<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.157 2008/02/18 12:53:14 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593709"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593854">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593914">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
 <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
 <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
 etc.
 </p>
<p>
 Using ACLs allows you to have finer control over who can access
 your name server, without cluttering up your config files with huge
 lists of IP addresses.
 </p>
<p>
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service (DoS) attacks against
 your server.
 </p>
<p>
 Here is an example of how to properly apply ACLs:
 </p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
    0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
    ...
    ...
    allow-query { our-nets; };
    allow-recursion { our-nets; };
    ...
    blackhole { bogusnets; };
    ...
};

zone "example.com" {
    type master;
    file "m/example.com";
    allow-query { any; };
};
</pre>
<p>
 This allows recursive queries of the server from the outside
 unless recursion has been previously disabled.
 </p>
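<p>
 The following Python model of how <span><strong class="command">named</strong></span> evaluates an address match list is an added example; it is not part of this manual or of the <acronym class="acronym">BIND</acronym> source. It encodes the <code class="literal">bogusnets</code>, <code class="literal">our-nets</code>, <code class="literal">blackhole</code>, <code class="literal">allow-query</code> and zone-level <code class="literal">allow-query</code> settings from the example above and applies the rule that the first matching element decides, with a <code class="literal">!</code> prefix negating an element and a nested ACL counting only when it matches positively. The <code class="literal">203.0.113.0/24</code> prefix standing in for <code class="literal">x.x.x.x</code>, the negated <code class="literal">!203.0.113.250</code> entry in <code class="literal">allow-recursion</code> (added to show that order matters) and the sample client addresses are all constructed for the example.
 </p>
```python
import ipaddress

# Named ACLs from the manual's example.  "our-nets" uses a constructed
# placeholder prefix (TEST-NET-3) in place of the x.x.x.x entries.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16"],
    "our-nets": ["203.0.113.0/24"],
}

# Global options from the example.  allow-recursion carries a constructed
# negated entry in front of our-nets: because the first match wins, that one
# host may query but is never given recursion.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["!203.0.113.250", "our-nets"],
    "blackhole": ["bogusnets"],
}

# The example zone: authoritative data that anyone may query.  A zone-level
# allow-query overrides the global one for names under that zone.
ZONES = {"example.com": {"allow-query": ["any"]}}


def match_list(addr, elements, acls=ACLS):
    """Evaluate a BIND-style address match list against one address.

    Elements are scanned in order and the first one that matches decides:
    a plain element yields True, a '!'-negated element yields False, and if
    nothing matches the result is None, which every allow-* option treats
    as "not allowed".  A nested ACL only counts as a match when it matches
    positively; a negative match inside it is treated as no match at the
    outer level.
    """
    for raw in elements:
        negated = raw.startswith("!")
        elem = raw.lstrip("!").strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in acls:
            hit = match_list(addr, acls[elem], acls) is True
        else:
            # A bare address becomes a /32 (or /128) network.
            hit = addr in ipaddress.ip_network(elem)
        if hit:
            return not negated
    return None


def evaluate_query(client_ip, qname):
    """Apply the example configuration to a query from client_ip for qname.

    The order mirrors named's handling: blackhole first (the packet is
    dropped without any reply), then the zone's own allow-query for names
    under an authoritative zone, then the global allow-query and, for
    clients that may query at all, allow-recursion.
    """
    addr = ipaddress.ip_address(client_ip)
    if match_list(addr, OPTIONS["blackhole"]) is True:
        return "dropped"
    for zone, zone_opts in ZONES.items():
        if qname == zone or qname.endswith("." + zone):
            if match_list(addr, zone_opts["allow-query"]) is True:
                return "authoritative"
            return "refused"
    if match_list(addr, OPTIONS["allow-query"]) is not True:
        return "refused"
    if match_list(addr, OPTIONS["allow-recursion"]) is True:
        return "recursive"
    return "non-recursive"


if __name__ == "__main__":
    # Constructed sample clients: an RFC 1918 source, an outside host
    # (TEST-NET-2) and two hosts inside our-nets.
    for ip, name in [("10.1.2.3", "www.example.com"),
                     ("198.51.100.9", "www.example.com"),
                     ("198.51.100.9", "www.example.org"),
                     ("203.0.113.7", "www.example.org"),
                     ("203.0.113.250", "www.example.org")]:
        print(f"{ip:>15} {name:<16} -> {evaluate_query(ip, name)}")
```
<p>
 Running the block shows the two effects the example is meant to have: a client in <code class="literal">bogusnets</code> gets no answer at all, while an outside client can still fetch <code class="literal">example.com</code> data but is refused any other name, and only clients inside <code class="literal">our-nets</code> receive recursive service.
 </p>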
<p>
 For more information on how to use ACLs to protect your server,
 see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 </p>
<p>
 <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2593709"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
 (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
 option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
 a "sandbox", which will limit the damage done if a server is
 compromised.
 </p>
<p>
 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
 </p>
<p>
 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
 </p>
<p>
 <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2593854"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
 In order for a <span><strong class="command">chroot</strong></span> environment
 to work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <acronym class="acronym">BIND</acronym> needs to run.
 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this.
 </p>
<p>
 Unlike with earlier versions of BIND, you typically will
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
 <code class="filename">/dev/zero</code>,
 <code class="filename">/dev/random</code>,
 <code class="filename">/dev/log</code>, and
 <code class="filename">/etc/localtime</code>.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2593914"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
 Prior to running the <span><strong class="command">named</strong></span> daemon,
 use the <span><strong class="command">touch</strong></span> utility (to change file
 access and modification times) or the <span><strong class="command">chown</strong></span>
 utility (to set the user id and/or group id) on files
 to which you want <acronym class="acronym">BIND</acronym>
 to write.
 </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports if the server is reloaded.
 </div>
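<p>
 The following Python checker is an added example covering both of the preceding subsections; it is not part of this manual or of <acronym class="acronym">BIND</acronym>. Before starting <span><strong class="command">named</strong></span> with <code class="option">-t</code> and <code class="option">-u</code>, it translates paths the way <span><strong class="command">chroot()</strong></span> will (so <code class="filename">pid-file</code> values can be checked against the host filesystem), confirms that the entries listed above exist under the new root, and confirms that every file <span><strong class="command">named</strong></span> must write is owned by the uid it will run as. The pid-file location <code class="filename">/var/run/named.pid</code> is an assumption, and the <code class="literal">build_placeholder_tree</code> helper creates ordinary files where a real sandbox needs device nodes, purely so the checks can be exercised without root.
 </p>
```python
import os
import tempfile

# Entries the manual says you may need under the new root, depending on the
# operating system (paths as named will see them after chroot).
REQUIRED_ENTRIES = ("dev/zero", "dev/random", "dev/log", "etc/localtime")


def host_path(root, inside_path):
    """Translate a path as named sees it after chroot(2) into the host path.

    With -t /var/named, a pid-file of /var/run/named.pid really lives at
    /var/named/var/run/named.pid; this is why directory and pid-file have to
    be written relative to the new root.
    """
    return os.path.join(root, inside_path.lstrip("/"))


def audit_chroot(root, named_uid, writable=("/var/run/named.pid",),
                 required=REQUIRED_ENTRIES):
    """Return a list of problems found in a prospective chroot tree.

    Checks that every required entry exists under root and that each file
    named must write (or, if it does not exist yet, its directory) is owned
    by the uid given to -u, so the unprivileged daemon can create or update
    it.  Only existence and ownership are checked: device nodes still have
    to be created with the right type and numbers (mknod needs root).
    """
    problems = []
    for entry in required:
        if not os.path.exists(host_path(root, entry)):
            problems.append(f"missing {entry} under {root}")
    for inside in writable:
        target = host_path(root, inside)
        if not os.path.exists(target):
            # File will be created at runtime: the directory must be writable.
            target = os.path.dirname(target)
            if not os.path.isdir(target):
                problems.append(f"no directory for {inside} under {root}")
                continue
        owner = os.stat(target).st_uid
        if owner != named_uid:
            problems.append(f"{target} is owned by uid {owner}, "
                            f"but named will run as uid {named_uid}")
    return problems


def build_placeholder_tree(root):
    """Constructed stand-in tree for exercising the checks without root:
    regular files where a real sandbox needs device nodes or a socket."""
    for entry in REQUIRED_ENTRIES + ("var/run/named.pid",):
        full = host_path(root, entry)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w"):
            pass


def demo():
    """Run the audit against a throwaway tree and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_placeholder_tree(root)
        me = os.getuid()
        complete = audit_chroot(root, me)          # everything in place
        wrong_owner = audit_chroot(root, me + 1)   # pid file owned by someone else
        os.remove(host_path(root, "etc/localtime"))
        missing = audit_chroot(root, me)           # one required entry gone
    return {"complete": complete, "wrong_owner": wrong_owner,
            "missing": missing}


if __name__ == "__main__":
    # Against a real sandbox, as in the manual's command line:
    #   audit_chroot("/var/named", 202)
    for case, found in demo().items():
        print(case, "->", found or "ok")
```
<p>
 An empty result from <code class="literal">audit_chroot("/var/named", 202)</code> means the tree has the listed entries and the pid file (or its directory) belongs to uid 202; anything reported is a file to fix with <span><strong class="command">chown</strong></span> or an entry still to be created before <span><strong class="command">named</strong></span> is started.
 </p>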
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
 Access to the dynamic update facility should be strictly limited.
 In earlier versions of <acronym class="acronym">BIND</acronym>, the only way to do this was
 based on the IP address of the host requesting the update, by listing
 an IP address or network prefix in the <span><strong class="command">allow-update</strong></span>
 zone option.
 This method is insecure since the source address of the update UDP
 packet is easily forged. Also note that if the IP addresses allowed by the
 <span><strong class="command">allow-update</strong></span> option include the
 address of a slave server which performs forwarding of dynamic updates,
 the master can be trivially attacked by sending the update to the slave,
 which will forward it to the master with its own source IP address,
 causing the master to approve it without question.
 </p>
<p>
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
 option should list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
 option can be used.
 </p>
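<p>
 The following Python block is an added example, not part of this manual or of <acronym class="acronym">BIND</acronym>. It contrasts the two authorization methods described above on constructed data: an address-based check that trusts whatever source address a packet carries, and a simplified model of a transaction signature in which a keyed HMAC covers the update message together with the key name, signing time and fudge window. It is a model of the mechanism, not the RFC 2845 wire encoding; the key name, shared secret, update text, timestamps and addresses are all constructed, and a real deployment would generate the secret with the <acronym class="acronym">BIND</acronym> key tools and reference its name from <span><strong class="command">allow-update</strong></span>.
 </p>
```python
import hashlib
import hmac

# Seconds either side of the signing time that a verifier accepts (TSIG's
# default fudge); it bounds how long a captured signature stays replayable.
FUDGE = 300

# Constructed key ring: key name -> shared secret.  Key names are domain
# names, so they are compared case-insensitively.
KEYRING = {
    "update-key.example.com.": b"constructed-shared-secret-do-not-reuse",
}


def _digest_input(message, key_name, time_signed, fudge):
    """Bytes covered by the MAC: the update plus the key name, signing time
    and fudge, so none of them can be altered without invalidating it."""
    return (message
            + key_name.lower().encode("ascii")
            + time_signed.to_bytes(6, "big")
            + fudge.to_bytes(2, "big"))


def sign_update(message, key_name, secret, now):
    """Client side: produce the signature that accompanies an update."""
    time_signed = int(now)
    mac = hmac.new(secret, _digest_input(message, key_name, time_signed, FUDGE),
                   hashlib.sha256).digest()
    return {"key_name": key_name, "time_signed": time_signed,
            "fudge": FUDGE, "mac": mac}


def verify_update(message, sig, keyring, now):
    """Server side: accept only if the key is known, the MAC is valid for
    this exact message and signature fields, and the signing time lies
    within the fudge window.  The source address plays no part."""
    secret = keyring.get(sig["key_name"].lower())
    if secret is None:
        return "refused: unknown key"
    expected = hmac.new(
        secret,
        _digest_input(message, sig["key_name"], sig["time_signed"], sig["fudge"]),
        hashlib.sha256).digest()
    if not hmac.compare_digest(sig["mac"], expected):
        return "refused: bad signature"
    if abs(int(now) - sig["time_signed"]) > sig["fudge"]:
        return "refused: time outside fudge window"
    return "accepted"


def ip_authorizer(src_ip, allow_update):
    """The address-based check the manual warns about: it believes the
    source address in the packet, which the sender chooses."""
    return "accepted" if src_ip in allow_update else "refused"


def demo():
    """Walk through the cases described in the text with constructed data."""
    update = b"UPDATE example.com. ADD host.example.com. 300 IN A 198.51.100.5"
    now = 1_200_000_000
    key = "update-key.example.com."
    results = {}
    # Address-based: a packet claiming an allowed source address is accepted,
    # whoever actually sent it.
    results["ip_forged"] = ip_authorizer("203.0.113.10", {"203.0.113.10"})
    # Signed by the holder of the shared secret: accepted.
    sig = sign_update(update, key, KEYRING[key], now)
    results["signed"] = verify_update(update, sig, KEYRING, now)
    # The same signature attached to a modified update: refused.
    altered = update.replace(b"198.51.100.5", b"198.51.100.6")
    results["tampered"] = verify_update(altered, sig, KEYRING, now)
    # Signed under the right key name but a secret the server does not hold.
    bogus = sign_update(update, key, b"guessed-secret", now)
    results["wrong_secret"] = verify_update(update, bogus, KEYRING, now)
    # A genuine signature replayed two hours later: outside the window.
    results["replayed"] = verify_update(update, sig, KEYRING, now + 7200)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:<13} {outcome}")
```
<p>
 The point of the comparison is the last four cases: with the shared secret in play, neither the source address nor a forwarding slave decides anything, and a modified, unsigned or stale update is refused regardless of where it arrived from.
 </p>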
<p>
 Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP
 addresses of public web and mail servers need not allow dynamic update at
 all.
 </p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
</tr>
</table>
</div>
</body>
</html>