0N/A<html>

873N/A<head>

0N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">

0N/A<title>Chapter�7.�BIND 9 Security Considerations</title>

0N/A<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">

0N/A<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

0N/A<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">

868N/A<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">

0N/A<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">

0N/A</head>

0N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">

0N/A<div class="navheader">

0N/A<table width="100%" summary="Navigation header">

1242N/A<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>

1242N/A<tr>

1242N/A<td width="20%" align="left">

1242N/A<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>

1242N/A<th width="60%" align="center">�</th>

0N/A<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>

0N/A</td>

0N/A</tr>

0N/A</table>

1242N/A<hr>

1242N/A</div>

1242N/A<div class="chapter" lang="en">

1242N/A<div class="titlepage"><div><div><h2 class="title">

1242N/A<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>

1242N/A<div class="toc">

1242N/A<p><b>Table of Contents</b></p>

1242N/A<dl>

0N/A<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>

0N/A<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605733"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>

0N/A<dd><dl>

0N/A<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605882">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>

338N/A<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605942">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>

0N/A</dl></dd>

0N/A<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>

0N/A</dl>

0N/A</div>

0N/A<div class="sect1" lang="en">

0N/A<div class="titlepage"><div><div><h2 class="title" style="clear: both">

0N/A<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>

0N/A<p>

0N/A Access Control Lists (ACLs) are address match lists that

0N/A you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,

0N/A <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,

1242N/A <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,

1242N/A <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,

1242N/A etc.

1242N/A </p>

0N/A<p>

0N/A Using ACLs allows you to have finer control over who can access

0N/A your name server, without cluttering up your config files with huge

0N/A lists of IP addresses.

0N/A </p>

0N/A<p>

0N/A It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to

0N/A control access to your server. Limiting access to your server by

0N/A outside parties can help prevent spoofing and denial of service (DoS) attacks against

0N/A your server.

0N/A </p>

0N/A<p>

0N/A Here is an example of how to properly apply ACLs:

0N/A </p>

0N/A<pre class="programlisting">

0N/A// Set up an ACL named "bogusnets" that will block

0N/A// RFC1918 space and some reserved space, which is

0N/A// commonly used in spoofing attacks.

0N/Aacl bogusnets {

0N/A 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;

0N/A 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;

0N/A};

0N/A

0N/A// Set up an ACL called our-nets. Replace this with the

0N/A// real IP numbers.

0N/Aacl our-nets { x.x.x.x/24; x.x.x.x/21; };

0N/Aoptions {

0N/A ...

0N/A ...

0N/A allow-query { our-nets; };

0N/A allow-recursion { our-nets; };

1242N/A ...

1242N/A blackhole { bogusnets; };

1242N/A ...

1242N/A};

1242N/A

0N/Azone "example.com" {

1242N/A type master;

1242N/A file "m/example.com";

1242N/A allow-query { any; };

1242N/A};

0N/A</pre>

1242N/A<p>

1242N/A This allows recursive queries of the server from the outside

0N/A unless recursion has been previously disabled.

1242N/A </p>

1242N/A</div>

1242N/A<div class="sect1" lang="en">

0N/A<div class="titlepage"><div><div><h2 class="title" style="clear: both">

1242N/A<a name="id2605733"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>

1242N/A</h2></div></div></div>

1242N/A<p>

1242N/A On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>

0N/A in a <span class="emphasis"><em>chrooted</em></span> environment (using

1242N/A the <span><strong class="command">chroot()</strong></span> function) by specifying

1242N/A the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.

0N/A This can help improve system security by placing

1242N/A <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit

1242N/A the damage done if a server is compromised.

1242N/A </p>

0N/A<p>

0N/A Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the

0N/A ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).

0N/A We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.

0N/A </p>

0N/A<p>

0N/A Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,

1242N/A <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to

0N/A user 202:

1242N/A </p>

1242N/A<p>

1242N/A <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>

1242N/A </p>

0N/A<div class="sect2" lang="en">

1242N/A<div class="titlepage"><div><div><h3 class="title">

1242N/A<a name="id2605882"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>

0N/A<p>

1242N/A In order for a <span><strong class="command">chroot</strong></span> environment

0N/A to

1242N/A work properly in a particular directory

1242N/A (for example, <code class="filename">/var/named</code>),

1242N/A you will need to set up an environment that includes everything

1242N/A <acronym class="acronym">BIND</acronym> needs to run.

