contrib/bind9/doc/arm/Bv9ARM.ch07.html

   1 <!--
   2  - Copyright (C) 2004-2011 Internet Systems Consortium, Inc. ("ISC")
   3  - Copyright (C) 2000-2003 Internet Software Consortium.
   4  -
   5  - Permission to use, copy, modify, and/or distribute this software for any
   6  - purpose with or without fee is hereby granted, provided that the above
   7  - copyright notice and this permission notice appear in all copies.
   8  -
   9  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
  10  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
  11  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
  12  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
  13  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
  14  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
  15  - PERFORMANCE OF THIS SOFTWARE.
  16 -->
  17 <!-- $Id: Bv9ARM.ch07.html,v 1.242.8.7 2011-08-03 02:35:10 tbox Exp $ -->
  18 <html>
  19 <head>
  20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  21 <title>Chapter 7. BIND 9 Security Considerations</title>
  22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
  23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
  24 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
  25 <link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
  26 <link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
  27 </head>
  28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
  29 <div class="navheader">
  30 <table width="100%" summary="Navigation header">
  31 <tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
  32 <tr>
  33 <td width="20%" align="left">
  34 <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
  35 <th width="60%" align="center"> </th>
  36 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
  37 </td>
  38 </tr>
  39 </table>
  40 <hr>
  41 </div>
  42 <div class="chapter" lang="en">
  43 <div class="titlepage"><div><div><h2 class="title">
  44 <a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
  45 <div class="toc">
  46 <p><b>Table of Contents</b></p>
  47 <dl>
  48 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
  49 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2602996"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
  50 <dd><dl>
  51 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603077">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
  52 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603137">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
  53 </dl></dd>
  54 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
  55 </dl>
  56 </div>
  57 <div class="sect1" lang="en">
  58 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
  59 <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
  60 <p>
  61           Access Control Lists (ACLs) are address match lists that
  62           you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
  63           <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
  64           <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
  65           <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
  66           etc.
  67         </p>
  68 <p>
  69           Using ACLs allows you to have finer control over who can access
  70           your name server, without cluttering up your config files with huge
  71           lists of IP addresses.
  72         </p>
  73 <p>
  74           It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
  75           control access to your server. Limiting access to your server by
  76           outside parties can help prevent spoofing and denial of service (DoS) attacks against
  77           your server.
  78         </p>
  79 <p>
  80           Here is an example of how to properly apply ACLs:
  81         </p>
  82 <pre class="programlisting">
  83 // Set up an ACL named "bogusnets" that will block
  84 // RFC1918 space and some reserved space, which is
  85 // commonly used in spoofing attacks.
  86 acl bogusnets {
  87         0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24;
  88         224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12;
  89         192.168.0.0/16;
  90 };
  91
  92 // Set up an ACL called our-nets. Replace this with the
  93 // real IP numbers.
  94 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
  95 options {
  96   ...
  97   ...
  98   allow-query { our-nets; };
  99   allow-recursion { our-nets; };
 100   ...
 101   blackhole { bogusnets; };
 102   ...
 103 };
 104
 105 zone "example.com" {
 106   type master;
 107   file "m/example.com";
 108   allow-query { any; };
 109 };
 110 </pre>
 111 <p>
 112           This allows recursive queries of the server from the outside
 113           unless recursion has been previously disabled.
 114         </p>
 115 <p>
 116           For more information on how to use ACLs to protect your server,
 117           see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 118         </p>
 119 <p>
 120           <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
 121         </p>
 122 </div>
 123 <div class="sect1" lang="en">
 124 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 125 <a name="id2602996"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
 126 </h2></div></div></div>
 127 <p>
 128           On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
 129           in a <span class="emphasis"><em>chrooted</em></span> environment (using
 130           the <span><strong class="command">chroot()</strong></span> function) by specifying
 131           the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
 132           This can help improve system security by placing
 133           <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
 134           the damage done if a server is compromised.
