Bv9ARM.ch07.html revision 0284e57b9b9dfaf2517a2cc3282ecf766b8ad075
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - Copyright (C) 2000-2003 Internet Software Consortium.
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - Permission to use, copy, modify, and/or distribute this software for any
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - purpose with or without fee is hereby granted, provided that the above
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - copyright notice and this permission notice appear in all copies.
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder - PERFORMANCE OF THIS SOFTWARE.
23f8d286586ff38a9e73052b2c7c04c62c5c638fChristian Maeder<!-- $Id: Bv9ARM.ch07.html,v 1.226 2010/05/15 01:14:25 tbox Exp $ -->
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder<title>Chapter�7.�BIND 9 Security Considerations</title>
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
cf5149eb4d0faef6272231879c04aa740f5abc2bChristian Maeder<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
cf5149eb4d0faef6272231879c04aa740f5abc2bChristian Maeder<table width="100%" summary="Navigation header">
cf5149eb4d0faef6272231879c04aa740f5abc2bChristian Maeder<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<div class="titlepage"><div><div><h2 class="title">
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601190"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601271">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601331">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<div class="titlepage"><div><div><h2 class="title" style="clear: both">
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder Access Control Lists (ACLs) are address match lists that
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder Using ACLs allows you to have finer control over who can access
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder your name server, without cluttering up your config files with huge
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder lists of IP addresses.
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
bf8221af2a4e579e1a616e3d472e9e8533cd8f8cChristian Maeder control access to your server. Limiting access to your server by
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder outside parties can help prevent spoofing and denial of service (DoS) attacks against
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder Here is an example of how to properly apply ACLs:
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder// Set up an ACL named "bogusnets" that will block
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder// RFC1918 space and some reserved space, which is
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder// commonly used in spoofing attacks.
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maederacl bogusnets {
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder// Set up an ACL called our-nets. Replace this with the
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder// real IP numbers.
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder allow-query { our-nets; };
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder allow-recursion { our-nets; };
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder blackhole { bogusnets; };
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder allow-query { any; };
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder This allows recursive queries of the server from the outside
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder unless recursion has been previously disabled.
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder For more information on how to use ACLs to protect your server,
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder<div class="titlepage"><div><div><h2 class="title" style="clear: both">
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder<a name="id2601190"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder in a <span class="emphasis"><em>chrooted</em></span> environment (using
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder the <span><strong class="command">chroot()</strong></span> function) by specifying
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder This can help improve system security by placing
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder the damage done if a server is compromised.
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<div class="titlepage"><div><div><h3 class="title">
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder<a name="id2601271"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder In order for a <span><strong class="command">chroot</strong></span> environment
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder work properly in a particular directory
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder (for example, <code class="filename">/var/named</code>),
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder you will need to set up an environment that includes everything
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder <acronym class="acronym">BIND</acronym> needs to run.
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder the root of the filesystem. You will need to adjust the values of
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder Unlike with earlier versions of BIND, you typically will
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder statically nor install shared libraries under the new root.
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder However, depending on your operating system, you may need
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder to set up things like
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder <code class="filename">/dev/log</code>, and
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder <code class="filename">/etc/localtime</code>.
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<div class="titlepage"><div><div><h3 class="title">
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<a name="id2601331"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder Prior to running the <span><strong class="command">named</strong></span> daemon,
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder the <span><strong class="command">touch</strong></span> utility (to change file
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder modification times) or the <span><strong class="command">chown</strong></span>
3f63b98c111e5e2bb2cf13795cf6e084a78b0a8dChristian Maeder to which you want <acronym class="acronym">BIND</acronym>
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder Note that if the <span><strong class="command">named</strong></span> daemon is running as an
04dada28736b4a237745e92063d8bdd49a362debChristian Maeder unprivileged user, it will not be able to bind to new restricted
f626b1acbe874a48143a6f8d6246bf9d7a055ffbChristian Maeder ports if the server is reloaded.