1 .. Copyright (C) Internet Systems Consortium, Inc. ("ISC") 2 .. 3 .. SPDX-License-Identifier: MPL-2.0 4 .. 5 .. This Source Code Form is subject to the terms of the Mozilla Public 6 .. License, v. 2.0. If a copy of the MPL was not distributed with this 7 .. file, you can obtain one at https://mozilla.org/MPL/2.0/. 8 .. 9 .. See the COPYRIGHT file distributed with this work for additional 10 .. information regarding copyright ownership. 11 12 .. _security: 13 14 Security Configurations 15 ======================= 16 17 Security Assumptions 18 -------------------- 19 BIND 9's design assumes that access to the objects listed below is limited only to 20 trusted parties. An incorrect deployment, which does not follow rules set by this 21 section, cannot be the basis for CVE assignment or special security-sensitive 22 handling of issues. 23 24 Unauthorized access can potentially disclose sensitive data, slow down server 25 operation, etc. Unauthorized, unexpected, or incorrect writes to any of the following listed objects 26 can potentially cause crashes, incorrect data handling, or corruption: 27 28 - All files stored on disk - including zone files, configuration files, key 29 files, temporary files, etc. 30 - Clients communicating via the :any:`controls` socket using configured keys 31 - Access to :any:`statistics-channels` from untrusted clients 32 - Sockets used for :any:`update-policy` type `external` 33 34 Certain aspects of the DNS protocol are left unspecified, such as the handling of 35 responses from DNS servers which do not fully conform to the DNS protocol. For 36 such a situation, BIND implements its own safety checks and limits which are 37 subject to change as the protocol and deployment evolve. 38 39 Authoritative Servers 40 ~~~~~~~~~~~~~~~~~~~~~ 41 By default, zones use intentionally lenient limits (unlimited size, long 42 transfer timeouts, etc.). These defaults can be misused by the source of data 43 (zone transfers or UPDATEs) to exhaust resources on the receiving side. 44 45 The impact of malicious zone changes can be limited, to an extent, using 46 configuration options listed in sections :ref:`server_resource_limits` and 47 :ref:`zone_transfers`. Limits should also be applied to zones where malicious clients may potentially be authorized to use :ref:`dynamic_update`. 48 49 DNS Resolvers 50 ~~~~~~~~~~~~~ 51 By definition, DNS resolvers act as traffic amplifiers; 52 during normal operation, a DNS resolver can legitimately generate more outgoing 53 traffic (counted in packets or bytes) than the incoming client traffic that 54 triggered it. The DNS protocol specification does not currently specify limits 55 for this amplification, but BIND implements its own limits to balance 56 interoperability and safety. As a general rule, if a traffic amplification factor 57 for any given scenario is lower than 100 packets, ISC does not handle the given 58 scenario as a security issue. These limits are subject to change as DNS 59 deployment evolves. 60 61 All DNS answers received by the DNS resolver are treated as untrusted input and are 62 subject to safety and correctness checks. However, protocol non-conformity 63 might cause unexpected behavior. If such unexpected behavior is limited to DNS 64 domains hosted on non-conformant servers, it is not deemed a security issue *in 65 BIND*. 66 67 .. _file_permissions: 68 69 .. _access_Control_Lists: 70 71 Access Control Lists 72 -------------------- 73 74 Access Control Lists (ACLs) are address match lists that can be set up 75 and nicknamed for future use in :any:`allow-notify`, :any:`allow-query`, 76 :any:`allow-query-on`, :any:`allow-recursion`, :any:`blackhole`, 77 :any:`allow-transfer`, :any:`match-clients`, etc. 78 79 ACLs give users finer control over who can access the 80 name server, without cluttering up configuration files with huge lists of 81 IP addresses. 82 83 It is a *good idea* to use ACLs and to control access. 84 Limiting access to the server by outside parties can help prevent 85 spoofing and denial-of-service (DoS) attacks against the server. 86 87 ACLs match clients on the basis of up to three characteristics: 1) The 88 client's IP address; 2) the TSIG or SIG(0) key that was used to sign the 89 request, if any; and 3) an address prefix encoded in an EDNS 90 Client-Subnet option, if any. 91 92 Here is an example of ACLs based on client addresses: 93 94 :: 95 96 // Set up an ACL named "bogusnets" that blocks 97 // RFC1918 space and some reserved space, which is 98 // commonly used in spoofing attacks. 