DNSDNS Security Tutorial

About This Presentation

Title:

DNSDNS Security Tutorial

Description:

DNS created in 1983 by Paul Mockapetris (RFCs 1034 and 1035), modified, updated, ... Snapshots (Alphas) Never Use Snapshots on production servers. Getting BIND 9. HTTP ... – PowerPoint PPT presentation

Number of Views:254

Avg rating:3.0/5.0

Slides: 169

Provided by: apni6

Category:

more less

Transcript and Presenter's Notes

Title: DNSDNS Security Tutorial

1
DNS/DNS Security Tutorial

03 April 2008
Jakarta, Indonesia
APJII Open Policy Meeting

2
Acknowledgements

Bill Manning
Ed Lewis
Joe Abley
Olaf M. Kolkman

3
Introduction to DNS

4
Naming History

1970s ARPANET
Host.txt maintained by the SRI-NIC
pulled from a single machine
Problems
traffic and load
Name collisions
Consistency
DNS created in 1983 by Paul Mockapetris (RFCs
1034 and 1035), modified, updated, and enhanced
by a myriad of subsequent RFCs

5
DNS

A lookup mechanism for translating objects into
other objects
A globally distributed, loosely coherent,
scalable, reliable, dynamic database
Comprised of three components
A name space
Servers making that name space available
Resolvers (clients) which query the servers about
the name space

6
DNS Features Global Distribution

Data is maintained locally, but retrievable
globally
No single computer has all DNS data
DNS lookups can be performed by any device
Remote DNS data is locally cachable to improve
performance

7
DNS Features Loose Coherency

The database is always internally consistent
Each version of a subset of the database (a zone)
has a serial number
The serial number is incremented on each database
change
Changes to the master copy of the database are
replicated according to timing set by the zone
administrator
Cached data expires according to timeout set by
zone administrator

8
DNS Features Scalability

No limit to the size of the database
One server has over 20,000,000 names
Not a particularly good idea
No limit to the number of queries
24,000 queries per second handled easily
Queries distributed among masters, slaves, and
caches

9
DNS Features Reliability

Data is replicated
Data from master is copied to multiple slaves
Clients can query
Master server
Any of the copies at slave servers
Clients will typically query local caches

10
DNS Features Dynamicity

Database can be updated dynamically
Add/delete/modify of any record
Modification of the master database triggers
replication
Only master can be dynamically updated
Creates a single point of failure

11
Concept DNS Names

How names appear in the DNS
Fully Qualified Domain Name (FQDN)
WWW.APNIC.NET.
labels separated by dots
DNS provides a mapping from FQDNs to resources of
several types
Names are used as a key when fetching data in the
DNS

12
Concept DNS Names contd.

Domain names can be mapped to a tree
New branches at the dots

Root DNS
dots
net
org
com
ccTLDs
iana
apnic
whois
www
ftp
whois
13
Concept Resource Records

The DNS maps names into data using Resource
Records.
More detail later

Resource Record
www.apnic.net. A 10.10.10.2
Address Resource
14
Concept Domains

Domains are namespaces
Everything below .com is in the com domain
Everything below apnic.net is in the apnic.net
domain and in the net domain

15
Concept Domains

com
net
edu

google
sun
apnic
tislabs
isi

moon

training
www
www
ftp

ns1
ns2
16
Delegation

Administrators can create subdomains to group
hosts
According to geography, organizational
affiliation or any other criterion
An administrator of a domain can delegate
responsibility for managing a subdomain to
someone else
But this isnt required
The parent domain retains links to the delegated
subdomain
The parent domain remembers who it delegated
the subdomain to

17
Concept Zones and Delegations

Zones are administrative spaces
Zone administrators are responsible for portion
of a domains name space
Authority is delegated from a parent and to a
child

18
Concept Zones and Delegations

net domain
com
net
edu

google
apnic
tislabs
sun
isi

moon

training
www
www
ftp

ns1
ns2
19
Concept Name Servers

Name servers answer DNS questions
Several types of name servers
Authoritative servers
master (primary)
slave (secondary)
(Caching) recursive servers
also caching forwarders
Mixture of functionality

20
Concept Name Servers contd.

Authoritative name server
Give authoritative answers for one or more zones
The master server normally loads the data from a
zone file
A slave server normally replicates the data from
the master via a zone transfer

21
Concept Name Servers contd.

Authoritative name server

slave
master
slave
22
Concept Name Servers contd.

