As you know chrooting a process is very beneficial for security as any compromise cannot have effect on the whole system. But be aware escaping from chroot is not impossible. and therefore should not be used as your only security measure on a production DNS resolver.
Chrooting Bind is simple, however there are not good HOWTOs, the good ones are all outdated.
So I made this Asciinema for “chrooting bind 9 in debian 8” (systemd)
[click on it]
Let me know of any inaccuracies or suggestions as usual :)
- UPDATE : Thanks to Behrad Eslamifar for letting me know, This debian 8 package will also do the job if you don’t want to do it manually: https://github.com/cvak/bind-chroot