UNIX System Administration Handbook - Evi Nemeth [276]
Table 16.10 Security features in named.conf
named can run in a chrooted environment under a nonprivileged UID, thus removing any possibility of rootly running-amok. It can use transaction signatures to control dynamic updates, and of course, it also supports the whole DNSSEC hairball. These topics are taken up in the next few sections.
Access control lists revisited
ACLs are named address match lists that can appear as arguments to statements such as allow-query, allow-transfer, and blackhole. ACLs can help with two major DNS security issues: spoofing and denial of service attacks. Their basic syntax was described on page 422.
Every site should at least have one ACL for bogus addresses and one ACL for local addresses. For example:
acl bogusnets { // ACL for bogus networks
0.0.0.0/8 ; // default, wild card addresses
169.254.0.0/16 ; // link-local delegated addresses
192.0.2.0/24 ; // sample addresses, like example.com
224.0.0.0/3 ; // multicast address space
10.0.0.0/8 ; // private address space (RFC1918)
172.16.0.0/12 ; // private address space (RFC1918)
192.168.0.0/16 ; // private address space (RFC1918)
} ;
acl cunets { // ACL for University of Colorado networks
128.138.0.0/16 ; // main campus network
198.11.16/24 ;
204.228.69/24 ;
};
In the global options section of your config file, you could then include
allow-recursion { cunets; } ;
blackhole { bogusnets; } ;
It’s also a good idea to restrict zone transfers to legitimate slave servers. An ACL makes things nice and tidy.
acl ourslaves {
128.138.242.1 ; // anchor
...
} ;
acl measurements {
128.9.160.157 ; // Bill Manning's measurements
198.32.4.0/24 ; // Bill Manning's measurements
192.5.5.0/24 ; // Mark Lottor's measurements
} ;
The actual restriction is implemented with a line such as:
allow-transfer { ourslaves; measurements; } ;
Transfers are limited to our own slave servers and to the machines of two Internet measurement projects that walk the reverse DNS tree to determine the size of the Internet and the percentage of misconfigured servers. Limiting transfers in this way makes it impossible for other sites to dump your entire database with nslookup, dig, or host.
For example:
% nslookup
Default Server: server-name
Address: server-IP-address
> ls cs.colorado.edu.
[server name]
*** Can't list domain cs.colorado.edu: Unspecified error
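As an added example (not from the book), here is a small Python checker that evaluates BIND-style address match lists the way named does, so you can see which clients an ACL such as cunets or blackhole { bogusnets; } would actually match before you deploy it. It assumes BIND's first-match-wins rule, ! negation, nested ACL names, the any/none keywords and the abbreviated prefix form (from BIND's own behaviour, not from this page); the named.conf text below is constructed after the ACLs shown above, with an extra campus_no_lab ACL added to show negation.

```python
import ipaddress
import re

# Constructed named.conf fragment modelled on the ACLs in the text; the
# campus_no_lab ACL is added here to show negation and a nested ACL name.
NAMED_CONF = """
acl bogusnets {            // ACL for bogus networks
    0.0.0.0/8 ;  169.254.0.0/16 ;  192.0.2.0/24 ;  224.0.0.0/3 ;
    10.0.0.0/8 ;  172.16.0.0/12 ;  192.168.0.0/16 ;
} ;
acl cunets {               // ACL for University of Colorado networks
    128.138.0.0/16 ;       // main campus network
    198.11.16/24 ;  204.228.69/24 ;   // BIND allows omitted trailing octets
};
acl campus_no_lab { !128.138.242.0/24 ; cunets ; } ;
"""

def parse_acls(text: str) -> dict:
    """Collect 'acl NAME { elem ; ... } ;' blocks as (negated, element) lists."""
    text = re.sub(r"//[^\n]*", "", text)          # drop // comments
    acls = {}
    for name, body in re.findall(r"acl\s+(\S+)\s*\{([^}]*)\}\s*;", text):
        elems = [e.strip() for e in body.split(";") if e.strip()]
        acls[name] = [(e.startswith("!"), e.lstrip("!").strip()) for e in elems]
    return acls

def to_network(spec: str) -> ipaddress.IPv4Network:
    """Expand BIND's abbreviated prefix form (198.11.16/24 -> 198.11.16.0/24)."""
    addr, _, plen = spec.partition("/")
    octets = addr.split(".") + ["0"] * (3 - addr.count("."))
    return ipaddress.ip_network(".".join(octets) + (f"/{plen}" if plen else ""), strict=False)

def acl_matches(acls: dict, name: str, client: str, depth: int = 0):
    """First match wins. True = positive match, False = negated match,
    None = no element matched (for access control, named denies on None too)."""
    if depth > 8:                                  # named rejects looping ACLs; so do we
        raise ValueError(f"ACL nesting too deep at {name}")
    ip = ipaddress.ip_address(client)
    for negated, elem in acls[name]:
        if elem in ("any", "none"):
            hit = elem == "any"
        elif elem in acls:  # nested list: a negated hit inside it counts as no match
            hit = acl_matches(acls, elem, client, depth + 1) is True
        else:
            hit = ip in to_network(elem)
        if hit:
            return not negated
    return None
```

For allow-query or allow-transfer, only a True result grants access; for blackhole, a True result means the packet is dropped.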
You should still protect your network at a lower level through router access control lists and normal security hygiene on each host. If those measures are not possible, you can refuse DNS packets except to a gateway machine that you monitor closely.
Confining named
To confine the damage that someone could do if they compromised your server, you can run named in a chrooted environment and/or run it as a nonprivileged user. The -t flag specifies the directory to chroot to, and the -u and -g flags specify the UID and GID under which to run. BIND 9 supports the -u flag, but not the -g flag. For example, the commands
# named -u 53 -g 53 -t /var/named /* BIND 8 */
# named -u 53 -t /var/named /* BIND 9 */
would start named with UID 53, GID 53 (in BIND 8 only), and a root directory of /var/named.
The chroot directory cannot be an empty directory since it must contain all the files that named normally requires in order to run: /dev/null, shared libraries, the zone files, named.conf, etc. If you can compile named to statically link its libraries, you don’t have to figure out which library files to copy to /var/named.
If hackers compromise your named, they can potentially gain access to the system as whatever user named runs as. If this user is root and you do not use a chrooted environment, such a breach can be quite destructive. Many sites don’t bother to use the -u, -g, and -t flags, but they must then be faster to upgrade than the hackers are to attack