9. Security considerations
9.1. Access Control Lists
Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, allow-query-on, allow-recursion, allow-recursion-on, block, allow-transfer, etc.
Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses.
It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server.
Here is an example of how to properly apply ACLs:
    // Set up an ACL named "bogusnets" that will block
    // RFC1918 space and some reserved space, which is
    // commonly used in spoofing attacks.
    acl bogusnets {
        0.0.0.0/8; 192.0.2.0/24; 224.0.0.0/3;
        10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
    };
    // Set up an ACL called our-nets. Replace this with the
    // real IP numbers.
    acl our-nets { x.x.x.x/24; x.x.x.x/21; };
    options {
        ...
        ...
        allow-query { our-nets; };
        allow-recursion { our-nets; };
        ...
        block { bogusnets; };
        ...
    };
    zone "example.com" {
        type master;
        file "m/example.com";
        allow-query { any; };
    };
This allows recursive queries of the server from the outside unless recursion has been previously disabled.
9.2. chroot() and setuid()
It is possible to run named in a chroot environment (where it internally uses the chroot(2) function) by specifying the -t argument. This can help improve system security by placing named in a sandbox, which will limit the damage done if a server is compromised.
Another useful feature in Loop is the ability to run named as an unprivileged user (where it internally uses the setuid(2) function) by specifying the -u argument. We suggest running named as an unprivileged user when running in a chroot environment.
Here is an example command line to start named in a chroot sandbox /var/lib/loop, and setuid() it to user 202:
    # /usr/sbin/named -u 202 -t /var/lib/loop
9.2.1. The chroot Environment
In order for a chroot environment to work properly in a particular directory (for example, /var/lib/loop), you will need to set up an environment that includes everything Loop needs to run. From Loop's point of view, /var/lib/loop is the root of the filesystem. You will need to adjust the values of options like directory and pid-file to account for this.
Depending on your operating system, you may need to set up things like /dev/zero, /dev/random, /dev/log, and /etc/localtime.
9.2.2. Using the setuid Function
Prior to running the named daemon, use the touch utility (to change file access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want Loop to write.
Note
If the named daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded.
9.3. DNS UPDATE security
Access to the DNS UPDATE feature (dynamic updates) should be strictly controlled. Limiting access based on the IP address of the host requesting the update (by listing an IP address or network prefix in the allow-update zone option) is insecure, as the source IP address of UDP datagrams can be forged. Also, if the IP addresses allowed by the allow-update option include the address of a slave server which performs forwarding of DNS UPDATEs, the master can be trivially attacked by sending the DNS UPDATE to the slave, which will forward it to the master with its own source IP address, causing the master to approve it without question.
For these reasons, we strongly recommend that DNS UPDATEs be cryptographically authenticated only by means of transaction signatures (TSIG). That is, the allow-update option should list only TSIG key names, not IP addresses or network prefixes. Alternatively, the update-policy option can be used.
Some sites choose to keep all dynamically-updated DNS data in a subdomain, and delegate that subdomain to a separate child zone. This way, the parent zone which may contain critical data such as the IP addresses of public web and mail servers need not allow dynamic updates at all.
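As an added example (not part of the original documentation or the Loop code base), here is a small audit script that scans a named.conf fragment for the weak allow-update setting described in this section and reports every zone whose allow-update list matches on source address rather than on a TSIG key. It assumes the BIND-style allow-update and key syntax shown in this page; the configuration text and the key name dhcp-update are constructed for the example.

```python
import re

# Constructed named.conf fragment: one zone uses the forgeable address-based
# form, the other restricts updates to a TSIG key as the section recommends.
SAMPLE_CONF = """\
key "dhcp-update" {
    algorithm hmac-sha256;
    secret "c2VjcmV0LXBsYWNlaG9sZGVy";  // constructed placeholder, not a real secret
};

zone "dyn.example.com" {
    type master;
    file "m/dyn.example.com";
    allow-update { 192.0.2.0/24; 198.51.100.7; };  // address-based: forgeable
};

zone "example.com" {
    type master;
    file "m/example.com";
    allow-update { key "dhcp-update"; };  // TSIG-authenticated
};
"""

# Simplified matching for this example: zone blocks are assumed to close with
# "};" at the start of a line, and only "//" comments are stripped.
ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')
LINE_COMMENT_RE = re.compile(r'//[^\n]*')


def check_allow_update(conf_text):
    """Return (zone, element) pairs for every allow-update element that is
    not a TSIG key reference, i.e. is matched on a forgeable source IP."""
    findings = []
    stripped = LINE_COMMENT_RE.sub('', conf_text)
    for zone, body in ZONE_RE.findall(stripped):
        match = ALLOW_UPDATE_RE.search(body)
        if not match:
            continue  # zone does not accept dynamic updates at all
        for element in match.group(1).split(';'):
            element = element.strip()
            # Only "key <name>" is authenticated by TSIG. An address, a
            # prefix, "any", or an ACL name (which resolves to addresses) is
            # conservatively reported as address-based.
            if element and not element.startswith('key '):
                findings.append((zone, element))
    return findings


if __name__ == '__main__':
    for zone, element in check_allow_update(SAMPLE_CONF):
        print(f'zone "{zone}": allow-update permits {element} by source address')
```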
9.4. Control channel security
Control channel communications between rndc and named are cryptographically authenticated using HMACs to protect against unauthorized modification, but they are transmitted in the clear. Encryption is not currently used to hide control channel communications from interception. Depending on your requirements, an encrypted transport such as IPsec or WireGuard may be used when transmitting control channel communications over the public internet.