f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<HTML

279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David Lawrence><HEAD

2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý><TITLE

40f53fa8d9c6a4fc38c0014495e7a42b08f52481David Lawrence>BIND 9 Security Considerations</TITLE

bd5040035c8bb3fe4acdaf6a1f26423b58302188Mark Andrews><META

2baa66562a2f119edffded961d3391f87ff98ec0Ondřej Surý"><LINK

279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David LawrenceHREF="Bv9ARM.html"><LINK

a14613fce99dee3cad5bf842fd6be78f8e463582Brian WellingtonHREF="Bv9ARM.ch06.html"><LINK

279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David LawrenceHREF="Bv9ARM.ch08.html"></HEAD

279c6ec074be17dce62dd1b2c6ed7c2cc56a7b78David Lawrence><BODY

8d4257cff01b3821abcb9a21f46c6c6a43bb1e72Bob Halley><DIV

8d4257cff01b3821abcb9a21f46c6c6a43bb1e72Bob Halley><TABLE

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TR

8d4257cff01b3821abcb9a21f46c6c6a43bb1e72Bob Halley><TH

50453ad879d0d93854de5a3385776bd799e8f35cBob Halley>BIND 9 Administrator Reference Manual</TH

50453ad879d0d93854de5a3385776bd799e8f35cBob Halley></TR

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TR

7005cfed8cd3296d356883dcb414979f22e06b13Brian Wellington><TD

6f7660093e70d3a7c80738b681ac0f5c1b661c00Mark Andrews><A

d8dcd6ad4617cc8d7df979bd62101fa9c4bac1bcBob Halley>Prev</A

d8dcd6ad4617cc8d7df979bd62101fa9c4bac1bcBob Halley></TD

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><TD

a30e7fc23415fd238d067a8a871607bca36068baMichael Graff></TD

a30e7fc23415fd238d067a8a871607bca36068baMichael Graff><TD

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A

8313838954d67250d0ed7edf67fba5da0790d1a7Michael Graff>Next</A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></TD

8313838954d67250d0ed7edf67fba5da0790d1a7Michael Graff></TR

8313838954d67250d0ed7edf67fba5da0790d1a7Michael Graff></TABLE

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><HR

703e1c0bb66f3cd3d300358ca0c1fdf3cb5fb1c5Brian WellingtonWIDTH="100%"></DIV

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DIV

0eb2572d79822d02ea05448ce4e5f1759c73d171Michael Graff><H1

0eb2572d79822d02ea05448ce4e5f1759c73d171Michael Graff><A

0eb2572d79822d02ea05448ce4e5f1759c73d171Michael Graff>Chapter 7. <SPAN

4108eed5092156cf0407a97a9bd8ab7775164694Brian Wellington>BIND</SPAN

4108eed5092156cf0407a97a9bd8ab7775164694Brian Wellington> 9 Security Considerations</A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein></H1

3f123dcc2fe5d2cd08ca91b732741d86a4036906Brian Wellington><DIV

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DL

64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington><DT

64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington><B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Table of Contents</B

876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence></DT

876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence><DT

876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence>7.1. <A

876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence>Access Control Lists</A

876753d5ce1be48f3218fb4875fac501f8adfd6cDavid Lawrence></DT

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><DT

ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence>7.2. <A

ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence><B

ed71ea51c6ecb5d7d659b6e6a20f6b3f5c2678c6David Lawrence>chroot</B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> and <B

49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence>setuid</B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein> (for

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob AusteinUNIX servers)</A

49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence></DT

49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence><DT

49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence>7.3. <A

49a2cf8f211213712d452287ae8e121cf59e3178David Lawrence>Dynamic Update Security</A

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews></DT

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews></DL

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews></DIV

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews><DIV

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews><H1

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein><A

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>7.1. Access Control Lists</A

529ff4b4959fb157194f985394951108ff5286e4Brian Wellington></H1

a14613fce99dee3cad5bf842fd6be78f8e463582Brian Wellington><P

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>Access Control Lists (ACLs), are address match lists that

489b76292622f5bc18bf1a18845f8166a73bd797Brian Wellingtonyou can set up and nickname for future use in <B

