Bv9ARM.ch07.html revision 7a7a44400d49122d4cc207b43922a7b9c5afe443
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!--
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - Copyright (C) 2000-2003 Internet Software Consortium.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - Permission to use, copy, modify, and distribute this software for any
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - purpose with or without fee is hereby granted, provided that the above
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - copyright notice and this permission notice appear in all copies.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington -
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington - PERFORMANCE OF THIS SOFTWARE.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington-->
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<!-- $Id: Bv9ARM.ch07.html,v 1.190 2009/03/06 01:12:32 tbox Exp $ -->
c2da4f9d8a153ffeb2b659541130abef2d586789Brian Wellington<html>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<head>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</head>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<div class="navheader">
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<table width="100%" summary="Navigation header">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<tr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="20%" align="left">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<th width="60%" align="center">�</th>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</tr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</table>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<hr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="chapter" lang="en">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="titlepage"><div><div><h2 class="title">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="toc">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p><b>Table of Contents</b></p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<dl>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599273"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<dd><dl>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599422">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599482">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</dl></dd>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</dl>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="sect1" lang="en">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Access Control Lists (ACLs) are address match lists that
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington etc.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Using ACLs allows you to have finer control over who can access
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington your name server, without cluttering up your config files with huge
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington lists of IP addresses.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington control access to your server. Limiting access to your server by
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington outside parties can help prevent spoofing and denial of service (DoS) attacks against
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington your server. Note, however, that an ACL matches only the source address
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington of a packet, which is not authenticated and is easily forged in UDP.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Use ACLs to reduce which operations (queries, recursion, zone transfers,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington notifies) outside parties can reach at all, and use cryptographic
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington authentication such as TSIG for operations that must be restricted
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington to particular parties.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Here is an example of how to properly apply ACLs:
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<pre class="programlisting">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington// Set up an ACL named "bogusnets" that will block RFC1918 space
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington// and some reserved space, which is commonly used in spoofing attacks.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington// Check this list against current IANA allocations before using it:
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington// prefixes that were unallocated when it was written may since have
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington// been assigned. Never include address space your own clients use,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington// because queries from a blackholed address are not answered at all,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington// whatever allow-query says.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonacl bogusnets {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington};
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson// Set up an ACL called our-nets. Replace this with the real IP numbers
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson// of the networks that should receive full service, including recursion.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonacl our-nets { x.x.x.x/24; x.x.x.x/21; };
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonoptions {
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ...
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ...
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington // Only our-nets may query this server by default or have it recurse
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington // on their behalf. allow-recursion is a server-wide setting that no
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington // zone statement can relax.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington allow-query { our-nets; };
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington allow-recursion { our-nets; };
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ...
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington // Packets from bogusnets are dropped without a response.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington blackhole { bogusnets; };
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ...
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington};
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellingtonzone "example.com" {
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence type master;
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence file "m/example.com";
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence // Anyone may query this zone's authoritative data: the zone-level
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence // allow-query overrides the global one for this zone only. Recursion
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence // is still limited to our-nets.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence allow-query { any; };
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence};
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence</pre>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<p>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence With this configuration, any address may query the authoritative data
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence in "example.com", because the zone-level <span><strong class="command">allow-query</strong></span>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence overrides the global one for that zone, but recursive queries are
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence answered only for clients in <span><strong class="command">our-nets</strong></span>:
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence <span><strong class="command">allow-recursion</strong></span> is a server-wide
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence setting that a zone statement cannot relax. Outside parties therefore
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence cannot use the server as an open resolver. If recursion has been
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence disabled altogether with <span><strong class="command">recursion no</strong></span>,
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence no client receives recursive service at all.
