NetBSD/usr.sbin/named/doc/bog/ns.me

130 lines
6.5 KiB
Plaintext
Raw Normal View History

1998-01-09 11:03:16 +03:00
.\" $NetBSD: ns.me,v 1.2 1998/01/09 08:09:50 perry Exp $
.\"
1997-04-13 13:06:10 +04:00
.\" Copyright (c) 1986, 1988
.\" The Regents of the University of California. All rights reserved.
.\"
.\" Redistribution and use in source and binary forms, with or without
.\" modification, are permitted provided that the following conditions
.\" are met:
.\" 1. Redistributions of source code must retain the above copyright
.\" notice, this list of conditions and the following disclaimer.
.\" 2. Redistributions in binary form must reproduce the above copyright
.\" notice, this list of conditions and the following disclaimer in the
.\" documentation and/or other materials provided with the distribution.
.\" 3. All advertising materials mentioning features or use of this software
.\" must display the following acknowledgement:
.\" This product includes software developed by the University of
.\" California, Berkeley and its contributors.
.\" 4. Neither the name of the University nor the names of its contributors
.\" may be used to endorse or promote products derived from this software
.\" without specific prior written permission.
.\"
.\" THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
.\" ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
.\" IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
.\" ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
.\" FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
.\" DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
.\" OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
.\" HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
.\" LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
.\" OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
.\" SUCH DAMAGE.
.\" -
.\" Portions Copyright (c) 1993 by Digital Equipment Corporation.
.\"
.\" Permission to use, copy, modify, and distribute this software for any
.\" purpose with or without fee is hereby granted, provided that the above
.\" copyright notice and this permission notice appear in all copies, and that
.\" the name of Digital Equipment Corporation not be used in advertising or
.\" publicity pertaining to distribution of the document or software without
.\" specific, written prior permission.
.\"
.\" THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
.\" WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
.\" OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
.\" CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
.\" DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
.\" PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
.\" ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
.\" SOFTWARE.
.\"
.\" @(#)ns.me 6.3 (Berkeley) 9/19/89
.\"
.sh 1 "The Name Service"
.pp
The basic function of the name server is to provide information about network
objects by answering queries. The specifications for this name server are
defined in RFC1034, RFC1035 and RFC974. These documents can be found in
\fI/usr/src/etc/named/doc\fP in 4.3BSD or \fIftp\fPed from
\fBftp.rs.internic.net\fP.
It is also recommended that you read the related manual pages,
\fInamed\fP\|(8),
\fIresolver\fP\|(3),
and \fIresolver\fP\|(5).
.pp
The advantage of using a name server over the host table lookup for host
name resolution is to avoid the need for a single centralized clearinghouse
for all names. The authority for this information can be delegated to the
different organizations on the network responsible for it.
.pp
The host table lookup routines require that the master file for the entire
network be maintained at a central location by a few people. This works
fine for small networks where there are only a few machines and the
different organizations responsible for them cooperate. But this does not
work well for large networks where machines cross organizational boundaries.
.pp
With the name server, the network can be broken into a hierarchy of domains.
The name space is organized as a tree according to organizational or
administrative boundaries.
Each node, called a \fIdomain\fP, is given a label, and the name of the
domain is the concatenation of all the labels of the domains from
the root to the current domain, listed from right to left separated by dots.
A label need only be unique within its domain.
The whole space is partitioned into several areas called \fIzones\fP,
each starting at a domain and extending down to the leaf domains or to
domains where other zones start.
Zones usually represent administrative boundaries.
An example of a host address for a host at the University of California,
Berkeley would look as follows:
.(b
\fImonet\fP\|\fB.\fP\|\fIBerkeley\fP\|\fB.\fP\|\fIEDU\fP
.)b
The top level domain for educational organizations is EDU;
Berkeley is a subdomain of EDU and monet is the name of the host.
.sh 1 Security
.pp
This section examines some of the know security implications of various
versions of BIND. Some of these have been used to attack the nameservers
in the past.
.sh 2 "Unnecessary Glue"
.pp
Unnecessary glue can lead to incorrect records being loaded into the
server. This can result in connections going to the wrong machines.
.pp
To prevent unnecessary glue being loaded, all the servers of zones being
servered by a server and the servers of the parent zones need to be
upgraded to BIND 4.9.3 or later.
.sh 2 "Insertion of data into a zone that is being servered"
.pp
BIND versions prior to BIND 4.9.2 are subject to the insertion of
resource records into zone that they are serving.
.sh 2 "Denial of Service: Hash Bug Exploit"
.pp
September 1996 saw the COM TLD subject to a denial of service attack by
injecting into the DNS a record with a final label of COM, eight spaces
and COM. This effected BIND 4.9.4 servers. Similar attacks are possible
on BIND 4.9.3 and BIND 4.9.3-P1.
.pp
It is recommend that you run a BIND 4.9.4-P1 or later server to avoid
this exploit.
.sh 2 "Denial of Service: TTL Inconsistency Attacks"
.pp
If you are still using multiple TTL values within a RRset you can be
subject to a denial of service attack. BIND 4.9.5 onwards uses multiple
ttl values within a RRset to reject obviously bad RRset.
.pp
It is recommend that you upgrade to BIND 4.9.5 or later as these server
prevent you loading multiple TTL values and doesn't merge answers received
across the network.