f743002678eb67b99bbc29fee116b65d9530fec0wrowe<HTML

80833bb9a1bf25dcf19e814438a4b311d2e1f4cffuankg><HEAD

a34684a59b60a4173c25035d0c627ef17e6dc215rpluem><TITLE

1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic>BIND 9 Security Considerations</TITLE

1337c7673efc1f80f634139fbad7cbb98a0dc657ylavic><META

4da61833a1cbbca94094f9653fd970582b97a72etrawick"><LINK

4da61833a1cbbca94094f9653fd970582b97a72etrawickHREF="Bv9ARM.html"><LINK

4789804be088bcd86ae637a29cdb7fda25169521jailletcHREF="Bv9ARM.ch06.html"><LINK

e50c3026198fd496f183cda4c32a202925476778covenerHREF="Bv9ARM.ch08.html"></HEAD

e50c3026198fd496f183cda4c32a202925476778covener><BODY

4f29b65ab4b547ad5dbe506e2d0ff5d12ead9247ylavic><DIV

0a0df13b7f1f4f1a74fe295253d89ca3911b301aylavic><TABLE

69301145375a889e7e37caf7cc7321ac0f91801erpluem><TR

69301145375a889e7e37caf7cc7321ac0f91801erpluem><TH

506bfe33206b2fece40ef25f695af39dd4130facjkaluza>BIND 9 Administrator Reference Manual</TH

506bfe33206b2fece40ef25f695af39dd4130facjkaluza></TR

d58a848a016d401b965111e50ef829e1641f7834minfrin><TR

d58a848a016d401b965111e50ef829e1641f7834minfrin><TD

2e6f4d654c96c98b761fb012fd25c5d5b1558c44sf><A

17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic>Prev</A

17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic></TD

17e6c95f3b22d18acdf8380fb26a8d0e10c80767ylavic><TD

e8bd80a4bb88199d2f9a24a50345688e52d9c116ylavic></TD

330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic><TD

330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic><A

330e16bea8fe9cace4de90c349750c03dfb1fe64ylavic>Next</A

d7205b1a86c51c27b71a2c458dc453fd53a261c1covener></TD

d7205b1a86c51c27b71a2c458dc453fd53a261c1covener></TR

d7205b1a86c51c27b71a2c458dc453fd53a261c1covener></TABLE

d7205b1a86c51c27b71a2c458dc453fd53a261c1covener><HR

44ff304057225e944e220e981d434a046d14cf06covenerWIDTH="100%"></DIV

44ff304057225e944e220e981d434a046d14cf06covener><DIV

44ff304057225e944e220e981d434a046d14cf06covener><H1

5d1ba75b8794925e67591c209085a49279791de9covener><A

5d1ba75b8794925e67591c209085a49279791de9covener>Chapter 7. <SPAN

032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand>BIND</SPAN

032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand> 9 Security Considerations</A

032982212dbcc7c3cce95bf89c503bb56e185ac7kbrand></H1

caad2986f81ab263f7af41467dd622dc9add17f3ylavic><DIV

caad2986f81ab263f7af41467dd622dc9add17f3ylavic><DL

caad2986f81ab263f7af41467dd622dc9add17f3ylavic><DT

45a10d38e6051fd7bdf9d742aaae633d97ff02abjailletc><B

f7317ff316c2b141feea31bddb74d5d3fa1584edjorton>Table of Contents</B

f7317ff316c2b141feea31bddb74d5d3fa1584edjorton></DT

2165214331e4afafca4048f66f303d0253d7b001covener><DT

a34684a59b60a4173c25035d0c627ef17e6dc215rpluem>7.1. <A

1e2d421a36999d292042a5539971070d54aa6c63ylavic>Access Control Lists</A

1e2d421a36999d292042a5539971070d54aa6c63ylavic></DT

1e2d421a36999d292042a5539971070d54aa6c63ylavic><DT

fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh>7.2. <A

fa7ed98b9dc94c5845cf845aea0a44ecacd290c9humbedooh><B

0b67eb8568cd58bb77082703951679b42cf098actrawick>chroot</B

0b67eb8568cd58bb77082703951679b42cf098actrawick> and <B

5ef3c61605a3a021ff71f488983cb0065f8e1a79covener>setuid</B

fb1985a97912b25ec6564c73e610a31e5fc6e25fcovener> (for

09c87c777bed1655621bb20e1c46cb6b1a63279dcovenerUNIX servers)</A

6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic></DT

6502b7b32f980cc2093bb3ebce37e5e4dc68fba4ylavic><DT

3060ce7f798fbda7999cd4ddf89b525d2b294185covener>7.3. <A

c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic>Dynamic Update Security</A

