9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews<!--
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews - Copyright (C) 2000-2016 Internet Systems Consortium, Inc. ("ISC")
eae67738cba5ca069e9d1d4e7b836a2f7b00a374Mark Andrews -
eae67738cba5ca069e9d1d4e7b836a2f7b00a374Mark Andrews - This Source Code Form is subject to the terms of the Mozilla Public
2a40fdc2d34adb8a5c72a748449699666032d461Mark Andrews - License, v. 2.0. If a copy of the MPL was not distributed with this
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews - file, You can obtain one at http://mozilla.org/MPL/2.0/.
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews-->
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<html lang="en">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<head>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<meta name="generator" content="DocBook XSL Stylesheets V1.78.1">
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews<link rel="home" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews</head>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="navheader">
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<table width="100%" summary="Navigation header">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<tr>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<td width="20%" align="left">
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<th width="60%" align="center">&nbsp;</th>
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews</td>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson</tr>
b6617c5adad7f12e5fcde1e873f7b982d247fe05Mark Andrews</table>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<hr>
a3b428812703d22a605a9f882e71ed65f0ffdc65Mark Andrews</div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="chapter">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<div class="titlepage"><div><div><h1 class="title">
c6d4f781529d2f28693546b25b2967d44ec89e60Mark Andrews<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h1></div></div></div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<div class="toc">
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews<p><b>Table of Contents</b></p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dl class="toc">
c069a20053d41ae299eb9457e50ea44ae9f73ed2Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot_and_setuid"><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span></a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dd><dl>
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews<dt><span class="section"><a href="Bv9ARM.ch07.html#chroot">The <span class="command"><strong>chroot</strong></span> Environment</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch07.html#setuid">Using the <span class="command"><strong>setuid</strong></span> Function</a></span></dt>
3f6174bffe227be44e241a29d186add00c032ff6Mark Andrews</dl></dd>
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews<dt><span class="section"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews</dl>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews</div>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <div class="section">
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews<div class="titlepage"><div><div><h2 class="title" style="clear: both">
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson Access Control Lists (ACLs) are address match lists that
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews you can set up and nickname for future use in
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>allow-notify</strong></span>, <span class="command"><strong>allow-query</strong></span>,
26a77b80bb7ee886c6fa704348d5e80a011d8811Mark Andrews <span class="command"><strong>allow-query-on</strong></span>, <span class="command"><strong>allow-recursion</strong></span>,
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <span class="command"><strong>blackhole</strong></span>, <span class="command"><strong>allow-transfer</strong></span>,
7e5b2100ea65658a7ec3795919b4ecd29a6f118aMark Andrews <span class="command"><strong>match-clients</strong></span>, etc.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews Using ACLs allows you to have finer control over who can access
62ee2c9f460d2e2e45dcf1abc8b4b4a4a43f5618Mark Andrews your name server, without cluttering up your config files with huge
e086341ea57e618a60c9f166b95daee1fab71b3bMark Andrews lists of IP addresses.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews control access to your server. Limiting access to your server by
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson outside parties can help prevent spoofing and denial of service
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews (DoS) attacks against your server.
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews </p>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson <p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews ACLs match clients on the basis of up to three characteristics:
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson 1) The client's IP address; 2) the TSIG or SIG(0) key that was
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews used to sign the request, if any; and 3) an address prefix
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington encoded in an EDNS Client Subnet option, if any.
c25080dc50542213058c240226c9f342186e6285Mark Andrews </p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <p>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews Here is an example of ACLs based on client addresses:
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews </p>
dd9ad704c3800e3ab07ede8595871eac79984871Mark Andrews
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews<pre class="programlisting">
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews// Set up an ACL named "bogusnets" that will block
ab81f57ca0c3addfec3df3babdcea9644757cf23Mark Andrews// RFC1918 space and some reserved space, which is
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews// commonly used in spoofing attacks.
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrewsacl bogusnets {
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
413988c8166976498250c0ebb2e3a645d0366bd3Mark Andrews 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews};
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews// Set up an ACL called our-nets. Replace this with the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews// real IP numbers.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewsacl our-nets { x.x.x.x/24; x.x.x.x/21; };
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrewsoptions {
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews ...
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews ...
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews allow-query { our-nets; };
642e0716c8b4ab82ebc8e60f94c9e897ee89f19aMark Andrews allow-recursion { our-nets; };
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews ...
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews blackhole { bogusnets; };
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews ...