99 acl bogusnets { 100 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3; 101 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16; 102 }; 103 104 // Set up an ACL called our-nets. Replace this with the 105 // real IP numbers. 106 acl our-nets { x.x.x.x/24; x.x.x.x/21; }; 107 options { 108 ... 109 ... 110 allow-query { our-nets; }; 111 allow-recursion { our-nets; }; 112 ... 113 blackhole { bogusnets; }; 114 ... 115 }; 116 117 zone "example.com" { 118 type primary; 119 file "m/example.com"; 120 allow-query { any; }; 121 }; 122 123 This allows authoritative queries for ``example.com`` from any address, 124 but recursive queries only from the networks specified in ``our-nets``, 125 and no queries at all from the networks specified in ``bogusnets``. 126 127 In addition to network addresses and prefixes, which are matched against 128 the source address of the DNS request, ACLs may include ``key`` 129 elements, which specify the name of a TSIG or SIG(0) key. 130 131 When BIND 9 is built with GeoIP support, ACLs can also be used for 132 geographic access restrictions. This is done by specifying an ACL 133 element of the form: ``geoip db database field value``. 134 135 The ``field`` parameter indicates which field to search for a match. Available fields 136 are ``country``, ``region``, ``city``, ``continent``, ``postal`` (postal code), 137 ``metro`` (metro code), ``area`` (area code), ``tz`` (timezone), ``isp``, 138 ``asnum``, and ``domain``. 139 140 ``value`` is the value to search for within the database. A string may be quoted 141 if it contains spaces or other special characters. An ``asnum`` search for 142 autonomous system number can be specified using the string "ASNNNN" or the 143 integer NNNN. If a ``country`` search is specified with a string that is two characters 144 long, it must be a standard ISO-3166-1 two-letter country code; otherwise, 145 it is interpreted as the full name of the country. Similarly, if 146 ``region`` is the search term and the string is two characters long, it is treated as a 147 standard two-letter state or province abbreviation; otherwise, it is treated as the 148 full name of the state or province. 149 150 The :any:`database` field indicates which GeoIP database to search for a match. In 151 most cases this is unnecessary, because most search fields can only be found in 152 a single database. However, searches for ``continent`` or ``country`` can be 153 answered from either the ``city`` or ``country`` databases, so for these search 154 types, specifying a :any:`database` forces the query to be answered from that 155 database and no other. If a :any:`database` is not specified, these queries 156 are first answered from the ``city`` database if it is installed, and then from the ``country`` 157 database if it is installed. Valid database names are ``country``, 158 ``city``, ``asnum``, ``isp``, and ``domain``. 159 160 Some example GeoIP ACLs: 161 162 :: 163 164 geoip country US; 165 geoip country JP; 166 geoip db country country Canada; 167 geoip region WA; 168 geoip city "San Francisco"; 169 geoip region Oklahoma; 170 geoip postal 95062; 171 geoip tz "America/Los_Angeles"; 172 geoip org "Internet Systems Consortium"; 173 174 ACLs use a "first-match" logic rather than "best-match"; if an address 175 prefix matches an ACL element, then that ACL is considered to have 176 matched even if a later element would have matched more specifically. 177 For example, the ACL ``{ 10/8; !10.0.0.1; }`` would actually match a 178 query from 10.0.0.1, because the first element indicates that the query 179 should be accepted, and the second element is ignored. 180 181 When using "nested" ACLs (that is, ACLs included or referenced within 182 other ACLs), a negative match of a nested ACL tells the containing ACL to 183 continue looking for matches. This enables complex ACLs to be 184 constructed, in which multiple client characteristics can be checked at 185 the same time. For example, to construct an ACL which allows a query 186 only when it originates from a particular network *and* only when it is 187 signed with a particular key, use: 188 189 :: 190 191 allow-query { !