58N/A - Copyright (C) 2004-2014 Internet Systems Consortium, Inc. ("ISC") 58N/A - Copyright (C) 2000-2003 Internet Software Consortium. 58N/A - Permission to use, copy, modify, and/or distribute this software for any 58N/A - purpose with or without fee is hereby granted, provided that the above 58N/A - copyright notice and this permission notice appear in all copies. 58N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 58N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 58N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 58N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 58N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 58N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 58N/A - PERFORMANCE OF THIS SOFTWARE. 58N/A<
meta http-
equiv="Content-Type" content="text/html; charset=ISO-8859-1">
77N/A<
title>Chapter�7.�BIND 9 Security Considerations</
title>
58N/A<
meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
58N/A<
link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
58N/A<
link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
234N/A<
body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
639N/A<
table width="100%" summary="Navigation header">
639N/A<
tr><
th colspan="3" align="center">Chapter�7.�<
acronym class="acronym">BIND</
acronym> 9 Security Considerations</
th></
tr>
234N/A<
td width="20%" align="left">
234N/A<
th width="60%" align="center">�</
th>
112N/A<
div class="chapter" lang="en">
58N/A<
div class="titlepage"><
div><
div><
h2 class="title">
58N/A<
a name="Bv9ARM.ch07"></
a>Chapter�7.�<
acronym class="acronym">BIND</
acronym> 9 Security Considerations</
h2></
div></
div></
div>
77N/A<
p><
b>Table of Contents</
b></
p>
77N/A<
dt><
span class="sect1"><
a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</
a></
span></
dt>
58N/A<
dt><
span class="sect1"><
a href="Bv9ARM.ch07.html#id2607061"><
span><
strong class="command">Chroot</
strong></
span> and <
span><
strong class="command">Setuid</
strong></
span></
a></
span></
dt>
58N/A<
dt><
span class="sect2"><
a href="Bv9ARM.ch07.html#id2607210">The <
span><
strong class="command">chroot</
strong></
span> Environment</
a></
span></
dt>
773N/A<
dt><
span class="sect2"><
a href="Bv9ARM.ch07.html#id2607270">Using the <
span><
strong class="command">setuid</
strong></
span> Function</
a></
span></
dt>
58N/A<
dt><
span class="sect1"><
a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</
a></
span></
dt>
773N/A<
div class="sect1" lang="en">
773N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
58N/A<
a name="Access_Control_Lists"></
a>Access Control Lists</
h2></
div></
div></
div>
773N/A Access Control Lists (ACLs) are address match lists that
773N/A you can set up and nickname for future use in
773N/A <
span><
strong class="command">allow-notify</
strong></
span>, <
span><
strong class="command">allow-query</
strong></
span>,
58N/A <
span><
strong class="command">allow-query-on</
strong></
span>, <
span><
strong class="command">allow-recursion</
strong></
span>,
58N/A <
span><
strong class="command">blackhole</
strong></
span>, <
span><
strong class="command">allow-transfer</
strong></
span>,
58N/A <
span><
strong class="command">match-clients</
strong></
span>, etc.
65N/A Using ACLs allows you to have finer control over who can access
894N/A your name server, without cluttering up your config files with huge
77N/A lists of IP addresses.
125N/A It is a <
span class="emphasis"><
em>good idea</
em></
span> to use ACLs, and to
112N/A control access to your server. Limiting access to your server by
129N/A outside parties can help prevent spoofing and denial of service
129N/A (DoS) attacks against your server.
318N/A ACLs match clients on the basis of up to three characteristics:
144N/A 1) The client's IP address; 2) the TSIG or SIG(0) key that was
173N/A used to sign the request, if any; and 3) an address prefix
253N/A encoded in an EDNS Client Subnet option, if any.
480N/A Here is an example of ACLs based on client addresses:
816N/A<
pre class="programlisting">
833N/A// Set up an ACL named "bogusnets" that will block
833N/A// RFC1918 space and some reserved space, which is
993N/A// commonly used in spoofing attacks.
