Bind

Bind doesn't have a great security record, and worse it runs as root by default on most systems (I think newer Redhat Distributions have fixed this). If you read the file INSTALL that comes with it the changes you need to make are described, but roughly speaking they are:

• Add -u username -g groupname the the scripts that start bind (named). This is /etc/rc.d/init.d/named on RedHat.
• chown the /var/named directory and subdirectories to the user/group specified.
• chown the logfiles that named logs to (this is not normally needed since it normally logs via 'syslog'.
• This will break the `ndc' program, you can get it to do a reload with "/usr/sbin/ndc -p /var/run/named.pid reload", but "restart" will cause the new server to run as root again.

Another possibility is to run named in a `chroot' environment so that it does not have access to your normal filesystem (this really needs to be combined with not running it as root). I'm not going to describe how to do that here.

You should be running at least BIND 8.2.2 patchlevel 3