upstream/bind9
1
0
Fork 0
mirror of https://github.com/isc-projects/bind9.git synced 2026-06-06 11:22:04 -04:00
Code Issues Projects Releases Packages Wiki Activity Actions
bind9/doc/arm/7security.xml
Eric Luce 3827c16dce This is the initial addition of the XML version of the BIND v9 ARM. 
These files are based on the BIND v9 ARM in FrameMaker. After these
files are edited they will become the master source for the BIND v9 ARM.

Still need to include style sheets and the actual XML DocBook DTD
for those who do not have it.
2000-09-07 19:15:51 +00:00

82 lines
4.9 KiB
XML
Raw Blame History

<chapter><title><acronym>BIND</acronym> 9 Security Considerations</title>
<sect1><title id="Access_Control_Lists">Access Control Lists</title>
<para>Access Control Lists (ACLs), are address match lists that
you can set up and nickname for future use in <command>allow-query</command>, <command>allow-recursion</command>, <command>blackhole</command>, <command>allow-transfer</command>,
etc.</para>
<para>Using ACLs allows you to have finer control over who can access
your nameserver, without cluttering up your config files with huge
lists of IP addresses.</para>
<para>It is a <emphasis>good idea</emphasis> to use ACLs, and to
control access to your server. Limiting access to your server by
outside parties can help prevent spoofing and DoS attacks against
your server.</para>
<para>Here is an example of how to properly apply ACLs:</para>
<programlisting>
// Set up an ACL named "bogusnets" that will block RFC1918 space,
// which is commonly used in spoofing attacks.
acl bogusnets { 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; };
// Set up an ACL called our-nets. Replace this with the real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
...
...
allow-query { our-nets; };
allow-recursion { our-nets; };
...
blackhole { bogusnets; };
...
};
zone "example.com" {
type master;
file "m/example.com";
allow-query { any; };
};
</programlisting>
<para>This allows recursive queries of the server from the outside
unless recursion has been previously disabled.</para>
<para>For more information on how to use ACLs to protect your server,
see the <emphasis>AUSCERT</emphasis> advisory at
<ulink url="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</ulink></para></sect1>
<sect1><title><command>chroot</command> and <command>setuid</command> (for
UNIX servers)</title>
<para>On UNIX servers, it is possible to run <acronym>BIND</acronym> in a <emphasis>chrooted</emphasis> environment
(<command>chroot()</command>) by specifying the "<option>-t</option>"
option. This can help improve system security by placing <acronym>BIND</acronym> in
a "sandbox," which will limit the damage done if a server is compromised.</para>
<para>Another useful feature in the UNIX version of <acronym>BIND</acronym> is the
ability to run the daemon as a nonprivileged user ( <option>-u</option> <replaceable>user</replaceable> ).
We suggest running as a nonprivileged user when using the <command>chroot</command> feature.</para>
<para>Here is an example command line to load <acronym>BIND</acronym> in a <command>chroot()</command> sandbox,
<command>/var/named</command>, and to run <command>named</command> <command>setuid</command> to
user 202:</para>
<para><userinput>/usr/local/bin/named -u 202 -t /var/named</userinput></para>
<sect2><title>The <command>chroot</command> Environment</title>
<para>In order for a <command>chroot()</command> environment to
work properly in a particular directory (for example, <filename>/var/named</filename>),
you will need to set up an environment that includes everything
<acronym>BIND</acronym> needs to run. From <acronym>BIND</acronym>'s point of view, <filename>/var/named</filename> is
the root of the filesystem. You will need <filename>/dev/null</filename>,
and any library directories and files that <acronym>BIND</acronym> needs to run on
your system. Please consult your operating system's instructions
if you need help figuring out which library files you need to copy
over to the <command>chroot()</command> sandbox.</para>
<para>If you are running an operating system that supports static
binaries, you can also compile <acronym>BIND</acronym> statically and avoid the need
to copy system libraries over to your <command>chroot()</command> sandbox.</para></sect2>
<sect2><title>Using the <command>setuid</command> Function </title>
<para>Prior to running the <command>named</command> daemon, use
the <command>touch</command> utility (to change file access and
modification times) or the <command>chown</command> utility (to
set the user id and/or group id) on files to which you want <acronym>BIND</acronym>
to write.</para></sect2></sect1>
<sect1><title>Dynamic Updates</title>
<para>Access to the dynamic update facility should be strictly limited.
In earlier versions of <acronym>BIND</acronym> the only way to do this was based on
the IP address of the host requesting the update. <acronym>BIND9</acronym> also
supports authenticating updates cryptographically by means of transaction
signatures (TSIG). The use of TSIG is strongly recommended.</para>
<para>Some sites choose to keep all dynamically updated DNS data
in a subdomain and delegate that subdomain to a separate zone. This
way, the top-level zone containing critical data such as the IP addresses
of public web and mail servers need not allow dynamic update at
all.</para></sect1></chapter>
Reference in a new issue View git blame Copy permalink