Here's how I set up a BIND nameserver to run in a FreeBSD jail in December, 2016.

Read Some Good Documentation

Web pages that helped me include:

Choose Initial Configuration

Here are the items for which to choose appropriate values prior to setting up the jail:

Set Up Host Computer

Add Another Loopback Interface

First, edit /etc/rc.conf by creating the following line:

cloned_interfaces="JAIL_LOOPBACK_INTERFACE_NAME"

or, if /etc/rc.conf already has a cloned_interfaces line, by appending your JAIL_LOOPBACK_INTERFACE_NAME to it (for example "lo1 lo2"). Use a name that is not already taken by an existing network interface.

Then, run service netif cloneup to create the new interface without rebooting.

Enable ezjail

Add the following line to /etc/rc.conf to ensure that ezjail service starts at boot time:

ezjail_enable="YES"

Then, run service ezjail start to start the service now.

Install the Base Jail

If you want the jail filesystems to live somewhere other than the default of /usr/jails, create or edit /usr/local/etc/ezjail.conf and set ezjail_jaildir to JAIL_FILESYSTEM_ROOT.

If JAIL_FILESYSTEM_ROOT doesn't exist yet because you want it on a separate partition, create it now. Alternatively, accept the default and mount a separate partition at /usr/jails, so that the jails you install don't eat into the partition holding /usr.

Run ezjail-admin install -p. The -p fetches the ports collection into the base jail so you can build the software you need within the jail.

Create DNS Jail

Run ezjail-admin create JAIL_NAME 'JAIL_LOOPBACK_INTERFACE_NAME|JAIL_LOOPBACK_ADDRESS,JAIL_NETWORK_INTERFACE_NAME|JAIL_IP'. Each comma-separated element is an interface|address pair; I used em0 for JAIL_NETWORK_INTERFACE_NAME.

During creation, ezjail-admin warns about services on the host that listen on 0.0.0.0 (the wildcard address) or explicitly on the jail's new loopback or external IP. A jail shares the host's network stack, so such a service would also accept connections arriving on the jail's addresses. Reconfigure those services, and any other host daemon that would listen on the jail's IP, to bind only to the host's own addresses before you rely on the jail's isolation.
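The check a practitioner wants here is a list of exactly which host sockets would also answer on the jail's addresses. The following is an added example, not code from the original page or from ezjail: it filters sockstat -4l output for sockets bound to the wildcard address or to JAIL_IP. The sockstat output and the addresses (192.0.2.20 standing in for JAIL_IP) are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original page): find host sockets that would
# also answer on a jail's IP. A jail shares the host's network stack, so a
# host daemon bound to the wildcard address (*:port in sockstat output) or
# explicitly to JAIL_IP receives packets addressed to the jail.
# Real usage on the host:  sockstat -4l | shared_listeners JAIL_IP

# shared_listeners JAIL_IP   (reads `sockstat -4l` output on stdin)
# Prints "COMMAND PID PROTO LOCAL_ADDRESS" for every conflicting socket.
shared_listeners() {
    awk -v jail_ip="$1" '
        NR == 1 { next }                 # skip the column header
        {
            addr = $6                    # LOCAL ADDRESS column, e.g. *:22
            split(addr, a, ":")
            if (a[1] == "*" || a[1] == jail_ip)
                print $2, $3, $5, addr
        }'
}

# Constructed sockstat -4l output for the example; 192.0.2.20 plays JAIL_IP
# and 192.0.2.10 is the host's own address.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       712   4  tcp4   *:22                  *:*
root     syslogd    540   7  udp4   *:514                 *:*
ntpd     ntpd       600   20 udp4   127.0.0.1:123         *:*
root     httpd      801   5  tcp4   192.0.2.10:80         *:*
root     ntpd       600   21 udp4   192.0.2.20:123        *:*'

# count_conflicts JAIL_IP -> number of sample sockets that clash with JAIL_IP
count_conflicts() {
    printf '%s\n' "$SAMPLE_SOCKSTAT" | shared_listeners "$1" | wc -l | tr -d ' '
}
```

With the sample above, shared_listeners 192.0.2.20 reports sshd and syslogd (wildcard binds) plus the ntpd socket bound to the jail address; httpd on the host's own address is left alone. To fix the reported ones, bind them to the host address only, for example ListenAddress HOST_IP in /etc/ssh/sshd_config for sshd and -b HOST_IP in syslogd_flags in /etc/rc.conf for syslogd.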

Configure DNS Jail

Edit /usr/local/etc/ezjail/JAIL_NAME and change the jail_JAIL_NAME_hostname setting to JAIL_HOST_NAME.

Start the Jail

Start the jail by running ezjail-admin start JAIL_NAME. You'll see messages like the following:

Set Up Jail

Start Jail Console

Start a root console for the jail by running ezjail-admin console JAIL_NAME.

Configure Jail Machine

Here's how to configure the jail in general:

  1. set the root password you selected earlier by running passwd
  2. configure the time zone by running tzsetup
  3. remove or comment out the adjkerntz entry in /etc/crontab by running sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab, or just edit the /etc/crontab file to comment out the adjkerntz entry
  4. set upstream remote DNS servers by editing /etc/resolv.conf - add nameserver IPAddress lines
  5. edit /etc/hosts as follows:

::1 localhost JAIL_HOST_NAME.(optional domain name) JAIL_HOST_NAME

JAIL_LOOPBACK_ADDRESS localhost JAIL_HOST_NAME.(optional domain name) JAIL_HOST_NAME

Install/Configure BIND 9.9 (or whatever version is current when you read this)

Install BIND 9.9 by running make -C /usr/ports/dns/bind99 install clean.

The build pulls in the following dependencies (versions as of December 2016):

  1. libxml2-2.9.4
  2. gmake-4.2.1_1
  3. gettext-tools-0.19.8.1
  4. gettext-runtime-0.19.8.1_1
  5. indexinfo-0.2.6
  6. pkgconf-1.0.2
  7. idnkit-1.0_6
  8. libedit-3.1.20150325_2,1

Next, edit /usr/local/etc/namedb/named.conf. At a minimum, make named listen on the jail's own addresses (JAIL_LOOPBACK_ADDRESS and JAIL_IP) rather than the wildcard address, and restrict allow-recursion and allow-query to your own network so the jail doesn't become an open resolver.

Next, edit /etc/rc.conf (you may need to create it) by adding the line:

named_enable="YES"

Next, start the name server by running service named start.

Test the name server by running /usr/local/bin/dig @JAIL_IP freebsd.org; a working server returns status: NOERROR with an ANSWER SECTION.
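The named.conf step above is the one that decides whether the jail is a private resolver or an open one. As an added example, not the port's default file or the page author's configuration, the script below writes a minimal named.conf for the jailed resolver and then checks a named.conf for the two mistakes that make it an open resolver (wildcard listen-on, and recursion without a restrictive allow-recursion). The acl name trusted, the addresses (192.0.2.0/24 as the trusted network) and the file paths, which follow the FreeBSD port's layout, are assumptions for the example; substitute your own.

```shell
#!/bin/sh
# Added example (not the port's default file or the page author's config):
# write a minimal named.conf for a jailed recursive resolver and check a
# named.conf for the mistakes that turn it into an open resolver.
# Addresses, the trusted network and the paths are placeholders; the paths
# follow the FreeBSD dns/bind99 port layout and may differ on your system.

# write_named_conf JAIL_LOOPBACK_ADDRESS JAIL_IP TRUSTED_NET OUTFILE
write_named_conf() {
    loopback=$1; jail_ip=$2; trusted_net=$3; out=$4
    cat > "$out" <<EOF
// Example named.conf written by write_named_conf (placeholders substituted).
acl trusted { $loopback; $trusted_net; };

options {
    directory       "/usr/local/etc/namedb/working";
    pid-file        "/var/run/named/pid";

    // Bind only the jail's own addresses, never the wildcard address.
    listen-on       { $loopback; $jail_ip; };
    listen-on-v6    { none; };

    // Recursive service is the point of this jail, but only for our hosts:
    // "recursion yes" without a restrictive allow-recursion is an open resolver.
    recursion       yes;
    allow-recursion { trusted; };
    allow-query     { trusted; };
    allow-transfer  { none; };
    version         "not disclosed";
};

zone "." { type hint; file "/usr/local/etc/namedb/named.root"; };
EOF
}

# strip_comments FILE -> the config with // comments removed, so that a
# commented-out directive is not mistaken for a live one
strip_comments() {
    sed 's,//.*$,,' "$1"
}

# check_named_conf FILE -> prints PASS, or prints a FAIL line and returns 1
check_named_conf() {
    f=$1
    if strip_comments "$f" | grep -Eq 'listen-on[[:space:]]*\{[^}]*(0\.0\.0\.0|any)'; then
        echo "FAIL: listen-on binds the wildcard address"; return 1
    fi
    if strip_comments "$f" | grep -Eq 'recursion[[:space:]]+yes' &&
       ! strip_comments "$f" | grep -q 'allow-recursion'; then
        echo "FAIL: recursion enabled without allow-recursion (open resolver)"; return 1
    fi
    if strip_comments "$f" | grep -Eq 'allow-recursion[[:space:]]*\{[^}]*any'; then
        echo "FAIL: allow-recursion { any; } (open resolver)"; return 1
    fi
    echo PASS
}
```

On the jail, run named-checkconf /usr/local/etc/namedb/named.conf for a syntax check before service named start; the check_named_conf function only looks for the policy mistakes that named-checkconf accepts as valid configuration. The host's dig test in the step above works because the host's address falls inside the trusted acl.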

Complete Set Up of Host Computer

Have Host Computer use Jailed BIND Server

Switch the host to the jailed BIND server by editing /etc/resolv.conf and changing its nameserver entry to JAIL_IP.

Then, test name resolution on the host computer, for example by running host freebsd.org.

Complete Set Up of Jail

Enable Logging of named Queries

If you want to see the queries your jailed named daemon answers, in the root console for the jail, do the following:

  1. run rndc querylog on
  2. edit /etc/syslog.conf to include daemon.* in the list of what goes to /var/log/messages
  3. run rndc reload
  4. test by running nslookup somedomain JAIL_IP
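Once query logging reaches /var/log/messages, the security-relevant question is who is using the resolver. The following is an added example, not code from the page or from BIND: it summarizes the query-log lines and reports clients whose address is outside the network that is supposed to use this resolver, plus the number of ANY queries, the type favoured by amplification abuse. The log lines are constructed in the syslog format BIND 9.9 uses for query logging; 192.0.2.0/24 is assumed to be the trusted network and 198.51.100.77 is the constructed outsider.

```shell
#!/bin/sh
# Added example (not from the original page): summarize query-log lines that
# named writes to /var/log/messages once "rndc querylog on" is in effect, and
# flag clients outside the network that is supposed to use this resolver.
# Real usage on the jail:
#   query_clients_outside '^192[.]0[.]2[.]' < /var/log/messages

# query_clients_outside TRUSTED_REGEX   (reads syslog lines on stdin)
# Prints "COUNT CLIENT_IP" for each querying client whose address does not
# match TRUSTED_REGEX, busiest first. Any output means the jail is reachable
# as a resolver from where it should not be.
query_clients_outside() {
    awk -v trusted="$1" '
        / named\[[0-9]+\]: client [0-9.]+#[0-9]+ / {
            ip = ""
            for (i = 1; i <= NF; i++)
                if ($i == "client") { split($(i + 1), c, "#"); ip = c[1]; break }
            if (ip != "" && ip !~ trusted) n[ip]++
        }
        END { for (ip in n) print n[ip], ip }' | sort -rn
}

# any_query_count   (reads syslog lines on stdin)
# Counts "IN ANY" queries, the record type favoured by amplification attacks.
any_query_count() {
    grep -c ' query: [^ ]* IN ANY '
}

# Constructed log lines in the format BIND 9.9 uses for query logging via
# syslog; 192.0.2.0/24 is the trusted network, 198.51.100.77 an outsider.
SAMPLE_LOG='Dec 20 10:00:01 dns named[1234]: client 192.0.2.10#53211 (freebsd.org): query: freebsd.org IN A + (192.0.2.20)
Dec 20 10:00:02 dns named[1234]: client 192.0.2.11#40001 (www.freebsd.org): query: www.freebsd.org IN AAAA + (192.0.2.20)
Dec 20 10:00:03 dns named[1234]: client 198.51.100.77#1337 (isc.org): query: isc.org IN ANY +E (192.0.2.20)
Dec 20 10:00:04 dns named[1234]: client 198.51.100.77#1337 (isc.org): query: isc.org IN ANY +E (192.0.2.20)
Dec 20 10:00:05 dns named[1234]: client 192.0.2.10#53212 (ns.example.net): query: ns.example.net IN A + (192.0.2.20)'
```

Run against the sample, query_clients_outside '^192[.]0[.]2[.]' prints a single line, 2 198.51.100.77, and any_query_count prints 2; both point at the same outside client, which is exactly what a correctly restricted allow-recursion should make impossible. The trusted network is passed as a regex with bracketed dots because awk -v treats backslash escapes specially.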

Maintaining Operating System within Jail

Run the following as root on the host (note that this did not work for me):

  1. run file /usr/jails/basejail/bin/sh
  2. read its output to find the OS version in /usr/jails/basejail; it shows something like for FreeBSD 11.0
  3. run ezjail-admin update -U -s 11.0-RELEASE, substituting the FreeBSD version found in the previous step
  4. reboot
  5. run /usr/sbin/freebsd-update install
  6. run ezjail-admin update -u

Running the ezjail-admin update -U command above produced error messages of the form touch: /usr/jails/newjail//boot/kernel.old/.freebsd-update: No such file or directory.

Maintaining Software Packages within Jail

Periodically, audit the packages in the jail for known security vulnerabilities and update any that are affected. Do this by:

  1. opening a jail root console
  2. running pkg audit -F to fetch the latest copy of the audit database and analyze the jail's packages with it

Why doesn't running ezjail-admin update -u work?

What about running ezjail-admin update -p or ezjail-admin update -P?

If there are vulnerable packages in the jail, update the jail's ports collection and rebuild them as follows:

  1. in a host shell running as root, run portsnap -p JAIL_FILESYSTEM_ROOT/basejail/usr/ports fetch update to update the ports collection shared by all jails
  2. back in the jail root console, run make install clean in the port directory of each vulnerable package whose port has been patched (if the build fails because the old package is still installed, run make deinstall and then make reinstall)
