Running BIND as a Non-Root User

It's often a good idea to run as little as possible as root, and daemons like BIND are no exception. If you want to be really secure, you should run BIND in a chroot environment, but that's a bit more complicated.

In theory, all you have to do to run BIND as a non-root user is feed it -u and -g switches. In practice, you have to do a bit more.

First of all, you have to make sure that BIND can write to any zone files it needs to (e.g., if your DNS is a slave) in /etc/namedb or /var/named. It also needs to be able to write to its pidfile and the ndc socket. By default, these are located in /var/run. If you don't want to allow the BIND user to write to this location, you can use option directives like pid-file to put it somewhere else.

Finally, make sure that you create a separate user for BIND to run as; don't just reuse something like nobody. Assuming that you created a user and a group called named, you would launch BIND with the command "named -u named -g named". This goes in the script you use to launch BIND (probably /etc/rc.d/init.d/named on most systems).

NOTE: I realise that these instructions are not exactly step-by-step. It is assumed that you have some basic familiarity with UNIX system administration, particularly things like permissions (e.g., chmod) and ownership (chown). I plan to write a more detailed set of instructions, which will also cover chrooting BIND, in the near future.