c1a63b8fad09c419c1a64f75993feb8a343a6801ylavic></DT

e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc></DL

e6b4bd1113567627ab6bb6c6a7105e1e01a7d889jailletc></DIV

e466c40e1801982602ee0200c9e8b61cc148742djailletc><DIV

457468b82e59d01eba00dd9d0817309c8f5e414ejim><H1

457468b82e59d01eba00dd9d0817309c8f5e414ejim><A

04983e3bd1754764eec7d6bb772fe3b0bf391771jorton>7.1. Access Control Lists</A

15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem></H1

15660979a30d251681463de2e0584853890082accovener><P

15660979a30d251681463de2e0584853890082accovener>Access Control Lists (ACLs), are address match lists that

49dacedb6c387b786b7911082ff35121a45f414bcoveneryou can set up and nickname for future use in <B

cfd9415521847b2f9394fad04fb701cfb955f503rjung>allow-notify</B

cfd9415521847b2f9394fad04fb701cfb955f503rjung>,

cfd9415521847b2f9394fad04fb701cfb955f503rjung<B

28c31fb73c1264bd1d0ff932573677030b024c7dwrowe>allow-query</B

28c31fb73c1264bd1d0ff932573677030b024c7dwrowe>, <B

28c31fb73c1264bd1d0ff932573677030b024c7dwrowe>allow-recursion</B

8491e0600f69b0405e156ea8a419653c065c645bcovener>,

63b9f1f5880391261705f696d7d65507bbe9ace3covener<B

63b9f1f5880391261705f696d7d65507bbe9ace3covener>blackhole</B

49dacedb6c387b786b7911082ff35121a45f414bcovener>, <B

49dacedb6c387b786b7911082ff35121a45f414bcovener>allow-transfer</B

49dacedb6c387b786b7911082ff35121a45f414bcovener>,

3c990331fc6702119e4f5b8ba9eae3021aea5265jimetc.</P

3c990331fc6702119e4f5b8ba9eae3021aea5265jim><P

3c990331fc6702119e4f5b8ba9eae3021aea5265jim>Using ACLs allows you to have finer control over who can access

3c990331fc6702119e4f5b8ba9eae3021aea5265jimyour name server, without cluttering up your config files with huge

fc42512879dd0504532f52fe5d0d0383dda96a1eniqlists of IP addresses.</P

fc42512879dd0504532f52fe5d0d0383dda96a1eniq><P

fc42512879dd0504532f52fe5d0d0383dda96a1eniq>It is a <I

0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq>good idea</I

0451df5dc50fa5d8b3e07d92ee6a92e36a1181a5niq> to use ACLs, and to

da0442c0440caef34706e2c2f3af05cb65921cc0jailletccontrol access to your server. Limiting access to your server by

983528026996668ea295be95aedb9c7a346af470ylavicoutside parties can help prevent spoofing and DoS attacks against

da0442c0440caef34706e2c2f3af05cb65921cc0jailletcyour server.</P

da0442c0440caef34706e2c2f3af05cb65921cc0jailletc><P

06b8f183140c8e02e0974e938a05078b511d1603covener>Here is an example of how to properly apply ACLs:</P

06b8f183140c8e02e0974e938a05078b511d1603covener><PRE

15890c9306ba98f6fc243e15a3c4778ddc7d773erpluem>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,

259878293a997ff49f5ddfc53d3739cbdc25444ecovener// which is commonly used in spoofing attacks.

259878293a997ff49f5ddfc53d3739cbdc25444ecoveneracl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

259878293a997ff49f5ddfc53d3739cbdc25444ecovener// Set up an ACL called our-nets. Replace this with the real IP numbers.

259878293a997ff49f5ddfc53d3739cbdc25444ecoveneracl our-nets { x.x.x.x/24; x.x.x.x/21; };

15890c9306ba98f6fc243e15a3c4778ddc7d773erpluemoptions {

b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin ...

b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin ...

b54b024c06a19926832d77d40ba35ad8c41e4d3dminfrin allow-query { our-nets; };

65967d05f839dbf27cf91d91fa79585eeae19660minfrin allow-recursion { our-nets; };

65967d05f839dbf27cf91d91fa79585eeae19660minfrin ...

