Bv9ARM.ch07.html revision 4abdfc917e6635a7c81d1f931a0c79227e72d025
<!--
 - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.132 2007/01/26 23:29:04 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 7. BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592584"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592661">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592789">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
 <span><strong class="command">blackhole</strong></span>, and <span><strong class="command">allow-transfer</strong></span>.
 Using ACLs allows you to have finer control over who can access
 your name server, without cluttering up your config files with huge
 lists of IP addresses.
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service (DoS) attacks.
 In particular, restricting <span><strong class="command">allow-recursion</strong></span> to
 your own networks keeps the server from being an open resolver that
 outsiders can use in reflection and amplification attacks.
 Here is an example of how to properly apply ACLs:
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
};
zone "example.com" {
        type master;
        file "m/example.com";
        allow-query { any; };
};
</pre>
 This allows authoritative queries for "example.com" from any
 address (the zone-level <span><strong class="command">allow-query</strong></span> overrides
 the global one for that zone), but recursive queries only from the
 networks in "our-nets", and no queries at all from the networks in
 "bogusnets". Note that 1.0.0.0/8 and 2.0.0.0/8 were unallocated when
 this example was written; both have since been allocated to regional
 registries, so blackholing them today would silently drop traffic from
 legitimate clients. Keep any such "bogon" list current.
 For more information on how to use ACLs to protect your server,
 see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2592584"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span>
 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
 (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
 option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
 a "sandbox", which will limit the damage done if the server is compromised.
 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
 a process that remains root can escape a chroot, so the two measures
 should be used together.
 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
 <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2592661"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 In order for a <span><strong class="command">chroot</strong></span> environment to
 work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <acronym class="acronym">BIND</acronym> needs to run.
 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this.
 Unlike with earlier versions of BIND, you will typically
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
 <code class="filename">/dev/log</code> and
 <code class="filename">/etc/localtime</code>.
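 The steps above (a new root for <span><strong class="command">named</strong></span>, chroot-relative values
 for <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span>,
 <code class="filename">/etc/localtime</code> and device nodes under the new root, and ownership
 such that the unprivileged user can write only where it must) as one shell script.
 This is an added example, not part of the BIND ARM or the BIND distribution. It
 assumes the ARM's <code class="filename">/var/named</code> root and uid 202 from the command
 line above; the etc/dev/var layout, and the device nodes it creates (/dev/null,
 /dev/zero and /dev/random, using Linux device numbers), are this example's choices
 rather than anything BIND requires.

```shell
#!/bin/sh
# Build and sanity-check a minimal chroot for named (added example; not
# from the BIND ARM or the BIND distribution). Assumed: the new root is
# /var/named and named runs as uid 202 as in the ARM's command line; the
# etc/dev/var layout below is one reasonable choice, not a BIND
# requirement; device numbers are Linux's.

# mkdev PATH MODE MAJOR MINOR: create a character device node if missing.
mkdev() {
    [ -e "$1" ] || mknod -m "$2" "$1" c "$3" "$4" ||
        echo "make_chroot: could not create $1 (needs CAP_MKNOD)" >&2
}

# make_chroot ROOT UID: create the skeleton named needs under ROOT.
make_chroot() {
    root=${1%/}
    uid=$2
    umask 022
    for d in etc dev var/run var/named/slaves; do
        mkdir -p "$root/$d"
    done

    # named reads /etc/named.conf relative to the new root, so the file
    # lives at $root/etc/named.conf on the host, and every path inside it
    # (directory, pid-file, zone files) is chroot-relative as well.
    if [ ! -e "$root/etc/named.conf" ]; then
        cat > "$root/etc/named.conf" <<EOF
options {
        directory "/var/named";         // host path: $root/var/named
        pid-file "/var/run/named.pid";  // host path: $root/var/run/named.pid
};
EOF
    fi

    # Time zone data for local-time log stamps. A /dev/log socket cannot
    # be created here: tell syslogd to open one inside the chroot (for
    # example "syslogd -a $root/dev/log", or rsyslog's
    # $AddUnixListenSocket directive pointing at $root/dev/log).
    if [ -e /etc/localtime ]; then
        cp /etc/localtime "$root/etc/localtime"
    fi

    # Root-only steps: device nodes and ownership. Only the slave zone
    # directory and the pid-file directory are given to the named uid;
    # everything else stays root-owned, so a compromised named cannot
    # rewrite its own configuration or primary zone data.
    if [ "$(id -u)" = 0 ]; then
        mkdev "$root/dev/null" 666 1 3
        mkdev "$root/dev/zero" 666 1 5
        mkdev "$root/dev/random" 444 1 8
        chown -R 0:0 "$root"
        chown "$uid" "$root/var/run" "$root/var/named/slaves"
    fi
    chmod 0755 "$root/var/run" "$root/var/named/slaves"
}

# check_chroot ROOT: return 0 if the skeleton exists and nothing outside
# /dev and the two named-writable directories is world-writable, else 1.
check_chroot() {
    root=${1%/}
    for d in etc dev var/run var/named/slaves; do
        if [ ! -d "$root/$d" ]; then
            echo "check_chroot: missing $root/$d" >&2
            return 1
        fi
    done
    loose=$(find "$root" \( -path "$root/dev" -o -path "$root/var/run" \
                -o -path "$root/var/named/slaves" \) -prune \
                -o -perm -0002 -print | wc -l | tr -d ' ')
    if [ "$loose" -ne 0 ]; then
        echo "check_chroot: $loose world-writable path(s) under $root" >&2
        return 1
    fi
    return 0
}

# Usage: sh THIS_SCRIPT /var/named 202, then start the server with
#   /usr/local/bin/named -u 202 -t /var/named
if [ $# -gt 0 ]; then
    make_chroot "$1" "${2:-202}" && check_chroot "$1"
fi
```

 Run it as root on the real host so the device nodes and ownership are set; run
 <span><strong class="command">check_chroot</strong></span> again after any later change under the
 new root, since a world-writable file there hands the unprivileged
 <span><strong class="command">named</strong></span> a way to alter its own configuration.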
<div class="titlepage"><div><div><h3 class="title">
<a name="id2592789"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 Prior to running the <span><strong class="command">named</strong></span> daemon, use
 the <span><strong class="command">touch</strong></span> utility (to change file
 modification times) or the <span><strong class="command">chown</strong></span> utility
 (to change ownership) on the files
 to which you want <acronym class="acronym">BIND</acronym> to write.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports if the server is reloaded. On Linux, <span><strong class="command">named</strong></span>
 uses the kernel's capability mechanism to keep the ability to bind to
 privileged ports after changing user, so this limitation does not
 apply there.
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
 Access to the dynamic
 update facility should be strictly limited. In earlier versions of
 <acronym class="acronym">BIND</acronym>, the only way to do this was
 based on the IP
 address of the host requesting the update, by listing an IP address or
 network prefix in the <span><strong class="command">allow-update</strong></span> zone option.
 This method is insecure since the source address of the update UDP packet
 is easily forged. Also note that if the IP addresses allowed by the
 <span><strong class="command">allow-update</strong></span> option include the
 address of a slave
 server which performs forwarding of dynamic updates, the master can be
 trivially attacked by sending the update to the slave, which will
 forward it to the master with its own source IP address, causing the
 master to approve it without question.
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
 option should
 list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
 option can be used to grant each key the right to update only
 particular names and record types within the zone.
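 The recommendation above, carried through as an added example (not code from the
 BIND ARM or the BIND distribution): generate an HMAC-SHA256 TSIG secret, emit the
 <span><strong class="command">key</strong></span> statement shared by server and client, a zone whose
 <span><strong class="command">update-policy</strong></span> accepts only updates signed with that key, the
 matching <span><strong class="command">nsupdate</strong></span> commands, and a check that flags any
 <span><strong class="command">allow-update</strong></span> list in a configuration that still grants by
 address. The zone <code class="filename">dyn.example.com</code>, the key name
 <code class="filename">dhcp-updater</code>, the server 192.0.2.53 and the host record are
 placeholders chosen for this example.

```shell
#!/bin/sh
# TSIG-authenticated dynamic update: key generation, the named.conf and
# nsupdate fragments that go with it, and a check that no zone still
# grants updates by address. Added example; not from the BIND ARM or the
# BIND distribution. The zone dyn.example.com, key name dhcp-updater,
# server 192.0.2.53 and host record below are placeholders chosen here.

# tsig_secret: 256 random bits, base64, the right size for hmac-sha256.
# (BIND ships tsig-keygen for this; "openssl rand -base64 32" also works.)
tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# key_clause NAME SECRET: the key statement both server and client need.
# Keep it in its own file (mode 0640, owner root, group named) and
# "include" it from named.conf so the secret is not world-readable.
key_clause() {
    printf 'key "%s" {\n        algorithm hmac-sha256;\n        secret "%s";\n};\n' "$1" "$2"
}

# zone_clause ZONE FILE KEY: a master zone that accepts updates only when
# they are signed with KEY, and only for A/AAAA/TXT records below the
# apex. allow-update and update-policy are mutually exclusive within one
# zone; the commented line shows the coarser key-based allow-update form.
zone_clause() {
    cat <<EOF
zone "$1" {
        type master;
        file "$2";
        // allow-update { key "$3"; };   // any name and type in the zone
        update-policy {
                grant $3 subdomain $1. A AAAA TXT;
        };
};
EOF
}

# nsupdate_script SERVER ZONE NAME ADDR: commands for one signed update.
# Feed to: nsupdate -y hmac-sha256:KEYNAME:SECRET   (or -k keyfile)
nsupdate_script() {
    printf 'server %s\nzone %s\nupdate delete %s A\nupdate add %s 300 A %s\nsend\n' \
        "$1" "$2" "$3" "$3" "$4"
}

# insecure_update_acls CONF: print every allow-update list that grants by
# address, prefix or "any" rather than by key name (or "none"); return 1
# if any is found. Comments are stripped first so commented-out examples
# do not trip the check.
insecure_update_acls() {
    found=$(sed -e 's://.*$::' -e 's:#.*$::' "$1" | tr '\n' ' ' |
        grep -o 'allow-update[[:space:]]*{[^}]*}' |
        grep -v -E '^allow-update[[:space:]]*\{([[:space:]]*(key[[:space:]]+"?[^[:space:];"]+"?|none)[[:space:]]*;)+[[:space:]]*\}$' || true)
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Usage: sh THIS_SCRIPT emit > named-dyn.conf   (nsupdate commands go to stderr)
#        sh THIS_SCRIPT check /etc/named.conf
case $1 in
    emit)  secret=$(tsig_secret)
           key_clause dhcp-updater "$secret"
           zone_clause dyn.example.com dyn.example.com.db dhcp-updater
           nsupdate_script 192.0.2.53 dyn.example.com host1.dyn.example.com 192.0.2.10 >&2 ;;
    check) insecure_update_acls "$2" ;;
esac
```

 TSIG covers the whole request with a keyed MAC and a timestamp, so a forged source
 address no longer matters and the slave-forwarding problem above disappears as well:
 the master verifies the client's signature, not the forwarder's address. Both ends
 need the same key statement and clocks within TSIG's fudge window; keep the file
 holding the secret readable only by root and the <span><strong class="command">named</strong></span> user.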
 Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at all.