9. Security considerations

9.1. Access Control Lists

Access Control Lists (ACLs) are address match lists that you can set up and nickname for future use in allow-notify, allow-query, allow-query-on, allow-recursion, allow-recursion-on, block, allow-transfer, etc.

Using ACLs allows you to have finer control over who can access your name server, without cluttering up your config files with huge lists of IP addresses.

It is a good idea to use ACLs, and to control access to your server. Limiting access to your server by outside parties can help prevent spoofing and denial of service (DoS) attacks against your server.

Here is an example of how to properly apply ACLs:

// Set up an ACL named "bogusnets" that will block
// RFC1918 space and some reserved space, which is
// commonly used in spoofing attacks.
acl bogusnets {
    0.0.0.0/8;  192.0.2.0/24; 224.0.0.0/3;
    10.0.0.0/8; 172.16.0.0/12; 192.168.0.0/16;
};

// Set up an ACL called our-nets. Replace this with the
// real IP numbers.
acl our-nets { x.x.x.x/24; x.x.x.x/21; };
options {
  ...
  ...
  allow-query { our-nets; };
  allow-recursion { our-nets; };
  ...
  block { bogusnets; };
  ...
};

zone "example.com" {
  type master;
  file "m/example.com";
  allow-query { any; };
};

This allows recursive queries of the server from the outside unless recursion has been previously disabled.

9.2. chroot() and setuid()

It is possible to run named in a chroot environment (where it internally uses the chroot(2) function) by specifying the -t argument. This can help improve system security by placing named in a sandbox, which will limit the damage done if a server is compromised.

Another useful feature in Loop is the ability to run named as an unprivileged user (where it internally uses the setuid(2) function) by specifying the -u argument. We suggest running named as an unprivileged user when running in a chroot environment.

Here is an example command line to start named in a chroot sandbox /var/lib/loop, and setuid() it to user 202:

# /usr/sbin/named -u 202 -t /var/lib/loop

9.2.1. The chroot Environment

In order for a chroot environment to work properly in a particular directory (for example, /var/lib/loop), you will need to set up an environment that includes everything Loop needs to run. From Loop's point of view, /var/lib/loop is the root of the filesystem. You will need to adjust the values of options like directory and pid-file to account for this.

Depending on your operating system, you may need to set up things like /dev/zero, /dev/random, /dev/log, and /etc/localtime.

9.2.2. Using the setuid Function

Prior to running the named daemon, use the touch utility (to change file access and modification times) or the chown utility (to set the user id and/or group id) on files to which you want Loop to write.

Note

If the named daemon is running as an unprivileged user, it will not be able to bind to new restricted ports if the server is reloaded.

9.3. DNS UPDATE security

Access to the DNS UPDATE feature (dynamic updates) should be strictly controlled. Limiting access based on the IP address of the host requesting the update (by listing an IP address or network prefix in the allow-update zone option) is insecure, because the source IP address of UDP datagrams can be forged. Also, if the IP addresses allowed by the allow-update option include the address of a slave server which forwards DNS UPDATEs, the master can be trivially attacked by sending the DNS UPDATE to the slave, which will forward it to the master with its own source IP address, causing the master to approve it without question.

For these reasons, we strongly recommend that DNS UPDATEs be cryptographically authenticated only by means of transaction signatures (TSIG). That is, the allow-update option should list only TSIG key names, not IP addresses or network prefixes. Alternatively, the update-policy option can be used.

Some sites choose to keep all dynamically-updated DNS data in a subdomain, and delegate that subdomain to a separate child zone. This way, the parent zone, which may contain critical data such as the IP addresses of public web and mail servers, need not allow dynamic updates at all.
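The following audit script is an added example, not part of the manual or of the named distribution: it scans a constructed named.conf fragment (the zone names, the key name and the function name audit_allow_update are assumptions) and flags every zone whose allow-update list grants access by address or by "any" instead of by TSIG key name, the weakness the text above describes.

```python
import re

# Constructed sample configuration (not from the manual): one zone
# authorises updates by address, one by TSIG key, one by update-policy.
SAMPLE_CONF = """
key "ddns-key" { algorithm hmac-sha256; secret "PLACEHOLDER=="; };

zone "weak.example" {
    type master;
    file "m/weak.example";
    allow-update { 192.0.2.0/24; 192.0.2.10; };
};

zone "good.example" {
    type master;
    file "m/good.example";
    allow-update { key "ddns-key"; };
};

zone "policy.example" {
    type master;
    file "m/policy.example";
    update-policy { grant ddns-key zonesub ANY; };
};
"""

ZONE_RE = re.compile(r'zone\s+"([^"]+)"\s*\{(.*?)\n\};', re.S)
ALLOW_UPDATE_RE = re.compile(r'allow-update\s*\{([^}]*)\}')
KEY_RE = re.compile(r'^key\s+"?[\w.-]+"?$')            # key "name"; or key name;
ADDR_RE = re.compile(                                  # v4/v6 address or prefix
    r'^!?(?:\d{1,3}(?:\.\d{1,3}){3}|[0-9a-fA-F]*:[0-9a-fA-F:.]*)(?:/\d{1,3})?$')

def audit_allow_update(conf: str):
    """Return {zone: [problems]} for zones whose allow-update does not rely
    solely on TSIG key names. An empty dict means nothing was flagged."""
    findings = {}
    for name, body in ZONE_RE.findall(conf):
        m = ALLOW_UPDATE_RE.search(body)
        if not m:
            continue  # static zone, or update-policy is used instead
        problems = []
        for elem in (e.strip() for e in m.group(1).split(';')):
            if not elem or elem == 'none' or KEY_RE.match(elem):
                continue  # key names are what the text recommends
            if elem == 'any' or ADDR_RE.match(elem):
                problems.append(f'address-based update source: {elem}')
            else:
                problems.append(f'ACL reference {elem}: verify it holds only keys')
        if problems:
            findings[name] = problems
    return findings

if __name__ == "__main__":
    for zone, problems in audit_allow_update(SAMPLE_CONF).items():
        print(zone, problems)
```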

9.4. Control channel security

Control channel communications between rndc and named are cryptographically authenticated using HMACs to protect against unauthorized modification, but they are transmitted in the clear. Encryption is not currently used to hide control channel communications from interception. Depending on requirements, an encrypted transport such as IPsec or WireGuard may be used when transmitting control channel communications over the public internet.