Bv9ARM.ch07.html revision ab8729140b1ad688ab03e1e9ce438fb1cbb49222
<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.158 2008/03/15 01:11:44 tbox Exp $ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2593736"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593813">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2593873">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
      Access Control Lists (ACLs) are address match lists that
      you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
      <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
      <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
      <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
      etc.
    </p>
<p>
      Using ACLs allows you to have finer control over who can access
      your name server, without cluttering up your config files with huge
      lists of IP addresses.
    </p>
<p>
      It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
      control access to your server. Limiting access to your server by
      outside parties can help prevent spoofing and denial of service (DoS) attacks against
      your server.
    </p>
<p>
      Here is an example of how to properly apply ACLs:
    </p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
// 1.0.0.0/8 and 2.0.0.0/8 were unallocated when this list was written
// and have since been assigned; check the current IANA IPv4 registry
// before blackholing them.
acl bogusnets {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };

options {
  ...
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  ...
  blackhole { bogusnets; };
  ...
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</pre>
<p>
      This allows recursive queries of the server from the outside
      unless recursion has been previously disabled.
    </p>
<p>
      For more information on how to use ACLs to protect your server,
      see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
    </p>
<p>
      <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
    </p>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2593736"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
      On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
      (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
      option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
      a "sandbox", which will limit the damage done if a server is
      compromised.
    </p>
<p>
      Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
      ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
      We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
    </p>
<p>
      Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
      <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
      user 202:
    </p>
<p>
      <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
    </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2593813"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
        In order for a <span><strong class="command">chroot</strong></span> environment
        to work properly in a particular directory
        (for example, <code class="filename">/var/named</code>),
        you will need to set up an environment that includes everything
        <acronym class="acronym">BIND</acronym> needs to run.
        From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
        the root of the filesystem. You will need to adjust the values of
        options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
        for this.
      </p>
<p>
        Unlike with earlier versions of BIND, you typically will
        <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
        statically nor install shared libraries under the new root.
        However, depending on your operating system, you may need
        to set up things like
        <code class="filename">/dev/zero</code>,
        <code class="filename">/dev/random</code>,
        <code class="filename">/dev/log</code>, and
        <code class="filename">/etc/localtime</code>.
      </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2593873"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
        Prior to running the <span><strong class="command">named</strong></span> daemon,
        use the <span><strong class="command">touch</strong></span> utility (to change file
        access and modification times) or the <span><strong class="command">chown</strong></span>
        utility (to set the user id and/or group id) on files
        to which you want <acronym class="acronym">BIND</acronym>
        to write.
      </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
          Note that if the <span><strong class="command">named</strong></span> daemon is running as an
          unprivileged user, it will not be able to bind to new restricted
          ports if the server is reloaded.
        </div>
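<p>
        The preparation steps from the two subsections above can be checked before
        <span><strong class="command">named</strong></span> is started with <code class="option">-t</code> and <code class="option">-u</code>.
        The following is an added example, not part of BIND or of the original manual; the function names and the
        list of writable paths are assumptions chosen for illustration.
      </p>

```python
import os
import tempfile

# Paths the manual lists as possibly required inside the chroot (OS dependent).
OS_PATHS = ("/dev/zero", "/dev/random", "/dev/log", "/etc/localtime")


def inside(root, path):
    """Translate a path as named sees it after chroot into the host path."""
    return os.path.join(root, path.lstrip("/"))


def preflight(root, uid, writable, needed=OS_PATHS):
    """Return findings for chroot directory `root` and run-as `uid`.

    `writable` holds chroot-relative paths named must write to; the caller
    supplies them (the names used below are hypothetical).
    """
    findings = []
    if uid == 0:
        findings.append("run-as uid is 0: -u should name an unprivileged user")
    for path in needed:
        if not os.path.exists(inside(root, path)):  # dangling symlinks count as missing
            findings.append(f"missing in chroot: {path}")
    for path in writable:
        real = inside(root, path)
        if not os.path.exists(real):
            findings.append(f"not created (touch it first): {path}")
        elif os.stat(real).st_uid != uid:
            findings.append(f"not owned by uid {uid} (chown it): {path}")
    return findings


if __name__ == "__main__":
    # Constructed demo tree standing in for /var/named; nothing on the host is touched.
    root = tempfile.mkdtemp(prefix="named-chroot-")
    for d in ("dev", "etc", "var/run"):
        os.makedirs(inside(root, d))
    open(inside(root, "/dev/zero"), "w").close()
    for line in preflight(root, 202, ["/var/run", "/var/log/named.log"]):
        print(line)
```

<p>
        Because paths are resolved relative to the new root, the same translation applies to the values given for
        <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span>.
      </p>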
</div>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
      Access to the dynamic
      update facility should be strictly limited. In earlier versions of
      <acronym class="acronym">BIND</acronym>, the only way to do this was
      based on the IP address of the host requesting the update, by listing
      an IP address or network prefix in the <span><strong class="command">allow-update</strong></span>
      zone option.
      This method is insecure since the source address of the update UDP
      packet is easily forged. Also note that if the IP addresses allowed by the
      <span><strong class="command">allow-update</strong></span> option include the
      address of a slave server which performs forwarding of dynamic updates,
      the master can be trivially attacked by sending the update to the slave,
      which will forward it to the master with its own source IP address,
      causing the master to approve it without question.
    </p>
<p>
      For these reasons, we strongly recommend that updates be
      cryptographically authenticated by means of transaction signatures
      (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
      option should list only TSIG key names, not IP addresses or network
      prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
      option can be used.
    </p>
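<p>
      One way to audit a configuration against this recommendation, as an added example that is not part of BIND
      or of the original manual: the script reports every <span><strong class="command">allow-update</strong></span> element that is
      not a TSIG key. The sample configuration, zone names, key name and function names are constructed for
      illustration, and the parser assumes a single file with no nested address match lists.
    </p>

```python
import ipaddress
import re

# Constructed sample named.conf text; zone names, key name and addresses are placeholders.
SAMPLE = """
zone "example.com" { type master; allow-update { 192.0.2.53; 198.51.100.0/24; }; };
zone "dyn.example.com" { type master; allow-update { key ddns-key; }; };  // TSIG only
zone "lab.example.com" { type master; allow-update { our-nets; }; };      /* named ACL */
zone "static.example.com" { type master; allow-update { none; }; };
"""


def zone_bodies(conf):
    """Yield (zone name, text between the zone's outer braces)."""
    conf = re.sub(r"/\*.*?\*/", "", conf, flags=re.S)   # C-style comments
    conf = re.sub(r"(//|#).*", "", conf)                # line comments
    for m in re.finditer(r'zone\s+"([^"]+)"[^{;]*\{', conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield m.group(1), conf[m.end():i - 1]


def classify(elem):
    """Label one allow-update element that is not a TSIG key."""
    try:
        ipaddress.ip_network(elem.lstrip("!").strip(), strict=False)
        return "address"
    except ValueError:
        return "acl-or-keyword"   # e.g. any, localnets, or a named ACL to inspect


def audit_allow_update(conf):
    """Return {zone: [(element, kind), ...]} for every non-key element."""
    report = {}
    for zone, body in zone_bodies(conf):
        m = re.search(r"allow-update\s*\{([^{}]*)\}", body)
        elems = [e.strip() for e in m.group(1).split(";")] if m else []
        bad = [(e, classify(e)) for e in elems
               if e and e != "none" and not re.fullmatch(r'key\s+"?[\w.-]+"?', e)]
        if bad:
            report[zone] = bad
    return report


if __name__ == "__main__":
    for zone, bad in audit_allow_update(SAMPLE).items():
        print(zone, bad)
```

<p>
      An element reported as <code class="literal">acl-or-keyword</code> still has to be resolved by hand, since a named ACL may
      itself contain addresses.
    </p>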
<p>
      Some sites choose to keep all dynamically-updated DNS data
      in a subdomain and delegate that subdomain to a separate zone. This
      way, the top-level zone containing critical data such as the IP
      addresses of public web and mail servers need not allow dynamic update at
      all.
    </p>
</div>
</div>
</body>
</html>