{ !10/8; any; }; key example; }; 192 193 Within the nested ACL, any address that is *not* in the 10/8 network 194 prefix is rejected, which terminates the processing of the ACL. 195 Any address that *is* in the 10/8 network prefix is accepted, but 196 this causes a negative match of the nested ACL, so the containing ACL 197 continues processing. The query is accepted if it is signed by 198 the key ``example``, and rejected otherwise. The ACL, then, only 199 matches when *both* conditions are true. 200 201 .. _chroot_and_setuid: 202 203 ``Chroot`` and ``Setuid`` 204 ------------------------- 205 206 On Unix servers, it is possible to run BIND in a *chrooted* environment 207 (using the ``chroot()`` function) by specifying the :option:`-t <named -t>` option for 208 :iscman:`named`. This can help improve system security by placing BIND in a 209 "sandbox," which limits the damage done if a server is compromised. 210 211 Another useful feature in the Unix version of BIND is the ability to run 212 the daemon as an unprivileged user (:option:`-u <named -u>` user). We suggest running 213 as an unprivileged user when using the ``chroot`` feature. 214 215 Here is an example command line to load BIND in a ``chroot`` sandbox, 216 ``/var/named``, and to run :iscman:`named` ``setuid`` to user 202: 217 218 ``/usr/local/sbin/named -u 202 -t /var/named`` 219 220 .. _chroot: 221 222 The ``chroot`` Environment 223 ~~~~~~~~~~~~~~~~~~~~~~~~~~ 224 225 For a ``chroot`` environment to work properly in a particular 226 directory (for example, ``/var/named``), the 227 environment must include everything BIND needs to run. From BIND's 228 point of view, ``/var/named`` is the root of the filesystem; 229 the values of options like :any:`directory` and :any:`pid-file` 230 must be adjusted to account for this. 231 232 Unlike with earlier versions of BIND, 233 :iscman:`named` does *not* typically need to be compiled statically, nor do shared libraries need to be installed under the new 234 root. However, depending on the operating system, it may be necessary to set 235 up locations such as ``/dev/zero``, ``/dev/random``, ``/dev/log``, and 236 ``/etc/localtime``. 237 238 .. _setuid: 239 240 Using the ``setuid`` Function 241 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ 242 243 Prior to running the :iscman:`named` daemon, use the ``touch`` utility (to 244 change file access and modification times) or the ``chown`` utility (to 245 set the user id and/or group id) on files where BIND should 246 write. 247 248 .. note:: 249 250 If the :iscman:`named` daemon is running as an unprivileged user, it 251 cannot bind to new restricted ports if the server is 252 reloaded. 253 254 .. _dynamic_update_security: 255 256 Dynamic Update Security 257 ----------------------- 258 259 Access to the dynamic update facility should be strictly limited. In 260 earlier versions of BIND, the only way to do this was based on the IP 261 address of the host requesting the update, by listing an IP address or 262 network prefix in the :any:`allow-update` zone option. This method is 263 insecure, since the source address of the update UDP packet is easily 264 forged. Also note that if the IP addresses allowed by the 265 :any:`allow-update` option include the address of a secondary server which 266 performs forwarding of dynamic updates, the primary can be trivially 267 attacked by sending the update to the secondary, which forwards it to 268 the primary with its own source IP address - causing the primary to approve 269 it without question. 270 271 For these reasons, we strongly recommend that updates be 272 cryptographically authenticated by means of transaction signatures 273 (TSIG). That is, the :any:`allow-update` option should list only TSIG key 274 names, not IP addresses or network prefixes. Alternatively, the 275 :any:`update-policy` option can be used. 276 277 Some sites choose to keep all dynamically updated DNS data in a 278 subdomain and delegate that subdomain to a separate zone. This way, the 279 top-level zone containing critical data, such as the IP addresses of 280 public web and mail servers, need not allow dynamic updates at all. 281 282 .. _sec_file_transfer: 283 284 .. _dns_over_tls: 285
Indexes created Fri Jun 19 00:25:02 UTC 2026