581N/A<HTML

581N/A><HEAD

581N/A><TITLE

581N/A>BIND 9 Security Considerations</TITLE

581N/A><META

581N/ACONTENT="Modular DocBook HTML Stylesheet Version 1.41"><LINK

581N/AHREF="Bv9ARM.html"><LINK

581N/AHREF="Bv9ARM.ch06.html"><LINK

581N/AHREF="Bv9ARM.ch08.html"></HEAD

581N/A><BODY

581N/A><DIV

581N/A><TABLE

581N/A><TR

581N/A><TH

581N/A></TH

581N/A></TR

581N/A><TR

581N/A><TD

581N/A><A

581N/A>Prev</A

581N/A></TD

581N/A><TD

581N/A></TD

581N/A><TD

581N/A><A

581N/A>Next</A

581N/A></TD

581N/A></TR

581N/A></TABLE

581N/A><HR

581N/AWIDTH="100%"></DIV

581N/A><DIV

581N/A><H1

581N/A><A

581N/A>Chapter 7. <SPAN

884N/A>BIND</SPAN

581N/A> 9 Security Considerations</A

581N/A></H1

581N/A><DIV

581N/A><DL

581N/A><DT

581N/A><B

581N/A>Table of Contents</B

581N/A></DT

581N/A><DT

581N/A>7.1. <A

>Access Control Lists</A

></DT

><DT

>7.2. <A

><B

>chroot</B

> and <B

>setuid</B

> (for

UNIX servers)</A

></DT

><DT

>7.3. <A

>Dynamic Updates</A

></DT

></DL

></DIV

><DIV

><H1

><A

>7.1. Access Control Lists</A

></H1

><P

>Access Control Lists (ACLs), are address match lists that

you can set up and nickname for future use in <B

>allow-query</B

>, <B

>allow-recursion</B

>, <B

>blackhole</B

>, <B

>allow-transfer</B

>,

etc.</P

><P

>Using ACLs allows you to have finer control over who can access

your nameserver, without cluttering up your config files with huge

lists of IP addresses.</P

><P

>It is a <I

>good idea</I

> to use ACLs, and to

control access to your server. Limiting access to your server by

outside parties can help prevent spoofing and DoS attacks against

your server.</P

><P

>Here is an example of how to properly apply ACLs:</P

><PRE

>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,

// which is commonly used in spoofing attacks.

acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

// Set up an ACL called our-nets. Replace this with the real IP numbers.

acl our-nets { x.x.x.x/24; x.x.x.x/21; };

options {

...

...

allow-query { our-nets; };

allow-recursion { our-nets; };

...

blackhole { bogusnets; };

...

};

zone "example.com" {

type master;

file "m/example.com";

allow-query { any; };

};

</PRE

><P

>This allows recursive queries of the server from the outside

unless recursion has been previously disabled.</P

><P

>For more information on how to use ACLs to protect your server,

see the <I

>AUSCERT</I

> advisory at

<A

>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A

></P

></DIV

><DIV

><H1

><A

>7.2. <B

>chroot</B

> and <B

>setuid</B

> (for

UNIX servers)</A

></H1

><P

>On UNIX servers, it is possible to run <SPAN

>BIND</SPAN

> in a <I

>chrooted</I

> environment

(<B

>chroot()</B

>) by specifying the "<TT

>-t</TT

>"

option. This can help improve system security by placing <SPAN

>BIND</SPAN

> in

a "sandbox," which will limit the damage done if a server is compromised.</P

><P

>Another useful feature in the UNIX version of <SPAN

>BIND</SPAN

> is the

ability to run the daemon as a nonprivileged user ( <TT

>-u</TT

> <TT

><I

>user</I

></TT

> ).

We suggest running as a nonprivileged user when using the <B

>chroot</B

> feature.</P

><P

>Here is an example command line to load <SPAN

>BIND</SPAN

> in a <B

>chroot()</B

> sandbox,

<B

>/var/named</B

>, and to run <B

>named</B

> <B

>setuid</B

> to

user 202:</P

><P

><TT

><B

>/usr/local/bin/named -u 202 -t /var/named</B

></TT

></P

><DIV

><H2

><A

>7.2.1. The <B

>chroot</B

> Environment</A

></H2

><P

>In order for a <B

>chroot()</B

> environment to

work properly in a particular directory (for example, <TT

>/var/named</TT

>),

you will need to set up an environment that includes everything

<SPAN

>BIND</SPAN

> needs to run. From <SPAN

>BIND</SPAN

>'s point of view, <TT

>/var/named</TT

> is

the root of the filesystem. You will need <TT

>/dev/null</TT

>,

and any library directories and files that <SPAN

>BIND</SPAN

> needs to run on

your system. Please consult your operating system's instructions

if you need help figuring out which library files you need to copy

over to the <B

>chroot()</B

> sandbox.</P

><P

>If you are running an operating system that supports static

binaries, you can also compile <SPAN

>BIND</SPAN

> statically and avoid the need

to copy system libraries over to your <B

>chroot()</B

> sandbox.</P

></DIV

><DIV

><H2

><A

>7.2.2. Using the <B

>setuid</B

> Function</A

></H2

><P

>Prior to running the <B

>named</B

> daemon, use

the <B

>touch</B

> utility (to change file access and

modification times) or the <B

>chown</B

> utility (to

set the user id and/or group id) on files to which you want <SPAN

>BIND</SPAN

>

to write.</P

></DIV

></DIV

><DIV

><H1

><A

>7.3. Dynamic Updates</A

></H1

><P

>Access to the dynamic update facility should be strictly limited.

In earlier versions of <SPAN

>BIND</SPAN

> the only way to do this was based on

the IP address of the host requesting the update. <SPAN

>BIND9</SPAN

> also

supports authenticating updates cryptographically by means of transaction

signatures (TSIG). The use of TSIG is strongly recommended.</P

><P

>Some sites choose to keep all dynamically updated DNS data

in a subdomain and delegate that subdomain to a separate zone. This

way, the top-level zone containing critical data such as the IP addresses

of public web and mail servers need not allow dynamic update at

all.</P

></DIV

></DIV

><DIV

><HR

WIDTH="100%"><TABLE

><TR

><TD

><A

>Prev</A

></TD

><TD

><A

>Home</A

></TD

><TD

><A

>Next</A

></TD

></TR

><TR

><TD

><SPAN

>BIND</SPAN

> 9 Configuration Reference</TD

><TD

>&nbsp;</TD

><TD

>Troubleshooting</TD

></TR

></TABLE

></DIV

></BODY

></HTML

>