August 23rd, 2009, 04:38 PM
After a post I was trying to help out a couple of weeks ago, my interests were spired in setting up a DNS server (again).

Found an interesting guild on how to setup an over all server. Decided to actually implement the section on the DNS server on a virtual machine just to give it a go and well this is what ensued.

Following code segments are from the guide

apt-get install bind9

##For security reasons we want to run BIND chrooted so we have to do the
##following steps:
/etc/init.d/bind9 stop

##Edit the file /etc/default/bind9 so that the daemon will run as the unprivileged
##user bind, chrooted to /var/lib/named. Modify the line: OPTIONS="-u bind" so
##that it reads OPTIONS="-u bind -t /var/lib/named":
vi /etc/default/bind9

##Create the necessary directories under /var/lib:
mkdir -p /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir -p /var/lib/named/var/cache/bind
mkdir -p /var/lib/named/var/run/bind/run

##Then move the config directory from /etc to /var/lib/named/etc:
mv /etc/bind /var/lib/named/etc

##Create a symlink to the new config directory from the old location (to avoid
##problems when bind gets updated in the future)
ln -s /var/lib/named/etc/bind /etc/bind

##Make null and random devices, and fix permissions of the directories:
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/null /var/lib/named/dev/random
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind

##Start up BIND, and check /var/log/syslog for errors:
/etc/init.d/bind9 start
PS: I love how they put that second to last line in, because there was an error.

Ok, so everything went perfectly without a hitch until the last step with restarting.
Won't restart, I check the log and it says I don't have permission to do this action, although I am doing it as root.

Aug 23 10:42:49 user-VM named[3116]: starting BIND 9.5.1-P2 -u bind -t /var/lib/na$
Aug 23 10:42:49 user-VM named[3116]: found 1 CPU, using 1 worker thread
Aug 23 10:42:49 user-VM named[3116]: using up to 4096 sockets
Aug 23 10:42:49 user-VM named[3116]: loading configuration from '/etc/bind/named.conf'
Aug 23 10:42:49 user-VM named[3116]: none:0: open: /etc/bind/named.conf: permission denied
Aug 23 10:42:49 user-VM named[3116]: loading configuration: permission denied
Aug 23 10:42:49 user-VM named[3116]: exiting (due to fatal error)

So I do a "ls -la /etc/bind/named.conf" and it says it belongs to "bind:bind".I go to the user and group management window to try a quick fix, I added myself and root to the "bind" group, nadda, no good still won't work. Tried "su bind" but seems there is a password ???.

So my question, after all this, how do I get this bad boy working and what went wrong, or over looked. And is there a better way.

August 25th, 2009, 01:29 PM
August 29th, 2009, 01:29 PM
I'm in no way a linux guru but I have been working with bind9 as well. Have you tried to put the "bind" user in the "root" group just to see if that would work?

August 29th, 2009, 01:33 PM
I was searching Bind9 related problems in the ubuntuforums and i found this thread: http://ubuntuforums.org/showthread.php?t=1131636&highlight=Bind9 it seems like he had the same problem as you did and seems like he also used the same how-to as you did but he found a way to fix the problem. You may want to take a look at it and see if his methods will work for your situation as well.

August 29th, 2009, 07:56 PM
August 30th, 2009, 06:13 PM
Hey I was working with Bind9 prior to your post and was having problems with it as well but today I finally got things sorted out. Heres a link to my thread if you want to take a look at it. Maybe it'll help you setup your DNS server.



September 1st, 2009, 03:43 AM
OK, for this problem as it is posted, the problem was resolved by disabling/removing AppArmor application.

Thx for the help, I see I now I got to do a lot reading to figure out how to get everything working as it should.

September 14th, 2009, 08:28 PM
Check out this thread:


There is a Bind9 profile setting for Apparmor. See the #9 post for a fix. This applies to Hardy but I think it may help here.

I hope this helps, I was about to install Bind9 and do this too.


September 15th, 2009, 01:28 PM
September 19th, 2009, 09:26 PM
I installed Bind9 and did not chroot it like the above instructions. I have it set up as a caching nameserver for now and it is working.

I wonder if chrooting bind is still needed when it is running under Apparmor...