Security of PowerDNS
====================

PowerDNS has several options that make it easy to run more securely.
Most notable are the :ref:`setting-chroot`, :ref:`setting-setuid` and :ref:`setting-setgid` options.

For Security Advisories, see the :doc:`dedicated page <security-advisories/index>`.

.. _securitypolicy:

.. include:: common/security-policy.rst

For additional information on PowerDNS security, PowerDNS security incidents and PowerDNS security policy, see :ref:`securitypolicy`.

Securing the Process
--------------------

Running as a less privileged identity
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
By specifying :ref:`setting-setuid` and :ref:`setting-setgid`, PowerDNS changes to this identity shortly after binding to the privileged DNS ports.
These options are highly recommended.
It is suggested that a separate identity is created for PowerDNS, as the user 'nobody' is shared with many other services and is in fact quite powerful on most systems.

Both these parameters can be specified either numerically or as real names.
Set these parameters immediately if they are not set!

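As an added example, not code from the PowerDNS project, the shell functions below audit a ``pdns.conf`` for the two settings above and print the commands that would create a dedicated account. The account name ``pdns``, the ``useradd`` flags (GNU/Linux) and the sample configuration are assumptions made for this illustration; the audit treats an unset value, ``root``, numeric ``0`` and the shared ``nobody``/``nogroup`` accounts as failures.

```shell
#!/bin/sh
# Added example, not PowerDNS code: audit the process-identity settings in a
# pdns.conf. The account name 'pdns' and the sample config are assumptions.

# pdns_conf_get FILE KEY -> print the value of KEY with comments and surrounding
# whitespace stripped (last occurrence wins here); prints nothing if unset.
pdns_conf_get() {
    sed -n -e 's/#.*$//' -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# pdns_identity_ok NAME -> 0 if NAME is an acceptable dedicated, unprivileged
# identity. Unset, root (by name or numeric 0) and the nobody/nogroup accounts
# (shared with other daemons, so not a separate identity) are rejected.
pdns_identity_ok() {
    case "$1" in
        ''|root|0|nobody|nogroup) return 1 ;;
    esac
    return 0
}

# pdns_identity_audit FILE -> prints one FAIL line per unacceptable setting and
# returns the number of findings (0 = both setuid and setgid are fine).
pdns_identity_audit() {
    findings=0
    for key in setuid setgid; do
        val=$(pdns_conf_get "$1" "$key")
        if ! pdns_identity_ok "$val"; then
            echo "FAIL: $key=${val:-<unset>}"
            findings=$((findings + 1))
        fi
    done
    return "$findings"
}

# pdns_identity_remedy NAME -> print (not run: it needs root, and the useradd
# flags assume GNU/Linux) what is needed to run PowerDNS as the dedicated
# account NAME.
pdns_identity_remedy() {
    cat <<EOF
groupadd --system $1
useradd --system --gid $1 --no-create-home --shell /usr/sbin/nologin $1
# then add to pdns.conf and restart PowerDNS:
setuid=$1
setgid=$1
EOF
}

# Demo on a constructed config showing the weak settings.
sample=$(mktemp)
cat > "$sample" <<'EOF'
launch=gmysql
# nobody is shared with other daemons; setgid is not set at all
setuid=nobody
EOF
if pdns_identity_audit "$sample"; then
    echo "identity settings OK"
else
    pdns_identity_remedy pdns
fi
rm -f "$sample"
```

Run it against the real file (``/etc/powerdns/pdns.conf`` or ``/etc/pdns/pdns.conf`` on most distributions) with ``pdns_identity_audit /etc/powerdns/pdns.conf``; a non-zero return is the number of settings to fix.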
Jailing the process in a chroot
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
Modern Linux distributions, with systemd for process management, do a better job of constraining PowerDNS than chroot can.
We strongly suggest using distribution/OS features for process containment instead of the :ref:`setting-chroot` option.
The text below is kept for those users that have specific reasons to prefer chroot.
chroot functionality is not actively tested during development and might break during upgrades.

The :ref:`setting-chroot` option confines PowerDNS to its own directory, so that even if the process is compromised and under an attacker's control, it will have a hard time affecting the rest of the system.

Even though this hampers attackers considerably, chroot jails have been escaped before, so chroot should be treated as one layer of containment rather than a security boundary on its own.

.. warning::
   When chrooting PowerDNS, take care that backends will still be able to reach their files.
   Many databases need access to a UNIX domain socket, which should live within the chroot.
   It is often possible to hardlink such a socket into the chroot directory.

   When running with primary or secondary support, be aware that many operating
   systems need access to specific libraries (often ``/lib/libnss*``) in
   order to support resolution of domain names. You can also hardlink these.

   In addition, make sure that ``/dev/log`` is available from within the chroot.
   Logging will otherwise silently fail over time (on logrotate).

The default PowerDNS configuration is best chrooted to ``./``, which boils down to the configured location of the control socket.

This is achieved by adding ``chroot=./`` to ``pdns.conf`` and restarting PowerDNS.

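The steps in the warning above, as an added shell example that is not part of the PowerDNS documentation or code: ``pdns_chroot_prepare`` hardlinks the backend socket, ``/dev/log`` and the ``libnss_*`` libraries into the jail, and ``pdns_chroot_check`` verifies that they are present and still refer to the same inode as the host copies. The host root is a parameter so that the functions can be exercised on a constructed directory tree; the paths ``/var/lib/powerdns`` and ``run/mysqld/mysqld.sock`` in the comments are assumptions.

```shell
#!/bin/sh
# Added example, not PowerDNS code: populate and verify a chroot directory with
# the items the warning above lists. HOSTROOT is normally "/"; it is a parameter
# so the functions can be exercised against a constructed directory tree.

# pdns_chroot_link CHROOT HOSTROOT RELPATH -> hardlink HOSTROOT/RELPATH to
# CHROOT/RELPATH, replacing a stale link (different inode) if one exists.
# Hardlinks cannot cross filesystems, so a failure (typically EXDEV when /dev
# or /run is a separate tmpfs) is reported, not hidden.
pdns_chroot_link() {
    chroot_dir=$1; host_root=$2; rel=$3
    src="$host_root/$rel"; dst="$chroot_dir/$rel"
    mkdir -p "$(dirname "$dst")"
    if [ -e "$dst" ] && [ "$dst" -ef "$src" ]; then
        return 0                      # already linked to the same inode
    fi
    rm -f "$dst"                      # a stale link would otherwise linger
    if ln "$src" "$dst" 2>/dev/null; then
        return 0
    fi
    echo "WARN: cannot hardlink $src into $chroot_dir (other filesystem?);" \
         "use a bind mount or have the daemon create its socket inside the chroot" >&2
    return 1
}

# pdns_chroot_prepare CHROOT HOSTROOT BACKEND_SOCKET -> link the backend socket,
# dev/log and the NSS libraries; returns the number of items it could not link.
pdns_chroot_prepare() {
    failed=0
    pdns_chroot_link "$1" "$2" "$3" || failed=$((failed + 1))
    pdns_chroot_link "$1" "$2" dev/log || failed=$((failed + 1))
    for lib in "$2"/lib/libnss_* "$2"/lib64/libnss_* "$2"/lib/*-linux-gnu/libnss_*; do
        [ -e "$lib" ] || continue     # pattern that matched nothing
        pdns_chroot_link "$1" "$2" "${lib#"$2"/}" || failed=$((failed + 1))
    done
    return "$failed"
}

# pdns_chroot_check CHROOT HOSTROOT BACKEND_SOCKET -> 0 if every required item is
# inside CHROOT *and* still the same inode as the host copy (a syslog daemon
# that unlinks and recreates /dev/log leaves the chroot copy dead). Returns the
# number of problems found.
pdns_chroot_check() {
    problems=0
    for rel in "$3" dev/log; do
        if [ ! -e "$1/$rel" ]; then
            echo "MISSING: $1/$rel"; problems=$((problems + 1))
        elif [ ! "$1/$rel" -ef "$2/$rel" ]; then
            echo "STALE: $1/$rel is not the same file as $2/$rel"; problems=$((problems + 1))
        fi
    done
    have_nss=0
    for lib in "$1"/lib/libnss_* "$1"/lib64/libnss_* "$1"/lib/*-linux-gnu/libnss_*; do
        [ -e "$lib" ] && have_nss=1
    done
    if [ "$have_nss" -eq 0 ]; then
        echo "MISSING: libnss_* under $1 (name resolution for primary/secondary will fail)"
        problems=$((problems + 1))
    fi
    return "$problems"
}

# Demo on a constructed tree: regular files stand in for the sockets, which
# need root to link on a live host. There the call would be, for example:
#   pdns_chroot_prepare /var/lib/powerdns / run/mysqld/mysqld.sock
host=$(mktemp -d); jail=$(mktemp -d)
mkdir -p "$host/dev" "$host/run/mysqld" "$host/lib"
: > "$host/dev/log"; : > "$host/run/mysqld/mysqld.sock"; : > "$host/lib/libnss_files.so.2"
pdns_chroot_prepare "$jail" "$host" run/mysqld/mysqld.sock
pdns_chroot_check "$jail" "$host" run/mysqld/mysqld.sock && echo "chroot $jail: OK"
rm -rf "$host" "$jail"
```

Two caveats the functions report rather than hide: a hardlink cannot cross filesystems, and ``/dev/log`` (on devtmpfs, or a symlink into ``/run`` on systemd hosts) usually lives on a different one than the jail, in which case a bind mount or a second syslog socket created inside the jail (rsyslog's ``$AddUnixListenSocket`` directive, for instance) is the practical alternative; and a hardlinked socket goes stale as soon as the daemon that owns it unlinks and recreates it, which is why the check compares inodes instead of only testing for existence, and why running ``pdns_chroot_check`` after every syslog or database restart is worthwhile.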
Security Considerations
-----------------------
In general, make sure that the PowerDNS process cannot do more to your backend database than it needs to.
Most database backends only need the SELECT privilege.
Take care not to connect to your database as the 'root' or 'sa' user, and give the chosen user the smallest set of privileges that works.
59 | ||
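As an added example (not PowerDNS code), the following shell function checks the privileges actually granted to the backend account. It reads ``GRANT`` statements as printed by MySQL/MariaDB's ``SHOW GRANTS`` and flags anything beyond an allowed list (default ``SELECT``); the user names, hosts and grants in the sample are constructed, and sites on PostgreSQL would query its ``information_schema.table_privileges`` view instead.

```shell
#!/bin/sh
# Added example, not PowerDNS code: flag database privileges beyond what a
# PowerDNS backend account needs. Input is SHOW GRANTS output from MySQL or
# MariaDB (one GRANT statement per line); the sample below is constructed.

# pdns_grants_audit [ALLOWED] -> read GRANT lines on stdin, print "FAIL: <line>"
# for every grant of a privilege not in the comma-separated ALLOWED list
# (default SELECT) or carrying WITH GRANT OPTION, and return the number of
# such lines. USAGE (MySQL's "no privileges") is ignored; other lines, such as
# the "Grants for ..." header, are skipped.
pdns_grants_audit() {
    awk -v allowed="${1:-SELECT}" '
        BEGIN {
            findings = 0
            n = split(toupper(allowed), a, ",")
            for (k = 1; k <= n; k++) ok[a[k]] = 1
        }
        toupper($1) == "GRANT" {
            # the privilege list is everything between GRANT and ON
            privs = ""
            for (i = 2; i <= NF && toupper($i) != "ON"; i++) privs = privs " " $i
            gsub(/\([^)]*\)/, "", privs)     # drop column lists: SELECT (name)
            gsub(/,/, " ", privs)
            m = split(privs, tok, " ")
            bad = 0
            for (k = 1; k <= m; k++) {
                t = toupper(tok[k])
                if (t != "USAGE" && !(t in ok)) bad = 1
            }
            if (toupper($0) ~ /WITH GRANT OPTION/) bad = 1
            if (bad) { print "FAIL: " $0; findings++ }
        }
        END { exit findings }'
}

# Constructed sample. On a live server the input would come from, e.g.:
#   mysql -e "SHOW GRANTS FOR 'pdns'@'10.0.0.5'" | pdns_grants_audit
sample="Grants for pdns@10.0.0.5
GRANT USAGE ON *.* TO 'pdns'@'10.0.0.5'
GRANT SELECT ON pdns.* TO 'pdns'@'10.0.0.5'
GRANT ALL PRIVILEGES ON *.* TO 'root'@'%' WITH GRANT OPTION
GRANT SELECT, INSERT, UPDATE, DELETE ON pdns.records TO 'pdns_secondary'@'10.0.0.5'"
printf '%s\n' "$sample" | pdns_grants_audit || echo "findings: $?"
```

A backend that receives zones as a secondary, serves the HTTP API, or stores DNSSEC keys does need INSERT/UPDATE/DELETE on the corresponding tables; pass that list as the argument (``pdns_grants_audit SELECT,INSERT,UPDATE,DELETE``) and grant it on the PowerDNS tables only, never ``ALL`` on ``*.*`` or ``WITH GRANT OPTION``, both of which the audit always reports.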
Databases emphatically do not need to run on the same machine that runs PowerDNS!
In fact, benchmarks have shown that a separate database machine actually improves performance.

Separation also considerably improves the security of your database, and is recommended.

.. _securitypolling:

.. include:: common/secpoll.rst

Trusting zone files
-------------------
In some scenarios the PowerDNS server must handle zone files coming from an untrusted third party.
For these cases, it is recommended to take extra protective measures in addition to the measures above:

- Set :ref:`setting-max-generate-steps` to a low number; this limits the amount of resources a rogue ``$GENERATE`` template can consume.
- Set :ref:`setting-max-include-depth` to ``0``; this disallows the ``$INCLUDE`` directive, avoiding include loops and related issues.
- Set :ref:`setting-enable-lua-records` to ``no``; this disables :ref:`Lua Records<lua-details-security>`, which would otherwise let zone content execute code inside the server.

Depending on your specific requirements, it may also be worthwhile to check zone files before loading them into PowerDNS, in order to:

- Enforce reasonable ``TTL`` values.
- Enforce reasonable values in the ``SOA`` records.
- Validate delegations.
- Enforce a reasonable maximum for the total number of records.
- Enforce a reasonable maximum for the number of records per record set.
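
The directive settings and the pre-load checks listed above, as an added shell example that is not part of the PowerDNS documentation or code. ``zone_directive_check`` scans the raw file for ``$INCLUDE`` and ``$GENERATE``; ``zone_record_check`` applies TTL, SOA, delegation (an in-bailiwick nameserver must have glue), total-record and per-RRset limits to records in canonical one-record-per-line form (name, TTL, class, type, rdata, absolute names), which is what BIND's ``named-checkzone -D -o - ZONE FILE`` produces. The limits (10000 records, 20 per RRset, TTLs between 60 and 604800 seconds) and the sample zone are constructed for this example.

```shell
#!/bin/sh
# Added example, not PowerDNS code: checks to run on an untrusted zone file
# before loading it. Record checks expect canonical one-record-per-line input
# ("name TTL class type rdata", absolute names), e.g. from BIND's
#   named-checkzone -D -o - example.org untrusted.zone > canonical.zone
# The limits and the sample zone are constructed for this example.

# zone_directive_check FILE -> returns the number of $INCLUDE/$GENERATE lines
# (0 = none); these directives should be disabled by the settings above anyway.
zone_directive_check() {
    n=$(grep -c -i -E '^[[:space:]]*\$(INCLUDE|GENERATE)([[:space:]]|$)' "$1" 2>/dev/null || true)
    return "${n:-0}"
}

# zone_record_check MAX_RECORDS MAX_PER_RRSET MIN_TTL MAX_TTL -> read canonical
# records on stdin, print one line per violation and return the violation count.
zone_record_check() {
    awk -v max_records="$1" -v max_rrset="$2" -v min_ttl="$3" -v max_ttl="$4" '
        BEGIN { v = 0 }
        /^[[:space:]]*(;|$)/ || /^\$/ { next }        # comments, blank lines, directives
        NF < 5 { print "malformed record: " $0; v++; next }
        {
            name = $1; ttl = $2 + 0; type = toupper($4)
            total++
            rrset[name " " type]++
            if (ttl < min_ttl || ttl > max_ttl) { print "TTL " ttl " out of range: " $0; v++ }
        }
        type == "SOA" {
            soa++; apex = name
            # canonical SOA rdata: mname rname serial refresh retry expire minimum
            if ($11 + 0 < min_ttl || $11 + 0 > max_ttl) { print "SOA minimum out of range: " $0; v++ }
            if ($8 + 0 < min_ttl || $10 + 0 < $8 + 0) { print "SOA refresh/expire implausible: " $0; v++ }
        }
        type == "NS" { ns_owner[++nns] = name; ns_target[nns] = $5 }
        type == "A" || type == "AAAA" { has_addr[name] = 1 }
        END {
            if (soa != 1) { print "expected exactly one SOA, found " soa + 0; v++ }
            if (total > max_records) { print "too many records: " total " > " max_records; v++ }
            for (key in rrset) if (rrset[key] > max_rrset) { print "RRset too large (" rrset[key] "): " key; v++ }
            apex_ns = 0
            for (i = 1; i <= nns; i++) {
                owner = ns_owner[i]; target = ns_target[i]
                if (owner == apex) { apex_ns++; continue }   # apex NS set is not a delegation
                # a nameserver at or below the delegation point needs glue in this zone
                inside = (target == owner) || (length(target) > length(owner) && substr(target, length(target) - length(owner)) == "." owner)
                if (inside && !(target in has_addr)) { print "delegation " owner " lacks glue for " target; v++ }
            }
            if (apex_ns == 0) { print "no NS records at the apex"; v++ }
            exit (v > 255 ? 255 : v)
        }'
}

# zone_precheck FILE [MAX_RECORDS MAX_PER_RRSET MIN_TTL MAX_TTL] -> 0 if FILE
# (already canonical) passes every check, 1 otherwise.
zone_precheck() {
    f=$1
    [ -r "$f" ] || { echo "unreadable: $f"; return 1; }
    rc=0
    zone_directive_check "$f" || { echo "\$INCLUDE/\$GENERATE directives present: $?"; rc=1; }
    zone_record_check "${2:-10000}" "${3:-20}" "${4:-60}" "${5:-604800}" < "$f" || rc=1
    return "$rc"
}

# Constructed sample zone: a 5-second TTL, a delegation whose in-bailiwick
# nameserver has no glue, and a $GENERATE directive.
zone=$(mktemp)
cat > "$zone" <<'EOF'
example.org.      3600 IN SOA ns1.example.org. hostmaster.example.org. 2024010101 7200 3600 1209600 3600
example.org.      3600 IN NS  ns1.example.org.
ns1.example.org.  3600 IN A   192.0.2.1
www.example.org.     5 IN A   192.0.2.10
sub.example.org.  3600 IN NS  ns.sub.example.org.
$GENERATE 1-1000 host-$ A 192.0.2.$
EOF
if zone_precheck "$zone"; then echo "ACCEPT"; else echo "REJECT $zone"; fi
rm -f "$zone"
```

Once a zone that passed has been loaded, ``pdnsutil check-zone ZONE`` runs PowerDNS's own consistency checks on it; the limits above are deliberately stricter than what PowerDNS itself enforces and should be tuned to what the third party legitimately needs.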