~ubuntu-branches/ubuntu/maverick/bind9/maverick

Viewing changes to doc/arm/Bv9ARM.ch07.html

  • Committer: Bazaar Package Importer
  • Author(s): LaMont Jones, LaMont Jones, Internet Software Consortium, Inc, localization folks
  • Date: 2008-08-02 14:20:20 UTC
  • mfrom: (1.2.1 upstream) (6.1.24 intrepid)
  • Revision ID: james.westby@ubuntu.com-20080802142020-l1hon9jy8lbbjxmg

[LaMont Jones]

* default to using resolvconf if it is installed
* fix sonames and dependencies.  Closes: #149259, #492418
* Do not build-depend libcap2-dev on non-linux.  Closes: #493392
* drop unused query-loc manpage.  Closes: #492564
* lwresd: Deliver /etc/bind directory.  Closes: #490027
* fix query-source comment in default install

[Internet Software Consortium, Inc]

* 9.5.0-P2.  Closes: #492949

[localization folks]

* l10n: Spanish debconf translation.  Closes: #492425 (Ignacio Mondino)
* l10n: Swedish debconf templates.  Closes: #491369 (Martin Ågren)
* l10n: Japanese debconf translations.  Closes: #492048 (Hideki Yamane (Debian-JP))
* l10n: Finnish translation.  Closes: #490630 (Esko Arajärvi)
* l10n: Italian debconf translations.  Closes: #492587 (Alessandro Vietta)

1
1
<!--
2
 
 - Copyright (C) 2004, 2005 Internet Systems Consortium, Inc. ("ISC")
 
2
 - Copyright (C) 2004-2008 Internet Systems Consortium, Inc. ("ISC")
3
3
 - Copyright (C) 2000-2003 Internet Software Consortium.
4
4
 - 
5
5
 - Permission to use, copy, modify, and distribute this software for any
14
14
 - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR
15
15
 - PERFORMANCE OF THIS SOFTWARE.
16
16
-->
17
 
<!-- $Id: Bv9ARM.ch07.html,v 1.50.2.9.2.24 2005/10/13 02:34:02 marka Exp $ -->
 
17
<!-- $Id: Bv9ARM.ch07.html,v 1.152.18.9 2008/05/06 01:41:46 tbox Exp $ -->
18
18
<html>
19
19
<head>
20
20
<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
21
21
<title>Chapter�7.�BIND 9 Security Considerations</title>
22
 
<meta name="generator" content="DocBook XSL Stylesheets V1.69.1">
 
22
<meta name="generator" content="DocBook XSL Stylesheets V1.71.1">
23
23
<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
24
24
<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual">
25
25
<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter�6.�BIND 9 Configuration Reference">
28
28
<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF">
29
29
<div class="navheader">
30
30
<table width="100%" summary="Navigation header">
31
 
<tr><th colspan="3" align="center">Chapter�7.�<span class="acronym">BIND</span> 9 Security Considerations</th></tr>
 
31
<tr><th colspan="3" align="center">Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr>
32
32
<tr>
33
33
<td width="20%" align="left">
34
34
<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a>�</td>
41
41
</div>
42
42
<div class="chapter" lang="en">
43
43
<div class="titlepage"><div><div><h2 class="title">
44
 
<a name="Bv9ARM.ch07"></a>Chapter�7.�<span class="acronym">BIND</span> 9 Security Considerations</h2></div></div></div>
 
44
<a name="Bv9ARM.ch07"></a>Chapter�7.�<acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div>
45
45
<div class="toc">
46
46
<p><b>Table of Contents</b></p>
47
47
<dl>
48
48
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt>
49
 
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2567222"><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
50
 
UNIX servers)</a></span></dt>
 
49
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2596516"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt>
51
50
<dd><dl>
52
 
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567366">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
53
 
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2567424">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
 
51
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2596593">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt>
 
52
<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2596652">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt>
54
53
</dl></dd>
55
54
<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt>
56
55
</dl>
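Review bot: the renamed chroot/setuid entries at new lines 49-52 still link through auto-generated anchors (id2596516, id2596593, id2596652, replacing id2567222, id2567366, id2567424), so every regeneration of the manual breaks any external deep link to that section, whereas the neighbouring sect1 entries at lines 48 and 54 use stable names (`Access_Control_Lists`, `dynamic_update_security`). Give the three chroot/setuid sections fixed ids in the DocBook source the same way (for example `chroot_and_setuid`) so the id churn stops showing up in every release diff. Dropping "(for UNIX servers)" from the title is fine as a heading, provided the body still states the UNIX scope.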
58
57
<div class="sect1" lang="en">
59
58
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
60
59
<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div>
61
 
<p>Access Control Lists (ACLs), are address match lists that
62
 
you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
63
 
<span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>,
64
 
<span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
65
 
etc.</p>
66
 
<p>Using ACLs allows you to have finer control over who can access
67
 
your name server, without cluttering up your config files with huge
68
 
lists of IP addresses.</p>
69
 
<p>It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
70
 
control access to your server. Limiting access to your server by
71
 
outside parties can help prevent spoofing and DoS attacks against
72
 
your server.</p>
73
 
<p>Here is an example of how to properly apply ACLs:</p>
 
60
<p>
 
61
          Access Control Lists (ACLs), are address match lists that
 
62
          you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>,
 
63
          <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-query-on</strong></span>,
 
64
          <span><strong class="command">allow-recursion</strong></span>, <span><strong class="command">allow-recursion-on</strong></span>,
 
65
          <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>,
 
66
          etc.
 
67
        </p>
 
68
<p>
 
69
          Using ACLs allows you to have finer control over who can access
 
70
          your name server, without cluttering up your config files with huge
 
71
          lists of IP addresses.
 
72
        </p>
 
73
<p>
 
74
          It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to
 
75
          control access to your server. Limiting access to your server by
 
76
          outside parties can help prevent spoofing and denial of service (DoS) attacks against
 
77
          your server.
 
78
        </p>
 
79
<p>
 
80
          Here is an example of how to properly apply ACLs:
 
81
        </p>
74
82
<pre class="programlisting">
75
 
// Set up an ACL named "bogusnets" that will block RFC1918 space,
76
 
// which is commonly used in spoofing attacks.
77
 
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
 
83
// Set up an ACL named "bogusnets" that will block RFC1918 space
 
84
// and some reserved space, which is commonly used in spoofing attacks.
 
85
acl bogusnets {
 
86
        0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
 
87
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
 
88
};
 
89
 
78
90
// Set up an ACL called our-nets. Replace this with the real IP numbers.
79
 
acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 
 
91
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
80
92
options {
81
93
  ...
82
94
  ...
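Review bot: the reworded comment at new lines 83-84 is now accurate (the list is RFC 1918 space plus other reserved space), but the ACL body at lines 85-88 still presents every entry as equally bogus. 0.0.0.0/8, 192.0.2.0/24 and 224.0.0.0/3 are reserved by standard (this-network, documentation, multicast and class E), and 10.0.0.0/8, 172.16.0.0/12 and 192.168.0.0/16 are RFC 1918, but 1.0.0.0/8 and 2.0.0.0/8 are merely unallocated at the time of writing; a reader who copies this into a production `blackhole` will silently drop legitimate traffic from those two /8s once they are assigned. Suggest either dropping the two /8 entries from the example or moving them into a separately named ACL with a comment saying it must be re-checked against current allocations. The whitespace-only change at old line 79 / new line 91 (trailing space removed) is fine, and `x.x.x.x` at line 91 remains a clearly marked placeholder.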
86
98
  blackhole { bogusnets; };
87
99
  ...
88
100
};
 
101
 
89
102
zone "example.com" {
90
103
  type master;
91
104
  file "m/example.com";
92
105
  allow-query { any; };
93
106
};
94
107
</pre>
95
 
<p>This allows recursive queries of the server from the outside
96
 
unless recursion has been previously disabled.</p>
97
 
<p>For more information on how to use ACLs to protect your server,
98
 
see the <span class="emphasis"><em>AUSCERT</em></span> advisory at
99
 
<a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a></p>
 
108
<p>
 
109
          This allows recursive queries of the server from the outside
 
110
          unless recursion has been previously disabled.
 
111
        </p>
 
112
<p>
 
113
          For more information on how to use ACLs to protect your server,
 
114
          see the <span class="emphasis"><em>AUSCERT</em></span> advisory at:
 
115
        </p>
 
116
<p>
 
117
          <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a>
 
118
        </p>
100
119
</div>
101
120
<div class="sect1" lang="en">
102
121
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
103
 
<a name="id2567222"></a><span><strong class="command">chroot</strong></span> and <span><strong class="command">setuid</strong></span> (for
104
 
UNIX servers)</h2></div></div></div>
105
 
<p>On UNIX servers, it is possible to run <span class="acronym">BIND</span> in a <span class="emphasis"><em>chrooted</em></span> environment
106
 
(<span><strong class="command">chroot()</strong></span>) by specifying the "<code class="option">-t</code>"
107
 
option. This can help improve system security by placing <span class="acronym">BIND</span> in
108
 
a "sandbox", which will limit the damage done if a server is compromised.</p>
109
 
<p>Another useful feature in the UNIX version of <span class="acronym">BIND</span> is the
110
 
ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
111
 
We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.</p>
112
 
<p>Here is an example command line to load <span class="acronym">BIND</span> in a <span><strong class="command">chroot()</strong></span> sandbox, 
113
 
<span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
114
 
user 202:</p>
115
 
<p><strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong></p>
 
122
<a name="id2596516"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span>
 
123
</h2></div></div></div>
 
124
<p>
 
125
          On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment
 
126
          (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>"
 
127
          option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in
 
128
          a "sandbox", which will limit the damage done if a server is
 
129
          compromised.
 
130
        </p>
 
131
<p>
 
132
          Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the
 
133
          ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ).
 
134
          We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature.
 
135
        </p>
 
136
<p>
 
137
          Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox,
 
138
          <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to
 
139
          user 202:
 
140
        </p>
 
141
<p>
 
142
          <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong>
 
143
        </p>
116
144
<div class="sect2" lang="en">
117
145
<div class="titlepage"><div><div><h3 class="title">
118
 
<a name="id2567366"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
119
 
<p>In order for a <span><strong class="command">chroot()</strong></span> environment to
120
 
work properly in a particular directory
121
 
(for example, <code class="filename">/var/named</code>),
122
 
you will need to set up an environment that includes everything
123
 
<span class="acronym">BIND</span> needs to run.
124
 
From <span class="acronym">BIND</span>'s point of view, <code class="filename">/var/named</code> is
125
 
the root of the filesystem.  You will need to adjust the values of options like
126
 
like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
127
 
for this.
128
 
</p>
129
 
<p>
130
 
Unlike with earlier versions of BIND, you will typically
131
 
<span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
132
 
statically nor install shared libraries under the new root.
133
 
However, depending on your operating system, you may need
134
 
to set up things like
135
 
<code class="filename">/dev/zero</code>,
136
 
<code class="filename">/dev/random</code>,
137
 
<code class="filename">/dev/log</code>, and/or
138
 
<code class="filename">/etc/localtime</code>.
139
 
</p>
 
146
<a name="id2596593"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div>
 
147
<p>
 
148
            In order for a <span><strong class="command">chroot</strong></span> environment
 
149
            to
 
150
            work properly in a particular directory
 
151
            (for example, <code class="filename">/var/named</code>),
 
152
            you will need to set up an environment that includes everything
 
153
            <acronym class="acronym">BIND</acronym> needs to run.
 
154
            From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is
 
155
            the root of the filesystem.  You will need to adjust the values of
 
156
            options like
 
157
            like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account
 
158
            for this.
 
159
          </p>
 
160
<p>
 
161
            Unlike with earlier versions of BIND, you typically will
 
162
            <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span>
 
163
            statically nor install shared libraries under the new root.
 
164
            However, depending on your operating system, you may need
 
165
            to set up things like
 
166
            <code class="filename">/dev/zero</code>,
 
167
            <code class="filename">/dev/random</code>,
 
168
            <code class="filename">/dev/log</code>, and
 
169
            <code class="filename">/etc/localtime</code>.
 
170
          </p>
140
171
</div>
141
172
<div class="sect2" lang="en">
142
173
<div class="titlepage"><div><div><h3 class="title">
143
 
<a name="id2567424"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
144
 
<p>Prior to running the <span><strong class="command">named</strong></span> daemon, use
145
 
the <span><strong class="command">touch</strong></span> utility (to change file access and
146
 
modification times) or the <span><strong class="command">chown</strong></span> utility (to
147
 
set the user id and/or group id) on files
148
 
to which you want <span class="acronym">BIND</span>
149
 
to write.  Note that if the <span><strong class="command">named</strong></span> daemon is running as an
150
 
unprivileged user, it will not be able to bind to new restricted ports if the
151
 
server is reloaded.</p>
 
174
<a name="id2596652"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div>
 
175
<p>
 
176
            Prior to running the <span><strong class="command">named</strong></span> daemon,
 
177
            use
 
178
            the <span><strong class="command">touch</strong></span> utility (to change file
 
179
            access and
 
180
            modification times) or the <span><strong class="command">chown</strong></span>
 
181
            utility (to
 
182
            set the user id and/or group id) on files
 
183
            to which you want <acronym class="acronym">BIND</acronym>
 
184
            to write.
 
185
          </p>
 
186
<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;">
 
187
<h3 class="title">Note</h3>
 
188
            Note that if the <span><strong class="command">named</strong></span> daemon is running as an
 
189
            unprivileged user, it will not be able to bind to new restricted
 
190
            ports if the server is reloaded.
 
191
          </div>
152
192
</div>
153
193
</div>
154
194
<div class="sect1" lang="en">
155
195
<div class="titlepage"><div><div><h2 class="title" style="clear: both">
156
196
<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div>
157
 
<p>Access to the dynamic
158
 
update facility should be strictly limited.  In earlier versions of
159
 
<span class="acronym">BIND</span> the only way to do this was based on the IP
160
 
address of the host requesting the update, by listing an IP address or
161
 
network prefix in the <span><strong class="command">allow-update</strong></span> zone option.
162
 
This method is insecure since the source address of the update UDP packet
163
 
is easily forged.  Also note that if the IP addresses allowed by the
164
 
<span><strong class="command">allow-update</strong></span> option include the address of a slave
165
 
server which performs forwarding of dynamic updates, the master can be
166
 
trivially attacked by sending the update to the slave, which will
167
 
forward it to the master with its own source IP address causing the
168
 
master to approve it without question.</p>
169
 
<p>For these reasons, we strongly recommend that updates be
170
 
cryptographically authenticated by means of transaction signatures
171
 
(TSIG).  That is, the <span><strong class="command">allow-update</strong></span> option should
172
 
list only TSIG key names, not IP addresses or network
173
 
prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
174
 
option can be used.</p>
175
 
<p>Some sites choose to keep all dynamically updated DNS data
176
 
in a subdomain and delegate that subdomain to a separate zone. This
177
 
way, the top-level zone containing critical data such as the IP addresses
178
 
of public web and mail servers need not allow dynamic update at
179
 
all.</p>
 
197
<p>
 
198
          Access to the dynamic
 
199
          update facility should be strictly limited.  In earlier versions of
 
200
          <acronym class="acronym">BIND</acronym>, the only way to do this was
 
201
          based on the IP
 
202
          address of the host requesting the update, by listing an IP address
 
203
          or
 
204
          network prefix in the <span><strong class="command">allow-update</strong></span>
 
205
          zone option.
 
206
          This method is insecure since the source address of the update UDP
 
207
          packet
 
208
          is easily forged.  Also note that if the IP addresses allowed by the
 
209
          <span><strong class="command">allow-update</strong></span> option include the
 
210
          address of a slave
 
211
          server which performs forwarding of dynamic updates, the master can
 
212
          be
 
213
          trivially attacked by sending the update to the slave, which will
 
214
          forward it to the master with its own source IP address causing the
 
215
          master to approve it without question.
 
216
        </p>
 
217
<p>
 
218
          For these reasons, we strongly recommend that updates be
 
219
          cryptographically authenticated by means of transaction signatures
 
220
          (TSIG).  That is, the <span><strong class="command">allow-update</strong></span>
 
221
          option should
 
222
          list only TSIG key names, not IP addresses or network
 
223
          prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span>
 
224
          option can be used.
 
225
        </p>
 
226
<p>
 
227
          Some sites choose to keep all dynamically-updated DNS data
 
228
          in a subdomain and delegate that subdomain to a separate zone. This
 
229
          way, the top-level zone containing critical data such as the IP
 
230
          addresses
 
231
          of public web and mail servers need not allow dynamic update at
 
232
          all.
 
233
        </p>
180
234
</div>
181
235
</div>
182
236
<div class="navfooter">
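Review bot: new lines 156-157 carry the duplicated word over from old lines 125-126 ("options like / like directory and pid-file"); since the paragraph was reflowed anyway, drop one "like". Two further points in this hunk: (1) the options block at lines 92-100 elides its contents, the only displayed use of an ACL is `blackhole { bogusnets; };` at line 98, `our-nets` (defined at line 91) is not referenced in any displayed line, and the paragraph at lines 109-110 concedes that the example leaves recursion open "unless recursion has been previously disabled"; an example introduced as "how to properly apply ACLs" should show `allow-recursion { our-nets; };` and `allow-query { our-nets; };` inside the options block rather than leaving them to the elided lines. (2) Lines 223-224 still call `update-policy` "the new ... option", wording inherited from old line 173 that dates the text; say "the update-policy option" and point the reader at its configuration-reference entry. Minor: line 227 hyphenates "dynamically-updated" where old line 175 correctly had no hyphen after the -ly adverb.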
190
244
</td>
191
245
</tr>
192
246
<tr>
193
 
<td width="40%" align="left" valign="top">Chapter�6.�<span class="acronym">BIND</span> 9 Configuration Reference�</td>
 
247
<td width="40%" align="left" valign="top">Chapter�6.�<acronym class="acronym">BIND</acronym> 9 Configuration Reference�</td>
194
248
<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td>
195
249
<td width="40%" align="right" valign="top">�Chapter�8.�Troubleshooting</td>
196
250
</tr>