60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein>allow-notify</B

bff8ac12a8c099257bdbf7d0c55d2d5b77591926Mark Andrews>,

bff8ac12a8c099257bdbf7d0c55d2d5b77591926Mark Andrews<B

fd837244be31850a764863688bce11df9ce972f4Andreas Gustafsson>allow-query</B

fd837244be31850a764863688bce11df9ce972f4Andreas Gustafsson>, <B

cffc2e06f906dd048af4cc27d487deb157f5a082Mark Andrews>allow-recursion</B

cffc2e06f906dd048af4cc27d487deb157f5a082Mark Andrews>,

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt<B

aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews>blackhole</B

43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews>, <B

43fe2897fc80bbec2115310ca79d432a252f3ea4Mark Andrews>allow-transfer</B

70e854766f5304f43e94212dc38ebaefe214148cMark Andrews>,

70e854766f5304f43e94212dc38ebaefe214148cMark Andrewsetc.</P

70e854766f5304f43e94212dc38ebaefe214148cMark Andrews><P

f02c22d58ac88777655e0b407b22b07864d39184Evan Hunt>Using ACLs allows you to have finer control over who can access

f02c22d58ac88777655e0b407b22b07864d39184Evan Huntyour nameserver, without cluttering up your config files with huge

f02c22d58ac88777655e0b407b22b07864d39184Evan Huntlists of IP addresses.</P

a44bf3209afdb58360a82cf42e653dee5e0d4f26Automatic Updater><P

a44bf3209afdb58360a82cf42e653dee5e0d4f26Automatic Updater>It is a <I

ce67023ae3ad39a77da5361d0187ab6f3f0219cbMark Andrews>good idea</I

ce67023ae3ad39a77da5361d0187ab6f3f0219cbMark Andrews> to use ACLs, and to

b5f6271f4daf1e54501af2cb7dd278d7e8003d65Mark Andrewscontrol access to your server. Limiting access to your server by

d878b8d87c3f46a25ccae9f5cfe6e39af67562e0Evan Huntoutside parties can help prevent spoofing and DoS attacks against

d878b8d87c3f46a25ccae9f5cfe6e39af67562e0Evan Huntyour server.</P

d878b8d87c3f46a25ccae9f5cfe6e39af67562e0Evan Hunt><P

9a97696b543b9957049a663b4f73245589c47921Mark Andrews>Here is an example of how to properly apply ACLs:</P

4417904b159f826f2009fd3453744057c0d9c82eMark Andrews><PRE

4417904b159f826f2009fd3453744057c0d9c82eMark Andrews>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,

43501e6570e9081d459fb5c1a81b73c2c53c5df0Mark Andrews// which is commonly used in spoofing attacks.

43501e6570e9081d459fb5c1a81b73c2c53c5df0Mark Andrewsacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

43501e6570e9081d459fb5c1a81b73c2c53c5df0Mark Andrews// Set up an ACL called our-nets. Replace this with the real IP numbers.

43501e6570e9081d459fb5c1a81b73c2c53c5df0Mark Andrewsacl our-nets { x.x.x.x/24; x.x.x.x/21; };

2b66a51a7d72e9cc07917fb583ad528b0539d2a3Mark Andrewsoptions {

2b66a51a7d72e9cc07917fb583ad528b0539d2a3Mark Andrews ...

2b66a51a7d72e9cc07917fb583ad528b0539d2a3Mark Andrews ...

8b56b8956fc1e6c70efacb4f71db28d0d1f0c577Mark Andrews allow-query { our-nets; };

8b56b8956fc1e6c70efacb4f71db28d0d1f0c577Mark Andrews allow-recursion { our-nets; };

8b56b8956fc1e6c70efacb4f71db28d0d1f0c577Mark Andrews ...

19d80ce5844e00a021643759adcbe27c11b485a0Witold Krecicki blackhole { bogusnets; };

19d80ce5844e00a021643759adcbe27c11b485a0Witold Krecicki ...

