Part IV DNS Security
• Chapter 13 TSIG and DNSSEC
• Chapter 14 RNDC Service
• Chapter 15 Some DNS Security Issues
• Chapter 16 DNS Cache Poisoning
Chapter 13 TSIG and DNSSEC
1. TSIG: Transaction Signatures
a. Authenticates DNS messages by signing them with a shared symmetric key
• Secure access control mechanism
• Guarantees the message was not altered in transit
b. Requires clocks to be synchronized between the communicating machines, e.g. by using an NTP server
2. Installing TSIG Keys
a. Generate a key with dnssec-keygen
b. Use the key directive to install and name the key on both machines
• The name must be the same in both places
c. Only named on the two servers should know the key!
• Configure the key in a file with secure permissions and pull it in with include
3. How to use TSIG
a. Create TSIG symmetric keys
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST chul.com
# ls /etc/named/
Kchul.com.+157+56137.key
Kchul.com.+157+56137.private
b. Add the key to /etc/named.conf on the Master and Slave server
# vi /etc/named.conf (Master)
key "chul.com" {
    algorithm hmac-md5;
    secret "24XuKLUSdkQYjbDXw7Z48g==";
};
# vi /etc/named.conf (Slave)
key "chul.com" {
    algorithm hmac-md5;
    secret "24XuKLUSdkQYjbDXw7Z48g==";
};
server 192.168.80.5 {
    keys { chul.com; };
};
c. Permit allow-transfer using the TSIG key on the Master
zone "chul.com" IN {
    type master;
    file "chul.zone";
    allow-transfer { key chul.com; };
};
d. Dynamic DNS update using the TSIG key
zone "chul.com" IN {
    type master;
    file "chul.zone";
    allow-update { key chul.com; };
};
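To show what the TSIG key configured above actually protects, the following is an added example (not from the slides): a Python implementation of the RFC 2845 HMAC-MD5 TSIG MAC over a constructed AXFR query for chul.com, using the slide's 128-bit secret, with the receiver-side fudge check that is the reason section 1.b requires synchronized clocks. The message bytes and the timestamps are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct
from typing import Tuple

# Key material from the slides: key name "chul.com", HMAC-MD5, 128-bit secret.
KEY_NAME = "chul.com"
KEY_SECRET = base64.b64decode("24XuKLUSdkQYjbDXw7Z48g==")
ALGORITHM = "hmac-md5.sig-alg.reg.int"  # RFC 2845 algorithm name for HMAC-MD5
FUDGE = 300                              # seconds of clock skew tolerated (BIND default)


def wire_name(name: str) -> bytes:
    """Encode a DNS name in uncompressed wire format: length-prefixed labels + root."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_axfr_query(msg_id: int = 0x1234) -> bytes:
    """Constructed sample input: a bare AXFR request for chul.com (header + question)."""
    header = struct.pack("!HHHHHH", msg_id, 0, 1, 0, 0, 0)  # ID, flags, QD=1, AN/NS/AR=0
    return header + wire_name("chul.com") + struct.pack("!HH", 252, 1)  # AXFR, class IN


def tsig_mac(message: bytes, time_signed: int, fudge: int = FUDGE) -> bytes:
    """HMAC over the DNS message followed by the TSIG variables (RFC 2845 section 3.4.2)."""
    variables = (
        wire_name(KEY_NAME) + struct.pack("!HI", 255, 0)                   # name, class ANY, TTL 0
        + wire_name(ALGORITHM)
        + struct.pack("!HI", time_signed >> 32, time_signed & 0xFFFFFFFF)  # 48-bit time signed
        + struct.pack("!HHH", fudge, 0, 0)                                 # fudge, error, other-len
    )
    return hmac.new(KEY_SECRET, message + variables, hashlib.md5).digest()


def sign(message: bytes, now: int) -> Tuple[bytes, int]:
    """Sender side: return (mac, time_signed) for a message sent at time `now`."""
    return tsig_mac(message, now), now


def verify(message: bytes, mac: bytes, time_signed: int, now: int) -> bool:
    """Receiver side: reject BADTIME (clocks out of sync) or BADSIG (message altered)."""
    if abs(now - time_signed) > FUDGE:
        return False  # BADTIME: this is why the slides require NTP on both machines
    return hmac.compare_digest(mac, tsig_mac(message, time_signed))
```

A real TSIG RR additionally carries the MAC, time and fudge in the message's additional section; the MAC computation shown here is the part that decides whether a transfer or update is accepted.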
Chapter 14 RNDC Service
1. RNDC Service
• A name server control utility that comes along with the bind package
• Uses a digital signature (a shared HMAC key) to authenticate to name servers
• Used to reload the configuration file and zones and to flush the DNS cache
2. RNDC Configuration on the Master nameserver
a. Create a new key using rndc-confgen
# rndc-confgen -a -b 256 -k rndc-key
b. Create rndc.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "uAJDgQqSXujG/91/O7KyxcgUwtyNoZCUgagnZp7Cy2k=";
};
options {
    default-key "rndc-key";
    default-server 127.0.0.1;
    default-port 953;
};
c. Edit /etc/named.conf
key "rndc-key" {
    algorithm hmac-md5;
    secret "uAJDgQqSXujG/91/O7KyxcgUwtyNoZCUgagnZp7Cy2k=";
};
controls {
    inet 127.0.0.1 allow { localhost; } keys { rndc-key; };
};
# service named restart
# rndc status
3. RNDC Configuration on Master and Slave nameserver
3.1 On the Slave nameserver
a. Create a new remote key using dnssec-keygen
# dnssec-keygen -a HMAC-MD5 -b 128 -n HOST remote-key
b. Create rndc.conf (/etc/rndc.conf)
key "remote-key" {
    algorithm hmac-md5;
    secret "uAJDgQqSXujG/91/O7KyxcgUwtyNoZCUgagnZp7Cy2k=";
};
server 192.168.80.5 {
    key "remote-key";
};
3.2 On the Master nameserver (/etc/named.conf)
key "remote-key" {
    algorithm hmac-md5;
    secret "uAJDgQqSXujG/91/O7KyxcgUwtyNoZCUgagnZp7Cy2k=";
};
controls {
    inet 192.168.80.5 allow { 192.168.80.6; } keys { remote-key; };
};
# rndc reload
4. How to use RNDC
a. Basic usage
# rndc -s 192.168.80.5 reload
# rndc -s 192.168.80.5 reload localhost
# rndc -s 192.168.80.5 status
# rndc -s 192.168.80.5 refresh chul.com
# rndc -s 192.168.80.5 halt
# rndc -s 192.168.80.5 querylog on
b. Usage for Dynamic DNS
# rndc -s 192.168.80.5 freeze chul.com   // suspend dynamic updates to the zone (all dynamic zones if no zone is given)
# rndc -s 192.168.80.5 reload chul.com
# rndc -s 192.168.80.5 thaw chul.com     // re-enable updates and reload the zone (all dynamic zones if no zone is given)
c. Updating zone keys
# vi /etc/named.conf
zone "chul.com" IN {
    type master;
    file "chul.zone";
    auto-dnssec maintain;   // or: auto-dnssec allow;
    update-policy { grant ddns-key.chul.com zonesub ANY; };
};
# rndc -s 192.168.80.5 sign chul.com [in internal]
# rndc -s 192.168.80.5 validation on
Chapter 15 Some BIND Security Issues
1. BIND version information
• BIND leaks version information through built-in CH TXT resource records
• The best way to block this is to use a custom view to suppress all CH records; the simpler version option shown below only replaces the string
$ host -c chaos -t txt version.bind ns.chul.com
$ dig @ns.chul.com txt chaos version.bind
# vi /etc/named.conf
options {
    version "Who are you";
};
2. Restricting queries in a particular zone
BIND also allows you to apply an access control list to a particular zone. In this case, just use allow-query as a substatement of the zone statement for the zone you want to protect:
acl "mylist" { 192.168.0/24; 127/8; };
zone "chul.com" {
    type slave;
    file "chul.com";
    masters { 192.168.80.5; };
    allow-query { "mylist"; };
};
3. use-id-pool
• introduced in BIND 8.2
• tells our name server to take special care to use random message IDs in queries
• otherwise the message IDs aren't random enough to prevent brute-force attacks that guess the IDs our name server has outstanding in order to spoof a response
options {
    use-id-pool yes;
};
4. Query number restriction
§ The number of recursive queries to allow at the same time (default 1000)
§ The number of TCP queries to allow at the same time (default 100)
options {
    recursive-clients 3000;
    tcp-clients 2000;
};
5. Useful websites for DNS
§ www.bind9.net
Chapter 16 DNS Cache Poisoning
1. DNS spoofing (DNS cache poisoning): a computer hacking attack whereby data is introduced into a DNS name server's cache database, causing the name server to return an incorrect IP address and diverting traffic to the attacker's computer
2. Solutions
a. Use an up-to-date BIND version
b. DNSSEC: use authentication
c. Randomize the UDP source port
Part V DNS GUI Tools
• Chapter 17 Webmin
• Chapter 18 DnsBindEditor
Chapter 17 Webmin
1. What is Webmin?
• A web-based interface for system administration for Unix
• Using any modern web browser, you can set up user accounts, Apache, DNS, file sharing and much more
• Removes the need to manually edit Unix configuration files like /etc/passwd
• Lets you manage a system from the console or remotely
2. Download
www.webmin.com/download.html
# rpm -Uvh webmin-1.630-1.noarch.rpm
3. How to use Webmin
https://server.chul.com:10000/
Login as root
Chapter 18 DnsBindEditor
1. What is DnsBindEditor?
• BIND Easy Editor
• Commercial version; a 30-day trial version is available
2. Download the package
www.dnsbindeditor.com
dns-bind-editor-linux-jvm-x32-installer-2.3.0
3. How to configure DnsBindEditor
a. Get an evaluation license for DnsBindEditor from the website
b. How to install
# chmod 755 dns-bind-editor-linux-jvm-x32-installer-2.3.0
# cp dns-bind-editor-linux-jvm-x32-installer-2.3.0 /usr/local/src
# ./dns-bind-editor-linux-jvm-x32-installer-2.3.0