Recursive server
Do the actual lookups ask questions to the DNS
on behalf of the clients
Answers are obtained from authoritative servers
but the answers forwarded to the clients are
marked as not authoritative
Answers are stored for future reference in the
cache

23
Concept Resolvers

Resolvers ask the questions to the DNS system on
behalf of the application
Normally implemented in a system library (e.g,
libc)
gethostbyname(char name)
gethostbyaddr(char addr, int len, type)

24
Concept Resolving process Cache

Question www.apnic.net A
root-server
www.apnic.net A ?
Ask net server _at_ X.gtld-servers.net ( glue)
www.apnic.net A ?
Caching forwarder (recursive)
Resolver
192.168.5.10
www.apnic.net A ?
gtld-server
Ask apnic server _at_ ns.apnic.net ( glue)
Add to cache
www.apnic.net A ?
192.168.5.10
apnic-server
25
Concept Resource Records

Resource records consist of its name, its TTL,
its class, its type and its RDATA
TTL is a timing parameter
IN class is widest used
There are multiple types of RR records
Everything behind the type identifier is called
rdata

www.apnic.net. 3600 IN A 10.10.10.2
ttl
Label
type
rdata
class
26
Example RRs in a zone file

apnic.net. 7200 IN SOA ns.apnic.net.
admin.apnic.net. (
2008022601 Serial
12H Refresh 12 hours
4H Retry 4 hours
4D Expire 4 days
2H Negative cache 2
hours )
apnic.net. 7200 IN NS ns.apnic.net.
apnic.net. 7200 IN NS ns.ripe.net.
whois.apnic.net. 3600 IN A 193.0.1.162

host25.apnic.net. 2600 IN A 193.0.3.25
27
Resource Record SOA and NS

The SOA and NS records are used to provide
information about the zone itself
The NS indicates where information about a given
zone can be found
apnic.net. 7200 IN NS ns.apnic.net.
apnic.net. 7200 IN NS ns.ripe.net.
The SOA record provides information about the
start of authority, i.e. the top of the zone,
also called the APEX

28
Concept TTL and other Timers

TTL is a timer used in caches
An indication for how long the data may be reused
Data that is expected to be stable can have
high TTLs
SOA timers are used for maintaining consistency
between primary and secondary servers

29
Places where DNS data lives

Changes do not propagate instantly

Slave
Might take up to refresh to get data from
master
Not going to net if TTLgt0
Cache server
Master
Registry DB
Slave server
30
To remember...

Multiple authoritative servers to distribute load
and risk
Put your name servers apart from each other
Caches to reduce load to authoritative servers
and reduce response times
SOA timers and TTL need to be tuned to needs of
zone. Stable data higher numbers

31
What have we learned so far

We learned about the architectures of
resolvers,
caching forwarders,
authoritative servers,
timing parameters
We continue writing a zone file

32
Writing a zone file

Zone file is written by the zone administrator
Zone file is read by the master server and its
content is replicated to slave servers
What is in the zone file will end up in the
database
Because of timing issues it might take some time
before the data is actually visible at the client
side

33
First attempt

The header of the zone file
Start with a SOA record
Include authoritative name servers and, if
needed, glue
Add other information
Add other RRs
Delegate to other zones

34
Authoritative NS records and related A records

NS record for all the authoritative servers
They need to carry the zone at the moment you
publish
A records only for in-zone name servers
Delegating NS records might have glue associated

apnic.net. 3600 IN NS NS1.apnic.net. apnic.net.
3600 IN NS NS2.apnic.net. NS1.apnic.net. 3600
IN A 203.0.0.4 NS2.apnic.net. 3600 IN A
193.0.0.202
35
Other APEX data
apnic.net. 3600 IN MX 50 mailhost.apnic.net. apni
c.net. 3600 IN MX 150 mailhost2.apnic.net. apnic
.net. 3600 IN TXT Demonstration and test zone

SMTP uses MX records to find the destination
mail server
If a mail is sent to admin_at_apnic.net the sending
mail agent looks up apnic.net MX
MX record contains mail relays with priority
The lower the number the higher the priority
Dont add MX records without having a mail relay
configured

36
Other data in the zone

Add all the other data to your zone file
Some notes on notation
Note the fully qualified domain name including
trailing dot
Note TTL and CLASS

localhost.apnic.net. 3600 IN A
127.0.0.1 NS1.apnic.net. 4500 IN A
203.0.0.4 www.apnic.net. 3600 IN CNAME
wasabi.apnic.net. apnic.net. 3600 IN MX 50 mail.ap
nic.net.
37
Zone file format short cutsnice formatting

apnic.net. 3600 IN SOA NS1.apnic.net.
admin\.email.apnic.net. ( 2008022601
serial 1h refresh 30M retry
1W expiry 3600 ) neg. answ.
Ttl apnic.net. 3600 IN NS NS1.apnic.net. apnic
.net. 3600 IN NS NS2.apnic.net. apnic.net.
3600 IN MX 50 mail.apnic.net. apnic.net.
3600 IN MX 150 mailhost2.apnic.net. apnic.net
. 3600 IN TXT Demonstration and test
zone NS1.apnic.net. 4500 IN A
203.0.0.4 NS2.apnic.net. 3600 IN A
193.0.0.202 localhost.apnic.net. 3600 IN A
127.0.0.1 www.apnic.net. 3600 IN CNAME
IN.apnic.net.
38
Zone file short cuts repeating last name

apnic.net. 3600 IN SOA NS1.apnic.net.
admin\.email.apnic.net. ( 2008022601
serial 1h refresh 30M
retry 1W expiry 3600 ) neg. answ.
Ttl 3600 IN NS NS1.apnic.net.
3600 IN NS NS2.apnic.net. 3600 IN
MX 50 mail.apnic.net. 3600 IN MX 150
mailhost2.apnic.net. 3600 IN TXT
Demonstration and test zone NS1.apnic.net.
3600 IN A 203.0.0.4 NS2.apnic.net. 3600
IN A 193.0.0.202 localhost.apnic.net. 4500 IN
A 127.0.0.1 www.apnic.net. 3600 IN CNAME
IN.apnic.net.
39
Zone file short cuts default TTL