993N/A// Set up an ACL called our-nets. Replace this with the
816N/A allow-query { our-nets; };
58N/A allow-recursion { our-nets; };
773N/A blackhole { bogusnets; };
129N/A address, but recursive queries only from the networks specified
129N/A in "our-nets", and no queries at all from the networks
129N/A specified in "bogusnets".
144N/A In addition to network addresses and prefixes, which are
173N/A matched against the source address of the DNS request, ACLs
253N/A may include <
code class="option">key</
code> elements, which specify the
296N/A name of a TSIG or SIG(0) key, or <
code class="option">ecs</
code>
335N/A elements, which specify a network prefix but are only matched
480N/A if that prefix matches an EDNS client subnet option included
58N/A The EDNS Client Subnet (ECS) option is used by a recursive
937N/A resolver to inform an authoritative name server of the network
58N/A address block from which the original query was received, enabling
58N/A authoritative servers to give different answers to the same
58N/A resolver for different resolver clients. An ACL containing
58N/A <
span><
strong class="command">ecs <
em class="replaceable"><
code>prefix</
code></
em></
strong></
span>
58N/A will match if a request arrives in containing an ECS option
58N/A encoding an address within that prefix. If the request has no
937N/A ECS option, then "ecs" elements are simply ignored. Addresses
816N/A in ACLs that are not prefixed with "ecs" are matched only
816N/A against the source address.
816N/A When <
acronym class="acronym">BIND</
acronym> 9 is built with GeoIP support,
816N/A ACLs can also be used for geographic access restrictions.
816N/A This is done by specifying an ACL element of the form:
816N/A <
span><
strong class="command">geoip [<
span class="optional">db <
em class="replaceable"><
code>database</
code></
em></
span>] <
em class="replaceable"><
code>field</
code></
em> <
em class="replaceable"><
code>value</
code></
em></
strong></
span>
816N/A The <
em class="replaceable"><
code>field</
code></
em> indicates which field
816N/A to search for a match. Available fields are "country",
816N/A "region", "city", "continent", "postal" (postal code),
816N/A "metro" (metro code), "area" (area code), "tz" (timezone),
816N/A "isp", "org", "asnum", "domain" and "netspeed".
773N/A <
em class="replaceable"><
code>value</
code></
em> is the value to search
773N/A for within the database. A string may be quoted if it
773N/A contains spaces or other special characters. If this is
773N/A an "asnum" search, then the leading "ASNNNN" string can be
58N/A used, otherwise the full description must be used (
e.g. 58N/A "ASNNNN Example Company Name"). If this is a "country"
58N/A search and the string is two characters long, then it must
773N/A be a standard ISO-3166-1 two-letter country code, and if it
773N/A is three characters long then it must be an ISO-3166-1
773N/A three-letter country code; otherwise it is the full name
773N/A of the country. Similarly, if this is a "region" search
773N/A and the string is two characters long, then it must be a
58N/A standard two-letter state or province abbreviation;
58N/A otherwise it is the full name of the state or province.
773N/A The <
em class="replaceable"><
code>database</
code></
em> field indicates which
773N/A GeoIP database to search for a match. In most cases this is
773N/A unnecessary, because most search fields can only be found in
773N/A a single database. However, searches for country can be
773N/A answered from the "city", "region", or "country" databases,
773N/A and searches for region (
i.e., state or province) can be
773N/A answered from the "city" or "region" databases. For these
773N/A search types, specifying a <
em class="replaceable"><
code>database</
code></
em>
58N/A will force the query to be answered from that database and no
58N/A other. If <
em class="replaceable"><
code>database</
code></
em> is not
58N/A specified, then these queries will be answered from the "city",
773N/A database if it is installed, or the "region" database if it is
773N/A installed, or the "country" database, in that order.
