Bv9ARM.ch07.html revision 3d9b2687475344a87c377a5158c41b43a03fc443
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<HTML
11e9368a226272085c337e9e74b79808c16fbdbaTinderbox User><HEAD
75c0816e8295e180f4bc7f10db3d0d880383bc1cMark Andrews><TITLE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND 9 Security Considerations</TITLE
4a14ce5ba00ab7bc55c99ffdcf59c7a4ab902721Automatic Updater><META
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="GENERATOR"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCONTENT="Modular DocBook HTML Stylesheet Version 1.41"><LINK
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinREL="HOME"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.html"><LINK
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinREL="PREVIOUS"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinTITLE="BIND 9 Configuration Reference"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch06.html"><LINK
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinREL="NEXT"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinTITLE="Troubleshooting"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch08.html"></HEAD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><BODY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinBGCOLOR="#FFFFFF"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinTEXT="#000000"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinLINK="#0000FF"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinVLINK="#840084"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserALINK="#0000FF"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="NAVHEADER"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TABLE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinWIDTH="100%"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinBORDER="0"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCELLPADDING="0"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCELLSPACING="0"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCOLSPAN="3"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinALIGN="center"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinWIDTH="10%"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinALIGN="left"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinVALIGN="bottom"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserHREF="Bv9ARM.ch06.html"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Prev</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinWIDTH="80%"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserALIGN="center"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntVALIGN="bottom"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></TD
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><TD
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntWIDTH="10%"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserALIGN="right"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserVALIGN="bottom"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch08.html"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Next</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TD
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TR
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></TABLE
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><HR
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserALIGN="LEFT"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinWIDTH="100%"></DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="chapter"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><H1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserNAME="ch07"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Chapter 7. <SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="acronym"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater>BIND</SPAN
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> 9 Security Considerations</A
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater></H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="TOC"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DL
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Table of Contents</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>7.1. <A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserHREF="Bv9ARM.ch07.html#Access_Control_Lists"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Access Control Lists</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater>7.2. <A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntHREF="Bv9ARM.ch07.html#AEN4021"
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater><B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>chroot</B
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User> and <B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="command"
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User>setuid</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> (for
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserUNIX servers)</A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>7.3. <A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserHREF="Bv9ARM.ch07.html#dynamic_update_security"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Dynamic Update Security</A
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater></DT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></DL
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect1"
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User><H1
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="sect1"
bcf15a19ae0efa72a22cdfb50666a3c6ce39eb9fTinderbox User><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserNAME="Access_Control_Lists"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>7.1. Access Control Lists</A
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User></H1
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User>Access Control Lists (ACLs) are address match lists that
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useryou can set up and nickname for future use in <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>allow-notify</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>allow-query</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>, <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews>allow-recursion</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>blackhole</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>, <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews>allow-transfer</B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntetc.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>Using ACLs allows you to have finer control over who can access
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinyour nameserver, without cluttering up your config files with huge
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinlists of IP addresses.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>It is a <I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="emphasis"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>good idea</I
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> to use ACLs, and to
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntcontrol access to your server. Limiting access to your server by
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrewsoutside parties can help prevent spoofing and DoS attacks against
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrewsyour server.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Here is an example of how to properly apply ACLs:</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><PRE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="programlisting"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space and other ranges that should never appear as query sources,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// which are commonly used in spoofing attacks. Check this list against current address allocations before using it; prefixes that were once unassigned may now carry legitimate traffic.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Set up an ACL called our-nets. Replace this with the real IP numbers.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinacl our-nets { x.x.x.x/24; x.x.x.x/21; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoptions {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User ...
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews ...
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt allow-query { our-nets; };
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt allow-recursion { our-nets; };
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater ...
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User blackhole { bogusnets; };
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ...
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater};
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updaterzone "example.com" {
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt type master;
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt file "m/example.com";
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater allow-query { any; };
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User};
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater</PRE
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater><P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>With this configuration, queries for the "example.com" zone are accepted from any address, but recursive
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntqueries are accepted only from "our-nets" (and only if recursion has not been previously disabled).</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater>For more information on how to use ACLs to protect your server,
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updatersee the <I
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic UpdaterCLASS="emphasis"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>AUSCERT</I
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> advisory at
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater<A
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic UpdaterHREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos"
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic UpdaterTARGET="_top"
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater></P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect1"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H1
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="sect1"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="AEN4021"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>7.2. <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>chroot</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> and <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>setuid</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> (for
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserUNIX servers)</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H1
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>On UNIX servers, it is possible to run <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="acronym"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND</SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> in a <I
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic UpdaterCLASS="emphasis"
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater>chrooted</I
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater> environment
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater(<B
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic UpdaterCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>chroot()</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>) by specifying the "<TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="option"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>-t</TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinoption. This can help improve system security by placing <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> in
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeina "sandbox," which will limit the damage done if a server is compromised.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Another useful feature in the UNIX version of <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="acronym"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND</SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> is the
b05bdb520d83f7ecaad708fe305268c3420be01dMark Andrewsability to run the daemon as a nonprivileged user (<TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="option"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>-u</TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="replaceable"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><I
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User>user</I
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User></TT
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>).