19d80ce5844e00a021643759adcbe27c11b485a0Witold Krecicki};

87708bde16713bc02ff2598f4a82f98c699a2f2dMark Andrewszone "example.com" {

87708bde16713bc02ff2598f4a82f98c699a2f2dMark Andrews type master;

87708bde16713bc02ff2598f4a82f98c699a2f2dMark Andrews file "m/example.com";

87708bde16713bc02ff2598f4a82f98c699a2f2dMark Andrews allow-query { any; };

87708bde16713bc02ff2598f4a82f98c699a2f2dMark Andrews};

87708bde16713bc02ff2598f4a82f98c699a2f2dMark Andrews</PRE

4e9775118dbf128dd296f01638733ba221f76c34Mark Andrews><P

4e9775118dbf128dd296f01638733ba221f76c34Mark Andrews>This allows recursive queries of the server from the outside

4e9775118dbf128dd296f01638733ba221f76c34Mark Andrewsunless recursion has been previously disabled.</P

5b02fc32d693bb811199308a40143df0adf818c1Mark Andrews><P

5b02fc32d693bb811199308a40143df0adf818c1Mark Andrews>For more information on how to use ACLs to protect your server,

5b02fc32d693bb811199308a40143df0adf818c1Mark Andrewssee the <I

5b02fc32d693bb811199308a40143df0adf818c1Mark Andrews>AUSCERT</I

5b02fc32d693bb811199308a40143df0adf818c1Mark Andrews> advisory at

5b02fc32d693bb811199308a40143df0adf818c1Mark Andrews<A

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn></P

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn></DIV

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn><DIV

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn><H1

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn><A

a16f42441a0bdfc911aafe841a975af55181f2f0Mukund Sivaraman>7.2. <B

a16f42441a0bdfc911aafe841a975af55181f2f0Mukund Sivaraman>chroot</B

d1dbf6b20fdcfa95acd75cdb96fcd57067a31144Mukund Sivaraman> and <B

d1dbf6b20fdcfa95acd75cdb96fcd57067a31144Mukund Sivaraman>setuid</B

9935447b51456f598b45246d0114b8006049244dMark Andrews> (for

9935447b51456f598b45246d0114b8006049244dMark AndrewsUNIX servers)</A

9935447b51456f598b45246d0114b8006049244dMark Andrews></H1

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt><P

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt>On UNIX servers, it is possible to run <SPAN

c0a76b3c0b42a110e14eb56103973944900400c4Mark Andrews>BIND</SPAN

c0a76b3c0b42a110e14eb56103973944900400c4Mark Andrews> in a <I

aa5b977943f9ee38241c804484cd84fafec6ff2bMark Andrews>chrooted</I

aa5b977943f9ee38241c804484cd84fafec6ff2bMark Andrews> environment

aa5b977943f9ee38241c804484cd84fafec6ff2bMark Andrews(<B

64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington>chroot()</B

64b92523f9333ba053f4b2860335583be455b0b3Brian Wellington>) by specifying the "<TT

aa5b977943f9ee38241c804484cd84fafec6ff2bMark Andrews>-t</TT

aa5b977943f9ee38241c804484cd84fafec6ff2bMark Andrews>"

aa5b977943f9ee38241c804484cd84fafec6ff2bMark Andrewsoption. This can help improve system security by placing <SPAN

aa5b977943f9ee38241c804484cd84fafec6ff2bMark Andrews>BIND</SPAN

b66b333f59cf51ef87f973084a5023acd9317fb2Evan Hunt> in

b66b333f59cf51ef87f973084a5023acd9317fb2Evan Hunta "sandbox," which will limit the damage done if a server is compromised.</P

b66b333f59cf51ef87f973084a5023acd9317fb2Evan Hunt><P

2a1860ad83294da4abe34a72bdb6f5a28b87f2efMark Andrews>Another useful feature in the UNIX version of <SPAN

2a1860ad83294da4abe34a72bdb6f5a28b87f2efMark Andrews>BIND</SPAN

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn> is the

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburnability to run the daemon as a nonprivileged user ( <TT

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn>-u</TT

294ef74e5ad68d898207c4fb36d8b18d526a11f6Curtis Blackburn> <TT

9a97696b543b9957049a663b4f73245589c47921Mark Andrews><I

9a97696b543b9957049a663b4f73245589c47921Mark Andrews>user</I

9a97696b543b9957049a663b4f73245589c47921Mark Andrews></TT

aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark Andrews> ).

