I'm wondering what the best way to set up a DNS server on a Solaris system is?
I do run BIND on Solaris 9, for which I've grabbed the BIND 9 packages from Blastwave, but of course NS1 and NS2 currently run in the root filesystem.
On Linux I used to chroot BIND by editing /etc/default/bind9 on a Debian-based system, thus making the chroot jail /var/lib/named.
On Solaris 10/11 the new feature of zones has been added, and I'm wondering whether, if I ran svcadm dns/server, it would obviously run in the Global or 'root' zone.
So is chrooting the best way for security here in the Global zone (which, from what I've read in various forum posts, is tedious and the legacy way to do things), or is it better to set things up in a Small-Zone with only /etc and /var available for modification?
Using the methodology described here: http://www.solarisinternals.com/wiki/index.php/Zones, running a zone is comparable to having a new instance of the OS, similar to a hypervisor sharing the system's resources but using a sub-interface on the NIC to create a new network L3 address. So although a Big-Zone will give a completely new instance of the OS, can the named service be started separately in the Small-Zone with a shared /usr but have its own PID?
Effectively meaning that if someone compromises the DNS server, their root would be the new root within the Small-Zone, similar to chrooting in that comparative sense?
If the Small-Zone should then be used, doesn't this sort of make it unnecessary to run 2 physical DNS servers as NS1 and NS2 (primary/secondary), as they can all be run from one multi-core or multi-socket system since they have their own instance of the OS and their own IP addresses?
Could someone help me out with understanding or making sense of all this? Many thanks!
Edited by: Johnny_SSH on Sep 15, 2009 1:49 PM
OK, I attempted this in a little test setup running on a laptop PC with VirtualBox and OpenSolaris.
Unfortunately I couldn't find the SMF value for BIND in the small-zone I created, so svcadm enable dns/server didn't work as it couldn't find dns/server anywhere.
In the global zone it was absolutely fine though, and it was hitting the root name servers without any issues, so in other words self-resolving.
I am not sure if I'd need a big-zone for this to work? But then that would not be as secure, as the users then have more access to resources.