Bv9ARM.ch07.html revision f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8 (Eric Luce)

Chapter 7. BIND 9 Security Considerations

Table of Contents
7.1. Access Control Lists
7.2. chroot and setuid (for UNIX servers)
7.3. Dynamic Updates

7.1. Access Control Lists
Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in statements such as allow-query, allow-recursion, blackhole and allow-transfer.

Using ACLs allows you to have finer control over who can access your nameserver, without cluttering up your config files with huge lists of IP addresses.

It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against your server.

Here is an example of how to properly apply ACLs:
    // Set up an ACL named "bogusnets" that will block RFC1918 space,
    // which is commonly used in spoofing attacks.
    acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    // Set up an ACL called our-nets. Replace this with the real IP numbers.
    acl our-nets { x.x.x.x/24; x.x.x.x/21; };
    options {
      // Only our own networks may query the server or use it recursively.
      allow-query { our-nets; };
      allow-recursion { our-nets; };
      // Packets from the bogus networks are dropped without a reply.
      blackhole { bogusnets; };
    };
    // Placeholder zone name and file: the zone we publish to the world.
    zone "example.com" {
      type master;
      file "example.com.zone";
      allow-query { any; };
    };
This allows recursive queries of the server from the outside unless recursion has been previously disabled.

For more information on how to use ACLs to protect your server, see the AUSCERT advisory at ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
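As an added example (not from the ARM or the BIND project), the following POSIX shell script audits a named.conf for the access-control statements this section applies through ACLs: it reports allow-recursion, allow-transfer or blackhole left unset in options, and any of those set to { any; }, while treating allow-query { any; } on a zone as the normal case for published data. The two sample configs it writes are constructed for this page; 203.0.113.0/24 stands in for our-nets, and the bogus-source list omits 1.0.0.0/8 and 2.0.0.0/8 from the ARM's list because both ranges have since been allocated and are routable.

```shell
#!/bin/sh
# Added example, not from the BIND ARM: a small audit of the access-control
# statements in a named.conf. It understands the one-statement-per-line layout
# of the example config (a space before each "{"); feed real files through
# BIND's own "named-checkconf -p" first to get that canonical layout.

# Print one finding per line for the file $1; return 1 if there were any.
audit_named_conf() {
    findings=$(awk '
        { sub(/\/\/.*/, "") }                       # drop // comments
        depth == 0 && $1 == "options" { ctx = "options" }
        depth == 0 && $1 == "zone"    { ctx = "zone " $2 }
        # access-control statements directly inside options or a zone block
        depth == 1 && $1 ~ /^(allow-query|allow-recursion|allow-transfer|blackhole)$/ {
            v = $0
            sub(/^[^{]*\{/, "", v); sub(/\}.*$/, "", v)   # keep the { ... } body
            gsub(/[ \t;]+/, " ", v); sub(/^ /, "", v); sub(/ $/, "", v)
            seen[ctx, $1] = v
            # allow-query { any; } on a zone is normal for published data, so
            # only recursion, transfers and blackhole are checked for "any"
            if (v == "any" && $1 != "allow-query")
                print ctx ": " $1 " { any; } is open to every client"
        }
        { depth += gsub(/\{/, "{") - gsub(/\}/, "}") }  # track nesting depth
        END {
            if (!(("options", "allow-recursion") in seen))
                print "options: allow-recursion not set, recursion is not limited by ACL"
            if (!(("options", "allow-transfer") in seen))
                print "options: allow-transfer not set, zone transfers are not limited by ACL"
            if (!(("options", "blackhole") in seen))
                print "options: no blackhole list for spoofed or bogus source networks"
        }' "$1")
    if [ -z "$findings" ]; then return 0; fi
    printf '%s\n' "$findings"
    return 1
}

# Constructed sample: no ACLs at all, transfers open to everyone.
write_weak_conf() {
    cat > "$1" <<'EOF'
options {
    recursion yes;
    allow-transfer { any; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
};
EOF
}

# Constructed sample in the shape of the ARM example: our-nets may query,
# recurse and transfer, bogus source networks are blackholed, and the public
# zone itself stays queryable by anyone.
write_hardened_conf() {
    cat > "$1" <<'EOF'
acl bogusnets { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 192.0.2.0/24; 224.0.0.0/3; };
acl our-nets { 203.0.113.0/24; };   // placeholder for the real networks
options {
    allow-query { our-nets; };
    allow-recursion { our-nets; };
    allow-transfer { our-nets; };
    blackhole { bogusnets; };
};
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-query { any; };
};
EOF
}

# Stand-alone run: audit both samples in a scratch directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    write_weak_conf "$d/weak.conf"; write_hardened_conf "$d/hardened.conf"
    for f in "$d/weak.conf" "$d/hardened.conf"; do
        echo "== $f"; audit_named_conf "$f" && echo "no findings"
    done
    rm -r "$d"
fi
```

Run it with `--demo` to see the weak sample produce three findings and the hardened one none; in a real deployment the same function is worth running from a pre-commit hook or config-management test so that an ACL cannot silently fall back to "any".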
7.2. chroot and setuid (for UNIX servers)

On UNIX servers, it is possible to run BIND in a chrooted environment (chroot()) by specifying the "-t" option. This can help improve system security by placing BIND in a "sandbox," which will limit the damage done if a server is compromised.

Another useful feature in the UNIX version of BIND is the ability to run the daemon as a nonprivileged user (-u user). We suggest running as a nonprivileged user when using the chroot feature.

A typical command line combines the two: -t loads BIND in the chroot() sandbox directory, and -u runs named setuid to the nonprivileged user.
7.2.1. The chroot Environment

In order for a chroot environment to work properly in a particular directory, you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, that directory is the root of the filesystem. You will need /dev/null, and any library directories and files that BIND needs to run on your system. Please consult your operating system's instructions if you need help figuring out which library files you need to copy over to the chroot sandbox.

If you are running an operating system that supports static binaries, you can also compile BIND statically and avoid the need to copy system libraries over to your chroot sandbox.
7.2.2. Using the setuid Function

Prior to running the named daemon, use the touch utility (to change file access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want BIND to write, so that they already exist and are owned by the nonprivileged user named will run as.
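The whole of 7.2 as one added example, not the ARM's own: a POSIX shell script that builds the sandbox skeleton, copies the binary and its shared libraries in, creates /dev/null, touches and chowns the files named will write, prints the -u/-t start command, and finally checks that the daemon user cannot write anywhere else in the sandbox. The sandbox root, the unprivileged account, the var/named data directory, the example.com.zone file names and /bin/sh as a stand-in for the named binary are assumptions for this page; -t, -u and the .jnl journal suffix are BIND's own, and the device numbers are Linux's.

```shell
#!/bin/sh
# Added example, not from the BIND ARM: build a chroot sandbox for named and
# stage the files it is allowed to write, following sections 7.2 to 7.2.2.
# The sandbox root, the unprivileged account, the named binary path and the
# var/named data directory are assumptions supplied by the caller.

# Directory skeleton under $1. Only var/named is meant to be writable by the
# daemon; everything else stays owned by root and read-only for it.
make_sandbox() {
    for d in etc dev var/named; do
        mkdir -p "$1/$d"
    done
    chmod 755 "$1" "$1/etc" "$1/dev" "$1/var"
}

# Copy named.conf ($2) into the sandbox; after chroot, named sees it as
# /etc/named.conf.
install_config() {
    cp "$2" "$1/etc/named.conf"
    chmod 644 "$1/etc/named.conf"
}

# named needs /dev/null inside the sandbox (Linux major/minor 1,3). mknod
# requires root, so an unprivileged run only reports what is still missing.
make_dev_null() {
    [ -c "$1/dev/null" ] && return 0
    mknod -m 666 "$1/dev/null" c 1 3 2>/dev/null ||
        echo "run as root to create $1/dev/null"
}

# Copy the binary ($2, absolute path) plus, when ldd is available, every
# shared library it links against, each at the same path inside the sandbox.
stage_binary() {
    mkdir -p "$1$(dirname "$2")"
    cp "$2" "$1$2" && chmod 755 "$1$2"
    command -v ldd >/dev/null 2>&1 || return 0
    ldd "$2" 2>/dev/null |
        awk '{ for (i = 1; i <= NF; i++) if ($i ~ /^\//) print $i }' |
        while read -r lib; do
            mkdir -p "$1$(dirname "$lib")"
            cp "$lib" "$1$lib" 2>/dev/null || true
        done
}

# Section 7.2.2: touch the files the daemon will write and chown them, with
# their directory, to the unprivileged user before named starts, so the daemon
# needs no write access anywhere else. $1 = sandbox, $2 = user, rest = files.
stage_writable_files() {
    root=$1; user=$2; shift 2
    for f in "$@"; do
        touch "$root/var/named/$f"
    done
    chown -R "$user" "$root/var/named"
    chmod 750 "$root/var/named"
}

# The start command: -t chroots named into $1 and -u switches it to user $2
# after the privileged steps such as binding port 53 (both are real named
# options); $3 is the named binary on the host.
named_command() {
    printf '%s -u %s -t %s\n' "$3" "$2" "$1"
}

# Defender's check: anything outside var/named that the daemon user owns or
# that is world-writable. Expect no output for a correctly staged sandbox
# (skeleton owned by root); run unprivileged, the skeleton belongs to the
# caller and is therefore listed.
writable_outside_data_dir() {
    find "$1" -path "$1/var/named" -prune -o \
        \( -user "$2" -o -perm -002 \) -print
}

if [ "${1:-}" = "--demo" ]; then
    root=${SANDBOX:-$(mktemp -d)}      # assumption: sandbox location
    user=${NAMED_USER:-$(id -un)}      # assumption: unprivileged account
    printf 'options { directory "/var/named"; };\n' > "$root.conf"
    make_sandbox "$root"; install_config "$root" "$root.conf"
    make_dev_null "$root"; stage_binary "$root" /bin/sh   # /bin/sh stands in for named
    stage_writable_files "$root" "$user" example.com.zone example.com.zone.jnl
    echo "start with: $(named_command "$root" "$user" named)"
    echo "owned by $user or world-writable outside var/named:"
    writable_outside_data_dir "$root" "$user"
fi
```

Running the demo as root with a dedicated account in NAMED_USER is the realistic case; the final listing should then be empty, and anything it does print is a file the compromised daemon could alter.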
7.3. Dynamic Updates

Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update, and source addresses can be spoofed. BIND 9 supports authenticating updates cryptographically by means of transaction signatures (TSIG). The use of TSIG is strongly recommended.

Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all.
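An added example, not the ARM's own: a shell script that prints the two configurations side by side, the address-based allow-update this section warns about and the recommended layout, in which the critical zone stays static and the delegated dyn.example.com zone accepts only updates signed with a TSIG key, together with a check that lists zones still trusting the requester's address alone. The key name dyn-updater, the zone and file names and the 192.0.2.0/24 client prefix are assumptions for this page; hmac-sha256, the key statement and update-policy with the zonesub rule are BIND 9 syntax.

```shell
#!/bin/sh
# Added example, not from the BIND ARM. Key name, zone names, file names and
# the client prefix are placeholders chosen for this page.

# A fresh 256-bit TSIG secret, base64-encoded as the key statement expects.
gen_tsig_secret() {
    head -c 32 /dev/urandom | base64 | tr -d '\n'
}

# The weak form, kept for contrast: anyone who can put a packet on the wire
# with a source address in 192.0.2.0/24 may rewrite the critical zone.
weak_update_conf() {
    cat <<'EOF'
zone "example.com" {
    type master;
    file "example.com.zone";
    allow-update { 192.0.2.0/24; };
};
EOF
}

# The recommended form: the critical zone carries only static data, including
# the NS records delegating dyn.example.com; the delegated zone accepts updates
# to names beneath it only when the request is signed with the key ($1).
tsig_update_conf() {
    secret=$1
    cat <<EOF
key "dyn-updater" {
    algorithm hmac-sha256;
    secret "$secret";
};
zone "example.com" {
    type master;
    file "example.com.zone";
    // no allow-update here: the delegation to dyn.example.com is static data
};
zone "dyn.example.com" {
    type master;
    file "dyn.example.com.zone";
    update-policy { grant dyn-updater zonesub ANY; };
};
EOF
}

# Check: print every zone in $1 whose allow-update list names no key, i.e. a
# zone that still accepts updates on the strength of an IP address.
ip_only_update_zones() {
    awk '
        { sub(/\/\/.*/, "") }
        $1 == "zone" { zone = $2 }
        $1 == "allow-update" && $0 !~ /key[ \t]/ && $0 !~ /none/ { print zone }
    ' "$1"
}

if [ "${1:-}" = "--demo" ]; then
    s=$(gen_tsig_secret)
    d=$(mktemp -d)
    weak_update_conf > "$d/weak.conf"; tsig_update_conf "$s" > "$d/tsig.conf"
    echo "zones updatable by address alone in weak.conf:"; ip_only_update_zones "$d/weak.conf"
    echo "zones updatable by address alone in tsig.conf:"; ip_only_update_zones "$d/tsig.conf"
    cat "$d/tsig.conf"
    rm -r "$d"
fi
```

The same key statement, secret included, goes to the update client (BIND's nsupdate reads it with -k), and the secret must be handled like any other shared credential: mode 600 on both hosts and rotated by generating a new one and replacing both copies.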