TTL 3600 Default TTL directive apnic.net. IN
SOA NS1.apnic.net. admin\.email.apnic.net. (
2008022601 serial 1h refresh
30M retry 1W expiry 3600 )
neg. answ. Ttl IN NS
NS1.apnic.net. IN NS
NS2.apnic.net. IN MX 50 mail.apnic.net. I
N MX 150 mailhost2.apnic.net. IN TXT
Demonstration and test zone NS1.apnic.net. IN
A 203.0.0.4 NS2.apnic.net. IN A
193.0.0.202 localhost.apnic.net. 4500 IN A
127.0.0.1 www.apnic.net. IN CNAME
NS1.apnic.net.
40
Zone file short cuts ORIGIN

TTL 3600 Default TTL directive ORIGIN
apnic.net. _at_ IN SOA NS1 admin\.email.apnic.net
. ( 2008022601 serial 1h
refresh 30M retry 1W expiry
3600 ) neg. answ. Ttl IN NS NS1
IN NS NS2 IN MX 50
mailhost IN MX 150 mailhost2 IN TXT
Demonstration and test zone NS1 IN A
203.0.0.4 NS2 IN A 193.0.0.202 localhost
4500 IN A 127.0.0.1 www IN CNAME NS1
41
Zone file short cuts Eliminate IN

TTL 3600 Default TTL directive ORIGIN
apnic.net. _at_ SOA NS1 admin\.email.sanog.org.
( 2008022601 serial 1h
refresh 30M retry 1W expiry
3600 ) neg. answ. Ttl NS NS1
NS NS2 MX 50 mailhost MX
150 mailhost2 TXT Demonstration and test
zone NS1 A 203.0.0.4 NS2 A
193.0.0.202 localhost 4500 A
127.0.0.1 www CNAME NS1
42
Delegating a zone (becoming a parent)

Delegate authority for a sub domain to another
party (splitting of training.apnic.net from
apnic.net)

com
net
edu

google
sun
apnic
tislabs
isi

moon

training
www

www
ftp

ns1
ns2
43
Concept Glue

Delegation is done by adding NS records
training.apnic.net. NS ns1.training.apnic.net.
training.apnic.net. NS ns2.training.apnic.net.
training.apnic.net. NS ns1.apnic.net.
training.apnic.net. NS ns2.apnic.net.
How to get to ns1 and ns2 We need the addresses
Add glue records to so that resolvers can reach
ns1 and ns2
ns1.training.apnic.net. A 10.0.0.1
ns2.training.apnic.net. A 10.0.0.2

44
Concept Glue contd.

Glue is non-authoritative data
Dont include glue for servers that are not in
sub zones

training.apnic.net. NS ns1.training.apnic.net. T
raining.apnic.net. NS ns2.training.apnic.net. tra
ining.apnic.net. NS ns2.apnic.net. training.apni
c.net. NS ns1.apnic.net.
ns1.training.apnic.net. A 10.0.0.1 Ns2.training.
apnic.net. A 10.0.0.2
45
Delegating training.apnic.net. from apnic.net.

training.apnic.net Setup minimum two
servers Create zone file with NS records Add all
training.apnic.net data
apnic.net Add NS records and glue Make sure
there is no other data from the
training.apnic.net. zone in the zone file
46
Questions ?

47
BIND Installation

48
Overview

Retrieving BIND
Building and Installing BIND
Mailing Lists

49
Retrieving BIND

HTTP, FTP
Internet Systems Consortium
http//www.isc.org
Other packages
OpenSSL
Will be needed for DNSSEC

50
BIND

Version 8
In use, available, obsolete
Don't start to use it
Migrate to Version 9
Version 9
Current version (9.4.2)
Release
Release Candidate (Betas)
Snapshots (Alphas)
Never Use Snapshots on production servers

51
Getting BIND 9

HTTP
http//www.isc.org/products/BIND/
http//www.isc.org/products/BIND/bind9.html
BIND 9.4.2 today
FTP
ftp.isc.org - anonymous
Change Directory to /isc/bind9
cd 9.4.2
ftp//ftp.isc.org/isc/bind9/9.4.2/bind-9.4.2.tar.g
z

52
Overview

Retrieving BIND
Building and Installing BIND
Mailing Lists

53
Unpacking BIND9

tar -xvfz bind-9.4.2.tar.gz
Uncompresses and creates directory
bind-9.4.2
What's in there?
A lot of stuff (dig, libraries etc)
./configure (script)
./doc/arm/Bv9ARM.html
Administrator's Reference Manual
Good source!!!

