Bv9ARM.7.html revision 15a44745412679c30a6d022733925af70a38b715
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML EXPERIMENTAL 970324//EN">
<!--
- Copyright (C) 2000 Internet Software Consortium.
-
- Permission to use, copy, modify, and distribute this software for any
- purpose with or without fee is hereby granted, provided that the above
- copyright notice and this permission notice appear in all copies.
-
- THE SOFTWARE IS PROVIDED "AS IS" AND INTERNET SOFTWARE CONSORTIUM
- DISCLAIMS ALL WARRANTIES WITH REGARD TO THIS SOFTWARE INCLUDING ALL
- IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL
- INTERNET SOFTWARE CONSORTIUM BE LIABLE FOR ANY SPECIAL, DIRECT,
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING
- FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT,
- NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION
- WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.7.html,v 1.9 2000/07/27 09:41:58 tale Exp $ -->
<HTML>
<HEAD>
<META NAME="GENERATOR" CONTENT="Adobe FrameMaker 5.5/HTML Export Filter">
<LINK REL="STYLESHEET" HREF="Bv9ARM.css">
<TITLE> Section 7. BIND&nbsp;9 Security Considerations</TITLE></HEAD>
<BODY BGCOLOR="#ffffff">
<OL>
<H1 CLASS="1Level">
<A NAME="pgfId=997350">
</A>
Section 7. BIND&nbsp;9 Security Considerations</H1>
</OL>
<DIV>
<OL>
<H3 CLASS="2Level">
<A NAME="pgfId=997352">
</A>
7.1 <A NAME="32222">
</A>
Access Control Lists</H3>
</OL>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997353">
</A>
Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in <CODE CLASS="Program-Process">
allow-query</CODE>
, <CODE CLASS="Program-Process">
allow-recursion</CODE>
, <CODE CLASS="Program-Process">
blackhole</CODE>
, <CODE CLASS="Program-Process">
allow-transfer</CODE>
, etc.</P>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997354">
</A>
Using ACLs allows you to have finer control over who can access your nameserver, without cluttering up your config files with huge lists of IP addresses.</P>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997355">
</A>
It is a <EM CLASS="Emphasis">
good idea</EM>
to use ACLs to control access to your server. Limiting which addresses can query your server, use it for recursion, or transfer zones from it helps reduce its exposure to spoofing and denial-of-service (DoS) attacks.</P>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997356">
</A>
Here is an example of how to properly apply ACLs:</P>
<PRE>
<CODE><STRONG>// Set up an ACL named &quot;bogusnets&quot; that will block RFC 1918 private
// space (10/8, 172.16/12, 192.168/16), which is commonly used in spoofing
// attacks, together with other ranges that should never be the source of a
// legitimate query: 0.0.0.0/8, the 192.0.2.0/24 test network, and multicast
// and reserved space (224.0.0.0/3). Do not add 1.0.0.0/8 or 2.0.0.0/8 here:
// they were unallocated when BIND 9 was released but have since been
// assigned to regional registries and carry legitimate traffic.
acl bogusnets { 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
...
...
allow-query { our-nets; };
allow-recursion { our-nets; };
...
blackhole { bogusnets; };
...
};
zone &quot;example.com&quot; {
type master;
file &quot;m/example.com&quot;;
allow-query { any; };
};
</STRONG></CODE>
</PRE>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997363">
</A>
This allows authoritative queries for <CODE CLASS="Program-Process">example.com</CODE> from any address, because the zone-level <CODE CLASS="Program-Process">allow-query</CODE> overrides the global one for that zone only; recursive queries, and queries for any other data, are answered only for the networks listed in <CODE CLASS="Program-Process">our-nets</CODE>; and queries from the networks listed in <CODE CLASS="Program-Process">bogusnets</CODE> are not answered at all, since <CODE CLASS="Program-Process">blackhole</CODE> drops them silently rather than refusing them.</P>
<P CLASS="2LevelContinued">
<A NAME="pgfId=1028031">
</A>
For more information on how to use ACLs to protect your server, see the <EM CLASS="Emphasis">
AUSCERT</EM>
advisory at<BR>
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">
ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</DIV>
<DIV>
<OL>
<H3 CLASS="2Level">
<A NAME="pgfId=997365">
</A>
7.2 <CODE CLASS="Program-Process">
chroot</CODE>
and <CODE CLASS="Program-Process">
setuid</CODE>
(for UNIX servers)</H3>
</OL>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997366">
</A>
On UNIX servers, it is possible to run BIND in a <EM CLASS="Emphasis">
chrooted</EM>
environment (<CODE CLASS="Program-Process">
chroot()</CODE>
) by specifying the &quot;<CODE CLASS="Program-Process">
-t</CODE>
&quot; option. This can help improve system security by placing BIND in a &quot;sandbox,&quot; which will limit the damage done if a server is compromised.</P>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997367">
</A>
Another useful feature in the UNIX version of BIND is the ability to run the daemon as a nonprivileged user (<CODE CLASS="Program-Process">
-u</CODE>
<EM CLASS="variable">
user</EM>
). We suggest running as a nonprivileged user when using the <CODE CLASS="Program-Process">
chroot</CODE>
feature, since a process that keeps root privileges can generally break out of a <CODE CLASS="Program-Process">chroot()</CODE> jail, and the sandbox then offers little protection on its own.</P>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997368">
</A>
Here is an example command line to load BIND in a <CODE CLASS="Program-Process">
chroot()</CODE>
sandbox, 
<CODE CLASS="Program-Process">
<STRONG>/var/named</STRONG></CODE>
, and to run <CODE CLASS="Program-Process">
<STRONG>named setuid</STRONG></CODE>
to user 202:</P>
<PRE>
<CODE><STRONG>/usr/local/bin/named -u 202 -t /var/named
</STRONG></CODE></PRE>
<DIV>
<OL>
<H4 CLASS="3Level">
<A NAME="pgfId=997370">
</A>
7.2.1 The <CODE CLASS="Program-Process">
chroot</CODE>
Environment</H4>
</OL>
<P CLASS="3LevelContinued">
<A NAME="pgfId=997371">
</A>
In order for a <CODE CLASS="Program-Process">
chroot()</CODE>
environment to work properly in a particular directory (for example, <EM CLASS="pathname">
/var/named</EM>
), you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, <EM CLASS="pathname">
/var/named</EM>
is the root of the filesystem. You will need <EM CLASS="pathname">
/dev/null</EM>
, and any library directories and files that BIND needs to run on your system. Please consult your operating system's instructions if you need help figuring out which library files you need to copy over to the <CODE CLASS="Program-Process">
chroot()</CODE>
sandbox.</P>
<P CLASS="3LevelContinued">
<A NAME="pgfId=997372">
</A>
If you are running an operating system that supports static binaries, you can also compile BIND statically and avoid the need to copy system libraries over to your <CODE CLASS="Program-Process">
chroot()</CODE>
sandbox.</P>
</DIV>
<DIV>
<OL>
<H4 CLASS="3Level">
<A NAME="pgfId=997373">
</A>
7.2.2 Using the <CODE CLASS="Program-Process">
setuid</CODE>
Function </H4>
</OL>
<P CLASS="3LevelContinued">
<A NAME="pgfId=997374">
</A>
Prior to running the <CODE CLASS="Program-Process">
named</CODE>
daemon, create the files to which you want BIND to write (for example with the <CODE CLASS="Program-Process">
touch</CODE>
utility) and use the <CODE CLASS="Program-Process">
chown</CODE>
utility to set their user id and/or group id to the nonprivileged user that <CODE CLASS="Program-Process">named</CODE> will run as. Once it has dropped its privileges, <CODE CLASS="Program-Process">named</CODE> can write only to files that user owns or that are otherwise writable by it, so leave the configuration file and the master zone files owned by root and not writable by that user.</P>
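<P CLASS="3LevelContinued">
The following shell script is an added example, not part of the BIND manual or the BIND distribution; it carries out the steps of sections 7.2.1 and 7.2.2 in one place: it lays out the skeleton of a <CODE CLASS="Program-Process">chroot()</CODE> jail, creates the device nodes inside it, copies the shared libraries that <CODE CLASS="Program-Process">ldd</CODE> reports for a dynamically linked <CODE CLASS="Program-Process">named</CODE>, and pre-creates and <CODE CLASS="Program-Process">chown</CODE>s the files the nonprivileged user must write. The jail directory <EM CLASS="pathname">/var/named</EM>, the user id 202 and the binary path are taken from the manual's command line; the device major/minor numbers are Linux's and the pid-file location inside the jail is an assumption.</P>

```shell
#!/bin/sh
# Added example (not from the BIND ARM or the BIND distribution): build a
# minimal chroot() jail for named and hand the files it must write to the
# unprivileged user, following sections 7.2.1 and 7.2.2.
# Assumptions: jail /var/named and user 202 as in the manual's command line;
# Linux device major/minor numbers (check mknod(8) on other systems); the pid
# file lives in var/run inside the jail.

# Print the absolute library paths from ldd(1) output read on stdin.  Handles
# "libc.so.6 => /lib/libc.so.6 (0x...)" and the bare loader line
# "/lib/ld.so (0x...)"; skips virtual entries such as linux-vdso.so.1,
# "=> not found" entries, and the "statically linked" message (a statically
# linked named, as 7.2.1 suggests, needs no libraries copied at all).
ldd_paths() {
    awk '/statically linked/ { next }
         /=>/ { if ($3 ~ /^\//) print $3; next }
         $1 ~ /^\// { print $1 }'
}

# Create the directory skeleton.  From named's point of view ROOT is "/", so
# named.conf goes in ROOT/etc and the master files in ROOT/m, matching the
# file "m/example.com" in the section 7.1 example.
make_skeleton() {
    mkdir -p "$1/dev" "$1/etc" "$1/var/run" "$1/m"
}

# Create the device nodes named needs inside the jail: /dev/null, and
# /dev/random, which BIND 9 reads for entropy (the random-device option).
# Needs root.
make_devices() {
    [ -c "$1/dev/null" ]   || { mknod "$1/dev/null" c 1 3 && chmod 666 "$1/dev/null"; }
    [ -c "$1/dev/random" ] || { mknod "$1/dev/random" c 1 8 && chmod 444 "$1/dev/random"; }
}

# Copy the shared libraries a dynamically linked named needs into the jail,
# preserving their paths.
copy_libraries() {
    root=$1
    ldd "$2" | ldd_paths | while read -r lib; do
        mkdir -p "$root$(dirname "$lib")"
        cp -p "$lib" "$root$lib"
    done
}

# Pre-create the files named must write and chown them to the unprivileged
# user (7.2.2).  Everything else in the jail stays owned by root and not
# writable by that user, so a compromised named cannot rewrite its own
# configuration or master zone data.
make_writable() {
    user=$1; shift
    for f in "$@"; do
        touch "$f"
        chown "$user" "$f"
        chmod 644 "$f"
    done
}

# Usage (as root): sh build-jail.sh /var/named /usr/local/bin/named 202
# then start the server with:  /usr/local/bin/named -u 202 -t /var/named
if [ $# -eq 3 ]; then
    make_skeleton "$1"
    make_devices "$1"
    copy_libraries "$1" "$2"
    chown "$3" "$1/var/run"          # named also removes its pid file on exit
    make_writable "$3" "$1/var/run/named.pid"
    echo "jail $1 ready; start with: $2 -u $3 -t $1"
fi
```

<P CLASS="3LevelContinued">
Run the script once as root, then start <CODE CLASS="Program-Process">named</CODE> with the command line shown above. If <CODE CLASS="Program-Process">named</CODE> is built statically, as 7.2.1 suggests, <CODE CLASS="Program-Process">ldd</CODE> reports no libraries and the jail holds only the configuration, the zone files and the two device nodes, which is the smallest attack surface the sandbox can have.</P>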
</DIV>
</DIV>
<DIV>
<OL>
<H3 CLASS="2Level">
<A NAME="pgfId=997375">
</A>
7.3 Dynamic Updates</H3>
</OL>
<P CLASS="2LevelContinued">
<A NAME="pgfId=997376">
</A>
Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update, which is easily spoofed. BIND&nbsp;9 also supports authenticating updates cryptographically by means of transaction signatures (TSIG). The use of TSIG is strongly recommended.</P>
<P CLASS="2LevelContinued">
<A NAME="pgfId=1006806">
</A>
Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all.</P>
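<P CLASS="2LevelContinued">
The following shell script is an added example, not part of the BIND manual or the BIND distribution, that puts the two recommendations above together: it generates a TSIG secret and writes the <CODE CLASS="Program-Process">key</CODE> statement, a pair of zone statements in which only the delegated subdomain accepts updates, and only when they are signed with that key, and an <CODE CLASS="Program-Process">nsupdate</CODE> script that sends such an update. The key name <CODE CLASS="Program-Process">dhcp-update</CODE>, the zone <CODE CLASS="Program-Process">dyn.example.com</CODE>, the server address 192.0.2.53 and the record being added are illustrative; the secret is drawn from <EM CLASS="pathname">/dev/urandom</EM> rather than with BIND's own key generation tools so that the script runs anywhere.</P>

```shell
#!/bin/sh
# Added example (not from the BIND ARM or the BIND distribution): generate a
# TSIG key and emit the named.conf fragments and nsupdate script that use it.
# Illustrative names throughout: key "dhcp-update", dynamic zone
# dyn.example.com under a static parent example.com, server 192.0.2.53.

# Print a base64 TSIG secret of N random bytes (default 32) from the kernel
# RNG.  BIND has its own generators (dnssec-keygen in 9.0, tsig-keygen in
# later releases); /dev/urandom is used here so the example runs anywhere.
tsig_secret() {
    head -c "${1:-32}" /dev/urandom | base64 | tr -d '\n'
}

# Print a named.conf key statement.  BIND 9.0, which this manual describes,
# supported only hmac-md5; any current server should use hmac-sha256.
key_statement() {
    printf 'key "%s" {\n    algorithm hmac-sha256;\n    secret "%s";\n};\n' "$1" "$2"
}

# Print the zone statements.  The parent zone has no allow-update at all, so
# its critical records (web and mail server addresses) cannot be changed
# remotely; the delegated subdomain accepts updates only when signed with
# the key, not on the strength of the requester's (spoofable) IP address.
zone_statements() {
    cat <<EOF
zone "example.com" {
    type master;
    file "m/example.com";
};
zone "dyn.example.com" {
    type master;
    file "m/dyn.example.com";
    allow-update { key "$1"; };
};
EOF
}

# Print an nsupdate script that adds one A record to the dynamic zone.
nsupdate_script() {
    cat <<EOF
server $1
zone dyn.example.com.
update add host1.dyn.example.com. 300 A 192.0.2.10
send
EOF
}

# Usage: sh tsig-setup.sh OUTDIR
# Writes OUTDIR/dhcp-update.key (the shared secret, mode 600), OUTDIR/named.conf.tsig
# and OUTDIR/update.txt; the updating host then runs
#   nsupdate -k OUTDIR/dhcp-update.key OUTDIR/update.txt
if [ $# -eq 1 ]; then
    secret=$(tsig_secret 32)
    ( umask 077; key_statement dhcp-update "$secret" > "$1/dhcp-update.key" )
    zone_statements dhcp-update > "$1/named.conf.tsig"
    nsupdate_script 192.0.2.53 > "$1/update.txt"
    echo "wrote $1/dhcp-update.key (mode 600), $1/named.conf.tsig, $1/update.txt"
fi
```

<P CLASS="2LevelContinued">
The key file is the shared secret and is needed on both ends: pull it into <CODE CLASS="Program-Process">named.conf</CODE> on the server with an <CODE CLASS="Program-Process">include</CODE> statement and copy it, mode 600, to the host that runs <CODE CLASS="Program-Process">nsupdate</CODE>. Because <CODE CLASS="Program-Process">example.com</CODE> itself has no <CODE CLASS="Program-Process">allow-update</CODE> statement, an update aimed at the parent zone is refused regardless of key or source address.</P>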
</DIV>
<HR ALIGN="center">
<p>Return to <A href="Bv9ARM.html">BIND 9 Administrator Reference Manual</A> table of contents.</p>
</BODY>
</HTML>