Bv9ARM.ch07.html revision 2cbb4ab75757fbb656997a82c14ca07db37d481a
cbf0854acc9f5d11142dba30b1ab23e0532baaf2Automatic Updater - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - Copyright (C) 2000-2003 Internet Software Consortium.
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - Permission to use, copy, modify, and distribute this software for any
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - purpose with or without fee is hereby granted, provided that the above
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - copyright notice and this permission notice appear in all copies.
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 - PERFORMANCE OF THIS SOFTWARE.
cbf0854acc9f5d11142dba30b1ab23e0532baaf2Automatic Updater<!-- $Id: Bv9ARM.ch07.html,v 1.200 2009/07/04 01:13:18 tbox Exp $ -->
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<title>Chapter�7.�BIND 9 Security Considerations</title>
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
a84724de8db9e52857fb11bbcdb195658f9a05b2Michael Graff<table width="100%" summary="Navigation header">
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<div class="titlepage"><div><div><h2 class="title">
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599921"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2600070">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2600130">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉 Access Control Lists (ACLs) are address match lists that
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉 you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
1c3ed2a83d176d9023b51b60dfc96c133f678362Tatuya JINMEI 神明達哉 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 Using ACLs allows you to have finer control over who can access
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 your name server, without cluttering up your config files with huge
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 lists of IP addresses.
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
cbf0854acc9f5d11142dba30b1ab23e0532baaf2Automatic Updater control access to your server. Limiting access to your server by
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 outside parties can help prevent spoofing and denial of service (DoS) attacks against
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 Here is an example of how to properly apply ACLs:
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉// Set up an ACL named "bogusnets" that will block
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉// RFC1918 space and some reserved space, which is
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉// commonly used in spoofing attacks.
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉acl bogusnets {
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉// Set up an ACL called our-nets. Replace this with the
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉// real IP numbers.
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 allow-query { our-nets; };
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 allow-recursion { our-nets; };
5597be9bb88de138dfec9fa9176708443813925eTatuya JINMEI 神明達哉 blackhole { bogusnets; };
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 allow-query { any; };
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 This allows recursive queries of the server from the outside
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 unless recursion has been previously disabled.
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 For more information on how to use ACLs to protect your server,
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉<div class="titlepage"><div><div><h2 class="title" style="clear: both">
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉<a name="id2599921"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 in a <span class="emphasis"><em>chrooted</em></span> environment (using
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 the <span><strong class="command">chroot()</strong></span> function) by specifying
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 This can help improve system security by placing
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 the damage done if a server is compromised.
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉<div class="titlepage"><div><div><h3 class="title">
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉<a name="id2600070"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 In order for a <span><strong class="command">chroot</strong></span> environment
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 work properly in a particular directory
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 (for example, <code class="filename">/var/named</code>),
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 you will need to set up an environment that includes everything
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <acronym class="acronym">BIND</acronym> needs to run.
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 the root of the filesystem. You will need to adjust the values of
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 Unlike with earlier versions of BIND, you typically will
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 statically nor install shared libraries under the new root.
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 However, depending on your operating system, you may need
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 to set up things like
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <code class="filename">/dev/random</code>,
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <code class="filename">/dev/log</code>, and
c528bd698637d84a0081d26a58813607c7f52bb7Tatuya JINMEI 神明達哉 <code class="filename">/etc/localtime</code>.
<a name="id2600130"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>