aaaf8d4f4873d21e55c3ffb4f656203d08339865Mark AndrewsWe suggest running as a nonprivileged user when using the <B

9a97696b543b9957049a663b4f73245589c47921Mark Andrews>chroot</B

9a97696b543b9957049a663b4f73245589c47921Mark Andrews> feature.</P

9a97696b543b9957049a663b4f73245589c47921Mark Andrews><P

b5252fcde512405a68dd4becfe683d9763bd0feaMukund Sivaraman>Here is an example command line to load <SPAN

b5252fcde512405a68dd4becfe683d9763bd0feaMukund Sivaraman>BIND</SPAN

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews> in a <B

a5d43b72413db3edd6b36a58f9bdf2cf6ff692f2Bob Halley>chroot()</B

0906df5e2937cb2dd0a937676c5dbb661a45cb48Tinderbox User> sandbox,

0906df5e2937cb2dd0a937676c5dbb661a45cb48Tinderbox User<B

d8f2dd46cba3a16c2433e85657a5b15543013ca6Mark Andrews>/var/named</B

d8f2dd46cba3a16c2433e85657a5b15543013ca6Mark Andrews>, and to run <B

d8f2dd46cba3a16c2433e85657a5b15543013ca6Mark Andrews>named</B

d8f2dd46cba3a16c2433e85657a5b15543013ca6Mark Andrews> <B

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Hunt>setuid</B

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Hunt> to

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Huntuser 202:</P

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Hunt><P

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Hunt><TT

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Hunt><B

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Hunt>/usr/local/bin/named -u 202 -t /var/named</B

501941f0b6cce74c2ff75b10aff3f230d5d37e4cEvan Hunt></TT

8bcd80824c51c802c2927236b012cd526f569b04Mark Andrews></P

8bcd80824c51c802c2927236b012cd526f569b04Mark Andrews><DIV

1831311ac6179951c8fcca75aa29dc2f5c0218b9Francis Dupont><H2

1831311ac6179951c8fcca75aa29dc2f5c0218b9Francis Dupont><A

289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews>7.2.1. The <B

71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt>chroot</B

71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt> Environment</A

71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt></H2

289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews><P

289ae548d52bc8f982d9823af64cafda7bd92232Mark Andrews>In order for a <B

71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt>chroot()</B

71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Hunt> environment to

71bd858d8ed62672e7c23999dc7c02fd16a55089Evan Huntwork properly in a particular directory

1831311ac6179951c8fcca75aa29dc2f5c0218b9Francis Dupont(for example, <TT

70be3889746884692aa49939833d624ddd432bf0Mark Andrews>/var/named</TT

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews>),

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrewsyou will need to set up an environment that includes everything

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<SPAN

feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt>BIND</SPAN

feb067b25a8e33db62e2a7bf2e83bbb7f6eee845Evan Hunt> needs to run.

8a9bac8dec81997fec38fb880dc81b41eb026c27Mark AndrewsFrom <SPAN

8a9bac8dec81997fec38fb880dc81b41eb026c27Mark Andrews>BIND</SPAN

3a7b1fb32a27df5326f7fea318f68703c0de7e2eMark Andrews>'s point of view, <TT

3a7b1fb32a27df5326f7fea318f68703c0de7e2eMark Andrews>/var/named</TT

a20996ab6ff2be473b85470fddd2380a3e180e7bMark Andrews> is

a20996ab6ff2be473b85470fddd2380a3e180e7bMark Andrewsthe root of the filesystem. You will need to adjust the values of options like

a20996ab6ff2be473b85470fddd2380a3e180e7bMark Andrewslike <B

a20996ab6ff2be473b85470fddd2380a3e180e7bMark Andrews>directory</B

a20996ab6ff2be473b85470fddd2380a3e180e7bMark Andrews> and <B

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews>pid-file</B

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews> to account

0415ca35ada2cac6a86127eaca64f3a997aea121Evan Huntfor this.

