d6fa26d0adaec6c910115be34fe7a5a5f402c14fMark Andrews<HTML

ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson><HEAD

5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User><TITLE

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND 9 Security Considerations</TITLE

5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User><META

ddccd5811feff696ba460dabfb666ce61040f545Andreas Gustafsson"><LINK

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.html"><LINK

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinHREF="Bv9ARM.ch06.html"><LINK

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox UserHREF="Bv9ARM.ch08.html"></HEAD

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><BODY

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><TABLE

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><TR

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TH

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND 9 Administrator Reference Manual</TH

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User></TR

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TR

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><TD

2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User><A

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>Prev</A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TD

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TD

2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User></TD

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><TD

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Next</A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TD

2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User></TR

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TABLE

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><HR

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox UserWIDTH="100%"></DIV

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H1

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Chapter 7. <SPAN

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>BIND</SPAN

2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User> 9 Security Considerations</A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H1

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User><DL

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DT

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Table of Contents</B

2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User></DT

e21a2904f02a03fa06b6db04d348f65fe9c67b2bMark Andrews><DT

2eeb74d1cf5355dd98f6d507a10086e16bb08c4bTinderbox User>7.1. <A

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>Access Control Lists</A

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User></DT

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><DT

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>7.2. <A

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>chroot</B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> and <B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>setuid</B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> (for

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox UserUNIX servers)</A

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User></DT

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DT

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>7.3. <A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Dynamic Update Security</A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DT

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></DL

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User></DIV

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><DIV

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><H1

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>7.1. Access Control Lists</A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H1

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><P

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>Access Control Lists (ACLs), are address match lists that

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinyou can set up and nickname for future use in <B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>allow-notify</B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>,

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>allow-query</B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>, <B

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>allow-recursion</B

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User>,

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User<B

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>blackhole</B

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>, <B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>allow-transfer</B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>,

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinetc.</P

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><P

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Using ACLs allows you to have finer control over who can access

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinyour name server, without cluttering up your config files with huge

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austeinlists of IP addresses.</P

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><P

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>It is a <SPAN

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><I

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>good idea</I

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></SPAN

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> to use ACLs, and to

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox Usercontrol access to your server. Limiting access to your server by

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox Useroutside parties can help prevent spoofing and DoS attacks against

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useryour server.</P

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><P

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>Here is an example of how to properly apply ACLs:</P

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User><PRE

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User// which is commonly used in spoofing attacks.

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox Useracl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein// Set up an ACL called our-nets. Replace this with the real IP numbers.

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox Useracl our-nets { x.x.x.x/24; x.x.x.x/21; };

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox Useroptions {

fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User ...

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User ...

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User allow-query { our-nets; };

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein allow-recursion { our-nets; };

7911e6f9de303bca5a3d8b34f4330c8f7cecffaeTinderbox User ...

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein blackhole { bogusnets; };

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ...

};

zone "example.com" {

type master;

file "m/example.com";

allow-query { any; };

};

</PRE

><P

>This allows recursive queries of the server from the outside

unless recursion has been previously disabled.</P

><P

>For more information on how to use ACLs to protect your server,

see the <SPAN

><I

>AUSCERT</I

></SPAN

> advisory at

<A

>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A

></P

></DIV

><DIV

><H1

><A

>7.2. <B

>chroot</B

> and <B

>setuid</B

> (for

UNIX servers)</A

></H1

><P

>On UNIX servers, it is possible to run <SPAN

>BIND</SPAN

> in a <SPAN

><I

>chrooted</I

></SPAN

> environment

(<B

>chroot()</B

>) by specifying the "<TT

>-t</TT

>"

option. This can help improve system security by placing <SPAN

>BIND</SPAN

> in

a "sandbox", which will limit the damage done if a server is compromised.</P

><P

>Another useful feature in the UNIX version of <SPAN

>BIND</SPAN

> is the

ability to run the daemon as an unprivileged user ( <TT

>-u</TT

> <TT

><I

>user</I

></TT

> ).

We suggest running as an unprivileged user when using the <B

>chroot</B

> feature.</P

><P

>Here is an example command line to load <SPAN

>BIND</SPAN

> in a <B

>chroot()</B

> sandbox,

<B

>/var/named</B

>, and to run <B

>named</B

> <B

>setuid</B

> to

user 202:</P

><P

><TT

><B

>/usr/local/bin/named -u 202 -t /var/named</B

></TT

></P

><DIV

><H2

><A

>7.2.1. The <B

>chroot</B

> Environment</A

></H2

><P

>In order for a <B

>chroot()</B

> environment to

work properly in a particular directory

(for example, <TT

>/var/named</TT

>),

you will need to set up an environment that includes everything

<SPAN

>BIND</SPAN

> needs to run.

From <SPAN

>BIND</SPAN

>'s point of view, <TT

>/var/named</TT

> is

the root of the filesystem. You will need to adjust the values of options like

like <B

>directory</B

> and <B

>pid-file</B

> to account

for this.

</P

><P

>&#13;Unlike with earlier versions of BIND, you will typically

<SPAN

><I

>not</I

></SPAN

> need to compile <B

>named</B

>

statically nor install shared libraries under the new root.

However, depending on your operating system, you may need

to set up things like

<TT

>/dev/zero</TT

>,

<TT

>/dev/random</TT

>,

<TT

>/dev/log</TT

>, and/or

<TT

>/etc/localtime</TT

>.

</P

></DIV

><DIV

><H2

><A

>7.2.2. Using the <B

>setuid</B

> Function</A

></H2

><P

>Prior to running the <B

>named</B

> daemon, use

the <B

>touch</B

> utility (to change file access and

modification times) or the <B

>chown</B

> utility (to

set the user id and/or group id) on files

to which you want <SPAN

>BIND</SPAN

>

to write. Note that if the <B

>named</B

> daemon is running as an

unprivileged user, it will not be able to bind to new restricted ports if the

server is reloaded.</P

></DIV

></DIV

><DIV

><H1

><A

>7.3. Dynamic Update Security</A

></H1

><P

>Access to the dynamic

update facility should be strictly limited. In earlier versions of

<SPAN

>BIND</SPAN

> the only way to do this was based on the IP

address of the host requesting the update, by listing an IP address or

network prefix in the <B

>allow-update</B

> zone option.

This method is insecure since the source address of the update UDP packet

is easily forged. Also note that if the IP addresses allowed by the

<B

>allow-update</B

> option include the address of a slave

server which performs forwarding of dynamic updates, the master can be

trivially attacked by sending the update to the slave, which will

forward it to the master with its own source IP address causing the

master to approve it without question.</P

><P

>For these reasons, we strongly recommend that updates be

cryptographically authenticated by means of transaction signatures

(TSIG). That is, the <B

>allow-update</B

> option should

list only TSIG key names, not IP addresses or network

prefixes. Alternatively, the new <B

>update-policy</B

>

option can be used.</P

><P

>Some sites choose to keep all dynamically updated DNS data

in a subdomain and delegate that subdomain to a separate zone. This

way, the top-level zone containing critical data such as the IP addresses

of public web and mail servers need not allow dynamic update at

all.</P

></DIV

></DIV

><DIV

><HR

WIDTH="100%"><TABLE

><TR

><TD

><A

>Prev</A

></TD

><TD

><A

>Home</A

></TD

><TD

><A

>Next</A

></TD

></TR

><TR

><TD

><SPAN

>BIND</SPAN

> 9 Configuration Reference</TD

><TD

>&nbsp;</TD

><TD

>Troubleshooting</TD

></TR

></TABLE

></DIV

></BODY

></HTML

>