7afecc12f4
This version has many new features, see /usr/share/doc/bind9/README for details.
260 lines
12 KiB
HTML
260 lines
12 KiB
HTML
<!--
|
||
- Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
|
||
- Copyright (C) 2000-2003 Internet Software Consortium.
|
||
-
|
||
- Permission to use, copy, modify, and/or distribute this software for any
|
||
- purpose with or without fee is hereby granted, provided that the above
|
||
- copyright notice and this permission notice appear in all copies.
|
||
-
|
||
- THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
|
||
- REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
|
||
- AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
|
||
- INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
|
||
- LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
|
||
- OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
|
||
- PERFORMANCE OF THIS SOFTWARE.
|
||
-->
|
||
<!-- $Id: Bv9ARM.ch07.html,v 1.242.8.1.2.1 2011-06-09 03:41:08 tbox Exp $ -->
|
||
<html>
|
||
<head>
|
||
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
|
||
<title>Chapter 7. BIND 9 Security Considerations</title>
|
||
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
|
||
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
|
||
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
|
||
<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
|
||
</head>
|
||
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
|
||
<div class="navheader">
|
||
<table width="100%" summary="Navigation header">
|
||
<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
|
||
<tr>
|
||
<td width="20%" align="left">
|
||
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
|
||
<th width="60%" align="center"> </th>
|
||
<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
|
||
</td>
|
||
</tr>
|
||
</table>
|
||
<hr>
|
||
</div>
|
||
<div class="chapter" lang="en">
|
||
<div class="titlepage"><div><div><h2 class="title">
|
||
<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
|
||
<div class="toc">
|
||
<p><b>Table of Contents</b></p>
|
||
<dl>
|
||
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
|
||
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2602626"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
|
||
<dd><dl>
|
||
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2602707">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
|
||
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2602766">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
|
||
</dl></dd>
|
||
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
|
||
</dl>
|
||
</div>
|
||
<div class="sect1" lang="en">
|
||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
|
||
<p>
|
||
Access Control Lists (ACLs) are address match lists that
|
||
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
|
||
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
|
||
<span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
|
||
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
|
||
etc.
|
||
</p>
|
||
<p>
|
||
Using ACLs allows you to have finer control over who can access
|
||
your name server, without cluttering up your config files with huge
|
||
lists of IP addresses.
|
||
</p>
|
||
<p>
|
||
It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
|
||
control access to your server. Limiting access to your server by
|
||
outside parties can help prevent spoofing and denial of service (DoS) attacks against
|
||
your server.
|
||
</p>
|
||
<p>
|
||
Here is an example of how to properly apply ACLs:
|
||
</p>
|
||
<pre class="programlisting">
|
||
// Set up an ACL named "bogusnets" that will block
|
||
// RFC1918 space and some reserved space, which is
|
||
// commonly used in spoofing attacks.
|
||
acl bogusnets {
|
||
0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
|
||
224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12;
|
||
192.168.0.0/16;
|
||
};
|
||
|
||
// Set up an ACL called our-nets. Replace this with the
|
||
// real IP numbers.
|
||
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
|
||
options {
|
||
...
|
||
...
|
||
allow-query { our-nets; };
|
||
allow-recursion { our-nets; };
|
||
...
|
||
blackhole { bogusnets; };
|
||
...
|
||
};
|
||
|
||
zone "example.com" {
|
||
type master;
|
||
file "m/example.com";
|
||
allow-query { any; };
|
||
};
|
||
</pre>
|
||
<p>
|
||
This allows recursive queries of the server from the outside
|
||
unless recursion has been previously disabled.
|
||
</p>
|
||
<p>
|
||
For more information on how to use ACLs to protect your server,
|
||
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
|
||
</p>
|
||
<p>
|
||
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
|
||
</p>
|
||
</div>
|
||
<div class="sect1" lang="en">
|
||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||
<a name="id2602626"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
|
||
</h2></div></div></div>
|
||
<p>
|
||
On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
|
||
in a <span class="emphasis"><em>chrooted</em></span> environment (using
|
||
the <span><strong class="command">chroot()</strong></span> function) by specifying
|
||
the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
|
||
This can help improve system security by placing
|
||
<acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
|
||
the damage done if a server is compromised.