54
Building BIND9

must be in the BIND 9.4.2 directory
gt./configure (options)
Determine the appropriate includes and compiler
settings
gt make
Build and compile
gt make install
sudo (if not root)
Install BIND

55
What happens

Executables
/usr/local/sbin
dnssec-keygen, dnssec-makekeyset, dnssec-signkey,
dnssec-signzone
lwresd, named-checkconf, named-checkzone
rndc, rndc-confgen
named
/usr/local/bin
dig
host, isc-config.sh, nslookup
nsupdate
And libraries included

56
Testing

Make sure right version is now installed
gt named v
gt BIND 9.4.2

57
Overview

Retrieving BIND
Building, Installing BIND
Mailing Lists

58
BIND 9 Mailing Lists

Joining mail lists
http//www.isc.org/services/public/lists/bind-list
s.html
bind9-users, bind-announce
(bind-users is for bind8)
Archives
http//www.isc.org/ml-archives/

59
Questions?
60
Recursive Server

61
Overview

Recursive Service
Root server list
localhost
0.0.127.in-addr.arpa
named.conf

62
Recursive Server

Used to lookup data by applications
Needs to know how to reach top of DNS
Also should stop some queries
localhost, 127.0.0.1
Files
named.conf
root.hints
localhost zone
0.0.127.in-addr.arpa zone
We'll do named.conf last

63
Root server list

List of the 13 root server records
Where to get it
ftp rs.internic.net
anonymous login
cd domain
get one of these files (they are nearly the
same)
db.cache
named.root
named.cache

64
What it looks like

This file holds the information on root
name servers needed to
initialize cache of Internet domain name
servers
(e.g. reference this file in the "cache
. ltfilegt"
configuration file of BIND domain name
servers).
This file is made available by InterNIC
under anonymous FTP as
file
/domain/named.cache
on server FTP.INTERNIC.NET
last update Nov 5, 2002
related version of root zone
2002110501
formerly NS.INTERNIC.NET
. 3600000 IN NS
A.ROOT-SERVERS.NET.
A.ROOT-SERVERS.NET. 3600000 A
198.41.0.4

65
What you do to this file (hints file)

Nothing
You will refer to it in named.conf using a zone
statement
In real networks, don't change it
But for learning, we will change it

66
localhost

Loopback name in operating systems
Means 127.0.0.1
Queries for this shouldn't use recursion
So we will configure a file to define the
localhost. zone
Note the "."

67
localhost file

TTL 86400
_at_ IN SOA localhost. root.localhost. (
1 serial
1800 refresh
900 retry
69120 expire
1080 negative cache ttl
)
NS localhost.
A 127.0.0.1

68
Reverse for localhost

Since we want "localhost -gt 127.0.0.1" we want to
have "127.0.0.1 -gt localhost"
We need a zone called 0.0.127.in-addr.arpa.

69
0.0.127.in-addr.arpa file

TTL 86400
_at_ IN SOA localhost. root.localhost. (
1 serial
1800 refresh
900 retry
69120 expire
1080 negative cache ttl
)
NS localhost.
1 PTR localhost.

70
Assembling the files

Here's my directory
/var/named/recursive ls
0.0.127.in-addr.arpa localhost
named.root
The directory name and file names will be in
named.conf
Now I create a named.conf file in the same
directory

71
named.conf

options
directory "/var/named/recursive"
recursion yes // by default recursion is
on
zone "."
type hint
file "named.root"
zone "localhost."
type master
file "localhost"
zone "0.0.127.in-addr.arpa."
type master
file "0.0.127.in-addr.arpa"

72
Running the server

From the directory
named -g -c named.conf

73
Testing the server

Just to show it is alive
dig _at_127.0.0.1 www.arin.net
ltltgtgt DiG 9.2.2rc1 ltltgtgt _at_127.0.0.1 www.arin.net
global options printcmd
Got answer
-gtgtHEADERltlt- opcode QUERY, status NOERROR,
id 16580
flags qr rd ra QUERY 1, ANSWER 2,
AUTHORITY 10, ADDITIONAL 0
QUESTION SECTION
www.arin.net. IN A
ANSWER SECTION
www.arin.net. 10800 IN A
192.149.252.17
www.arin.net. 10800 IN A
192.149.252.16
AUTHORITY SECTION
arin.net. 10800 IN NS
arrowroot.arin.net.
(and so on)
Query time 3066 msec
SERVER 127.0.0.153(127.0.0.1)
WHEN Wed Feb 19 110705 2003
MSG SIZE rcvd 251

74
Congratulations - Your First Server!

It's just the beginning...

