Transcript 00-dark - ZYTRAX
Module 10
Advanced Topics
DNS and DHCP
DHCP can be configured to auto update (using DDNS) the forward and reverse map zones
Can be secured using allow-update (IP and crypto) or update-policy (crypto only)
Crypto may use TSIG or SIG(0)
Used by AD extensively
Interaction between AD and BIND9
DNS - DHCP
DNS - Security Overview
DNS and Security
Local (1) is admin based
  Variety of sysadmin techniques (permissions)
  Chroot (jail)
DDNS (2) - inhibit or use IP/Crypto controls
Zone Transfers (3) - inhibit or use IP/Crypto controls
Resolver (4) - DNSSEC - viable
Resolver (5) - DNSSEC - not viable
Open vs Closed Resolvers
Allows anyone, anywhere to query your resolver
DDoS amplification attacks
recursion yes; is the default
Big Deal - ~50% of resolvers were open
BIND 9.4 partially closes by default using allow-query-cache {localnets; localhost;};
Always use allow-recursion with an explicit list (use an acl clause for big lists)
Closing DNS - Techniques
# all statements below belong in the options {...} clause of named.conf

# If authoritative servers (master/slave)
# inhibit all recursion
recursion no;

# if master/slave with caching (hybrid) or caching only (resolver)
# use an appropriate local address scope statement
# to limit recursion requests to local users
allow-recursion {192.168.2.0/24;}; // change IPs as required
# OR if the DNS server's IPs and netmasks cover the whole
# local network you can use:
allow-recursion {"localnets"; "localhost";};

# personal DNS
# hard limits on the addresses named listens on
listen-on {127.0.0.1;};   // or listen-on {localhost;};
listen-on-v6 {::1;};      // OR listen-on-v6 {localhost;};
# OR
allow-recursion {"localhost";};
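The open-vs-closed distinction above can be verified from the outside: send a recursive query (RD set) for a name the server is not authoritative for and look at the RA bit, RCODE and answer count in the reply. The Python probe below is an added example and is not from the original slides or from ISC; it builds the query by hand, parses the header, and classifies the reply. The two sample replies are constructed in the code (not captured traffic); example.com and 192.0.2.1 are placeholders. A name the target is authoritative for would be answered whether or not recursion is allowed, so pick a foreign name when probing.

```python
import socket
import struct

# DNS header flag bits (RFC 1035 section 4.1.1)
QR = 0x8000   # this is a response
RD = 0x0100   # recursion desired (we set it in the query)
RA = 0x0080   # recursion available (set by an open resolver)
RCODE_REFUSED = 5


def build_query(qname: str, qid: int = 0x1234) -> bytes:
    """Build a minimal A/IN query with RD=1 (what a stub resolver sends)."""
    header = struct.pack("!HHHHHH", qid, RD, 1, 0, 0, 0)
    question = b"".join(bytes([len(label)]) + label.encode("ascii")
                        for label in qname.rstrip(".").split("."))
    question += b"\x00" + struct.pack("!HH", 1, 1)  # root label, QTYPE=A, QCLASS=IN
    return header + question


def parse_header(msg: bytes) -> dict:
    """Return the fields of the 12-byte DNS header we care about."""
    if len(msg) < 12:
        raise ValueError("short DNS message")
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": qid,
        "qr": bool(flags & QR),
        "rd": bool(flags & RD),
        "ra": bool(flags & RA),
        "rcode": flags & 0x000F,
        "ancount": an,
    }


def classify(reply: bytes) -> str:
    """Classify a reply to a recursive query for a name the server does not host."""
    h = parse_header(reply)
    if not h["qr"]:
        return "not-a-response"
    if h["ra"] and h["rcode"] == 0 and h["ancount"] > 0:
        return "open"                 # it recursed on our behalf and answered
    if h["rcode"] == RCODE_REFUSED:
        return "closed-refused"       # allow-recursion / allow-query-cache denied us
    if not h["ra"]:
        return "closed-no-recursion"  # recursion no; typically a referral or empty answer
    return "inconclusive"


def probe(server: str, qname: str = "example.com", timeout: float = 2.0) -> str:
    """Send one UDP query to server:53 and classify what comes back (live network)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(qname), (server, 53))
        data, _ = sock.recvfrom(512)
    except socket.timeout:
        return "no-reply"
    finally:
        sock.close()
    return classify(data)


def _sample_reply(flags: int, ancount: int) -> bytes:
    """Constructed reply for offline demonstration; not captured from a real server."""
    question = build_query("example.com")[12:]
    header = struct.pack("!HHHHHH", 0x1234, flags, 1, ancount, 0, 0)
    answer = b""
    if ancount:
        # name = pointer to the question (offset 12), A/IN, TTL 3600, RDLENGTH 4, 192.0.2.1
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1])
    return header + question + answer


OPEN_REPLY = _sample_reply(QR | RD | RA, 1)          # NOERROR, one answer, RA set -> open
REFUSED_REPLY = _sample_reply(QR | RD | RCODE_REFUSED, 0)  # REFUSED, RA clear -> closed


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    print(target, probe(target))
```

Run it against your own resolver from an address outside your allow-recursion list; anything other than closed-refused or closed-no-recursion means the configuration above is not doing what you think.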
DNS - Uses
DNSBL - DNS Blacklist
  Used for email blacklists
  Whitelists
ENUM
  Maps E.164 (Telephone numbers)
Generic Principle of adding some (processed) name to a base name to get a DNS response
DNS - DNSBL
$TTL 2d ; default RR TTL
$ORIGIN blacklist.example.com.
@ IN SOA ns1.example.com. hostmaster.example.com. (
        2003080800 ; se = serial number
        3h         ; ref = refresh
        15m        ; ret = update retry
        3w         ; ex = expiry
        3h         ; min = minimum
        )
  IN NS ns1.example.com.
  IN NS ns2.example.com.
; black list records - uses origin substitution rule (order unimportant)
; by convention this address is listed to allow testing
2.0.0.127 IN A 127.0.0.2
; black list RRs
135.2.168.192 IN A 127.0.0.2 ; or some result code address
              IN TXT "Optional-explanation for black listing"
; the above entries expand to 135.2.168.192.blacklist.example.com
...
135.17.168.192 IN A 127.0.0.2 ; generic list
DNS - Other Lists
$TTL 2d ; default RR TTL
$ORIGIN whitelist.example.com.
...
; white list records - using origin substitution rule
; order not important other than for local usage reasons
; normal whitelist RRs
; by convention this address should be listed to allow for external testing
2.0.0.127 IN A 127.0.0.2
; address based RRs (same layout as the black list)
135.2.168.192 IN A 127.0.0.2 ; or some result code address
              IN TXT "Optional-explanation for listing"
; the above entries expand to 135.2.168.192.whitelist.example.com
...
135.17.168.192 IN A 127.0.0.2 ; generic list
; name based RRs for white listing
friend.com IN A 127.0.0.1 ; all domain email addresses
           IN TXT "Optional-explanation for listing"
; expands to friend.com.whitelist.example.com
joe.my.my IN A 127.0.0.2 ; single address
; expands to joe.my.my.whitelist.example.com
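The client side of the "generic principle" on the DNS - Uses slide and of the two zone files above (address based black list, address and name based white list) is the construction of the query name: reverse the octets, append the base name, and treat any A answer as "listed" and NXDOMAIN as "not listed". The Python below is an added example, not code from the original slides or from any DNSBL operator. It goes slightly beyond the slides by also handling IPv6 in the reversed-nibble form that IPv6 DNSBLs use, and by including the 127.0.0.2 / 127.0.0.1 self-test a mail server should run before trusting a list. SAMPLE_ZONES is a constructed in-memory copy of the example records above, used so the code runs offline; live_resolve() is the real-DNS hook.

```python
import ipaddress
import socket

# Constructed copy of the example zones on this page (owner name -> A RDATA).
# Not a real DNSBL; the result code 127.0.0.x is list specific and only means "listed".
SAMPLE_ZONES = {
    "2.0.0.127.blacklist.example.com": "127.0.0.2",      # test entry
    "135.2.168.192.blacklist.example.com": "127.0.0.2",  # 192.168.2.135
    "135.17.168.192.blacklist.example.com": "127.0.0.2", # 192.168.17.135
    "2.0.0.127.whitelist.example.com": "127.0.0.2",      # test entry
    "friend.com.whitelist.example.com": "127.0.0.1",
    "joe.my.my.whitelist.example.com": "127.0.0.2",
}


def dnsbl_query_name(address: str, base: str) -> str:
    """Address -> owner name under base: reversed octets (v4) or reversed nibbles (v6)."""
    ip = ipaddress.ip_address(address)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
    else:
        # IPv6 lists use the 32 nibbles of the fully expanded address, reversed
        labels = list(ip.exploded.replace(":", ""))[::-1]
    return ".".join(labels) + "." + base.rstrip(".")


def domain_query_name(domain: str, base: str) -> str:
    """Name based entry (e.g. sender domain) -> owner name under base."""
    return domain.rstrip(".").lower() + "." + base.rstrip(".")


def live_resolve(name: str):
    """Real lookup via the system resolver; None means NXDOMAIN / no A record."""
    try:
        return socket.gethostbyname(name)
    except socket.gaierror:
        return None


def check_address(address: str, base: str, resolve=None):
    """Return the list's A RDATA (result code) for address, or None if not listed."""
    resolve = resolve or SAMPLE_ZONES.get
    return resolve(dnsbl_query_name(address, base))


def check_domain(domain: str, base: str, resolve=None):
    """Same for a name based list."""
    resolve = resolve or SAMPLE_ZONES.get
    return resolve(domain_query_name(domain, base))


def list_selftest(base: str, resolve=None) -> bool:
    """127.0.0.2 must be listed and 127.0.0.1 must not be.

    A list that fails this is dead, wildcarded, or has been turned off by its
    operator (some do so by listing everything); stop consulting it.
    """
    return (check_address("127.0.0.2", base, resolve) is not None
            and check_address("127.0.0.1", base, resolve) is None)


if __name__ == "__main__":
    for addr in ("192.168.2.135", "192.168.2.136", "2001:db8::1"):
        print(dnsbl_query_name(addr, "blacklist.example.com"),
              "->", check_address(addr, "blacklist.example.com"))
    print("selftest:", list_selftest("blacklist.example.com"))
```

To query a real list, pass resolve=live_resolve to check_address() and list_selftest(); the query name construction is identical, only the source of the answer changes.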
DNS - Best Practices
Don't mix Authoritative and caching (practical only for big sites)
Configurations
  document config file changes
  don't assume defaults - be explicit
  Closed resolvers
Zone files
  document changes
  use $ORIGIN (with dot!)
  Be consistent with names (w/o $ORIGIN)
DNS Resources
http://www.zytrax.com/books/dns
http://www.isc.org (BIND 9)
www.dnssec-deployment.org
www.dnssec.net (info portal)
Pro DNS and BIND!
Quick Quiz
Can DHCP be used to update the reverse map file?
Name at least two security threats.
Why is an OPEN DNS a Bad Thing?
Name at least one other use for DNS.
Why is $ORIGIN important?