BIND is the name server most people run. It is also a long-lived, network-facing daemon that parses untrusted input from anyone who can reach port 53, and it has a history of remotely exploitable bugs. Running it chrooted (jailed) does not remove those bugs, but it limits what an attacker who exploits one can reach: named sees only the jail directory, not the rest of the filesystem, so the blast radius of a compromise is smaller and the service is easier to reason about.
I decided to share my experience, because I've done this on a handful of machines and have the routine down pretty well, and anybody else with the same problem set, on Ubuntu server, might find this helpful.
Stop BIND:
/etc/init.d/bind9 stop
Edit /etc/default/bind9 so that BIND runs chrooted to the directory /chroot/named. The -t option makes named chroot before it reads its configuration, so every path in named.conf (including /etc/bind/named.conf itself) is resolved inside the jail; -u makes it drop to the bind user afterwards. Change the line:
OPTIONS="-u bind"
to:
OPTIONS="-u bind -t /chroot/named"
Create the directories the chrooted environment needs: etc for the configuration, dev for the device nodes, var/cache/bind for named's working directory (the directory option in the Debian/Ubuntu named.conf.options) and var/run/bind/run for the pid file:
mkdir -p /chroot/named/etc /chroot/named/dev \
/chroot/named/var/cache/bind /chroot/named/var/run/bind/run
Move the config directory:
mv /etc/bind /chroot/named/etc
Create a symlink from the old location to the new config directory, so that rndc, the init script and anyone editing zone files still find everything at /etc/bind:
ln -s /chroot/named/etc/bind /etc/bind
Create the null and random device nodes (named needs /dev/null when it detaches from the terminal and /dev/random for entropy) and fix ownership of the directories named must write to:
mknod /chroot/named/dev/null c 1 3
mknod /chroot/named/dev/random c 1 8
chmod 666 /chroot/named/dev/null /chroot/named/dev/random
chown -R bind:bind /chroot/named/var/*
chown -R bind:bind /chroot/named/etc/bind
Note that the last chown hands the bind user write access to its own configuration and zone files, which a compromised named could then rewrite. If you do not use dynamic updates, a stricter choice is to keep /chroot/named/etc/bind owned by root with group bind and group read only, and to give bind write access only under var.
Once chrooted, named can no longer reach the host's /dev/log, so its log messages would be lost. Edit /etc/default/syslogd to make syslogd also listen on a socket inside the jail. Change the line:
SYSLOGD=""
to:
SYSLOGD="-a /chroot/named/dev/log"
Restart syslogd (the package is sysklogd). On releases that ship rsyslog instead, the equivalent is the $AddUnixListenSocket /chroot/named/dev/log directive of the imuxsock module in /etc/rsyslog.conf, followed by a restart of rsyslog:
/etc/init.d/sysklogd restart
Start up BIND and watch /var/log/syslog for errors. "File not found" or permission errors at this point almost always mean a path that named.conf references outside the jail, or a file the bind user cannot read inside it:
/etc/init.d/bind9 start
tail -f /var/log/syslog
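The whole procedure above, turned into a script that can also verify the result. This is an added example, not code from the original post: the paths and the bind user are the post's, but the function names, the "apply" argument and the checks are my own. The system-changing part only runs as root with "apply"; the helper functions can be exercised against any directory, which is how you can dry-run them before touching /etc.

```shell
#!/bin/sh
# Added example (not from the original post): build and verify the BIND
# chroot described above. Run as root with the argument "apply" to change
# the system; without it nothing outside the given directory is touched.

CHROOT="${CHROOT:-/chroot/named}"
BIND_USER="${BIND_USER:-bind}"

# Create the directory skeleton named needs inside the jail and, when
# running as root, the two device nodes (mknod needs root). Returns
# non-zero if a directory cannot be created.
make_chroot_tree() {
    root="$1"
    mkdir -p "$root/etc" "$root/dev" "$root/var/cache/bind" \
             "$root/var/run/bind/run" || return 1
    if [ "$(id -u)" -eq 0 ]; then
        [ -c "$root/dev/null" ]   || mknod "$root/dev/null" c 1 3
        [ -c "$root/dev/random" ] || mknod "$root/dev/random" c 1 8
        chmod 666 "$root/dev/null" "$root/dev/random"
    fi
}

# Confirm every directory the jail needs exists; names the first one missing.
check_chroot_tree() {
    root="$1"
    for d in etc dev var/cache/bind var/run/bind/run; do
        [ -d "$root/$d" ] || { echo "missing $root/$d" >&2; return 1; }
    done
}

# Set VAR="value" in an /etc/default style file. Refuses to touch a file
# that has no VAR= line, so a typo in the variable name cannot silently add
# a new one. Edits in place via a temp copy so the file's mode is kept.
set_default_var() {
    file="$1"; var="$2"; value="$3"
    grep -q "^$var=" "$file" || { echo "no $var= line in $file" >&2; return 1; }
    out="$file.tmp.$$"
    sed "s|^$var=.*|$var=\"$value\"|" "$file" > "$out" || { rm -f "$out"; return 1; }
    cat "$out" > "$file"
    rm -f "$out"
}

# Verify that the running named is really jailed: the kernel's view of its
# root directory (/proc/PID/root) must point at the jail. Needs root.
check_named_jailed() {
    root="$1"
    pid=$(pidof named) || { echo "named is not running" >&2; return 1; }
    [ "$(readlink "/proc/$pid/root")" = "$root" ]
}

if [ "${1:-}" = "apply" ]; then
    /etc/init.d/bind9 stop
    set_default_var /etc/default/bind9 OPTIONS "-u $BIND_USER -t $CHROOT"
    make_chroot_tree "$CHROOT"
    # Move the config into the jail once; keep the host path as a symlink.
    if [ -d /etc/bind ] && [ ! -L /etc/bind ]; then
        mv /etc/bind "$CHROOT/etc/"
        ln -s "$CHROOT/etc/bind" /etc/bind
    fi
    chown -R "$BIND_USER:$BIND_USER" "$CHROOT/var"
    chown -R "$BIND_USER:$BIND_USER" "$CHROOT/etc/bind"
    set_default_var /etc/default/syslogd SYSLOGD "-a $CHROOT/dev/log"
    /etc/init.d/sysklogd restart
    /etc/init.d/bind9 start
    check_chroot_tree "$CHROOT" && check_named_jailed "$CHROOT" \
        && echo "named is running chrooted in $CHROOT"
fi
```

The check_named_jailed test is the one worth keeping around: it asks the kernel, not the init script, where named's root is, so it catches the case where /etc/default/bind9 was edited but the init script ignored the option.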