Bv9ARM.ch07.html revision b2f07642fd712c8fda81a116bcdde229ab291f33
<!--
 - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and/or distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS.  IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id$ -->
<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
</head>
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="navheader">
<table width="100%" summary="Navigation header">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
<tr>
<td width="20%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<th width="60%" align="center">&nbsp;</th>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
</table>
<hr>
</div>
<div class="chapter" lang="en">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<p><b>Table of Contents</b></p>
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605733"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605882">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605942">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
        Access Control Lists (ACLs) are address match lists that
        you can define once, give a name, and then reference in
        <span><strong class="command">allow-notify</strong></span>,
        <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
        <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
        <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
        and similar options. The elements of a list are tested in order and
        the first element that matches decides the result; an element
        prefixed with "!" is a negative match, and a list that nothing
        matches denies access.
      </p>
<p>
        Using ACLs gives you finer control over who can access
        your name server without cluttering your configuration files with
        long lists of IP addresses.
      </p>
<p>
        It is a <span class="emphasis"><em>good idea</em></span> to use ACLs to
        control access to your server. Limiting access to your server by
        outside parties can help prevent spoofing and denial of service (DoS) attacks against
        your server. Keep in mind that an address match list only examines
        the source address of a packet, which is trivially forged over UDP;
        ACLs reduce exposure but are not a substitute for TSIG authentication
        of operations such as zone transfers and dynamic updates.
      </p>
<p>
        Here is an example of how to properly apply ACLs:
      </p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  ...
  blackhole { bogusnets; };
  ...
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</pre>
<p>
        This allows authoritative queries for "example.com" from any
        address (the zone-level <span><strong class="command">allow-query</strong></span>
        overrides the one in <span><strong class="command">options</strong></span>), but
        recursive queries only from the networks specified in "our-nets",
        and no queries at all from the networks specified in "bogusnets":
        packets from a blackholed address are silently dropped and no
        response is sent.
      </p>
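<p>
        The following is an added example and not code from the ARM or from
        <acronym class="acronym">BIND</acronym> itself: a small model of the
        address match list semantics described above, applied to the
        configuration in this section. The documentation prefixes
        198.51.100.0/24 and 203.0.112.0/21 are constructed stand-ins for the
        manual's x.x.x.x placeholders; the built-ins "localhost" and
        "localnets" (which depend on the server's interfaces) and key-based
        elements are not modeled.
      </p>

```python
"""Evaluate BIND-style address match lists against a source address.

Added example; not code from BIND or the ARM. It models the semantics named
applies to every ACL: elements are tested in order and the first match
decides; "!" negates an element; a nested ACL counts as a match only when it
matches positively (a negative match inside a nested list is treated as "no
match", so evaluation continues); and a list nothing matches denies access.
Built-ins "localhost"/"localnets" and key-based elements are not modeled.
"""
import ipaddress

BUILTIN_ACLS = {"any": ["0.0.0.0/0", "::/0"], "none": ["!any"]}


def evaluate(elements, addr, acls):
    """Return +1 (positive match), -1 (negative match) or 0 (no match)."""
    for raw in elements:
        negated = raw.startswith("!")
        elem = raw.lstrip("!").strip()
        nested = acls.get(elem) or BUILTIN_ACLS.get(elem)
        if nested is not None:
            matched = evaluate(nested, addr, acls) > 0
        else:
            net = ipaddress.ip_network(elem, strict=False)
            matched = addr.version == net.version and addr in net
        if matched:
            return -1 if negated else 1
    return 0


def allowed(elements, source, acls):
    """True only on a positive match, which is how allow-* options decide."""
    return evaluate(elements, ipaddress.ip_address(source), acls) > 0


# The manual's configuration, with constructed documentation-range prefixes
# (198.51.100.0/24, 203.0.112.0/21) standing in for its x.x.x.x placeholders.
ACLS = {
    "bogusnets": ["0.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
                  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24", "203.0.112.0/21"],
}
OPTIONS = {"allow-query": ["our-nets"], "allow-recursion": ["our-nets"],
           "blackhole": ["bogusnets"]}
ZONE_EXAMPLE_COM = {"allow-query": ["any"]}


def decide(source, zone=None):
    """What named does with a query from `source`, optionally for a zone
    whose own allow-query overrides the one in options."""
    if allowed(OPTIONS["blackhole"], source, ACLS):
        return {"dropped": True, "query": False, "recursion": False}
    allow_query = (zone or {}).get("allow-query", OPTIONS["allow-query"])
    return {"dropped": False,
            "query": allowed(allow_query, source, ACLS),
            "recursion": allowed(OPTIONS["allow-recursion"], source, ACLS)}


if __name__ == "__main__":
    for src in ("10.1.2.3", "198.51.100.7", "8.8.8.8"):
        print(src, decide(src), "example.com:", decide(src, ZONE_EXAMPLE_COM))
    # Gotcha: wrapping a negation in its own ACL excludes nothing, because the
    # nested negative match is treated as "no match" and evaluation continues.
    acls = {**ACLS, "not-ours": ["!our-nets"]}
    print(allowed(["not-ours", "any"], "198.51.100.7", acls))   # True
    print(allowed(["!our-nets", "any"], "198.51.100.7", acls))  # False
```

<p>
        The last two lines show the one ACL pitfall worth remembering: to
        carve addresses out of a list, put the negated element directly in
        that list ("!our-nets; any;"), because a negation hidden inside a
        nested ACL never produces a negative match in the list that uses it.
      </p>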
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2605733"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
</h2></div></div></div>
<p>
        On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
        in a <span class="emphasis"><em>chrooted</em></span> environment (using
        the <span><strong class="command">chroot()</strong></span> function) by specifying
        the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
        This can help improve system security by placing
        <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
        the damage done if the server is compromised: a process confined to
        the new root cannot read or modify files outside it.
      </p>
<p>
        Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
        ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
        We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
        on most systems a process that keeps root privileges can escape a
        <span><strong class="command">chroot</strong></span> jail, so
        <code class="option">-t</code> without <code class="option">-u</code> adds little.
      </p>
<p>
        Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
        <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
        user 202:
      </p>
<p>
        <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
      </p>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2605882"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
          In order for a <span><strong class="command">chroot</strong></span> environment
          to work properly in a particular directory
          (for example, <code class="filename">/var/named</code>),
          you will need to set up an environment that includes everything
          <acronym class="acronym">BIND</acronym> needs to run.
          From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
          the root of the filesystem. <span><strong class="command">named</strong></span>
          changes root after processing its command line but before reading
          its configuration file, so the configuration file (by default
          <code class="filename">/etc/named.conf</code>, which is
          <code class="filename">/var/named/etc/named.conf</code> on the host)
          and every path inside it are interpreted relative to the new root.
          You will need to adjust the values of options like
          <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
          for this.
        </p>
<p>
          Unlike with earlier versions of BIND, you typically will
          <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
          statically nor install shared libraries under the new root.
          However, depending on your operating system, you may need
          to set up things like
          <code class="filename">/dev/zero</code>,
          <code class="filename">/dev/random</code>,
          <code class="filename">/dev/log</code>, and
          <code class="filename">/etc/localtime</code>.
        </p>
</div>
<div class="sect2" lang="en">
<div class="titlepage"><div><div><h3 class="title">
<a name="id2605942"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
          Prior to running the <span><strong class="command">named</strong></span> daemon,
          use the <span><strong class="command">touch</strong></span> utility (to create
          any file that does not yet exist) and the <span><strong class="command">chown</strong></span>
          utility (to set the user id and/or group id) on the files and
          directories to which you want <acronym class="acronym">BIND</acronym>
          to write, such as the <span><strong class="command">pid-file</strong></span>,
          slave zone files and the journal files of dynamically updated zones.
          Files that <span><strong class="command">named</strong></span> only reads, in
          particular the configuration file and master zone files, should not
          be writable by that user.
        </p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
        Note that if the <span><strong class="command">named</strong></span> daemon is running as an
        unprivileged user, it will not be able to bind to new restricted
        ports if the server is reloaded.
      </div>
</div>
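<p>
        As an added example (not part of the ARM or of
        <acronym class="acronym">BIND</acronym>), the pre-flight check below
        codifies the two subsections above: it verifies that the device nodes
        and files the manual lists exist under the new root, that the
        configuration file sits where <span><strong class="command">named</strong></span>
        will look for it after <span><strong class="command">chroot()</strong></span>,
        and that the <span><strong class="command">directory</strong></span> and
        <span><strong class="command">pid-file</strong></span> options resolve to paths
        that exist inside the jail, with the pid-file's directory owned by the
        <code class="option">-u</code> user. The layout it assumes
        (<code class="filename">etc/named.conf</code> under the root, a pid
        directory that must belong to the unprivileged user) is this
        example's convention; adapt it to your operating system.
      </p>

```python
"""Pre-flight audit of a chroot tree before `named -u <user> -t <root>`.

Added example; not part of BIND. It checks the items the ARM lists
(/dev/zero, /dev/random, /dev/log, /etc/localtime under the new root), that
named.conf is where named looks for it after chroot(), and that the
`directory` and `pid-file` options point at paths that exist inside the jail,
with the pid-file's directory owned by the unprivileged user. The paths and
the ownership rule are this example's assumptions, not BIND's requirements.
"""
import os
import re
import stat
import tempfile

CHAR_DEVICES = ("dev/zero", "dev/random")
PLAIN_FILES = ("etc/localtime",)
SYSLOG_SOCKET = "dev/log"       # needed only when named logs via syslog
NAMED_CONF = "etc/named.conf"   # default -c path, looked up inside the jail
OPTION_RE = re.compile(r'^\s*(directory|pid-file)\s+"([^"]*)"\s*;', re.M)


def conf_paths(conf_text):
    """Extract the path options that must be rewritten for the jail."""
    return dict(OPTION_RE.findall(conf_text))


def inside(root, path):
    """Host path for a path as named sees it after chroot(root)."""
    return os.path.join(root, path.lstrip("/"))


def audit_chroot(root, uid):
    """Return findings (strings); an empty list means ready to start."""
    findings = []
    for rel in CHAR_DEVICES:
        p = os.path.join(root, rel)
        if not os.path.exists(p):
            findings.append(f"missing {rel}")
        elif not stat.S_ISCHR(os.stat(p).st_mode):
            findings.append(f"{rel} is not a character device")
    for rel in PLAIN_FILES:
        if not os.path.isfile(os.path.join(root, rel)):
            findings.append(f"missing {rel}")
    sock = os.path.join(root, SYSLOG_SOCKET)
    if not (os.path.exists(sock) and stat.S_ISSOCK(os.stat(sock).st_mode)):
        findings.append(f"no socket at {SYSLOG_SOCKET}: syslog logging will fail")
    conf = os.path.join(root, NAMED_CONF)
    if not os.path.isfile(conf):
        findings.append(f"missing {NAMED_CONF}")
        return findings
    with open(conf) as fh:
        paths = conf_paths(fh.read())
    for opt in ("directory", "pid-file"):
        if opt not in paths:
            findings.append(f"{opt} not set; check that the default resolves inside the jail")
            continue
        target = inside(root, paths[opt])
        check_dir = os.path.dirname(target) if opt == "pid-file" else target
        if not os.path.isdir(check_dir):
            findings.append(f"{opt} {paths[opt]!r} needs {check_dir}, which does not exist")
        elif opt == "pid-file" and os.stat(check_dir).st_uid != uid:
            findings.append(f"{check_dir} not owned by uid {uid}; named cannot write its pid-file")
    return findings


def self_check():
    """Build a scratch jail and return the findings before and after adding a
    named.conf and a pid directory owned by the current user."""
    root = tempfile.mkdtemp(prefix="named-jail-")
    before = audit_chroot(root, os.getuid())
    os.makedirs(os.path.join(root, "etc"))
    os.makedirs(os.path.join(root, "var", "run"))
    with open(os.path.join(root, NAMED_CONF), "w") as fh:
        fh.write('options {\n  directory "/var/named";\n'
                 '  pid-file "/var/run/named.pid";\n};\n')
    return before, audit_chroot(root, os.getuid())


if __name__ == "__main__":
    import sys
    # usage: audit.py /var/named 202
    print("\n".join(audit_chroot(sys.argv[1], int(sys.argv[2]))) or "ok")
```

<p>
        Run it as root against the jail before starting the daemon; the
        device-node and socket checks will only pass once those have been
        created with <span><strong class="command">mknod</strong></span> or by the
        system logger, which this script deliberately does not attempt.
      </p>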
</div>
<div class="sect1" lang="en">
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
        Access to the dynamic update facility should be strictly limited.
        In earlier versions of <acronym class="acronym">BIND</acronym>, the
        only way to do this was based on the IP address of the host
        requesting the update, by listing an IP address or network prefix in
        the <span><strong class="command">allow-update</strong></span> zone option.
        This method is insecure since the source address of the update UDP
        packet is easily forged. Also note that if the IP addresses allowed
        by the <span><strong class="command">allow-update</strong></span> option include
        the address of a slave server which performs forwarding of dynamic
        updates, the master can be trivially attacked by sending the update
        to the slave, which will forward it to the master with its own source
        IP address, causing the master to approve it without question.
      </p>
<p>
        For these reasons, we strongly recommend that updates be
        cryptographically authenticated by means of transaction signatures
        (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
        option should list only TSIG key names, not IP addresses or network
        prefixes. Alternatively, the <span><strong class="command">update-policy</strong></span>
        option can be used; it grants a key identity permission to update
        only particular names and record types, which is usually preferable
        to the all-or-nothing grant of <span><strong class="command">allow-update</strong></span>
        (a zone may use one of the two options, not both). The shared secret
        must be kept confidential: anyone who holds it can produce valid
        updates from any source address.
      </p>
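<p>
        The exchange the paragraph above recommends, as an added example that
        is not part of the ARM or of <acronym class="acronym">BIND</acronym>:
        a client signs an UPDATE with TSIG (RFC 2845, hmac-sha256 per RFC
        4635) and the master verifies it the way
        <span><strong class="command">named</strong></span> does before honoring the
        request, checking the key, then the MAC, then the timestamp. The
        UPDATE message is built by hand, uncompressed, so that everything
        runs offline; the key name <code>tsig-key.example.com.</code>, the
        fixed secret, the zone, the record and the timestamps are all
        constructed. The point it makes concrete is that a forged source
        address buys an attacker nothing once
        <span><strong class="command">allow-update</strong></span> lists only key
        names: without the secret no valid MAC can be produced, and any
        change to the message after signing is detected.
      </p>

```python
"""Sign a DNS UPDATE with TSIG (RFC 2845/4635, hmac-sha256) and verify it as
a master does before honoring the update.

Added example; not BIND code. The UPDATE is built by hand (uncompressed) so
everything runs offline; key name, secret, zone, record and times below are
constructed. Without the shared secret no valid MAC can be produced, so the
source address of the packet no longer matters.
"""
import hashlib
import hmac
import struct

ALG = "hmac-sha256."
TSIG, ANY, OPCODE_UPDATE = 250, 255, 5 << 11


def wire_name(name):
    """Uncompressed, lowercased (canonical) wire form of a domain name."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\0"


def read_name(buf, off):
    """Decode an uncompressed name at `off`; return (name, offset after it)."""
    labels = []
    while buf[off]:
        n = buf[off]
        if n & 0xC0:
            raise ValueError("compressed names are not expected here")
        labels.append(buf[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels) + ".", off + 1


def build_update(zone, name, ipv4, msg_id):
    """UPDATE message: zone section (SOA question) plus one A record to add."""
    header = struct.pack("!HHHHHH", msg_id, OPCODE_UPDATE, 1, 0, 1, 0)
    rdata = bytes(int(o) for o in ipv4.split("."))
    rr = wire_name(name) + struct.pack("!HHIH", 1, 1, 3600, len(rdata)) + rdata
    return header + wire_name(zone) + struct.pack("!HH", 6, 1) + rr


def digest_input(message, key_name, time_signed, fudge, error=0, other=b""):
    """Message without the TSIG RR, followed by the TSIG variables."""
    return (message + wire_name(key_name) + struct.pack("!HI", ANY, 0)
            + wire_name(ALG) + struct.pack("!Q", time_signed)[2:]
            + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(message, key_name, secret, time_signed, fudge=300):
    """Append a TSIG RR (and bump ARCOUNT) carrying the HMAC over the message."""
    mac = hmac.new(secret, digest_input(message, key_name, time_signed, fudge),
                   hashlib.sha256).digest()
    orig_id = struct.unpack("!H", message[:2])[0]
    arcount = struct.unpack("!H", message[10:12])[0]
    rdata = (wire_name(ALG) + struct.pack("!Q", time_signed)[2:]
             + struct.pack("!HH", fudge, len(mac)) + mac
             + struct.pack("!HHH", orig_id, 0, 0))
    rr = wire_name(key_name) + struct.pack("!HHIH", TSIG, ANY, 0, len(rdata)) + rdata
    return message[:10] + struct.pack("!H", arcount + 1) + message[12:] + rr


def split_tsig(signed):
    """Return (message with TSIG removed and ARCOUNT decremented, tsig_rr)."""
    qd, an, ns, ar = struct.unpack("!HHHH", signed[4:12])
    off = 12
    for _ in range(qd):
        off = read_name(signed, off)[1] + 4
    start, rtype = None, None
    for _ in range(an + ns + ar):          # the TSIG RR must be the last RR
        start = off
        off = read_name(signed, off)[1]
        rtype, _, _, rdlen = struct.unpack("!HHIH", signed[off:off + 10])
        off += 10 + rdlen
    if rtype != TSIG:
        return None, None
    return signed[:10] + struct.pack("!H", ar - 1) + signed[12:start], signed[start:off]


def verify(signed, keys, now):
    """keys maps key name -> secret. Returns (accepted, TSIG error name)."""
    message, rr = split_tsig(signed)
    if rr is None:
        return False, "REFUSED: unsigned update"
    key_name, off = read_name(rr, 0)
    alg, off = read_name(rr, off + 10)       # skip type, class, TTL, rdlength
    time_signed = int.from_bytes(rr[off:off + 6], "big")
    fudge, mac_size = struct.unpack("!HH", rr[off + 6:off + 10])
    mac = rr[off + 10:off + 10 + mac_size]
    off += 10 + mac_size
    _, error, other_len = struct.unpack("!HHH", rr[off:off + 6])
    other = rr[off + 6:off + 6 + other_len]
    secret = keys.get(key_name.lower())
    if secret is None or alg.lower() != ALG:
        return False, "BADKEY"
    expected = hmac.new(secret, digest_input(message, key_name, time_signed,
                                             fudge, error, other), hashlib.sha256).digest()
    if not hmac.compare_digest(mac, expected):
        return False, "BADSIG"
    if abs(now - time_signed) > fudge:
        return False, "BADTIME"
    return True, "NOERROR"


# Constructed inputs: use os.urandom(32) for a real secret.
KEY_NAME = "tsig-key.example.com."
SECRET = b"\x01" * 32
TIME_SIGNED = 1700000000
MESSAGE = build_update("example.com.", "host.example.com.", "198.51.100.10", 0x1234)
SIGNED = sign(MESSAGE, KEY_NAME, SECRET, TIME_SIGNED)

if __name__ == "__main__":
    print(verify(SIGNED, {KEY_NAME: SECRET}, TIME_SIGNED + 10))  # (True, 'NOERROR')
    print(verify(SIGNED, {KEY_NAME: b"\x02" * 32}, TIME_SIGNED))  # (False, 'BADSIG')
```

<p>
        The matching server side is a <span><strong class="command">key</strong></span>
        statement with the base64 encoding of the secret
        (<code>key "tsig-key.example.com" { algorithm hmac-sha256; secret "..."; };</code>)
        and, in the zone, <code>allow-update { key "tsig-key.example.com"; };</code>;
        <span><strong class="command">nsupdate</strong></span> takes the same key with
        its <code class="option">-k</code> option. The verifier checks the key
        before the MAC and the MAC before the time, as the RFC requires, so a
        replayed or back-dated signature is still rejected with BADTIME only
        after its MAC has been shown to be genuine.
      </p>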
<p>
        Some sites choose to keep all dynamically-updated DNS data
        in a subdomain and delegate that subdomain to a separate zone. This
        way, the top-level zone containing critical data such as the IP
        addresses of public web and mail servers need not allow dynamic
        update at all.
      </p>
</div>
</div>
<div class="navfooter">
<hr>
<table width="100%" summary="Navigation footer">
<tr>
<td width="40%" align="left">
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="center">&nbsp;</td>
<td width="40%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
</td>
</tr>
<tr>
<td width="40%" align="left" valign="top">Chapter&nbsp;6.&nbsp;<acronym class="acronym">BIND</acronym> 9 Configuration Reference&nbsp;</td>
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
<td width="40%" align="right" valign="top">&nbsp;Chapter&nbsp;8.&nbsp;Troubleshooting</td>
</tr>
</table>
</div>
</body>
</html>