Bv9ARM.ch07.html revision 8de0d8a6905e397ed0a26054815420685f9b435e
80833bb9a1bf25dcf19e814438a4b311d2e1f4cffuankg - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem - Copyright (C) 2000-2003 Internet Software Consortium.
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic - Permission to use, copy, modify, and/or distribute this software for any
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic - purpose with or without fee is hereby granted, provided that the above
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic - copyright notice and this permission notice appear in all copies.
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
d7205b1a86c51c27b71a2c458dc453fd53a261c1covener - PERFORMANCE OF THIS SOFTWARE.
44ff304057225e944e220e981d434a046d14cf06covener<!-- $Id: Bv9ARM.ch07.html,v 1.208 2009/10/11 01:14:49 tbox Exp $ -->
ea30bfa68d711e27206df00abb140174b4e65ed7ylavic<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
ea30bfa68d711e27206df00abb140174b4e65ed7ylavic<title>Chapter�7.�BIND 9 Security Considerations</title>
ea30bfa68d711e27206df00abb140174b4e65ed7ylavic<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
ea30bfa68d711e27206df00abb140174b4e65ed7ylavic<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
291eb44b3adaf8247425286615b4f4b69fbea274minfrin<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
291eb44b3adaf8247425286615b4f4b69fbea274minfrin<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
291eb44b3adaf8247425286615b4f4b69fbea274minfrin<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
5d1ba75b8794925e67591c209085a49279791de9covener<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
caad2986f81ab263f7af41467dd622dc9add17f3ylavic<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
caad2986f81ab263f7af41467dd622dc9add17f3ylavic<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
939a5386274c80af51ee9fff4b0ca29f0c799da5covener<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
2165214331e4afafca4048f66f303d0253d7b001covener<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
a34684a59b60a4173c25035d0c627ef17e6dc215rpluem<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2600468"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
08e054046d0c7e5532c66769ba80c69a7b4d8245ylavic<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2600685">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
08e054046d0c7e5532c66769ba80c69a7b4d8245ylavic<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2600745">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
9bfe773a084210dd794672fbfd3d6d401d7fe122ylavic<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
1e2d421a36999d292042a5539971070d54aa6c63ylavic<div class="titlepage"><div><div><h2 class="title" style="clear: both">
1e2d421a36999d292042a5539971070d54aa6c63ylavic<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh Access Control Lists (ACLs) are address match lists that
fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
0b67eb8568cd58bb77082703951679b42cf098actrawick <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
0b67eb8568cd58bb77082703951679b42cf098actrawick <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
0b67eb8568cd58bb77082703951679b42cf098actrawick <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
2165214331e4afafca4048f66f303d0253d7b001covener Using ACLs allows you to have finer control over who can access
06bb3e11d3e997937534ae7bd45b3631d3b5e5bacovener your name server, without cluttering up your config files with huge
5ef3c61605a3a021ff71f488983cb0065f8e1a79covener lists of IP addresses.
cf8b985ec0a63b15a1c8f2990d96009a11e0d68ecovener It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
cf8b985ec0a63b15a1c8f2990d96009a11e0d68ecovener control access to your server. Limiting access to your server by
cf8b985ec0a63b15a1c8f2990d96009a11e0d68ecovener outside parties can help prevent spoofing and denial of service (DoS) attacks against
6bbcfe3fb8489d6e87770d37d97b7a5cd4fabceeylavic your server.
6bbcfe3fb8489d6e87770d37d97b7a5cd4fabceeylavic Here is an example of how to properly apply ACLs:
3060ce7f798fbda7999cd4ddf89b525d2b294185covener// Set up an ACL named "bogusnets" that will block
c85eff31536e6bfef1537b2435564d48665435d3rpluem// RFC1918 space and some reserved space, which is
c85eff31536e6bfef1537b2435564d48665435d3rpluem// commonly used in spoofing attacks.
c85eff31536e6bfef1537b2435564d48665435d3rpluemacl bogusnets {
e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc// Set up an ACL called our-nets. Replace this with the
e466c40e1801982602ee0200c9e8b61cc148742djailletc// real IP numbers.
04983e3bd1754764eec7d6bb772fe3b0bf391771jorton allow-query { our-nets; };
04983e3bd1754764eec7d6bb772fe3b0bf391771jorton allow-recursion { our-nets; };
15660979a30d251681463de2e0584853890082accovener blackhole { bogusnets; };
cfd9415521847b2f9394fad04fb701cfb955f503rjung type master;
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe allow-query { any; };
28c31fb73c1264bd1d0ff932573677030b024c7dwrowe This allows recursive queries of the server from the outside
8491e0600f69b0405e156ea8a419653c065c645bcovener unless recursion has been previously disabled.
63b9f1f5880391261705f696d7d65507bbe9ace3covener For more information on how to use ACLs to protect your server,
87a26948305eab2bab8a4fb3f2a21f6725055790covener see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
4efd27d2bd53a819a194f8a942f8881c1927755eylavic <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
983528026996668ea295be95aedb9c7a346af470ylavic<div class="titlepage"><div><div><h2 class="title" style="clear: both">
983528026996668ea295be95aedb9c7a346af470ylavic<a name="id2600468"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
249ab52ef73a2b33446ae07904e3526b57251411ylavic On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
249ab52ef73a2b33446ae07904e3526b57251411ylavic in a <span class="emphasis"><em>chrooted</em></span> environment (using
1f0836d4b1a203c7b375daae691beb95f6036205ylavic the <span><strong class="command">chroot()</strong></span> function) by specifying
1f0836d4b1a203c7b375daae691beb95f6036205ylavic the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
1f0836d4b1a203c7b375daae691beb95f6036205ylavic This can help improve system security by placing
3b11e6ec1c5273d6a8968460db650e7ca99c49c0ylavic <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
3b11e6ec1c5273d6a8968460db650e7ca99c49c0ylavic the damage done if a server is compromised.
