Bv9ARM.ch07.html revision f9aef05653eeb454c489d5bd2bde6daab774ad4a
2N/A<!--
2N/A - Copyright (C) 2004-2013 Internet Systems Consortium, Inc. ("ISC")
2N/A - Copyright (C) 2000-2003 Internet Software Consortium.
2N/A -
2N/A - Permission to use, copy, modify, and/or distribute this software for any
2N/A - purpose with or without fee is hereby granted, provided that the above
2N/A - copyright notice and this permission notice appear in all copies.
2N/A -
2N/A - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
2N/A - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
2N/A - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
2N/A - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
2N/A - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
2N/A - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
2N/A - PERFORMANCE OF THIS SOFTWARE.
2N/A-->
2N/A<!-- $Id$ -->
2N/A<html>
2N/A<head>
2N/A<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
2N/A<title>Chapter�7.�BIND 9 Security Considerations</title>
2N/A<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
2N/A<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2N/A<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
2N/A<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
2N/A<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting">
2N/A</head>
2N/A<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
2N/A<div class="navheader">
2N/A<table width="100%" summary="Navigation header">
2N/A<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
2N/A<tr>
2N/A<td width="20%" align="left">
2N/A<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
2N/A<th width="60%" align="center">�</th>
2N/A<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
2N/A</td>
2N/A</tr>
2N/A</table>
2N/A<hr>
2N/A</div>
2N/A<div class="chapter" lang="en">
2N/A<div class="titlepage"><div><div><h2 class="title">
2N/A<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
2N/A<div class="toc">
2N/A<p><b>Table of Contents</b></p>
2N/A<dl>
2N/A<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
2N/A<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2605864"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
2N/A<dd><dl>
2N/A<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2605945">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
2N/A<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2606005">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
2N/A</dl></dd>
2N/A<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
2N/A</dl>
2N/A</div>
2N/A<div class="sect1" lang="en">
2N/A<div class="titlepage"><div><div><h2 class="title" style="clear: both">
2N/A<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
2N/A<p>
2N/A Access Control Lists (ACLs) are address match lists that
2N/A you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
2N/A <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
2N/A <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
2N/A <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
2N/A etc.
2N/A </p>
2N/A<p>
2N/A Using ACLs allows you to have finer control over who can access
2N/A your name server, without cluttering up your config files with huge
2N/A lists of IP addresses.
2N/A </p>
2N/A<p>
2N/A It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
2N/A control access to your server. Limiting access to your server by
2N/A outside parties can help prevent spoofing and denial of service (DoS) attacks against
2N/A your server.
2N/A </p>
2N/A<p>
2N/A Here is an example of how to properly apply ACLs:
2N/A </p>
2N/A<pre class="programlisting">
2N/A// Set up an ACL named "bogusnets" that will block
2N/A// RFC1918 space and some reserved space, which is
2N/A// commonly used in spoofing attacks.
2N/Aacl bogusnets {
2N/A 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
2N/A 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
2N/A};
2N/A
2N/A// Set up an ACL called our-nets. Replace this with the
2N/A// real IP numbers.
2N/Aacl our-nets { x.x.x.x/24; x.x.x.x/21; };
2N/Aoptions {
2N/A ...
2N/A ...
2N/A allow-query { our-nets; };
2N/A allow-recursion { our-nets; };
2N/A ...
2N/A blackhole { bogusnets; };
2N/A ...
2N/A};
2N/A
2N/Azone "example.com" {
2N/A type master;
2N/A file "m/example.com";
2N/A allow-query { any; };
2N/A};
2N/A</pre>
2N/A<p>
2N/A This allows recursive queries of the server from the outside
2N/A unless recursion has been previously disabled.
2N/A </p>
2N/A</div>
2N/A<div class="sect1" lang="en">
2N/A<div class="titlepage"><div><div><h2 class="title" style="clear: both">
2N/A<a name="id2605864"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
2N/A</h2></div></div></div>
2N/A<p>
2N/A On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
2N/A in a <span class="emphasis"><em>chrooted</em></span> environment (using
2N/A the <span><strong class="command">chroot()</strong></span> function) by specifying
2N/A the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
2N/A This can help improve system security by placing
2N/A <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
2N/A the damage done if a server is compromised.