0415ca35ada2cac6a86127eaca64f3a997aea121Evan Hunt</P

0415ca35ada2cac6a86127eaca64f3a997aea121Evan Hunt><P

9a97696b543b9957049a663b4f73245589c47921Mark Andrews>&#13;Unlike with earlier versions of BIND, you will typically

9a97696b543b9957049a663b4f73245589c47921Mark Andrews<I

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews>not</I

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews> need to compile <B

d5518bf5bc1830f89f411288f39c5c9e6eb7511cMark Andrews>named</B

d5518bf5bc1830f89f411288f39c5c9e6eb7511cMark Andrews>

d5518bf5bc1830f89f411288f39c5c9e6eb7511cMark Andrewsstatically nor install shared libraries under the new root.

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark AndrewsHowever, depending on your operating system, you may need

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrewsto set up things like

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<TT

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews>/dev/zero</TT

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews>,

23ac30603a7639bea1d331537634b079b046b122Mark Andrews<TT

23ac30603a7639bea1d331537634b079b046b122Mark Andrews>/dev/random</TT

6fa84a3e255ef9e6233f0a8d134fc6d273f04599Evan Hunt>,

6fa84a3e255ef9e6233f0a8d134fc6d273f04599Evan Hunt<TT

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews>/dev/log</TT

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews>, and/or

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews<TT

c870001ae1bff0e38f622c4ed56872c7f1d2d336Mark Andrews>/etc/localtime</TT

c870001ae1bff0e38f622c4ed56872c7f1d2d336Mark Andrews>.

186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews</P

186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews></DIV

186e7f37c9fc985a7a7264cc8170e48a25bed434Mark Andrews><DIV

5c00d1c90030a311d2700970fa7cffc8f828a48cBob Halley><H2

850b5e80930907e4747347201dc41e4d04e036f8Mark Andrews><A

850b5e80930907e4747347201dc41e4d04e036f8Mark Andrews>7.2.2. Using the <B

850b5e80930907e4747347201dc41e4d04e036f8Mark Andrews>setuid</B

5c00d1c90030a311d2700970fa7cffc8f828a48cBob Halley> Function</A

c174d5c13c03dd59283243e3fd5461d41140a798Evan Hunt></H2

c174d5c13c03dd59283243e3fd5461d41140a798Evan Hunt><P

c174d5c13c03dd59283243e3fd5461d41140a798Evan Hunt>Prior to running the <B

801707fe19600313a0b1f7845a518100f69e58b6Evan Hunt>named</B

801707fe19600313a0b1f7845a518100f69e58b6Evan Hunt> daemon, use

cae2cb086244dfb883739edbe79e34756079f70eMark Andrewsthe <B

cae2cb086244dfb883739edbe79e34756079f70eMark Andrews>touch</B

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews> utility (to change file access and

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrewsmodification times) or the <B

5506903c9215faf42586307c2288942fd804c579Evan Hunt>chown</B

5506903c9215faf42586307c2288942fd804c579Evan Hunt> utility (to

5506903c9215faf42586307c2288942fd804c579Evan Huntset the user id and/or group id) on files

9935447b51456f598b45246d0114b8006049244dMark Andrewsto which you want <SPAN

9935447b51456f598b45246d0114b8006049244dMark Andrews>BIND</SPAN

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews>

fd837244be31850a764863688bce11df9ce972f4Andreas Gustafssonto write. Note that if the <B

62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews>named</B

62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrews> daemon is running as a

62ec9fd1681ffae7d6b0d54618599ecf650e3100Mark Andrewsnonprivileged user, it will not be able to bind to new restricted ports if the

98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Huntserver is reloaded.</P

98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt></DIV

98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt></DIV

b123b265e3a3d9b72a14230b6517e0f6fdb5c5b5Mark Andrews><DIV

b123b265e3a3d9b72a14230b6517e0f6fdb5c5b5Mark Andrews><H1

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont><A

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont>7.3. Dynamic Update Security</A

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont></H1

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont><P

98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt>Access to the dynamic

98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Huntupdate facility should be strictly limited. In earlier versions of

98922b2b2b024dcca25be7c220cf3b16b1e6c4b5Evan Hunt<SPAN

9fffc937a9d0ba8f6c08f7502763f5d3107259c4Mark Andrews>BIND</SPAN

9fffc937a9d0ba8f6c08f7502763f5d3107259c4Mark Andrews> the only way to do this was based on the IP

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Huntaddress of the host requesting the update, by listing an IP address or

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Huntnetwork prefix in the <B

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont>allow-update</B

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont> zone option.

