Chapter 5. Securing services running on your system
Changing the version.bind record does not provide actual protection against attacks, but it might be considered a useful
safeguard.
A sample named.conf configuration file might be the following:
acl internal {
        127.0.0.1/32;           // localhost
        10.0.0.0/8;             // internal
        aa.bb.cc.dd;            // eth0 IP
};

acl friendly {
        ee.ff.gg.hh;            // slave DNS
        aa.bb.cc.dd;            // eth0 IP
        127.0.0.1/32;           // localhost
        10.0.0.0/8;             // internal
};

options {
        directory "/var/cache/bind";
        allow-query { internal; };
        allow-recursion { internal; };
        allow-transfer { none; };
};

// From here to the mysite.bogus zone
// is basically unmodified from the debian default
logging {
        category lame-servers { null; };
        category cname { null; };
};

zone "." {
        type hint;
        file "/etc/bind/db.root";
};

zone "localhost" {
        type master;
        file "/etc/bind/db.local";
};

zone "127.in-addr.arpa" {
        type master;
        file "/etc/bind/db.127";
};

zone "0.in-addr.arpa" {
        type master;
        file "/etc/bind/db.0";
};

zone "255.in-addr.arpa" {
        type master;
        file "/etc/bind/db.255";
};

// zones I added myself
zone "mysite.bogus" {
        type master;
        file "/etc/bind/named.mysite";
        allow-query { any; };
        allow-transfer { friendly; };
};
Please (again) check the Bug Tracking System regarding Bind, specifically Bug #94760 (regarding ACLs on zone transfers)
(http://bugs.debian.org/94760). Feel free to contribute to the bug report if you think you can add useful information.
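The sample above restricts recursion to the internal ACL and limits zone transfers per zone. The following audit script is an added example, not part of the manual or of the BIND package: it parses the options and zone blocks of a named.conf string and reports an open allow-recursion, and any zone whose effective allow-transfer (the zone's own statement, or the one inherited from options) is either { any; } or absent. The configuration it runs on is constructed for the example, with an extra deliberately open zone; it handles only the simple block layout shown on this page, not the full BIND grammar.

```python
import re

# Constructed sample named.conf (not the manual's file): the manual's layout,
# plus one deliberately open zone so the audit has something to report.
SAMPLE_NAMED_CONF = """
acl internal { 127.0.0.1/32; 10.0.0.0/8; };   // localhost, internal
acl friendly { 192.0.2.53; 127.0.0.1/32; };   // slave DNS (constructed address), localhost
options {
    directory "/var/cache/bind";
    allow-query { internal; };
    allow-recursion { internal; };
    allow-transfer { none; };
};
zone "mysite.bogus" {
    type master;
    file "/etc/bind/named.mysite";
    allow-query { any; };
    allow-transfer { friendly; };
};
zone "open.example" {
    type master;
    file "/etc/bind/named.open";
    allow-transfer { any; };
};
"""

# An options block or a zone block, up to its closing "};" line.
BLOCK_RE = re.compile(r'(options|zone\s+"([^"]+)")\s*\{(.*?)\n\};', re.S)
STMT_RE = re.compile(r'(allow-(?:query|recursion|transfer))\s*\{([^}]*)\}')

def parse_blocks(conf):
    """Return {'options' or zone name: {statement: [acl members]}}."""
    conf = re.sub(r'//[^\n]*', '', conf)            # drop // comments first
    blocks = {}
    for m in BLOCK_RE.finditer(conf):
        name = 'options' if m.group(1) == 'options' else m.group(2)
        blocks[name] = {s.group(1): [x.strip() for x in s.group(2).split(';') if x.strip()]
                        for s in STMT_RE.finditer(m.group(3))}
    return blocks

def audit(conf):
    """Report open recursion and zones whose effective allow-transfer is open or unset."""
    blocks = parse_blocks(conf)
    opts = blocks.get('options', {})
    findings = []
    recursion = opts.get('allow-recursion')
    if recursion is None:
        findings.append('options: allow-recursion not set (server default applies)')
    elif 'any' in recursion:
        findings.append('options: allow-recursion { any; } makes this an open resolver')
    for name, stmts in blocks.items():
        if name == 'options':
            continue
        xfer = stmts.get('allow-transfer', opts.get('allow-transfer'))  # zone overrides options
        if xfer is None:
            findings.append(f'zone {name}: allow-transfer not set (server default applies)')
        elif 'any' in xfer:
            findings.append(f'zone {name}: allow-transfer {{ any; }} exposes the whole zone')
    return findings
```

Running audit(SAMPLE_NAMED_CONF) flags only the constructed open.example zone; the mysite.bogus zone passes because it names the friendly ACL.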
5.7.2 Changing BIND’s user
Regarding limiting BIND’s privileges, you must be aware that if a non-root user runs BIND, then BIND cannot detect new
interfaces automatically, for example when you put a PCMCIA card into your laptop. Check the README.Debian file in
your named documentation directory (/usr/share/doc/bind/README.Debian) for more information about this issue.
There have been many recent security problems concerning BIND, so switching the user is useful when possible. We will
detail here the steps needed in order to do this; however, if you want to do this in an automatic way you might try the script
provided in ‘Sample script to change the default Bind installation.’ on page 147.
Notice, in any case, that this only applies to BIND version 8. In the Debian packages for BIND version 9 (since the 9.2.1-5
version, available since sarge) the bind user is created and used by setting the OPTIONS variable in /etc/default/bind9.
If you are using BIND version 9 and your name server daemon is not running as the bind user, verify the settings in that file.