Bv9ARM.ch07.html revision 5329b4137e5c0c309e589d1b019014dc6a383e3d
<!--
 - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.242 2011/01/13 05:13:50 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2602595"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2602676">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2602736">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
 <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
 <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
 etc.
 </p>
<p>
 Using ACLs allows you to have finer control over who can access
 your name server, without cluttering up your config files with huge
 lists of IP addresses.
 </p>
<p>
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service (DoS) attacks against
 your server.
 </p>
<p>
 Here is an example of how to properly apply ACLs:
 </p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12;
 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
 ...
 ...
 allow-query { our-nets; };
 allow-recursion { our-nets; };
 ...
 blackhole { bogusnets; };
 ...
};

zone "example.com" {
 type master;
 file "m/example.com";
 allow-query { any; };
};
</pre>
<p>
 This allows recursive queries of the server from the outside
 unless recursion has been previously disabled.
 </p>
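<p>
 The following is an added worked example, not part of the ARM or of
 <acronym class="acronym">BIND</acronym> itself: a small Python model of how
 <span><strong class="command">named</strong></span> evaluates an address match list
 (first matching element wins, a leading <code class="literal">!</code> negates
 that element, nested ACL names are expanded) and of the order in which the
 options above apply to a query (<span><strong class="command">blackhole</strong></span>,
 then <span><strong class="command">allow-query</strong></span>, then
 <span><strong class="command">allow-recursion</strong></span>). The
 <code class="literal">our-nets</code> prefixes are constructed documentation
 addresses standing in for the page's <code class="literal">x.x.x.x</code>
 placeholders; <code class="literal">localhost</code> and
 <code class="literal">localnets</code> are not modelled.
 </p>

```python
import ipaddress

# Constructed ACLs mirroring the page's example. "our-nets" uses RFC 5737
# documentation prefixes in place of the page's x.x.x.x placeholders.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24", "203.0.113.0/24"],
}

# The options block from the page, as address match lists.
OPTIONS = {
    "blackhole": ["bogusnets"],
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
}


def acl_match(addr, acl, acls=ACLS, _depth=0):
    """Evaluate one address match list the way named does: elements are
    tried in order and the first one that matches decides; a leading '!'
    negates that element. Supports 'any', 'none', prefixes and nested ACL
    names (a negated hit inside a nested list counts as no match for the
    enclosing element). 'localhost'/'localnets' are not modelled."""
    if _depth > 16:
        raise ValueError("ACL nesting too deep (reference cycle?)")
    ip = ipaddress.ip_address(addr)
    for raw in acl:
        elem = raw.strip().rstrip(";").strip()
        negate = elem.startswith("!")
        elem = elem.lstrip("!").strip()
        if elem == "any":
            hit = True
        elif elem == "none":
            hit = False
        elif elem in acls:
            hit = acl_match(addr, acls[elem], acls, _depth + 1)
        else:
            try:
                net = ipaddress.ip_network(elem, strict=False)
            except ValueError as exc:
                raise ValueError(f"unknown ACL element {elem!r}") from exc
            hit = ip.version == net.version and ip in net
        if hit:
            return not negate
    return False  # no element matched: the list does not match


def classify_query(src, recursive, zone_allow_query=None, options=OPTIONS):
    """Apply the page's options in the order that matters: blackhole first
    (packet silently dropped), then allow-query (a zone's own allow-query,
    such as the example.com zone's 'any', overrides the global one), then
    allow-recursion for queries that ask for recursion (RD bit set)."""
    if acl_match(src, options["blackhole"]):
        return "dropped"
    allow_query = (zone_allow_query if zone_allow_query is not None
                   else options["allow-query"])
    if not acl_match(src, allow_query):
        return "refused"
    if recursive and not acl_match(src, options["allow-recursion"]):
        return "recursion-denied"  # answered without recursion, RA cleared
    return "answered"


if __name__ == "__main__":
    for src, rd, zone in [("10.1.2.3", True, None),
                          ("8.8.8.8", False, None),
                          ("8.8.8.8", True, ["any"]),
                          ("198.51.100.7", True, None)]:
        print(src, "rd" if rd else "no-rd", classify_query(src, rd, zone))
```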
<p>
 For more information on how to use ACLs to protect your server,
 see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 </p>
<p>
 <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
 </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2602595"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
 in a <span class="emphasis"><em>chrooted</em></span> environment (using
 the <span><strong class="command">chroot()</strong></span> function) by specifying
 the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
 This can help improve system security by placing
 <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
 the damage done if a server is compromised.
 </p>
<p>
 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
 </p>
<p>
 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
 </p>
<p>
 <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
 </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2602676"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
 In order for a <span><strong class="command">chroot</strong></span> environment
 to work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <acronym class="acronym">BIND</acronym> needs to run.
 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and
 <span><strong class="command">pid-file</strong></span> to account for this.
 </p>
<p>
 Unlike with earlier versions of BIND, you typically will
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like
 <code class="filename">/dev/zero</code>,
 <code class="filename">/dev/random</code>,
 <code class="filename">/dev/log</code>, and
 <code class="filename">/etc/localtime</code>.
 </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2602736"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
 Prior to running the <span><strong class="command">named</strong></span> daemon,
 use the <span><strong class="command">touch</strong></span> utility (to change file
 access and modification times) or the <span><strong class="command">chown</strong></span>
 utility (to set the user id and/or group id) on files
 to which you want <acronym class="acronym">BIND</acronym>
 to write.
 </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports if the server is reloaded.
 </div>
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
 Access to the dynamic update facility should be strictly limited.
 In earlier versions of <acronym class="acronym">BIND</acronym>, the only
 way to do this was based on the IP address of the host requesting the
 update, by listing an IP address or network prefix in the
 <span><strong class="command">allow-update</strong></span> zone option.
 This method is insecure since the source address of the update UDP
 packet is easily forged. Also note that if the IP addresses allowed by the
 <span><strong class="command">allow-update</strong></span> option include the
 address of a slave server which performs forwarding of dynamic updates,
 the master can be trivially attacked by sending the update to the slave,
 which will forward it to the master with its own source IP address,
 causing the master to approve it without question.
 </p>
<p>
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
 option should list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
 option can be used.
 </p>
<p>
 Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP
 addresses of public web and mail servers need not allow dynamic update at
 all.
 </p>
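<p>
 The following is an added example configuration, not taken from the ARM:
 it combines the two recommendations above by putting the dynamically
 updated names in a delegated subdomain zone and authorising updates to
 that zone by TSIG key name rather than by source address, once with
 <span><strong class="command">allow-update</strong></span> and once with the
 <span><strong class="command">update-policy</strong></span> alternative (a zone
 may use one or the other, not both). The key name, zone names and
 secret are placeholders; a real secret can be generated with
 <span><strong class="command">dnssec-keygen -a HMAC-SHA256 -b 256 -n HOST ddns-key</strong></span>.
 </p>

```conf
// Shared secret known only to this server and the update client.
// The secret below is a placeholder, not a usable key.
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE-WITH-BASE64-SECRET";
};

// Weak form the text warns against: anything that can forge or relay a
// packet from this prefix (for example via a forwarding slave) is trusted.
//   allow-update { 203.0.113.0/24; };

// Dynamic data lives in its own delegated zone, so the parent zone
// "example.com" (web and mail records) never needs allow-update at all.
zone "dyn.example.com" {
    type master;
    file "m/dyn.example.com";
    allow-update { key "ddns-key"; };
};

// Same effect with update-policy: the key may only touch A and AAAA
// records at or below the zone apex, nothing else in the zone.
zone "dyn2.example.com" {
    type master;
    file "m/dyn2.example.com";
    update-policy {
        grant ddns-key subdomain dyn2.example.com. A AAAA;
    };
};
```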
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
</tr>
</table>
</div>
</body>
</html>