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox UserWe suggest running as a nonprivileged user when using the <B
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox UserCLASS="command"
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User>chroot</B
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt> feature, since a chroot() sandbox on its own does little to confine a process that is still running as root.</P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Here is an example command line to load <SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="acronym"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt>BIND</SPAN
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User> in a <B
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox UserCLASS="command"
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User>chroot()</B
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User> sandbox,
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<B
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox UserCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>/var/named</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>, and to run <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>named</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>setuid</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinuser 202:</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="userinput"
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews><B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>/usr/local/bin/named -u 202 -t /var/named</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H2
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCLASS="sect2"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinNAME="AEN4044"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>7.2.1. The <B
71c66a876ecca77923638d3f94cc0783152b2f03Mark AndrewsCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>chroot</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> Environment</A
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt></H2
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>In order for a <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>chroot()</B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> environment to
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userwork properly in a particular directory (for example, <TT
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="filename"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>/var/named</TT
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>),
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrewsyou will need to set up an environment that includes everything
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews<SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> needs to run. From <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="acronym"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND</SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>'s point of view, <TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="filename"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>/var/named</TT
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> is
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrewsthe root of the filesystem. You will need <TT
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsCLASS="filename"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews>/dev/null</TT
a1b05dea35aa30b152a47115e18bbe679d3fcf19Mark Andrews>,
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrewsand any library directories and files that <SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="acronym"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>BIND</SPAN
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> needs to run on
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinyour system. Please consult your operating system's instructions
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinif you need help figuring out which library files you need to copy
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinover to the <B
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinCLASS="command"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>chroot()</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> sandbox.</P
bea931e17b7567f09107f93ab7e25c7f00abeb9cMark Andrews><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>If you are running an operating system that supports static
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userbinaries, you can also compile <SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="acronym"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>BIND</SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> statically and avoid the need
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userto copy system libraries over to your <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>chroot()</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> sandbox.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="sect2"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><H2
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="sect2"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserNAME="AEN4059"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>7.2.2. Using the <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>setuid</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> Function</A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></H2
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Prior to running the <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>named</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> daemon, use
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userthe <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>touch</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> utility (to change file access and
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usermodification times) or the <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>chown</B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> utility (to
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userset the user id and/or group id) on files to which you want <SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="acronym"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>BIND</SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userto write.</P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User></DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="sect1"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><H1
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="sect1"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserNAME="dynamic_update_security"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>7.3. Dynamic Update Security</A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></H1
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Access to the dynamic
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userupdate facility should be strictly limited. In earlier versions of
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<SPAN
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="acronym"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>BIND</SPAN
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User> the only way to do this was based on the IP
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Useraddress of the host requesting the update, by listing an IP address or
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usernetwork prefix in the <B
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="command"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>allow-update</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> zone option.
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserThis method is insecure since the source address of the update UDP packet
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Useris easily forged. Also note that if the IP addresses allowed by the
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>allow-update</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> option include the address of a slave
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userserver which performs forwarding of dynamic updates, the master can be
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usertrivially attacked by sending the update to the slave, which will
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userforward it to the master with its own source IP address causing the
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usermaster to approve it without question.</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><P
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>For these reasons, we strongly recommend that updates be
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Usercryptographically authenticated by means of transaction signatures
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User(TSIG). That is, the <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>allow-update</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User> option should
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userlist only TSIG key names, not IP addresses or network
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Userprefixes. Alternatively, the new <B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserCLASS="command"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>update-policy</B
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useroption can be used.</P
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt><P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Some sites choose to keep all dynamically updated DNS data
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userin a subdomain and delegate that subdomain to a separate zone. This
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userway, the top-level zone containing critical data such as the IP addresses
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox Userof public web and mail servers need not allow dynamic update at
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Huntall.</P
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></DIV
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><DIV
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCLASS="NAVFOOTER"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><HR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinALIGN="LEFT"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserWIDTH="100%"><TABLE
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserWIDTH="100%"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserBORDER="0"
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserCELLPADDING="0"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntCELLSPACING="0"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><TR
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><TD
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserWIDTH="33%"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserALIGN="left"
14a656f94b1fd0ababd84a772228dfa52276ba15Evan HuntVALIGN="top"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserHREF="Bv9ARM.ch06.html"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Prev</A
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TD
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><TD
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserWIDTH="34%"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserALIGN="center"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox UserVALIGN="top"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User><A
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserHREF="Bv9ARM.html"
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User>Home</A
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User></TD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TD
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinWIDTH="33%"
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric LuceALIGN="right"
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric LuceVALIGN="top"
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric LuceHREF="Bv9ARM.ch08.html"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Next</A
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TD
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></TR
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce><TR
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater><TD
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterWIDTH="33%"
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark AndrewsALIGN="left"
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric LuceVALIGN="top"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater><SPAN
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterCLASS="acronym"
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater>BIND</SPAN
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater> 9 Configuration Reference</TD
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater><TD
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterWIDTH="34%"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceALIGN="center"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceVALIGN="top"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>&nbsp;</TD
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce><TD
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterWIDTH="33%"
ac93437301f55ed69bf85883a497a75598c628f9Automatic UpdaterALIGN="right"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric LuceVALIGN="top"
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce>Troubleshooting</TD
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater></TR
ac93437301f55ed69bf85883a497a75598c628f9Automatic Updater></TABLE
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></DIV
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></BODY
f293a69bcd1c1dd7bdac8f4102fc2398b9e475c8Eric Luce></HTML
c71787bd6356c92e9c7d0a174cd63ab17fcf34c6Eric Luce>