LPI Linux Certification/Securing A DNS Server


Detailed Objective

Weight: 3

Description:
Candidates should be able to configure a DNS server to run as a non-root user and run in a chroot jail. This objective includes secure exchange of data between DNS servers.

Securing a DNS server

First of all, check security mailing lists and web sites for new versions of BIND. In particular, versions prior to 8.2.3 are vulnerable to known attacks.

Hide your version number from outside queries; it could be used to craft an attack specific to the version you run. Since BIND 8.2, you can use the following in named.conf:

options {
version "None of your business";
};

You can also restrict queries, either globally:

options {
allow-query { address-match-list; };
};

or per zone (per-zone settings take precedence over the global ones):

zone "test.com" {
type slave;
file "db.test";
allow-query { 192.168.0.0/24; };
};

Even more important, make sure that only your real slave DNS servers can transfer your zones from the master. Use the keyword allow-transfer, either globally (in the options statement, where it applies to all zones) or per zone. On the slaves, disable zone transfers altogether with allow-transfer { none; };
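Added example (not part of the Wikibooks text): a small Python checker that applies the rules above to a named.conf, verifying that the version string is overridden, that allow-query is restricted in options, and that allow-transfer is restricted either globally or per zone, with slaves set to none. The two configurations it runs against are constructed for the demonstration; the parser only understands the simple statement forms shown here and is not a full named.conf grammar.

```python
import re

# Constructed sample configurations for this demo (not from the page).
WEAK_CONF = """
options { directory "/var/cache/bind"; };
zone "example.test" { type slave; file "db.example"; };
zone "corp.test" { type master; file "db.corp"; };
"""
HARDENED_CONF = """
options {
    version "None of your business";
    allow-query { 192.168.0.0/24; };
    allow-transfer { 192.168.0.53; };
};
zone "example.test" { type slave; file "db.example"; allow-transfer { none; }; };
zone "corp.test" { type master; file "db.corp"; };
"""

def _blocks(text, keyword):
    """Yield (label, body) for each `keyword ["label"] { body };` statement."""
    for m in re.finditer(r'\b%s\b\s*("?[\w.\-]*"?)\s*\{' % keyword, text):
        depth, i = 1, m.end()
        while depth and i < len(text):          # walk to the matching brace
            depth += {'{': 1, '}': -1}.get(text[i], 0)
            i += 1
        yield m.group(1).strip('"'), text[m.end():i - 1]

def _directive(body, name):
    """Return the value of `name { ... };`, `name "...";` or `name word;`, else None."""
    m = re.search(r'\b%s\b\s*(?:\{([^}]*)\}|"([^"]*)"|([\w.\-]+))\s*;' % name, body)
    return (m.group(1) or m.group(2) or m.group(3)).strip(' ;') if m else None

def audit_named_conf(text):
    """Report the named.conf hardening points from the text above that are missing."""
    findings = []
    opts = dict(_blocks(text, 'options')).get('', '')
    if _directive(opts, 'version') is None:
        findings.append('options: version string not hidden')
    if _directive(opts, 'allow-query') is None:
        findings.append('options: allow-query not restricted globally')
    global_xfer = _directive(opts, 'allow-transfer')
    for name, body in _blocks(text, 'zone'):
        ztype = _directive(body, 'type')
        xfer = _directive(body, 'allow-transfer')  # per-zone setting overrides the global one
        if ztype == 'slave' and xfer != 'none':
            findings.append(f'zone {name} (slave): allow-transfer should be {{ none; }}')
        elif ztype == 'master' and xfer is None and global_xfer is None:
            findings.append(f'zone {name} (master): allow-transfer not restricted')
    return findings

if __name__ == '__main__':
    print(audit_named_conf(WEAK_CONF), audit_named_conf(HARDENED_CONF))
```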

Don't run BIND as root! Since 8.1.2, there are options to change the user (-u) and group (-g) under which BIND runs. Use a non-privileged user (i.e. create a dedicated one, without shell access). Make sure your zone files have the correct permissions (named.conf is read while BIND is still running with root's permissions, so don't change that file's permissions).

Also, run BIND in a chroot jail. Since 8.1.2, there is the option -t to specify the directory for the nameserver to chroot() to. Make sure all the files needed by BIND (i.e. log files, etc.) are under the root jail. If you plan to use ndc with a chroot'ed BIND, don't forget to pass the new pathname of the UNIX socket to ndc!

Here's a short guide to setting up a chrooted bind9 environment on Debian. As the configuration of bind9 is very similar, the same procedure applies to bind8 for creating a chrooted environment.

# Stop the running name server first.
/etc/init.d/bind9 stop
# In /etc/default/bind9 (Debian): run as user bind and chroot to /var/lib/named.
OPTIONS="-u bind -t /var/lib/named"
# In /etc/default/sysklogd (Debian): make syslogd listen on an extra socket inside
# the jail, since the chrooted named cannot reach the real /dev/log.
SYSLOGD="-a /var/lib/named/dev/log"
# Build the directory tree the chrooted named needs.
mkdir /var/lib/named
mkdir -p /var/lib/named/var/run/bind/run
mkdir /var/lib/named/etc
mkdir /var/lib/named/dev
mkdir /var/lib/named/var/cache
# Move the configuration into the jail and leave a symlink at the old location.
mv /etc/bind /var/lib/named/etc/bind
ln -s /var/lib/named/etc/bind /etc/bind
chown -R bind:bind /var/lib/named/var/*
chown -R bind:bind /var/lib/named/etc/bind
# named needs /dev/null and /dev/random inside the jail (same major/minor numbers as the real ones).
mknod /var/lib/named/dev/null c 1 3
mknod /var/lib/named/dev/random c 1 8
chmod 666 /var/lib/named/dev/random /var/lib/named/dev/null
# Restart syslogd so it opens the new socket, then start the chrooted bind9.
/etc/init.d/sysklogd restart
/etc/init.d/bind9 start

If bind does not start and there are error messages in the syslog, keep in mind that these messages were created from inside the chroot, so a permission problem reported for /var/run/bind/run/named.pid really refers to /var/lib/named/var/run/bind/run/named.pid.

Key terms, files and utilities: SysV init files, /etc/named.conf, /etc/passwd

Exercises

This article is issued from Wikibooks. The text is licensed under Creative Commons - Attribution - Sharealike. Additional terms may apply for the media files.