<!-- Bv9ARM.ch07.html revision 52ece689e0265f9a3e518de5b2539e749f6d35ac -->
<!--
 - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.121 2006/04/23 10:14:12 marka Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<span class="acronym">BIND</span> 9 Security Considerations</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2573242"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2573386">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2573446">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
 <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
 etc.
 </p>
<p>
 Using ACLs allows you to have finer control over who can access
 your name server, without cluttering up your config files with huge
 lists of IP addresses.
 </p>
<p>
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and DoS attacks against
 your server.
 </p>
<p>
 Here is an example of how to properly apply ACLs:
 </p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
 ...
 ...
 allow-query { our-nets; };
 allow-recursion { our-nets; };
 ...
 blackhole { bogusnets; };
 ...
};
zone "example.com" {
 type master;
 file "m/example.com";
 allow-query { any; };
};
</pre>
<p>
 This allows recursive queries of the server from the outside
 unless recursion has been previously disabled.
 </p>
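<p>
 The following Python evaluator is added here as an illustration; it is not part of the ARM and not BIND's own code.
 It applies the rules an address match list follows in BIND (elements are tried in order, the first match decides,
 a leading "!" negates, a nested ACL is referenced by name, and only a positive match grants access) to the
 configuration above, and shows how the blackhole, allow-query and allow-recursion lists combine for a query.
 The x.x.x.x placeholders in our-nets are replaced by RFC 5737 documentation prefixes, and the function names
 and sample source addresses are assumptions of this example.
 </p>

```python
import ipaddress

# Constructed ACL table mirroring the named.conf example above.  The
# "x.x.x.x" placeholders in our-nets are replaced by RFC 5737 documentation
# prefixes (an assumption of this example) so the evaluator runs offline.
ACLS = {
    "bogusnets": [
        "0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
        "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    ],
    "our-nets": ["198.51.100.0/24", "203.0.113.0/24"],
}

# The options and zone statements from the example, reduced to their ACLs.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}
ZONES = {"example.com": {"allow-query": ["any"]}}


def _element_matches(addr, element, acls):
    """True if one non-negated element (any, none, an address, a prefix, or
    the name of another ACL) matches addr.  A nested ACL counts as a match
    only when it matches positively: a negated match inside it is treated as
    "no match" and the outer list keeps going, which is how BIND evaluates
    nested lists."""
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:
        return match_list(addr, acls[element], acls) is True
    return addr in ipaddress.ip_network(element, strict=False)


def match_list(addr, elements, acls=ACLS):
    """Evaluate an address match list: the first element that matches decides.
    Returns True for a positive match, False for a match on a "!" element,
    and None when no element matched."""
    addr = ipaddress.ip_address(addr)
    for element in elements:
        negated = element.startswith("!")
        if _element_matches(addr, element.lstrip("! "), acls):
            return not negated
    return None


def permitted(addr, elements, acls=ACLS):
    """allow-* and blackhole semantics: only a positive match counts; a
    negated match or no match at all means the list does not permit addr."""
    return match_list(addr, elements, acls) is True


def evaluate_query(src, zone=None):
    """Apply the example configuration to a query from src.  blackhole is
    consulted first and a match drops the packet outright; a zone-level
    allow-query replaces the options-level one for that zone."""
    if permitted(src, OPTIONS["blackhole"]):
        return {"blackholed": True, "query": False, "recursion": False}
    zone_acl = ZONES.get(zone, {}).get("allow-query", OPTIONS["allow-query"])
    return {
        "blackholed": False,
        "query": permitted(src, zone_acl),
        "recursion": permitted(src, OPTIONS["allow-recursion"]),
    }


if __name__ == "__main__":
    # Constructed sample sources: a spoofed RFC 1918 address, an address in
    # our-nets, and one address on each side of the 172.16.0.0/12 boundary.
    for src in ("192.168.1.5", "198.51.100.7", "172.31.255.254", "172.32.0.1"):
        print(src, evaluate_query(src, "example.com"))
```

<p>
 Running it prints the decision for each constructed source. The two addresses either side of
 172.16.0.0/12 are the kind of boundary case worth checking before an ACL goes into production,
 and the nested-ACL rule matters when a list such as our-nets is reused inside another list.
 </p>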
<p>
 For more information on how to use ACLs to protect your server,
 see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 </p>
<p>
 <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2573242"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></h2></div></div></div>
<p>
 On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment
 (<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>"
 option. This can help improve system security by placing <span class="acronym">BIND</span> in
 a "sandbox", which will limit the damage done if a server is
 compromised.
 </p>
<p>
 Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the
 ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
 </p>
<p>
 Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
 </p>
<p>
 <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573386"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
 In order for a <span><strong class="command">chroot()</strong></span> environment to
 work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <span class="acronym">BIND</span> needs to run.
 From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 for this.
 </p>
<p>
 Unlike with earlier versions of BIND, you will typically
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
 <code class="filename">/dev/zero</code>,
 <code class="filename">/dev/random</code>,
 <code class="filename">/dev/log</code>, and/or
 <code class="filename">/etc/localtime</code>.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573446"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
 Prior to running the <span><strong class="command">named</strong></span> daemon, use
 the <span><strong class="command">touch</strong></span> utility (to change file access and
 modification times) or the <span><strong class="command">chown</strong></span> utility (to
 set the user id and/or group id) on files
 to which you want <span class="acronym">BIND</span> to write.
 </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports if the server is reloaded.
 </div>
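<p>
 As an added example (not part of the ARM, and not a tool shipped with BIND), the Python checker below
 preflights a chroot tree for the two sections above: it reports which of the special files named in
 the previous section are absent under the new root, and which files that <span><strong class="command">named</strong></span>
 must write are not owned by the uid passed to <code class="option">-u</code>. The set of special files
 and the default pid-file path are assumptions of the example, and the demo builds its tree out of empty
 regular files because creating real device nodes requires root.
 </p>

```python
import os
import tempfile

# Special files the chapter lists as things a chroot may need, relative to
# the new root.  Which of them are really required depends on the operating
# system; this list is an assumption of the example.
EXPECTED_NODES = ("dev/zero", "dev/random", "dev/log", "etc/localtime")


def check_chroot(root, named_uid, writable=("var/run/named.pid",)):
    """Preflight a chroot tree for named.

    Returns {"missing": [...], "not_owned": [...]}: expected special files
    (and files named must write) that do not exist under root, and files
    named must write (pid-file, journal files, zone files it updates) that
    exist but are not owned by the unprivileged uid passed to -u.  Both
    lists empty means the tree passes these checks.  The default writable
    list is a constructed placeholder."""
    missing = [p for p in EXPECTED_NODES if not os.path.exists(os.path.join(root, p))]
    not_owned = []
    for rel in writable:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            missing.append(rel)
        elif os.stat(path).st_uid != named_uid:
            not_owned.append(rel)
    return {"missing": missing, "not_owned": not_owned}


def build_placeholder_tree(root, writable=("var/run/named.pid",)):
    """Create a placeholder tree under root: empty regular files stand in
    for the device nodes (which need mknod and root to create), so the
    checker can be exercised without privileges."""
    for rel in EXPECTED_NODES + tuple(writable):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w"):
            pass


def demo():
    """Run the checker on an empty tree, then on a populated one, and return
    the three reports: (empty tree, populated tree checked against the
    current uid, populated tree checked against a different uid)."""
    me = os.getuid()
    with tempfile.TemporaryDirectory() as root:
        empty = check_chroot(root, me)
        build_placeholder_tree(root)
        populated = check_chroot(root, me)
        wrong_owner = check_chroot(root, me + 1)
    return empty, populated, wrong_owner


if __name__ == "__main__":
    for label, report in zip(("empty", "populated", "wrong owner"), demo()):
        print(label, report)
```

<p>
 Remember that paths in <code class="filename">named.conf</code> are interpreted relative to the new root,
 so with <code class="option">-t /var/named</code> a <span><strong class="command">pid-file</strong></span> value of
 <code class="filename">/var/run/named.pid</code> refers to <code class="filename">/var/named/var/run/named.pid</code>
 on the host, which is the file the checker inspects.
 </p>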
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
 Access to the dynamic
 update facility should be strictly limited. In earlier versions of
 <span class="acronym">BIND</span> the only way to do this was based on the IP
 address of the host requesting the update, by listing an IP address or
 network prefix in the <span><strong class="command">allow-update</strong></span>
 zone option.
 This method is insecure since the source address of the update UDP packet
 is easily forged. Also note that if the IP addresses allowed by the
 <span><strong class="command">allow-update</strong></span> option include the
 address of a slave server which performs forwarding of dynamic updates, the master can be
 trivially attacked by sending the update to the slave, which will
 forward it to the master with its own source IP address, causing the
 master to approve it without question.
 </p>
<p>
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span> option should
 list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
 option can be used.
 </p>
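<p>
 The following audit script is an added example, not part of the ARM or of BIND: it scans a
 <code class="filename">named.conf</code> for zones whose <span><strong class="command">allow-update</strong></span>
 list grants access to IP addresses, prefixes or <span><strong class="command">any</strong></span> rather than to TSIG
 key names, which is the weak configuration described above. The <code class="filename">named.conf</code>
 excerpt embedded in it is constructed for the example (the key secret is a placeholder), and the function
 names are assumptions.
 </p>

```python
import re

# Constructed named.conf excerpt (not from the chapter): one zone that trusts
# source addresses, one that trusts a TSIG key name.  The secret is a
# placeholder, not a usable key.
SAMPLE_CONF = '''
key "dyn-key" {
    algorithm hmac-md5;
    secret "PLACEHOLDER-BASE64-SECRET==";
};

zone "example.com" {
    type master;
    file "m/example.com";
    allow-update { 198.51.100.0/24; 203.0.113.9; };
};

zone "dyn.example.com" {
    type master;
    file "m/dyn.example.com";
    allow-update { key dyn-key; };
};
'''


def _block_body(text, start):
    """Return the text between the '{' at index start and its matching '}'."""
    depth = 0
    for i in range(start, len(text)):
        if text[i] == "{":
            depth += 1
        elif text[i] == "}":
            depth -= 1
            if depth == 0:
                return text[start + 1:i]
    raise ValueError("unbalanced braces in named.conf")


def zone_blocks(conf):
    """Yield (zone_name, block_body) for each zone statement in conf."""
    for m in re.finditer(r'zone\s+"([^"]+)"[^{]*\{', conf):
        yield m.group(1), _block_body(conf, m.end() - 1)


def classify_update_acl(body):
    """Classify each element of a zone's allow-update list.

    Returns None when the zone has no allow-update statement, otherwise a
    list of (element, verdict): "key" for a TSIG key name, "none" for the
    literal none, "any" for the literal any, and "address" for anything
    else, which means an IP address or prefix whose source is forgeable."""
    m = re.search(r'allow-update\s*\{([^}]*)\}', body)
    if m is None:
        return None
    verdicts = []
    for element in (e.strip() for e in m.group(1).split(";")):
        if not element:
            continue
        if element.startswith("key "):
            verdicts.append((element, "key"))
        elif element == "none":
            verdicts.append((element, "none"))
        elif element == "any":
            verdicts.append((element, "any"))
        else:
            verdicts.append((element, "address"))
    return verdicts


def audit(conf):
    """Return {zone: [(element, verdict), ...]} for every zone whose
    allow-update list contains anything other than TSIG key names or none."""
    findings = {}
    for name, body in zone_blocks(conf):
        verdicts = classify_update_acl(body)
        if verdicts is None:
            continue
        weak = [v for v in verdicts if v[1] in ("address", "any")]
        if weak:
            findings[name] = weak
    return findings


if __name__ == "__main__":
    for zone, weak in audit(SAMPLE_CONF).items():
        print(zone, "relies on source addresses for dynamic update:", weak)
```

<p>
 The second zone in the sample shows the recommended form, <code>allow-update { key dyn-key; };</code>,
 next to the weak one. The parser only matches braces and does not understand the full
 <code class="filename">named.conf</code> grammar, so treat its output as a starting point for review rather
 than as a complete verdict.
 </p>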
<p>
 Some sites choose to keep all dynamically updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at all.
 </p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<span class="acronym">BIND</span> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
</tr>
</table>
</div>
</body>
</html>