summaryrefslogtreecommitdiffstats
path: root/doc/arm/security.rst
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--doc/arm/security.rst228
1 files changed, 228 insertions, 0 deletions
diff --git a/doc/arm/security.rst b/doc/arm/security.rst
new file mode 100644
index 0000000..c17643b
--- /dev/null
+++ b/doc/arm/security.rst
@@ -0,0 +1,228 @@
+.. Copyright (C) Internet Systems Consortium, Inc. ("ISC")
+..
+.. SPDX-License-Identifier: MPL-2.0
+..
+.. This Source Code Form is subject to the terms of the Mozilla Public
+.. License, v. 2.0. If a copy of the MPL was not distributed with this
+.. file, you can obtain one at https://mozilla.org/MPL/2.0/.
+..
+.. See the COPYRIGHT file distributed with this work for additional
+.. information regarding copyright ownership.
+
+.. Security:
+
+BIND 9 Security Considerations
+==============================
+
+.. _Access_Control_Lists:
+
+Access Control Lists
+--------------------
+
+Access Control Lists (ACLs) are address match lists that can be set up
+and nicknamed for future use in ``allow-notify``, ``allow-query``,
+``allow-query-on``, ``allow-recursion``, ``blackhole``,
+``allow-transfer``, ``match-clients``, etc.
+
+ACLs give users finer control over who can access the
+name server, without cluttering up configuration files with huge lists of
+IP addresses.
+
+It is a *good idea* to use ACLs, and to control access.
+Limiting access to the server by outside parties can help prevent
+spoofing and denial of service (DoS) attacks against the server.
+
+ACLs match clients on the basis of up to three characteristics: 1) The
+client's IP address; 2) the TSIG or SIG(0) key that was used to sign the
+request, if any; and 3) an address prefix encoded in an EDNS
+Client-Subnet option, if any.
+
+Here is an example of ACLs based on client addresses:
+
+::
+
+ // Set up an ACL named "bogusnets" that blocks
+ // RFC1918 space and some reserved space, which is
+ // commonly used in spoofing attacks.
+ acl bogusnets {
+ 0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
+ 10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
+ };
+
+ // Set up an ACL called our-nets. Replace this with the
+ // real IP numbers.
+ acl our-nets { x.x.x.x/24; x.x.x.x/21; };
+ options {
+ ...
+ ...
+ allow-query { our-nets; };
+ allow-recursion { our-nets; };
+ ...
+ blackhole { bogusnets; };
+ ...
+ };
+
+ zone "example.com" {
+ type primary;
+ file "m/example.com";
+ allow-query { any; };
+ };
+
+This allows authoritative queries for ``example.com`` from any address,
+but recursive queries only from the networks specified in ``our-nets``,
+and no queries at all from the networks specified in ``bogusnets``.
+
+In addition to network addresses and prefixes, which are matched against
+the source address of the DNS request, ACLs may include ``key``
+elements, which specify the name of a TSIG or SIG(0) key.
+
+When BIND 9 is built with GeoIP support, ACLs can also be used for
+geographic access restrictions. This is done by specifying an ACL
+element of the form: ``geoip db database field value``.
+
+The ``field`` parameter indicates which field to search for a match. Available fields
+are ``country``, ``region``, ``city``, ``continent``, ``postal`` (postal code),
+``metro`` (metro code), ``area`` (area code), ``tz`` (timezone), ``isp``,
+``asnum``, and ``domain``.
+
+``value`` is the value to search for within the database. A string may be quoted
+if it contains spaces or other special characters. An ``asnum`` search for
+autonomous system number can be specified using the string "ASNNNN" or the
+integer NNNN. If a ``country`` search is specified with a string that is two characters
+long, it must be a standard ISO-3166-1 two-letter country code; otherwise,
+it is interpreted as the full name of the country. Similarly, if
+``region`` is the search term and the string is two characters long, it is treated as a
+standard two-letter state or province abbreviation; otherwise, it is treated as the
+full name of the state or province.
+
+The ``database`` field indicates which GeoIP database to search for a match. In
+most cases this is unnecessary, because most search fields can only be found in
+a single database. However, searches for ``continent`` or ``country`` can be
+answered from either the ``city`` or ``country`` databases, so for these search
+types, specifying a ``database`` forces the query to be answered from that
+database and no other. If a ``database`` is not specified, these queries
+are first answered from the ``city`` database if it is installed, and then from the ``country``
+database if it is installed. Valid database names are ``country``,
+``city``, ``asnum``, ``isp``, and ``domain``.
