diff options
Diffstat (limited to 'contrib/bind9/doc/arm/Bv9ARM.ch07.html')
| -rw-r--r-- | contrib/bind9/doc/arm/Bv9ARM.ch07.html | 253 |
1 files changed, 0 insertions, 253 deletions
diff --git a/contrib/bind9/doc/arm/Bv9ARM.ch07.html b/contrib/bind9/doc/arm/Bv9ARM.ch07.html deleted file mode 100644 index 96acfe6..0000000 --- a/contrib/bind9/doc/arm/Bv9ARM.ch07.html +++ /dev/null @@ -1,253 +0,0 @@ -<!-- - - Copyright (C) 2004-2007 Internet Systems Consortium, Inc. ("ISC") - - Copyright (C) 2000-2003 Internet Software Consortium. - - - - Permission to use, copy, modify, and distribute this software for any - - purpose with or without fee is hereby granted, provided that the above - - copyright notice and this permission notice appear in all copies. - - - - THE SOFTWARE IS PROVIDED "AS IS" AND ISC DISCLAIMS ALL WARRANTIES WITH - - REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF MERCHANTABILITY - - AND FITNESS. IN NO EVENT SHALL ISC BE LIABLE FOR ANY SPECIAL, DIRECT, - - INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM - - LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE - - OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR - - PERFORMANCE OF THIS SOFTWARE. ---> -<!-- $Id: Bv9ARM.ch07.html,v 1.75.18.63 2007/10/31 01:35:59 marka Exp $ --> -<html> -<head> -<meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"> -<title>Chapter 7. BIND 9 Security Considerations</title> -<meta name="generator" content="DocBook XSL Stylesheets V1.71.1"> -<link rel="start" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> -<link rel="up" href="Bv9ARM.html" title="BIND 9 Administrator Reference Manual"> -<link rel="prev" href="Bv9ARM.ch06.html" title="Chapter 6. BIND 9 Configuration Reference"> -<link rel="next" href="Bv9ARM.ch08.html" title="Chapter 8. Troubleshooting"> -</head> -<body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"> -<div class="navheader"> -<table width="100%" summary="Navigation header"> -<tr><th colspan="3" align="center">Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</th></tr> -<tr> -<td width="20%" align="left"> -<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td> -<th width="60%" align="center"> </th> -<td width="20%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a> -</td> -</tr> -</table> -<hr> -</div> -<div class="chapter" lang="en"> -<div class="titlepage"><div><div><h2 class="title"> -<a name="Bv9ARM.ch07"></a>Chapter 7. <acronym class="acronym">BIND</acronym> 9 Security Considerations</h2></div></div></div> -<div class="toc"> -<p><b>Table of Contents</b></p> -<dl> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#Access_Control_Lists">Access Control Lists</a></span></dt> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#id2592714"><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span></a></span></dt> -<dd><dl> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592791">The <span><strong class="command">chroot</strong></span> Environment</a></span></dt> -<dt><span class="sect2"><a href="Bv9ARM.ch07.html#id2592851">Using the <span><strong class="command">setuid</strong></span> Function</a></span></dt> -</dl></dd> -<dt><span class="sect1"><a href="Bv9ARM.ch07.html#dynamic_update_security">Dynamic Update Security</a></span></dt> -</dl> -</div> -<div class="sect1" lang="en"> -<div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="Access_Control_Lists"></a>Access Control Lists</h2></div></div></div> -<p> - Access Control Lists (ACLs), are address match lists that - you can set up and nickname for future use in <span><strong class="command">allow-notify</strong></span>, - <span><strong class="command">allow-query</strong></span>, <span><strong class="command">allow-recursion</strong></span>, - <span><strong class="command">blackhole</strong></span>, <span><strong class="command">allow-transfer</strong></span>, - etc. - </p> -<p> - Using ACLs allows you to have finer control over who can access - your name server, without cluttering up your config files with huge - lists of IP addresses. - </p> -<p> - It is a <span class="emphasis"><em>good idea</em></span> to use ACLs, and to - control access to your server. Limiting access to your server by - outside parties can help prevent spoofing and denial of service (DoS) attacks against - your server. - </p> -<p> - Here is an example of how to properly apply ACLs: - </p> -<pre class="programlisting"> -// Set up an ACL named "bogusnets" that will block RFC1918 space -// and some reserved space, which is commonly used in spoofing attacks. -acl bogusnets { - 0.0.0.0/8; 1.0.0.0/8; 2.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; - 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; -}; - -// Set up an ACL called our-nets. Replace this with the real IP numbers. -acl our-nets { x.x.x.x/24; x.x.x.x/21; }; -options { - ... - ... - allow-query { our-nets; }; - allow-recursion { our-nets; }; - ... - blackhole { bogusnets; }; - ... -}; - -zone "example.com" { - type master; - file "m/example.com"; - allow-query { any; }; -}; -</pre> -<p> - This allows recursive queries of the server from the outside - unless recursion has been previously disabled. - </p> -<p> - For more information on how to use ACLs to protect your server, - see the <span class="emphasis"><em>AUSCERT</em></span> advisory at: - </p> -<p> - <a href="ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos" target="_top">ftp://ftp.auscert.org.au/pub/auscert/advisory/AL-1999.004.dns_dos</a> - </p> -</div> -<div class="sect1" lang="en"> -<div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="id2592714"></a><span><strong class="command">Chroot</strong></span> and <span><strong class="command">Setuid</strong></span> -</h2></div></div></div> -<p> - On UNIX servers, it is possible to run <acronym class="acronym">BIND</acronym> in a <span class="emphasis"><em>chrooted</em></span> environment - (using the <span><strong class="command">chroot()</strong></span> function) by specifying the "<code class="option">-t</code>" - option. This can help improve system security by placing <acronym class="acronym">BIND</acronym> in - a "sandbox", which will limit the damage done if a server is - compromised. - </p> -<p> - Another useful feature in the UNIX version of <acronym class="acronym">BIND</acronym> is the - ability to run the daemon as an unprivileged user ( <code class="option">-u</code> <em class="replaceable"><code>user</code></em> ). - We suggest running as an unprivileged user when using the <span><strong class="command">chroot</strong></span> feature. - </p> -<p> - Here is an example command line to load <acronym class="acronym">BIND</acronym> in a <span><strong class="command">chroot</strong></span> sandbox, - <span><strong class="command">/var/named</strong></span>, and to run <span><strong class="command">named</strong></span> <span><strong class="command">setuid</strong></span> to - user 202: - </p> -<p> - <strong class="userinput"><code>/usr/local/bin/named -u 202 -t /var/named</code></strong> - </p> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2592791"></a>The <span><strong class="command">chroot</strong></span> Environment</h3></div></div></div> -<p> - In order for a <span><strong class="command">chroot</strong></span> environment - to - work properly in a particular directory - (for example, <code class="filename">/var/named</code>), - you will need to set up an environment that includes everything - <acronym class="acronym">BIND</acronym> needs to run. - From <acronym class="acronym">BIND</acronym>'s point of view, <code class="filename">/var/named</code> is - the root of the filesystem. You will need to adjust the values of - options like - like <span><strong class="command">directory</strong></span> and <span><strong class="command">pid-file</strong></span> to account - for this. - </p> -<p> - Unlike with earlier versions of BIND, you typically will - <span class="emphasis"><em>not</em></span> need to compile <span><strong class="command">named</strong></span> - statically nor install shared libraries under the new root. - However, depending on your operating system, you may need - to set up things like - <code class="filename">/dev/zero</code>, - <code class="filename">/dev/random</code>, - <code class="filename">/dev/log</code>, and - <code class="filename">/etc/localtime</code>. - </p> -</div> -<div class="sect2" lang="en"> -<div class="titlepage"><div><div><h3 class="title"> -<a name="id2592851"></a>Using the <span><strong class="command">setuid</strong></span> Function</h3></div></div></div> -<p> - Prior to running the <span><strong class="command">named</strong></span> daemon, - use - the <span><strong class="command">touch</strong></span> utility (to change file - access and - modification times) or the <span><strong class="command">chown</strong></span> - utility (to - set the user id and/or group id) on files - to which you want <acronym class="acronym">BIND</acronym> - to write. - </p> -<div class="note" style="margin-left: 0.5in; margin-right: 0.5in;"> -<h3 class="title">Note</h3> - Note that if the <span><strong class="command">named</strong></span> daemon is running as an - unprivileged user, it will not be able to bind to new restricted - ports if the server is reloaded. - </div> -</div> -</div> -<div class="sect1" lang="en"> -<div class="titlepage"><div><div><h2 class="title" style="clear: both"> -<a name="dynamic_update_security"></a>Dynamic Update Security</h2></div></div></div> -<p> - Access to the dynamic - update facility should be strictly limited. In earlier versions of - <acronym class="acronym">BIND</acronym>, the only way to do this was - based on the IP - address of the host requesting the update, by listing an IP address - or - network prefix in the <span><strong class="command">allow-update</strong></span> - zone option. - This method is insecure since the source address of the update UDP - packet - is easily forged. Also note that if the IP addresses allowed by the - <span><strong class="command">allow-update</strong></span> option include the - address of a slave - server which performs forwarding of dynamic updates, the master can - be - trivially attacked by sending the update to the slave, which will - forward it to the master with its own source IP address causing the - master to approve it without question. - </p> -<p> - For these reasons, we strongly recommend that updates be - cryptographically authenticated by means of transaction signatures - (TSIG). That is, the <span><strong class="command">allow-update</strong></span> - option should - list only TSIG key names, not IP addresses or network - prefixes. Alternatively, the new <span><strong class="command">update-policy</strong></span> - option can be used. - </p> -<p> - Some sites choose to keep all dynamically-updated DNS data - in a subdomain and delegate that subdomain to a separate zone. This - way, the top-level zone containing critical data such as the IP - addresses - of public web and mail servers need not allow dynamic update at - all. - </p> -</div> -</div> -<div class="navfooter"> -<hr> -<table width="100%" summary="Navigation footer"> -<tr> -<td width="40%" align="left"> -<a accesskey="p" href="Bv9ARM.ch06.html">Prev</a> </td> -<td width="20%" align="center"> </td> -<td width="40%" align="right"> <a accesskey="n" href="Bv9ARM.ch08.html">Next</a> -</td> -</tr> -<tr> -<td width="40%" align="left" valign="top">Chapter 6. <acronym class="acronym">BIND</acronym> 9 Configuration Reference </td> -<td width="20%" align="center"><a accesskey="h" href="Bv9ARM.html">Home</a></td> -<td width="40%" align="right" valign="top"> Chapter 8. Troubleshooting</td> -</tr> -</table> -</div> -</body> -</html> |
