Securing DNS Operation (2/2)

Discard unnecessary privileges
  - chroot, setuid
  - Minimize the damage if the server is (unfortunately) cracked
  - BIND9 command line options
      -t dir: chroot
      -u UID: running user

Set up a chroot environment for BIND9
  - working directory
  - "etc" subdirectory containing named.conf and localtime
  - "var/run" subdirectory for the PID file
  - "dev" subdirectory for log, random, null
  - named.conf options for chroot
      directory, pid-file, dump-file, statistics-file
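
An added example, not part of the original slides: a POSIX shell check that the tree given to named -t holds the items listed above and that the four named.conf paths resolve inside it. The function name audit_named_chroot and the rule that relative paths are taken against "directory" are assumptions of this example.

```sh
#!/bin/sh
# Audit a BIND9 chroot tree (the directory given to "named -t").
# Prints one line per missing item; returns 0 only if nothing is missing.
audit_named_chroot() {
    root=$1
    problems=0
    miss() { echo "MISSING: $1"; problems=$((problems + 1)); }

    [ -f "$root/etc/named.conf" ] || miss "etc/named.conf"
    [ -e "$root/etc/localtime" ]  || miss "etc/localtime"
    [ -d "$root/var/run" ]        || miss "var/run (PID file directory)"
    [ -c "$root/dev/null" ]       || miss "dev/null (character device)"
    [ -c "$root/dev/random" ]     || miss "dev/random (character device)"
    [ -S "$root/dev/log" ]        || miss "dev/log (syslog socket)"

    # named reads these paths after chroot(), so each must exist under $root.
    conf="$root/etc/named.conf"
    workdir=""
    for opt in directory pid-file dump-file statistics-file; do
        [ -f "$conf" ] || break
        path=$(sed -n "s/^[[:space:]]*$opt[[:space:]]*\"\([^\"]*\)\".*/\1/p" \
            "$conf" | head -n 1)
        [ -n "$path" ] || continue
        # Assumption: a relative path is resolved against "directory".
        case $path in /*) ;; *) path="$workdir/$path" ;; esac
        if [ "$opt" = directory ]; then
            workdir=$path
            [ -d "$root$path" ] || miss "directory $path"
        else
            [ -d "$root$(dirname "$path")" ] || miss "parent dir of $opt $path"
        fi
    done
    [ "$problems" -eq 0 ]
}

# Usage: sh audit.sh /path/to/chroot
if [ $# -gt 0 ]; then audit_named_chroot "$1"; fi
```

The dev/log socket only exists while the syslog daemon is configured to listen inside the chroot, so run the check on a live system rather than a freshly unpacked tree.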