01402a0fbec8bd11f6c10d8ef9c9cceac68bb787ylavic Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
01402a0fbec8bd11f6c10d8ef9c9cceac68bb787ylavic ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
49dacedb6c387b786b7911082ff35121a45f414bcovener We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
49dacedb6c387b786b7911082ff35121a45f414bcovener Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
3c990331fc6702119e4f5b8ba9eae3021aea5265jim <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
fc42512879dd0504532f52fe5d0d0383dda96a1eniq <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq<a name="id2600685"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
da0442c0440caef34706e2c2f3af05cb65921cc0jailletc In order for a <span><strong class="command">chroot</strong></span> environment
da0442c0440caef34706e2c2f3af05cb65921cc0jailletc work properly in a particular directory
da0442c0440caef34706e2c2f3af05cb65921cc0jailletc (for example, <code class="filename">/var/named</code>),
06b8f183140c8e02e0974e938a05078b511d1603covener you will need to set up an environment that includes everything
06b8f183140c8e02e0974e938a05078b511d1603covener <acronym class="acronym">BIND</acronym> needs to run.
06b8f183140c8e02e0974e938a05078b511d1603covener From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem the root of the filesystem. You will need to adjust the values of
259878293a997ff49f5ddfc53d3739cbdc25444ecovener options like
259878293a997ff49f5ddfc53d3739cbdc25444ecovener like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin Unlike with earlier versions of BIND, you typically will
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin statically nor install shared libraries under the new root.
65967d05f839dbf27cf91d91fa79585eeae19660minfrin However, depending on your operating system, you may need
65967d05f839dbf27cf91d91fa79585eeae19660minfrin to set up things like
75f5c2db254c0167a0e396254460de09b775d203trawick<a name="id2600745"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
11f1871b90149f8af3bf4e884dcc404436686967ylavic Prior to running the <span><strong class="command">named</strong></span> daemon,
11f1871b90149f8af3bf4e884dcc404436686967ylavic the <span><strong class="command">touch</strong></span> utility (to change file
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph modification times) or the <span><strong class="command">chown</strong></span>
4f0358189bfa57b8e75bd6b94db264302a8f336amrumph utility (to
5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick to which you want <acronym class="acronym">BIND</acronym>
54d750a84a175d8e338880514d440773eb986b50covener<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
54d750a84a175d8e338880514d440773eb986b50covener Note that if the <span><strong class="command">named</strong></span> daemon is running as an
54d750a84a175d8e338880514d440773eb986b50covener unprivileged user, it will not be able to bind to new restricted
54d750a84a175d8e338880514d440773eb986b50covener ports if the server is reloaded.
54d750a84a175d8e338880514d440773eb986b50covener<div class="titlepage"><div><div><h2 class="title" style="clear: both">
54d750a84a175d8e338880514d440773eb986b50covener<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
4e30ef014533a7e93c92d88306291f5e49c9692ftrawick Access to the dynamic
83b50288fa7d306324bba68832011ea08f5c7832covener update facility should be strictly limited. In earlier versions of
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick <acronym class="acronym">BIND</acronym>, the only way to do this was
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick based on the IP
5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick address of the host requesting the update, by listing an IP address
2e15620d724fb8e3a5be183b917359a2fd6e9468covener network prefix in the <span><strong class="command">allow-update</strong></span>
2e15620d724fb8e3a5be183b917359a2fd6e9468covener zone option.
2e15620d724fb8e3a5be183b917359a2fd6e9468covener This method is insecure since the source address of the update UDP
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener is easily forged. Also note that if the IP addresses allowed by the
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener <span><strong class="command">allow-update</strong></span> option include the
1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener address of a slave
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener server which performs forwarding of dynamic updates, the master can
b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener trivially attacked by sending the update to the slave, which will
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd forward it to the master with its own source IP address causing the
f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd master to approve it without question.
179565be4043d7e5f9161aa75271fa0a001866d9covener For these reasons, we strongly recommend that updates be
179565be4043d7e5f9161aa75271fa0a001866d9covener cryptographically authenticated by means of transaction signatures
111436a32ba1254291e4883292fb116d15fe8f64covener (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener option should
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener list only TSIG key names, not IP addresses or network
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
fce4949fb0b309a5744afcd503c6ed2d35621ee2covener option can be used.
7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick Some sites choose to keep all dynamically-updated DNS data
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz in a subdomain and delegate that subdomain to a separate zone. This
ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz way, the top-level zone containing critical data such as the IP
273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza of public web and mail servers need not allow dynamic update at
ba050a6f942b9fa0e81ed73437588005c569655ccovener<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
ba050a6f942b9fa0e81ed73437588005c569655ccovener<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
135ddda3a989215d2bedbcf1529bfb269c3eda23niq<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>