Bv9ARM.ch07.html revision 7329012471d165cd3dc4180ad2a0a43de91e7f01
<!--
 - Copyright (C) 2004-2006 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.113 2006/01/27 05:17:12 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2573081"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2573225">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2573353">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>
and similar options.
</p>
<p>
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
</p>
<p>
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial-of-service (DoS) attacks against
it; in particular, a server that answers recursive queries for anyone can be
turned into an amplifier against third parties. Keep in mind that an address
match list only ever sees the source address of a packet, which a sender can
forge, so address-based ACLs reduce exposure but do not authenticate anyone.
</p>
<p>
Here is an example of how to properly apply ACLs (the zone name and zone file are placeholders):
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
// (1.0.0.0/8 and 2.0.0.0/8 have since been allocated; review bogon lists
// against current allocations before using them.)
acl bogusnets {
    0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
    allow-query { our-nets; };
    allow-recursion { our-nets; };
    blackhole { bogusnets; };
};
zone "example.com" {
    type master;
    file "example.com.db";
    allow-query { any; };
};
</pre>
<p>
The zone-level <span><strong class="command">allow-query { any; };</strong></span> overrides the
options-level <span><strong class="command">allow-query</strong></span> for that zone only, so anyone
can query the server's authoritative data for <code class="literal">example.com</code>. Whether
outside clients receive recursive service is still decided by
<span><strong class="command">allow-recursion</strong></span> (here limited to
<code class="literal">our-nets</code>) and by whether recursion has been disabled altogether.
Addresses matched by <span><strong class="command">blackhole</strong></span> get no response at all,
not even a REFUSED.
</p>
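<p>
The address match lists above are evaluated in order, and the first element that matches decides the outcome; the listing itself does not show what that means for an address that appears in more than one list, or for a negated ("!") element. The following is an added example, not from the BIND ARM or the BIND sources, that models that evaluation in Python: <code class="function">evaluate</code> implements first-match-wins with negation and nested ACL names, and <code class="function">decide</code> applies the page's <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span> and <span><strong class="command">blackhole</strong></span> settings to a client address. The <code class="literal">our-nets</code> prefixes are assumed placeholders (RFC 5737 documentation ranges), not a real site's networks.
</p>

```python
import ipaddress

# ACLs as named.conf would define them. "bogusnets" uses the page's prefixes
# plus RFC 1918 space; "our-nets" is an assumed placeholder (RFC 5737
# documentation ranges), not a real site's networks.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16"],
    "our-nets": ["203.0.113.0/24", "198.51.100.0/24"],
}

# The options from the page's example, as address match lists.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}


def element_matches(element, addr, acls, depth):
    """Does a single (non-negated) element match addr?

    An element is the keyword any/none, the name of another ACL, or an
    IP prefix. A nested ACL counts as a match only when it matches
    positively, which is how named treats nested lists."""
    if depth > 16:
        raise ValueError("ACL nesting too deep; check for a reference loop")
    if element == "any":
        return True
    if element == "none":
        return False
    if element in acls:
        return evaluate(acls[element], addr, acls, depth + 1)
    return addr in ipaddress.ip_network(element, strict=False)


def evaluate(aml, addr, acls=ACLS, depth=0):
    """Evaluate an address match list the way named does for allow-* options.

    Elements are tried in order and the first one that matches decides:
    a plain element allows, a "!"-negated element denies. If nothing
    matches the result is deny, so the order of elements matters and a
    negation placed after a broader prefix is never reached."""
    addr = ipaddress.ip_address(str(addr))
    for element in aml:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if element_matches(name, addr, acls, depth):
            return not negated
    return False


def decide(client, options=OPTIONS, acls=ACLS):
    """What the page's configuration does with a query from client.

    Blackholed sources get no response at all; others are refused unless
    allow-query permits them, and get recursion only if allow-recursion
    also permits them."""
    if evaluate(options["blackhole"], client, acls):
        return "blackholed"
    if not evaluate(options["allow-query"], client, acls):
        return "refused"
    if evaluate(options["allow-recursion"], client, acls):
        return "answered, recursion allowed"
    return "answered, no recursion"


if __name__ == "__main__":
    for ip in ("10.1.2.3", "203.0.113.7", "198.51.100.200", "172.32.0.1"):
        print(ip, "->", decide(ip))
    # Order matters: the negation only takes effect when it comes first.
    print(evaluate(["!192.168.1.1", "192.168.0.0/16"], "192.168.1.1", {}))
    print(evaluate(["192.168.0.0/16", "!192.168.1.1"], "192.168.1.1", {}))
```

<p>
Swapping the two elements of <code class="literal">["!192.168.1.1", "192.168.0.0/16"]</code> silently disables the exception: the broader prefix matches first and the negation is never consulted. The list is syntactically fine, so <span><strong class="command">named-checkconf</strong></span> will not flag it; only reading the list in order does.
</p>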
<p>
For more information on how to use ACLs to protect your server,
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2573081"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></h2></div></div></div>
<p>
On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment
(<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>"
option. This can help improve system security by placing <span class="acronym">BIND</span> in
a "sandbox", which will limit the damage done if a server is
compromised. The chroot takes place after the command line is processed but
before the configuration file is read, so the configuration file and every
path named in it are interpreted relative to the new root.
</p>
<p>
Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the
ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
We suggest running as an unprivileged user whenever the <span><strong class="command">chroot</strong></span> feature is used:
on most systems a process that keeps root privileges can escape a
<span><strong class="command">chroot()</strong></span> jail, so the sandbox adds little without the privilege drop.
</p>
<p>
Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
user 202:
</p>
<p>
<strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573225"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot()</strong></span> environment to
work properly in a particular directory
(for example, <code class="filename">/var/named</code>),
you will need to set up an environment that includes everything
<span class="acronym">BIND</span> needs to run.
From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is
the root of the filesystem. You will need to adjust the values of
options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
for this.
</p>
<p>
Unlike with earlier versions of BIND, you will typically
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up entries under <code class="filename">/dev</code>, such as
<code class="filename">/dev/log</code>, inside the new root, since
<span><strong class="command">named</strong></span> cannot reach the real ones once it has chrooted.
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2573353"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon, use
the <span><strong class="command">touch</strong></span> utility (to change file
modification times) or the <span><strong class="command">chown</strong></span>
utility (to set the owning user and group) on the files and directories
to which you want <span class="acronym">BIND</span> to write, so that they are
writable by the unprivileged user. This includes the zone directory (for
journal files and slave zone files) and the directory holding the pid file.
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
unprivileged user, it will not be able to bind to new restricted
ports if the server is reloaded.
</p>
</div>
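<p>
The two subsections above amount to a checklist: paths in <code class="filename">named.conf</code> must resolve under the new root, and whatever <span><strong class="command">named</strong></span> writes to must belong to the unprivileged user. As an added example, not from the BIND ARM or from BIND itself, the following Python script performs that pre-flight check on a jail directory before <span><strong class="command">named -t <em class="replaceable"><code>jail</code></em> -u <em class="replaceable"><code>user</code></em></strong></span> is started. It parses only the <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> options, with a simple regular expression, so it assumes they are written as absolute quoted paths; the sample configuration text and the jail it builds under a temporary directory are constructed for the demonstration.
</p>

```python
import os
import re
import tempfile

# Added example, not from the BIND ARM. Checks a chroot tree before starting
# `named -t <jail> -u <user>`: every path in named.conf is interpreted after
# the chroot, so it must exist *under* the jail, and the places named writes
# to (the zone directory and the directory holding the pid file) must be
# owned by the unprivileged user, which is what the touch/chown step is for.

OPTION_RE = r'\b%s\s+"([^"]+)"\s*;'


def resolve_paths(named_conf, jail):
    """Map the `directory` and `pid-file` options to host-side paths.

    Only absolute paths are handled; named itself treats a relative
    pid-file as relative to `directory`, which this check does not model."""
    paths = {}
    for option in ("directory", "pid-file"):
        m = re.search(OPTION_RE % re.escape(option), named_conf)
        if m and m.group(1).startswith("/"):
            paths[option] = os.path.join(jail, m.group(1).lstrip("/"))
    return paths


def check_chroot(named_conf, jail, uid):
    """Return a list of problems; an empty list means the jail looks usable."""
    problems = []
    paths = resolve_paths(named_conf, jail)
    for option in ("directory", "pid-file"):
        if option not in paths:
            problems.append("%s: not set to an absolute path in named.conf" % option)
    for option, host_path in paths.items():
        # named creates the pid file itself, so its parent directory is what
        # must exist and be writable; the zone directory is written directly.
        target = os.path.dirname(host_path) if option == "pid-file" else host_path
        if not os.path.isdir(target):
            problems.append("%s: %s is missing under the jail" % (option, target))
            continue
        owner = os.stat(target).st_uid
        if owner != uid:
            problems.append("%s: %s is owned by uid %d, not %d; chown it"
                            % (option, target, owner, uid))
    return problems


def demo():
    """Build a throw-away jail in a temp dir and run the check three times.

    Returns (missing_pid_dir, fixed, wrong_uid): the problem lists when
    /var/run is absent, after it is created, and when named would run as a
    uid that does not own the tree. The named.conf text is constructed."""
    jail = tempfile.mkdtemp(prefix="named-jail-")
    conf = '''
options {
    directory "/etc/namedb";       // paths as seen from inside the jail
    pid-file "/var/run/named.pid";
};
'''
    os.makedirs(os.path.join(jail, "etc", "namedb"))
    missing_pid_dir = check_chroot(conf, jail, os.getuid())
    os.makedirs(os.path.join(jail, "var", "run"))
    fixed = check_chroot(conf, jail, os.getuid())
    wrong_uid = check_chroot(conf, jail, os.getuid() + 1)
    return missing_pid_dir, fixed, wrong_uid


if __name__ == "__main__":
    for label, result in zip(("missing pid dir", "fixed", "wrong uid"), demo()):
        print(label, "->", result or "ok")
```

<p>
The check deliberately looks at the directory that will hold the pid file rather than the file itself: <span><strong class="command">named</strong></span> creates the file after dropping privileges, so a correctly owned parent directory is what matters, and a pid file left behind by a previous run as root is one of the more common reasons a chrooted, setuid <span><strong class="command">named</strong></span> fails to start.
</p>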
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<span class="acronym">BIND</span>, the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address or
network prefix in the <span><strong class="command">allow-update</strong></span>
zone option.
This method is insecure since the source address of the UDP packet carrying the update
is easily forged. Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the
address of a slave
server which performs forwarding of dynamic updates, the master can be
trivially attacked by sending the update to the slave, which will
forward it to the master with its own source IP address, causing the
master to approve it without question.
</p>
<p>
For these reasons, we strongly recommend that updates be
cryptographically authenticated by means of transaction signatures
(TSIG). That is, the <span><strong class="command">allow-update</strong></span>
option should
list only TSIG key names, not IP addresses or network
prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
option can be used; it grants rights per key and per name, so that a key
holder can change only the records it is meant to, rather than the whole zone.
</p>
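<p>
The forwarding attack described above is easiest to see side by side with the TSIG remedy. The following Python model is an added example, not BIND code: it stands in for TSIG with an HMAC over the update text (real TSIG, RFC 2845, covers the DNS wire message together with a timestamp and fudge window), uses a made-up key named <code class="literal">dhcp-update-key</code>, and uses RFC 5737 documentation addresses for the slave and the attacker. <code class="function">authorized_by_address</code> is the address-based <span><strong class="command">allow-update</strong></span> the text warns against, <code class="function">authorized_by_key</code> the key-based form it recommends, and <code class="function">scenario</code> runs both against a forged update, a spoofed source address, an update relayed through the slave, and a properly signed update.
</p>

```python
import hashlib
import hmac
import ipaddress

# Added example, not from the BIND ARM. Models a master's two ways of deciding
# whether to accept a dynamic update:
#   allow-update { 198.51.100.0/24; };        // address-based (insecure)
#   allow-update { key dhcp-update-key; };    // TSIG key-based (recommended)
# The "signature" here is an HMAC over the update text, standing in for TSIG
# (RFC 2845), which HMACs the DNS wire message plus a timestamp and fudge
# window. Addresses are RFC 5737 documentation ranges; the key is made up.

KEYS = {"dhcp-update-key": b"constructed-demo-secret-not-a-real-key"}


def sign(update_text, key_name, keys=KEYS):
    """Client side: attach a MAC computed with the named shared secret."""
    mac = hmac.new(keys[key_name], update_text.encode(), hashlib.sha256).hexdigest()
    return {"update": update_text, "key": key_name, "mac": mac}


def verify(msg, keys=KEYS):
    """Server side: recompute the MAC with the key the message names."""
    secret = keys.get(msg.get("key"))
    if secret is None:
        return False
    expected = hmac.new(secret, msg["update"].encode(), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, msg.get("mac", ""))


def authorized_by_address(allow_update, source_ip):
    """allow-update with prefixes trusts whatever source address the packet
    claims; nothing in the update itself is checked."""
    addr = ipaddress.ip_address(source_ip)
    return any(addr in ipaddress.ip_network(p) for p in allow_update)


def authorized_by_key(allow_update, msg, keys=KEYS):
    """allow-update with key names ignores the source address entirely: the
    update must carry a MAC that verifies under one of the listed keys."""
    return msg.get("key") in allow_update and verify(msg, keys)


def forward_via_slave(msg, slave_ip):
    """A slave with allow-update-forwarding re-sends the update to the master
    from its own address. It cannot fix or forge the MAC, only relay it."""
    return dict(msg), slave_ip


def scenario():
    """Compare both policies against a direct forgery, a spoofed source, an
    update bounced through the slave, and a legitimately signed update."""
    ip_policy = ["198.51.100.0/24"]
    key_policy = ["dhcp-update-key"]
    slave_ip, attacker_ip = "198.51.100.53", "203.0.113.9"

    forged = {"update": "www.example.com. IN A 203.0.113.9",   # attacker-made
              "key": "dhcp-update-key", "mac": "00" * 32}       # guessed MAC
    legit = sign("host1.example.com. IN A 198.51.100.77", "dhcp-update-key")
    forged_via_slave, seen_from = forward_via_slave(forged, slave_ip)
    legit_via_slave, _ = forward_via_slave(legit, slave_ip)

    return {
        # Address policy: only an attacker who uses his real address is stopped.
        "ip/direct": authorized_by_address(ip_policy, attacker_ip),
        "ip/spoofed_source": authorized_by_address(ip_policy, "198.51.100.10"),
        "ip/via_slave": authorized_by_address(ip_policy, seen_from),
        # Key policy: the source address is irrelevant, the MAC decides.
        "key/forged": authorized_by_key(key_policy, forged),
        "key/forged_via_slave": authorized_by_key(key_policy, forged_via_slave),
        "key/legit": authorized_by_key(key_policy, legit),
        "key/legit_via_slave": authorized_by_key(key_policy, legit_via_slave),
    }


if __name__ == "__main__":
    for case, accepted in scenario().items():
        print("%-22s %s" % (case, "ACCEPTED" if accepted else "rejected"))
```

<p>
Under the address policy the spoofed and the relayed updates are both accepted. Under the key policy the relay changes nothing, because the slave can only pass the attacker's invalid MAC along, while the legitimately signed update verifies whichever address it arrives from. Note that a key-based <span><strong class="command">allow-update</strong></span> still lets any holder of that key change anything in the zone, which is what <span><strong class="command">update-policy</strong></span> is for.
</p>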
<p>
Some sites choose to keep all dynamically updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP addresses
of public web and mail servers need not allow dynamic update at
all.
</p>