postfix to the primary IP address of the server.
Edit the postfix main.cf file:
and add the line:
smtp_bind_address = 192.168.0.1
where 192.168.0.1 has to be replaced with the primary IP address of the server. Then restart postfix: