1*00b67f09SDavid van Moolenbroek<!-- 2*00b67f09SDavid van Moolenbroek - Copyright (C) 2004-2015 Internet Systems Consortium, Inc. ("ISC") 3*00b67f09SDavid van Moolenbroek - Copyright (C) 2000-2003 Internet Software Consortium. 4*00b67f09SDavid van Moolenbroek - 5*00b67f09SDavid van Moolenbroek - Permission to use, copy, modify, and/or distribute this software for any 6*00b67f09SDavid van Moolenbroek - purpose with or without fee is hereby granted, provided that the above 7*00b67f09SDavid van Moolenbroek - copyright notice and this permission notice appear in all copies. 8*00b67f09SDavid van Moolenbroek - 9*00b67f09SDavid van Moolenbroek - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH 10*00b67f09SDavid van Moolenbroek - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY 11*00b67f09SDavid van Moolenbroek - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, 12*00b67f09SDavid van Moolenbroek - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM 13*00b67f09SDavid van Moolenbroek - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE 14*00b67f09SDavid van Moolenbroek - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR 15*00b67f09SDavid van Moolenbroek - PERFORMANCE OF THIS SOFTWARE. 16*00b67f09SDavid van Moolenbroek--> 17*00b67f09SDavid van Moolenbroek<!-- $Id: Bv9ARM.ch07.html,v 1.5 2015/09/03 07:33:34 christos Exp $ --> 18*00b67f09SDavid van Moolenbroek<html> 19*00b67f09SDavid van Moolenbroek<head> 20*00b67f09SDavid van Moolenbroek<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> 21*00b67f09SDavid van Moolenbroek<title>Chapter�7.�BIND 9 Security Considerations</title> 22*00b67f09SDavid van Moolenbroek<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> 23*00b67f09SDavid van Moolenbroek<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> 24*00b67f09SDavid van Moolenbroek<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> 25*00b67f09SDavid van Moolenbroek<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference"> 26*00b67f09SDavid van Moolenbroek<link rel="next" href="Bv9ARM.ch08.html" title="Chapter�8.�Troubleshooting"> 27*00b67f09SDavid van Moolenbroek</head> 28*00b67f09SDavid van Moolenbroek<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> 29*00b67f09SDavid van Moolenbroek<div class="navheader"> 30*00b67f09SDavid van Moolenbroek<table width="100%" summary="Navigation header"> 31*00b67f09SDavid van Moolenbroek<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr> 32*00b67f09SDavid van Moolenbroek<tr> 33*00b67f09SDavid van Moolenbroek<td width="20%" align="left"> 34*00b67f09SDavid van Moolenbroek<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td> 35*00b67f09SDavid van Moolenbroek<th width="60%" align="center">�</th> 36*00b67f09SDavid van Moolenbroek<td width="20%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a> 37*00b67f09SDavid van Moolenbroek</td> 38*00b67f09SDavid van Moolenbroek</tr> 39*00b67f09SDavid van Moolenbroek</table> 40*00b67f09SDavid van Moolenbroek<hr> 41*00b67f09SDavid van Moolenbroek</div> 42*00b67f09SDavid van Moolenbroek<div class="chapter" lang="en"> 43*00b67f09SDavid van Moolenbroek<div class="titlepage"><div><div><h2 class="title"> 44*00b67f09SDavid van Moolenbroek<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div> 45*00b67f09SDavid van Moolenbroek<div class="toc"> 46*00b67f09SDavid van Moolenbroek<p><b>Table of Contents</b></p> 47*00b67f09SDavid van Moolenbroek<dl> 48*00b67f09SDavid van Moolenbroek<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> 49*00b67f09SDavid van Moolenbroek<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2606376"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> 50*00b67f09SDavid van Moolenbroek<dd><dl> 51*00b67f09SDavid van Moolenbroek<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2606457">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> 52*00b67f09SDavid van Moolenbroek<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2606517">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> 53*00b67f09SDavid van Moolenbroek</dl></dd> 54*00b67f09SDavid van Moolenbroek<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> 55*00b67f09SDavid van Moolenbroek</dl> 56*00b67f09SDavid van Moolenbroek</div> 57*00b67f09SDavid van Moolenbroek<div class="sect1" lang="en"> 58*00b67f09SDavid van Moolenbroek<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 59*00b67f09SDavid van Moolenbroek<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div> 60*00b67f09SDavid