65967d05f839dbf27cf91d91fa79585eeae19660minfrin blackhole { bogusnets; };

65967d05f839dbf27cf91d91fa79585eeae19660minfrin ...

8152945ae46857b170cb227e79bb799f4fc7710dminfrin};

8152945ae46857b170cb227e79bb799f4fc7710dminfrinzone "example.com" {

8152945ae46857b170cb227e79bb799f4fc7710dminfrin type master;

8152945ae46857b170cb227e79bb799f4fc7710dminfrin file "m/example.com";

75f5c2db254c0167a0e396254460de09b775d203trawick allow-query { any; };

75f5c2db254c0167a0e396254460de09b775d203trawick};

75f5c2db254c0167a0e396254460de09b775d203trawick</PRE

4f0358189bfa57b8e75bd6b94db264302a8f336amrumph><P

4f0358189bfa57b8e75bd6b94db264302a8f336amrumph>This allows recursive queries of the server from the outside

4f0358189bfa57b8e75bd6b94db264302a8f336amrumphunless recursion has been previously disabled.</P

5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick><P

5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawick>For more information on how to use ACLs to protect your server,

5716f9c6daa92dde5f2f9d11ed63f7c9549c223atrawicksee the <I

54d750a84a175d8e338880514d440773eb986b50covener>AUSCERT</I

54d750a84a175d8e338880514d440773eb986b50covener> advisory at

54d750a84a175d8e338880514d440773eb986b50covener<A

54d750a84a175d8e338880514d440773eb986b50covener>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A

54d750a84a175d8e338880514d440773eb986b50covener></P

54d750a84a175d8e338880514d440773eb986b50covener></DIV

7a3aa12f0eda24793ee26d6a179bd53132e9dae8covener><DIV

54d750a84a175d8e338880514d440773eb986b50covener><H1

4e30ef014533a7e93c92d88306291f5e49c9692ftrawick><A

5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick>7.2. <B

5f066f496cd9f20a2a701255bc67d44e7cb46daetrawick>chroot</B

2e15620d724fb8e3a5be183b917359a2fd6e9468covener> and <B

2e15620d724fb8e3a5be183b917359a2fd6e9468covener>setuid</B

2e15620d724fb8e3a5be183b917359a2fd6e9468covener> (for

1b988c41ee505962781d110a3e4c2c90f1ea0aa4covenerUNIX servers)</A

1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener></H1

1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener><P

1b988c41ee505962781d110a3e4c2c90f1ea0aa4covener>On UNIX servers, it is possible to run <SPAN

b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener>BIND</SPAN

b8efdc95bec9cf089aa1be0bfd07d46aa1137a7acovener> in a <I

f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd>chrooted</I

f06e7c4b1bce6b6491e5de0b7998d3f5696b293dchrisd> environment

179565be4043d7e5f9161aa75271fa0a001866d9covener(<B

179565be4043d7e5f9161aa75271fa0a001866d9covener>chroot()</B

111436a32ba1254291e4883292fb116d15fe8f64covener>) by specifying the "<TT

fce4949fb0b309a5744afcd503c6ed2d35621ee2covener>-t</TT

fce4949fb0b309a5744afcd503c6ed2d35621ee2covener>"

fce4949fb0b309a5744afcd503c6ed2d35621ee2coveneroption. This can help improve system security by placing <SPAN

7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick>BIND</SPAN

7b7430e701e9a31ce809da7c220bb8dfcf68c86etrawick> in

ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantza "sandbox", which will limit the damage done if a server is compromised.</P

ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz><P

ccc20788c1e5fc973f36df634399c89acb70deaejerenkrantz>Another useful feature in the UNIX version of <SPAN

273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza>BIND</SPAN

273e512f20f262e5e2aa8e0e83371d1929fb76adjkaluza> is the

efe780dcf13b2b95effabf897d694d8f23feac74trawickability to run the daemon as an unprivileged user ( <TT

fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin>-u</TT

fe83f60b41477b14a37edcfcd1f7f5c5a1ebfe44minfrin> <TT

993d1261a278d7322bccef219101220b7b4fb8c5jkaluza><I

993d1261a278d7322bccef219101220b7b4fb8c5jkaluza>user</I

ba050a6f942b9fa0e81ed73437588005c569655ccovener></TT

ba050a6f942b9fa0e81ed73437588005c569655ccovener> ).

