Bind / named security

Networking/Security Forums -> UNIX // GNU/Linux

Author: chrisLocation: ~/security-forums PostPosted: Mon Jan 06, 2003 12:40 am    Post subject: Bind / named security
• Zone transfers should only be permitted by master name servers to update the zone
(domain) information in their slave servers. Failure to do so may result in IP numbers and
hostnames being revealed to unauthorized users. Restrict queries to only public domains.
Suitable for name servers with both public and private zones.

// Allow transfer only to our slave name server. Allow queries
// only by hosts in the network.
zone “” {
type master;
file “master/”;
allow-transfer {; };
allow-query {; };

• Deny and log queries for our version number except from the local host. The ability to
determine the bind version enables an attacker to find the corresponding exploit for that

// Disable the ability to determine the version of BIND running
zone “bind” chaos {
type master;
file “master/bind”;
allow-query { localhost; };

The ./master/bind file should then contain:

$TTL 1d
@ CHAOS SOA localhost. root.localhost. (
1 ; serial
3H ; refresh
15M ; retry
1W ; expire
1D ) ; minimum
NS localhost.

• Control which interfaces named listens on. Restricting the interfaces on which named
runs can limit the exposure to only the necessary networks.
listen-on {; };

• Use Access Control Lists to classify groups of hosts with differing degrees of trust. The
“internal” ACL label might be used to describe internal hosts that are permitted a greater
degree of access to the information than other hosts might be. Before it can be used it
must be defined:

acl “internal” {
{;; };

It can then be used in “zone” statements or the main “options” statement:
zone “” {
type master;
file “master/”;
allow-query { “internal”; };

• Configure BIND to run as a normal user. Once BIND has been started, it has the ability
to relinquish its privileges, and run as a user with limited abilities instead of root.
# useradd -M -r -d /var/named -s /bin/false named
# groupadd -r named

This account should be used for nothing other than running the name server. Ensure the
zone files are readable by the named user. It is then necessary to modify the default
named init script, typically found in /etc/rc.d/init.d/named on Red Hat or
/etc/init.d/named on Debian:
/usr/sbin/named -u named -g named

It is also possible to run named in a “chroot jail” which helps to restrict the damage that
can be done should named be subverted.

Networking/Security Forums -> UNIX // GNU/Linux

output generated using printer-friendly topic mod, All times are GMT + 2 Hours

Page 1 of 1

Powered by phpBB 2.0.x © 2001 phpBB Group