Bv9ARM.ch07.html revision 18914183d997fe982136cdb8c45b41e857d96551
BIND 9 Administrator Reference Manual

Chapter 7. BIND 9 Security Considerations
Table of Contents

7.1. Access Control Lists
7.2. chroot and setuid (for UNIX servers)
7.3. Dynamic Update Security
7.1. Access Control Lists
Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, allow-recursion, blackhole, allow-transfer, etc.

Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses.

It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server, and keeps it from being used as a reflector against others. Bear in mind that an ACL matches only on the source address of the packet, which for UDP is unauthenticated: an ACL is a filter, not an authentication mechanism.

Here is an example of how to properly apply ACLs:
    // Set up an ACL named "bogusnets" for source addresses that should never
    // reach this server: RFC 1918 private space, the documentation prefix
    // 192.0.2.0/24, multicast and reserved space (224.0.0.0/3), and ranges
    // that were unallocated when this was written. Such addresses are
    // commonly used in spoofing attacks.
    acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    // Set up an ACL called our-nets. Replace this with the real IP numbers.
    acl our-nets { x.x.x.x/24; x.x.x.x/21; };
    options {
      ...
      allow-query { our-nets; };
      allow-recursion { our-nets; };
      ...
      blackhole { bogusnets; };
      ...
    };

    zone "example.com" {
      type master;
      ...
      allow-query { any; };
    };
This allows authoritative queries for "example.com" from any address, but recursive queries only from the networks listed in "our-nets": an allow-query inside a zone statement overrides the one in options for that zone only, while allow-recursion is not affected by it. Packets whose source address matches "bogusnets" are dropped without any response before either list is consulted. One caveat when copying this list: 1.0.0.0/8 and 2.0.0.0/8 were unallocated when it was written but have since been assigned to regional registries, so a verbatim copy today blackholes legitimate clients. Check the current IANA address-space registry before blackholing whole /8s.
For more information on how to use ACLs to protect your server, see the AUSCERT advisory at ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos
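To make the evaluation rules concrete, here is an added example that is not code from the ARM or from BIND itself. It models how named walks an address match list (elements are tested in order, the first match decides, a leading "!" negates, a bare word refers to another acl) and replays the configuration above against sample clients. The our-nets prefixes are assumed placeholders taken from the RFC 5737 documentation ranges, the zone file and client addresses are constructed, and the query-processing model is reduced to the three lists the configuration uses (localhost, localnets and TSIG key elements are not modelled).

```python
import ipaddress

# Constructed model of BIND's address-match-list semantics; not BIND code.
# Elements are tested in order and the first match decides ("!" negates).
# "any"/"none" are built-ins; any other bare word names another acl.
# localhost/localnets and TSIG key names are deliberately not modelled.

ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16"],
    # Assumed placeholders for the site's real prefixes (RFC 5737 ranges).
    "our-nets": ["203.0.113.0/24", "198.51.100.0/24"],
}

# The options-level lists and the zone-level override from the example.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}
ZONES = {"example.com": {"allow-query": ["any"]}}


def _element_matches(name, ip, acls):
    """Does one (un-negated) element match ip?"""
    if name == "any":
        return True
    if name == "none":
        return False
    if name in acls:
        # A nested acl counts as matching only when it yields a positive match.
        return _first_match(acls[name], ip, acls) is True
    net = ipaddress.ip_network(name, strict=False)
    return ip.version == net.version and ip in net


def _first_match(acl_list, ip, acls):
    """True for a positive first match, False for a negated one,
    None when nothing in the list matched."""
    for element in acl_list:
        negated = element.startswith("!")
        if _element_matches(element.lstrip("!").strip(), ip, acls):
            return not negated
    return None


def allowed(acl_list, addr, acls=ACLS):
    """named denies when no element matches, so None counts as a deny."""
    return _first_match(acl_list, ipaddress.ip_address(addr), acls) is True


def decide(client, qname, options=OPTIONS, zones=ZONES, acls=ACLS):
    """Simplified model of what named does with a query from `client` for
    `qname`: a blackholed source gets no reply at all; then the zone's own
    allow-query (when the name is in a configured zone) or the global one
    applies; names outside our zones additionally need allow-recursion."""
    if allowed(options["blackhole"], client, acls):
        return "dropped"
    zone = next((z for z in zones if qname == z or qname.endswith("." + z)), None)
    if zone is not None:
        allow_query = zones[zone].get("allow-query", options["allow-query"])
    else:
        allow_query = options["allow-query"]
    if not allowed(allow_query, client, acls):
        return "refused"
    if zone is None and not allowed(options["allow-recursion"], client, acls):
        return "refused"
    return "answered"


if __name__ == "__main__":
    samples = [("203.0.113.9", "www.isc.org"),      # inside our-nets: recursion ok
               ("8.8.8.8", "www.isc.org"),          # outside: no recursion
               ("8.8.8.8", "www.example.com"),      # outside: authoritative ok
               ("10.1.2.3", "www.example.com"),     # RFC 1918 source: dropped
               ("1.2.3.4", "www.example.com")]      # 1.0.0.0/8 is allocated today
    for client, qname in samples:
        print(f"{client:>14} {qname:<18} -> {decide(client, qname)}")
```

The last sample shows the caveat in prose form: a client in 1.0.0.0/8 is silently dropped by the unchanged bogusnets list. The first-match rule also means that `{ !203.0.113.9; our-nets; }` excludes that one host while `{ our-nets; !203.0.113.9; }` does not, because the broader prefix is reached first.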
7.2. chroot and setuid (for UNIX servers)
On UNIX servers, it is possible to run BIND in a chrooted environment (chroot()) by specifying the "-t" option. This can help improve system security by placing BIND in a "sandbox", which will limit the damage done if a server is compromised.

Another useful feature in the UNIX version of BIND is the ability to run the daemon as a nonprivileged user (-u user). We suggest running as a nonprivileged user when using the chroot feature: a chroot on its own does not contain a process that keeps root privileges, since root can generally break out of a chroot() jail, so the two options should be used together.
Here is an example command line to load BIND in a chroot() sandbox, /var/named, and to run named setuid to user 202:

    /usr/local/bin/named -u 202 -t /var/named
7.2.1. The chroot Environment
In order for a chroot() environment to work properly in a particular directory (for example, /var/named), you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, /var/named is the root of the filesystem. You will need to adjust the values of options like directory and pid-file to account for this: they are interpreted after the chroot has taken place, so a zone directory that lives at /var/named/etc/namedb on the host is written as "/etc/namedb" in named.conf.

Unlike with earlier versions of BIND, you will typically not need to compile named statically nor install shared libraries under the new root. However, depending on your operating system, you may need to set up things like /dev/zero, /dev/random, /dev/log, and/or /etc/localtime inside the new root.
7.2.2. Using the setuid Function
Prior to running the named daemon, use the touch utility (to create the files, and thereby set their access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want BIND to write, such as the PID file and any dynamic-update journal files, and on the directories that must hold them: named drops its privileges after start-up and cannot afterwards create files in directories owned by root. Note that if the named daemon is running as a nonprivileged user, it will not be able to bind to new restricted ports (below 1024) if the server is reloaded with changed listening addresses or ports, because the privilege needed to do so was given up at start-up; such a change needs a full restart. (BIND built with Linux capability support retains the ability to bind low ports after dropping root, but do not count on that on other systems.)
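The steps in 7.2 through 7.2.2 fit together as one procedure: build the jail, write a named.conf whose paths are correct from inside it, hand the writable parts to the unprivileged user, then start named with -t and -u. The following added example (not code from the ARM or from BIND) does exactly that for a throwaway directory. The jail location, the "named" user, the directory layout and the zone-file path are assumptions; device nodes need mknod as root and are only listed.

```python
import os
import pwd
import tempfile

# Added example, not from the ARM or from BIND: lay out a chroot jail for
# named and write a named.conf whose paths are correct from INSIDE the jail,
# where the jail directory is "/". The layout and user name are assumptions.
# Device nodes (/dev/null, /dev/random, /dev/log) need mknod as root, so they
# are only listed here, not created.

NEEDED_DIRS = ["etc", "etc/namedb", "var/run/named", "dev"]
NEEDED_DEVICES = ["dev/null", "dev/random"]          # plus dev/log for syslog
WRITABLE_BY_NAMED = ["etc/namedb", "var/run/named"]  # journals, pid file


def is_inside_jail(chroot, host_path):
    """True when host_path lies under the jail directory."""
    chroot = os.path.normpath(chroot)
    host_path = os.path.normpath(host_path)
    return host_path.startswith(chroot + os.sep)


def jail_path(chroot, host_path):
    """Translate a host path under the jail into the path named will see."""
    if not is_inside_jail(chroot, host_path):
        raise ValueError(f"{host_path} is outside the jail {chroot}")
    return os.path.normpath(host_path)[len(os.path.normpath(chroot)):]


def render_named_conf(chroot, host_zonedir, host_pidfile):
    """options {} with directory and pid-file expressed in jail terms."""
    return (
        "options {\n"
        f'    directory "{jail_path(chroot, host_zonedir)}";\n'
        f'    pid-file "{jail_path(chroot, host_pidfile)}";\n'
        "};\n"
    )


def build_jail(chroot, user="named"):
    """Create the tree and named.conf; when running as root, chown the parts
    named must write to (the touch/chown step of 7.2.2). Returns the command
    line that starts named inside the jail as the unprivileged user."""
    for d in NEEDED_DIRS:
        os.makedirs(os.path.join(chroot, d), exist_ok=True)
    conf = render_named_conf(chroot,
                             os.path.join(chroot, "etc/namedb"),
                             os.path.join(chroot, "var/run/named/named.pid"))
    with open(os.path.join(chroot, "etc/named.conf"), "w") as f:
        f.write(conf)
    if os.geteuid() == 0:
        try:
            pw = pwd.getpwnam(user)
        except KeyError:
            pw = None                   # account not created yet on this host
        if pw is not None:
            for d in WRITABLE_BY_NAMED:
                os.chown(os.path.join(chroot, d), pw.pw_uid, pw.pw_gid)
    # -t chroots before the configuration is read, so -c is jail-relative.
    return f"named -u {user} -t {chroot} -c /etc/named.conf"


def demo():
    """Build a throwaway jail under a temp dir; returns (root, command, conf)."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    cmd = build_jail(root)
    with open(os.path.join(root, "etc/named.conf")) as f:
        conf = f.read()
    return root, cmd, conf


if __name__ == "__main__":
    root, cmd, conf = demo()
    print(conf)
    print("start with:", cmd)
    print("still needed (mknod as root):",
          ", ".join(os.path.join(root, d) for d in NEEDED_DEVICES))
```

Before starting the daemon, `named-checkconf -t <jail> /etc/named.conf` validates the file the way a chrooted named will read it, including any include directives, which catches host-relative paths left in by mistake.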
7.3. Dynamic Update Security
Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or network prefix in the allow-update zone option. An update request is a single UDP packet whose source address is easily forged, so an address-based allow-update decides who may rewrite the zone on the strength of a field the sender controls.
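BIND 9, unlike the earlier versions referred to above, also accepts TSIG key names in allow-update ("key <name>"), which an update can satisfy only by carrying a valid signature. The added example below (not code from the ARM or from BIND) generates a key stanza of the kind tsig-keygen produces, renders a zone stanza, and lints an allow-update list for elements that grant access purely by source address. The key name, zone name and zone file path are assumptions.

```python
import base64
import re
import secrets

# Added example, not from the ARM or from BIND. A "key <name>" element in
# allow-update is satisfied only by a correctly signed request; an address
# element is satisfied by whatever source address the UDP packet claims.
# Key and zone names are assumptions.

_ELEMENT = re.compile(r"\s*(!?)\s*(key\s+\S+|[^;]+?)\s*;")


def parse_match_list(text):
    """Split '{ a; !b; key k; }' into its elements, keeping any leading '!'."""
    body = text.strip()
    if not (body.startswith("{") and body.endswith("}")):
        raise ValueError("expected a braced address match list")
    return [neg + el for neg, el in _ELEMENT.findall(body[1:-1])]


def address_based(elements):
    """Elements that grant (or deny) purely on source address."""
    return [e for e in elements
            if not re.match(r"!?\s*key\s", e) and e.lstrip("! ") != "none"]


def tsig_key_stanza(name, algorithm="hmac-sha256", nbytes=32):
    """A key {} stanza like tsig-keygen writes; the same text goes into
    named.conf and into the file handed to nsupdate -k."""
    secret = base64.b64encode(secrets.token_bytes(nbytes)).decode()
    return (f'key "{name}" {{\n    algorithm {algorithm};\n'
            f'    secret "{secret}";\n}};\n')


def zone_stanza(zone, allow_update):
    """Zone stanza whose allow-update is the given element list."""
    acl = " ".join(f"{e};" for e in allow_update)
    return (f'zone "{zone}" {{\n    type master;\n    file "{zone}.db";\n'
            f"    allow-update {{ {acl} }};\n}};\n")


# Before: anyone able to forge a packet from 10.0.0.0/8 can rewrite the zone.
WEAK = "{ 10.0.0.0/8; 203.0.113.5; }"
# After: only a holder of the key secret can; the source address is irrelevant.
STRONG = "{ key dhcp-update; }"

if __name__ == "__main__":
    print("address-based elements in WEAK  :", address_based(parse_match_list(WEAK)))
    print("address-based elements in STRONG:", address_based(parse_match_list(STRONG)))
    print(tsig_key_stanza("dhcp-update"))
    print(zone_stanza("dyn.example.com", parse_match_list(STRONG)))
```

The key stanza must be present in named.conf before the zone stanza that references it, and the secret should reach the update client over a channel other than DNS; a client then sends signed updates with `nsupdate -k <keyfile>`.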