From: Hugo Landau
To: alpine-devel@lists.alpinelinux.org
Cc: Hugo Landau
Subject: [alpine-devel] [PATCH] bind: Modify default config to be more secure
Date: Thu, 16 Oct 2014 16:52:17 +0100
Message-Id: <1413474737-18941-1-git-send-email-hlandau@devever.net>
X-Mailer: git-send-email 2.1.2
X-Mailinglist: alpine-devel
Precedence: list
List-Id: Alpine Development

By default BIND will happily serve as both an authoritative nameserver and recursive resolver, but this is no longer a recommended or desirable configuration. The previous default configuration did not draw attention to this fact and the issues involved.

Users are now made to rename one of two sample configuration files, named.conf.authoritative or named.conf.recursive. Comments inside either file advise DNS administrators of the most prevalent security issues.

This ensures that users setting up an authoritative nameserver do not unwittingly also operate a resolver. In the previous default configuration, BIND would happily perform recursive resolution for localhost, which means that the local machine may receive non-authoritative data from what is supposed to be an authoritative nameserver.

Both default configurations disable zone transfers by default, as BIND defaults to enabling them for any host (!).
---
 main/bind/APKBUILD                 |  26 ++++++----
 main/bind/named.conf               |  53 -------------------
 main/bind/named.conf.authoritative |  56 ++++++++++++++++++++
 main/bind/named.conf.recursive     | 104 +++++++++++++++++++++++++++++++++++++
 main/bind/named.initd              |   2 +-
 5 files changed, 177 insertions(+), 64 deletions(-)
 delete mode 100644 main/bind/named.conf
 create mode 100644 main/bind/named.conf.authoritative
 create mode 100644 main/bind/named.conf.recursive

diff --git a/main/bind/APKBUILD b/main/bind/APKBUILD
index c14e770..7b64031 100644
--- a/main/bind/APKBUILD
+++ b/main/bind/APKBUILD
@@ -5,7 +5,7 @@ pkgver=9.10.1 _ver=${pkgver%_p*} _p=${pkgver#*_p} [ "$_p" != "$pkgver" ] && _ver="${_ver}-P$_p" -pkgrel=0 +pkgrel=1 pkgdesc="The Berkeley Internet Name Domain Name Server and tools" url="http://www.isc.org" arch="all" @@ -20,7 +20,8 @@ source="http://ftp.isc.org/isc/bind9/${_ver}/bind-${_ver}.tar.gz bind.so_bsdcompat.patch named.initd named.confd - named.conf + named.conf.authoritative + named.conf.recursive 127.zone localhost.zone named.ca @@ -88,8 +89,10 @@ package() { "$pkgdir"/etc/init.d/named || return 1 install -Dm644 "$srcdir"/named.confd \ "$pkgdir"/etc/conf.d/named || return 1 - install -Dm644 "$srcdir"/named.conf \ - "$pkgdir"/etc/bind/named.conf || return 1 + install -Dm644 "$srcdir"/named.conf.authoritative \ + "$pkgdir"/etc/bind/named.conf.authoritative || return 1 + install -Dm644 "$srcdir"/named.conf.recursive \ + "$pkgdir"/etc/bind/named.conf.recursive || return 1 install -Dm644 "$srcdir"/named.ca \ "$pkgdir"/var/bind/named.ca || return 1 install -Dm644 "$srcdir"/127.zone \ 
@@ -111,25 +114,28 @@ tools() { md5sums="82a69faf01b569568d9233f2666e744d bind-9.10.1.tar.gz f270a5b0a28ab6e818840c5c368ddbcc bind.so_bsdcompat.patch -216a2e5cd7c5406f18b648a4d877b750 named.initd +4a5322cd4df5b33283b19b6010a5c024 named.initd 418a367cecfdf8760c92235d3967867e named.confd -be5fd752bdbd59385f2a559d603098d5 named.conf +a9de5fb1c027a7eedf440bf187594f07 named.conf.authoritative +886fe73bf37335df1ef15ff842b568b3 named.conf.recursive a7455b009b7fccd74ac6f6eaa6902a00 127.zone c3220168fabfb31a25e8c3a545545e34 localhost.zone a94e29ac677846f3d4d618c50b7d34f1 named.ca" sha256sums="5361eca2b8b6bc0b13904b0f964336a478dfbc165711547f6cc3f8752ac60181 bind-9.10.1.tar.gz 4c5dc352da0a12bdda2644e835f7eabde4f5687f1a98acd65b22be4ee587c086 bind.so_bsdcompat.patch -474088616d1c4a5fc835d3c64ba30264a72b7e107865a35a711149dde4443b6b named.initd +058d9d1d6c35f79bc704e87186072d0a79f9a4f269363a8c367885dabf016913 named.initd c0e7b365dca072dc96a97c8f81dff012aff7fe57337c10b63cd9f292d03c207d named.confd -ab2f7305e9a1d30406528c5ef079beb4970c89572e90d57bb5ddb27b8126ad13 named.conf +28fa20e9c744bd0cd57e0015823362af9bc7311a42cc7f3eae67826a60d6acdc named.conf.authoritative +633f1b97fbf509880c278e92adedc85fd72d519f7a5b1ecd6b3fb727722f5098 named.conf.recursive 65b909fc1398dfa5b532ab395d6920758937093cf7e5b5bec8242dff4fe15e89 127.zone b6dff70386920adb21883566610b0a45b9de5a3847a870e4ad1902c5c7900399 localhost.zone 0bd88f7f5cab2f872d3619700e382c1df6837a8aacf28cf6a0bf336742a0ee56 named.ca" sha512sums="16b05e3dbda72b6f5b7436271dd9cadbe0da9207b65b5ecbb6abe7042436c1baf740fb04ecaeefcff5f14e9f4747150faf9251deac68437323f05e80631e8723 bind-9.10.1.tar.gz f3e3d1b680617485b9db20a59a10fec3b3b539d423984493228a7d5aaa29d699b9012ad60e863e56bdaf15b73952c22710d0ded1c86cd24417ac775ee062cfa3 bind.so_bsdcompat.patch -de7c25cd8faa67355218c86a798ac803eb418a67c996490fdc3216e74ee4afaddc4113f8398217d385035ac286a17fce7b1d7b9f485db87ec0dec0de916b7e69 named.initd 
+8ccc944eb35cd5523b63fabc912b63e60e3d97abebc81e2edcae557dbde6a9b2fc3da71ecaed8c991cffaf73061f59a76ab339ce90f8412b5516744c47887712 named.initd 127bdcc0b5079961f0951344bc3fad547450c81aee2149eac8c41a8c0c973ea0ffe3f956684c6fcb735a29c43d2ff48c153b6a71a0f15757819a72c492488ddf named.confd -64d95e7171c990f3191455bfe88acc53ee7dc7e38b87c8317b0bbcffa3a0117337e8da5f74cd33e7c3cb23a5003ac26eb172fd744f580aa20d3f8aab90c1f279 named.conf +d2f61d02d7829af51faf14fbe2bafe8bc90087e6b6697c6275a269ebbddcaa14a234fff5c41da793e945e8ff1de3de0858a40334e0d24289eab98df4bb721ac5 named.conf.authoritative +3aba9763cfaf0880a89fd01202f41406b465547296ce91373eb999ea7719040bc1ac4e47b0de025a8060f693d3d88774a20d09a43fa7ac6aa43989b58b5ee8fe named.conf.recursive eed9886717539399518e011ae5eae6335aed4fae019e1def088c5be26bdc896c99c07adf84ee61babafa31d31ff3b028263d1c88d2eee17ecf4c95a9d77d524c 127.zone 340e86472a2c2746fe585c0aa5f079d3a9b46e828c1f53d48026533a169b7f77ded7d0a13d291d6962607bb9481456e6fa69df1834603e7555332615fb998f0b localhost.zone badb85a67199b1ff28cdd3529c6d7c70b2757a71f52fd5e0aecb6dab80fa1838af863cd5d451be078cad3ef35f0c256aaac1831671cec119c5a689503e98a192 named.ca" diff --git a/main/bind/named.conf b/main/bind/named.conf deleted file mode 100644 index d58c61b..0000000 --- a/main/bind/named.conf +++ /dev/null 
@@ -1,53 +0,0 @@ -options { - directory "/var/bind"; - - // uncomment the following lines to turn on DNS forwarding, - // and change the forwarding ip address(es) : - //forward first; - //forwarders { - // 123.123.123.123; - // 123.123.123.123; - //}; - - listen-on-v6 { none; }; - listen-on { 127.0.0.1; }; - - // to allow only specific hosts to use the DNS server: - //allow-query { - // 127.0.0.1; - //}; - - // if you have problems and are behind a firewall: - //query-source address * port 53; - pid-file "/var/run/named/named.pid"; -}; - -// Briefly, a zone which has been declared delegation-only will be effectively -// limited to containing NS RRs for subdomains, but no actual data beyond its -// own apex (for example, its SOA RR and apex NS RRset). This can be used to -// filter out "wildcard" or "synthesized" data from NAT boxes or from -// authoritative name servers whose undelegated (in-zone) data is of no -// interest. -// See http://www.isc.org/products/BIND/delegation-only.html for more info - -//zone "COM" { type delegation-only; }; -//zone "NET" { type delegation-only; }; - -zone "." IN { - type hint; - file "named.ca"; -}; - -zone "localhost" IN { - type master; - file "pri/localhost.zone"; - allow-update { none; }; - notify no; -}; - -zone "127.in-addr.arpa" IN { - type master; - file "pri/127.zone"; - allow-update { none; }; - notify no; -}; diff --git a/main/bind/named.conf.authoritative b/main/bind/named.conf.authoritative new file mode 100644 index 0000000..71e98dd --- /dev/null +++ b/main/bind/named.conf.authoritative 
@@ -0,0 +1,56 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as an +// authoritative nameserver. If you want to run a recursive DNS resolver +// instead, see /etc/bind/named.conf.recursive. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a secure starting point for running an authoritative nameserver. + +options { + directory "/var/bind"; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you want to allow only specific hosts to use the DNS server: + //allow-query { + // 127.0.0.1; + //}; + + // Specify a list of IPs/masks to allow zone transfers to here. + // + // You can override this on a per-zone basis by specifying this inside a zone + // block. + // + // Warning: Removing this block will cause BIND to revert to its default + // behaviour of allowing zone transfers to any host (!). + allow-transfer { + none; + }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Changing this is NOT RECOMMENDED; see the notes above and in + // named.conf.recursive. + allow-recursion { none; }; + recursion no; +}; + +// Example of how to configure a zone for which this server is the master: +//zone "example.com" IN { +// type master; +// file "/etc/bind/master/example.com"; +//}; + +// You can include files: +//include "/etc/bind/example.conf"; 
diff --git a/main/bind/named.conf.recursive b/main/bind/named.conf.recursive new file mode 100644 index 0000000..a068b22 --- /dev/null +++ b/main/bind/named.conf.recursive 
@@ -0,0 +1,104 @@ +// Copy this file to /etc/bind/named.conf if you want to run bind as a +// recursive DNS resolver. If you want to run an authoritative nameserver +// instead, see /etc/bind/named.conf.authoritative. +// +// BIND supports using the same daemon as both authoritative nameserver and +// recursive resolver; it supports this because it is the oldest and original +// nameserver and so was designed before it was realized that combining these +// functions is inadvisable. +// +// In actual fact, combining these functions is a very bad idea. It is thus +// recommended that you run a given instance of BIND as either an authoritative +// nameserver or recursive resolver, not both. The example configuration herein +// provides a starting point for running a recursive resolver. +// +// +// *** IMPORTANT *** +// You should note that running an open DNS resolver (that is, a resolver which +// answers queries from any globally routable IP) makes the resolver vulnerable +// to abuse in the form of reflected DDoS attacks. +// +// These attacks are now widely prevalent on the open internet. Even if +// unadvertised, attackers can and will find your resolver by portscanning the +// global IPv4 address space. +// +// In one case the traffic generated using such an attack reached 300 Gb/s (!). +// +// It is therefore imperative that you take care to configure the resolver to +// only answer queries from IP address space you trust or control. See the +// "allow-recursion" directive below. +// +// Bear in mind that with these attacks, the "source" of a query will actually +// be the intended target of a DDoS attack, so this only protects other networks +// from attack, not your own; ideally therefore you should firewall DNS traffic +// at the borders of your network to eliminate spoofed traffic. +// +// This is a complex issue and some level of understanding of these attacks is +// advisable before you attempt to configure a resolver. 
+ +options { + directory "/var/bind"; + + // Specify a list of CIDR masks which should be allowed to issue recursive + // queries to the DNS server. Do NOT specify 0.0.0.0/0 here; see above. + allow-recursion { + 127.0.0.1/32; + }; + + // If you want this resolver to itself resolve via means of another recursive + // resolver, uncomment this block and specify the IP addresses of the desired + // upstream resolvers. + //forwarders { + // 123.123.123.123; + // 123.123.123.123; + //}; + + // By default the resolver will attempt to perform recursive resolution itself + // if the forwarders are unavailable. If you want this resolver to fail outright + // if the upstream resolvers are unavailable, uncomment this directive. + //forward only; + + // Configure the IPs to listen on here. + listen-on { 127.0.0.1; }; + listen-on-v6 { none; }; + + // If you have problems and are behind a firewall: + //query-source address * port 53; + + pid-file "/var/run/named/named.pid"; + + // Removing this block will cause BIND to revert to its default behaviour + // of allowing zone transfers to any host (!). There is no need to allow zone + // transfers when operating as a recursive resolver. + allow-transfer { none; }; +}; + +// Briefly, a zone which has been declared delegation-only will be effectively +// limited to containing NS RRs for subdomains, but no actual data beyond its +// own apex (for example, its SOA RR and apex NS RRset). This can be used to +// filter out "wildcard" or "synthesized" data from NAT boxes or from +// authoritative name servers whose undelegated (in-zone) data is of no +// interest. +// See http://www.isc.org/products/BIND/delegation-only.html for more info + +//zone "COM" { type delegation-only; }; +//zone "NET" { type delegation-only; }; + +zone "." 
IN { + type hint; + file "named.ca"; +}; + +zone "localhost" IN { + type master; + file "pri/localhost.zone"; + allow-update { none; }; + notify no; +}; + +zone "127.in-addr.arpa" IN { + type master; + file "pri/127.zone"; + allow-update { none; }; + notify no; +}; diff --git a/main/bind/named.initd b/main/bind/named.initd index 812dfa9..a724848 100644 --- a/main/bind/named.initd +++ b/main/bind/named.initd @@ -21,7 +21,7 @@ checkconfig() { ebegin "Checking named configuration" if [ ! -f "${NAMED_CONF}" ] ; then - eerror "No ${NAMED_CONF} file exists!" + eerror "No ${NAMED_CONF} file exists! See the examples in /etc/bind." return 1 fi -- 2.1.2 --- Unsubscribe: alpine-devel+unsubscribe@lists.alpinelinux.org Help: alpine-devel+help@lists.alpinelinux.org ---
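Review bot: the package() hunk in APKBUILD stops installing /etc/bind/named.conf and installs only the two example files, but nothing in the patch handles existing installations: a box running on the old packaged named.conf will, after upgrade, hit exactly the "No ${NAMED_CONF} file exists!" branch that the named.initd hunk edits, depending on how apk treats a file that has dropped out of the package list. Please confirm the upgrade behaviour, and if the old file does not survive, either keep shipping a named.conf that `include`s one of the examples or add a post-upgrade message telling the admin to copy named.conf.authoritative or named.conf.recursive into place before the next service restart.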
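Review bot: in the named.conf.authoritative hunk, the commented `zone "example.com"` block should demonstrate the per-zone `allow-transfer` override that the comment above it promises ("You can override this on a per-zone basis by specifying this inside a zone block"), since that is the one setting an authoritative operator will almost always need to open up for their secondaries; something like `// allow-transfer { 192.0.2.53; };` inside the example zone makes the intended pattern explicit. Also worth noting that `allow-recursion { none; };` is redundant once `recursion no;` is set; keeping both is harmless, but the comment "Changing this is NOT RECOMMENDED" should make clear that `recursion no;` is the line that actually matters. The two-paragraph history of why BIND combines both roles reads as editorial for a shipped config file and could be trimmed to the one sentence of advice.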
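Review bot: in the named.conf.recursive hunk, `allow-recursion { 127.0.0.1/32; };` restricts who gets recursion, but `allow-query` is left at its default of any, so once an admin widens `listen-on` beyond loopback (which the comment "Configure the IPs to listen on here" invites), hosts outside the recursion ACL still receive non-recursive answers rather than REFUSED. Suggest adding a matching `allow-query { 127.0.0.1/32; };` next to `allow-recursion`, with a comment telling the admin to keep the two ACLs in step. The "300 Gb/s" figure in the preamble is stated without a source; either cite it or drop the number and keep the general warning, since an unsourced statistic in a config file ages badly.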
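Review bot: the named.initd hunk's new message "See the examples in /etc/bind." would be more useful if it named the two files directly, e.g. `eerror "No ${NAMED_CONF} file exists! Copy /etc/bind/named.conf.authoritative or /etc/bind/named.conf.recursive to ${NAMED_CONF}."`, so the admin reading the boot log knows the exact step without listing the directory.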