78608b0a454246d0e1e0169f1d671b8427e48199Francis DupontThis method is insecure since the source address of the update UDP packet

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupontis easily forged. Also note that if the IP addresses allowed by the

78608b0a454246d0e1e0169f1d671b8427e48199Francis Dupont<B

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt>allow-update</B

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Hunt> option include the address of a slave

ba751492fcc4f161a18b983d4f018a1a52938cb9Evan Huntserver which performs forwarding of dynamic updates, the master can be

8cbf3b6fc35091abde426930f2eadb8f53476c98Evan Hunttrivially attacked by sending the update to the slave, which will

8cbf3b6fc35091abde426930f2eadb8f53476c98Evan Huntforward it to the master with its own source IP address causing the

8cbf3b6fc35091abde426930f2eadb8f53476c98Evan Huntmaster to approve it without question.</P

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Hunt><P

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Hunt>For these reasons, we strongly recommend that updates be

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Huntcryptographically authenticated by means of transaction signatures

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Hunt(TSIG). That is, the <B

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Hunt>allow-update</B

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Hunt> option should

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Huntlist only TSIG key names, not IP addresses or network

8b9c4592ed718c4187971f1104381faf538bf4f7Evan Huntprefixes. Alternatively, the new <B

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews>update-policy</B

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews>

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrewsoption can be used.</P

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews><P

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews>Some sites choose to keep all dynamically updated DNS data

1d32b1df372d6be6bac6450739b9e5ea23819995Evan Huntin a subdomain and delegate that subdomain to a separate zone. This

1d32b1df372d6be6bac6450739b9e5ea23819995Evan Huntway, the top-level zone containing critical data such as the IP addresses

1d32b1df372d6be6bac6450739b9e5ea23819995Evan Huntof public web and mail servers need not allow dynamic update at

2a1860ad83294da4abe34a72bdb6f5a28b87f2efMark Andrewsall.</P

2a1860ad83294da4abe34a72bdb6f5a28b87f2efMark Andrews></DIV

2a1860ad83294da4abe34a72bdb6f5a28b87f2efMark Andrews></DIV

2a1860ad83294da4abe34a72bdb6f5a28b87f2efMark Andrews><DIV

2a1860ad83294da4abe34a72bdb6f5a28b87f2efMark Andrews><HR

31b7a2fed64e388db772a74742a4adc95d1a21e6Mark AndrewsWIDTH="100%"><TABLE

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews><TR

03152360db6fcb0fcc95fa63c20c5c829c95f1f6Mark Andrews><TD

38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt><A

38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt>Prev</A

38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt></TD

cae2cb086244dfb883739edbe79e34756079f70eMark Andrews><TD

38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt><A

38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt>Home</A

38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt></TD

38cd4d14cc341c2663e574035074788bb6f0fce2Evan Hunt><TD

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews><A

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews>Next</A

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews></TD

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews></TR

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews><TR

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews><TD

dc2a0aa7aaa8b85398ae183c7274c0eeec5009afMark Andrews><SPAN

101a7960b7989a18d873f3302b3b2415aeafb108Mark Andrews>BIND</SPAN

101a7960b7989a18d873f3302b3b2415aeafb108Mark Andrews> 9 Configuration Reference</TD

101a7960b7989a18d873f3302b3b2415aeafb108Mark Andrews><TD

5506903c9215faf42586307c2288942fd804c579Evan Hunt>&nbsp;</TD

5506903c9215faf42586307c2288942fd804c579Evan Hunt><TD

2b50e0d877db0d668f363d50914232f82ad8c454Mark Andrews>Troubleshooting</TD

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews></TR

f8727bd90366af835f551da1b5e1fdfcd2d3d01fBrian Wellington></TABLE

f8727bd90366af835f551da1b5e1fdfcd2d3d01fBrian Wellington></DIV

f54d0c9c6e65de367d4ef08f51d22a2fb4c56208Mark Andrews></BODY

f8727bd90366af835f551da1b5e1fdfcd2d3d01fBrian Wellington></HTML

134ba0e08a0ae9a564a8d8628fc633377d3fc239Bob Halley>