van Moolenbroek<p> 61*00b67f09SDavid van Moolenbroek Access Control Lists (ACLs) are address match lists that 62*00b67f09SDavid van Moolenbroek you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>, 63*00b67f09SDavid van Moolenbroek <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>, 64*00b67f09SDavid van Moolenbroek <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>, 65*00b67f09SDavid van Moolenbroek <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>, 66*00b67f09SDavid van Moolenbroek etc. 67*00b67f09SDavid van Moolenbroek </p> 68*00b67f09SDavid van Moolenbroek<p> 69*00b67f09SDavid van Moolenbroek Using ACLs allows you to have finer control over who can access 70*00b67f09SDavid van Moolenbroek your name server, without cluttering up your config files with huge 71*00b67f09SDavid van Moolenbroek lists of IP addresses. 72*00b67f09SDavid van Moolenbroek </p> 73*00b67f09SDavid van Moolenbroek<p> 74*00b67f09SDavid van Moolenbroek It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to 75*00b67f09SDavid van Moolenbroek control access to your server. Limiting access to your server by 76*00b67f09SDavid van Moolenbroek outside parties can help prevent spoofing and denial of service (DoS) attacks against 77*00b67f09SDavid van Moolenbroek your server. 78*00b67f09SDavid van Moolenbroek </p> 79*00b67f09SDavid van Moolenbroek<p> 80*00b67f09SDavid van Moolenbroek Here is an example of how to properly apply ACLs: 81*00b67f09SDavid van Moolenbroek </p> 82*00b67f09SDavid van Moolenbroek<pre class="programlisting"> 83*00b67f09SDavid van Moolenbroek// Set up an ACL named "bogusnets" that will block 84*00b67f09SDavid van Moolenbroek// RFC1918 space and some reserved space, which is 85*00b67f09SDavid van Moolenbroek// commonly used in spoofing attacks. 86*00b67f09SDavid van Moolenbroekacl bogusnets { 87*00b67f09SDavid van Moolenbroek 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 88*00b67f09SDavid van Moolenbroek 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 89*00b67f09SDavid van Moolenbroek}; 90*00b67f09SDavid van Moolenbroek 91*00b67f09SDavid van Moolenbroek// Set up an ACL called our-nets. Replace this with the 92*00b67f09SDavid van Moolenbroek// real IP numbers. 93*00b67f09SDavid van Moolenbroekacl our-nets { x.x.x.x/24; x.x.x.x/21; }; 94*00b67f09SDavid van Moolenbroekoptions { 95*00b67f09SDavid van Moolenbroek ... 96*00b67f09SDavid van Moolenbroek ... 97*00b67f09SDavid van Moolenbroek allow-query { our-nets; }; 98*00b67f09SDavid van Moolenbroek allow-recursion { our-nets; }; 99*00b67f09SDavid van Moolenbroek ... 100*00b67f09SDavid van Moolenbroek blackhole { bogusnets; }; 101*00b67f09SDavid van Moolenbroek ... 102*00b67f09SDavid van Moolenbroek}; 103*00b67f09SDavid van Moolenbroek 104*00b67f09SDavid van Moolenbroekzone "example.com" { 105*00b67f09SDavid van Moolenbroek type master; 106*00b67f09SDavid van Moolenbroek file "m/example.com"; 107*00b67f09SDavid van Moolenbroek allow-query { any; }; 108*00b67f09SDavid van Moolenbroek}; 109*00b67f09SDavid van Moolenbroek</pre> 110*00b67f09SDavid van Moolenbroek<p> 111*00b67f09SDavid van Moolenbroek This allows recursive queries of the server from the outside 112*00b67f09SDavid van Moolenbroek unless recursion has been previously disabled. 113*00b67f09SDavid van Moolenbroek </p> 114*00b67f09SDavid van Moolenbroek</div> 115*00b67f09SDavid van Moolenbroek<div class="sect1" lang="en"> 116*00b67f09SDavid van Moolenbroek<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 117*00b67f09SDavid van Moolenbroek<a name="id2606376"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> 118*00b67f09SDavid van Moolenbroek</h2></div></div></div> 119*00b67f09SDavid van Moolenbroek<p> 120*00b67f09SDavid van Moolenbroek On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> 121*00b67f09SDavid van Moolenbroek in a <span class="emphasis"><em>chrooted</em></span> environment (using 122*00b67f09SDavid van Moolenbroek the <span><strong class="command">chroot()</strong></span> function) by specifying 123*00b67f09SDavid van Moolenbroek the "<code class="option">-t</code>" option for <span><strong class="command">named</strong></span>. 124*00b67f09SDavid van Moolenbroek This can help improve system security by placing 125*00b67f09SDavid van Moolenbroek <acronym class="acronym">BIND</acronym> in a "sandbox", which will limit 126*00b67f09SDavid van Moolenbroek the damage done if a server is compromised. 