diff options
Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch07.html')
| -rw-r--r-- | contrib/bind9/doc/arm/Bv9ARM.ch07.html | 500 |
1 files changed, 500 insertions, 0 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html new file mode 100644 index 000000000000..a7c470773876 --- /dev/null +++ b/contrib/bind9/doc/arm/Bv9ARM.ch07.html @@ -0,0 +1,500 @@ +<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"> +<HTML +><HEAD +><TITLE +>BIND 9 Security Considerations</TITLE +><META +NAME="GENERATOR" +CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK +REL="HOME" +TITLE="BIND 9 Administrator Reference Manual" +HREF="Bv9ARM.html"><LINK +REL="PREVIOUS" +TITLE="BIND 9 Configuration Reference" +HREF="Bv9ARM.ch06.html"><LINK +REL="NEXT" +TITLE="Troubleshooting" +HREF="Bv9ARM.ch08.html"></HEAD +><BODY +CLASS="chapter" +BGCOLOR="#FFFFFF" +TEXT="#000000" +LINK="#0000FF" +VLINK="#840084" +ALINK="#0000FF" +><DIV +CLASS="NAVHEADER" +><TABLE +SUMMARY="Header navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TH +COLSPAN="3" +ALIGN="center" +>BIND 9 Administrator Reference Manual</TH +></TR +><TR +><TD +WIDTH="10%" +ALIGN="left" +VALIGN="bottom" +><A +HREF="Bv9ARM.ch06.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="80%" +ALIGN="center" +VALIGN="bottom" +></TD +><TD +WIDTH="10%" +ALIGN="right" +VALIGN="bottom" +><A +HREF="Bv9ARM.ch08.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +></TABLE +><HR +ALIGN="LEFT" +WIDTH="100%"></DIV +><DIV +CLASS="chapter" +><H1 +><A +NAME="ch07" +></A +>Chapter 7. <ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> 9 Security Considerations</H1 +><DIV +CLASS="TOC" +><DL +><DT +><B +>Table of Contents</B +></DT +><DT +>7.1. <A +HREF="Bv9ARM.ch07.html#Access_Control_Lists" +>Access Control Lists</A +></DT +><DT +>7.2. <A +HREF="Bv9ARM.ch07.html#AEN4658" +><B +CLASS="command" +>chroot</B +> and <B +CLASS="command" +>setuid</B +> (for +UNIX servers)</A +></DT +><DT +>7.3. <A +HREF="Bv9ARM.ch07.html#dynamic_update_security" +>Dynamic Update Security</A +></DT +></DL +></DIV +><DIV +CLASS="sect1" +><H1 +CLASS="sect1" +><A +NAME="Access_Control_Lists" +>7.1. Access Control Lists</A +></H1 +><P +>Access Control Lists (ACLs), are address match lists that +you can set up and nickname for future use in <B +CLASS="command" +>allow-notify</B +>, +<B +CLASS="command" +>allow-query</B +>, <B +CLASS="command" +>allow-recursion</B +>, +<B +CLASS="command" +>blackhole</B +>, <B +CLASS="command" +>allow-transfer</B +>, +etc.</P +><P +>Using ACLs allows you to have finer control over who can access +your name server, without cluttering up your config files with huge +lists of IP addresses.</P +><P +>It is a <SPAN +CLASS="emphasis" +><I +CLASS="emphasis" +>good idea</I +></SPAN +> to use ACLs, and to +control access to your server. Limiting access to your server by +outside parties can help prevent spoofing and DoS attacks against +your server.</P +><P +>Here is an example of how to properly apply ACLs:</P +><PRE +CLASS="programlisting" +> // Set up an ACL named "bogusnets" that will block RFC1918 space, +// which is commonly used in spoofing attacks. +acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; }; +// Set up an ACL called our-nets. Replace this with the real IP numbers. +acl our-nets { x.x.x.x/24; x.x.x.x/21; }; +options { + ... + ... + allow-query { our-nets; }; + allow-recursion { our-nets; }; + ... + blackhole { bogusnets; }; + ... +}; +zone "example.com" { + type master; + file "m/example.com"; + allow-query { any; }; +}; +</PRE +><P +>This allows recursive queries of the server from the outside +unless recursion has been previously disabled.</P +><P +>For more information on how to use ACLs to protect your server, +see the <SPAN +CLASS="emphasis" +><I +CLASS="emphasis" +>AUSCERT</I +></SPAN +> advisory at +<A +HREF="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" +TARGET="_top" +>ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</A +></P +></DIV +><DIV +CLASS="sect1" +><H1 +CLASS="sect1" +><A +NAME="AEN4658" +>7.2. <B +CLASS="command" +>chroot</B +> and <B +CLASS="command" +>setuid</B +> (for +UNIX servers)</A +></H1 +><P +>On UNIX servers, it is possible to run <ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> in a <SPAN +CLASS="emphasis" +><I +CLASS="emphasis" +>chrooted</I +></SPAN +> environment +(<B +CLASS="command" +>chroot()</B +>) by specifying the "<VAR +CLASS="option" +>-t</VAR +>" +option. This can help improve system security by placing <ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> in +a "sandbox", which will limit the damage done if a server is compromised.</P +><P +>Another useful feature in the UNIX version of <ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> is the +ability to run the daemon as an unprivileged user ( <VAR +CLASS="option" +>-u</VAR +> <VAR +CLASS="replaceable" +>user</VAR +> ). +We suggest running as an unprivileged user when using the <B +CLASS="command" +>chroot</B +> feature.