BIND 9 Security Considerations

Table of Contents
7.1. Access Control Lists
7.2. chroot and setuid (for UNIX servers)
7.3. Dynamic Updates

7.1. Access Control Lists
Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in options that take an address match list, such as allow-query, allow-recursion and blackhole.

Using ACLs allows you to have finer control over who can access your nameserver, without cluttering up your config files with huge lists of IP addresses.
Use ACLs to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and DoS attacks against it: a query the server refuses costs almost nothing to handle, and an address that is blackholed gets no response at all.

Here is an example of how to properly apply ACLs:
    // Set up an ACL named "bogusnets" that will block RFC1918 space,
    // which is commonly used in spoofing attacks.
    acl bogusnets { 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
    // Set up an ACL called our-nets. Replace this with the real IP numbers.
    acl our-nets { 192.0.2.0/24; 198.51.100.0/24; };
    options {
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        blackhole { bogusnets; };
    };
    zone "example.com" {                     // a zone this server is authoritative for
        type master; file "example.com.zone"; // placeholder file name
        allow-query { any; };                 // overrides the options-level allow-query
    };
Note how the two levels interact. The zone-level allow-query { any; } overrides the options-level allow-query for that zone, so outside parties can still query example.com, for which the server is authoritative. allow-recursion is an options-level setting with no zone-level counterpart, so recursive service stays limited to our-nets: outside parties get authoritative answers but no recursion unless you widen allow-recursion yourself.

For more information on how to use ACLs to protect your server,
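The address match list rules the example relies on (elements are tried in order, the first one that matches decides, a leading "!" negates, a bare name refers to another ACL, and a negative match inside a nested ACL counts as no match, so a negated nested list can never become a surprise positive match) are easier to see when run. The Python below is an added illustration written for this page, not code from BIND: it mirrors named's matching semantics in a small evaluator and plays the configuration above through it. The our-nets addresses, the excluded host 192.0.2.13, the zone name and the TSIG key name update-key are constructed placeholders.

```python
"""BIND-style address match lists and the query decisions named derives from them.
Added example for this page; the addresses and names below are constructed."""
from __future__ import annotations
import ipaddress
from typing import Optional, Union


class AclSet:
    """Named address match lists: evaluated in order, first match decides, "!" negates,
    a bare name nests another list, "key NAME" matches the TSIG signer of the request."""

    def __init__(self, lists: dict[str, list[str]]):
        self.lists = dict(lists)
        self.lists.setdefault("any", ["0.0.0.0/0", "::/0"])   # built-in lists named provides
        self.lists.setdefault("none", [])

    def _element_matches(self, elem: str, addr, signer: Optional[str]) -> bool:
        if elem.startswith("key "):
            wanted = elem[4:].strip().lower().rstrip(".")
            return signer is not None and signer.lower().rstrip(".") == wanted
        if elem in self.lists:
            # A negative match inside a nested list is treated as "no match", as named
            # does, so "!our-nets" cannot turn "!192.0.2.13" into a positive match.
            return self._first_match(self.lists[elem], addr, signer) is True
        net = ipaddress.ip_network(elem, strict=False)    # host or prefix
        return addr.version == net.version and addr in net

    def _first_match(self, elems: list[str], addr, signer: Optional[str]) -> Optional[bool]:
        """True: positive match; False: negated element matched; None: nothing matched."""
        for elem in elems:
            negated = elem.startswith("!")
            body = elem[1:].strip() if negated else elem
            if self._element_matches(body, addr, signer):
                return not negated
        return None

    def allows(self, acl: Union[str, list[str]], source: str, signer: Optional[str] = None) -> bool:
        elems = self.lists[acl] if isinstance(acl, str) else acl
        return self._first_match(elems, ipaddress.ip_address(source), signer) is True


# The lists from the configuration above; our-nets additionally excludes one host.
ACLS = {
    "bogusnets": ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"],
    "our-nets": ["!192.0.2.13", "192.0.2.0/24", "198.51.100.0/24"],
}
OPTIONS = {"allow-query": ["our-nets"], "allow-recursion": ["our-nets"], "blackhole": ["bogusnets"]}
ZONE_ALLOW_QUERY = {"example.com": ["any"]}   # zone-level allow-query overrides the options one


def decide(source: str, rd: bool, qname_zone: Optional[str] = None) -> str:
    """Outcome of a query from `source`; rd = recursion desired; qname_zone is the local
    authoritative zone the name falls in, or None if the name is not in any local zone."""
    acls = AclSet(ACLS)
    if acls.allows(OPTIONS["blackhole"], source):
        return "dropped"                                   # blackhole: no response at all
    query_list = ZONE_ALLOW_QUERY.get(qname_zone, OPTIONS["allow-query"])
    if not acls.allows(query_list, source):
        return "refused"
    if qname_zone is not None:
        return "authoritative"                             # answered from local zone data
    if rd and acls.allows(OPTIONS["allow-recursion"], source):
        return "recursive"
    return "refused"                                       # not our data and no recursion
```

Run decide() with a few sources: 10.1.2.3 is dropped, 192.0.2.5 gets recursion, 192.0.2.13 is refused because the negated element wins, and 203.0.113.9 is answered for example.com but refused for anything else.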
7.2. chroot and setuid (for UNIX servers)

On UNIX servers, it is possible to run BIND in a chroot() sandbox by starting named with the -t option, which names the directory that becomes the process's root. This can help improve system security by placing BIND in a "sandbox," which will limit the damage done if a server is compromised.

Another useful feature in the UNIX version of BIND is the ability to run the daemon as a nonprivileged user (the -u option). We suggest running as a nonprivileged user when using the chroot feature: a process that keeps root privileges can break out of a chroot, so the sandbox only holds if the daemon drops them.
In order for a chroot() environment to work properly in a particular directory, you will need to set up an environment that includes everything BIND needs to run. From BIND's point of view, that directory is the root of the filesystem, so every path named opens (its configuration file, zone files, log files, the PID file) is resolved inside it. You will need /dev/null, and any library directories and files that BIND needs to run on your system. Please consult your operating system's instructions if you need help figuring out which library files you need to copy over in order to run BIND; on systems that have ldd, running it on the named binary lists them.

If you are running an operating system that supports static binaries, you can also compile BIND statically and avoid the need to copy system libraries over to your chroot sandbox.
Prior to running the named daemon, use the touch utility (to create the files, or to change their access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want BIND to write, such as the journal files of dynamically updated zones and the zone files of secondary zones. Once named has dropped privileges it can only create or modify files in directories owned by the user it runs as.
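The steps above (copy the named binary and the libraries it needs, create /dev/null, hand the directories named must write to the unprivileged user, then start named with -u and -t) can be planned and applied by a script. The following Python is an added example written for this page, not part of BIND. The ldd output is a constructed sample, and the chroot directory /chroot/named, the user name named and the writable directory /var/named/dynamic are assumptions; with dry_run=False the script performs the actions and must then run as root.

```python
"""Plan and optionally build a chroot sandbox for named, then the ownership step that lets a
non-root named write where it must. Added example; paths and the ldd output are constructed."""
from __future__ import annotations
import os
import pwd
import shutil

# Constructed sample of `ldd /usr/sbin/named` output; a real run lists more libraries.
SAMPLE_LDD = """\
\tlinux-vdso.so.1 (0x00007ffd2a1f0000)
\tlibisc.so => /usr/lib/libisc.so (0x00007f1a2c200000)
\tlibc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1a2be00000)
\t/lib64/ld-linux-x86-64.so.2 (0x00007f1a2c400000)
"""


def libs_from_ldd(text: str) -> list[str]:
    """Absolute paths of the shared objects a dynamically linked binary needs."""
    paths = set()
    for line in text.splitlines():
        fields = line.split()
        if "=>" in fields:
            paths.add(fields[fields.index("=>") + 1])    # "libfoo.so => /path/libfoo.so (addr)"
        elif fields and fields[0].startswith("/"):
            paths.add(fields[0])                         # the dynamic loader line has no "=>"
        # anything else (the vdso) is supplied by the kernel and has nothing to copy
    return sorted(paths)


def plan_chroot(root: str, named: str, ldd_text: str, writable_dirs: list[str]) -> dict:
    """Everything that must exist under `root` before `named -t root` can start."""
    def inside(path: str) -> str:
        return os.path.join(root, path.lstrip("/"))
    copies = [(p, inside(p)) for p in [named, *libs_from_ldd(ldd_text)]]
    dirs = {os.path.dirname(dst) for _, dst in copies}
    dirs |= {inside("dev"), inside("etc"), *(inside(d) for d in writable_dirs)}
    return {"mkdirs": sorted(dirs), "copies": copies, "devnull": inside("dev/null"),
            "chown": sorted(inside(d) for d in writable_dirs)}


def build(plan: dict, user: str, root: str, dry_run: bool = True) -> list[str]:
    """Apply the plan (root required when not dry_run); returns the equivalent commands."""
    uid = gid = -1
    if not dry_run:
        entry = pwd.getpwnam(user)
        uid, gid = entry.pw_uid, entry.pw_gid
    done = []
    for d in plan["mkdirs"]:
        done.append(f"mkdir -p {d}")
        if not dry_run:
            os.makedirs(d, exist_ok=True)
    for src, dst in plan["copies"]:
        done.append(f"cp {src} {dst}")
        if not dry_run:
            shutil.copy2(src, dst)
    done.append(f"mknod -m 666 {plan['devnull']} c 1 3")   # /dev/null is char device 1,3 on Linux
    if not dry_run and not os.path.exists(plan["devnull"]):
        os.mknod(plan["devnull"], 0o020666, os.makedev(1, 3))
    for d in plan["chown"]:                                # journal and secondary zone files land here
        done.append(f"chown {user} {d}")
        if not dry_run:
            os.chown(d, uid, gid)
    done.append(f"named -u {user} -t {root}")             # drop privileges and chroot at start
    return done
```

Calling plan_chroot("/chroot/named", "/usr/sbin/named", SAMPLE_LDD, ["/var/named/dynamic"]) and then build(plan, "named", "/chroot/named") prints the command sequence without touching the filesystem; anything named must write (the dynamic directory here) is the only thing handed to the unprivileged user, everything else stays root-owned and read-only to it.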
7.3. Dynamic Updates
Access to the dynamic update facility should be strictly limited. In earlier versions of BIND the only way to do this was based on the IP address of the host requesting the update, which is a weak check: the source address of an update packet is easily forged, and a spoofed update arrives as a single UDP datagram with no exchange that would expose the forgery. BIND 9 supports authenticating updates cryptographically by means of transaction signatures (TSIG), an HMAC over the whole message computed with a key shared between the updater and the server, so a forged or altered update fails verification regardless of where it came from. The use of TSIG is strongly recommended.
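What TSIG adds to an update, and what the server checks before honouring it, is shown in the following Python, an added example written for this page rather than BIND code. It builds an UPDATE message that adds an A record, signs it with HMAC-SHA256 as RFC 8945 specifies, and verifies it the way a primary would, including the cases that must fail: a modified record, a wrong key, an unknown key name and an expired time window. The key name update-key, the zone example.com and the address are constructed; the named_conf_key helper renders the key statement you would put in named.conf and reference from the zone's allow-update instead of listing addresses.

```python
"""TSIG-signed DNS UPDATE (RFC 2136 + RFC 8945, HMAC-SHA256): client-side signing and the
server-side check. Added example for this page; the key, zone and address are constructed."""
from __future__ import annotations
import base64
import hashlib
import hmac
import struct
import time

ALGORITHM = "hmac-sha256."   # absolute algorithm name, as carried on the wire
FUDGE = 300                   # seconds of clock skew tolerated (named's default)


def wire_name(name: str) -> bytes:
    """DNS label encoding of an absolute name, no compression."""
    labels = [lab for lab in name.rstrip(".").split(".") if lab]
    return b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels) + b"\x00"


def read_name(msg: bytes, pos: int) -> tuple[str, int]:
    """Decode an uncompressed name (TSIG key and algorithm names are never compressed)."""
    labels = []
    while msg[pos]:
        labels.append(msg[pos + 1:pos + 1 + msg[pos]].decode("ascii"))
        pos += 1 + msg[pos]
    return ".".join(labels) + ".", pos + 1


def skip_name(msg: bytes, pos: int) -> int:
    """Step over a name that may end in a compression pointer."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] & 0xC0 == 0xC0 else 1)


def build_update(zone: str, name: str, ipv4: str, msg_id: int = 0x1234) -> bytes:
    """Unsigned UPDATE adding `name A ipv4` to `zone`: opcode 5, ZOCOUNT=1, UPCOUNT=1."""
    header = struct.pack("!HHHHHH", msg_id, 5 << 11, 1, 0, 1, 0)
    zone_section = wire_name(zone) + struct.pack("!HH", 6, 1)          # SOA IN
    rdata = bytes(int(o) for o in ipv4.split("."))
    return header + zone_section + wire_name(name) + struct.pack("!HHIH", 1, 1, 300, 4) + rdata


def tsig_variables(key: str, when: int, fudge: int, error: int = 0, other: bytes = b"") -> bytes:
    """TSIG fields covered by the MAC (RFC 8945 4.3.3): name, class ANY, TTL 0, algorithm, ..."""
    return (wire_name(key) + struct.pack("!HI", 255, 0) + wire_name(ALGORITHM)
            + when.to_bytes(6, "big") + struct.pack("!HHH", fudge, error, len(other)) + other)


def sign(msg: bytes, key: str, secret: bytes, when: int | None = None) -> bytes:
    """Append a TSIG RR; the MAC covers the message as sent plus the TSIG variables."""
    when = int(time.time()) if when is None else when
    mac = hmac.new(secret, msg + tsig_variables(key, when, FUDGE), hashlib.sha256).digest()
    rdata = (wire_name(ALGORITHM) + when.to_bytes(6, "big") + struct.pack("!HH", FUDGE, len(mac))
             + mac + msg[:2] + struct.pack("!HH", 0, 0))               # original ID, error, other len
    tsig = wire_name(key) + struct.pack("!HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack("!H", msg[10:12])[0] + 1
    return msg[:10] + struct.pack("!H", arcount) + msg[12:] + tsig


def verify(signed: bytes, keys: dict[str, bytes], now: int | None = None) -> bool:
    """What the primary does before applying the update: find the TSIG RR (always the last
    RR), look the key up by name, check the time window, recompute the MAC in constant time."""
    counts = struct.unpack("!HHHHHH", signed[:12])
    pos = 12
    for _ in range(counts[2]):                      # zone section: name, type, class
        pos = skip_name(signed, pos) + 4
    for _ in range(counts[3] + counts[4] + counts[5] - 1):   # every RR except the TSIG
        pos = skip_name(signed, pos) + 8
        pos += 2 + struct.unpack("!H", signed[pos:pos + 2])[0]
    tsig_at = pos
    key, pos = read_name(signed, pos)
    rtype = struct.unpack("!H", signed[pos:pos + 2])[0]
    pos += 10                                       # type, class, TTL, RDLENGTH
    alg, pos = read_name(signed, pos)
    when = int.from_bytes(signed[pos:pos + 6], "big")
    fudge, mac_len = struct.unpack("!HH", signed[pos + 6:pos + 10])
    mac = signed[pos + 10:pos + 10 + mac_len]
    pos += 10 + mac_len
    original_id, error, other_len = struct.unpack("!HHH", signed[pos:pos + 6])
    other = signed[pos + 6:pos + 6 + other_len]
    secret = keys.get(key.lower())
    if rtype != 250 or secret is None or alg.lower() != ALGORITHM:
        return False                                # BADKEY: unknown key or algorithm
    if abs((int(time.time()) if now is None else now) - when) > fudge:
        return False                                # BADTIME: stale or replayed
    # Rebuild the bytes the signer saw: original ID, ARCOUNT without the TSIG RR.
    unsigned = (struct.pack("!H", original_id) + signed[2:10]
                + struct.pack("!H", counts[5] - 1) + signed[12:tsig_at])
    expected = hmac.new(secret, unsigned + tsig_variables(key, when, fudge, error, other),
                        hashlib.sha256).digest()
    return hmac.compare_digest(mac, expected)


def named_conf_key(key: str, secret: bytes) -> str:
    """The key statement for named.conf (same shape as tsig-keygen prints); list it in the
    zone as allow-update { key "update-key"; }; rather than listing addresses."""
    return (f'key "{key.rstrip(".")}" {{ algorithm hmac-sha256; '
            f'secret "{base64.b64encode(secret).decode()}"; }};')
```

Two details worth noticing: the verifier recomputes the MAC over the original message ID taken from the TSIG RDATA, so an update that a forwarder re-tagged still verifies, and it rejects anything outside the fudge window, so a captured update cannot simply be replayed later.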
Some sites choose to keep all dynamically updated DNS data in a subdomain and delegate that subdomain to a separate zone. This way, the top-level zone containing critical data such as the IP addresses of public web and mail servers need not allow dynamic update at all, and a compromised update key or client can only affect the delegated subdomain.