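#!/usr/bin/env bash
# Run BIND9 (named) chrooted under /var/named on Debian 10 "Buster".
#
# Must be run as root on a host with the stock bind9 package (configuration
# still in /etc/bind). Steps, in order:
#   1. make named start with "-u bind -t /var/named" (drop privileges + chroot)
#   2. build the chroot tree and the device nodes named needs
#   3. move /etc/bind into the chroot and leave a symlink behind
#   4. copy /usr/share/dns (root hints / bind.keys referenced by the default
#      zone config) into the chroot
#   5. extend the AppArmor profile so the confined named may reach the chroot
#   6. give rsyslog a /dev/log socket inside the chroot
#   7. restart rsyslog first (so the socket exists), then bind9
#
# Corrections relative to the original listing:
#   - "//" is not a comment in shell: trailing "//…" text was handed to
#     mkdir/chmod/chgrp as an extra path argument, so "mkdir -p … //创建运行目录"
#     silently created a stray directory under /. If that listing was already
#     run, look for and remove such directories.
#   - "system daemon-reload" is a typo for "systemctl daemon-reload".
#   - "cp /usr/share/dns DIR/" fails without -r (the source is a directory)
#     and, with -r, would nest the copy one level too deep (DIR/dns/…).
#   - device nodes were 0660 root:root; the unprivileged "bind" user named
#     switches to cannot open nodes with that mode. 0666 is what /dev/null,
#     /dev/random and /dev/urandom have on the host anyway.
#   - rndc.key keeps the package default root:bind 0640 instead of being
#     handed to the daemon user: named reads it via group, rndc runs as root,
#     and the daemon should not own its own control key.
#   - the AppArmor rule for the chroot's /usr was "/usr/** rw"; named only
#     needs to read /usr/share/dns, so the rule is narrowed accordingly.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

[ "$(id -u)" -eq 0 ] || die "this script must be run as root"

# Chroot location. Trusted constant; it is interpolated into sed/grep below.
readonly CHROOT=/var/named

# --- 1. named start options --------------------------------------------------
# /etc/default/bind9 is the EnvironmentFile of the unit on Buster (later
# releases use /etc/default/named). Replace an existing OPTIONS line or add one.
if grep -q '^OPTIONS=' /etc/default/bind9; then
  sed -i "s|^OPTIONS=.*|OPTIONS=\"-u bind -t ${CHROOT}\"|" /etc/default/bind9
else
  printf 'OPTIONS="-u bind -t %s"\n' "$CHROOT" >> /etc/default/bind9
fi
# Not strictly required for an EnvironmentFile change (the restart at the end
# picks it up), but harmless and keeps systemd's view of the unit fresh.
systemctl daemon-reload

# --- 2. chroot tree and device nodes -----------------------------------------
mkdir -p "$CHROOT"/{etc,dev,run/named,var/cache/bind,usr/share/dns}

# Guarded so the script can be re-run; mknod fails if the node already exists.
[ -e "$CHROOT/dev/null" ]    || mknod -m 666 "$CHROOT/dev/null"    c 1 3
[ -e "$CHROOT/dev/random" ]  || mknod -m 666 "$CHROOT/dev/random"  c 1 8
[ -e "$CHROOT/dev/urandom" ] || mknod -m 666 "$CHROOT/dev/urandom" c 1 9
chmod 666 "$CHROOT/dev/null" "$CHROOT/dev/random" "$CHROOT/dev/urandom"

# --- 3. move the configuration into the chroot --------------------------------
# Skip if /etc/bind is already the symlink from a previous run.
if [ ! -L /etc/bind ]; then
  [ -d /etc/bind ] || die "/etc/bind not found; is bind9 installed?"
  mv /etc/bind "$CHROOT/etc/"
  ln -s "$CHROOT/etc/bind" /etc/bind
fi

# Control key: readable by root and the bind group only.
chown root:bind "$CHROOT/etc/bind/rndc.key"
chmod 640 "$CHROOT/etc/bind/rndc.key"

# Working directory (zone journals, managed-keys) and pid directory must be
# writable by the daemon: run/named is bind:bind, var/cache/bind root:bind.
chown bind:bind "$CHROOT/run/named"
chgrp bind "$CHROOT/var/cache/bind" "$CHROOT/run/named"
chmod 775 "$CHROOT/var/cache/bind" "$CHROOT/run/named"

# --- 4. root hints / keys referenced by the default zone config ---------------
# "src/." copies the directory contents, not the directory itself.
cp -a /usr/share/dns/. "$CHROOT/usr/share/dns/"

# --- 5. AppArmor ---------------------------------------------------------------
# Buster ships AppArmor enabled and confines named; the profile's paths are the
# real paths on the host, so the chroot prefix has to be allowed explicitly.
# local/usr.sbin.named is the drop-in the stock profile includes for additions.
readonly AA_LOCAL=/etc/apparmor.d/local/usr.sbin.named
if [ -d /etc/apparmor.d/local ]; then
  # Append only once; -F so the "**" in the marker is matched literally.
  if ! grep -qF "$CHROOT/etc/bind/** r," "$AA_LOCAL" 2>/dev/null; then
    cat >> "$AA_LOCAL" <<EOF
# named chroot under $CHROOT (added by the bind9 chroot setup script)
$CHROOT/etc/bind/** r,
$CHROOT/dev/** rw,
$CHROOT/var/** rw,
$CHROOT/run/** rw,
$CHROOT/usr/share/dns/** r,
EOF
  fi
  systemctl reload apparmor
fi

# --- 6. syslog socket inside the chroot ---------------------------------------
# named chrooted cannot reach the host's /dev/log; have rsyslog (imuxsock,
# loaded by the stock rsyslog.conf) listen on an extra socket in the chroot.
# The literal "$AddUnixListenSocket" is rsyslog's legacy directive, hence the
# single-quoted format string.
printf '$AddUnixListenSocket %s/dev/log\n' "$CHROOT" > /etc/rsyslog.d/bind-chroot.conf

# --- 7. validate, then restart -------------------------------------------------
# Check the configuration as named will see it from inside the chroot before
# taking the service down.
named-checkconf -t "$CHROOT" || die "named-checkconf failed inside $CHROOT; not restarting bind9"

# rsyslog first so the /dev/log socket exists when named starts.
systemctl restart rsyslog
systemctl restart bind9
systemctl is-active --quiet bind9 || die "bind9 did not come up; see: journalctl -u bind9"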