75
Questions ?
76
Reverse DNS

77
Overview

Principles
Creating reverse zones
Setting up nameservers
Reverse delegation procedures

78
What is Reverse DNS?

Forward DNS maps names to numbers
svc00.apnic.net -gt 202.12.28.131
Reverse DNS maps numbers to names
202.12.28.131 -gt svc00.apnic.net

79
Reverse DNS - why bother?

Service denial
That only allow access when fully reverse
delegated eg. anonymous ftp
Diagnostics
Assisting in trace routes etc
SPAM identifications
Registration responsibilities

80
Principles DNS tree
- Mapping numbers to names - reverse DNS
Root DNS
net
edu
com
au
apnic
whois
whois
.in-addr
.arpa
22
.64
.202
81
Creating reverse zones

Same as creating a forward zone file
SOA and initial NS records are the same as normal
zone
Main difference
need to create additional PTR records
Can use BIND or other DNS software to create and
manage reverse zones
Details can be different

82
Creating reverse zones - contd

Files involved
Zone files
Forward zone file
e.g. db.domain.net
Reverse zone file
e.g. db.192.168.254
Config files
ltnamed.confgt
Other
Hints files etc.
Root.hints

83
Start of Authority (SOA) record

ltdomain.name.gt CLASS SOA lthostname.domain.name.
gt ltmailbox.domain.namegt ( ltserial-numb
ergt ltrefreshgt ltretrygt
ltexpiregt ltnegative-cachinggt )
253.253.192.in-addr.arpa.
84
Pointer (PTR) records

Create pointer (PTR) records for each IP address
or

131.28.12.202.in-addr.arpa. IN PTR
svc00.apnic.net.
131 IN PTR svc00.apnic.net.
85
A reverse zone example
ORIGIN 1.168.192.in-addr.arpa. _at_ 3600 IN SOA
test.company.org. ( sys\.admin.company.org.
2002021301 serial 1h
refresh 30M retry 1W
expiry 3600 ) neg. answ.
ttl NS ns.company.org. NS ns2.company.org.
1 PTR gw.company.org 2 PTR ns.company.org. auto
generate 65 PTR host65.company.org GENERATE
65-127 PTR host.company.org.

86
Setting up the primary nameserver

Add an entry specifying the primary server to the
named.conf file
ltdomain-namegt
Ex 28.12.202.in-addr.arpa.
lttype mastergt
Define the name server as the primary
ltpath-namegt
location of the file that contains the zone
records

zone "ltdomain-namegt" in type master file
"ltpath-namegt"
87
Setting up the secondary nameserver

Add an entry specifying the primary server to the
named.conf file
lttype slavegt defines the name server as the
secondary
ltip addressgt is the IP address of the primary
name server
ltdomain-namegt is same as before
ltpath-namegt is where the back-up file is

zone "ltdomain-namegt" in type slave file
"ltpath-namegt" Masters ltIP addressgt
88
Reverse delegation requirements

/24 Delegations
Address blocks should be assigned/allocated
At least two name servers
/16 Delegations
Same as /24 delegations
APNIC delegates entire zone to member
Recommend APNIC secondary zone
lt /24 Delegations
Read classless in-addr.arpa delegation

RFC 2317
89
APNIC ISPs responsibilities

APNIC
Manage reverse delegations of address block
distributed by APNIC
Process organisations requests for reverse
delegations of network allocations
Organisations
Be familiar with APNIC procedures
Ensure that addresses are reverse-mapped
Maintain nameservers for allocations
Minimise pollution of DNS

90
Subdomains of in-addr.arpa domain

Example an organisation given a /16
192.168.0.0/16 (one zone file and further
delegations to downstreams)
168.192.in-addr.arpa zone file should have
0.168.192.in-addr.arpa. NS ns1.organisation0.com.
0.168.192.in-addr.arpa. NS ns2.organisation0.com.
1.168.192.in-addr.arpa. NS ns1.organisation1.com.
1.168.192.in-addr.arpa. NS ns2.organisation1.com.
2.168.192.in-addr.arpa. NS ns1.organisation2.com.
2.168.192.in-addr.arpa. NS ns2.organisation2.com.

91
Subdomains of in-addr.arpa domain

Example an organisation given a /20
192.168.0.0/20 (a lot of zone files!) have to
do it per /24)
Zone files
0.168.192.in-addr.arpa.
1.168.192.in-addr.arpa.
2.168.192.in-addr.arpa.
15.168.192.in-addr.arpa.

92
Subdomains of in-addr.arpa domain

Example case of a /24 subnetted with the mask
255.255.255.192
In-addr zone 254.253.192.in-addr.arpa
Subnets
192.253.254.0/26
192.253.254.64/26
192.253.254.128/26
192.253.254.192/26
If different organisations has to manage the
reverse-mapping for each subnet
Solution to follow

93
Classless in-addr for 192.253.254/24

CNAME records for each of the domain names in the
zone
Pointing to domain names in the new subdomains

ORIGIN 254.253.192.in-addr.arpa. 0-63 NS
ns1.organisation1.com. 0-63 NS
ns2.organisation1.com. 1 CNAME
1.0-63 2 CNAME 2.0-63 64-127 NS
ns1.organisation2.com. 64-127 NS
ns2.organisation2.com. 65 CNAME
65.64-127 66 CNAME 66.64-127
94
Classless in-addr for 192.253.254/24

Using GENERATE (db.192.253.254 file)