ba050a6f942b9fa0e81ed73437588005c569655ccovenerWe suggest running as an unprivileged user when using the <B

135ddda3a989215d2bedbcf1529bfb269c3eda23niq>chroot</B

135ddda3a989215d2bedbcf1529bfb269c3eda23niq> feature.</P

135ddda3a989215d2bedbcf1529bfb269c3eda23niq><P

001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh>Here is an example command line to load <SPAN

001a44c352f89c9ec332ffd3e0a6927dcd19432chumbedooh>BIND</SPAN

efe780dcf13b2b95effabf897d694d8f23feac74trawick> in a <B

cc5a4a08dc9783fcbc52ce86f11e01c281a43810minfrin>chroot()</B

9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovener> sandbox,

9b0076ddd1103e5fa9c1f9bafde4b06ce244fbaecovener<B

249d09d51808cb7981af99762c3b3736ca126cd5jkaluza>/var/named</B

249d09d51808cb7981af99762c3b3736ca126cd5jkaluza>, and to run <B

249d09d51808cb7981af99762c3b3736ca126cd5jkaluza>named</B

56589be3d7a3e9343370df240010c6928cc78b39jkaluza> <B

56589be3d7a3e9343370df240010c6928cc78b39jkaluza>setuid</B

77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc> to

77ca16c5676da23155311e13cee61e7eaba9fa3ejailletcuser 202:</P

77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc><P

77ca16c5676da23155311e13cee61e7eaba9fa3ejailletc><TT

f87299dab99bc04b51a6b8cad51b6795db862c0atrawick><B

f87299dab99bc04b51a6b8cad51b6795db862c0atrawick>/usr/local/bin/named -u 202 -t /var/named</B

4d12805e6c18253040223ea637acd6b3b3c18f60jorton></TT

4d12805e6c18253040223ea637acd6b3b3c18f60jorton></P

4d12805e6c18253040223ea637acd6b3b3c18f60jorton><DIV

85eacfc96a04547ef25aabbc06440039715084c2jorton><H2

a4df2cd1e1391575a327c2a90ba4315f805a0a78covener><A

a4df2cd1e1391575a327c2a90ba4315f805a0a78covener>7.2.1. The <B

cb666b29f81df1d11d65002250153353568021fccovener>chroot</B

cb666b29f81df1d11d65002250153353568021fccovener> Environment</A

6a80c3c6f4b8ea7ba5e89402b8b779b09ce020e0covener></H2

1c2cab00d988fc48cbe59032cf76cc0bab20d6f7covener><P

6a80c3c6f4b8ea7ba5e89402b8b779b09ce020e0covener>In order for a <B

75a230a728338d84dcfe81edd375352f34de22d0covener>chroot()</B

75a230a728338d84dcfe81edd375352f34de22d0covener> environment to

1f50dc34ae069adeed20b2986e5ffdefa5c410e0covenerwork properly in a particular directory

1f50dc34ae069adeed20b2986e5ffdefa5c410e0covener(for example, <TT

63a5ea80bddcc84a462e40f402b4f330e0e05411covener>/var/named</TT

63a5ea80bddcc84a462e40f402b4f330e0e05411covener>),

63a5ea80bddcc84a462e40f402b4f330e0e05411coveneryou will need to set up an environment that includes everything

63a5ea80bddcc84a462e40f402b4f330e0e05411covener<SPAN

65a4e663b82f8bce28ac22ab2edfd7502de36998sf>BIND</SPAN

65a4e663b82f8bce28ac22ab2edfd7502de36998sf> needs to run.

65a4e663b82f8bce28ac22ab2edfd7502de36998sfFrom <SPAN

74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin>BIND</SPAN

74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin>'s point of view, <TT

74e7f6c55fd67b10cb400b3f6d1dc718a303d944minfrin>/var/named</TT

a511a29faf2ff7ead3b67680154a624effb31aafminfrin> is

a511a29faf2ff7ead3b67680154a624effb31aafminfrinthe root of the filesystem. You will need to adjust the values of options like

a511a29faf2ff7ead3b67680154a624effb31aafminfrinlike <B

a511a29faf2ff7ead3b67680154a624effb31aafminfrin>directory</B

63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin> and <B

63921358ef93fcb41bc71d9894221ba3d7fbb87bminfrin>pid-file</B

deec48c67d4786bc77112ffbf3a4e70b931097edminfrin> to account

6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrinfor this.

