Bv9ARM.ch07.html revision e0172ab8e2bf2fd2315f5c9b34cae8e013c71dda
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<TITLE>BIND 9 Security Considerations</TITLE>
<P>BIND 9 Administrator Reference Manual</P>
<H1 CLASS="chapter">Chapter 7. <ACRONYM CLASS="acronym">BIND</ACRONYM> 9 Security Considerations</H1>
<P><B>Table of Contents</B></P>
<DL>
<DT>7.1. <A HREF="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</A></DT>
<DT>7.2. <A HREF="Bv9ARM.ch07.html#AEN4810"><B CLASS="command">chroot</B> and <B CLASS="command">setuid</B> (for UNIX servers)</A></DT>
<DT>7.3. <A HREF="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</A></DT>
</DL>
<H1 CLASS="sect1"><A NAME="Access_Control_Lists">7.1. Access Control Lists</A></H1>
<P>Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in <B CLASS="command">allow-notify</B>, <B CLASS="command">allow-query</B>, <B CLASS="command">allow-recursion</B>, <B CLASS="command">blackhole</B>, <B CLASS="command">allow-transfer</B>, etc. An ACL is defined once with the <B CLASS="command">acl</B> statement and then referenced by name wherever an address match list is accepted.</P>
<P>Using ACLs gives you finer control over who can access your name server, without cluttering up your configuration files with huge lists of IP addresses.</P>
<P>It is a <SPAN CLASS="emphasis"><I CLASS="emphasis">good idea</I></SPAN> to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against your server: a resolver that answers recursive queries for anyone can be used to amplify traffic toward forged source addresses, and a server that accepts zone transfers from anyone leaks its zone contents.</P>
<P>Here is an example of how to properly apply ACLs:</P>
<PRE CLASS="programlisting">
// Set up an ACL named "bogusnets" that will block RFC 1918 space and other
// ranges that should never be a source address on the public Internet;
// spoofed packets commonly use them.
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  blackhole { bogusnets; };
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};
</PRE>
<P>This allows authoritative queries for "example.com" from any address, but recursive queries only from the networks listed in "our-nets": the zone-level <B CLASS="command">allow-query</B> overrides the global one for that zone, while the global <B CLASS="command">allow-recursion</B> still applies. Two caveats: <B CLASS="command">blackhole</B> discards all traffic from the listed addresses, so do not blackhole RFC 1918 space on a server whose own clients use it, and bogon lists go stale (1.0.0.0/8 and 2.0.0.0/8 have been allocated since this list was written), so check a current list before copying it.</P>
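<P>The configuration below is an added example, not part of the ARM or of BIND itself. It extends the listing above to the other ACL-taking options named at the start of this section (<B CLASS="command">allow-transfer</B> and <B CLASS="command">allow-notify</B>) and shows that address match lists are evaluated first-match, so a negated entry must precede the prefix it carves out of. The addresses, the zone names and the key "xfer-key" are placeholders chosen for illustration, and the secret shown is not a real key (generate one with <B CLASS="command">tsig-keygen</B> on current releases).</P>

```conf
// Added example (not from the BIND ARM): ACLs on a server that is
// authoritative for example.com and secondary for example.net.
// All addresses, names and the key secret are placeholders.

// Shared secret used to authenticate zone transfers.
key "xfer-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET=";
};

// Address match lists are checked first-match: the negated host must come
// before the prefix that would otherwise admit it.
acl our-nets    { !192.0.2.66; 192.0.2.0/24; 2001:db8:1::/48; };
acl primaries   { 203.0.113.1; 203.0.113.2; };
acl bogusnets   { 0.0.0.0/8; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 224.0.0.0/3; };

options {
    directory "/var/named";
    // Weak settings being replaced: older releases default to
    // allow-transfer { any; } and allow-recursion { any; }.
    allow-query     { our-nets; };   // default for zones that do not override
    allow-recursion { our-nets; };   // recursion only for our own clients
    allow-transfer  { none; };       // no transfers unless a zone allows them
    blackhole       { bogusnets; };  // drop packets from bogus sources
};

zone "example.com" {
    type master;
    file "m/example.com";
    allow-query    { any; };             // public authoritative data
    // A key name in a match list matches on the TSIG signature, not on the
    // source address, so an unsigned AXFR from a known IP is still refused.
    allow-transfer { key "xfer-key"; };
};

zone "example.net" {
    type slave;
    file "s/example.net";
    masters { 203.0.113.1 key "xfer-key"; };   // sign our own AXFR requests
    allow-notify { primaries; };              // NOTIFY accepted from the masters
                                              // list plus these addresses
    allow-query  { any; };
};
```

<P>Because match lists stop at the first element that matches, writing "192.0.2.0/24; !192.0.2.66;" would admit 192.0.2.66. Check the resulting file with <B CLASS="command">named-checkconf</B> before loading it.</P>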
<P>For more information on how to use ACLs to protect your server, see the <SPAN CLASS="emphasis"><I CLASS="emphasis">AUSCERT</I></SPAN> advisory at <A HREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A>.</P>
<H1 CLASS="sect1"><A NAME="AEN4810">7.2. <B CLASS="command">chroot</B> and <B CLASS="command">setuid</B> (for UNIX servers)</A></H1>
<P>On UNIX servers, it is possible to run <ACRONYM CLASS="acronym">BIND</ACRONYM> in a <SPAN CLASS="emphasis"><I CLASS="emphasis">chrooted</I></SPAN> environment (<B CLASS="command">chroot()</B>) by specifying the "<VAR CLASS="option">-t</VAR>" option. This can help improve system security by placing <ACRONYM CLASS="acronym">BIND</ACRONYM> in a "sandbox", which limits the damage done if the server is compromised.</P>
<P>Another useful feature in the UNIX version of <ACRONYM CLASS="acronym">BIND</ACRONYM> is the ability to run the daemon as an unprivileged user (<VAR CLASS="option">-u</VAR> <VAR CLASS="replaceable">user_id</VAR>). We suggest running as an unprivileged user when using the <B CLASS="command">chroot</B> feature: a chroot by itself is a weak boundary for a process that keeps root privileges, so the two options belong together.</P>
<P>Here is an example command line to load <ACRONYM CLASS="acronym">BIND</ACRONYM> in a <B CLASS="command">chroot()</B> sandbox, <TT CLASS="filename">/var/named</TT>, and to run <B CLASS="command">named</B> <B CLASS="command">setuid</B> to user 202:</P>
<P><TT CLASS="userinput">/usr/local/bin/named -u 202 -t /var/named</TT></P>
<H2 CLASS="sect2">7.2.1. The <B CLASS="command">chroot</B> Environment</H2>
<P>In order for a <B CLASS="command">chroot()</B> environment to work properly in a particular directory (for example, <TT CLASS="filename">/var/named</TT>), you will need to set up an environment that includes everything <ACRONYM CLASS="acronym">BIND</ACRONYM> needs to run. From <ACRONYM CLASS="acronym">BIND</ACRONYM>'s point of view, <TT CLASS="filename">/var/named</TT> is the root of the filesystem. You will need to adjust the values of options like <B CLASS="command">directory</B> and <B CLASS="command">pid-file</B> to account for this, since every path in the configuration is interpreted after the <B CLASS="command">chroot()</B>.</P>
<P>Unlike with earlier versions of BIND, you will typically <SPAN CLASS="emphasis"><I CLASS="emphasis">not</I></SPAN> need to compile <B CLASS="command">named</B> statically nor install shared libraries under the new root. However, depending on your operating system, you may need to set up things like <TT CLASS="filename">/dev/zero</TT>, <TT CLASS="filename">/dev/random</TT>, <TT CLASS="filename">/dev/log</TT>, and/or <TT CLASS="filename">/etc/localtime</TT> under the new root: without <TT CLASS="filename">/dev/log</TT> (the syslog socket) log messages are silently lost, and without <TT CLASS="filename">/dev/random</TT> the server has no kernel source of randomness.</P>
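<P>The following options block is an added example, not part of the ARM or of BIND itself. It shows how <B CLASS="command">directory</B>, <B CLASS="command">pid-file</B> and zone file names are written for a <B CLASS="command">named</B> started with "<VAR CLASS="option">-t</VAR> <TT CLASS="filename">/var/named</TT>", with the corresponding host-side path in each comment. The directory layout (<TT CLASS="filename">/var/named/etc/namedb</TT> for configuration and zones, <TT CLASS="filename">/var/named/var/run</TT> for the PID file, <TT CLASS="filename">/var/named/var/tmp</TT> for dump and statistics files) and the zone names are assumptions for illustration. The configuration file itself is read after the chroot, so its "<VAR CLASS="option">-c</VAR>" path is also relative to the new root.</P>

```conf
// Added example (not from the BIND ARM): paths as seen by a named running
// under "-t /var/named". Every path is resolved after the chroot, so the
// host-side file is the same path prefixed with /var/named.
options {
    directory       "/etc/namedb";            // host: /var/named/etc/namedb
    pid-file        "/var/run/named.pid";     // host: /var/named/var/run/named.pid
    dump-file       "/var/tmp/named_dump.db"; // host: /var/named/var/tmp/named_dump.db
    statistics-file "/var/tmp/named.stats";   // host: /var/named/var/tmp/named.stats
};

// Relative zone file names resolve against "directory", i.e. against
// /var/named/etc/namedb on the host. A master zone is only read, so its
// file can stay read-only to the unprivileged user named runs as.
zone "example.com" {
    type master;
    file "m/example.com";      // host: /var/named/etc/namedb/m/example.com
};

// A slave zone file is written by named after each transfer, so the host
// directory /var/named/etc/namedb/s must be owned by that unprivileged user.
zone "example.net" {
    type slave;
    masters { 198.51.100.1; };
    file "s/example.net";      // host: /var/named/etc/namedb/s/example.net
};
```

<P>Keeping writable directories (slave zones, journals, the PID and dump files) separate from the read-only configuration and master zone files is what limits a compromised <B CLASS="command">named</B> to damaging data it would have to rewrite anyway.</P>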
<H2 CLASS="sect2"><A NAME="AEN4851">7.2.2. Using the <B CLASS="command">setuid</B> Function</A></H2>
<P>Prior to running the <B CLASS="command">named</B> daemon, use the <B CLASS="command">touch</B> utility (to change file access and modification times) or the <B CLASS="command">chown</B> utility (to set the user id and/or group id) on files to which you want <ACRONYM CLASS="acronym">BIND</ACRONYM> to write. Give the unprivileged user write access only to the files it must update (slave zone files, dynamic update journals, the PID and dump files) and leave the configuration and master zone files read-only, so that a compromised server cannot rewrite its own configuration. Note that if the <B CLASS="command">named</B> daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded; a change to <B CLASS="command">listen-on</B> that adds a port below 1024 therefore requires a full restart rather than a reload.</P>
<H1 CLASS="sect1"><A NAME="dynamic_update_security">7.3. Dynamic Update Security</A></H1>
<P>Access to the dynamic update facility should be strictly limited. In earlier versions of <ACRONYM CLASS="acronym">BIND</ACRONYM> the only way to do this was based on the IP address of the host requesting the update, by listing an IP address or network prefix in the <B CLASS="command">allow-update</B> zone option. This method is insecure since the source address of the update UDP packet is easily forged: an update is a single datagram, and the attacker does not need to see the reply. Also note that if the IP addresses allowed by the <B CLASS="command">allow-update</B> option include the address of a slave server which performs forwarding of dynamic updates, the master can be trivially attacked by sending the update to the slave, which will forward it to the master with its own source IP address, causing the master to approve it without question.</P>
<P>For these reasons, we strongly recommend that updates be cryptographically authenticated by means of transaction signatures (TSIG), an HMAC over the message computed with a secret shared between the updater and the server. That is, the <B CLASS="command">allow-update</B> option should list only TSIG key names, not IP addresses or network prefixes. Alternatively, the new <B CLASS="command">update-policy</B> option can be used, which additionally restricts which names and record types each key may change.</P>
<P>Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all.</P>
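<P>The configuration below is an added example, not part of the ARM or of BIND itself; it illustrates the two preceding paragraphs together: the insecure address-based <B CLASS="command">allow-update</B> beside its TSIG-keyed replacement, the <B CLASS="command">update-policy</B> alternative, and the pattern of delegating the dynamic data to its own zone. The zone names, the address 192.0.2.10, the key name "dhcp-update-key" and the secret are placeholders (generate a real secret with <B CLASS="command">tsig-keygen</B>). A secondary only forwards updates when <B CLASS="command">allow-update-forwarding</B> is set (the default is none), and the master still applies its own <B CLASS="command">allow-update</B> to the forwarded request, so with key-based access control an unsigned update relayed by a secondary is rejected rather than approved on the strength of the secondary's address.</P>

```conf
// Added example (not from the BIND ARM): TSIG-authenticated dynamic update
// confined to a delegated subzone. Names, addresses and secret are placeholders.

key "dhcp-update-key" {
    algorithm hmac-sha256;
    secret "PLACEHOLDER-NOT-A-REAL-SECRET=";   // generate with tsig-keygen
};

// The zone holding the static, critical records accepts no updates at all
// (the default) and only delegates the dynamic subdomain, e.g. with
//   dyn.example.com.  IN NS  ns1.example.com.
// in m/example.com.
zone "example.com" {
    type master;
    file "m/example.com";
};

// All dynamically updated data lives here, in a zone of its own.
zone "dyn.example.com" {
    type master;
    file "m/dyn.example.com";

    // Weak setting, the pre-TSIG way: any packet whose source address claims
    // to be the DHCP server is accepted, and that address is trivial to forge
    // in a single UDP datagram (or to borrow via an update-forwarding slave).
    // allow-update { 192.0.2.10; };

    // Correct: accept only updates carrying a valid TSIG signature made with
    // the key. A "key" entry in a match list is checked against the
    // signature, not the source address.
    allow-update { key "dhcp-update-key"; };

    // Finer-grained alternative (allow-update and update-policy are mutually
    // exclusive, so replace the line above with this to use it): the key may
    // add or delete only A, AAAA and TXT records at names within the zone,
    // so it can never rewrite the apex SOA or NS records.
    // update-policy {
    //     grant dhcp-update-key subdomain dyn.example.com. A AAAA TXT;
    // };
};

// A secondary for the dynamic zone. Forwarding is off by default; if it is
// enabled, restrict it to the same key so the secondary does not become the
// relay described above.
zone "dyn.example.com" IN {
    type slave;
    file "s/dyn.example.com";
    masters { 192.0.2.53; };
    allow-update-forwarding { key "dhcp-update-key"; };
};
```

<P>A real configuration would carry only one of the two "dyn.example.com" zone statements per server; both are shown so the master and the secondary sides of the same setup appear together. Protect the key file on both ends: anyone holding the secret can update everything the key is granted.</P>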