ORIGIN 254.253.192.in-addr.arpa. 0-63 NS
ns1.organisation1.com. 0-63 NS
ns2.organisation1.com. GENERATE 1-63 CNAME
.0-63 64-127 NS ns1.organisation2.com. 64
-127 NS ns2.organisation2.com. GENERATE
65-127 CNAME .64-127
95
Classless in-addr for 192.253.254.0/26

Now, the zone data file for 0-63.254.253.192.in-ad
dr.arpa can contain just PTR records for IP
addresses 192.253.254.1 through 192.253.154.63

ORIGIN 0-63.254.253.192.in-addr.arpa. TTL 1d _at_
SOA ns1.organisation1.com. Root.ns1.organisation
1.com. ( 1 Serial 3h Refresh 1h
Retry 1w Expire 1h ) Negative caching
TTL NS ns1.organisation1.com. NS ns2.organisa
tion1.com. 1 PTR org1-name1.organisation
1.com. 2 PTR org1-name2.organisation1.com
. 3 PTR org1-name3.organisation1.com.
96
Reverse delegation procedures

Upon allocation, member is asked if they want /24
place holder domain objects with member
maintainer
Gives member direct control
Standard APNIC database object,
can be updated through myAPNIC, Online form or
via email.
Nameserver/domain set up verified before being
submitted to the database.
Protection by maintainer object
(current auths CRYPT-PW, PGP).
Zone file updated 2-hourly

97
Reverse delegation procedures

Use MyAPNIC to create domain objects
Highly recommended
Or use the web form
http//www.apnic.net/db/domain.html
On-line form interface
Real time feedback
Gives errors, warnings in zone configuration
serial number of zone consistent across
nameservers
nameservers listed in zone consistent

98
Evaluation procedures

Parser checks for
whois database
IP address range is assigned or allocated
Must be in APNIC database
Maintainer object
Mandatory field of domain object
Nic-handles
zone-c, tech-c, admin-c

99
Online errors (also via email)
100
Request submission error
Update failed
Authorisation failed
101
Successful update
102
Creation of domain objects

If you opt to create the domain objects yourself
Either you can use MyAPNIC
Or use web/email templates
Using web/email templates will result in initial
errors
As the /8 is hierarchically maintained by
MAINT-AP-DNS
Contact lthelpdesk_at_apnic.netgt

103
Whois domain object
Reverse Zone
domain 28.12.202.in-addr.arpa descr
in-addr.arpa zone for 28.12.202.in-addr.arpa admin
-c DNS3-AP tech-c DNS3-AP zone-c
DNS3-AP nserver ns.telstra.net nserver
rs.arin.net nserver ns.myapnic.net nserver
svc00.apnic.net nserver
ns.apnic.net mnt-by MAINT-APNIC-AP mnt-lower
MAINT-DNS-AP changed inaddr_at_apnic.net
19990810 source APNIC
Contacts
Name Servers
Maintainers (protection)
104
Removing lame delegations

Objective
To repair or remove persistently lame DNS
delegations
DNS delegations are lame if
Some or all of the registered DNS nameservers are
unreachable or badly configured
APNIC commenced formal implementation of the lame
DNS reverse delegation procedures

105
IPv6 Reverse delegations

106
IPv6 representation in the DNS

Forward lookup support Multiple RR records for
name to number
AAAA (Similar to A RR for IPv4 )
Reverse lookup support
Reverse nibble format for zone ip6.arpa

107
IPv6 forward and reverse mappings

Existing A record will not accommodate IPv6s 128
bit addresses
BIND expects an A records record-specific data
to be a 32-bit address (in dotted-octet format)
An address record
AAAA (RFC 1886)
A reverse-mapping domain
ip6.arpa

108
The reverse DNS tree with IPv6
Root DNS
net
edu
com
int
in-addr
apnic
IP6
whois
whois
RIR
ISP
IPv6 Addresses
Customer
109

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.
0.0.0.1.2.3.4.ip6.arpa.

110
Sample forward lookup file

domain.edu TTL 86400 _at_ IN
SOA ns1.domain.edu. root.domain.edu.
( 2002093000 serial - YYYYMMDDXX 21600
refresh - 6 hours 1200 retry - 20
minutes 3600000 expire - long
time 86400) minimum TTL - 24 hours
Nameservers IN NS ns1.domain.edu. IN NS ns2.do
main.edu. Hosts with just A
records host1 IN A 1.0.0.1 Hosts with both A
and AAAA records host2 IN A 1.0.0.2 IN AAAA 200
14681002
111
IPv6 reverse lookups

IETF decided to restandardize IPv6 PTR RRs
They will be found in the IP6.ARPA namespace
The ip6.int domains has been deprecated
Now using ip6.arpa for reverse

112
IPv6 reverse lookups - PTR records

Similar to the in-addr.arpa
Example reverse name lookup for a host with
address 3ffe80502011860421

b.a.9.8.7.6.5.0.4.0.0.0.3.0.0.0.2.0.0.0.1.0.0.0.0.
0.0.0.1.2.3.4.ip6.arpa. IN
PTR test.ip6.example.com.
ORIGIN 0.6.8.1.1.0.2.0.0.5.0.8.e.f.f.3.ip6.arpa.
1.0.0.0.0.0.0.0.0.0.0.0.2.4.0.0 14400 IN PTR
host.example.com.
113
Sample reverse lookup file