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews};
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrewszone "example.com" {
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews type master;
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews file "m/example.com";
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews allow-query { any; };
d3a3e690ab1f87fa02b3fa77be5ddea5c1fe0cd4Mark Andrews};
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews</pre>
d56e188030368b835122d759ebbf8d9613c166f4Mark Andrews
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews <p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews This allows authoritative queries for "example.com" from any
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews address, but recursive queries only from the networks specified
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews in "our-nets", and no queries at all from the networks
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews specified in "bogusnets".
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews </p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews In addition to network addresses and prefixes, which are
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews matched against the source address of the DNS request, ACLs
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews may include <code class="option">key</code> elements, which specify the
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews name of a TSIG or SIG(0) key, or <code class="option">ecs</code>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews elements, which specify a network prefix but are only matched
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews if that prefix matches an EDNS client subnet option included
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews in the request.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <p>
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews The EDNS Client Subnet (ECS) option is used by a recursive
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews resolver to inform an authoritative name server of the network
dd9ad704c3800e3ab07ede8595871eac79984871Mark Andrews address block from which the original query was received, enabling
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews authoritative servers to give different answers to the same
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews resolver for different resolver clients. An ACL containing
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews an element of the form
46e873c835bf7d9ec3e1097e0aceb8db5b1ae93aMark Andrews <span class="command"><strong>ecs <em class="replaceable"><code>prefix</code></em></strong></span>
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews will match if a request arrives containing an ECS option
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews encoding an address within that prefix. If the request has no
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews ECS option, then "ecs" elements are simply ignored. Addresses
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in ACLs that are not prefixed with "ecs" are matched only
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews against the source address.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews </p>
62ee2c9f460d2e2e45dcf1abc8b4b4a4a43f5618Mark Andrews <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews<h3 class="title">Note</h3>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews (Note: The authoritative ECS implementation in
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews <span class="command"><strong>named</strong></span> is based on an early version of the
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson specification, and is known to have incompatibilities with
ea206aebcafe1ed5d470dd99daab9a1cedc81c7cMark Andrews other implementations. It is also inefficient, requiring
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews a separate view for each client subnet to be sent different
ca12f7f4cf72e2368ee946f3eb4915ab73576cdcMark Andrews answers, and it is unable to correct for overlapping subnets in
7e1a8f402e3881388db37152f71c698cb1f1c426Mark Andrews the configuration. It can be used for testing purposes, but is
1eb1e1e838d2ea00b166c918bf50764a95826be8Mark Andrews not recommended for production use.)
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews </div>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <p>
c718d15a9a95054ee3c71540c02335426071fc6dMark Andrews When <acronym class="acronym">BIND</acronym> 9 is built with GeoIP support,
605bd686e437162b5ab65ac4e7c1be0bba1886ddMark Andrews ACLs can also be used for geographic access restrictions.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews This is done by specifying an ACL element of the form:
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <span class="command"><strong>geoip [<span class="optional">db <em class="replaceable"><code>database</code></em></span>] <em class="replaceable"><code>field</code></em> <em class="replaceable"><code>value</code></em></strong></span>
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington The <em class="replaceable"><code>field</code></em> indicates which field
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews to search for a match. Available fields are "country",
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews "region", "city", "continent", "postal" (postal code),
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews "metro" (metro code), "area" (area code), "tz" (timezone),
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews "isp", "org", "asnum", "domain" and "netspeed".
ed178efa9ab8f813538fce4ff603b81ded9f1799Mark Andrews </p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <p>
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews <em class="replaceable"><code>value</code></em> is the value to search
6b5c57e52ac8c3e0af1547be3140ebbfb41a85b3Mark Andrews for within the database. A string may be quoted if it
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews contains spaces or other special characters. If this is
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews an "asnum" search, then the leading "ASNNNN" string can be
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews used, otherwise the full description must be used (e.g.
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews "ASNNNN Example Company Name"). If this is a "country"
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews search and the string is two characters long, then it must
c651f15b30f1dae5cc2f00878fb5da5b3a35a468Mark Andrews be a standard ISO-3166-1 two-letter country code, and if it
e076d0c88be69de7c190ab924d095e69d2e11f7aAndreas Gustafsson is three characters long then it must be an ISO-3166-1
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews three-letter country code; otherwise it is the full name
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews of the country. Similarly, if this is a "region" search
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews and the string is two characters long, then it must be a
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews standard two-letter state or province abbreviation;
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews otherwise it is the full name of the state or province.