</P +><P +>Here is an example command line to load <ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> in a <B +CLASS="command" +>chroot()</B +> sandbox, +<B +CLASS="command" +>/var/named</B +>, and to run <B +CLASS="command" +>named</B +> <B +CLASS="command" +>setuid</B +> to +user 202:</P +><P +><KBD +CLASS="userinput" +>/usr/local/bin/named -u 202 -t /var/named</KBD +></P +><DIV +CLASS="sect2" +><H2 +CLASS="sect2" +><A +NAME="AEN4681" +>7.2.1. The <B +CLASS="command" +>chroot</B +> Environment</A +></H2 +><P +>In order for a <B +CLASS="command" +>chroot()</B +> environment to +work properly in a particular directory +(for example, <TT +CLASS="filename" +>/var/named</TT +>), +you will need to set up an environment that includes everything +<ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> needs to run. +From <ACRONYM +CLASS="acronym" +>BIND</ACRONYM +>'s point of view, <TT +CLASS="filename" +>/var/named</TT +> is +the root of the filesystem. You will need to adjust the values of options like +like <B +CLASS="command" +>directory</B +> and <B +CLASS="command" +>pid-file</B +> to account +for this. +</P +><P +> Unlike with earlier versions of BIND, you will typically +<SPAN +CLASS="emphasis" +><I +CLASS="emphasis" +>not</I +></SPAN +> need to compile <B +CLASS="command" +>named</B +> +statically nor install shared libraries under the new root. +However, depending on your operating system, you may need +to set up things like +<TT +CLASS="filename" +>/dev/zero</TT +>, +<TT +CLASS="filename" +>/dev/random</TT +>, +<TT +CLASS="filename" +>/dev/log</TT +>, and/or +<TT +CLASS="filename" +>/etc/localtime</TT +>. +</P +></DIV +><DIV +CLASS="sect2" +><H2 +CLASS="sect2" +><A +NAME="AEN4699" +>7.2.2. Using the <B +CLASS="command" +>setuid</B +> Function</A +></H2 +><P +>Prior to running the <B +CLASS="command" +>named</B +> daemon, use +the <B +CLASS="command" +>touch</B +> utility (to change file access and +modification times) or the <B +CLASS="command" +>chown</B +> utility (to +set the user id and/or group id) on files +to which you want <ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> +to write. Note that if the <B +CLASS="command" +>named</B +> daemon is running as an +unprivileged user, it will not be able to bind to new restricted ports if the +server is reloaded.</P +></DIV +></DIV +><DIV +CLASS="sect1" +><H1 +CLASS="sect1" +><A +NAME="dynamic_update_security" +>7.3. Dynamic Update Security</A +></H1 +><P +>Access to the dynamic +update facility should be strictly limited. In earlier versions of +<ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> the only way to do this was based on the IP +address of the host requesting the update, by listing an IP address or +network prefix in the <B +CLASS="command" +>allow-update</B +> zone option. +This method is insecure since the source address of the update UDP packet +is easily forged. Also note that if the IP addresses allowed by the +<B +CLASS="command" +>allow-update</B +> option include the address of a slave +server which performs forwarding of dynamic updates, the master can be +trivially attacked by sending the update to the slave, which will +forward it to the master with its own source IP address causing the +master to approve it without question.</P +><P +>For these reasons, we strongly recommend that updates be +cryptographically authenticated by means of transaction signatures +(TSIG). That is, the <B +CLASS="command" +>allow-update</B +> option should +list only TSIG key names, not IP addresses or network +prefixes. Alternatively, the new <B +CLASS="command" +>update-policy</B +> +option can be used.</P +><P +>Some sites choose to keep all dynamically updated DNS data +in a subdomain and delegate that subdomain to a separate zone. This +way, the top-level zone containing critical data such as the IP addresses +of public web and mail servers need not allow dynamic update at +all.</P +></DIV +></DIV +><DIV +CLASS="NAVFOOTER" +><HR +ALIGN="LEFT" +WIDTH="100%"><TABLE +SUMMARY="Footer navigation table" +WIDTH="100%" +BORDER="0" +CELLPADDING="0" +CELLSPACING="0" +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><A +HREF="Bv9ARM.ch06.html" +ACCESSKEY="P" +>Prev</A +></TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +><A +HREF="Bv9ARM.html" +ACCESSKEY="H" +>Home</A +></TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +><A +HREF="Bv9ARM.ch08.html" +ACCESSKEY="N" +>Next</A +></TD +></TR +><TR +><TD +WIDTH="33%" +ALIGN="left" +VALIGN="top" +><ACRONYM +CLASS="acronym" +>BIND</ACRONYM +> 9 Configuration Reference</TD +><TD +WIDTH="34%" +ALIGN="center" +VALIGN="top" +> </TD +><TD +WIDTH="33%" +ALIGN="right" +VALIGN="top" +>Troubleshooting</TD +></TR +></TABLE +></DIV +></BODY +></HTML +>
\ No newline at end of file |