PHP DNS (Bind 8.x) Management Class: Security Considerations

Security Considerations

In order to configure your name server from a web application, your web server will require read and write access to your bind configuration files. This means either the web server will have to be run as root (Aieeeeee!) or your bind configuration files will need permissions that allow the web server access. The second method is obviously the better solution.

You should create all of your zone files as mode 664 (or 660), owned by root:[gid of webserver]. This is the most secure way I can think of to set it up. Also, you should use VERY restrictive access lists within your web server (and possibly even on your router).

Suggestions for setting up nameservers
If you are only serving one or two zones, it won't hurt to run a web application on your nameserver. However, ISPs -- for security reasons alone -- will probably balk at that idea. What I recommend doing is the following:

As an ISP, you probably have a management server. In other words, a machine or machines which you use for the management of other machines. It may serve your intranet or it may be a shell machine for support techs. I recommend running a web server AND a name server on this machine. Use this server for modifying zone files when customers request hostname changes or additions. This has three benefits:

  1. You don't have to restart the nameservers serving all of your zones every time a change is requested.
  2. You don't introduce any extra load of shell access to your name server machines. Your name servers basically become a black box.
  3. Your name servers will never contain zones with errors, since erroneous zones are automatically rejected. This guarantees that your name servers will always start.

Create an access list within the administration server so your customers can't query it (just a precaution). Now set up your name servers to slave all of the zones from the administration server.

Now the only time you need to restart your nameservers is when zones are added and/or removed. When changes are made, only the administration name server gets restarted, and the slaves are "NOTIFIED" via the name service slaving protocol (named-xfer) that there are updates.

Adding zones to the slave servers
As of this writing, I have not added support for configuring slave servers automatically. I simply run a script which generates the slave config from the master config and pushes the files to the slave servers. This is obviously not very pretty. Support will be added for automating this task (most likely via scp and/or NFS).
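An added example of the kind of generator script described above, covering the slave setup from the previous section as well; it is not part of the class or its distribution. It rewrites every "type master" zone stanza of a BIND 8 named.conf into a "type slave" stanza pointing at the administration server; the sample named.conf, the administration server address 192.0.2.10 and the "slave/db.<zone>" file naming are constructed assumptions.

```shell
#!/bin/sh
# Usage: gen_slave_conf ADMIN_IP < master-named.conf > slave-named.conf
# Only master zones are converted; hint zones and existing slave zones are
# dropped, and the slave's own "options" stanza is left for you to write.
gen_slave_conf() {
    admin_ip="$1"
    awk -v admin="$admin_ip" '
        # Start of a zone stanza: remember its name, reset the master flag.
        /^zone[ \t]+"[^"]+"/ {
            name = $2; gsub(/"/, "", name)
            inzone = 1; ismaster = 0
            next
        }
        inzone && /type[ \t]+master[ \t]*;/ { ismaster = 1; next }
        # Closing brace at column 0 ends the stanza; emit the slave form.
        inzone && /^};/ {
            if (ismaster) {
                printf "zone \"%s\" {\n", name
                printf "    type slave;\n"
                printf "    masters { %s; };\n", admin
                printf "    file \"slave/db.%s\";\n", name   # assumed layout
                printf "};\n"
            }
            inzone = 0
            next
        }
    '
}

# Constructed sample master configuration (administration server).
MASTER_CONF='options {
    directory "/var/named";
};

zone "." {
    type hint;
    file "named.root";
};

zone "example.com" {
    type master;
    file "db.example.com";
};

zone "example.net" {
    type master;
    file "db.example.net";
};'
```

Run the output through the same zone-checking step the administration server uses before pushing it, so a broken stanza never reaches a slave.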