Here's how I set up a BIND nameserver to run in a FreeBSD jail in December, 2016.

Read Some Good Documentation

Web pages that helped me include:

Choose Initial Configuration

Here are the items for which to choose appropriate values prior to setting up the jail:

Set Up Host Computer

Add Another Loopback Interface

First, edit /etc/rc.conf by creating the following line:

cloned_interfaces="JAIL_LOOPBACK_INTERFACE_NAME"

or by adding your JAIL_LOOPBACK_INTERFACE_NAME value to that line if a line for this property already exists.

Then, run service netif cloneup

Enable ezjail

Add the following line to /etc/rc.conf to ensure that ezjail service starts at boot time:

ezjail_enable="YES"

Then, run service ezjail start to start the service now.

Install ezjail

If you want the root of the jails system to be other than the default of /usr/jails, create/edit /usr/local/etc/ezjail.conf and modify the ezjail_jaildir setting to JAIL_FILESYSTEM_ROOT.

If you haven't yet set up the JAIL_FILESYSTEM_ROOT because you want it to exist on a different partition, do so now. You also have the alternative of accepting the default and mounting a partition there, so that the jails you install won't use up too much of the partition on which /usr resides.

Run ezjail-admin install -p. The -p adds the ports directory to the base jail, so you can build the software you need within the jail.

Create DNS Jail

Run ezjail-admin create JAIL_NAME 'JAIL_LOOPBACK_INTERFACE_NAME|JAIL_LOOPBACK_ADDRESS,JAIL_NETWORK_INTERFACE_NAME|JAIL_IP'.

When creating, ezjail-admin will generate warnings about servers on the host that are listening on 0.0.0.0 or otherwise listening to the new localhost and external IP for jail. You should reconfigure those and any other servers running on the host that would listen on the jail's IP.

Configure DNS Jail

edit /usr/local/etc/ezjail/JAIL_NAME and change the jail_JAIL_NAME_hostname setting to JAIL_HOST_NAME.

Start the Jail

Start the jail by running ezjail-admin start JAIL_NAME. You'll see messages like the following:

Set Up Jail

Start Jail Console

Start a root console for the jail by running ezjail-admin console JAIL_NAME.

Configure Jail Machine

Here's how to configure the jail in general:

  1. set the root password you selected earlier by running passwd
  2. configure the time zone by running tzsetup
  3. remove or comment out the adjkerntz entry in /etc/crontab by running sed -i .bak -e '/adjkerntz/ s/^/#/' /etc/crontab, or just edit the /etc/crontab file to comment out the adjkerntz entry
  4. set upstream remote DNS servers by editing /etc/resolv.conf - add nameserver IPAddress lines
  5. edit /etc/hosts as follows:

::1 localhost JAIL_HOST_NAME.(optional domain name) JAIL_HOST_NAME

JAIL_LOOPBACK_ADDRESS localhost JAIL_HOST_NAME.(optional domain name) JAIL_HOST_NAME

Install/Configure BIND 9.9 (or whatever version is current when you read this)

Install BIND 9.0 by running make -C /usr/ports/dns/bind99 install clean.

This build will build the following dependencies:

  1. libxml2-2.9.4
  2. gmake-4.2.1_1
  3. gettext-tools-0.19.8.1
  4. gettext-runtime-0.19.8.1_1
  5. indexinfo-0.2.6
  6. pkgconf-1.0.2
  7. idnkit-1.0_6
  8. libedit-3.1.20150325_2,1

Next, edit /usr/local/etc/namedb/named.conf.

Next, edit /etc/rc.conf (you may need to create it) by adding the line:

add named_enable="YES"

Next, start the name server by running service named start.

Test the name server by running /usr/local/bin/dig @JAIL_IP freebsd.org.

Complete Set Up of Host Computer

Have Host Computer use Jailed BIND Server

Start having the host computer resolve using the jailed BIND server by editing /etc/resolv.conf to change the nameserver entry to JAIL_IP.

Then, test name resolution on the host computer.

Complete Set Up of Jail

Enable Logging of namedb Queries

If you want to see logs of your jailed namedb daemon, in the root console for the jail, do the following:

  1. run rndc querylog on
  2. edit /etc/syslog.conf to include daemon.* in the list of what goes to /var/log/messages
  3. run rndc reload
  4. test by running nslookup somedomain JAIL_IP

Maintaining Software Packages within Jail

Periodically, one must audit the packages in the jail to ensure that they do not contain security vulnerabilities, updating them if so. Do this by:

  1. opening a jail root console
  2. running pkg audit -F to fetch the latest copy of the audit database and analyze the jail's packages with it

If there are vulnerable packages in the jail, update the jail's ports collection as follows:

  1. in a host shell running as root, run portsnap -p JAIL_FILESYSTEM_ROOT/basejail/usr/ports fetch update to update the ports collection common to all jails
  2. back in the jail root console, run the make install clean command for each of the vulnerable patched packages (may need to run make deinstall then make reinstall if the build fails because of an existing package)

Back to FreeBSD main page