Bv9ARM.ch07.html revision fd2597f75693a2279fdf588bd40dfe2407c42028
6fe48fb46e53ffc37542853a1edb74cb481b7d94Automatic Updater - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC")
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User - Copyright (C) 2000-2003 Internet Software Consortium.
1167fc7904c5f0a472f8df207ac46dd52c7f1ec8Automatic Updater - Permission to use, copy, modify, and/or distribute this software for any
0c39b3ed9409ecb277d5e32fa763a4e4d6598df8Automatic Updater - purpose with or without fee is hereby granted, provided that the above
46da3117812814a29432a8d9a9ccf8acdbfdadceAutomatic Updater - copyright notice and this permission notice appear in all copies.
fe84edc17e0d582cf7b4270f8df9d4742a107b1cAutomatic Updater - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
79b273c187a4aa1016a62181983dfdd0521681aeMark Andrews - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
b253dcf9668f95e141bce9556dc88e30d3305a1dTinderbox User - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User - PERFORMANCE OF THIS SOFTWARE.
6c910bd5e4a85a56e3a61fdf7b237a45bb2553eeTinderbox User<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
3cc98b8ecedcbc8465f1cf2740b966b315662430Automatic Updater<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
e20309353e6246485c521278131d3fced73d7957Tinderbox User<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<table width="100%" summary="Navigation header">
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<div class="titlepage"><div><div><h1 class="title">
aa9c561961e9d877946ebaa8795fa2be054ab7bfEvan Hunt<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.3"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.3.6">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
cdfc81e048bd34c1d628380247bda6b80a89e20eAutomatic Updater<dt><span class="section"><a href="Bv9ARM.ch07.html#id-1.8.3.7">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
eabc9c3c07cd956d3c436bd7614cb162dabdda76Mark Andrews<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User Access Control Lists (ACLs) are address match lists that
e20309353e6246485c521278131d3fced73d7957Tinderbox User you can set up and nickname for future use in
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
e5a3fb2b751598fdbcf2cde07a47202aaab93081Tinderbox User <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
e20309353e6246485c521278131d3fced73d7957Tinderbox User <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <span class="command"><strong>match-clients</strong></span>, etc.
c59750de3ea3c7d5890000fb4606e8f5835a52aaTinderbox User Using ACLs allows you to have finer control over who can access
80faf1588895fd26490f82f95a7a1b771df1c324Automatic Updater your name server, without cluttering up your config files with huge
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews lists of IP addresses.
114f7780384371121918624ae2c80ecfce545683Tinderbox User It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
693c4232dfdffaff672197d4b9fea944c64cf80aAutomatic Updater control access to your server. Limiting access to your server by
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews outside parties can help prevent spoofing and denial of service
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater (DoS) attacks against your server.
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater ACLs match clients on the basis of up to three characteristics:
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews 1) The client's IP address; 2) the TSIG or SIG(0) key that was
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater used to sign the request, if any; and 3) an address prefix
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson encoded in an EDNS Client Subnet option, if any.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson Here is an example of ACLs based on client addresses:
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews// Set up an ACL named "bogusnets" that will block
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews// RFC1918 space and some reserved space, which is
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox User// commonly used in spoofing attacks.
3349f0044fda807e1fd6681c833d3593a22dad86Tinderbox Useracl bogusnets {
2a31bd531072824ef252c18303859d6af7451b00Francis Dupont// Set up an ACL called our-nets. Replace this with the
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews// real IP numbers.
bed0874e1a09e810575328c4bfc346a47514b69fMark Andrews allow-query { our-nets; };
24bf1e02f03577db0feb50b80238c4150c96d05dAutomatic Updater allow-recursion { our-nets; };
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews blackhole { bogusnets; };
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews allow-query { any; };
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews This allows authoritative queries for "example.com" from any
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox User address, but recursive queries only from the networks specified
b871c7156eb037d41f53828c6fcb9cc876128962Mark Andrews in "our-nets", and no queries at all from the networks
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater specified in "bogusnets".
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater In addition to network addresses and prefixes, which are
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater matched against the source address of the DNS request, ACLs
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater may include <code class="option">key</code> elements, which specify the
fe80a4909bf62b602feaf246866e9d29f7654194Automatic Updater name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater elements, which specify a network prefix but are only matched
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater if that prefix matches an EDNS client subnet option included
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson in the request.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson The EDNS Client Subnet (ECS) option is used by a recursive
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater resolver to inform an authoritative name server of the network
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater address block from which the original query was received, enabling
dd65eb1efb40b1c47d57963192bfc54873b219beAutomatic Updater authoritative servers to give different answers to the same
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater resolver for different resolver clients. An ACL containing
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater an element of the form
133e6d43fa82e80d3798be4de00f4540f485ec6cAutomatic Updater <span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater will match if a request arrives containing an ECS option
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson encoding an address within that prefix. If the request has no
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater ECS option, then "ecs" elements are simply ignored. Addresses
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User in ACLs that are not prefixed with "ecs" are matched only
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User against the source address.
c7ef13f6c9ef4436bc804b150e0a93307b11fa27Tinderbox User When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User ACLs can also be used for geographic access restrictions.
f132a836c4e386b1af045dd8fe7106ae61b90bffAutomatic Updater This is done by specifying an ACL element of the form:
d642d3857129678797a01adee14fbd70335b05a9Mark Andrews <span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User The <em class="replaceable"><code>field</code></em> indicates which field
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User to search for a match. Available fields are "country",
269519eeb959d905ed125f96426e01d725c3b597Tinderbox User "region", "city", "continent", "postal" (postal code),
8711e5c73ca872d59810760af0332194cbdd619bAutomatic Updater "metro" (metro code), "area" (area code), "tz" (timezone),
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater "isp", "org", "asnum", "domain" and "netspeed".
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater <em class="replaceable"><code>value</code></em> is the value to search
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User for within the database. A string may be quoted if it
e85565067cf73f8cc21ee29b11761659f1d47ee9Automatic Updater contains spaces or other special characters. If this is
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater an "asnum" search, then the leading "ASNNNN" string can be
bc0a53583d92309bebcf93c408e2f3247ebd3d3cAutomatic Updater used, otherwise the full description must be used (e.g.
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater "ASNNNN Example Company Name"). If this is a "country"
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater search and the string is two characters long, then it must
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater be a standard ISO-3166-1 two-letter country code, and if it
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater is three characters long then it must be an ISO-3166-1
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater three-letter country code; otherwise it is the full name
7f79131f9a8e804b93c57f3c679065cce878b726Automatic Updater of the country. Similarly, if this is a "region" search
59528addd704f8d5757b54e540520f74e588a7c7Automatic Updater and the string is two characters long, then it must be a
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater standard two-letter state or province abbreviation;
609b8d08176469485edce25f3c2f50365bbd3819Mark Andrews otherwise it is the full name of the state or province.
19b3dc94bce93fa76bd7e066f9298630dbc9dcb4Automatic Updater The <em class="replaceable"><code>database</code></em> field indicates which
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater GeoIP database to search for a match. In most cases this is
9513a2a6670951f5cf5477fcfec9f933fcaff628Automatic Updater unnecessary, because most search fields can only be found in
7f94d9a8162c9a96b56e66176702b66e79d8e1a2Automatic Updater a single database. However, searches for country can be
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater answered from the "city", "region", or "country" databases,
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater and searches for region (i.e., state or province) can be
5ecad47f69b3fd945472ab2900a9ff826a7ce2f6Automatic Updater answered from the "city" or "region" databases. For these
dbd021853bb1cd6ab128e8da8865f5965030aedcTinderbox User search types, specifying a <em class="replaceable"><code>database</code></em>
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater will force the query to be answered from that database and no
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User other. If <em class="replaceable"><code>database</code></em> is not
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User specified, then these queries will be answered from the "city"
7262eb86f2b465822206122921e2f357218f0cfdAutomatic Updater database if it is installed, or the "region" database if it is
96ea71632887c58a9d00f47eb318bf76b35903c3Mark Andrews installed, or the "country" database, in that order.
bbb069be941f649228760edcc241122933c066d2Automatic Updater By default, if a DNS query includes an EDNS Client Subnet (ECS)
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater option which encodes a non-zero address prefix, then GeoIP ACLs
4cda4fd158d6ded5586bacea8c388445d99611eaAutomatic Updater will be matched against that address prefix. Otherwise, they
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews are matched against the source address of the query. To
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User prevent GeoIP ACLs from matching against ECS options, set
80faf1588895fd26490f82f95a7a1b771df1c324Automatic Updater the <span class="command"><strong>geoip-use-ecs</strong></span> option to <code class="literal">no</code>.
6a9d2121152c94cb9e35832126c3f2e4d18d81edTinderbox User Some example GeoIP ACLs:
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrewsgeoip country JAP;
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrewsgeoip db country country Canada;
551271d8198ae06e37edf5da519d8ee153eeac0fTinderbox Usergeoip db region region WA;
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrewsgeoip city "San Francisco";
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updatergeoip region Oklahoma;
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox Usergeoip postal 95062;
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updatergeoip org "Internet Systems Consortium";
da59e63e7af147a8bcef985b98b04443e04c3a0eTinderbox User ACLs use a "first-match" logic rather than "best-match":
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User if an address prefix matches an ACL element, then that ACL
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User is considered to have matched even if a later element would
cf7e98f59148b559946a7f1ca728471374f1eef3Automatic Updater have matched more specifically. For example, the ACL
930f6069e5aa157cf6987cdafd412f5757a5a558Automatic Updater <span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
27c3c21f41520e8d6336d80a8094389e321cb6d2Mark Andrews match a query from 10.0.0.1, because the first element
dc5552b4df5e3821783821c8d4e734c1608c446eTinderbox User indicated that the query should be accepted, and the second
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater element is ignored.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson When using "nested" ACLs (that is, ACLs included or referenced
c3fd32ed29e9e419bb56583f4272a506773b1ea0Automatic Updater within other ACLs), a negative match of a nested ACL will cause
c3fd32ed29e9e419bb56583f4272a506773b1ea0Automatic Updater the containing ACL to continue looking for matches. This
a382ca49c874d38ad3ac8995b49f9f27128e4ca9Automatic Updater enables complex ACLs to be constructed, in which multiple
fe600c3ad88c0bb078283a953d048087d227c0e5Tinderbox User client characteristics can be checked at the same time. For
bbc0e1c4f47f101c4a64db3469352c49a49e734fTinderbox User example, to construct an ACL which allows queries only when
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User it originates from a particular network <span class="emphasis"><em>and</em></span>
e20309353e6246485c521278131d3fced73d7957Tinderbox User only when it is signed with a particular key, use:
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox Userallow-query { !{ !10/8; any; }; key example; };
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson Within the nested ACL, any address that is
e2caa7536302de34de6cc04025abcd53dc3a499aAutomatic Updater <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User be rejected, and this will terminate processing of the
8292deab031e7599cd7622aa7675fbe139ca6095Mark Andrews ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews network prefix will be accepted, but this causes a negative
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews match of the nested ACL, so the containing ACL continues
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews processing. The query will then be accepted if it is signed
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User by the key "example", and rejected otherwise. The ACL, then,
f751b1576ee6fef4023bf7101d10167e4fe520f3Tinderbox User will only match when <span class="emphasis"><em>both</em></span> conditions
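The first-match rule, the treatment of a negative match inside a nested ACL, and the source-only versus ecs-only matching of prefixes all follow from one evaluation loop. The evaluator below is an added example written for this page, not BIND's own code: it accepts a small subset of the address match list syntax (prefixes, including BIND's abbreviated "10/8" form, key and ecs elements, any, none, nested lists and references to named ACLs), and the names MATCH, NEGATIVE and NO_MATCH, the parse_acl/evaluate/allowed functions and the sample "our-nets" prefix are this example's assumptions. GeoIP elements are not modelled.

```python
"""Added example: evaluate BIND-style address match lists with first-match
semantics. Not BIND's code; syntax subset and names are this example's own."""
import ipaddress
import re

MATCH, NO_MATCH, NEGATIVE = 1, 0, -1

# Tokens: braces, ';', '!', a quoted string, or a bare word.
_TOKEN = re.compile(r'\s*([{};!]|"[^"]*"|[^\s{};!"]+)')


def tokenize(text):
    pos, tokens, text = 0, [], text.strip()
    while pos < len(text):
        m = _TOKEN.match(text, pos)
        if m is None:
            raise ValueError("bad ACL syntax near %r" % text[pos:pos + 20])
        tokens.append(m.group(1).strip('"'))
        pos = m.end()
    return tokens


def _network(word):
    """Accept BIND's abbreviated IPv4 prefixes ('10/8') as well as full forms."""
    addr, _, plen = word.partition("/")
    if ":" not in addr:
        octets = addr.split(".")
        addr = ".".join(octets + ["0"] * (4 - len(octets)))
    return ipaddress.ip_network(addr + ("/" + plen if plen else ""), strict=False)


def parse_acl(text, named=None):
    """Parse '{ elem; ... }' into a list of (negated, kind, value) tuples.
    `named` maps ACL names (as declared with 'acl NAME { ... };') to parsed lists."""
    elements, rest = _parse_list(tokenize(text), named or {})
    if rest:
        raise ValueError("trailing tokens: %r" % rest)
    return elements


def _parse_list(tokens, named):
    if not tokens or tokens[0] != "{":
        raise ValueError("expected '{'")
    tokens, elements = tokens[1:], []
    while tokens and tokens[0] != "}":
        negated = tokens[0] == "!"
        if negated:
            tokens = tokens[1:]
        if not tokens:
            raise ValueError("unexpected end of ACL")
        word = tokens[0]
        if word == "{":                       # nested list
            value, tokens = _parse_list(tokens, named)
            elements.append((negated, "nested", value))
        elif word in ("key", "ecs"):          # 'key NAME' or 'ecs PREFIX'
            value = tokens[1] if word == "key" else _network(tokens[1])
            elements.append((negated, word, value))
            tokens = tokens[2:]
        elif word in ("any", "none"):
            elements.append((negated, word, None))
            tokens = tokens[1:]
        elif word in named:                   # reference to a named ACL
            elements.append((negated, "nested", named[word]))
            tokens = tokens[1:]
        else:
            elements.append((negated, "addr", _network(word)))
            tokens = tokens[1:]
        if not tokens or tokens[0] != ";":
            raise ValueError("expected ';' after element")
        tokens = tokens[1:]
    if not tokens:
        raise ValueError("expected '}'")
    return elements, tokens[1:]


def evaluate(acl, source, signer=None, ecs=None):
    """Evaluate `acl` for a request from `source`, optionally signed with the
    TSIG/SIG(0) key `signer` and carrying the ECS client address `ecs`.
    Returns MATCH (positive match), NEGATIVE (a negated element matched, which
    also stops processing) or NO_MATCH (list exhausted)."""
    source = ipaddress.ip_address(source)
    ecs = ipaddress.ip_address(ecs) if ecs is not None else None
    for negated, kind, value in acl:
        if kind == "addr":
            hit = source in value                     # plain prefixes: source address only
        elif kind == "ecs":
            hit = ecs is not None and ecs in value    # ignored when no ECS option present
        elif kind == "key":
            hit = signer == value
        elif kind == "any":
            hit = True
        elif kind == "none":
            hit = False
        else:  # nested: only a positive inner match counts; a negative inner
            # match is treated as "no match", so the containing list goes on
            hit = evaluate(value, source, signer, ecs) == MATCH
        if hit:
            return NEGATIVE if negated else MATCH     # first match wins
    return NO_MATCH


def allowed(acl, source, signer=None, ecs=None):
    """For allow-* options only a positive match grants access."""
    return evaluate(acl, source, signer, ecs) == MATCH


if __name__ == "__main__":
    print(allowed(parse_acl("{ 10/8; !10.0.0.1; }"), "10.0.0.1"))        # True: first match wins
    both = parse_acl("{ !{ !10/8; any; }; key example; }")
    print(allowed(both, "10.0.0.1", signer="example"))                    # True: in 10/8 and signed
    print(allowed(both, "10.0.0.1"))                                      # False: unsigned
    print(allowed(both, "192.0.2.1", signer="example"))                   # False: outside 10/8
```

Running the four cases at the bottom reproduces the text's two worked examples: the negated host in `{ 10/8; !10.0.0.1; }` is never reached, and `{ !{ !10/8; any; }; key example; }` grants access only when the source is inside 10/8 and the request is signed with "example".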
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews<a name="id-1.8.3"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews in a <span class="emphasis"><em>chrooted</em></span> environment (using
3351ccbd5c1961404044f8273d54dad405f53960Mark Andrews the <span class="command"><strong>chroot()</strong></span> function) by specifying
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
78f3ed4bc2fcd3d270bfd599804f3b27a1db4d91Mark Andrews This can help improve system security by placing
0b57424d28c9a67018107133f9fbc0a7dcf057e2Mark Andrews <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
7d12a6b412fe47e6d6582923fd6954ab8cd0baebAutomatic Updater the damage done if a server is compromised.
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
e8fc8c884b44371784805e1e0d3100da403dd3f1Automatic Updater <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
01a5c5503482fb3ba52088bf0178a7213273bf96Mark Andrews<div class="titlepage"><div><div><h3 class="title">
82a986aaa5d3384a541b5a7d6dae8cf0726d6513Tinderbox User<a name="id-1.8.3.6"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User In order for a <span class="command"><strong>chroot</strong></span> environment
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews to work properly in a particular directory
8f2c45a35dd8c40bcc9caba8f7d40ce64fc27bcdAutomatic Updater (for example, <code class="filename">/var/named</code>),
ce9cad6bb04869c5e94d9dc721032b25117f9210Automatic Updater you will need to set up an environment that includes everything
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <acronym class="acronym">BIND</acronym> needs to run.
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews the root of the filesystem. You will need to adjust the values of
4b2cb1422c7c600fbc13b1cb06a8b4693bc11af8Mark Andrews options
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews like <span class="command"><strong>directory</strong></span> and <span class="command"><strong>pid-file</strong></span> to account
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson Unlike with earlier versions of BIND, you typically will
f2770f6b39a9b2a98afb7a11ed105f73f1570c1eAutomatic Updater <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews statically nor install shared libraries under the new root.
efb0e886f18894a1d2489f1ad74ad14b579e11c7Mark Andrews However, depending on your operating system, you may need
b886b04d8d2b085cbf3e1bf4442dee87f43ba5e4Tinderbox User to set up things like
f7369b2881b5e63d69600adcedc8ba938303d30cTinderbox User <code class="filename">/etc/localtime</code>.
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<div class="titlepage"><div><div><h3 class="title">
9cd5eb6fe0f26d65724b99216cb31dcdd12e4afdAutomatic Updater<a name="id-1.8.3.7"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
f7369b2881b5e63d69600adcedc8ba938303d30cTinderbox User Prior to running the <span class="command"><strong>named</strong></span> daemon,
bc0a4c01beede169df81a3ee5b614ed9e82339dbAutomatic Updater the <span class="command"><strong>touch</strong></span> utility (to change file
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington modification times) or the <span class="command"><strong>chown</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to which you want <acronym class="acronym">BIND</acronym>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Note that if the <span class="command"><strong>named</strong></span> daemon is running as an
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington unprivileged user, it will not be able to bind to new restricted
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ports if the server is reloaded.
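The two subsections above describe a jail in which every path in named.conf is interpreted relative to the chroot, and in which the files named writes must already belong to the unprivileged user. The checker below is an added example written for this page, not part of BIND: it translates configured paths into their real locations under the jail and reports what is missing or not writable by the target uid. The default paths it assumes (/var/named for the directory option, /var/run/named/named.pid for pid-file, /etc/localtime as the OS-dependent extra) and the function names are this example's own; the demo uses a temporary directory and the current uid in place of a real jail and the named user.

```python
"""Added example, not from the BIND ARM: check a chroot jail prepared for
`named -u UID -t JAIL`. Paths and names used here are assumptions."""
import os
import stat
import tempfile


def jail_path(jail, conf_path):
    """A path as written in named.conf is relative to the jail, which named
    sees as '/'; return where that path lives on the real filesystem."""
    return os.path.join(jail, conf_path.lstrip("/"))


def check_chroot(jail, uid, directory="/var/named",
                 pid_file="/var/run/named/named.pid",
                 required_files=("/etc/localtime",)):
    """Return a list of problems found with the jail; [] means none found."""
    problems = []
    if not os.path.isdir(jail):
        return ["jail %s is not a directory" % jail]
    # The working directory must exist, and the pid file's parent must be
    # owned by `uid` and owner-writable so the unprivileged daemon can create
    # the file (the chown/touch preparation the text describes).
    checks = (("directory", directory, False),
              ("pid-file parent", os.path.dirname(pid_file), True))
    for label, conf_path, need_write in checks:
        real = jail_path(jail, conf_path)
        if not os.path.isdir(real):
            problems.append("%s %s missing under the jail (%s)"
                            % (label, conf_path, real))
            continue
        st = os.stat(real)
        if need_write and not (st.st_uid == uid and st.st_mode & stat.S_IWUSR):
            problems.append("%s %s not writable by uid %d" % (label, real, uid))
    for conf_path in required_files:
        if not os.path.exists(jail_path(jail, conf_path)):
            problems.append("%s missing under the jail" % conf_path)
    return problems


def demo():
    """Build a throwaway jail in a temporary directory and run the checker
    before and after the remaining pieces exist; returns both problem lists.
    The current uid stands in for the named user, so ownership already
    matches and no chown is needed here."""
    uid = os.getuid()
    jail = tempfile.mkdtemp(prefix="named-jail-")
    os.makedirs(jail_path(jail, "/var/named"))
    before = check_chroot(jail, uid)            # pid dir and localtime missing
    os.makedirs(jail_path(jail, "/var/run/named"), mode=0o750)
    os.makedirs(jail_path(jail, "/etc"))
    # An empty file stands in for copying the system's real /etc/localtime.
    open(jail_path(jail, "/etc/localtime"), "wb").close()
    after = check_chroot(jail, uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

On a real system the same checker is run against the actual jail with the uid passed to named's -u option; a non-empty result lists exactly the directories and files that still have to be created, copied or chowned before named is started.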
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h2 class="title" style="clear: both">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Access to the dynamic
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington update facility should be strictly limited. In earlier versions of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <acronym class="acronym">BIND</acronym>, the only way to do this was
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington based on the IP
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington address of the host requesting the update, by listing an IP address
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington network prefix in the <span class="command"><strong>allow-update</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This method is insecure since the source address of the update UDP packet
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington is easily forged. Also note that if the IP addresses allowed by the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>allow-update</strong></span> option include the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington address of a slave
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington server which performs forwarding of dynamic updates, the master can
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be trivially attacked by sending the update to the slave, which will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington forward it to the master with its own source IP address causing the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington master to approve it without question.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington For these reasons, we strongly recommend that updates be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington cryptographically authenticated by means of transaction signatures
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington (TSIG). That is, the <span class="command"><strong>allow-update</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington option should
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington list only TSIG key names, not IP addresses or network
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington option can be used.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Some sites choose to keep all dynamically-updated DNS data
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in a subdomain and delegate that subdomain to a separate zone. This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington way, the top-level zone containing critical data such as the IP
febbdb34a7f7759922e239655e7429d78d3a8d26Tinderbox User of public web and mail servers need not allow dynamic update at
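The recommendation above reduces to a checkable rule: every allow-update element should be a TSIG key name (or none), never an address or prefix. The audit below is an added example written for this page, not a BIND tool: it strips comments from a named.conf text, finds each allow-update clause and reports the elements that grant update rights by address. The sample configuration is constructed for the example, its key secret is a placeholder rather than a real key, and the function names are this example's own. Clauses with nested braces are not handled.

```python
"""Added example, not from the BIND ARM: flag address-based allow-update
clauses in a named.conf text. Sample config and names are constructed."""
import re

_COMMENTS = re.compile(r'/\*.*?\*/|//[^\n]*|#[^\n]*', re.S)
_ALLOW_UPDATE = re.compile(r'allow-update\s*\{([^{}]*)\}')


def strip_comments(conf):
    """Blank out comments but keep newlines so line numbers stay correct."""
    return _COMMENTS.sub(lambda m: re.sub(r'[^\n]', '', m.group(0)), conf)


def audit_allow_update(conf):
    """Return (line, element) for every allow-update element that is not a TSIG
    key name or 'none', i.e. an address-based rule whose source is forgeable."""
    text = strip_comments(conf)
    findings = []
    for m in _ALLOW_UPDATE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for element in m.group(1).split(";"):
            element = element.strip().lstrip("!").strip()
            if not element or element == "none":
                continue
            if re.fullmatch(r'key\s+"?[\w.-]+"?', element):
                continue                      # key-based, as the text recommends
            findings.append((line, element))
    return findings


# Constructed sample: one zone updated by address, one by key.
SAMPLE_CONF = """\
key "dhcp-updater" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET";
};
zone "example.com" {
    type master;
    file "example.com.db";
    allow-update { 192.0.2.0/24; };   // address-based: the source is easily forged
};
zone "dyn.example.com" {
    type master;
    file "dyn.example.com.db";
    allow-update { key "dhcp-updater"; };
};
"""

if __name__ == "__main__":
    for line, element in audit_allow_update(SAMPLE_CONF):
        print("line %d: allow-update grants by address: %s" % (line, element))
```

For the sample the audit reports only the first zone's `192.0.2.0/24`; the key-based clause in the second zone passes. The same function can be run over a real named.conf read from disk.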
710bce1a85c96e85ca1a90471382055acd29d51fTinderbox User<table width="100%" summary="Navigation footer">
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
ae7e54b14c946e0984c191554db9abb4893f9349Automatic Updater<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
ec8755f605d7dcb2de1076040e77bc2d7ec33b4aTinderbox User<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
aa1d397c4736cd86540555193d71e55fa3b37b2aMark Andrews<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.0pre-alpha</p>