|
||
</p>
|
||
<p>
|
||
Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
|
||
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
|
||
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
|
||
</p>
|
||
<p>
|
||
Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
|
||
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
|
||
user 202:
|
||
</p>
|
||
<p>
|
||
<strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
|
||
</p>
|
||
<div class="sect2" lang="en">
|
||
<div class="titlepage"><div><div><h3 class="title">
|
||
<a name="id2602707"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
|
||
<p>
|
||
In order for a <span><strong class="command">chroot</strong></span> environment
|
||
to
|
||
work properly in a particular directory
|
||
(for example, <code class="filename">/var/named</code>),
|
||
you will need to set up an environment that includes everything
|
||
<acronym class="acronym">BIND</acronym> needs to run.
|
||
From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
|
||
the root of the filesystem. You will need to adjust the values of
|
||
options like
|
||
like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
|
||
for this.
|
||
</p>
|
||
<p>
|
||
Unlike with earlier versions of BIND, you typically will
|
||
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
|
||
statically nor install shared libraries under the new root.
|
||
However, depending on your operating system, you may need
|
||
to set up things like
|
||
<code class="filename">/dev/zero</code>,
|
||
<code class="filename">/dev/random</code>,
|
||
<code class="filename">/dev/log</code>, and
|
||
<code class="filename">/etc/localtime</code>.
|
||
</p>
|
||
</div>
|
||
<div class="sect2" lang="en">
|
||
<div class="titlepage"><div><div><h3 class="title">
|
||
<a name="id2602766"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
|
||
<p>
|
||
Prior to running the <span><strong class="command">named</strong></span> daemon,
|
||
use
|
||
the <span><strong class="command">touch</strong></span> utility (to change file
|
||
access and
|
||
modification times) or the <span><strong class="command">chown</strong></span>
|
||
utility (to
|
||
set the user id and/or group id) on files
|
||
to which you want <acronym class="acronym">BIND</acronym>
|
||
to write.
|
||
</p>
|
||
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
|
||
<h3 class="title">Note</h3>
|
||
Note that if the <span><strong class="command">named</strong></span> daemon is running as an
|
||
unprivileged user, it will not be able to bind to new restricted
|
||
ports if the server is reloaded.
|
||
</div>
|
||
</div>
|
||
</div>
|
||
<div class="sect1" lang="en">
|
||
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
|
||
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
|
||
<p>
|
||
Access to the dynamic
|
||
update facility should be strictly limited. In earlier versions of
|
||
<acronym class="acronym">BIND</acronym>, the only way to do this was
|
||
based on the IP
|
||
address of the host requesting the update, by listing an IP address
|
||
or
|
||
network prefix in the <span><strong class="command">allow-update</strong></span>
|
||
zone option.
|
||
This method is insecure since the source address of the update UDP
|
||
packet
|
||
is easily forged. Also note that if the IP addresses allowed by the
|
||
<span><strong class="command">allow-update</strong></span> option include the
|
||
address of a slave
|
||
server which performs forwarding of dynamic updates, the master can
|
||
be
|
||
trivially attacked by sending the update to the slave, which will
|
||
forward it to the master with its own source IP address causing the
|
||
master to approve it without question.
|
||
</p>
|
||
<p>
|
||
For these reasons, we strongly recommend that updates be
|
||
cryptographically authenticated by means of transaction signatures
|
||
(TSIG). That is, the <span><strong class="command">allow-update</strong></span>
|
||
option should
|
||
list only TSIG key names, not IP addresses or network
|
||
prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
|
||
option can be used.
|
||
</p>
|
||
<p>
|
||
Some sites choose to keep all dynamically-updated DNS data
|
||
in a subdomain and delegate that subdomain to a separate zone. This
|
||
way, the top-level zone containing critical data such as the IP
|
||
addresses
|
||
of public web and mail servers need not allow dynamic update at
|
||
all.
|
||
</p>
|
||
</div>
|
||
</div>
|
||
<div class="navfooter">
|
||
<hr>
|
||
<table width="100%" summary="Navigation footer">
|
||
<tr>
|
||
<td width="40%" align="left">
|
||
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
|
||
<td width="20%" align="center"> </td>
|
||
<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
|
||
</td>
|
||
</tr>
|
||
<tr>
|
||
<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
|
||
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
|
||
<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
|
||
</tr>
|
||
</table>
|
||
</div>
|
||
</body>
|
||
</html>
|