2N/A </p>
2N/A<p>
2N/A Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
2N/A ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
2N/A We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
2N/A </p>
2N/A<p>
2N/A Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
2N/A <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
2N/A user 202:
2N/A </p>
2N/A<p>
2N/A <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
2N/A </p>
2N/A<div class="sect2" lang="en">
2N/A<div class="titlepage"><div><div><h3 class="title">
2N/A<a name="id2605945"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
2N/A<p>
2N/A In order for a <span><strong class="command">chroot</strong></span> environment
2N/A to
2N/A work properly in a particular directory
2N/A (for example, <code class="filename">/var/named</code>),
2N/A you will need to set up an environment that includes everything
2N/A <acronym class="acronym">BIND</acronym> needs to run.
2N/A From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
2N/A the root of the filesystem. You will need to adjust the values of
2N/A options like
2N/A like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
2N/A for this.
2N/A </p>
2N/A<p>
2N/A Unlike with earlier versions of BIND, you typically will
2N/A <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
2N/A statically nor install shared libraries under the new root.
2N/A However, depending on your operating system, you may need
2N/A to set up things like
2N/A <code class="filename">/dev/zero</code>,
2N/A <code class="filename">/dev/random</code>,
2N/A <code class="filename">/dev/log</code>, and
2N/A <code class="filename">/etc/localtime</code>.
2N/A </p>
2N/A</div>
2N/A<div class="sect2" lang="en">
2N/A<div class="titlepage"><div><div><h3 class="title">
2N/A<a name="id2606005"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
2N/A<p>
2N/A Prior to running the <span><strong class="command">named</strong></span> daemon,
2N/A use
2N/A the <span><strong class="command">touch</strong></span> utility (to change file
2N/A access and
2N/A modification times) or the <span><strong class="command">chown</strong></span>
2N/A utility (to
2N/A set the user id and/or group id) on files
2N/A to which you want <acronym class="acronym">BIND</acronym>
2N/A to write.
2N/A </p>
2N/A<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
2N/A<h3 class="title">Note</h3>
2N/A Note that if the <span><strong class="command">named</strong></span> daemon is running as an
2N/A unprivileged user, it will not be able to bind to new restricted
2N/A ports if the server is reloaded.
2N/A </div>
2N/A</div>
2N/A</div>
2N/A<div class="sect1" lang="en">
2N/A<div class="titlepage"><div><div><h2 class="title" style="clear: both">
2N/A<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
2N/A<p>
2N/A Access to the dynamic
2N/A update facility should be strictly limited. In earlier versions of
2N/A <acronym class="acronym">BIND</acronym>, the only way to do this was
2N/A based on the IP
2N/A address of the host requesting the update, by listing an IP address
2N/A or
2N/A network prefix in the <span><strong class="command">allow-update</strong></span>
2N/A zone option.
2N/A This method is insecure since the source address of the update UDP
2N/A packet
2N/A is easily forged. Also note that if the IP addresses allowed by the
2N/A <span><strong class="command">allow-update</strong></span> option include the
2N/A address of a slave
2N/A server which performs forwarding of dynamic updates, the master can
2N/A be
2N/A trivially attacked by sending the update to the slave, which will
2N/A forward it to the master with its own source IP address causing the
2N/A master to approve it without question.
2N/A </p>
2N/A<p>
2N/A For these reasons, we strongly recommend that updates be
2N/A cryptographically authenticated by means of transaction signatures
2N/A (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
2N/A option should
2N/A list only TSIG key names, not IP addresses or network
2N/A prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
2N/A option can be used.
2N/A </p>
2N/A<p>
2N/A Some sites choose to keep all dynamically-updated DNS data
2N/A in a subdomain and delegate that subdomain to a separate zone. This
2N/A way, the top-level zone containing critical data such as the IP
2N/A addresses
2N/A of public web and mail servers need not allow dynamic update at
2N/A all.
2N/A </p>
2N/A</div>
2N/A</div>
2N/A<div class="navfooter">
2N/A<hr>
2N/A<table width="100%" summary="Navigation footer">
2N/A<tr>
2N/A<td width="40%" align="left">
2N/A<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
2N/A<td width="20%" align="center">�</td>
2N/A<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
2N/A</td>
2N/A</tr>
2N/A<tr>
2N/A<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
2N/A<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
2N/A<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
2N/A</tr>
2N/A</table>
2N/A</div>
2N/A</body>
2N/A</html>
2N/A