cb2846ded4de1abbb5934b92132baf826f1babfebnicholes<HTML

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><HEAD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TITLE

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>BIND 9 Security Considerations</TITLE

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><META

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes"><LINK

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesHREF="Bv9ARM.html"><LINK

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesHREF="Bv9ARM.ch06.html"><LINK

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesHREF="Bv9ARM.ch08.html"></HEAD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><BODY

70953fb44a7140fe206c3a5f011e24209c8c5c6abnicholes><DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TABLE

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TR

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TH

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>BIND 9 Administrator Reference Manual</TH

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></TR

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TR

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Prev</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></TD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></TD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><TD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Next</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></TD

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></TR

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></TABLE

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><HR

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesWIDTH="100%"></DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><H1

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Chapter 7. <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>BIND</SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> 9 Security Considerations</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></H1

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DL

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Table of Contents</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>7.1. <A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Access Control Lists</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>7.2. <A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>chroot</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> and <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>setuid</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> (for

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesUNIX servers)</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>7.3. <A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Dynamic Update Security</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></DT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></DL

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><H1

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>7.1. Access Control Lists</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></H1

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Access Control Lists (ACLs), are address match lists that

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesyou can set up and nickname for future use in <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>allow-notify</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>,

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes<B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>allow-query</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>, <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>allow-recursion</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>,

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes<B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>blackhole</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>, <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>allow-transfer</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>,

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesetc.</P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Using ACLs allows you to have finer control over who can access

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesyour name server, without cluttering up your config files with huge

cb2846ded4de1abbb5934b92132baf826f1babfebnicholeslists of IP addresses.</P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>It is a <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>good idea</I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> to use ACLs, and to

cb2846ded4de1abbb5934b92132baf826f1babfebnicholescontrol access to your server. Limiting access to your server by

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesoutside parties can help prevent spoofing and DoS attacks against

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesyour server.</P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Here is an example of how to properly apply ACLs:</P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><PRE

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>&#13;// Set up an ACL named "bogusnets" that will block RFC1918 space,

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes// which is commonly used in spoofing attacks.

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesacl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes// Set up an ACL called our-nets. Replace this with the real IP numbers.

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesacl our-nets { x.x.x.x/24; x.x.x.x/21; };

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesoptions {

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes ...

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes ...

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes allow-query { our-nets; };

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes allow-recursion { our-nets; };

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes ...

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes blackhole { bogusnets; };

bf1e7c075ccc3e6597d17de7641332ff6ff92e8astriker ...

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes};

cb2846ded4de1abbb5934b92132baf826f1babfebnicholeszone "example.com" {

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes type master;

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes file "m/example.com";

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes allow-query { any; };

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes};

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes</PRE

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>This allows recursive queries of the server from the outside

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesunless recursion has been previously disabled.</P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>For more information on how to use ACLs to protect your server,

cb2846ded4de1abbb5934b92132baf826f1babfebnicholessee the <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>AUSCERT</I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> advisory at

9046ab142ed19505e034af0afb8c15be512b8526bnicholes<A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><DIV

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><H1

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>7.2. <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>chroot</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> and <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>setuid</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> (for

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesUNIX servers)</A

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></H1

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>On UNIX servers, it is possible to run <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>BIND</SPAN

e75db68cd3a838dfe6de1553907416c3834ebb40bnicholes> in a <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>chrooted</I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> environment

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes(<B

609ef720afd62ca63391c9fdb415cd2faf29aa46bnicholes>chroot()</B

609ef720afd62ca63391c9fdb415cd2faf29aa46bnicholes>) by specifying the "<TT

609ef720afd62ca63391c9fdb415cd2faf29aa46bnicholes>-t</TT

609ef720afd62ca63391c9fdb415cd2faf29aa46bnicholes>"

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesoption. This can help improve system security by placing <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>BIND</SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> in

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesa "sandbox", which will limit the damage done if a server is compromised.</P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Another useful feature in the UNIX version of <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>BIND</SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> is the

