How-To: Configure a chroot/jailed DNS Server in Solaris 10
My DNS server was running on Solaris 8. When we upgraded our environment to Solaris 10, the existing DNS setup had to be migrated to the new release, along with a new version of BIND 9. Solaris 10 differs a lot from Solaris 8, so the DNS start/stop procedure needs some adjustments to run under SMF, the Service Management Facility that replaced the old rc scripts.
So here we go:
Default DNS Configuration file : /etc/named.conf
Default Zone files location : /var/named
Now,
Download the desired BIND version package from sunfreeware.com, or any other source you prefer, and install it with the pkgadd command.
NOTE: Solaris 10 ships its own BIND as the SUNWbind package. Run pkginfo and grep its output for "bind" to see which BIND packages are installed on your system. Optionally, you can remove SUNWbind with pkgrm so that only one named binary remains on the box (see the note at the end of this post).
Step 1: Create the group and the user that will own the jail. The group has to exist before useradd -g can refer to it, and the shell /bin/false prevents anyone from logging in as that user.
# groupadd named
# useradd -g named -d /var/named -c "DNS User" -s /bin/false named
Step 2: Create the directory structure for the chroot environment. named.conf will live under /dns/etc, so create that directory as well.
# mkdir -p /dns/etc /dns/var/named /dns/var/run /dns/var/log
(The -p option makes mkdir create the intermediate paths automatically. The directories are spelled out one by one: the Solaris 10 Bourne shell, /sbin/sh, has no {a,b} brace expansion, so typing mkdir -p /dns/var/{named,run,log} there creates a single directory literally named "{named,run,log}".)
Step 3: Create named.conf inside the jail and populate it.
# touch /dns/etc/named.conf
(NOTE: Do NOT forget the "directory" statement in the options block of named.conf; the zone files are placed under that location. In our case it will be "/var/named". named chroots to /dns before it reads its configuration, so every path in named.conf, this one and the pid-file included, is relative to the jail: "/var/named" means /dns/var/named on disk.)
Step 4: Change the user and group ownership of the whole /dns tree to the named user and group (chown -R).
Step 5: Block other users' access to this directory by removing the world read/write/execute bits (chmod). The jail should be readable only by named and root, and nothing inside it should be world-writable, otherwise any local user could plant zone data or a configuration file for the server to load.
Step 6: Take a backup of the default SMF manifest for the DNS server. It lives in /var/svc/manifest/network/dns.
# cd /var/svc/manifest/network/dns
# cp server.xml server-chroot.xml
Edit the new file. First give the instance its own name, otherwise importing the copy would overwrite the default instance instead of adding a second one: in the <instance ...> element change name='default' to name='chroot'.
Then add the following entry next to the existing dependency elements of the service, a path dependency on the jailed named.conf (the dependency name is your choice, it only has to be unique within the manifest):
<dependency name='chroot-config-file'
grouping='require_all'
restart_on='none'
type='path'>
<service_fmri value='file://localhost/dns/etc/named.conf' />
</dependency>
This adds a new dependency to the DNS service: SMF will not start named until that file exists. (Use the -d option of svcs to list all dependencies of a service.)
Then edit the property values in the options property group. Point the server property at the newly installed binary (the stock value refers to Sun's named under /usr/sbin; if you leave it, SMF will start the old binary even though the jail is set up):
<propval name='server' type='astring' value='/usr/local/sbin/named' />
Change
<propval name='configuration_file' type='astring' value='' />
to
<propval name='configuration_file' type='astring' value='/etc/named.conf' />
(this path is interpreted inside the jail, i.e. /dns/etc/named.conf on disk), and change
<propval name='chroot_dir' type='astring' value='' />
to
<propval name='chroot_dir' type='astring' value='/dns' />
Save and exit the file.
Step 7: Validate the edited file before importing it into SMF. There should be no errors:
# svccfg validate server-chroot.xml
Step 8: Now we are ready to import server-chroot.xml into SMF, using svccfg:
# svccfg import server-chroot.xml
Step 9: Use svcs to list all DNS services on your system:
# svcs '*dns*'
STATE     STIME    FMRI
disabled  Dec_04   svc:/network/dns/server:default   <-- the default instance
online    Dec_04   svc:/network/dns/client:default
online    Dec_31   svc:/network/dns/server:chroot    <-- the new chroot instance
Step 10: Disable the default DNS service if it is running, so that the two instances do not both try to bind port 53:
# svcadm disable svc:/network/dns/server:default
Step 11: Enable the new chroot DNS service:
# svcadm enable svc:/network/dns/server:chroot
If the instance ends up in maintenance instead of online, svcs -x explains why, and the method's output is in the log file that svcs -x names.
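The whole procedure from Step 1 to Step 11 as one script, added here as an example and not taken from the original post. It assumes (the post does not say so) that the sunfreeware BIND installs under /usr/local, that the copied manifest is /var/svc/manifest/network/dns/server-chroot.xml, and that named.conf sits at /dns/etc/named.conf, which is where configuration_file=/etc/named.conf resolves once chroot_dir=/dns applies. It is meant to be run as root on the Solaris 10 box with the argument "run"; without an argument it only defines its functions, so you can source it and call check_jail or verify_named on their own.

```shell
#!/bin/sh
# Added example (not from the original post): build the BIND jail under /dns,
# lock it down, register the chroot SMF instance and verify the result.
# Assumed paths: BIND under /usr/local, manifest server-chroot.xml, config at
# /dns/etc/named.conf (named chroots before it reads its configuration).

JAIL=${JAIL:-/dns}
NAMED_USER=named
NAMED_GROUP=named
MANIFEST=/var/svc/manifest/network/dns/server-chroot.xml
FMRI=svc:/network/dns/server:chroot
CHECKCONF=/usr/local/sbin/named-checkconf

# Steps 2 and 3: jail layout plus a minimal named.conf. Directories are listed
# one by one because Solaris 10's /sbin/sh has no {a,b} brace expansion.
make_jail() {
    root=$1
    for d in etc var/named var/run var/log; do
        mkdir -p "$root/$d" || return 1
    done
    if [ ! -s "$root/etc/named.conf" ]; then
        cat > "$root/etc/named.conf" <<'EOF'
options {
        directory "/var/named";         /* /dns/var/named on disk */
        pid-file "/var/run/named.pid";  /* /dns/var/run/named.pid on disk */
};
EOF
    fi
}

# Steps 4 and 5: named owns the jail, everyone else is kept out.
lock_jail() {
    root=$1; user=$2; group=$3
    chown -R "$user:$group" "$root" || return 1
    find "$root" -type d -exec chmod 750 {} \;
    chmod 640 "$root/etc/named.conf"
}

# Sanity check before touching SMF: layout present, nothing world-writable.
check_jail() {
    root=$1
    for d in etc var/named var/run var/log; do
        [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
    done
    [ -s "$root/etc/named.conf" ] || { echo "empty $root/etc/named.conf" >&2; return 1; }
    ww=$(find "$root" -perm -002)
    [ -z "$ww" ] || { echo "world-writable inside jail: $ww" >&2; return 1; }
}

# Steps 7, 8, 10 and 11: parse the config inside the jail, validate and import
# the manifest, then swap the default instance for the chroot one.
register_service() {
    "$CHECKCONF" -t "$JAIL" /etc/named.conf || return 1
    svccfg validate "$MANIFEST" || return 1
    svccfg import "$MANIFEST" || return 1
    svcadm disable svc:/network/dns/server:default
    svcadm enable "$FMRI" || return 1
    svcs -d "$FMRI"      # the new path dependency should show up here
}

# Prove that the running named was started with -t /dns and answers queries.
# BIND drops root only when started with -u, so report the user as well.
verify_named() {
    pid=$(pgrep -x named | head -1)
    [ -n "$pid" ] || { echo "named is not running" >&2; return 1; }
    ps -o user= -o args= -p "$pid"
    ps -o args= -p "$pid" | grep -q -- "-t $JAIL" \
        || { echo "named was not started with -t $JAIL" >&2; return 1; }
    [ "$(ps -o user= -p "$pid" | tr -d ' ')" = root ] \
        && echo "WARNING: named runs as root (no -u option)" >&2
    dig @127.0.0.1 version.bind chaos txt +short
}

# Run the whole procedure only when asked, so the file can also be sourced.
case "${1:-}" in
run) make_jail "$JAIL" && lock_jail "$JAIL" "$NAMED_USER" "$NAMED_GROUP" \
        && check_jail "$JAIL" && register_service && verify_named ;;
esac
```

check_jail refuses a jail with any world-writable entry, because a writable /dns/var/named or /dns/etc would let a local user feed the server zone data or configuration of their own; the -t check in verify_named is the quickest way to tell whether SMF actually started the jailed instance rather than the old SUNWbind binary.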
NOTE: If your system still has Sun's default BIND package, SUNWbind, then after installing the new version of BIND you will have TWO named binaries installed, together with two copies of the related tools such as dig. Whenever you check the version of one of these tools (named -v, dig -v), the answer comes from whichever copy is found first in your PATH, which is normally the SUNWbind one under /usr/sbin and /usr/bin, not the one you just installed. The same applies to the server property in the manifest: it must point at the new binary, otherwise SMF starts the old one.
In that case, locate every copy on the system with the find command (for example find / -type f -name named) and check each one's version explicitly.
If you have removed Sun's package instead, set PATH in /etc/profile so that the directories of the newly installed package (for sunfreeware builds, /usr/local/sbin and /usr/local/bin) are searched.