<!--
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 -
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 -
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.176 2008/10/28 01:11:26 tbox Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
<div class="toc">
<dl>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2597645"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
<dd><dl>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2597722">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2597782">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
</dl></dd>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
</dl>
</div>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
<p>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
<span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
and <span><strong class="command">allow-update</strong></span> options.
</p>
<p>
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
</p>
<p>
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and denial of service (DoS) attacks against
your server.
</p>
<p>
Here is an example of how to properly apply ACLs:
</p>
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8;  1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  blackhole { bogusnets; };
};
zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</pre>
<p>
This allows recursive queries of the server from the outside
unless recursion has been previously disabled.
</p>
<p>
For more information on how to use ACLs to protect your server,
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
</p>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2597645"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></h2></div></div></div>
<p>
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
(using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
a "sandbox", which will limit the damage done if a server is
compromised.
</p>
<p>
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
</p>
<p>
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
user 202:
</p>
<pre class="screen"><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></pre>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2597722"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
<p>
In order for a <span><strong class="command">chroot</strong></span> environment
to work properly in a particular directory
(for example, <code class="filename">/var/named</code>),
you will need to set up an environment that includes everything
<acronym class="acronym">BIND</acronym> needs to run.
From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
the root of the filesystem. You will need to adjust the values of
options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
for this.
</p>
<p>
Unlike with earlier versions of BIND, you typically will
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up things like
</p>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2597782"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
<p>
Prior to running the <span><strong class="command">named</strong></span> daemon,
use the <span><strong class="command">touch</strong></span> utility (to change file
modification times) or the <span><strong class="command">chown</strong></span>
utility (to
to which you want <acronym class="acronym">BIND</acronym>
</p>
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
<h3 class="title">Note</h3>
<p>
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
unprivileged user, it will not be able to bind to new restricted
ports if the server is reloaded.
</p>
</div>
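<p>
As an added example (not from the manual), the path options for a <span><strong class="command">named</strong></span> started with the command line above, <code class="option">-t /var/named -u 202</code>: every path in <code class="filename">named.conf</code> is interpreted relative to the new root, so the host-side file is always <code class="filename">/var/named</code> plus the configured path, and the directories named must write to have to be owned by the <code class="option">-u</code> user. The directory layout and zone name are assumptions.
</p>

```conf
// Added example: /var/named/etc/named.conf as seen by a named started with
// "-t /var/named -u 202". The layout and uid 202 are assumptions taken from
// the command line in this chapter, not a layout the manual prescribes.
options {
    // chroot-relative; host path is /var/named/var/named
    directory "/var/named";
    // chroot-relative; host path is /var/named/var/run/named/named.pid
    // Make this directory owned by uid 202 so named, running as that user,
    // can create and later remove its pid file.
    pid-file "/var/run/named/named.pid";
    // Everything named writes needs a chroot-relative, uid-202-writable place.
    dump-file "/var/named/data/named_dump.db";
    statistics-file "/var/named/data/named.stats";
};
// Master zone files only need to be readable by uid 202; keep them
// unwritable so a compromised named cannot rewrite its own zone data.
// Only dynamically updated zones (and their .jnl journals) need a
// directory uid 202 can write to.
zone "example.com" {
    type master;
    // host path is /var/named/var/named/master/example.com
    file "master/example.com";
};
```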
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
<p>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<acronym class="acronym">BIND</acronym>, the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address or
network prefix in the <span><strong class="command">allow-update</strong></span>
zone option.
This method is insecure since the source address of the update UDP packet
is easily forged. Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the
address of a slave
server which performs forwarding of dynamic updates, the master can be
trivially attacked by sending the update to the slave, which will
forward it to the master with its own source IP address, causing the
master to approve it without question.
</p>
<p>
For these reasons, we strongly recommend that updates be
cryptographically authenticated by means of transaction signatures
(TSIG). That is, the <span><strong class="command">allow-update</strong></span>
option should
list only TSIG key names, not IP addresses or network
prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
option can be used.
</p>
<p>
Some sites choose to keep all dynamically-updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP
addresses of public web and mail servers need not allow dynamic update at
all.
</p>