
DNS Security / Jailing BIND







Subtitles of the Movie

If BIND is running normally and is successfully attacked, the attacker gains access to everything the user running BIND can access, which is root by default. You can change the user under which BIND runs with the -u option. For example, /usr/local/sbin/named -u named would start BIND as the named user. This gives some security, as the named user has few rights on the system and should not be able to do much damage. The remaining problem is that an attacker could use the named user to launch a local root exploit against some vulnerable program on the system. While running BIND as the named user helps, it is possible to go even further in preventing damage from attacks.

Jailing BIND refers to running it in its own environment using the chroot function. chroot changes what the program sees as its file-system root to another directory. In this lesson we will jail BIND in the /var/named directory, so an attacker will never be able to traverse out of that directory, because the BIND application will consider it its root.

Make sure another instance of named isn't running. The first step is to create the jail; since BIND will see this as its root, you need to copy everything BIND needs to run into this folder. If it doesn't already exist, create the /var/named directory; we will use this as the jail. Now create the /var/named/var, /var/named/etc, /var/named/var/run and /var/named/var/named directories. This may look confusing, but to the BIND application /var/named will now look like /. Copy /etc/named.conf to /var/named/etc. Move your zone files from /var/named to /var/named/var/named. Ensure that all those files are readable by the named user and that the /var/named/var/run directory is writable by the named user; use the command chmod 777 /var/named/var/run if you need to. Now you can start BIND using the jail.

Type /usr/local/sbin/named -u named -t /var/named; the -u option specifies which user should be used to start the daemon and the -t option specifies the jail directory. Your server should now be running and responding to queries. Check it with nslookup. If everything is working properly, edit your startup files to reflect the new BIND startup command. You should now be safer if an attacker takes control of your BIND service.
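The jail layout and start-up command from the lesson as a shell script, added here as an example and not part of the VTC course. It assumes the lesson's paths (/var/named as the jail, /etc/named.conf, /usr/local/sbin/named) and, where it can, uses ownership by the named user instead of chmod 777 on the run directory.

```shell
# Added example (not from the lesson). Assumed paths: named binary at
# /usr/local/sbin/named, jail /var/named, config /etc/named.conf.
set -eu

# build_jail JAIL CONF_SRC ZONE_SRC [OWNER]
#   JAIL      directory named will see as /      (lesson: /var/named)
#   CONF_SRC  existing named.conf                (lesson: /etc/named.conf)
#   ZONE_SRC  directory holding the zone files   (lesson: /var/named)
#   OWNER     unprivileged account for named     (lesson: named)
build_jail() {
    jail=$1; conf_src=$2; zone_src=$3; owner=${4:-named}
    # Inside the jail these become /etc, /var/run and /var/named.
    mkdir -p "$jail/etc" "$jail/var/run" "$jail/var/named"
    # named reads /etc/named.conf relative to the jail root. A
    # directory "/var/named"; option in it still works unchanged,
    # because that path is resolved inside the jail too.
    cp "$conf_src" "$jail/etc/named.conf"
    # Move the zone files (regular files only; the jail's own
    # subdirectories are skipped when ZONE_SRC is the jail itself).
    for z in "$zone_src"/*; do
        if [ -f "$z" ]; then mv "$z" "$jail/var/named/"; fi
    done
    # Config and zones need only be readable by named; /var/run must be
    # writable by named for the pid file. Ownership by the named user
    # achieves that without a world-writable chmod 777.
    chmod 644 "$jail/etc/named.conf"
    chmod 755 "$jail/var/run" "$jail/var/named"
    if [ "$(id -u)" -eq 0 ]; then
        chown -R "$owner" "$jail/etc" "$jail/var/run" "$jail/var/named"
    fi
}

# jail_layout_ok JAIL: succeeds if the pieces named needs are in place.
jail_layout_ok() {
    [ -f "$1/etc/named.conf" ] || return 1
    [ -d "$1/var/run" ] || return 1
    [ -d "$1/var/named" ] || return 1
}

# start_jailed_named JAIL [OWNER] [NAMED_BIN]: -u drops privileges to
# OWNER, -t makes JAIL the root named sees. If named logs errors about
# /dev/null or /dev/random at startup, create those nodes in the jail.
start_jailed_named() {
    jail=$1; owner=${2:-named}; bin=${3:-/usr/local/sbin/named}
    jail_layout_ok "$jail" || return 1
    "$bin" -u "$owner" -t "$jail"
}
```

Run build_jail and start_jailed_named as root, then confirm the server answers with nslookup against 127.0.0.1 as the lesson describes.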

Tutorial Information

Course: DNS
Author: Blair Rampling
SKU: 33444
ISBN: 1932072438
Release Date: 2003-07-15
Duration: 4.5 hrs / 70 lessons
Captions: Available on CD and Online University
Compatibility: Vista/XP/2000, OS X, Linux
QuickTime 7, Flash 8