773N/A By default, if a DNS query includes an EDNS Client Subnet (ECS)
773N/A option which encodes a non-zero address prefix, then GeoIP ACLs
773N/A will be matched against that address prefix. Otherwise, they
58N/A are matched against the source address of the query. To
58N/A prevent GeoIP ACLs from matching against ECS options, set
58N/A the <
span><
strong class="command">geoip-use-ecs</
strong></
span> to <
code class="literal">no</
code>.
773N/A Some example GeoIP ACLs:
773N/A<
pre class="programlisting">geoip country US;
773N/Ageoip db country country Canada;
773N/Ageoip db region region WA;
773N/Ageoip city "San Francisco";
773N/Ageoip org "Internet Systems Consortium";
773N/A ACLs use a "first-match" logic rather than "best-match":
773N/A if an address prefix matches an ACL element, then that ACL
773N/A is considered to have matched even if a later element would
773N/A have matched more specifically. For example, the ACL
773N/A <
span><
strong class="command"> { 10/8; !10.0.0.1; }</
strong></
span> would actually
773N/A match a query from 10.0.0.1, because the first element
773N/A indicated that the query should be accepted, and the second
58N/A When using "nested" ACLs (that is, ACLs included or referenced
58N/A within other ACLs), a negative match of a nested ACL will
937N/A the containing ACL to continue looking for matches. This
58N/A enables complex ACLs to be constructed, in which multiple
58N/A client characteristics can be checked at the same time. For
58N/A example, to construct an ACL which allows queries only when
937N/A it originates from a particular network <
span class="emphasis"><
em>and</
em></
span>
58N/A only when it is signed with a particular key, use:
58N/A<
pre class="programlisting">
937N/Aallow-query { !{ !10/8; any; }; key example; };
58N/A Within the nested ACL, any address that is
937N/A <
span class="emphasis"><
em>not</
em></
span> in the 10/8 network prefix will
58N/A be rejected, and this will terminate processing of the
58N/A ACL. Any address that <
span class="emphasis"><
em>is</
em></
span> in the 10/8
58N/A network prefix will be accepted, but this causes a negative
937N/A match of the nested ACL, so the containing ACL continues
58N/A processing. The query will then be accepted if it is signed
58N/A by the key "example", and rejected otherwise. The ACL, then,
58N/A will only matches when <
span class="emphasis"><
em>both</
em></
span> conditions
58N/A<
div class="sect1" lang="en">
937N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
664N/A<
a name="id2607061"></
a><
span><
strong class="command">Chroot</
strong></
span> and <
span><
strong class="command">Setuid</
strong></
span>
58N/A</
h2></
div></
div></
div>
937N/A On UNIX servers, it is possible to run <
acronym class="acronym">BIND</
acronym>
58N/A in a <
span class="emphasis"><
em>chrooted</
em></
span> environment (using
58N/A the <
span><
strong class="command">chroot()</
strong></
span> function) by specifying
58N/A the "<
code class="option">-t</
code>" option for <
span><
strong class="command">named</
strong></
span>.
937N/A This can help improve system security by placing
58N/A <
acronym class="acronym">BIND</
acronym> in a "sandbox", which will limit
58N/A the damage done if a server is compromised.
65N/A Another useful feature in the UNIX version of <
acronym class="acronym">BIND</
acronym> is the
65N/A ability to run the daemon as an unprivileged user ( <
code class="option">-u</
code> <
em class="replaceable"><
code>user</
code></
em> ).
65N/A We suggest running as an unprivileged user when using the <
span><
strong class="command">chroot</
strong></
span> feature.
65N/A Here is an example command line to load <
acronym class="acronym">BIND</
acronym> in a <
span><
strong class="command">chroot</
strong></
span> sandbox,
65N/A <
span><
strong class="command">/
var/
named</
strong></
span>, and to run <
span><
strong class="command">named</
strong></
span> <
span><
strong class="command">setuid</
strong></
span> to
77N/A<
div class="sect2" lang="en">
77N/A<
div class="titlepage"><
div><
div><
h3 class="title">
77N/A<
a name="id2607210"></
a>The <
span><
strong class="command">chroot</
strong></
span> Environment</
h3></
div></
div></
div>
99N/A In order for a <
span><
strong class="command">chroot</
strong></
span> environment
99N/A work properly in a particular directory
99N/A you will need to set up an environment that includes everything
99N/A <
acronym class="acronym">BIND</
acronym> needs to run.