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson </p>
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews <p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews The <em class="replaceable"><code>database</code></em> field indicates which
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews GeoIP database to search for a match. In most cases this is
91216cff91b34c9ff6e846dc23f248219cafe660Andreas Gustafsson unnecessary, because most search fields can only be found in
821d2613356f81e5bb5c107288d6d5cf35c2a1e8Mark Andrews a single database. However, searches for country can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington answered from the "city", "region", or "country" databases,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington and searches for region (i.e., state or province) can be
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington answered from the "city" or "region" databases. For these
282e38d96feb488fddbbc0b0409491094786977fMark Andrews search types, specifying a <em class="replaceable"><code>database</code></em>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews will force the query to be answered from that database and no
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews other. If <em class="replaceable"><code>database</code></em> is not
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews specified, then these queries will be answered from the "city"
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews database if it is installed, or the "region" database if it is
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews installed, or the "country" database, in that order.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews </p>
abf32d940f8f674b3971ef41b306a01b3da8d2cfMark Andrews <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington By default, if a DNS query includes an EDNS Client Subnet (ECS)
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews option which encodes a non-zero address prefix, then GeoIP ACLs
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington will be matched against that address prefix. Otherwise, they
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington are matched against the source address of the query. To
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington prevent GeoIP ACLs from matching against ECS options, set
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the <span class="command"><strong>geoip-use-ecs</strong></span> option to <code class="literal">no</code>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Some example GeoIP ACLs:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <pre class="programlisting">geoip country US;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip country JAP;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip db country country Canada;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip db region region WA;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip city "San Francisco";
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip region Oklahoma;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip postal 95062;
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip tz "America/Los_Angeles";
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtongeoip org "Internet Systems Consortium";
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ACLs use a "first-match" logic rather than "best-match":
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington if an address prefix matches an ACL element, then that ACL
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington is considered to have matched even if a later element would
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington have matched more specifically. For example, the ACL
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong> { 10/8; !10.0.0.1; }</strong></span> would actually
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington match a query from 10.0.0.1, because the first element
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington indicated that the query should be accepted, and the second
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington element is ignored.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington When using "nested" ACLs (that is, ACLs included or referenced
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington within other ACLs), a negative match of a nested ACL will cause
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the containing ACL to continue looking for matches. This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington enables complex ACLs to be constructed, in which multiple
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington client characteristics can be checked at the same time. For
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington example, to construct an ACL which allows queries only when
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington it originates from a particular network <span class="emphasis"><em>and</em></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington only when it is signed with a particular key, use:
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <pre class="programlisting">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellingtonallow-query { !{ !10/8; any; }; key example; };
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</pre>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Within the nested ACL, any address that is
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="emphasis"><em>not</em></span> in the 10/8 network prefix will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington be rejected, and this will terminate processing of the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington ACL. Any address that <span class="emphasis"><em>is</em></span> in the 10/8
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington network prefix will be accepted, but this causes a negative
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington match of the nested ACL, so the containing ACL continues
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington processing. The query will then be accepted if it is signed
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews by the key "example", and rejected otherwise. The ACL, then,
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews will only match when <span class="emphasis"><em>both</em></span> conditions
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington are true.
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington </p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington </div>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <div class="section">
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington<div class="titlepage"><div><div><h2 class="title" style="clear: both">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="chroot_and_setuid"></a><span class="command"><strong>Chroot</strong></span> and <span class="command"><strong>Setuid</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</h2></div></div></div>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington <p>
d4ef65050feac78554addf6e16a06c6e2e0bd331Brian Wellington On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews in a <span class="emphasis"><em>chrooted</em></span> environment (using
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the <span class="command"><strong>chroot()</strong></span> function) by specifying
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews the <code class="option">-t</code> option for <span class="command"><strong>named</strong></span>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington This can help improve system security by placing
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington the damage done if a server is compromised.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews <p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews We suggest running as an unprivileged user when using the <span class="command"><strong>chroot</strong></span> feature.
