Bv9ARM.ch07.html revision 93a5136c2b37df3232d2da4db2de60f29f6f1162
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - Copyright (C) 2000-2003 Internet Software Consortium.
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - Permission to use, copy, modify, and/or distribute this software for any
0c27b3fe77ac1d5094ba3521e8142d9e7973133fMark Andrews - purpose with or without fee is hereby granted, provided that the above
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - copyright notice and this permission notice appear in all copies.
28a8f5b0de57d269cf2845c69cb6abe18cbd3b3aMark Andrews - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt - PERFORMANCE OF THIS SOFTWARE.
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt<!-- $Id: Bv9ARM.ch07.html,v 1.249 2011/05/17 01:14:37 tbox Exp $ -->
f0a3b10baacb938d91bb59d86657be921b7463f8Evan Hunt<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt<title>Chapter�7.�BIND 9 Security Considerations</title>
dd2a0a6d2dec1c23787351e51b434a838dec5603Evan Hunt<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt<div class="titlepage"><div><div><h2 class="title">
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
d98850b876f251aa515e8b5f1a7eb300257c4a6eMark Andrews<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2602908"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603058">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603186">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<div class="titlepage"><div><div><h2 class="title" style="clear: both">
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Access Control Lists (ACLs) are address match lists that
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Using ACLs allows you to have finer control over who can access
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt your name server, without cluttering up your config files with huge
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt lists of IP addresses.
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt control access to your server. Limiting access to your server by
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt outside parties can help prevent spoofing and denial of service (DoS) attacks against
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt your server.
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews Here is an example of how to properly apply ACLs:
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt// Set up an ACL named "bogusnets" that will block
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt// RFC1918 space and some reserved space, which is
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt// commonly used in spoofing attacks.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Huntacl bogusnets {
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt// Set up an ACL called our-nets. Replace this with the
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt// real IP numbers.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt allow-query { our-nets; };
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt allow-recursion { our-nets; };
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt blackhole { bogusnets; };
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews type master;
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews allow-query { any; };
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt This allows recursive queries of the server from the outside
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt unless recursion has been previously disabled.
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews For more information on how to use ACLs to protect your server,
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt<a name="id2602908"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt in a <span class="emphasis"><em>chrooted</em></span> environment (using
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt the <span><strong class="command">chroot()</strong></span> function) by specifying
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt This can help improve system security by placing
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
2855e2772342e369cc8962659beac7b3001b4ec6Evan Hunt the damage done if a server is compromised.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<div class="titlepage"><div><div><h3 class="title">
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<a name="id2603058"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt In order for a <span><strong class="command">chroot</strong></span> environment
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt work properly in a particular directory
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews (for example, <code class="filename">/var/named</code>),
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt you will need to set up an environment that includes everything
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <acronym class="acronym">BIND</acronym> needs to run.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt the root of the filesystem. You will need to adjust the values of
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt options like
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Unlike with earlier versions of BIND, you typically will
c8175ece69d986ccd0671bc4d2571b247dfae177Automatic Updater <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt statically nor install shared libraries under the new root.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt However, depending on your operating system, you may need
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt to set up things like
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt<div class="titlepage"><div><div><h3 class="title">
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews<a name="id2603186"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Prior to running the <span><strong class="command">named</strong></span> daemon,
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt the <span><strong class="command">touch</strong></span> utility (to change file
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt modification times) or the <span><strong class="command">chown</strong></span>
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt to which you want <acronym class="acronym">BIND</acronym>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt Note that if the <span><strong class="command">named</strong></span> daemon is running as an
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt unprivileged user, it will not be able to bind to new restricted
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt ports if the server is reloaded.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<div class="titlepage"><div><div><h2 class="title" style="clear: both">
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Access to the dynamic
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt update facility should be strictly limited. In earlier versions of
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <acronym class="acronym">BIND</acronym>, the only way to do this was
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt based on the IP
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt address of the host requesting the update, by listing an IP address
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt network prefix in the <span><strong class="command">allow-update</strong></span>
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt zone option.
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt This method is insecure since the source address of the update UDP
c8175ece69d986ccd0671bc4d2571b247dfae177Automatic Updater is easily forged. Also note that if the IP addresses allowed by the
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt <span><strong class="command">allow-update</strong></span> option include the
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt address of a slave
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt server which performs forwarding of dynamic updates, the master can
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt trivially attacked by sending the update to the slave, which will
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt forward it to the master with its own source IP address causing the
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt master to approve it without question.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt For these reasons, we strongly recommend that updates be
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt cryptographically authenticated by means of transaction signatures
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
8bd5bcd2a786dfd501a39008be79187e77735e45Mark Andrews option should
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt list only TSIG key names, not IP addresses or network
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt option can be used.
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt Some sites choose to keep all dynamically-updated DNS data
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt in a subdomain and delegate that subdomain to a separate zone. This
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt way, the top-level zone containing critical data such as the IP
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt of public web and mail servers need not allow dynamic update at
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
b4d8192d210290112e07b0e22b491c45c50ba696Evan Hunt<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
ef421f66f47224a42073deaf087378c5d0c9952eEvan Hunt<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>