Bv9ARM.ch07.html revision d893c6248414d34d434a63216eaa5bd1fbec4ca4
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Copyright (C) 2004-2010 Internet Systems Consortium, Inc. ("ISC")
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - Copyright (C) 2000-2003 Internet Software Consortium.
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - Permission to use, copy, modify, and/or distribute this software for any
5347c0fcb04eaea19d9f39795646239f487c6207Tinderbox User - purpose with or without fee is hereby granted, provided that the above
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - copyright notice and this permission notice appear in all copies.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein - PERFORMANCE OF THIS SOFTWARE.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<!-- $Id: Bv9ARM.ch07.html,v 1.233 2010/12/09 01:14:11 tbox Exp $ -->
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<title>Chapter�7.�BIND 9 Security Considerations</title>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="titlepage"><div><div><h2 class="title">
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
2b4d1b54f6ca406b8233d9e6fea9593df6dad035Tinderbox User<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2601700"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601917">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2601977">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
af40ebed6257e4ac1996144530b3de317cf4da11Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater Access Control Lists (ACLs) are address match lists that
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Using ACLs allows you to have finer control over who can access
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User your name server, without cluttering up your config files with huge
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User lists of IP addresses.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
6f64d4ab8e68f9b2333bcbfc755396d29a4a9d7cAutomatic Updater control access to your server. Limiting access to your server by
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt outside parties can help prevent spoofing and denial of service (DoS) attacks against
bbbf2e27d3a981163dab139497d6b2dc85449db0Tinderbox User Here is an example of how to properly apply ACLs:
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User// Set up an ACL named "bogusnets" that will block
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User// RFC1918 space and some reserved space, which is
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User// commonly used in spoofing attacks.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox Useracl bogusnets {
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
44d0f0256fbdce130a18655023c3b06bacacbd61Automatic Updater// Set up an ACL called our-nets. Replace this with the
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User// real IP numbers.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User allow-query { our-nets; };
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User allow-recursion { our-nets; };
260e8e04b0dc24cb884c789b5d9eb046457f264eTinderbox User blackhole { bogusnets; };
983df82baf1d7d0b668c98cf45928a19f175c6e7Tinderbox User allow-query { any; };
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This allows recursive queries of the server from the outside
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein unless recursion has been previously disabled.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein For more information on how to use ACLs to protect your server,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<div class="titlepage"><div><div><h2 class="title" style="clear: both">
71c66a876ecca77923638d3f94cc0783152b2f03Mark Andrews<a name="id2601700"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in a <span class="emphasis"><em>chrooted</em></span> environment (using
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the <span><strong class="command">chroot()</strong></span> function) by specifying
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User This can help improve system security by placing
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
dec590a3deb8e87380a8bd3a77d535dba3729bf6Tinderbox User the damage done if a server is compromised.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
5a4557e8de2951a2796676b5ec4b6a90caa5be14Mark Andrews We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h3 class="title">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<a name="id2601917"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
acb72d5e2c83b597332e3eb0c7d59e1142f1adfdMark Andrews In order for a <span><strong class="command">chroot</strong></span> environment
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt work properly in a particular directory
852ccdd42a71550c974111b49415204ffeca6573Automatic Updater (for example, <code class="filename">/var/named</code>),
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User you will need to set up an environment that includes everything
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <acronym class="acronym">BIND</acronym> needs to run.
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
3cddb2c552ee6582e8db0849c28747f6b6ca57feAutomatic Updater the root of the filesystem. You will need to adjust the values of
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt options like
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater Unlike with earlier versions of BIND, you typically will
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt statically nor install shared libraries under the new root.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt However, depending on your operating system, you may need
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater to set up things like
66f25f2ceeb589e67efe7af2413baaa3426b0042Automatic Updater <code class="filename">/dev/random</code>,
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User <code class="filename">/etc/localtime</code>.
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater<div class="titlepage"><div><div><h3 class="title">
38417cbfb1a328c20b5b723b8584a02c57f88897Automatic Updater<a name="id2601977"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User Prior to running the <span><strong class="command">named</strong></span> daemon,
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein the <span><strong class="command">touch</strong></span> utility (to change file
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein modification times) or the <span><strong class="command">chown</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein to which you want <acronym class="acronym">BIND</acronym>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein Note that if the <span><strong class="command">named</strong></span> daemon is running as an
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User unprivileged user, it will not be able to bind to new restricted
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein ports if the server is reloaded.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<div class="titlepage"><div><div><h2 class="title" style="clear: both">
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater Access to the dynamic
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater update facility should be strictly limited. In earlier versions of
3a5fe5abf08f16b8d31ab8ee9a788063110ef000Automatic Updater <acronym class="acronym">BIND</acronym>, the only way to do this was
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein based on the IP
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User address of the host requesting the update, by listing an IP address
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein network prefix in the <span><strong class="command">allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein zone option.
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein This method is insecure since the source address of the update UDP
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User is easily forged. Also note that if the IP addresses allowed by the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein <span><strong class="command">allow-update</strong></span> option include the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein address of a slave
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein server which performs forwarding of dynamic updates, the master can
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User trivially attacked by sending the update to the slave, which will
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein forward it to the master with its own source IP address causing the
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein master to approve it without question.
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt For these reasons, we strongly recommend that updates be
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein cryptographically authenticated by means of transaction signatures
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein option should
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User list only TSIG key names, not IP addresses or network
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt option can be used.
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User Some sites choose to keep all dynamically-updated DNS data
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt in a subdomain and delegate that subdomain to a separate zone. This
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein way, the top-level zone containing critical data such as the IP
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User of public web and mail servers need not allow dynamic update at
794b79e6bbc3f5db1ea6ae154d739b9f1ef1a375Tinderbox User<table width="100%" summary="Navigation footer">
fd2597f75693a2279fdf588bd40dfe2407c42028Tinderbox User<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
14a656f94b1fd0ababd84a772228dfa52276ba15Evan Hunt<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
60e5e10f8d2e2b0c41e8abad38cacd867caa6ab2Rob Austein<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>