<!-- Bv9ARM.ch07.html revision 66f25f2ceeb589e67efe7af2413baaa3426b0042 -->
<!--
 - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.237 2010/12/26 01:14:08 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2602042"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2602123">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2602183">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
      Access Control Lists (ACLs) are address match lists that
      you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
      <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
      <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
      <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
      etc.
    </p>
<p>
      Using ACLs allows you to have finer control over who can access
      your name server, without cluttering up your config files with huge
      lists of IP addresses.
    </p>
<p>
      It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
      control access to your server. Limiting access to your server by
      outside parties can help prevent spoofing and denial of service (DoS) attacks against
      your server.
    </p>
<p>
      Here is an example of how to properly apply ACLs:
    </p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.  (1.0.0.0/8 and 2.0.0.0/8,
// once listed here, have since been allocated as public address
// space and must not be blackholed.)
acl bogusnets {
        0.0.0.0/8;  192.0.2.0/24;  224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets.  Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  ...
  blackhole { bogusnets; };
  ...
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</pre>
<p>
      This allows authoritative queries for "example.com" from any
      address, but recursive queries only from the networks specified
      in "our-nets", and no queries at all from the networks specified
      in "bogusnets".  The zone-level <span><strong class="command">allow-query</strong></span>
      overrides the one in <span><strong class="command">options</strong></span> for
      that zone only, and <span><strong class="command">blackhole</strong></span> makes
      <span><strong class="command">named</strong></span> ignore packets from those
      sources entirely rather than answer them.  Note that
      <span><strong class="command">allow-recursion</strong></span> must be set
      explicitly: if it is absent, it falls back to
      <span><strong class="command">allow-query-cache</strong></span> and then to
      <span><strong class="command">allow-query</strong></span>, so an
      <span><strong class="command">allow-query { any; }</strong></span> in
      <span><strong class="command">options</strong></span> with no
      <span><strong class="command">allow-recursion</strong></span> turns the server
      into an open resolver unless recursion has been disabled.
    </p>
<p>
For more information on how to use ACLs to protect your server,
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
</p>
<p>
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2602042"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
in a <span class="emphasis"><em>chrooted</em></span> environment (using
the <span><strong class="command">chroot()</strong></span> function) by specifying
the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
This can help improve system security by placing
<acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
the damage done if a server is compromised.
</p>
<p>
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
</p>
<p>
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
user 202:
</p>
<p>
<strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
</p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2602123"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
        In order for a <span><strong class="command">chroot</strong></span> environment
        to work properly in a particular directory
        (for example, <code class="filename">/var/named</code>),
        you will need to set up an environment that includes everything
        <acronym class="acronym">BIND</acronym> needs to run.
        From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
        the root of the filesystem, and every path in
        <code class="filename">named.conf</code> is interpreted relative to that
        new root.  You will need to adjust the values of options such as
        <span><strong class="command">directory</strong></span>, <span><strong class="command">pid-file</strong></span>,
        zone <span><strong class="command">file</strong></span> names and logging
        <span><strong class="command">channel</strong></span> files to account for this:
        a zone file stored at <code class="filename">/var/named/m/example.com</code>
        on the host is <code class="filename">/m/example.com</code> to
        <span><strong class="command">named</strong></span>.  The configuration file
        itself is read after the <span><strong class="command">chroot()</strong></span>,
        so the default <code class="filename">/etc/named.conf</code> must exist as
        <code class="filename">/var/named/etc/named.conf</code>.
      </p>
<p>
Unlike with earlier versions of BIND, you typically will
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up things like
<code class="filename">/dev/zero</code>,
<code class="filename">/dev/random</code>,
<code class="filename">/dev/log</code>, and
<code class="filename">/etc/localtime</code>.
</p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2602183"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
        Prior to running the <span><strong class="command">named</strong></span> daemon,
        use the <span><strong class="command">touch</strong></span> utility (to create
        the files if they do not yet exist) and the <span><strong class="command">chown</strong></span>
        utility (to set the user id and/or group id) on the files and
        directories to which you want <acronym class="acronym">BIND</acronym>
        to write: the pid file, the zone files and journals of dynamically
        updated zones, slave zone files, dump and statistics files, and any
        log files.  Everything else, including
        <code class="filename">named.conf</code> and the key files it references,
        should stay owned by root and be readable but not writable by the
        unprivileged user, so that a compromised server cannot rewrite its
        own configuration.
      </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
        Note that if the <span><strong class="command">named</strong></span> daemon is running as an
        unprivileged user, it will not be able to bind to new restricted
        ports if the server is reloaded.  On Linux, <span><strong class="command">named</strong></span>
        uses the kernel's capability mechanism to keep the ability to
        <span><strong class="command">bind()</strong></span> to privileged ports after
        giving up root, so this restriction mainly affects other platforms.
</div>
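<p>
        The following pre-flight check is an added example written for this
        page; it is not part of the ARM or of BIND's own tooling.  It verifies the
        points above before <span><strong class="command">named -u UID -t ROOT</strong></span>
        is started: that the device nodes are real character devices (a
        <span><strong class="command">touch</strong></span>ed regular file is the usual
        mistake), that <code class="filename">named.conf</code> and
        <code class="filename">localtime</code> exist inside the jail, that the
        directories <span><strong class="command">named</strong></span> must write to are
        owned by the unprivileged user, and that the configuration is not
        writable by that user.  It also translates host paths to the paths
        <span><strong class="command">named</strong></span> sees after the chroot.  The
        directory layout (<code class="filename">var/run</code>,
        <code class="filename">var/named/dynamic</code>) and the demo tree built by
        <code>make_demo_jail</code> are assumptions for illustration; the demo
        tree uses regular files in place of device nodes because
        <span><strong class="command">mknod</strong></span> needs root.
</p>

```python
"""Pre-flight checks for running 'named -u UID -t ROOT' in a chroot jail."""
import os
import stat

# Paths named typically needs inside the jail; which are required varies by OS.
REQUIRED_DEVICES = ("dev/null", "dev/random", "dev/zero")  # must be character devices (mknod)
REQUIRED_FILES = ("etc/localtime", "etc/named.conf")       # named.conf is read after chroot()
DEFAULT_WRITABLE = ("var/run", "var/named/dynamic")        # pid file and dynamic-zone journals (assumed layout)


def jail_path(host_path, root):
    """Return the path named sees after chroot(root); None if host_path lies outside the jail."""
    root = os.path.realpath(root)
    real = os.path.realpath(host_path)
    if real == root:
        return "/"
    if not real.startswith(root + os.sep):
        return None
    return real[len(root):]


def audit_chroot(root, uid, writable_dirs=DEFAULT_WRITABLE):
    """Return a list of problems; an empty list means the tree looks usable for 'named -u uid -t root'."""
    problems = []
    for rel in REQUIRED_DEVICES:
        path = os.path.join(root, rel)
        if not os.path.exists(path):
            problems.append(f"missing {rel}")
        elif not stat.S_ISCHR(os.stat(path).st_mode):
            problems.append(f"{rel} is not a character device; create it with mknod, not touch")
    for rel in REQUIRED_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            problems.append(f"missing {rel}")
    for rel in writable_dirs:
        path = os.path.join(root, rel)
        if not os.path.isdir(path):
            problems.append(f"missing writable directory {rel}")
            continue
        st = os.stat(path)
        if st.st_uid != uid:
            problems.append(f"{rel} is owned by uid {st.st_uid}, not {uid}; named cannot write there")
        if st.st_mode & stat.S_IWOTH:
            problems.append(f"{rel} is world-writable")
    # The configuration must stay out of reach of the unprivileged user.
    conf = os.path.join(root, "etc/named.conf")
    if os.path.isfile(conf):
        st = os.stat(conf)
        if st.st_uid == uid and st.st_mode & stat.S_IWUSR:
            problems.append("etc/named.conf is writable by the named user; keep it root-owned")
    return problems


def make_demo_jail(root=None):
    """Build a constructed demo tree (regular files stand in for device nodes, which need root to mknod)."""
    import tempfile
    root = root or tempfile.mkdtemp(prefix="named-jail-")
    for rel in ("dev", "etc", "var/run", "var/named/dynamic", "var/named/m"):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
        os.chmod(os.path.join(root, rel), 0o750)
    for rel in REQUIRED_DEVICES + REQUIRED_FILES + ("var/named/m/example.com",):
        open(os.path.join(root, rel), "w").close()
    os.chmod(os.path.join(root, "etc/named.conf"), 0o444)
    return root


if __name__ == "__main__":
    jail = make_demo_jail()
    for problem in audit_chroot(jail, os.getuid()):
        print(problem)
    print(jail_path(os.path.join(jail, "var/named/m/example.com"), jail))
```

<p>
        On a real host, run it as root against the jail and the uid given to
        <span><strong class="command">-u</strong></span>; the demo tree reports the three
        device-node problems by design.  <code class="filename">/dev/log</code> is a
        socket created by the system logger, not by you, so it is not checked here;
        the logger has to be told to listen inside the jail as well (for example
        rsyslog's <code>AddUnixListenSocket</code> directive).
</p>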
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym class="acronym">BIND</acronym>, the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address
or
network prefix in the <span><strong class="command">allow-update</strong></span>
zone option.
This method is insecure since the source address of the update UDP
packet
is easily forged. Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the
address of a slave
server which performs forwarding of dynamic updates, the master can
be
trivially attacked by sending the update to the slave, which will
forward it to the master with its own source IP address causing the
master to approve it without question.
</p>
<p>
        For these reasons, we strongly recommend that updates be
        cryptographically authenticated by means of transaction signatures
        (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
        option should list only TSIG key names, not IP addresses or network
        prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
        option can be used; it likewise identifies the requester by key
        (TSIG or SIG(0)) but additionally restricts which names and record
        types each key may change, which is preferable to granting a key
        the whole zone.
      </p>
<p>
Some sites choose to keep all dynamically-updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP
addresses
of public web and mail servers need not allow dynamic update at
all.
</p>
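<p>
        The script below is an added example for this chapter, not code from
        the ARM or from ISC.  It parses a <code class="filename">named.conf</code>
        with a small purpose-built parser and reports the weaknesses discussed
        in the Access Control Lists section and in this section: recursion
        open to any client (including the case where
        <span><strong class="command">allow-recursion</strong></span> is absent and
        inherits <span><strong class="command">allow-query</strong></span>, following
        the 9.7 fallback chain allow-recursion, allow-query-cache, allow-query,
        default localnets/localhost), no <span><strong class="command">blackhole</strong></span>
        list, <span><strong class="command">allow-update</strong></span> entries that are
        addresses rather than keys, and unrestricted zone transfers.  The
        sample configuration is constructed for illustration; the parser is
        simplified and is no substitute for
        <span><strong class="command">named-checkconf</strong></span>.
</p>

```python
"""Audit a named.conf for the ACL and dynamic-update weaknesses described above."""
import re

# Constructed sample configuration (not from ISC or the ARM); it mixes sound
# settings with the mistakes the chapter warns about.
SAMPLE_CONF = """
acl bogusnets { 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
                10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
acl our-nets { 198.51.100.0/24; 203.0.113.0/22; };
key "update-key" { algorithm hmac-sha256; secret "c2VjcmV0IGtleSBtYXRlcmlhbA=="; };
options {
    directory "/var/named";
    allow-query { any; };          // no allow-recursion: recursion falls back to this
    blackhole { bogusnets; };
};
zone "example.com" {
    type master;
    file "m/example.com";
    allow-update { 203.0.113.7; key update-key; };   /* the address entry is spoofable */
};
zone "dyn.example.com" {
    type master;
    file "m/dyn.example.com";
    allow-transfer { 198.51.100.2; };
    update-policy { grant update-key zonesub ANY; };
};
"""

TOKEN_RE = re.compile(r'"[^"]*"|[{};]|[^\s{};"]+')


def strip_comments(text):
    """Remove C, C++ and shell style comments (named.conf allows all three)."""
    text = re.sub(r"/\*.*?\*/", " ", text, flags=re.S)
    return re.sub(r"(//|#)[^\n]*", " ", text)


def parse(text):
    """Parse named.conf into (keyword, args, body) triples; body is a nested list or None."""
    tokens = TOKEN_RE.findall(strip_comments(text))
    pos = 0

    def block():
        nonlocal pos
        stmts = []
        while pos < len(tokens) and tokens[pos] != "}":
            words = []
            while pos < len(tokens) and tokens[pos] not in ("{", ";", "}"):
                words.append(tokens[pos].strip('"'))
                pos += 1
            body = None
            if pos < len(tokens) and tokens[pos] == "{":
                pos += 1
                body = block()
                pos += 1  # consume the closing brace
            if pos < len(tokens) and tokens[pos] == ";":
                pos += 1
            if words:
                stmts.append((words[0], words[1:], body))
        return stmts

    return block()


def _aml(body):
    """Flatten an address match list; key elements become 'key NAME'."""
    return [" ".join([kw] + args) for kw, args, _ in (body or [])]


def _is_address(item):
    """True for an IPv4/IPv6 address or prefix, optionally negated with '!'."""
    item = item.lstrip("!")
    return bool(re.match(r"^\d{1,3}(\.\d{1,3}){3}(/\d+)?$", item)) or ":" in item


def effective_recursion_acl(options):
    """BIND 9.7 fallback chain: allow-recursion -> allow-query-cache -> allow-query -> default."""
    for name in ("allow-recursion", "allow-query-cache", "allow-query"):
        if name in options:
            return _aml(options[name][1])
    return ["localnets", "localhost"]


def audit(conf_text):
    """Return (severity, where, message) findings for a named.conf text."""
    stmts = parse(conf_text)
    options = {}
    for kw, args, body in stmts:
        if kw == "options" and body is not None:
            options = {k: (a, b) for k, a, b in body}
    findings = []
    recursion_on = options.get("recursion", (["yes"], None))[0] != ["no"]
    if recursion_on and "any" in effective_recursion_acl(options):
        findings.append(("high", "options", "recursion is open to any client (open resolver)"))
    if "blackhole" not in options:
        findings.append(("low", "options", "no blackhole list; bogus and RFC1918 sources are answered"))
    for kw, args, body in stmts:
        if kw != "zone" or body is None:
            continue
        zone, zopts = args[0], {k: (a, b) for k, a, b in body}
        if zopts.get("type", ([], None))[0] in (["hint"], ["forward"]):
            continue
        for item in _aml(zopts.get("allow-update", ([], None))[1]):
            if item in ("any", "localnets", "localhost") or _is_address(item):
                findings.append(("high", zone, f"allow-update trusts source address '{item}'; use a TSIG key or update-policy"))
        xfer = _aml(zopts.get("allow-transfer", options.get("allow-transfer", ([], None)))[1])
        if not xfer or "any" in xfer:
            findings.append(("medium", zone, "zone transfers are not restricted (default is any)"))
    return findings
```

<p>
        Run against the sample it reports three findings: the options block
        is an open resolver because recursion inherits
        <span><strong class="command">allow-query { any; }</strong></span>,
        "example.com" trusts a source address for updates, and "example.com"
        has no <span><strong class="command">allow-transfer</strong></span>;
        "dyn.example.com", which uses
        <span><strong class="command">update-policy</strong></span> and restricts
        transfers, is clean.
</p>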
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
</tr>
</table>
</div>
</body>
</html>