Bv9ARM.ch07.html revision ffe29868b4bbc64953fc5d0de51f988c20158967
d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - This Source Code Form is subject to the terms of the Mozilla Public
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - License, v. 2.0. If a copy of the MPL was not distributed with this
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - file, You can obtain one at http://mozilla.org/MPL/2.0/.
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<title>Chapter�7.�BIND 9 Security Considerations</title>
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<table width="100%" summary="Navigation header">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User<div class="titlepage"><div><div><h1 class="title">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont Access Control Lists (ACLs) are address match lists that
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont you can set up and nickname for future use in
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont <span class="command"><strong>match-clients</strong></span>, etc.
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont Using ACLs allows you to have finer control over who can access
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont your name server, without cluttering up your config files with huge
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont lists of IP addresses.
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont control access to your server. Limiting access to your server by
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont outside parties can help prevent spoofing and denial of service
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont (DoS) attacks against your server.
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont ACLs match clients on the basis of up to three characteristics:
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User 1) The client's IP address; 2) the TSIG or SIG(0) key that was
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User used to sign the request, if any; and 3) an address prefix
33d0a7767d53cb366039fd0ac4f63cf8a9c351b0Tinderbox User encoded in an EDNS Client Subnet option, if any.
b091b4bb803b830d2d5a9e71b6648b669655d7dcFrancis Dupont Here is an example of ACLs based on client addresses:
zone "example.com" {
This allows authoritative queries for "example.com" from any
<span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
used, otherwise the full description must be used (e.g.
and searches for region (i.e., state or province) can be
<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
<span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
<span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>