CentOS 6.3 - Chroot Bind or not?

Hi

[I posted this as a forum thread by mistake, instead of a ticket. So since it's important to me I'll post it again here. Mods please feel free to edit or delete whichever]

I'm setting up a new box with CentOS 6.3 (first time I've used CentOS 6).

I always understood it's better to run BIND in a jailed env. But I see various threads on here and elsewhere about problems using BIND in a chroot.

So should BIND be chrooted under CentOS 6.3 or not? Is there a definitive answer?

I also notice that recursion is enabled by default. This is normally not a good thing, but I also see various threads about this needing to be enabled in CentOS 6. As above: is there a definitive answer?

thanks

l.

Status: Active

Comments

Howdy -- we've seen some issues come up with using BIND in a chroot environment. Those issues don't tend to come up, or come up as often, when not using that setup.

That said, it can work, and the more common problem is switching from one to the other once everything is set up already.

But yeah, if you haven't installed Virtualmin yet, my suggestion is to not install the chroot BIND package.

As far as recursive lookups -- I don't recall hearing that it needs to be enabled on CentOS. In theory, that shouldn't be necessary. At least, not for remote clients (you'd want that enabled for your own server).

If you run into issues with that, feel free to let us know and we can try to sort out what's going on.

Thanks for the reply.

It's a completely new install of a minimal CentOS and then directly Virtualmin. So most stuff has been pulled in via VM, but bind-chroot isn't installed.

I've run BIND in a chroot for years and it feels kinda naked without it! But I don't have time to unravel potential issues just now, so path of least resistance I guess!

About the DNS recursion issue: as installed, named.conf looks like this:

options { ... recursion yes;

There is no allow-recursion {}; option.

AFAIK that config should not be allowed.

I usually have something like this:

acl myacl { 123.123.123.123; 123.123.123.124; 127.0.0.1; };

allow-recursion { myacl; };
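As an added example (not from the thread or the Virtualmin project), here is how the as-installed setting and the restricted setting compare as a complete BIND options block, with the ACL name, the 192.0.2.x addresses and the interface address being assumed placeholders:

```conf
// As installed on CentOS 6: recursion is on and, with no allow-recursion,
// BIND answers recursive queries from any address that can reach port 53.
//
// options {
//     recursion yes;
// };

// Restricted version: recursion stays on, but only for listed clients.
acl "trusted" {
    127.0.0.1;          // the server itself (Virtualmin/local lookups)
    ::1;
    192.0.2.10;         // assumed: this server's public address
    192.0.2.0/24;       // assumed: the network whose clients may recurse
};

options {
    directory "/var/named";
    listen-on port 53 { 127.0.0.1; 192.0.2.10; };   // assumed interface address

    recursion yes;                   // needed for the server's own lookups
    allow-recursion   { trusted; };  // recursive service only for the ACL
    allow-query-cache { trusted; };  // cached answers only for the ACL (see ISC FAQ)
    allow-query       { any; };      // authoritative answers for hosted zones stay public
};
```

Check the file with named-checkconf before reloading; a remote query from outside the ACL for a name you are not authoritative for should then be refused rather than answered.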

If you wish to disable recursion by default, there's some information here on the BIND website that describes some changes that may affect how that works, and how to configure it.

You can read about it here in the section "What has changed in the behavior of "allow-recursion" and "allow-query-cache"":

https://www.isc.org/software/bind/faq

Thanks for the link.

Yes, that's pretty much where I am.

It's just I don't remember seeing recursion enabled by default (recently), and was surprised finding posts saying it needed to be on.

So anyway, no problem, and your work here is done!

Thanks again.

l.