Bv9ARM.ch07.html revision cedb0bd0c1e3c461b7e479a16d3adfd5b150f1f4
<!--
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 - Copyright (C) 2000-2003 Internet Software Consortium.
 - Permission to use, copy, modify, and distribute this software for any
 - purpose with or without fee is hereby granted, provided that the above
 - copyright notice and this permission notice appear in all copies.
 - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
 - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
 - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
 - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
 - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
 - PERFORMANCE OF THIS SOFTWARE.
-->
<!-- $Id: Bv9ARM.ch07.html,v 1.108 2005/10/13 03:14:04 marka Exp $ -->
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
<title>Chapter&nbsp;7.&nbsp;BIND 9 Security Considerations</title>
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter&nbsp;6.&nbsp;BIND 9 Configuration Reference">
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter&nbsp;8.&nbsp;Troubleshooting">
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
<tr><th colspan="3" align="center">Chapter&nbsp;7.&nbsp;<span class="acronym">BIND</span> 9 Security Considerations</th></tr>
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>&nbsp;</td>
<td width="20%" align="right">&nbsp;<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
<div class="titlepage"><div><div><h2 class="title">
<a name="Bv9ARM.ch07"></a>Chapter&nbsp;7.&nbsp;<span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2572720"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2572795">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2572923">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>
and the other options that take an address match list.
Using ACLs allows you to have finer control over who can access
your name server, without cluttering up your config files with huge
lists of IP addresses.
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and DoS attacks against it,
and keeps a recursive server from being used as an open reflector by third parties.
Here is an example of how to properly apply ACLs:
<pre class="programlisting">
// Set up an ACL named "bogusnets" that will block RFC1918 space
// and some reserved space, which is commonly used in spoofing attacks.
acl bogusnets {
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  blackhole { bogusnets; };
};
zone "example.com" {
  type master;
  file "example.com.zone";   // placeholder; relative to the "directory" option
  allow-query { any; };
};
</pre>
With this configuration anyone may query the authoritative zone,
because a zone-level <span><strong class="command">allow-query</strong></span> overrides the global one for
that zone only, while queries for anything else, and recursive service,
are restricted to our-nets by the options-level
<span><strong class="command">allow-query</strong></span> and <span><strong class="command">allow-recursion</strong></span>.
Note that the blackhole list above was written when 1.0.0.0/8 and 2.0.0.0/8 were
still unallocated; both have since been assigned by IANA to regional registries
and carry production traffic, so check a current bogon list rather than copying
this one verbatim. Likewise, do not blackhole RFC 1918 space on a server whose
own clients use private addresses.
For more information on how to use ACLs to protect your server,
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
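The following Python is an added illustration, not code from BIND or from this manual. It evaluates address match lists with the same first-match rule <span><strong class="command">named</strong></span> applies (a leading <code>!</code> negates an element, and a nested ACL only counts when it matches positively), then runs the configuration above through it. The prefixes 198.51.100.0/24 and 203.0.113.0/24 are assumed stand-ins for the <code>x.x.x.x</code> placeholders in our-nets, and the functions <code>match_list</code>, <code>allowed</code> and <code>decide</code> and their result strings are this example's own.

```python
"""Address-match-list evaluator with BIND's first-match semantics.

Added illustration, not code from BIND.  The lists below are constructed
from the ACL example in this chapter, with RFC 5737 documentation prefixes
standing in (assumption) for the x.x.x.x placeholders of our-nets.
"""
import ipaddress

ACLS = {
    "bogusnets": ["0.0.0.0/8", "1.0.0.0/8", "2.0.0.0/8", "192.0.2.0/24",
                  "224.0.0.0/3", "10.0.0.0/8", "172.16.0.0/12",
                  "192.168.0.0/16"],
    "our-nets": ["198.51.100.0/24", "203.0.113.0/24"],   # assumed placeholders
}
OPTIONS = {                      # options { ... } in named.conf
    "blackhole": ["bogusnets"],
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
}
ZONE_ALLOW_QUERY = ["any"]       # zone-level allow-query { any; }


def match_list(client, elements, acls):
    """Return 1 for a positive match, -1 for a negative match, 0 for none.

    Elements are checked in order and the first one that matches decides,
    like an address_match_list in named.conf.  A leading '!' negates an
    element.  A nested ACL counts only when it matches positively; a
    negative match inside it is treated as no match, so a negated nested
    ACL can never turn into a positive match by double negation (this is
    what named's dns_acl_match() does).
    """
    addr = ipaddress.ip_address(client)
    for element in elements:
        negated = element.startswith("!")
        name = element.lstrip("!").strip()
        if name == "any":
            hit = True
        elif name == "none":            # BIND defines none as { !any; }
            hit = False
        elif name in acls:
            hit = match_list(client, acls[name], acls) > 0
        else:
            net = ipaddress.ip_network(name, strict=False)
            hit = addr.version == net.version and addr in net
        if hit:
            return -1 if negated else 1
    return 0


def allowed(client, elements, acls=ACLS):
    """Access-control interpretation: only a positive match grants access."""
    return match_list(client, elements, acls) > 0


def decide(client, for_authoritative_zone=False):
    """Outcome of a query from `client` under the chapter's configuration.

    blackhole is consulted first and drops the packet silently.  For a name
    in a zone that carries its own allow-query, the zone-level list replaces
    the global one; otherwise the global allow-query applies and
    allow-recursion decides whether recursive service is offered.
    """
    if allowed(client, OPTIONS["blackhole"]):
        return "dropped by blackhole"
    query_list = ZONE_ALLOW_QUERY if for_authoritative_zone else OPTIONS["allow-query"]
    if not allowed(client, query_list):
        return "REFUSED"
    if for_authoritative_zone:
        return "answered from authoritative data"
    if allowed(client, OPTIONS["allow-recursion"]):
        return "recursive service"
    return "answered without recursion"


if __name__ == "__main__":
    for client, zone in [("198.51.100.7", False), ("203.0.113.9", True),
                         ("192.0.2.10", True), ("1.1.1.1", True),
                         ("8.8.8.8", False), ("8.8.8.8", True)]:
        print(f"{client:14} zone={zone!s:5} -> {decide(client, zone)}")
    # Order matters: an exception must come before the prefix it carves out.
    print(allowed("192.0.2.1", ["!192.0.2.1", "192.0.2.0/24"], {}))   # False
    print(allowed("192.0.2.1", ["192.0.2.0/24", "!192.0.2.1"], {}))   # True
```

The <code>1.1.1.1</code> case shows the bogon caveat concretely: with the list as written, a client on that prefix is dropped before any other option is consulted.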
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="id2572720"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span></h2></div></div></div>
On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment
(<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>"
option. This can help improve system security by placing <span class="acronym">BIND</span> in
a "sandbox", which will limit the damage done if a server is
compromised.
Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the
ability to run the daemon as an unprivileged user (<code class="option">-u</code> <em class="replaceable"><code>user</code></em>).
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature:
a chroot on its own does not contain a process that is still running as root,
since root can break out of it.
Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox,
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
user 202:
<strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572795"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
In order for a <span><strong class="command">chroot()</strong></span> environment to
work properly in a particular directory
(for example, <code class="filename">/var/named</code>),
you will need to set up an environment that includes everything
<span><strong class="command">named</strong></span> needs to run.
From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is
the root of the filesystem. You will need to adjust the values of
options like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
for this. <span><strong class="command">named</strong></span> changes root before it reads its
configuration file, so every path it sees, including the configuration file itself,
is relative to the new root: with <code class="option">-t /var/named</code>,
<span><strong class="command">directory "/var/named"</strong></span> refers to
<code class="filename">/var/named/var/named</code> on the host.
Unlike with earlier versions of BIND, you will typically
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
statically nor install shared libraries under the new root.
However, depending on your operating system, you may need
to set up things like device nodes (<code class="filename">/dev/null</code>,
<code class="filename">/dev/random</code>), a syslog socket (<code class="filename">/dev/log</code>)
and <code class="filename">/etc/localtime</code> inside the new root.
<div class="titlepage"><div><div><h3 class="title">
<a name="id2572923"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
Prior to running the <span><strong class="command">named</strong></span> daemon, use
the <span><strong class="command">touch</strong></span> utility (to change file
modification times) or the <span><strong class="command">chown</strong></span> utility (to set
the user and group IDs) on files to which you want <span class="acronym">BIND</span>
to write, such as slave zone files, journals and the pid file. The configuration
file itself should stay owned by root and be read-only for the unprivileged user,
so that a compromised <span><strong class="command">named</strong></span> cannot rewrite its own configuration.
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
unprivileged user, it will not be able to bind to new restricted
ports if the server is reloaded. On Linux, a <span><strong class="command">named</strong></span> built with
libcap retains <code class="option">CAP_NET_BIND_SERVICE</code> after dropping root, so this
limitation mainly affects other systems.
</div>
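As an added illustration covering both the chroot layout and the ownership rules above (not code from BIND), the following Python script builds a skeleton chroot and checks the things that commonly go wrong: a <code>directory</code> or <code>pid-file</code> path resolving to the wrong host location, missing device nodes, a working directory the <span><strong class="command">named</strong></span> uid cannot write, or a <code>named.conf</code> it can. The layout (<code>etc/</code>, <code>dev/</code>, <code>var/run/</code>, <code>var/named/</code> under the new root), the uid and the list of device nodes are assumptions based on the example command line; device numbers and file locations differ between systems, so adapt the constants to yours.

```python
"""Checks for a named chroot tree and for the uid it will run as.

Added illustration, not part of BIND.  Layout, uid and device-node list
are assumptions taken from the chapter's example (-t /var/named -u 202).
"""
import os
import stat
import tempfile

# Entries expected inside the new root (assumption: a typical Linux/BSD
# layout).  Device nodes must be created with mknod as root; their
# major/minor numbers vary by operating system, so that step is left to
# the administrator.
CHAR_DEVICES = ["dev/null", "dev/random"]
CONFIG = "etc/named.conf"
LOCALTIME = "etc/localtime"   # optional; without it log timestamps are UTC


def host_path(root, conf_path):
    """Host location of a path as written in named.conf or on the command line.

    named chroots before reading its configuration, so every path it sees
    is relative to `root`: directory "/var/named" with -t /var/named means
    /var/named/var/named on the host.
    """
    return os.path.join(root, conf_path.lstrip("/"))


def writable_by(path, uid):
    """True if `uid` can write `path` via the owner or world bits (groups ignored)."""
    st = os.stat(path)
    return bool((st.st_uid == uid and st.st_mode & stat.S_IWUSR)
                or st.st_mode & stat.S_IWOTH)


def check_chroot(root, named_uid, directory="/var/named",
                 pid_file="/var/run/named.pid"):
    """Return a sorted list of problems; an empty list means the tree is usable."""
    problems = []
    if named_uid == 0:
        problems.append("named_uid is 0: run with -u so a compromise does not yield root")
    for rel in CHAR_DEVICES:
        p = host_path(root, rel)
        if not os.path.exists(p):
            problems.append(f"missing device node {rel}")
        elif not stat.S_ISCHR(os.stat(p).st_mode):
            problems.append(f"{rel} is not a character device")
    conf = host_path(root, CONFIG)
    if not os.path.isfile(conf):
        problems.append(f"missing {CONFIG}")
    elif writable_by(conf, named_uid):
        problems.append(f"{CONFIG} is writable by uid {named_uid}")
    if not os.path.isfile(host_path(root, LOCALTIME)):
        problems.append(f"missing {LOCALTIME} (log timestamps will be UTC)")
    workdir = host_path(root, directory)
    if not os.path.isdir(workdir):
        problems.append(f'directory "{directory}" resolves to {workdir}, which does not exist')
    elif not writable_by(workdir, named_uid):
        problems.append(f"{workdir} is not writable by uid {named_uid} (journals, slave zones)")
    pid_dir = os.path.dirname(host_path(root, pid_file))
    if not os.path.isdir(pid_dir):
        problems.append(f'pid-file "{pid_file}" needs {pid_dir} to exist')
    elif not writable_by(pid_dir, named_uid):
        problems.append(f"{pid_dir} is not writable by uid {named_uid}")
    return sorted(problems)


def build_skeleton(root, named_uid, directory="/var/named",
                   pid_file="/var/run/named.pid"):
    """Create the directories and a read-only placeholder named.conf under `root`.

    Ownership is handed to `named_uid` only when running as root; device
    nodes are left for the administrator (see CHAR_DEVICES).
    """
    for rel in ["etc", "dev", directory, os.path.dirname(pid_file)]:
        os.makedirs(host_path(root, rel), mode=0o755, exist_ok=True)
    for rel in (directory, os.path.dirname(pid_file)):
        p = host_path(root, rel)
        os.chmod(p, 0o750)             # named writes here, nobody else reads
        if os.geteuid() == 0:
            os.chown(p, named_uid, -1)
    conf = host_path(root, CONFIG)
    if not os.path.exists(conf):
        with open(conf, "w") as f:     # placeholder configuration (assumption)
            f.write(f'options {{ directory "{directory}"; pid-file "{pid_file}"; }};\n')
        os.chmod(conf, 0o444)          # readable by named, writable by nobody
    return conf


def demo():
    """Build a skeleton in a temporary root, check it, then break it and recheck."""
    uid = os.getuid() or 1000          # when run as root, pretend named's uid is 1000
    root = tempfile.mkdtemp(prefix="named-chroot-")
    build_skeleton(root, uid)
    before = check_chroot(root, uid)
    os.chmod(host_path(root, CONFIG), 0o646)            # world-writable config
    open(host_path(root, "dev/null"), "w").close()      # a regular file, not a device
    after = check_chroot(root, uid)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("skeleton:", *before, sep="\n  ")
    print("broken:", *after, sep="\n  ")
```

Run as an ordinary user the skeleton check reports only the device nodes and <code>localtime</code> that the script deliberately does not create; the second check shows how a world-writable configuration and a plain file masquerading as <code>/dev/null</code> are caught.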
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
Access to the dynamic
update facility should be strictly limited. In earlier versions of
<span class="acronym">BIND</span> the only way to do this was
based on the IP
address of the host requesting the update, by listing an IP address
network prefix in the <span><strong class="command">allow-update</strong></span>
zone option.
This method is insecure since the source address of the update UDP packet
is easily forged, and a forged update needs no reply to take effect.
<span class="acronym">BIND</span> 9 therefore also accepts <span><strong class="command">key</strong></span>
elements in <span><strong class="command">allow-update</strong></span>, so that updates can be
authenticated with a TSIG key rather than by source address.
Also note that if the IP addresses allowed by the
<span><strong class="command">allow-update</strong></span> option include the
address of a slave