Bv9ARM.ch07.html revision afb33f777af856f8c3382604a7a8ffdfe2b512c5
<!--
 - Copyright (C) 2004-2009 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.196 2009/05/30 01:13:58 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter 7. BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2599642"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599723">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2599783">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
 Access Control Lists (ACLs) are address match lists that
 you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
 <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
 <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
 <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
 and the other access-control options.
 Using ACLs allows you to have finer control over who can access
 your name server, without cluttering up your config files with huge
 lists of IP addresses.
 An address match list is evaluated in order and the first element that
 matches decides, so a negated exception (a leading <code class="literal">!</code>)
 must be listed before the broader entry it is meant to carve out of;
 written the other way round, the negation is never reached.
 Keep in mind that address-based elements match only the source address
 of the packet, which is trivially forged in UDP; for operations that
 change or copy data (transfers, updates, notifies) prefer
 <code class="literal">key</code> elements, which match a TSIG-signed request.
 It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 control access to your server. Limiting access to your server by
 outside parties can help prevent spoofing and denial of service (DoS) attacks against
 your server.
 Here is an example of how to properly apply ACLs:
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  blackhole { bogusnets; };
  ...
};
zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</pre>
 This allows authoritative queries for example.com from any address
 (the zone-level <span><strong class="command">allow-query</strong></span> overrides the
 one in <span><strong class="command">options</strong></span> for that zone), but recursive
 queries only from the networks listed in our-nets, because
 <span><strong class="command">allow-recursion</strong></span> remains in force.
 For more information on how to use ACLs to protect your server,
 see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
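 The evaluator below is an added example in Python, not part of the ARM
 or of BIND itself. It models how <span><strong class="command">named</strong></span>
 interprets an address match list (elements tried in order, first match
 decides, a leading "!" turns a match into a denial, nested ACLs referenced
 by name) so that a list can be tested against sample client addresses
 before it is deployed. The ACL contents mirror the chapter's example; the
 two RFC 5737 documentation prefixes in our-nets stand in for the
 x.x.x.x placeholders and are assumptions, as is the constructed options block.

```python
"""Evaluate BIND-style address match lists: first match wins, "!" negates.

Added example, not BIND code. "key" elements (TSIG signers) are not modelled.
"""
import ipaddress

# Constructed ACLs mirroring the chapter's example (our-nets is an assumption).
ACLS = {
    "bogusnets": ["0.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
                  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24", "203.0.113.0/24"],
}

# The options-level lists from the chapter's named.conf.
OPTIONS = {
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}


def match_element(element, addr, acls):
    """1 = positive match, -1 = negated match, 0 = no match."""
    negated = element.startswith("!")
    name = element.lstrip("!").strip()
    if name == "any":
        hit = True
    elif name == "none":
        hit = False
    elif name in acls:
        # A nested ACL counts as a match of this element only on a positive
        # match inside it; a negated match inside it is "no match" here, so
        # evaluation continues with the next element of the outer list.
        hit = match_list(acls[name], addr, acls) > 0
    else:
        # An IP prefix, or a bare address (treated as /32 or /128).
        hit = addr in ipaddress.ip_network(name, strict=False)
    if not hit:
        return 0
    return -1 if negated else 1


def match_list(elements, addr, acls=ACLS):
    """Walk the list in order and return the first non-zero element result."""
    addr = ipaddress.ip_address(addr)
    for element in elements:
        result = match_element(element, addr, acls)
        if result:
            return result
    return 0


def allowed(elements, addr, acls=ACLS):
    """Access-control interpretation: only a positive match grants access."""
    return match_list(elements, addr, acls) > 0


def check_client(src, options=OPTIONS, acls=ACLS):
    """What one query source gets under the options-level lists:
    a blackholed source is not answered at all; a recursive query must
    pass allow-query as well as allow-recursion."""
    if allowed(options["blackhole"], src, acls):
        return "blackholed"
    query = allowed(options["allow-query"], src, acls)
    recurse = query and allowed(options["allow-recursion"], src, acls)
    if recurse:
        return "query+recursion"
    return "query-only" if query else "refused"


if __name__ == "__main__":
    for src in ("198.51.100.7", "8.8.8.8", "192.168.1.5", "2001:db8::1"):
        print(src, check_client(src))
```

 Running it shows the ordering rule in practice: <code class="literal">{ !198.51.100.7; our-nets; }</code>
 excludes that one host, whereas <code class="literal">{ our-nets; !198.51.100.7; }</code>
 admits it because the prefix matches first and the negation is never consulted.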
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2599642"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></h2></div></div></div>
 On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
 in a <span class="emphasis"><em>chrooted</em></span> environment (using
 the <span><strong class="command">chroot()</strong></span> function) by specifying
 the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
 This can help improve system security by placing
 <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
 the damage done if a server is compromised.
 Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
 We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
 on most systems a process that keeps root privileges can break out of a
 <span><strong class="command">chroot</strong></span> jail, so <code class="option">-t</code> without
 <code class="option">-u</code> adds little.
 Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 user 202:
<pre class="programlisting"><strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong></pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2599723"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 In order for a <span><strong class="command">chroot</strong></span> environment
 to work properly in a particular directory
 (for example, <code class="filename">/var/named</code>),
 you will need to set up an environment that includes everything
 <acronym class="acronym">BIND</acronym> needs to run.
 From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 the root of the filesystem. You will need to adjust the values of
 options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span>
 to account for this. Since <span><strong class="command">named</strong></span> changes root before
 it reads its configuration file, the path given with <code class="option">-c</code>
 (default <code class="filename">/etc/named.conf</code>) is likewise interpreted
 inside the new root.
 Unlike with earlier versions of BIND, you typically will
 <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 statically nor install shared libraries under the new root.
 However, depending on your operating system, you may need
 to set up things like <code class="filename">/dev/zero</code>,
 <code class="filename">/dev/random</code>, <code class="filename">/dev/log</code>,
 and <code class="filename">/etc/localtime</code>.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2599783"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 Prior to running the <span><strong class="command">named</strong></span> daemon, use
 the <span><strong class="command">touch</strong></span> utility (to change file
 access and modification times) or the <span><strong class="command">chown</strong></span>
 utility (to set the user id and/or group id) on files
 to which you want <acronym class="acronym">BIND</acronym>
 to write. Give the unprivileged user write access only to what it must
 write (the pid file, and the zone files of slave or dynamically updated
 zones); the configuration file and the <span><strong class="command">named</strong></span>
 binary should stay owned by root and read-only to that user.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 unprivileged user, it will not be able to bind to new restricted
 ports if the server is reloaded. Adding a <span><strong class="command">listen-on</strong></span>
 port below 1024 therefore needs a full restart, not a reload.
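 The script below is an added example in Python, not ISC code, that puts the
 preceding steps together: it lays out a jail directory, writes a configuration
 whose <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span>
 paths are expressed as seen from inside the jail, creates the device nodes and
 hands only the writable directories to the unprivileged user, and returns the
 <span><strong class="command">named</strong></span> command line that matches. The
 directory names, the user name "named", the device list and the binary path
 are assumptions; device numbers are copied from the host rather than hard-coded.

```python
"""Lay out a chroot jail for named and build the matching command line.

Added example, not ISC code. Directory names, the user "named", the device
list and the binary path are assumptions for the illustration.
"""
import os
import pwd
import stat
import tempfile

NAMED = "/usr/local/sbin/named"            # as in the chapter's command line
JAIL_DIRS = ("etc", "dev", "var/run", "var/named")
WRITABLE = ("var/run", "var/named")        # pid file; zone files named rewrites
DEVICES = ("null", "random")               # nodes named opens at startup (assumed)

# Paths in named.conf are seen from inside the jail, where the jail is "/".
CONFIG = (
    'options {\n'
    '    directory "/var/named";\n'
    '    pid-file "/var/run/named.pid";\n'
    '};\n'
)


def prepare_chroot(root, user="named"):
    """Create the skeleton under root; return (argv, steps that were skipped)."""
    skipped = []
    for sub in JAIL_DIRS:
        os.makedirs(os.path.join(root, sub), exist_ok=True)
    conf = os.path.join(root, "etc", "named.conf")
    with open(conf, "w") as fh:
        fh.write(CONFIG)
    os.chmod(conf, 0o644)                  # readable by named, writable by owner only

    if os.geteuid() != 0:
        skipped.append("device nodes and ownership need root")
    else:
        for dev in DEVICES:
            target = os.path.join(root, "dev", dev)
            if not os.path.exists(target):
                try:
                    # Same major/minor numbers as the host's device node.
                    os.mknod(target, stat.S_IFCHR | 0o666,
                             os.stat("/dev/" + dev).st_rdev)
                except OSError as exc:
                    skipped.append("/dev/%s: %s" % (dev, exc))
        try:
            pw = pwd.getpwnam(user)
        except KeyError:
            skipped.append("no such user: %s" % user)
        else:
            # Only what named must write to belongs to the unprivileged user;
            # etc/ and dev/ stay root-owned.
            for sub in WRITABLE:
                os.chown(os.path.join(root, sub), pw.pw_uid, pw.pw_gid)

    # named chroots before reading its configuration, so -c is a jail path.
    argv = [NAMED, "-u", user, "-t", root, "-c", "/etc/named.conf"]
    return argv, skipped


def jail_layout_ok(root):
    """True when every directory and the configuration file are in place."""
    return (all(os.path.isdir(os.path.join(root, d)) for d in JAIL_DIRS)
            and os.path.isfile(os.path.join(root, "etc", "named.conf")))


def demo():
    """Build a throwaway jail under a temporary directory."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    argv, skipped = prepare_chroot(root)
    return root, argv, skipped


if __name__ == "__main__":
    jail, command, notes = demo()
    print(" ".join(command))
    for note in notes:
        print("skipped:", note)
```

 Run as root against the real jail directory it creates the device nodes and
 sets ownership; run unprivileged it still produces the layout and the command
 line and reports what it could not do, which is convenient for checking a
 build before handing it to the production host.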
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
 Access to the dynamic
 update facility should be strictly limited. In earlier versions of
 <acronym class="acronym">BIND</acronym>, the only way to do this was
 based on the IP
 address of the host requesting the update, by listing an IP address or
 network prefix in the <span><strong class="command">allow-update</strong></span>
 zone option.
 This method is insecure since the source address of the update UDP packet
 is easily forged. Also note that if the IP addresses allowed by the
 <span><strong class="command">allow-update</strong></span> option include the
 address of a slave
 server which performs forwarding of dynamic updates, the master can be
 trivially attacked by sending the update to the slave, which will
 forward it to the master with its own source IP address, causing the
 master to approve it without question.
 For these reasons, we strongly recommend that updates be
 cryptographically authenticated by means of transaction signatures
 (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
 option should
 list only TSIG key names, not IP addresses or network
 prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
 option can be used; it grants each key the right to change only
 particular names or record types rather than the whole zone. Either way,
 whoever holds the shared secret can make every change the key is
 permitted, so protect the key file as you would a password.
 Some sites choose to keep all dynamically-updated DNS data
 in a subdomain and delegate that subdomain to a separate zone. This
 way, the top-level zone containing critical data such as the IP addresses
 of public web and mail servers need not allow dynamic update at all.
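 To make concrete why a key, and not a source address, is what the master
 should check, the following added example (Python, not BIND code) builds a
 minimal dynamic UPDATE, signs it with TSIG as the client does (RFC 2845, with
 the hmac-sha256 algorithm of RFC 4635) and verifies it as the master does.
 A message whose record was altered in transit, a message signed with a
 different secret, and a message replayed outside the fudge window are all
 rejected, whatever source address they arrive from. The zone, key name,
 secret and timestamps are constructed for the example.

```python
"""Sign and verify a DNS UPDATE with TSIG (RFC 2845, HMAC-SHA256 per RFC 4635).

Added example, not BIND code. Key name, zone and secret are constructed.
"""
import hashlib
import hmac
import struct

ALG = "hmac-sha256"          # algorithm name, carried in domain-name form


def encode_name(name):
    """Wire-format name; TSIG digests use the canonical (lowercase) form."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").lower().split("."))
    return out + b"\x00"


def read_name(buf, off):
    """Decode a wire name (compression pointers allowed); return (text, next_off)."""
    labels, end = [], None
    while True:
        n = buf[off]
        if n & 0xC0 == 0xC0:                        # pointer to an earlier name
            end = end if end is not None else off + 2
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if n == 0:
            return ".".join(labels), (end if end is not None else off)
        labels.append(buf[off:off + n].decode("ascii"))
        off += n


def build_update(zone, owner, ipv4, msg_id=0x1234):
    """Minimal UPDATE (opcode 5): zone section plus one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)  # ZOCOUNT=1, UPCOUNT=1
    zone_sec = encode_name(zone) + struct.pack("!HH", 6, 1)       # SOA, IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = encode_name(owner) + struct.pack("!HHIH", 1, 1, 3600, 4) + rdata
    return header + zone_sec + rr


def tsig_variables(key_name, time_signed, fudge, error=0, other=b""):
    """The 'TSIG variables' digested after the message (RFC 2845 3.4.2)."""
    return (encode_name(key_name) + struct.pack("!HI", 255, 0)  # class ANY, TTL 0
            + encode_name(ALG)
            + struct.pack("!HIHHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                          fudge, error, len(other)) + other)


def sign(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR (ARCOUNT incremented) and return the signed message."""
    mac = hmac.new(secret, message + tsig_variables(key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    rdata = (encode_name(ALG)
             + struct.pack("!HIHH", time_signed >> 32, time_signed & 0xFFFFFFFF,
                           fudge, len(mac)) + mac
             + struct.pack("!HHH", struct.unpack("!H", message[:2])[0], 0, 0))
    rr = encode_name(key_name) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", message[10:12])[0] + 1
    return message[:10] + struct.pack("!H", arcount) + message[12:] + rr


def split_tsig(signed):
    """Return (message without the TSIG RR, key name, TSIG rdata), or None."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off, last = 12, None
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4
    for _ in range(an + ns + ar):
        start = off
        owner, off = read_name(signed, off)
        rtype, rdlen = struct.unpack("!HxxxxxxH", signed[off:off + 10])
        off += 10
        last = (start, owner, rtype, signed[off:off + rdlen])
        off += rdlen
    if ar == 0 or last is None or last[2] != 250:
        return None
    start, owner, _, rdata = last
    return signed[:10] + struct.pack("!H", ar - 1) + signed[12:start], owner, rdata


def verify(signed, secrets, now):
    """Check a signed request as the master does; return (ok, tsig_error)."""
    parts = split_tsig(signed)
    if parts is None:
        return False, "FORMERR: no TSIG record"
    message, key_name, rdata = parts
    alg, off = read_name(rdata, 0)
    hi, lo, fudge, mac_size = struct.unpack("!HIHH", rdata[off:off + 10])
    mac = rdata[off + 10:off + 10 + mac_size]
    tail = off + 12 + mac_size                      # skip original ID
    error, other_len = struct.unpack("!HH", rdata[tail:tail + 4])
    other = rdata[tail + 4:tail + 4 + other_len]
    secret = secrets.get(key_name.lower())
    if secret is None or alg.lower() != ALG:
        return False, "BADKEY"
    time_signed = (hi << 32) | lo
    expected = hmac.new(secret, message + tsig_variables(key_name, time_signed,
                                                         fudge, error, other),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"             # MAC is checked before the time
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


def demo(now=1700000000):
    """Constructed key and zone; returns four verification outcomes."""
    key_name = "update-key.example.com"
    secret = hashlib.sha256(b"constructed demo secret, not for real use").digest()
    msg = build_update("dyn.example.com", "host1.dyn.example.com", "192.0.2.10")
    signed = sign(msg, key_name, secret, now)
    # Flip the last octet of the A record in transit: the MAC no longer matches.
    tampered = signed[:len(msg) - 1] + bytes([signed[len(msg) - 1] ^ 1]) + signed[len(msg):]
    return (verify(signed, {key_name: secret}, now),
            verify(tampered, {key_name: secret}, now),
            verify(signed, {key_name: b"some other secret"}, now),
            verify(signed, {key_name: secret}, now + 3600))
```

 On the master the same key is declared with a <span><strong class="command">key</strong></span>
 statement and the zone lists it as <code class="literal">allow-update { key update-key.example.com; };</code>,
 or with an <span><strong class="command">update-policy</strong></span> grant limited to the
 names the key may change; no address-based element is needed, which is the point of the section.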
<table width="100%" summary="Navigation footer">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>