0N/A From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is

1242N/A the root of the filesystem. You will need to adjust the values of

1242N/A options like

0N/A like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account

1242N/A for this.

868N/A </p>

1242N/A<p>

1242N/A Unlike with earlier versions of BIND, you typically will

868N/A <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>

0N/A statically nor install shared libraries under the new root.

0N/A However, depending on your operating system, you may need

1242N/A to set up things like

0N/A <code class="filename">/dev/zero</code>,

0N/A <code class="filename">/dev/random</code>,

0N/A <code class="filename">/dev/log</code>, and

0N/A <code class="filename">/etc/localtime</code>.

0N/A </p>

1242N/A</div>

0N/A<div class="sect2" lang="en">

1242N/A<div class="titlepage"><div><div><h3 class="title">

1242N/A<a name="id2605942"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>

1242N/A<p>

0N/A Prior to running the <span><strong class="command">named</strong></span> daemon,

1242N/A use

1242N/A the <span><strong class="command">touch</strong></span> utility (to change file

1242N/A access and

1242N/A modification times) or the <span><strong class="command">chown</strong></span>

0N/A utility (to

1242N/A set the user id and/or group id) on files

1242N/A to which you want <acronym class="acronym">BIND</acronym>

1242N/A to write.

1242N/A </p>

1242N/A<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">

1242N/A<h3 class="title">Note</h3>

0N/A Note that if the <span><strong class="command">named</strong></span> daemon is running as an

1242N/A unprivileged user, it will not be able to bind to new restricted

1242N/A ports if the server is reloaded.

1242N/A </div>

0N/A</div>

1242N/A</div>

0N/A<div class="sect1" lang="en">

1242N/A<div class="titlepage"><div><div><h2 class="title" style="clear: both">

0N/A<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>

0N/A<p>

1242N/A Access to the dynamic

0N/A update facility should be strictly limited. In earlier versions of

0N/A <acronym class="acronym">BIND</acronym>, the only way to do this was

1242N/A based on the IP

1242N/A address of the host requesting the update, by listing an IP address

1242N/A or

1242N/A network prefix in the <span><strong class="command">allow-update</strong></span>

1242N/A zone option.

1242N/A This method is insecure since the source address of the update UDP

1242N/A packet

1242N/A is easily forged. Also note that if the IP addresses allowed by the

1242N/A <span><strong class="command">allow-update</strong></span> option include the

1242N/A address of a slave

1242N/A server which performs forwarding of dynamic updates, the master can

1242N/A be

1242N/A trivially attacked by sending the update to the slave, which will

1242N/A forward it to the master with its own source IP address causing the

1242N/A master to approve it without question.

0N/A </p>

1242N/A<p>

1242N/A For these reasons, we strongly recommend that updates be

0N/A cryptographically authenticated by means of transaction signatures

0N/A (TSIG). That is, the <span><strong class="command">allow-update</strong></span>

1242N/A option should

0N/A list only TSIG key names, not IP addresses or network

1242N/A prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>

0N/A option can be used.

1242N/A </p>

1242N/A<p>

1242N/A Some sites choose to keep all dynamically-updated DNS data

0N/A in a subdomain and delegate that subdomain to a separate zone. This

0N/A way, the top-level zone containing critical data such as the IP

1242N/A addresses

0N/A of public web and mail servers need not allow dynamic update at

0N/A all.

0N/A </p>

0N/A</div>

0N/A</div>

1242N/A<div class="navfooter">

0N/A<hr>

1242N/A<table width="100%" summary="Navigation footer">

1242N/A<tr>

1242N/A<td width="40%" align="left">

1242N/A<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>

0N/A<td width="20%" align="center">�</td>

1242N/A<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>

1242N/A</td>

1242N/A</tr>

0N/A<tr>

1242N/A<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>

0N/A<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>

0N/A<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>

0N/A</tr>

0N/A</table>

1242N/A</div>

1242N/A</body>

0N/A</html>

1242N/A