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence </p>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence<p>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence For more information on how to use ACLs to protect your server,
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson </p>
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson<p>
532989b206894bdaf6de6cb883d2e31169c4bfacAndreas Gustafsson <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
091329e690b20755aa80b86cc7389d25c5d32c9bBrian Wellington<div class="sect1" lang="en">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a name="id2599273"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</h2></div></div></div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington in a <span class="emphasis"><em>chrooted</em></span> environment (using
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington the <span><strong class="command">chroot()</strong></span> function) by specifying
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington This can help improve system security by placing
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington the damage done if a server is compromised. Note that
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">chroot()</strong></span> restricts only which part of
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington the filesystem <span><strong class="command">named</strong></span> can see; it does not
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington restrict network or other kernel access, and a process that still runs
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington as root can generally escape a chroot. For this reason
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "<code class="option">-t</code>" should always be combined with the
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington "<code class="option">-u</code>" option described below.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">named</strong></span> completes its privileged setup, such as
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington binding to port 53, before switching to that user. Use a dedicated account
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington that no other service shares. Running as an unprivileged user is strongly
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington recommended in general and essential when using the
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">chroot</strong></span> feature.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington user 202:
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="sect2" lang="en">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="titlepage"><div><div><h3 class="title">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a name="id2599422"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington In order for a <span><strong class="command">chroot</strong></span> environment
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington to work properly in a particular directory
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (for example, <code class="filename">/var/named</code>),
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington you will need to set up an environment that includes everything
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <acronym class="acronym">BIND</acronym> needs to run, and nothing more:
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington a shell, setuid binaries or writable system files placed inside the
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington chroot would hand an attacker who compromises
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">named</strong></span> exactly the tools the
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington sandbox is meant to withhold.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington the root of the filesystem. You will need to adjust the values of
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington options like <span><strong class="command">directory</strong></span> and
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">pid-file</strong></span> to account for this.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Unlike with earlier versions of BIND, you typically will
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington statically nor install shared libraries under the new root.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington However, depending on your operating system, you may need
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington to set up things like
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <code class="filename">/dev/zero</code>,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <code class="filename">/dev/random</code>,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <code class="filename">/dev/log</code>, and
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <code class="filename">/etc/localtime</code>.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="sect2" lang="en">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="titlepage"><div><div><h3 class="title">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a name="id2599482"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Prior to running the <span><strong class="command">named</strong></span> daemon,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington use the <span><strong class="command">touch</strong></span> utility (to create
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington the files in advance) or the <span><strong class="command">chown</strong></span>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington utility (to set the user id and/or group id) on files
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington to which you want <acronym class="acronym">BIND</acronym>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington to write, such as slave zone files, the journal files of dynamically
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington updated zones, the pid file and log files. Give the unprivileged user
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington write access to those files only. The configuration file, master zone
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington files and TSIG key files should stay read-only to that user (and key
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington files should not be readable by anyone else), so that a compromised
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">named</strong></span> cannot rewrite its own
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington configuration or the zones it serves.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<h3 class="title">Note</h3>
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence Note that if the <span><strong class="command">named</strong></span> daemon is running as an
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington unprivileged user, it will not be able to bind to new privileged
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington ports (those below 1024) if the server is reloaded, because the
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington privileges needed to do so were given up at startup. A configuration
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington change that needs a new privileged listening socket therefore requires
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington a full restart of <span><strong class="command">named</strong></span>, not a reload.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="sect1" lang="en">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Access to the dynamic
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington update facility should be strictly limited. In earlier versions of
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <acronym class="acronym">BIND</acronym>, the only way to do this was
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington based on the IP
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington address of the host requesting the update, by listing an IP address
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington or
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington network prefix in the <span><strong class="command">allow-update</strong></span>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington zone option.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington This method is insecure since the source address of the update UDP
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence packet
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence is easily forged. Also note that if the IP addresses allowed by the
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence <span><strong class="command">allow-update</strong></span> option include the
7332e47e11ceb87928f801b925269aa6a91838b1David Lawrence address of a slave
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington server which performs forwarding of dynamic updates, the master can
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington be
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington trivially attacked by sending the update to the slave, which will
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington forward it to the master with its own source IP address causing the
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington master to approve it without question.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington For these reasons, we strongly recommend that updates be
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cryptographically authenticated by means of transaction signatures
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington option should list only TSIG key names, not IP addresses or network
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington prefixes. A TSIG key is a shared secret: generate it with a
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington cryptographically random generator rather than choosing it by hand,
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington protect the key file from other users on both hosts, and use a separate
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington key for each updating client so that one key can be revoked without
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington affecting the others. Alternatively, the new
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington <span><strong class="command">update-policy</strong></span> option can be used;
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington it additionally restricts what each key may change, instead of granting
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington a key the right to update the whole zone.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington Some sites choose to keep all dynamically-updated DNS data
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington in a subdomain and delegate that subdomain to a separate zone. This
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington way, the top-level zone containing critical data such as the IP
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington addresses
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington of public web and mail servers need not allow dynamic update at
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington all.
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington </p>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<div class="navfooter">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<hr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<table width="100%" summary="Navigation footer">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<tr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="40%" align="left">
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="20%" align="center">�</td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</tr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<tr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</tr>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</table>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</div>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</body>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington</html>
1b4e6163bed546ca7f8ad186f3eabfebacc36bc1Brian Wellington