127*00b67f09SDavid van Moolenbroek </p> 128*00b67f09SDavid van Moolenbroek<p> 129*00b67f09SDavid van Moolenbroek Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the 130*00b67f09SDavid van Moolenbroek ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ). 131*00b67f09SDavid van Moolenbroek We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature. 132*00b67f09SDavid van Moolenbroek </p> 133*00b67f09SDavid van Moolenbroek<p> 134*00b67f09SDavid van Moolenbroek Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox, 135*00b67f09SDavid van Moolenbroek <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to 136*00b67f09SDavid van Moolenbroek user 202: 137*00b67f09SDavid van Moolenbroek </p> 138*00b67f09SDavid van Moolenbroek<p> 139*00b67f09SDavid van Moolenbroek <strong class="userinput"><code>/usr/local/sbin/named -u 202 -t /var/named</code></strong> 140*00b67f09SDavid van Moolenbroek </p> 141*00b67f09SDavid van Moolenbroek<div class="sect2" lang="en"> 142*00b67f09SDavid van Moolenbroek<div class="titlepage"><div><div><h3 class="title"> 143*00b67f09SDavid van Moolenbroek<a name="id2606457"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div> 144*00b67f09SDavid van Moolenbroek<p> 145*00b67f09SDavid van Moolenbroek In order for a <span><strong class="command">chroot</strong></span> environment 146*00b67f09SDavid van Moolenbroek to 147*00b67f09SDavid van Moolenbroek work properly in a particular directory 148*00b67f09SDavid van Moolenbroek (for example, <code class="filename">/var/named</code>), 149*00b67f09SDavid van Moolenbroek you will need to set up an environment that includes everything 150*00b67f09SDavid van Moolenbroek <acronym class="acronym">BIND</acronym> needs to run. 151*00b67f09SDavid van Moolenbroek From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is 152*00b67f09SDavid van Moolenbroek the root of the filesystem. You will need to adjust the values of 153*00b67f09SDavid van Moolenbroek options like 154*00b67f09SDavid van Moolenbroek like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account 155*00b67f09SDavid van Moolenbroek for this. 156*00b67f09SDavid van Moolenbroek </p> 157*00b67f09SDavid van Moolenbroek<p> 158*00b67f09SDavid van Moolenbroek Unlike with earlier versions of BIND, you typically will 159*00b67f09SDavid van Moolenbroek <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span> 160*00b67f09SDavid van Moolenbroek statically nor install shared libraries under the new root. 161*00b67f09SDavid van Moolenbroek However, depending on your operating system, you may need 162*00b67f09SDavid van Moolenbroek to set up things like 163*00b67f09SDavid van Moolenbroek <code class="filename">/dev/zero</code>, 164*00b67f09SDavid van Moolenbroek <code class="filename">/dev/random</code>, 165*00b67f09SDavid van Moolenbroek <code class="filename">/dev/log</code>, and 166*00b67f09SDavid van Moolenbroek <code class="filename">/etc/localtime</code>. 167*00b67f09SDavid van Moolenbroek </p> 168*00b67f09SDavid van Moolenbroek</div> 169*00b67f09SDavid van Moolenbroek<div class="sect2" lang="en"> 170*00b67f09SDavid van Moolenbroek<div class="titlepage"><div><div><h3 class="title"> 171*00b67f09SDavid van Moolenbroek<a name="id2606517"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div> 172*00b67f09SDavid van Moolenbroek<p> 173*00b67f09SDavid van Moolenbroek Prior to running the <span><strong class="command">named</strong></span> daemon, 174*00b67f09SDavid van Moolenbroek use 175*00b67f09SDavid van Moolenbroek the <span><strong class="command">touch</strong></span> utility (to change file 176*00b67f09SDavid van Moolenbroek access and 177*00b67f09SDavid van Moolenbroek modification times) or the <span><strong class="command">chown</strong></span> 178*00b67f09SDavid van Moolenbroek utility (to 179*00b67f09SDavid van Moolenbroek set the user id and/or group id) on files 180*00b67f09SDavid van Moolenbroek to which you want <acronym class="acronym">BIND</acronym> 181*00b67f09SDavid van Moolenbroek to write. 182*00b67f09SDavid van Moolenbroek </p> 183*00b67f09SDavid van Moolenbroek<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> 184*00b67f09SDavid van Moolenbroek<h3 class="title">Note</h3> 185*00b67f09SDavid van Moolenbroek Note that if the <span><strong class="command">named</strong></span> daemon is running as an 186*00b67f09SDavid van Moolenbroek unprivileged user, it will not be able to bind to new restricted 187*00b67f09SDavid van Moolenbroek ports if the server is reloaded. 