 135         </p>
 136 <p>
 137           Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 138           ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
 139           We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
 140         </p>
 141 <p>
 142           Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 143           <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 144           user 202:
 145         </p>
 146 <p>
 147           <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
 148         </p>
 149 <div class="sect2" lang="en">
 150 <div class="titlepage"><div><div><h3 class="title">
 151 <a name="id2603077"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 152 <p>
 153             In order for a <span><strong class="command">chroot</strong></span> environment
 154             to
 155             work properly in a particular directory
 156             (for example, <code class="filename">/var/named</code>),
 157             you will need to set up an environment that includes everything
 158             <acronym class="acronym">BIND</acronym> needs to run.
 159             From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 160             the root of the filesystem.  You will need to adjust the values of
 161             options like
 162             like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 163             for this.
 164           </p>
 165 <p>
 166             Unlike with earlier versions of BIND, you typically will
 167             <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 168             statically nor install shared libraries under the new root.
 169             However, depending on your operating system, you may need
 170             to set up things like
 171             <code class="filename">/dev/zero</code>,
 172             <code class="filename">/dev/random</code>,
 173             <code class="filename">/dev/log</code>, and
 174             <code class="filename">/etc/localtime</code>.
 175           </p>
 176 </div>
 177 <div class="sect2" lang="en">
 178 <div class="titlepage"><div><div><h3 class="title">
 179 <a name="id2603137"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 180 <p>
 181             Prior to running the <span><strong class="command">named</strong></span> daemon,
 182             use
 183             the <span><strong class="command">touch</strong></span> utility (to change file
 184             access and
 185             modification times) or the <span><strong class="command">chown</strong></span>
 186             utility (to
 187             set the user id and/or group id) on files
 188             to which you want <acronym class="acronym">BIND</acronym>
 189             to write.
 190           </p>
 191 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 192 <h3 class="title">Note</h3>
 193             Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 194             unprivileged user, it will not be able to bind to new restricted
 195             ports if the server is reloaded.
 196           </div>
 197 </div>
 198 </div>
 199 <div class="sect1" lang="en">
 200 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
 201 <a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
 202 <p>
 203           Access to the dynamic
 204           update facility should be strictly limited.  In earlier versions of
 205           <acronym class="acronym">BIND</acronym>, the only way to do this was
 206           based on the IP
 207           address of the host requesting the update, by listing an IP address
 208           or
 209           network prefix in the <span><strong class="command">allow-update</strong></span>
 210           zone option.
 211           This method is insecure since the source address of the update UDP
 212           packet
 213           is easily forged.  Also note that if the IP addresses allowed by the
 214           <span><strong class="command">allow-update</strong></span> option include the
 215           address of a slave
 216           server which performs forwarding of dynamic updates, the master can
 217           be
 218           trivially attacked by sending the update to the slave, which will
 219           forward it to the master with its own source IP address causing the
 220           master to approve it without question.
 221         </p>
 222 <p>
 223           For these reasons, we strongly recommend that updates be
 224           cryptographically authenticated by means of transaction signatures
 225           (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
 226           option should
 227           list only TSIG key names, not IP addresses or network
 228           prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
 229           option can be used.
 230         </p>
 231 <p>
 232           Some sites choose to keep all dynamically-updated DNS data
 233           in a subdomain and delegate that subdomain to a separate zone. This
 234           way, the top-level zone containing critical data such as the IP
 235           addresses
 236           of public web and mail servers need not allow dynamic update at
 237           all.
 238         </p>
 239 </div>
 240 </div>
 241 <div class="navfooter">
 242 <hr>
 243 <table width="100%" summary="Navigation footer">
 244 <tr>
 245 <td width="40%" align="left">
 246 <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
 247 <td width="20%" align="center"> </td>
 248 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
 249 </td>
 250 </tr>
 251 <tr>
 252 <td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
 253 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
 254 <td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
 255 </tr>
 256 </table>
 257 </div>
 258 </body>
 259 </html>