6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin</P

6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin><P

6d601599d3d65df0410eae6e573e75b2dbfb1fb4minfrin>&#13;Unlike with earlier versions of BIND, you will typically

684e0cfc200f66287a93bbd1708d1dd8a92a7eefcovener<I

5c43d2fb853f84497b5ece2d414ef9484aa87e5fsf>not</I

05a5a9c3e16f21566e1b61f4bd68025ce1b741ccjoes> need to compile <B

ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq>named</B

26c5829347f6a355c00f1ba0301d575056b69536niq>

ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niqstatically nor install shared libraries under the new root.

ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niqHowever, depending on your operating system, you may need

ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niqto set up things like

ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq<TT

ef82e8fa164e0a1f8b813f7deb6b7ead96018c94niq>/dev/zero</TT

413ee814748f37be168ff12407fa6dba0ceeabe6trawick>,

c12917da693bae4028a1d5a5e8224bceed8c739dsf<TT

eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf>/dev/random</TT

eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf>,

eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf<TT

eafcc0ebf263d0ba69855b6e10958c4c1a2361bdsf>/dev/log</TT

d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf>, and/or

d7ffd2da16d58b1a0de212e4d56f7aebb72bef26sf<TT

4576c1a9ef54cd1e5555ee07d016a7f559f80338sf>/etc/localtime</TT

4576c1a9ef54cd1e5555ee07d016a7f559f80338sf>.

4576c1a9ef54cd1e5555ee07d016a7f559f80338sf</P

9811aed12bbc71783d2e544ccb5fecd193843eadsf></DIV

9811aed12bbc71783d2e544ccb5fecd193843eadsf><DIV

88fac54d9d64f85bbdab5d7010816f4377f95bd7rjung><H2

bd3f5647b96d378d9c75c954e3f13582af32c643sf><A

bd3f5647b96d378d9c75c954e3f13582af32c643sf>7.2.2. Using the <B

bd3f5647b96d378d9c75c954e3f13582af32c643sf>setuid</B

2a7beea91d46beb41f043a84eaad060047ee04aafabien> Function</A

2a7beea91d46beb41f043a84eaad060047ee04aafabien></H2

2a7beea91d46beb41f043a84eaad060047ee04aafabien><P

2a7beea91d46beb41f043a84eaad060047ee04aafabien>Prior to running the <B

584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf>named</B

584a85dd4047e38d3ed3a29b6662fcc9d100ae4csf> daemon, use

f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sfthe <B

f21e9e3d0bfb7a507ecc5bc963f2159d693503d1sf>touch</B

f6b9c755a0b793e8a3a3aebd327ca20a86478117sf> utility (to change file access and

f6b9c755a0b793e8a3a3aebd327ca20a86478117sfmodification times) or the <B

132ee6ac1c26d6e8953836316ba50734eefab47bsf>chown</B

132ee6ac1c26d6e8953836316ba50734eefab47bsf> utility (to

132ee6ac1c26d6e8953836316ba50734eefab47bsfset the user id and/or group id) on files

85eacfc96a04547ef25aabbc06440039715084c2jortonto which you want <SPAN

85eacfc96a04547ef25aabbc06440039715084c2jorton>BIND</SPAN

536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick>

536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawickto write. Note that if the <B

536d2e7cd1fdec1255b8c3bdf41fdc714c506a54trawick>named</B

79c5787b92ac5f0e1cc82393816c77a006399316trawick> daemon is running as an

79c5787b92ac5f0e1cc82393816c77a006399316trawickunprivileged user, it will not be able to bind to new restricted ports if the