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews </p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span class="command"><strong>chroot</strong></span> sandbox,
68baa2d193672c482b7ea07ece349e7b1ceb96e6Mark Andrews <span class="command"><strong>/var/named</strong></span>, and to run <span class="command"><strong>named</strong></span> <span class="command"><strong>setuid</strong></span> to
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews user 202:
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews </p>
67a0e14fa9c3c160116f0671f4ac5874306b1150Mark Andrews <p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews </p>
a9789e288ee11ae4315e27235c33bae5405bd7c4Mark Andrews
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <div class="section">
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="chroot"></a>The <span class="command"><strong>chroot</strong></span> Environment</h3></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington In order for a <span class="command"><strong>chroot</strong></span> environment
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to work properly in a particular directory (for example,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">/var/named</code>), you will need to set
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington up an environment that includes everything
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <acronym class="acronym">BIND</acronym> needs to run. From
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <acronym class="acronym">BIND</acronym>'s point of view,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">/var/named</code> is the root of the
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington filesystem. You will need to adjust the values of
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington options like <span class="command"><strong>directory</strong></span> and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="command"><strong>pid-file</strong></span> to account for this.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Unlike with earlier versions of BIND, you typically will
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <span class="emphasis"><em>not</em></span> need to compile <span class="command"><strong>named</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington statically nor install shared libraries under the new root.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington However, depending on your operating system, you may need
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington to set up things like
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">/dev/zero</code>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">/dev/random</code>,
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">/dev/log</code>, and
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <code class="filename">/etc/localtime</code>.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews </div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <div class="section">
01bf5871f8861eb805dd8ca79bdb9b0b9e4e6a5eMark Andrews<div class="titlepage"><div><div><h3 class="title">
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews<a name="setuid"></a>Using the <span class="command"><strong>setuid</strong></span> Function</h3></div></div></div>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews <p>
          Before running the <span class="command"><strong>named</strong></span> daemon,
          use the <span class="command"><strong>touch</strong></span> utility (to change
          file access and modification times) or the
          <span class="command"><strong>chown</strong></span> utility (to set the user ID
          and/or group ID) on the files to which you want
          <acronym class="acronym">BIND</acronym> to write, so that they are writable
          by the unprivileged user that <span class="command"><strong>named</strong></span>
          will run as.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<h3 class="title">Note</h3>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<p>
            If the <span class="command"><strong>named</strong></span> daemon is running as an
            unprivileged user, it will not be able to bind to any new restricted
            ports when the server is reloaded, because it no longer has the
            privileges required to do so.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <div class="section">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="titlepage"><div><div><h2 class="title" style="clear: both">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p>
          Access to the dynamic update facility should be strictly limited.
          In earlier versions of <acronym class="acronym">BIND</acronym>, the only
          way to do this was based on the IP address of the host requesting the
          update, by listing an IP address or network prefix in the
          <span class="command"><strong>allow-update</strong></span> zone option.
          This method is insecure, since the source address of the update UDP
          packet is easily forged. Note also that if the IP addresses allowed by
          the <span class="command"><strong>allow-update</strong></span> option
          include the address of a slave server which forwards dynamic updates,
          the master can be trivially attacked: an update sent to the slave is
          forwarded to the master with the slave's own source IP address, and
          the master approves it without question.
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews </p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews <p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews For these reasons, we strongly recommend that updates be
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews cryptographically authenticated by means of transaction signatures
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews (TSIG). That is, the <span class="command"><strong>allow-update</strong></span>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews option should
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington list only TSIG key names, not IP addresses or network
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews prefixes. Alternatively, the new <span class="command"><strong>update-policy</strong></span>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington option can be used.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington <p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington Some sites choose to keep all dynamically-updated DNS data
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington in a subdomain and delegate that subdomain to a separate zone. This
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington way, the top-level zone containing critical data such as the IP
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington addresses
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington of public web and mail servers need not allow dynamic update at
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington all.
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </p>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington </div>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<div class="navfooter">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<hr>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<table width="100%" summary="Navigation footer">
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<tr>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
bf54ac86eeddce16b67c525d38d1096cc956f478Mark Andrews</td>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews</tr>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews</tr>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</table>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</div>
eaccf5e805405de257b5a4840256c580fefe00e3Mark Andrews<p xmlns:db="http://docbook.org/ns/docbook" style="text-align: center;">BIND 9.11.1rc3</p>
068a66979695c77359e7a9181bb3f831c965b21cMark Andrews</body>
9e3a7b0faf417a10f5f689edf288807b2d5eedc5Brian Wellington</html>
75216e007570b8ea36b3ac9cca096bf70c0ca6f6Mark Andrews