]> CyberLeo.Net >> Repos - FreeBSD/releng/9.2.git/blob - contrib/bind9/doc/arm/Bv9ARM.ch07.html
projects / FreeBSD / releng / 9.2.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
history | raw | HEAD
- Copy stable/9 to releng/9.2 as part of the 9.2-RELEASE cycle.
[FreeBSD/releng/9.2.git] / contrib / bind9 / doc / arm / Bv9ARM.ch07.html
1 <!--
2  - Copyright (C) 2004-2012 Internet Systems Consortium, Inc. ("ISC")
3  - Copyright (C) 2000-2003 Internet Software Consortium.
4  - 
5  - Permission to use, copy, modify, and/or distribute this software for any
6  - purpose with or without fee is hereby granted, provided that the above
7  - copyright notice and this permission notice appear in all copies.
8  - 
9  - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH
10  - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY
11  - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT,
12  - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM
13  - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE
14  - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15  - PERFORMANCE OF THIS SOFTWARE.
16 -->
17 <!-- $Id$ -->
18 <html>
19 <head>
20 <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21 <title>Chapter 7. BIND 9 Security Considerations</title>
22 <meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23 <link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24 <link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
25 <link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference">
26 <link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting">
27 </head>
28 <body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29 <div class="navheader">
30 <table width="100%" summary="Navigation header">
31 <tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
32 <tr>
33 <td width="20%" align="left">
34 <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
35 <th width="60%" align="center"> </th>
36 <td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
37 </td>
38 </tr>
39 </table>
40 <hr>
41 </div>
42 <div class="chapter" lang="en">
43 <div class="titlepage"><div><div><h2 class="title">
44 <a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
45 <div class="toc">
46 <p><b>Table of Contents</b></p>
47 <dl>
48 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
49 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2603136"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
50 <dd><dl>
51 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603285">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
52 <dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2603345">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
53 </dl></dd>
54 <dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
55 </dl>
56 </div>
57 <div class="sect1" lang="en">
58 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
59 <a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
60 <p>
61           Access Control Lists (ACLs) are address match lists that
62           you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
63           <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
64           <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
65           <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
66           etc.
67         </p>
68 <p>
69           Using ACLs allows you to have finer control over who can access
70           your name server, without cluttering up your config files with huge
71           lists of IP addresses.
72         </p>
73 <p>
74           It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
75           control access to your server. Limiting access to your server by
76           outside parties can help prevent spoofing and denial of service (DoS) attacks against
77           your server.
78         </p>
79 <p>
80           Here is an example of how to properly apply ACLs:
81         </p>
82 <pre class="programlisting">
83 // Set up an ACL named "bogusnets" that will block
84 // RFC1918 space and some reserved space, which is
85 // commonly used in spoofing attacks.
86 acl bogusnets {
87         0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
88         10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
89 };
90
91 // Set up an ACL called our-nets. Replace this with the
92 // real IP numbers.
93 acl our-nets { x.x.x.x/24; x.x.x.x/21; };
94 options {
95   ...
96   ...
97   allow-query { our-nets; };
98   allow-recursion { our-nets; };
99   ...
100   blackhole { bogusnets; };
101   ...
102 };
103
104 zone "example.com" {
105   type master;
106   file "m/example.com";
107   allow-query { any; };
108 };
109 </pre>
110 <p>
111           This allows recursive queries of the server from the outside
112           unless recursion has been previously disabled.
113         </p>
114 <p>
115           For more information on how to use ACLs to protect your server,
116           see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
117         </p>
118 <p>
119           <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
120         </p>
121 </div>
122 <div class="sect1" lang="en">
123 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
124 <a name="id2603136"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
125 </h2></div></div></div>
126 <p>
127           On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym>
128           in a <span class="emphasis"><em>chrooted</em></span> environment (using
129           the <span><strong class="command">chroot()</strong></span> function) by specifying
130           the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>.
