<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<!--
 - Copyright (C) 2000-2018 Internet Systems Consortium, Inc. ("ISC")
 -
 - This Source Code Form is subject to the terms of the Mozilla Public
 - License, v. 2.0. If a copy of the MPL was not distributed with this
 - file, You can obtain one at http://mozilla.org/MPL/2.0/.
-->
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="chapter">
<div class="titlepage"><div><div><h1 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl class="toc">
<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>

<div class="section">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>

<p>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in
<span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
<span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
<span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
<span class="command"><strong>match-clients</strong></span>, etc.
</p>
<p>
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
</p>
<p>
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial of service
(DoS) attacks against your server.
</p>
<p>
ACLs match clients on the basis of up to three characteristics:
1) the client's IP address; 2) the TSIG or SIG(0) key that was
used to sign the request, if any; and 3) an address prefix
encoded in an EDNS Client Subnet option, if any.
</p>
<p>
Here is an example of ACLs based on client addresses:
</p>

<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  ...
  blackhole { bogusnets; };
  ...
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</pre>

<p>
This allows authoritative queries for "example.com" from any
address, but recursive queries only from the networks specified
in "our-nets", and no queries at all from the networks
specified in "bogusnets".
</p>
<p>
In addition to network addresses and prefixes, which are
matched against the source address of the DNS request, ACLs
may include <code class="option">key</code> elements, which specify the
name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
elements, which specify a network prefix but are only matched
if that prefix matches an EDNS client subnet option included
in the request.
</p>
<p>
The EDNS Client Subnet (ECS) option is used by a recursive
resolver to inform an authoritative name server of the network
address block from which the original query was received, enabling
authoritative servers to give different answers to the same
resolver for different resolver clients. An ACL containing
an element of the form
<span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
will match if a request arrives containing an ECS option
encoding an address within that prefix. If the request has no
ECS option, then "ecs" elements are simply ignored. Addresses
in ACLs that are not prefixed with "ecs" are matched only
against the source address.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
The authoritative ECS implementation in
<span class="command"><strong>named</strong></span> is based on an early version of the
specification, and is known to have incompatibilities with
other implementations. It is also inefficient, requiring
a separate view for each client subnet to be sent different
answers, and it is unable to correct for overlapping subnets in
the configuration. It can be used for testing purposes, but is
not recommended for production use.
</p>
</div>
<p>
When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
ACLs can also be used for geographic access restrictions.
This is done by specifying an ACL element of the form:
<span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
</p>
<p>
The <em class="replaceable"><code>field</code></em> indicates which field
to search for a match. Available fields are "country",
"region", "city", "continent", "postal" (postal code),
"metro" (metro code), "area" (area code), "tz" (timezone),
"isp", "org", "asnum", "domain" and "netspeed".
</p>
<p>
<em class="replaceable"><code>value</code></em> is the value to search
for within the database. A string may be quoted if it
contains spaces or other special characters. If this is
an "asnum" search, then the leading "ASNNNN" string can be
used, otherwise the full description must be used (e.g.
"ASNNNN Example Company Name"). If this is a "country"
search and the string is two characters long, then it must
be a standard ISO-3166-1 two-letter country code, and if it
is three characters long then it must be an ISO-3166-1
three-letter country code; otherwise it is the full name
of the country. Similarly, if this is a "region" search
and the string is two characters long, then it must be a
standard two-letter state or province abbreviation;
otherwise it is the full name of the state or province.
</p>
<p>
The <em class="replaceable"><code>database</code></em> field indicates which
GeoIP database to search for a match. In most cases this is
unnecessary, because most search fields can only be found in
a single database. However, searches for country can be
answered from the "city", "region", or "country" databases,
and searches for region (i.e., state or province) can be
answered from the "city" or "region" databases. For these
search types, specifying a <em class="replaceable"><code>database</code></em>
will force the query to be answered from that database and no
other. If <em class="replaceable"><code>database</code></em> is not
specified, then these queries will be answered from the "city"
database if it is installed, or the "region" database if it is
installed, or the "country" database, in that order.
</p>
<p>
By default, if a DNS query includes an EDNS Client Subnet (ECS)
option which encodes a non-zero address prefix, then GeoIP ACLs
will be matched against that address prefix. Otherwise, they
are matched against the source address of the query. To
prevent GeoIP ACLs from matching against ECS options, set
the <span class="command"><strong>geoip-use-ecs</strong></span> option to <code class="literal">no</code>.
</p>
<p>
Some example GeoIP ACLs:
</p>
<pre class="programlisting">geoip country US;
geoip country JPN;
geoip db country country Canada;
geoip db region region WA;
geoip city "San Francisco";
geoip region Oklahoma;
geoip postal 95062;
geoip tz "America/Los_Angeles";
geoip org "Internet Systems Consortium";
</pre>

<p>
ACLs use a "first-match" logic rather than "best-match":
if an address prefix matches an ACL element, then that ACL
is considered to have matched even if a later element would
have matched more specifically. For example, the ACL
<span class="command"><strong>{ 10/8; !10.0.0.1; }</strong></span> would actually
match a query from 10.0.0.1, because the first element
indicated that the query should be accepted, and the second
element is ignored.
</p>
<p>
When using "nested" ACLs (that is, ACLs included or referenced
within other ACLs), a negative match of a nested ACL will
cause the containing ACL to continue looking for matches. This
enables complex ACLs to be constructed, in which multiple
client characteristics can be checked at the same time. For
example, to construct an ACL which allows queries only when
they originate from a particular network <span class="emphasis"><em>and</em></span>
only when they are signed with a particular key, use:
</p>
<pre class="programlisting">
allow-query { !{ !10/8; any; }; key example; };
</pre>
<p>
Within the nested ACL, any address that is
<span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
be rejected, and this will terminate processing of the
ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
network prefix will be accepted, but this causes a negative
match of the nested ACL, so the containing ACL continues
processing. The query will then be accepted if it is signed
by the key "example", and rejected otherwise. The ACL, then,
will only match when <span class="emphasis"><em>both</em></span> conditions
are true.
</p>
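<p>
The following Python model is added here and is not part of BIND or of this manual: it implements the address-match-list rules just described (first-match, "!" negation, nested ACLs whose negative match lets the containing ACL continue, key and ecs elements) and evaluates the bogusnets/our-nets configuration and the two ACLs above against sample requests. The prefixes in OUR_NETS and the request addresses are constructed stand-ins for the x.x.x.x placeholders.
</p>

```python
"""
Model of BIND 9 address-match-list evaluation: first-match, "!" negation,
nested ACLs, key elements and ecs elements.  Constructed illustration of the
documented rules, not BIND's own code.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Element encoding used by this example (named.conf form in comments):
#   "10/8", "192.0.2.0/24"   address prefix, matched against the source address
#   "any" / "none"           match everything / match nothing
#   ("key", "example")       key example;  request signed with that TSIG/SIG(0) key
#   ("ecs", "192.0.2.0/24")  ecs 192.0.2.0/24;  matched only against an ECS option
#   ("not", element)         !element
#   [element, ...]           { element; ... }  a nested ACL


@dataclass
class Request:
    source: str                 # source address of the DNS request
    key: Optional[str] = None   # name of the key that signed it, if any
    ecs: Optional[str] = None   # prefix carried in an EDNS Client Subnet option, if any


def parse_prefix(text: str):
    """Accept BIND's short forms: "10/8" is 10.0.0.0/8, "10.0.0.1" is a /32."""
    addr, _, length = text.partition("/")
    if ":" not in addr:
        parts = addr.split(".")
        addr = ".".join(parts + ["0"] * (4 - len(parts)))
    if not length:
        length = "128" if ":" in addr else "32"
    return ipaddress.ip_network(f"{addr}/{length}", strict=False)


def element_matches(element, req: Request) -> bool:
    """Does one (already un-negated) element match the request?"""
    if isinstance(element, list):
        # Nested ACL: only a positive match counts.  A negative match of the
        # nested ACL is treated as "no match", so the containing ACL continues.
        return acl_match(element, req) > 0
    if element == "any":
        return True
    if element == "none":
        return False
    if isinstance(element, tuple):
        kind, value = element
        if kind == "key":
            return req.key == value
        if kind == "ecs":
            if req.ecs is None:          # no ECS option: ecs elements are ignored
                return False
            prefix, ecs = parse_prefix(value), parse_prefix(req.ecs)
            return (ecs.version == prefix.version
                    and ecs.prefixlen >= prefix.prefixlen
                    and ecs.network_address in prefix)
        raise ValueError(f"unknown element kind {kind!r}")
    # Plain prefix: matched against the source address only, never against ECS.
    prefix = parse_prefix(element)
    source = ipaddress.ip_address(req.source)
    return source.version == prefix.version and source in prefix


def acl_match(acl: list, req: Request) -> int:
    """First-match: the 1-based index of the first matching element, negative
    if that element was written with "!", or 0 when nothing matched."""
    for index, element in enumerate(acl, start=1):
        negated = isinstance(element, tuple) and element[0] == "not"
        inner = element[1] if negated else element
        if element_matches(inner, req):
            return -index if negated else index
    return 0


def allowed(acl: list, req: Request) -> bool:
    """allow-* directives accept a request only on a positive match."""
    return acl_match(acl, req) > 0


# The ACLs discussed in the text, in the encoding above.
FIRST_MATCH = ["10/8", ("not", "10.0.0.1")]                        # { 10/8; !10.0.0.1; }
NESTED = [("not", [("not", "10/8"), "any"]), ("key", "example")]   # { !{ !10/8; any; }; key example; }
ECS_ONLY = [("ecs", "192.0.2.0/24")]                                # { ecs 192.0.2.0/24; }
BOGUSNETS = ["0.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
             "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
OUR_NETS = ["198.51.100.0/24", "203.0.113.0/24"]   # constructed stand-ins for x.x.x.x


def decide_query(req: Request) -> str:
    """options { allow-query { our-nets; }; blackhole { bogusnets; }; } from the text."""
    if allowed(BOGUSNETS, req):
        return "dropped (blackhole)"
    if allowed(OUR_NETS, req):
        return "answered"
    return "refused"


if __name__ == "__main__":
    print(acl_match(FIRST_MATCH, Request("10.0.0.1")))             # 1: first element wins
    print(acl_match(NESTED, Request("10.1.2.3", key="example")))    # 2: in 10/8 and signed
    print(acl_match(NESTED, Request("10.1.2.3")))                   # 0: in 10/8 but unsigned
    print(acl_match(NESTED, Request("192.0.2.1", key="example")))   # -1: outside 10/8, rejected
    print(decide_query(Request("10.0.0.1")), decide_query(Request("198.51.100.7")))
```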
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
4abdfc917e6635a7c81d1f931a0c79227e72d025Mark Andrews</h2></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater in a <span class="emphasis"><em>chrooted</em></span> environment (using
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the <span class="command"><strong>chroot()</strong></span> function) by specifying
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater This can help improve system security by placing
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater the damage done if a server is compromised.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein user 202:
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
9c6a5d1f22f972232d7a9fd5c5fa64f10bacbdffAutomatic Updater <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt In order for a <span class="command"><strong>chroot</strong></span> environment
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User to work properly in a particular directory (for example,
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User <code class="filename">/var/named</code>), you will need to set
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User up an environment that includes everything
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User <acronym class="acronym">BIND</acronym> needs to run. From
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User <acronym class="acronym">BIND</acronym>'s point of view,
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User <code class="filename">/var/named</code> is the root of the
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User filesystem. You will need to adjust the values of
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User options like <span class="command"><strong>directory</strong></span> and
56bd026e6c96482dccab83778bf8f9c92c36bf11Tinderbox User <span class="command"><strong>pid-file</strong></span> to account for this.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews Unlike with earlier versions of BIND, you typically will
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein statically nor install shared libraries under the new root.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein However, depending on your operating system, you may need
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to set up things like
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/dev/zero</code>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/dev/random</code>,
47012ae6dbf18a2503d7b33c1c9583dc38625cb7Mark Andrews <code class="filename">/dev/log</code>, and
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <code class="filename">/etc/localtime</code>.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Prior to running the <span class="command"><strong>named</strong></span> daemon,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein use
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt the <span class="command"><strong>touch</strong></span> utility (to change file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein access and
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt modification times) or the <span class="command"><strong>chown</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein utility (to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein set the user id and/or group id) on files
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews to which you want <acronym class="acronym">BIND</acronym>
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews to write.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
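<p>
 The chroot device list above and the <span class="command"><strong>touch</strong></span>/<span class="command"><strong>chown</strong></span> step just described are easy to get wrong by hand, so here is a small pre-flight audit as an added example (it is not part of the ARM or of the BIND distribution): it creates the writable files and hands them to the service user, verifies that the listed device and configuration entries exist under the new root, and verifies ownership of the files <span class="command"><strong>named</strong></span> must write. The root directory, the user, and the file paths are assumptions passed in by the caller.
 </p>

```sh
#!/bin/sh
# Added example, not from the BIND ARM or the BIND source.
# Functions are POSIX sh; paths and the service user are caller-supplied.

# check_chroot_devices ROOT
# Returns 0 when every entry the ARM lists exists under ROOT, 1 otherwise.
# Each missing path is reported on stderr. Creating the device nodes
# themselves (mknod) needs root and is OS-specific, so it is not done here.
check_chroot_devices() {
    root=$1
    missing=0
    for p in /dev/zero /dev/random /dev/log /etc/localtime; do
        if [ ! -e "$root$p" ]; then
            echo "missing in chroot: $root$p" >&2
            missing=1
        fi
    done
    return $missing
}

# prepare_writable USER FILE...
# Mirrors the ARM's advice: create each file with touch and give it to the
# unprivileged service user with chown, so named can write it after setuid.
prepare_writable() {
    user=$1; shift
    for f in "$@"; do
        mkdir -p "$(dirname "$f")"
        touch "$f"
        chown "$user" "$f"
    done
}

# check_owner USER FILE...
# USER may be a login name or a numeric uid. Returns 0 when every FILE is
# owned by USER, 1 when some file is not, 2 when USER cannot be resolved.
check_owner() {
    want=$1; shift
    case $want in
        ''|*[!0-9]*) want=$(id -u "$want") || return 2 ;;   # resolve name to uid
    esac
    bad=0
    for f in "$@"; do
        # GNU stat first, BSD/macOS stat as fallback; both print the uid.
        have=$(stat -c %u "$f" 2>/dev/null || stat -f %u "$f" 2>/dev/null)
        if [ "$have" != "$want" ]; then
            echo "wrong owner: $f (uid ${have:-?}, expected $want)" >&2
            bad=1
        fi
    done
    return $bad
}

# Typical use (assumed layout, run as root before starting named):
#   check_chroot_devices /var/named-chroot
#   prepare_writable named /var/named-chroot/var/named/dyn/dyn.example.com.db
#   check_owner named /var/named-chroot/var/named/dyn/dyn.example.com.db
```

<p>
 Only the files that <span class="command"><strong>named</strong></span> genuinely writes (dynamic zone files, journals, the PID file) should pass <code class="function">check_owner</code> for the service user; static zone files and <code class="filename">named.conf</code> should stay owned by root so a compromised server cannot rewrite its own configuration.
 </p>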
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<h3 class="title">Note</h3>
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User<p>
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User If the <span class="command"><strong>named</strong></span> daemon is running as an
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews unprivileged user, it will not be able to bind to new restricted
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews ports if the server is reloaded.
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User </p>
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User</div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <div class="section">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Access to the dynamic
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein update facility should be strictly limited. In earlier versions of
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews <acronym class="acronym">BIND</acronym>, the only way to do this was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein based on the IP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein address of the host requesting the update, by listing an IP address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein or
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt network prefix in the <span class="command"><strong>allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This method is insecure since the source address of the update UDP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein packet
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein is easily forged. Also note that if the IP addresses allowed by the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="command"><strong>allow-update</strong></span> option include the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein address of a slave
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server which performs forwarding of dynamic updates, the master can
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein trivially attacked by sending the update to the slave, which will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein forward it to the master with its own source IP address causing the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein master to approve it without question.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein For these reasons, we strongly recommend that updates be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cryptographically authenticated by means of transaction signatures
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt (TSIG). That is, the <span class="command"><strong>allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option should
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein list only TSIG key names, not IP addresses or network
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option can be used.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User <p>
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrews Some sites choose to keep all dynamically-updated DNS data
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein in a subdomain and delegate that subdomain to a separate zone. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein way, the top-level zone containing critical data such as the IP
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein addresses
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein of public web and mail servers need not allow dynamic update at
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein all.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein </p>
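<p>
 The three recommendations above (no address-based <span class="command"><strong>allow-update</strong></span>, TSIG keys or <span class="command"><strong>update-policy</strong></span> instead, and dynamic data in its own delegated zone) fit in one <code class="filename">named.conf</code> fragment. The following is an added illustration, not configuration shipped with BIND; the zone names, file paths, key name and secret are placeholders.
 </p>

```conf
// Added example, not from the BIND ARM. Placeholders throughout.

key "dhcp-update-key" {
    algorithm hmac-sha256;
    // Real value: the base64 secret produced by tsig-keygen (never commit it).
    secret "PLACEHOLDER-BASE64-SECRET==";
};

// Critical, static data: the top-level zone allows no dynamic update at all.
// Its zone file delegates the dynamic subdomain with NS records, e.g.
//   dyn.example.com.  IN  NS  ns1.example.com.
zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { none; };
};

// Everything that is updated dynamically lives in the delegated zone.
zone "dyn.example.com" {
    type master;
    file "dyn/dyn.example.com.db";   // directory must be writable by named

    // Insecure form the text warns about: the (forgeable) source address is
    // the only check, and a slave in this prefix that forwards updates would
    // relay anything it receives with its own address.
    // allow-update { 192.0.2.0/24; };

    // Recommended: list only TSIG key names.
    allow-update { key "dhcp-update-key"; };

    // Alternative, mutually exclusive with allow-update in the same zone:
    // update-policy limits the signer to names under the zone and to the
    // record types it actually needs.
    // update-policy {
    //     grant dhcp-update-key subdomain dyn.example.com. A AAAA TXT;
    // };
};
```

<p>
 With either form the update must carry a valid signature under <code class="literal">dhcp-update-key</code>; an unsigned update, or one signed with another key, is refused regardless of where it comes from, which is what removes the spoofed-source and slave-forwarding problems described above.
 </p>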
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User </div>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="navfooter">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<hr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<table width="100%" summary="Navigation footer">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center">&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr>
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</tr>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</table>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</div>
c313914d0e66b20969215e519bbf2ab4ecf39512Tinderbox User<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.3 (Extended Support Version)</p>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</body>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein</html>