Securing and Optimizing Linux: RedHat Edition -A Hands on Guide
PrevChapter 21. Software -NetworkingNext

21.8. Clean-up and Test the new chrooted jail

Remove the unnecessary files and directory. 

 [root@deep] /# rm -f  /usr/sbin/named
 [root@deep] /# rm -f  /usr/sbin/named-xfer
 [root@deep] /# rm -f  /etc/named.conf
 [root@deep] /# rm -rf /var/named/
We remove the named and named-xfer binaries from the /usr/sbin directory, since the ones we'll work with now on a daily basis are located under the chroot directory. The same applies for the named.conf file and /var/named directory.

We must test the new chrooted jail configuration of our ISC BIND/DNS software.

  1. The first thing to do is to restart our syslogd daemon with the following command: 
    
 [root@deep] /# /etc/rc.d/init.d/syslog restart
 
    
 Shutting down kernel logger:                               	[  OK  ]
 Shutting down system logger:                               	[  OK  ]
 Starting system logger:                                    	[  OK  ]
 Starting kernel logger:                               		[  OK  ]

  2. Now, start the new chrooted jail ISC BIND/DNS with the following command: 
    
 [root@deep] /# /etc/rc.d/init.d/named start
 
    
 Starting named:                                            		[  OK  ]

  3. Make sure it's running as user named and with the new arguments. To verify that ISC BIND/DNS is running as user named with the new arguments, use the following command: 
    
 [root@deep] /# ps auxw | grep named
 
    
 named 11446 0.0 1.2 2444 1580 ? S 23:09 0:00 /chroot/named/usr/sbin/named -t /chroot/named/ -unamed -gnamed
    The first column should be named, which is the UID named daemon is running under. The end of the line should be named -t /chroot/named/ -unamed -gnamed, which are the new arguments.

  4. Please dont forget to cleanup: 
    
 [root@deep] /# rm -rf /var/tmp/src bind-src.tar.gz
    This will remove the source file and tar archive we used to compile and install ISC BIND/DNS.

Further documentation, for more details there are several man pages you can read:

dnsdomainname(1)

- show the system's DNS domain name

dnskeygen(1)

- generate public, private, and shared secret keys for DNS Security

dnsquery(1)

- query domain name servers using resolver

named(8)

- Internet domain name server DNS

hesiod_to_bind [hesiod](3)

- Hesiod name server interface library

ldconfig(8)

- determine run-time link bindings

lesskey(1)

- specify key bindings for less

raw(8)

- bind a Linux raw character device

mkfifo(1)

- make FIFOs named pipes

named-bootconf(8)

- convert name server configuration files

named-xfer(8)

- ancillary agent for inbound zone transfers

named.conf [named](5)

- configuration file for

Opcode(3)

- Disable named opcodes when compiling perl code

dig(1)

- send domain name query packets to name servers

nslookup(8)

- query Internet name servers interactively

ndc(8)

- name daemon control program

PrevHomeNext
The syslog daemonUpDNS Administrative Tools