131           This can help improve system security by placing
132           <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit
133           the damage done if a server is compromised.
134         </p>
135 <p>
136           Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
137           ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
138           We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
139         </p>
140 <p>
141           Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
142           <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
143           user 202:
144         </p>
145 <p>
146           <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong>
147         </p>
148 <div class="sect2" lang="en">
149 <div class="titlepage"><div><div><h3 class="title">
150 <a name="id2603285"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
151 <p>
152             In order for a <span><strong class="command">chroot</strong></span> environment
153             to
154             work properly in a particular directory
155             (for example, <code class="filename">/var/named</code>),
156             you will need to set up an environment that includes everything
157             <acronym class="acronym">BIND</acronym> needs to run.
158             From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
159             the root of the filesystem.  You will need to adjust the values of
160             options like
161             like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
162             for this.
163           </p>
164 <p>
165             Unlike with earlier versions of BIND, you typically will
166             <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
167             statically nor install shared libraries under the new root.
168             However, depending on your operating system, you may need
169             to set up things like
170             <code class="filename">/dev/zero</code>,
171             <code class="filename">/dev/random</code>,
172             <code class="filename">/dev/log</code>, and
173             <code class="filename">/etc/localtime</code>.
174           </p>
175 </div>
176 <div class="sect2" lang="en">
177 <div class="titlepage"><div><div><h3 class="title">
178 <a name="id2603345"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
179 <p>
180             Prior to running the <span><strong class="command">named</strong></span> daemon,
181             use
182             the <span><strong class="command">touch</strong></span> utility (to change file
183             access and
184             modification times) or the <span><strong class="command">chown</strong></span>
185             utility (to
186             set the user id and/or group id) on files
187             to which you want <acronym class="acronym">BIND</acronym>
188             to write.
189           </p>
190 <div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
191 <h3 class="title">Note</h3>
192             Note that if the <span><strong class="command">named</strong></span> daemon is running as an
193             unprivileged user, it will not be able to bind to new restricted
194             ports if the server is reloaded.
195           </div>
196 </div>
197 </div>
198 <div class="sect1" lang="en">
199 <div class="titlepage"><div><div><h2 class="title" style="clear: both">
200 <a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
201 <p>
202           Access to the dynamic
203           update facility should be strictly limited.  In earlier versions of
204           <acronym class="acronym">BIND</acronym>, the only way to do this was
205           based on the IP
206           address of the host requesting the update, by listing an IP address
207           or
208           network prefix in the <span><strong class="command">allow-update</strong></span>
209           zone option.
210           This method is insecure since the source address of the update UDP
211           packet
212           is easily forged.  Also note that if the IP addresses allowed by the
213           <span><strong class="command">allow-update</strong></span> option include the
214           address of a slave
215           server which performs forwarding of dynamic updates, the master can
216           be
217           trivially attacked by sending the update to the slave, which will
218           forward it to the master with its own source IP address causing the
219           master to approve it without question.
220         </p>
221 <p>
222           For these reasons, we strongly recommend that updates be
223           cryptographically authenticated by means of transaction signatures
224           (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
225           option should
226           list only TSIG key names, not IP addresses or network
227           prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
228           option can be used.
229         </p>
230 <p>
231           Some sites choose to keep all dynamically-updated DNS data
232           in a subdomain and delegate that subdomain to a separate zone. This
233           way, the top-level zone containing critical data such as the IP
234           addresses
235           of public web and mail servers need not allow dynamic update at
236           all.
237         </p>
238 </div>
239 </div>
240 <div class="navfooter">
241 <hr>
242 <table width="100%" summary="Navigation footer">
243 <tr>
244 <td width="40%" align="left">
245 <a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td>
246 <td width="20%" align="center"> </td>
247 <td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a>
248 </td>
249 </tr>
250 <tr>
251 <td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td>
252 <td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
253 <td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td>
254 </tr>
255 </table>
256 </div>
257 </body>
258 </html>
9.2-RELEASE