+
+Some example GeoIP ACLs:
+
+::
+
+ geoip country US;
+ geoip country JP;
+ geoip db country country Canada;
+ geoip region WA;
+ geoip city "San Francisco";
+ geoip region Oklahoma;
+ geoip postal 95062;
+ geoip tz "America/Los_Angeles";
+ geoip org "Internet Systems Consortium";
+
+ACLs use a "first-match" logic rather than "best-match"; if an address
+prefix matches an ACL element, then that ACL is considered to have
+matched even if a later element would have matched more specifically.
+For example, the ACL ``{ 10/8; !10.0.0.1; }`` would actually match a
+query from 10.0.0.1, because the first element indicates that the query
+should be accepted, and the second element is ignored.
+
+When using "nested" ACLs (that is, ACLs included or referenced within
+other ACLs), a negative match of a nested ACL tells the containing ACL to
+continue looking for matches. This enables complex ACLs to be
+constructed, in which multiple client characteristics can be checked at
+the same time. For example, to construct an ACL which allows a query
+only when it originates from a particular network *and* only when it is
+signed with a particular key, use:
+
+::
+
+ allow-query { !{ !10/8; any; }; key example; };
+
+Within the nested ACL, any address that is *not* in the 10/8 network
+prefix is rejected, which terminates the processing of the ACL.
+Any address that *is* in the 10/8 network prefix is accepted, but
+this causes a negative match of the nested ACL, so the containing ACL
+continues processing. The query is accepted if it is signed by
+the key ``example``, and rejected otherwise. The ACL, then, only
+matches when *both* conditions are true.
+
+.. _chroot_and_setuid:
+
+``Chroot`` and ``Setuid``
+-------------------------
+
+On Unix servers, it is possible to run BIND in a *chrooted* environment
+(using the ``chroot()`` function) by specifying the ``-t`` option for
+``named``. This can help improve system security by placing BIND in a
+"sandbox," which limits the damage done if a server is compromised.
+
+Another useful feature in the Unix version of BIND is the ability to run
+the daemon as an unprivileged user (``-u`` user). We suggest running
+as an unprivileged user when using the ``chroot`` feature.
+
+Here is an example command line to load BIND in a ``chroot`` sandbox,
+``/var/named``, and to run ``named`` ``setuid`` to user 202:
+
+``/usr/local/sbin/named -u 202 -t /var/named``
+
+.. _chroot:
+
+The ``chroot`` Environment
+~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+For a ``chroot`` environment to work properly in a particular
+directory (for example, ``/var/named``), the
+environment must include everything BIND needs to run. From BIND's
+point of view, ``/var/named`` is the root of the filesystem;
+the values of options like ``directory`` and ``pid-file``
+must be adjusted to account for this.
+
+Unlike with earlier versions of BIND,
+``named`` does *not* typically need to be compiled statically, nor do shared libraries need to be installed under the new
+root. However, depending on the operating system, it may be necessary to set
+up locations such as ``/dev/zero``, ``/dev/random``, ``/dev/log``, and
+``/etc/localtime``.
+
+.. _setuid:
+
+Using the ``setuid`` Function
+~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+
+Prior to running the ``named`` daemon, use the ``touch`` utility (to
+change file access and modification times) or the ``chown`` utility (to
+set the user id and/or group id) on files where BIND should
+write.
+
+.. note::
+
+ If the ``named`` daemon is running as an unprivileged user, it
+ cannot bind to new restricted ports if the server is
+ reloaded.
+
+.. _dynamic_update_security:
+
+Dynamic Update Security
+-----------------------
+
+Access to the dynamic update facility should be strictly limited. In
+earlier versions of BIND, the only way to do this was based on the IP
+address of the host requesting the update, by listing an IP address or
+network prefix in the ``allow-update`` zone option. This method is
+insecure, since the source address of the update UDP packet is easily
+forged. Also note that if the IP addresses allowed by the
+``allow-update`` option include the address of a secondary server which
+performs forwarding of dynamic updates, the primary can be trivially
+attacked by sending the update to the secondary, which forwards it to
+the primary with its own source IP address - causing the primary to approve
+it without question.
+
+For these reasons, we strongly recommend that updates be
+cryptographically authenticated by means of transaction signatures
+(TSIG). That is, the ``allow-update`` option should list only TSIG key
+names, not IP addresses or network prefixes. Alternatively, the
+``update-policy`` option can be used.
+
+Some sites choose to keep all dynamically updated DNS data in a
+subdomain and delegate that subdomain to a separate zone. This way, the
+top-level zone containing critical data, such as the IP addresses of
+public web and mail servers, need not allow dynamic updates at all.