/contrib/bind9/doc/arm/Bv9ARM.ch07.html
https://bitbucket.org/freebsd/freebsd-head/ · HTML · 258 lines · 239 code · 2 blank · 17 comment · 0 complexity · 63ebf34138f27bb24ebf9fceffa024d0 MD5 · raw file
- <!--
- - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
- - Copyright (C) 2000-2003 Internet Software Consortium.
- -
- - Permission to use, copy, modify, and/or distribute this software for any
- - purpose with or without fee is hereby granted, provided that the above
- - copyright notice and this permission notice appear in all copies.
- -
- - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
- - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
- - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
- - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
- - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
- - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
- - PERFORMANCE OF THIS SOFTWARE.
- -->
- <!-- $Id$ -->
- <html>
- <head>
- <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
- <title>Chapter 7. BIND 9 Security Considerations</title>
- <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
- <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
- <link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
- <link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
- </head>
- <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
- <div class="navheader">
- <table width="100%" summary="Navigation header">
- <tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
- <tr>
- <td width="20%" align="left">
- <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
- <th width="60%" align="center"> </th>
- <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
- </td>
- </tr>
- </table>
- <hr>
- </div>
- <div class="chapter" lang="en">
- <div class="titlepage"><div><div><h2 class="title">
- <a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
- <div class="toc">
- <p><b>Table of Contents</b></p>
- <dl>
- <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
- <dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603082"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
- <dd><dl>
- <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603232">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
- <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603291">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
- </dl></dd>
- <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
- </dl>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
- <p>
- Access Control Lists (ACLs) are address match lists that
- you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
- <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
- <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
- <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
- etc.
- </p>
- <p>
- Using ACLs allows you to have finer control over who can access
- your name server, without cluttering up your config files with huge
- lists of IP addresses.
- </p>
- <p>
- It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
- control access to your server. Limiting access to your server by
- outside parties can help prevent spoofing and denial of service (DoS) attacks against
- your server.
- </p>
- <p>
- Here is an example of how to properly apply ACLs:
- </p>
- <pre class="programlisting">
- // Set up an ACL named "bogusnets" that will block
- // RFC1918 space and some reserved space, which is
- // commonly used in spoofing attacks.
- acl bogusnets {
- 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
- 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
- };
- // Set up an ACL called our-nets. Replace this with the
- // real IP numbers.
- acl our-nets { x.x.x.x/24; x.x.x.x/21; };
- options {
- ...
- ...
- allow-query { our-nets; };
- allow-recursion { our-nets; };
- ...
- blackhole { bogusnets; };
- ...
- };
- zone "example.com" {
- type master;
- file "m/example.com";
- allow-query { any; };
- };
- </pre>
- <p>
- This allows recursive queries of the server from the outside
- unless recursion has been previously disabled.
- </p>
- <p>
- For more information on how to use ACLs to protect your server,
- see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
- </p>
- <p>
- <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
- </p>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="id2603082"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
- </h2></div></div></div>
- <p>
- On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
- in a <span class="emphasis"><em>chrooted</em></span> environment (using
- the <span><strong class="command">chroot()</strong></span> function) by specifying
- the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
- This can help improve system security by placing
- <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
- the damage done if a server is compromised.
- </p>
- <p>
- Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
- ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
- We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
- </p>
- <p>
- Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
- <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
- user 202:
- </p>
- <p>
- <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
- </p>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2603232"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
- <p>
- In order for a <span><strong class="command">chroot</strong></span> environment
- to
- work properly in a particular directory
- (for example, <code class="filename">/var/named</code>),
- you will need to set up an environment that includes everything
- <acronym class="acronym">BIND</acronym> needs to run.
- From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
- the root of the filesystem. You will need to adjust the values of
- options like
- like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
- for this.
- </p>
- <p>
- Unlike with earlier versions of BIND, you typically will
- <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
- statically nor install shared libraries under the new root.
- However, depending on your operating system, you may need
- to set up things like
- <code class="filename">/dev/zero</code>,
- <code class="filename">/dev/random</code>,
- <code class="filename">/dev/log</code>, and
- <code class="filename">/etc/localtime</code>.
- </p>
- </div>
- <div class="sect2" lang="en">
- <div class="titlepage"><div><div><h3 class="title">
- <a name="id2603291"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
- <p>
- Prior to running the <span><strong class="command">named</strong></span> daemon,
- use
- the <span><strong class="command">touch</strong></span> utility (to change file
- access and
- modification times) or the <span><strong class="command">chown</strong></span>
- utility (to
- set the user id and/or group id) on files
- to which you want <acronym class="acronym">BIND</acronym>
- to write.
- </p>
- <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
- <h3 class="title">Note</h3>
- Note that if the <span><strong class="command">named</strong></span> daemon is running as an
- unprivileged user, it will not be able to bind to new restricted
- ports if the server is reloaded.
- </div>
- </div>
- </div>
- <div class="sect1" lang="en">
- <div class="titlepage"><div><div><h2 class="title" style="clear: both">
- <a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
- <p>
- Access to the dynamic
- update facility should be strictly limited. In earlier versions of
- <acronym class="acronym">BIND</acronym>, the only way to do this was
- based on the IP
- address of the host requesting the update, by listing an IP address
- or
- network prefix in the <span><strong class="command">allow-update</strong></span>
- zone option.
- This method is insecure since the source address of the update UDP
- packet
- is easily forged. Also note that if the IP addresses allowed by the
- <span><strong class="command">allow-update</strong></span> option include the
- address of a slave
- server which performs forwarding of dynamic updates, the master can
- be
- trivially attacked by sending the update to the slave, which will
- forward it to the master with its own source IP address causing the
- master to approve it without question.
- </p>
- <p>
- For these reasons, we strongly recommend that updates be
- cryptographically authenticated by means of transaction signatures
- (TSIG). That is, the <span><strong class="command">allow-update</strong></span>
- option should
- list only TSIG key names, not IP addresses or network
- prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
- option can be used.
- </p>
- <p>
- Some sites choose to keep all dynamically-updated DNS data
- in a subdomain and delegate that subdomain to a separate zone. This
- way, the top-level zone containing critical data such as the IP
- addresses
- of public web and mail servers need not allow dynamic update at
- all.
- </p>
- </div>
- </div>
- <div class="navfooter">
- <hr>
- <table width="100%" summary="Navigation footer">
- <tr>
- <td width="40%" align="left">
- <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
- <td width="20%" align="center"> </td>
- <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
- </td>
- </tr>
- <tr>
- <td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
- <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
- <td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
- </tr>
- </table>
- </div>
- </body>
- </html>