BIND 8.1.2 and later include an option that allows you to chroot( ) the name server: to change its view of the filesystem so that its root directory is actually a particular directory on your host's filesystem. This effectively traps your name server in this directory, along with any attackers who successfully compromise your name server's security.

1. Install and configure Bind 9.x
2. Create dev, etc, lib, usr, and var subdirectories for the chroot environment. Within usr, create an sbin subdirectory. Within var, create subdirectories named named and run.
• cd /var/named
• mkdir -p dev etc var/named var/run
3. Setup permissions and touch the pid file
• chown -R named:named var/run
• touch var/run/named.pid
4. Copy named.conf into the chroot
• cp /etc/named.conf etc
5. Move the database files into the chroot
• mv pz var/named
6. Create dev/null in the chroot
• mknod dev/null c 1 3
7. Create dev/random in the chroot
• mknod dev/random c 1 8
8. Configure syslog to receive the log entries from the chroot
• vi /etc/rc.d/syslog
• change /sbin/syslogd to /sbin/syslogd -a /var/named/dev/log
9. Restart syslog to have it notice the change. When syslogd restarts next, it will create /var/named/dev/log, and named will log to it.
• /etc/rc.d/syslog stop && /etc/rc.d/syslog start
10. Finally, edit your startup files to start named with the -t option
• vi /etc/rc.d/named
• change /usr/sbin/named -u named to /usr/sbin/named -u named -t /var/named