>BIND 9 Security Considerations</
TITLECONTENT="Modular DocBook HTML Stylesheet Version 1.61 TITLE="BIND 9 Administrator Reference Manual" TITLE="BIND 9 Configuration Reference" >BIND 9 Administrator Reference Manual</
TH> 9 Security Considerations</
A>Dynamic Update Security</
ANAME="Access_Control_Lists" >7.1. Access Control Lists</
A>Access Control Lists (ACLs), are address match lists that
you can set up and nickname for future use in <
B>Using ACLs allows you to have finer control over who can access
your nameserver, without cluttering up your config files with huge
lists of IP addresses.</
Pcontrol access to your server. Limiting access to your server by
outside parties can help prevent spoofing and DoS attacks against
>Here is an example of how to properly apply ACLs:</
P> // Set up an ACL named "bogusnets" that will block RFC1918 space,
// which is commonly used in spoofing attacks.
// Set up an ACL called our-nets. Replace this with the real IP numbers.
allow-query { our-nets; };
allow-recursion { our-nets; };
blackhole { bogusnets; };
>This allows recursive queries of the server from the outside
unless recursion has been previously disabled.</
P>For more information on how to use ACLs to protect your server,
>On UNIX servers, it is possible to run <
SPAN>) by specifying the "<
TToption. This can help improve system security by placing <
SPANa "sandbox," which will limit the damage done if a server is compromised.</
P>Another useful feature in the UNIX version of <
SPANability to run the daemon as a nonprivileged user ( <
TTWe suggest running as a nonprivileged user when using the <
B>Here is an example command line to load <
SPANwork properly in a particular directory
you will need to set up an environment that includes everything
the root of the filesystem. You will need to adjust the values of options like
> Unlike with earlier versions of BIND, you will typically
statically nor install shared libraries under the new root.
> utility (to change file access and
modification times) or the <
Bset the user id
and/
or group id) on files
to write. Note that if the <
Bnonprivileged user, it will not be able to bind to new restricted ports if the
NAME="dynamic_update_security" >7.3. Dynamic Update Security</
Aupdate facility should be strictly limited. In earlier versions of
> the only way to do this was based on the IP
address of the host requesting the update, by listing an IP address or
This method is insecure since the source address of the update UDP packet
is easily forged. Also note that if the IP addresses allowed by the
> option include the address of a slave
server which performs forwarding of dynamic updates, the master can be
trivially attacked by sending the update to the slave, which will
forward it to the master with its own source IP address causing the
master to approve it without question.</
P>For these reasons, we strongly recommend that updates be
cryptographically authenticated by means of transaction signatures
list only TSIG key names, not IP addresses or network
prefixes. Alternatively, the new <
B>Some sites choose to keep all dynamically updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP addresses
of public web and mail servers need not allow dynamic update at
> 9 Configuration Reference</
TD