Bv9ARM.ch07.html revision b7554e2bc93290f579e392cd86cf8107072130a4
<TITLE>BIND 9 Security Considerations</TITLE>
<META NAME="GENERATOR" CONTENT="Modular DocBook HTML Stylesheet Version 1.61">
<P>BIND 9 Administrator Reference Manual</P>
<H1 CLASS="chapter">Chapter 7. <SPAN CLASS="acronym">BIND</SPAN> 9 Security Considerations</H1>
<B>Table of Contents</B>
<DL>
<DT>7.1. <A HREF="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</A></DT>
<DT>7.2. <A HREF="Bv9ARM.ch07.html#AEN4265"><B CLASS="command">chroot</B> and <B CLASS="command">setuid</B> (for UNIX servers)</A></DT>
<DT>7.3. <A HREF="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</A></DT>
</DL>
<H1 CLASS="sect1"><A NAME="Access_Control_Lists">7.1. Access Control Lists</A></H1>
<P>Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in <B CLASS="command">allow-notify</B>, <B CLASS="command">allow-query</B>, <B CLASS="command">allow-recursion</B>, <B CLASS="command">blackhole</B>, <B CLASS="command">allow-transfer</B>, etc.</P>
<P>Using ACLs allows you to have finer control over who can access your nameserver, without cluttering up your config files with huge lists of IP addresses.</P>
<P>It is a <I CLASS="emphasis">good idea</I> to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server. Two points to bear in mind: an address match list is evaluated in order and the first matching element decides the result, so a negated element (written with a leading <TT>!</TT>) must be listed before any broader element that would otherwise match it; and an ACL matches only the source address of a packet, which a UDP sender can forge, so ACLs reduce exposure but are not a substitute for authentication (for which see <A HREF="Bv9ARM.ch07.html#dynamic_update_security">Section 7.3</A>).</P>
<P>Here is an example of how to properly apply ACLs:</P>
<PRE CLASS="programlisting">
// Set up an ACL named "bogusnets" that will block RFC 1918 private space and
// other blocks that never carry legitimate queries; both are commonly used in
// spoofing attacks. (1.0.0.0/8 and 2.0.0.0/8 have since been allocated; do not block them.)
acl bogusnets { 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  blackhole { bogusnets; };
  ...
};
zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</PRE>
<P>The zone-level <B CLASS="command">allow-query { any; }</B> overrides the global <B CLASS="command">allow-query</B> for <TT>example.com</TT> only, so anyone may query that zone's authoritative data, while recursion on behalf of outside clients remains limited to <TT>our-nets</TT> by the global <B CLASS="command">allow-recursion</B> (and is unavailable altogether if recursion has been disabled). Addresses matching <TT>bogusnets</TT> are checked against <B CLASS="command">blackhole</B> before anything else and receive no response at all.</P>
<P>For more information on how to use ACLs to protect your server, see the <I CLASS="emphasis">AUSCERT</I> advisory at <A HREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" TARGET="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A>.</P>
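<P>The following is an added example, not code from BIND or from this manual. It evaluates address match lists with the rules named applies (first match decides, a leading <TT>!</TT> negates, <TT>any</TT>/<TT>none</TT> are built in, a bare name refers to another <B CLASS="command">acl</B>, and a negated match inside a nested ACL counts as "no match" for the outer list) and then models how the configuration above treats a query. The <TT>our-nets</TT> prefix, the <TT>not-seven</TT> ACL and the client addresses are made up; the decision model is a simplification of named's real checks.</P>

```python
"""Evaluate BIND-style address match lists and model the ARM example config.

Added example for this section; not BIND code.  Assumed rules: elements
are tried in order, the first match decides, "!" negates an element,
"any"/"none" are built in, a bare name refers to another acl, and a
negated match inside a nested acl is treated as no match by the outer
list.  The our-nets prefix and client addresses are constructed.
"""
import ipaddress

ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    # bogusnets as in the ARM example, minus 1.0.0.0/8 and 2.0.0.0/8.
    "bogusnets": ["0.0.0.0/8", "192.0.2.0/24", "224.0.0.0/3",
                  "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24"],          # stand-in for x.x.x.x/24
    "not-seven": ["!198.51.100.7", "any"],    # used to show nesting rules
}


def _element_matches(element, addr, acls, depth):
    """True if one non-negated element matches addr."""
    if element in acls:
        if depth > 16:                        # acl a { b; }; acl b { a; };
            raise ValueError("acl nesting too deep at %r" % element)
        # Only a positive result from the nested list counts as a match.
        return _match(addr, acls[element], acls, depth + 1) is True
    net = ipaddress.ip_network(element, strict=False)
    return addr.version == net.version and addr in net


def _match(addr, aml, acls, depth):
    for raw in aml:
        negated = raw.startswith("!")
        element = raw[1:].strip() if negated else raw
        if _element_matches(element, addr, acls, depth):
            return not negated                # first match decides
    return None                               # fell off the end: no match


def match(src, aml, acls=ACLS):
    """True = matched, False = matched a negated element, None = no match.
    For allow-* options only True grants access."""
    return _match(ipaddress.ip_address(src), aml, acls, 0)


# The options from the ARM example, as named would consult them.
OPTIONS = {"blackhole": ["bogusnets"],
           "allow-query": ["our-nets"],
           "allow-recursion": ["our-nets"]}
ZONE_ALLOW_QUERY = {"example.com": ["any"]}   # zone-level override


def decide(src, qzone, recursion_desired):
    """Outcome for one query: "drop", "refuse", "authoritative",
    "recursive" or "non-recursive".  qzone is the local zone the name
    falls in, or None if the server is not authoritative for it."""
    if match(src, OPTIONS["blackhole"]) is True:
        return "drop"                         # blackhole: no reply at all
    allow_query = ZONE_ALLOW_QUERY.get(qzone, OPTIONS["allow-query"])
    if match(src, allow_query) is not True:
        return "refuse"
    if qzone is not None:
        return "authoritative"                # no recursion needed
    if recursion_desired and match(src, OPTIONS["allow-recursion"]) is True:
        return "recursive"
    return "non-recursive"                    # cache/referral only


if __name__ == "__main__":
    for src, qzone, rd in [("192.168.1.5", "example.com", True),
                           ("203.0.113.9", "example.com", True),
                           ("203.0.113.9", None, True),
                           ("198.51.100.7", None, True)]:
        print(src, qzone, "->", decide(src, qzone, rd))
```

<P>The ordering rule is the one that bites in practice: <TT>{ !198.51.100.7; our-nets; }</TT> excludes that host, whereas <TT>{ our-nets; !198.51.100.7; }</TT> does not, because <TT>our-nets</TT> already matched. The nested case shows why a negation cannot be hidden inside a named ACL and used as a blanket denial from the outside.</P>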
<H1 CLASS="sect1"><A NAME="AEN4265">7.2. <B CLASS="command">chroot</B> and <B CLASS="command">setuid</B> (for UNIX servers)</A></H1>
<P>On UNIX servers, it is possible to run <SPAN CLASS="acronym">BIND</SPAN> in a <I CLASS="emphasis">chroot</I> environment (<B CLASS="command">chroot()</B>) by specifying the "<TT CLASS="option">-t</TT>" option. This can help improve system security by placing <SPAN CLASS="acronym">BIND</SPAN> in a "sandbox," which will limit the damage done if a server is compromised: a compromised <B CLASS="command">named</B> can then reach only the files placed under the new root, not the rest of the system.</P>
<P>Another useful feature in the UNIX version of <SPAN CLASS="acronym">BIND</SPAN> is the ability to run the daemon as a nonprivileged user (<TT CLASS="option">-u</TT> <TT CLASS="replaceable">user</TT>). We suggest running as a nonprivileged user when using the <B CLASS="command">chroot</B> feature, since a process that is still root inside a chroot can generally break out of it; the two options only form an effective sandbox together.</P>
<P>Here is an example command line to load <SPAN CLASS="acronym">BIND</SPAN> in a <B CLASS="command">chroot</B> sandbox, and to run <B CLASS="command">named</B> <B CLASS="command">setuid</B> to a nonprivileged user (substitute the real user name or numeric id and the sandbox directory):</P>
<PRE CLASS="userinput">named -u <TT CLASS="replaceable">user</TT> -t <TT CLASS="replaceable">/path/to/sandbox</TT></PRE>
<H2 CLASS="sect2"><A NAME="AEN4288">7.2.1. The <B CLASS="command">chroot</B> Environment</A></H2>
<P>In order for a <B CLASS="command">chroot</B> environment to work properly in a particular directory, you will need to set up an environment that includes everything <SPAN CLASS="acronym">BIND</SPAN> needs to run. From <SPAN CLASS="acronym">BIND</SPAN>'s point of view, that directory is the root of the filesystem, so every path in <TT CLASS="filename">named.conf</TT> is interpreted relative to it and not to the real root. You will need to adjust the values of options like <B CLASS="command">directory</B> and <B CLASS="command">pid-file</B> to account for this.</P>
<P>Unlike with earlier versions of BIND, you will typically <I CLASS="emphasis">not</I> need to compile <B CLASS="command">named</B> statically nor install shared libraries under the new root, because the libraries are loaded before <B CLASS="command">named</B> changes its root. However, depending on your operating system, you may need to set up things like <TT CLASS="filename">/dev/zero</TT>, <TT CLASS="filename">/dev/random</TT>, <TT CLASS="filename">/dev/log</TT>, and/or <TT CLASS="filename">/etc/localtime</TT> inside the sandbox.</P>
<H2 CLASS="sect2"><A NAME="AEN4306">7.2.2. Using the <B CLASS="command">setuid</B> Function</A></H2>
<P>Prior to running the <B CLASS="command">named</B> daemon, use the <B CLASS="command">touch</B> utility (to create the files, or to change their access and modification times) or the <B CLASS="command">chown</B> utility (to set the user id and/or group id) on files to which you want <SPAN CLASS="acronym">BIND</SPAN> to write, such as the PID file, slave zone files and any dump or statistics files: once it has dropped privileges, <B CLASS="command">named</B> can write only to files and directories that the user given with <TT CLASS="option">-u</TT> is permitted to write. Note that if the <B CLASS="command">named</B> daemon is running as a nonprivileged user, it will not be able to bind to new restricted ports if the server is reloaded, so a <B CLASS="command">listen-on</B> change that adds a privileged port requires a full restart rather than a reload.</P>
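<P>The following is an added example for 7.2.1 and 7.2.2, not a BIND utility. It reads the path-bearing statements of a <TT CLASS="filename">named.conf</TT>, resolves them the way <B CLASS="command">named</B> will after <TT CLASS="option">-t</TT> (relative to the sandbox, with relative <B CLASS="command">file</B> paths taken from <B CLASS="command">directory</B>), and reports paths that are missing under the sandbox or, for files <B CLASS="command">named</B> must write, not owned by the <TT CLASS="option">-u</TT> user. The sample configuration, its addresses and the sandbox layout built by <TT>demo()</TT> are constructed; the parser handles only the statements shown and is not a full <TT CLASS="filename">named.conf</TT> parser.</P>

```python
"""Sanity-check a named chroot before running named -t <root> -u <user>.

Added example, not a BIND utility.  Assumes what the section describes:
paths in named.conf are resolved relative to the new root, relative
"file" paths are relative to "directory", and files named must write
(PID file, slave zone files) must exist and be owned by the -u user
before named drops privileges.  SAMPLE_CONF and the demo layout are
constructed; the parser is deliberately minimal.
"""
import os
import re
import tempfile

_STMT = re.compile(r'\b(directory|pid-file|file|type)\s+"?([^";\s]+)"?\s*;')
_ZONE = re.compile(r'\bzone\s+"[^"]+"[^{]*\{')
# Files the section says some operating systems need inside the sandbox.
OS_FILES = ("dev/zero", "dev/random", "dev/log", "etc/localtime")

SAMPLE_CONF = """
options {
    directory "/etc/namedb";          // inside the chroot, not the host
    pid-file "/var/run/named.pid";    // likewise
};
zone "example.com" { type master; file "m/example.com"; };
zone "example.net" {
    type slave; file "s/example.net";
    masters { 192.0.2.1; };           // constructed address
};
"""


def _split_zones(conf):
    """Return (text outside zone blocks, [zone block bodies])."""
    outside, bodies, last = [], [], 0
    for m in _ZONE.finditer(conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):            # brace matching
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        bodies.append(conf[m.end():i - 1])
        outside.append(conf[last:m.start()])
        last = i
    outside.append(conf[last:])
    return "".join(outside), bodies


def referenced_paths(conf):
    """(path as named sees it, must be writable by the -u user) pairs."""
    outside, bodies = _split_zones(conf)
    opts = dict(_STMT.findall(outside))
    directory = opts.get("directory", "/")

    def absolute(p):
        return p if p.startswith("/") else os.path.join(directory, p)

    paths = [(directory, False)]
    if "pid-file" in opts:
        paths.append((absolute(opts["pid-file"]), True))
    for body in bodies:
        stmts = dict(_STMT.findall(body))
        if "file" in stmts:                       # slaves write their zone file
            paths.append((absolute(stmts["file"]), stmts.get("type") == "slave"))
    return paths


def check_chroot(root, conf, uid):
    """Return {"errors": {path: reason}, "warnings": [missing OS files]}."""
    errors, warnings = {}, []
    for inside, must_write in referenced_paths(conf):
        host = os.path.join(root, inside.lstrip("/"))
        if not os.path.exists(host):
            errors[inside] = "missing: expected at " + host
        elif must_write and os.stat(host).st_uid != uid:
            errors[inside] = "not owned by uid %d; chown it" % uid
    for rel in OS_FILES:
        if not os.path.exists(os.path.join(root, rel)):
            warnings.append("/" + rel)
    return {"errors": errors, "warnings": warnings}


def build_chroot(root):
    """Lay out the directories and touch the files, as 7.2.2 instructs."""
    for d in ("etc/namedb/m", "etc/namedb/s", "var/run"):
        os.makedirs(os.path.join(root, d), exist_ok=True)
    for f in ("etc/namedb/m/example.com", "etc/namedb/s/example.net",
              "var/run/named.pid"):
        open(os.path.join(root, f), "a").close()


def demo():
    """Check an empty root, build it, re-check, then check with a wrong uid."""
    root = tempfile.mkdtemp(prefix="named-chroot-")
    me = os.getuid()
    before = sorted(check_chroot(root, SAMPLE_CONF, me)["errors"])
    build_chroot(root)
    after = sorted(check_chroot(root, SAMPLE_CONF, me)["errors"])
    wrong_owner = sorted(check_chroot(root, SAMPLE_CONF, me + 1)["errors"])
    return before, after, wrong_owner


if __name__ == "__main__":
    print(demo())
```

<P>Run it against the real sandbox with the uid you will pass to <TT CLASS="option">-u</TT>; anything listed under <TT>errors</TT> will make <B CLASS="command">named</B> fail to start or fail to write after dropping privileges, and anything under <TT>warnings</TT> is worth checking against the notes for your operating system in 7.2.1.</P>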
<H1 CLASS="sect1"><A NAME="dynamic_update_security">7.3. Dynamic Update Security</A></H1>
<P>Access to the dynamic update facility should be strictly limited. In earlier versions of <SPAN CLASS="acronym">BIND</SPAN>, the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or network prefix in the <B CLASS="command">allow-update</B> zone option. This method is insecure since the source address of the update UDP packet is easily forged. Also note that if the IP addresses allowed by the <B CLASS="command">allow-update</B> option include the address of a slave server which performs forwarding of dynamic updates, the master can be trivially attacked by sending the update to the slave, which will forward it to the master with its own source IP address, causing the master to approve it without question.</P>
<P>For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures (TSIG). That is, the <B CLASS="command">allow-update</B> option should list only TSIG key names, not IP addresses or network prefixes. Alternatively, the new <B CLASS="command">update-policy</B> option can be used; it additionally restricts what each key may change (for example, only records within a given subdomain) instead of granting a key unrestricted update access to the whole zone. A TSIG key is a shared secret, so anyone who obtains it can submit updates the master will accept: issue a separate key to each updater and protect key files as you would any other credential.</P>
<P>Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all.</P>
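<P>The following is an added example, not BIND code and not taken from this manual. It models the two <B CLASS="command">allow-update</B> schemes contrasted above, a prefix list that trusts the packet's source address and a key list that trusts only a valid HMAC computed with a shared secret, and reproduces both attacks on the address-based scheme (a spoofed source and the forwarding slave). TSIG uses HMAC over the DNS message in the same way; the wire format is omitted and the MAC here covers only the key name, zone and an opaque payload. The zone, addresses, key name and secret are constructed.</P>

```python
"""IP-based versus TSIG-authenticated dynamic update, as a model.

Added example; not BIND code and no DNS packets are built.  A Master
authorises updates either by source prefix or by "key NAME" with an
HMAC-SHA256 check; a Slave forwards updates with its own source address,
which is the situation the section warns about.  All names, addresses
and the key are constructed.
"""
import hashlib
import hmac
import ipaddress
import os
from dataclasses import dataclass
from typing import Optional


@dataclass
class Update:
    zone: str
    payload: bytes                   # requested RR changes, opaque here
    src: str                         # source address as the receiver sees it
    key_name: Optional[str] = None   # TSIG key name, if signed
    mac: Optional[bytes] = None      # HMAC over key name, zone and payload


def _digest(key_name, secret, update):
    msg = key_name.encode() + b"\0" + update.zone.encode() + b"\0" + update.payload
    return hmac.new(secret, msg, hashlib.sha256).digest()


def sign(update, key_name, secret):
    """Attach a TSIG-style MAC.  The source address is deliberately not
    covered, just as TSIG covers the DNS message and not the IP header."""
    update.key_name, update.mac = key_name, _digest(key_name, secret, update)
    return update


class Master:
    def __init__(self, zone, allow_update, keys):
        self.zone, self.keys, self.applied = zone, keys, []
        self.allow_update = allow_update        # prefixes and/or "key NAME"

    def _authorised(self, u):
        for element in self.allow_update:
            if element.startswith("key "):
                name = element[4:]
                if (u.key_name == name and name in self.keys and u.mac
                        and hmac.compare_digest(_digest(name, self.keys[name], u), u.mac)):
                    return True
            elif ipaddress.ip_address(u.src) in ipaddress.ip_network(element):
                return True                     # trusts a forgeable source address
        return False

    def receive(self, u):
        if u.zone != self.zone or not self._authorised(u):
            return "REFUSED"
        self.applied.append(u.payload)
        return "NOERROR"


class Slave:
    """Forwards updates to the master from its own address, unchanged otherwise."""
    def __init__(self, addr, master):
        self.addr, self.master = addr, master

    def receive(self, u):
        return self.master.receive(Update(u.zone, u.payload, self.addr, u.key_name, u.mac))


ZONE = "dyn.example.com"
MASTER_IP, SLAVE_IP = "198.51.100.10", "198.51.100.20"
CLIENT_IP, ATTACKER_IP = "203.0.113.5", "203.0.113.66"


def scenario_ip_based():
    """allow-update { 198.51.100.10; 198.51.100.20; };"""
    master = Master(ZONE, [MASTER_IP + "/32", SLAVE_IP + "/32"], {})
    slave = Slave(SLAVE_IP, master)
    direct = master.receive(Update(ZONE, b"add evil", ATTACKER_IP))
    spoofed = master.receive(Update(ZONE, b"add evil", MASTER_IP))    # forged src
    via_slave = slave.receive(Update(ZONE, b"add evil", ATTACKER_IP))
    return direct, spoofed, via_slave         # ('REFUSED', 'NOERROR', 'NOERROR')


def scenario_tsig():
    """allow-update { key dhcp-updater; };"""
    secret = os.urandom(32)
    master = Master(ZONE, ["key dhcp-updater"], {"dhcp-updater": secret})
    slave = Slave(SLAVE_IP, master)
    unsigned = slave.receive(Update(ZONE, b"add evil", ATTACKER_IP))
    legit = slave.receive(sign(Update(ZONE, b"add host", CLIENT_IP), "dhcp-updater", secret))
    tampered = sign(Update(ZONE, b"add host", MASTER_IP), "dhcp-updater", secret)
    tampered.payload = b"add evil"              # altered after signing
    return unsigned, legit, master.receive(tampered)   # ('REFUSED', 'NOERROR', 'REFUSED')


if __name__ == "__main__":
    print("ip-based:", scenario_ip_based())
    print("tsig:", scenario_tsig())
```

<P>The signed update is accepted whether it arrives directly or through the slave, because the MAC is bound to the key and the message rather than to the source address; the unsigned and tampered updates are refused regardless of where they appear to come from. In <TT CLASS="filename">named.conf</TT> the keyed form is <B CLASS="command">allow-update { key dhcp-updater; };</B>, and <B CLASS="command">update-policy { grant dhcp-updater subdomain dyn.example.com. A AAAA; };</B> narrows the same key to the record types and names it actually needs.</P>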