79c5787b92ac5f0e1cc82393816c77a006399316trawickserver is reloaded.</P

79c5787b92ac5f0e1cc82393816c77a006399316trawick></DIV

c967bf3bc89e8aa60dbd30d9da388e448ddc1cc4trawick></DIV

79c5787b92ac5f0e1cc82393816c77a006399316trawick><DIV

79c5787b92ac5f0e1cc82393816c77a006399316trawick><H1

79c5787b92ac5f0e1cc82393816c77a006399316trawick><A

7b395e4e878c28a4784919cfd2e704ddd14a3390jorton>7.3. Dynamic Update Security</A

7b395e4e878c28a4784919cfd2e704ddd14a3390jorton></H1

7b395e4e878c28a4784919cfd2e704ddd14a3390jorton><P

536e48c08d674acac5d44929318f2ad928edc361jorton>Access to the dynamic

536e48c08d674acac5d44929318f2ad928edc361jortonupdate facility should be strictly limited. In earlier versions of

e81785da447b469da66f218b3f0244aab507958djorton<SPAN

3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton>BIND</SPAN

3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jorton> the only way to do this was based on the IP

3e4e54d4e3fc0123c63d57aa84ac7ad7a8c73ff8jortonaddress of the host requesting the update, by listing an IP address or

53e9b27aba029b18be814df40bcf6f0428771d1efuankgnetwork prefix in the <B

53e9b27aba029b18be814df40bcf6f0428771d1efuankg>allow-update</B

53e9b27aba029b18be814df40bcf6f0428771d1efuankg> zone option.

53e9b27aba029b18be814df40bcf6f0428771d1efuankgThis method is insecure since the source address of the update UDP packet

6bb524f1895f30265a1431afc460977d391cb36bsfis easily forged. Also note that if the IP addresses allowed by the

6bb524f1895f30265a1431afc460977d391cb36bsf<B

6bb524f1895f30265a1431afc460977d391cb36bsf>allow-update</B

e6dd71992459d05a676b98b7963423dc5dc1e24aminfrin> option include the address of a slave

e6dd71992459d05a676b98b7963423dc5dc1e24aminfrinserver which performs forwarding of dynamic updates, the master can be

e6dd71992459d05a676b98b7963423dc5dc1e24aminfrintrivially attacked by sending the update to the slave, which will

e6dd71992459d05a676b98b7963423dc5dc1e24aminfrinforward it to the master with its own source IP address causing the

23f1535d6a60817d2846bac0aea230ea475d7dccminfrinmaster to approve it without question.</P

23f1535d6a60817d2846bac0aea230ea475d7dccminfrin><P

23f1535d6a60817d2846bac0aea230ea475d7dccminfrin>For these reasons, we strongly recommend that updates be

23f1535d6a60817d2846bac0aea230ea475d7dccminfrincryptographically authenticated by means of transaction signatures

ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung(TSIG). That is, the <B

ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung>allow-update</B

ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung> option should

ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjunglist only TSIG key names, not IP addresses or network

ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjungprefixes. Alternatively, the new <B

ec7520b24cd80d34d82bbcaca153cbb23cc04bc0rjung>update-policy</B

6249dfa569d3b4f1f539665b979a80c6e335d93etrawick>

6249dfa569d3b4f1f539665b979a80c6e335d93etrawickoption can be used.</P

0827cb14e550f6f65018431c22c2c913631c8f25kbrand><P

6249dfa569d3b4f1f539665b979a80c6e335d93etrawick>Some sites choose to keep all dynamically updated DNS data

ae600ca541efc686b34f8b1f21bd3d0741d37674covenerin a subdomain and delegate that subdomain to a separate zone. This

6249dfa569d3b4f1f539665b979a80c6e335d93etrawickway, the top-level zone containing critical data such as the IP addresses

cfa64348224b66dd1c9979b809406c4d15b1c137fieldingof public web and mail servers need not allow dynamic update at

74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajimall.</P

cfa64348224b66dd1c9979b809406c4d15b1c137fielding></DIV

74499a117b3b2cd9666715a14f90c0e5d1a4ee8ajim></DIV

cfa64348224b66dd1c9979b809406c4d15b1c137fielding><DIV

cfa64348224b66dd1c9979b809406c4d15b1c137fielding><HR

cfa64348224b66dd1c9979b809406c4d15b1c137fieldingWIDTH="100%"><TABLE

><TR

><TD

><A

>Prev</A

></TD

><TD

><A

>Home</A

></TD

><TD

><A

>Next</A

></TD

></TR

><TR

><TD

><SPAN

>BIND</SPAN

> 9 Configuration Reference</TD

><TD

>&nbsp;</TD

><TD

>Troubleshooting</TD

></TR

></TABLE

></DIV

></BODY

></HTML

>