0.0.0.0.0.0.1.0.8.6.4.0.1.0.0.2.rev These
are reverses for 2001468100/64) File can
be used for both ip6.arpa and ip6.int. TTL
86400 _at_ IN SOA ns1.domain.edu.
root.domain.edu. ( 2002093000 serial -
YYYYMMDDXX 21600 refresh - 6
hours 1200 retry - 20 minutes 3600000
expire - long time 86400) minimum TTL - 24
hours Nameservers IN NS ns1.domain.edu. IN
NS ns2.domain.edu. 1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0
IN PTR host1.ip6.domain.edu 2.0.0.0.0.0.0.0.0.0.0
.0.0.0.0.0 IN PTR host2.domain.edu Can
delegate to other nameservers in the usual way
114
Questions ?

115
DNS Security
116
DNS Secure Configurations

Administrative Security
Server configurations, BIND configuration, File
permissions etc.
Zone transfers
Limiting and controlling source and destination
of zone transfer operations
Secure authentication of source and destination
Dynamic Updates
Possible corruption/poison of master zone
Limit access and secure authentication needed
Zone Integrity
Zone data is correct

117
RNDC TSIG

118
What is RNDC?

Remote Name Daemon Controller
Command-line control of named daemon
Usually on same host, can be across hosts
Locally or remotely

119
Configuring RNDC

"rndc-confgen" generates lines to be added to two
files
rndc.conf
named.conf

120
Generating the lines gt rndc-confgen
key rndc-key algorith hmac-md5 secret
rXxroiejf8937Bjf_-532ktj/ Options
default-key rndc-key default-server
127.0.0.1 default-port 953 End of
rndc.conf User with the followign in
named.conf, adjusting the allow list as
needed key rndc-key algorithm
hmac-md5 secret rXxroiejf8937Bjf_-532ktj/
controls inet 127.0.0.1 port
953 allow 127.0.0.1 keys rndc-key

121
Using an rndc.conf file

/etc/rndc.conf specifies defaults for rndc
E.g.,
key "rndc-key"
algorithm hmac-md5
secret "dY7/uIiR0fKGvi5z50Q"
options
default-key "rndc-key"
default-server 127.0.0.1
default-port 953

122
Enabling RNDC in the server named.conf

key definition
key rndc-key
secret "dY7/uIiR0fKGvi5z50Q" algorithm
hmac-md5
Warning example secret looks good but is invalid
(don't copy it!)
controls statement
controls
inet 127.0.0.1 port 953 // for remote host,
use
allow 127.0.0.1 // actual IP
keys "rndc-key"

123
What can be done with RNDC

gt rndc stop - kills server
gt rndc status - prints some information
gt rndc stats - generates stat file (named.stats)
gt rndc reload - refresh zone(s), with variations
gt rndc trace - increases debug level
gt rndc flush - removes cached data
other commands in the ARM

124
TSIG

125
What is TSIG - Transaction Signature?

A mechanism for protecting a message from a
primary to secondary and vice versa
A keyed-hash is applied (like a digital
signature) so recipient can verify message
DNS question or answer
the timestamp
Based on a shared secret - both sender and
receiver are configured with it

126
What is TSIG - Transaction Signature?

TSIG (RFC 2845)
authorizing dynamic updates zone transfers
authentication of caching forwarders
Used in server configuration, not in zone file

127
Names and Secrets

TSIG name
A name is given to the key, the name is what is
transmitted in the message (so receiver knows
what key the sender used)
TSIG secret value
A value determined during key generation
Usually seen in Base64 encoding

128
Using TSIG to protect AXFR

Deriving a secret
gt dnssec-keygen -a ltalgorithmgt -b ltbitsgt -n host
ltname of the keygt
e.g.
gt dnssec-keygen a HMAC-MD5 b 128 n HOST
ns1-ns2.pcx.net
This will generate the key
gt Kns1-ns2.pcx.net.15715921
gtls
Kns1-ns2.pcx.net.15715921.key
Kns1-ns2.pcx.net.15715921.private

129
Using TSIG to protect AXFR

Configuring the key
in named.conf file, same syntax as for rndc
key algorithm ... secret ...
Making use of the key
in named.conf file
server x key ...
where 'x' is an IP number of the other server

130
TSIG keys

Issue Naming the key
Name is arbitrary, but must be consistent between
the named.conf and client
There is an advantage to making it the same as a
domain in the zone
To test the keys, turn on key-based authorization
of AXFR - just for testing

131
Making TSIG keys

dnssec-keygen -a HMAC-MD5 -b 128 -n host \
slave1.dynamic.myzone.example.
dnssec-keygen -a HMAC-MD5 -b 128 -n host \
slave2.dynamic.myzone.example.
ls
Kslave1.dynamic.myzone.example.15742488.key
Kslave1.dynamic.myzone.example.15742488.private
Kslave2.dynamic.myzone.example.15757806.key
Kslave2.dynamic.myzone.example.15757806.private

