Chrooting DNS

In a DMZ it is often desirable to run dual DNS servers. This allows internal clients to have a local view of a domain (mydomain.com, for example), while external (Internet) clients get a different view, served from a different name server daemon and zone file.

All DMZ DNS servers should be chrooted for security reasons. It's just good security practice to run DNS chrooted, and with minimal privileges.

The internal DNS server daemon listens on the internal network interface. It has whatever zone files it needs to provide the intranet's view of the DNS space. For internal queries that don't refer to a local host, it forwards the request to the external named daemon.

The external server daemon listens on the external network interface and the loopback interface. It handles DNS queries from external clients, as well as the forwarded requests from the internal named daemon.
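The two-daemon layout described above, written out as a pair of BIND named.conf fragments. This is an added example, not configuration from the page or from Dave Lugo's document; it assumes BIND 9 syntax, an internal interface at 10.0.0.53, an external interface at 192.0.2.53, and chroot trees under /chroot/named-int and /chroot/named-ext, all of which are placeholder choices. The internal daemon listens only on the inside address and forwards everything it is not authoritative for to the external daemon over loopback; the external daemon listens on the outside address plus loopback, answers its public zones to anyone, and recurses only for queries arriving from loopback (that is, from the internal daemon).

```conf
// ---- /chroot/named-int/etc/named.conf  (INTERNAL daemon) ----
// Assumed placeholder addresses and paths; adjust to the real network.
options {
    directory "/var/named";          // relative to the chroot root
    listen-on { 10.0.0.53; };        // internal interface only, so no port clash with the external daemon
    allow-query { 10.0.0.0/8; };     // only intranet clients may ask
    forward only;                    // never resolve on the Internet directly...
    forwarders { 127.0.0.1; };       // ...hand non-local names to the external daemon on loopback
};

// Intranet view of the domain (private addresses, internal hosts)
zone "mydomain.com" {
    type master;
    file "internal/mydomain.com.zone";   // lives at /chroot/named-int/var/named/internal/
};

// ---- /chroot/named-ext/etc/named.conf  (EXTERNAL daemon) ----
options {
    directory "/var/named";
    listen-on { 192.0.2.53; 127.0.0.1; };   // external interface plus loopback for forwarded queries
    allow-query { any; };                   // public zones are served to the world
    allow-recursion { 127.0.0.1; };         // recurse only on behalf of the internal daemon
};

// Public view of the same domain (public addresses only)
zone "mydomain.com" {
    type master;
    file "external/mydomain.com.zone";   // lives at /chroot/named-ext/var/named/external/
};

// Each daemon is started with its own root and an unprivileged uid, e.g.:
//   named -u named -t /chroot/named-int -c /etc/named.conf
//   named -u named -t /chroot/named-ext -c /etc/named.conf
// (-c is resolved after the chroot, so the path is relative to the new root)
```

The point of `forward only` on the internal daemon is that it never needs Internet reachability itself, and the point of `allow-recursion { 127.0.0.1; }` on the external daemon is that outside clients get authoritative answers only, so the public-facing process is not an open resolver.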


freshmeat.net Project details for ctk-adm-dns-chroot

ctk-adm-dns-chroot creates the minimum file structure needed to run BIND as a chrooted, unprivileged user.

Chroot-BIND HOWTO

Adam Shostack's Homepage -- older stuff about chroot.

Dual chrooted Bind/DNS server by Dave Lugo
How to set up one machine with two BIND servers, to implement a split internal/external view of DNS, using the chroot environment. Targeted at Redhat Linux 6.0. Note that some people regard chroot environments as not especially secure. 05-Mar-2000