BIND 9 Security Considerations
7.1. Access Control Lists
Access Control Lists (ACLs) are address match lists that
you can set up and nickname for future use in
Using ACLs allows you to have finer control over who can access
your nameserver, without cluttering up your config files with huge
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and DoS attacks against
Here is an example of how to properly apply ACLs:

    // Set up an ACL named "bogusnets" that will block RFC1918 space,
    // which is commonly used in spoofing attacks.
    acl bogusnets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    // Set up an ACL called our-nets. Replace this with the real IP numbers
    // (the RFC 5737 documentation ranges below are only placeholders).
    acl our-nets { 192.0.2.0/24; 198.51.100.0/24; };
    options {
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
    };
This allows recursive queries of the server from the outside
unless recursion has been previously disabled.
For more information on how to use ACLs to protect your server,
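As an added illustration (not code from the BIND documentation or from named itself), the script below models how named evaluates the address match lists used in the example above: elements are tested in order, the first match decides, and a leading "!" negates. The ACL contents and client addresses are constructed (RFC 1918 ranges for bogusnets, RFC 5737 documentation ranges for our-nets), and the handling of "!" in front of a nested ACL name is a simplifying assumption.

```python
import ipaddress

# Constructed sample in the shape of the page's example: "bogusnets" holds
# the RFC 1918 ranges, "our-nets" stands in for the real site networks
# (RFC 5737 documentation ranges here), "any"/"none" mirror BIND's built-ins.
ACLS = {
    "any": ["0.0.0.0/0", "::/0"],
    "none": [],
    "bogusnets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["!192.0.2.64/26", "192.0.2.0/24", "198.51.100.0/24"],
}
OPTIONS = {  # the options from the page's example, as match lists
    "allow-query": ["our-nets"],
    "allow-recursion": ["our-nets"],
    "blackhole": ["bogusnets"],
}

def match_list(addr, entries, acls=ACLS):
    """Walk a match list in order; the first matching element decides.
    True = positive match, False = negated ('!') match, None = no match."""
    ip = ipaddress.ip_address(addr)
    for entry in entries:
        negated = entry.startswith("!")
        item = entry.lstrip("!").strip()
        if item in acls:                          # reference to a named ACL
            hit = match_list(addr, acls[item], acls)
            if hit is None:
                continue
            return (not hit) if negated else hit  # assumption: '!' inverts
        # membership is False across IPv4/IPv6, so no version check needed
        if ip in ipaddress.ip_network(item, strict=False):
            return not negated
    return None

def allowed(addr, option, options=OPTIONS, acls=ACLS):
    """Access-control reading: only a positive match allows; a negated
    match or no match at all denies."""
    return match_list(addr, options[option], acls) is True

def classify(addr):
    """How named would treat a client under OPTIONS; blackholed sources are
    dropped before allow-query/allow-recursion are consulted."""
    if allowed(addr, "blackhole"):
        return "blackholed"
    if not allowed(addr, "allow-query"):
        return "query refused"
    if allowed(addr, "allow-recursion"):
        return "query and recursion allowed"
    return "query allowed, recursion refused"
```

Calling classify() on a client address returns one of the four verdicts, which is a quick way to check that a new ACL line has the effect you intended before reloading named.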
On UNIX servers, it is possible to run BIND in a chrooted environment
(chroot()) by specifying the "-t" option. This can help improve system
security by placing BIND in a "sandbox," which will limit the damage done
if a server is compromised.
Another useful feature in the UNIX version of BIND is the ability to run
the daemon as a nonprivileged user (the "-u" option). We suggest running as
a nonprivileged user when using the "-t" option.
Here is an example command line to load BIND:

For a chroot environment to work properly in a particular directory,
you will need to set up an environment that includes everything BIND
needs to run. From BIND's point of view, that directory is the root of
the filesystem. You will need any library directories and files that
BIND needs on your system. Please consult your operating system's
instructions if you need help figuring out which library files you need
to copy.
If you are running an operating system that supports static binaries,
you can also compile BIND statically and avoid the need to copy system
libraries over to your chroot directory.

Use the touch utility (to change file access and modification times)
or the chown utility (to set the user id and/or group id) on files to
which you want BIND to write.
Access to the dynamic update facility should be strictly limited.
In earlier versions of BIND the only way to do this was based on
the IP address of the host requesting the update. BIND 9 supports
authenticating updates cryptographically by means of transaction
signatures (TSIG). The use of TSIG is strongly recommended.
Some sites choose to keep all dynamically updated DNS data in a
subdomain and delegate that subdomain to a separate zone. This way,
the top-level zone containing critical data such as the IP addresses
of public web and mail servers need not allow dynamic update at all.