99N/A From <
acronym class="acronym">BIND</
acronym>'s point of view, <
code class="filename">/
var/
named</
code> is
99N/A the root of the filesystem. You will need to adjust the values of
99N/A like <
span><
strong class="command">directory</
strong></
span> and <
span><
strong class="command">pid-file</
strong></
span> to account
99N/A Unlike with earlier versions of BIND, you typically will
99N/A <
span class="emphasis"><
em>not</
em></
span> need to compile <
span><
strong class="command">named</
strong></
span>
937N/A statically nor install shared libraries under the new root.
125N/A However, depending on your operating system, you may need
106N/A<
div class="sect2" lang="en">
937N/A<
div class="titlepage"><
div><
div><
h3 class="title">
106N/A<
a name="id2607270"></
a>Using the <
span><
strong class="command">setuid</
strong></
span> Function</
h3></
div></
div></
div>
106N/A Prior to running the <
span><
strong class="command">named</
strong></
span> daemon,
106N/A the <
span><
strong class="command">touch</
strong></
span> utility (to change file
106N/A modification times) or the <
span><
strong class="command">chown</
strong></
span>
112N/A to which you want <
acronym class="acronym">BIND</
acronym>
112N/A<
div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
112N/A<
h3 class="title">Note</
h3>
112N/A Note that if the <
span><
strong class="command">named</
strong></
span> daemon is running as an
129N/A unprivileged user, it will not be able to bind to new restricted
129N/A ports if the server is reloaded.
129N/A<
div class="sect1" lang="en">
129N/A<
div class="titlepage"><
div><
div><
h2 class="title" style="clear: both">
129N/A<
a name="dynamic_update_security"></
a>Dynamic Update Security</
h2></
div></
div></
div>
129N/A update facility should be strictly limited. In earlier versions of
129N/A <
acronym class="acronym">BIND</
acronym>, the only way to do this was
129N/A address of the host requesting the update, by listing an IP address
129N/A network prefix in the <
span><
strong class="command">allow-update</
strong></
span>
129N/A This method is insecure since the source address of the update UDP
129N/A is easily forged. Also note that if the IP addresses allowed by the
129N/A <
span><
strong class="command">allow-update</
strong></
span> option include the
129N/A server which performs forwarding of dynamic updates, the master can
937N/A trivially attacked by sending the update to the slave, which will
318N/A forward it to the master with its own source IP address causing the
318N/A master to approve it without question.
318N/A For these reasons, we strongly recommend that updates be
318N/A cryptographically authenticated by means of transaction signatures
318N/A (TSIG). That is, the <
span><
strong class="command">allow-update</
strong></
span>
318N/A list only TSIG key names, not IP addresses or network
318N/A prefixes. Alternatively, the new <
span><
strong class="command">update-policy</
strong></
span>
318N/A Some sites choose to keep all dynamically-updated DNS data
318N/A in a subdomain and delegate that subdomain to a separate zone. This
144N/A way, the top-level zone containing critical data such as the IP
144N/A of public web and mail servers need not allow dynamic update at
173N/A<
table width="100%" summary="Navigation footer">
173N/A<
td width="40%" align="left">
173N/A<
td width="20%" align="center">�</
td>
253N/A<
td width="40%" align="left" valign="top">Chapter�6.�<
acronym class="acronym">BIND</
acronym> 9 Configuration Reference�</
td>
253N/A<
td width="20%" align="center"><
a accesskey="h" href="Bv9ARM.html">Home</
a></
td>
253N/A<
td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</
td>
253N/A<
p style="text-align: center;">BIND 9.11.0pre-alpha</
p>