188*00b67f09SDavid van Moolenbroek </div> 189*00b67f09SDavid van Moolenbroek</div> 190*00b67f09SDavid van Moolenbroek</div> 191*00b67f09SDavid van Moolenbroek<div class="sect1" lang="en"> 192*00b67f09SDavid van Moolenbroek<div class="titlepage"><div><div><h2 class="title" style="clear: both"> 193*00b67f09SDavid van Moolenbroek<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div> 194*00b67f09SDavid van Moolenbroek<p> 195*00b67f09SDavid van Moolenbroek Access to the dynamic 196*00b67f09SDavid van Moolenbroek update facility should be strictly limited. In earlier versions of 197*00b67f09SDavid van Moolenbroek <acronym class="acronym">BIND</acronym>, the only way to do this was 198*00b67f09SDavid van Moolenbroek based on the IP 199*00b67f09SDavid van Moolenbroek address of the host requesting the update, by listing an IP address 200*00b67f09SDavid van Moolenbroek or 201*00b67f09SDavid van Moolenbroek network prefix in the <span><strong class="command">allow-update</strong></span> 202*00b67f09SDavid van Moolenbroek zone option. 203*00b67f09SDavid van Moolenbroek This method is insecure since the source address of the update UDP 204*00b67f09SDavid van Moolenbroek packet 205*00b67f09SDavid van Moolenbroek is easily forged. Also note that if the IP addresses allowed by the 206*00b67f09SDavid van Moolenbroek <span><strong class="command">allow-update</strong></span> option include the 207*00b67f09SDavid van Moolenbroek address of a slave 208*00b67f09SDavid van Moolenbroek server which performs forwarding of dynamic updates, the master can 209*00b67f09SDavid van Moolenbroek be 210*00b67f09SDavid van Moolenbroek trivially attacked by sending the update to the slave, which will 211*00b67f09SDavid van Moolenbroek forward it to the master with its own source IP address causing the 212*00b67f09SDavid van Moolenbroek master to approve it without question. 213*00b67f09SDavid van Moolenbroek </p> 214*00b67f09SDavid van Moolenbroek<p> 215*00b67f09SDavid van Moolenbroek For these reasons, we strongly recommend that updates be 216*00b67f09SDavid van Moolenbroek cryptographically authenticated by means of transaction signatures 217*00b67f09SDavid van Moolenbroek (TSIG). That is, the <span><strong class="command">allow-update</strong></span> 218*00b67f09SDavid van Moolenbroek option should 219*00b67f09SDavid van Moolenbroek list only TSIG key names, not IP addresses or network 220*00b67f09SDavid van Moolenbroek prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span> 221*00b67f09SDavid van Moolenbroek option can be used. 222*00b67f09SDavid van Moolenbroek </p> 223*00b67f09SDavid van Moolenbroek<p> 224*00b67f09SDavid van Moolenbroek Some sites choose to keep all dynamically-updated DNS data 225*00b67f09SDavid van Moolenbroek in a subdomain and delegate that subdomain to a separate zone. This 226*00b67f09SDavid van Moolenbroek way, the top-level zone containing critical data such as the IP 227*00b67f09SDavid van Moolenbroek addresses 228*00b67f09SDavid van Moolenbroek of public web and mail servers need not allow dynamic update at 229*00b67f09SDavid van Moolenbroek all. 230*00b67f09SDavid van Moolenbroek </p> 231*00b67f09SDavid van Moolenbroek</div> 232*00b67f09SDavid van Moolenbroek</div> 233*00b67f09SDavid van Moolenbroek<div class="navfooter"> 234*00b67f09SDavid van Moolenbroek<hr> 235*00b67f09SDavid van Moolenbroek<table width="100%" summary="Navigation footer"> 236*00b67f09SDavid van Moolenbroek<tr> 237*00b67f09SDavid van Moolenbroek<td width="40%" align="left"> 238*00b67f09SDavid van Moolenbroek<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td> 239*00b67f09SDavid van Moolenbroek<td width="20%" align="center">�</td> 240*00b67f09SDavid van Moolenbroek<td width="40%" align="right">�<a accesskey="n" href="Bv9ARM.ch08.html">Next</a> 241*00b67f09SDavid van Moolenbroek</td> 242*00b67f09SDavid van Moolenbroek</tr> 243*00b67f09SDavid van Moolenbroek<tr> 244*00b67f09SDavid van Moolenbroek<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td> 245*00b67f09SDavid van Moolenbroek<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> 246*00b67f09SDavid van Moolenbroek<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td> 247*00b67f09SDavid van Moolenbroek</tr> 248*00b67f09SDavid van Moolenbroek</table> 249*00b67f09SDavid van Moolenbroek</div> 250*00b67f09SDavid van Moolenbroek<p style="text-align: center;">BIND 9.10.2-P4</p> 251*00b67f09SDavid van Moolenbroek</body> 252*00b67f09SDavid van Moolenbroek</html> 253