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesability to run the daemon as an unprivileged user ( <TT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>-u</TT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> <TT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>user</I

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes></TT

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> ).

cb2846ded4de1abbb5934b92132baf826f1babfebnicholesWe suggest running as an unprivileged user when using the <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>chroot</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> feature.</P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes><P

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>Here is an example command line to load <SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>BIND</SPAN

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> in a <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>chroot()</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> sandbox,

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes<B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>/var/named</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>, and to run <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>named</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> <B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes>setuid</B

cb2846ded4de1abbb5934b92132baf826f1babfebnicholes> to

user 202:</P

><P

><TT

><B

>/usr/local/bin/named -u 202 -t /var/named</B

></TT

></P

><DIV

><H2

><A

>7.2.1. The <B

>chroot</B

> Environment</A

></H2

><P

>In order for a <B

>chroot()</B

> environment to

work properly in a particular directory

(for example, <TT

>/var/named</TT

>),

you will need to set up an environment that includes everything

<SPAN

>BIND</SPAN

> needs to run.

From <SPAN

>BIND</SPAN

>'s point of view, <TT

>/var/named</TT

> is

the root of the filesystem. You will need to adjust the values of options like

like <B

>directory</B

> and <B

>pid-file</B

> to account

for this.

</P

><P

>&#13;Unlike with earlier versions of BIND, you will typically

<SPAN

><I

>not</I

></SPAN

> need to compile <B

>named</B

>

statically nor install shared libraries under the new root.

However, depending on your operating system, you may need

to set up things like

<TT

>/dev/zero</TT

>,

<TT

>/dev/random</TT

>,

<TT

>/dev/log</TT

>, and/or

<TT

>/etc/localtime</TT

>.

</P

></DIV

><DIV

><H2

><A

>7.2.2. Using the <B

>setuid</B

> Function</A

></H2

><P

>Prior to running the <B

>named</B

> daemon, use

the <B

>touch</B

> utility (to change file access and

modification times) or the <B

>chown</B

> utility (to

set the user id and/or group id) on files

to which you want <SPAN

>BIND</SPAN

>

to write. Note that if the <B

>named</B

> daemon is running as an

unprivileged user, it will not be able to bind to new restricted ports if the

server is reloaded.</P

></DIV

></DIV

><DIV

><H1

><A

>7.3. Dynamic Update Security</A

></H1

><P

>Access to the dynamic

update facility should be strictly limited. In earlier versions of

<SPAN

>BIND</SPAN

> the only way to do this was based on the IP

address of the host requesting the update, by listing an IP address or

network prefix in the <B

>allow-update</B

> zone option.

This method is insecure since the source address of the update UDP packet

is easily forged. Also note that if the IP addresses allowed by the

<B

>allow-update</B

> option include the address of a slave

server which performs forwarding of dynamic updates, the master can be

trivially attacked by sending the update to the slave, which will

forward it to the master with its own source IP address causing the

master to approve it without question.</P

><P

>For these reasons, we strongly recommend that updates be

cryptographically authenticated by means of transaction signatures

(TSIG). That is, the <B

>allow-update</B

> option should

list only TSIG key names, not IP addresses or network

prefixes. Alternatively, the new <B

>update-policy</B

>

option can be used.</P

><P

>Some sites choose to keep all dynamically updated DNS data

in a subdomain and delegate that subdomain to a separate zone. This

way, the top-level zone containing critical data such as the IP addresses

of public web and mail servers need not allow dynamic update at

all.</P

></DIV

></DIV

><DIV

><HR

WIDTH="100%"><TABLE

><TR

><TD

><A

>Prev</A

></TD

><TD

><A

>Home</A

></TD

><TD

><A

>Next</A

></TD

></TR

><TR

><TD

><SPAN

>BIND</SPAN

> 9 Configuration Reference</TD

><TD

>&nbsp;</TD

><TD

>Troubleshooting</TD

></TR

></TABLE

></DIV

></BODY

></HTML

>