132
Configuration Example named.conf
Primary server 10.33.40.46 key ns1-ns2.pcx. net
algorithm hmac-md5 secret "APlaceToBe" se
rver 10.33.50.35 keys ns1-ns2.pcx.net zo
ne "my.zone.test." type master file
db.myzone allow-transfer key
ns1-ns2..pcx.net
Secondary server 10.33.50.35 key ns1-ns2.pcx.net
algorithm hmac-md5 secret "APlaceToBe" se
rver 10.33.40.46 keys ns1-ns2.pcx.net z
one "my.zone.test." type slave file
myzone.backup masters 10.33.40.46 allow-t
ransfer key ns1-ns2.pcx.net
You can save this in a file and refer to it in
the named.conf using include
statement include /var/named/master/tsig-key-ns1
-ns2
133
TIME!!!

TSIG is time sensitive - to stop replays
Message protection expires in 5 minutes
Make sure time is synchronized
For testing, set the time
In operations, (secure) NTP is needed

134
Address Match Lists

135
Elements in an address match list

Individual IP addresses
Addresses/netmask pairs
Names of other ACLs
In some contexts, key names

136
Purposes in Bind

Restricting queries zone xfer
Authorizing dynamic updates
Selecting interfaces to listen on
Sorting responses
Address match lists are always enclosed in curly
braces.

137
Notes on Address Match list

Elements must be separated by
The list must be terminated with a
Elements of the address match list are checked
sequentially.
To negate elements of the address match list
prepend them with !
Use acl statement to name an address match list.
acl must be define before it can be used
elsewhere.

138
Example Address match lists

For network 192.168.0.0 255.255.255.0
192.168.0.0/24
For network plus loopback
192.168.0.0/24 127.0.0.1
Addresses plus key name
192.168.0.0/24 127.0.0.1 tequila.apnic.net

139
The acl Statement

Syntax
acl ltacl namegt address match listgt
Example
acl internal 127.0.0.1 192.168.0/24
acl dynamic-update key dhcp.apnic.net

140
Notes on the acl Statement

The acl name need not be quoted.
There are four predefined ACLs
any (Any IP address)
none (No IP address)
localhost (loopback, 127.0.0.1)
localnets (all networks the name server is
directly connected to)

141
Blackhole

options
blackhole ACL-name or itemized list

142
Allow-transfer

zone "myzone.example."
type master
file "myzone.example."
allow-transfer ACL-name or
itemized list

143
Allow-Query

zone "myzone.example."
type master
file "myzone.example."
allow-query ACL-name or
itemized list

144
Listen-on

options
listen-on port ACL-
name or itemized list

145
Summary

ACLs and Configuration options can be used to
create simple split DNS.
It is cumbersome and difficult to maintain.
Good operational practice suggests that ACLs and
configuration options be reviewed regularly to
ensure that they accurately reflect desired
behaviour

146
Views

The view statement is a powerful new feature of
BIND 9 that lets a name server answer a DNS query
differently depending on who is asking. It is
particularly useful for implementing split DNS
setups without having to run multiple servers.

147
Syntax

view view_name class match-clients
address_match_list match-destinations
address_match_list match-recursive-only
yes_or_no view_option ...
zone_statement ...

148
Example Config

view "internal" // This should match our
internal networks. match-clients
10.0.0.0/8 // Provide recursive
service to internal clients only. recursion
yes // Provide a complete view of the
example.com zone // including addresses of
internal hosts. zone "example.com"
type master file
"example-internal.db"

149
Continued

view "external" // Match all clients not
matched by the previous view. match-clients
any // Refuse recursive service to
external clients. recursion no //
Provide a restricted view of the example.com
zone // containing only publicly accessible
hosts. zone "example.com" type
master file "example-external.db"

150
DNSSEC

151
Background

The original DNS protocol wasnt designed with
security in mind
It has very few built-in security mechanism
As the Internet grew wilder wollier, IETF
realized this would be a problem
For example DNS spoofing was to easy
DNSSEC and TSIG were develop to help address this
problem

152
Why DNSSEC?

DNS is not secure
Applications depend on DNS
Known vulnerabilities
DNSSEC protects against data spoofing and
corruption

153
Overview

Introduction
DNSSEC mechanisms
To authenticate servers (TSIG )
To establish authenticity and integrity of data
Quick overview
New RRs
Using public key cryptography to sign a single
zone
Delegating signing authority building chains of
trust
Key exchange and rollovers
Conclusions

154
Reminder DNS Resolving
Question www.apnic.net A
root-server
www.apnic.net A ?
www.apnic.net A ?
go ask net server _at_ X.gtld-servers.net ( glue)
Resolver
192.168.5.10
www.apnic.net A ?
gtld-server
go ask ripe server _at_ ns.apnic.net ( glue)
www.apnic.net A ?
192.168.5.10
apnic-server
155
DNS Data Flow
master
Caching forwarder
Dynamic updates
resolver
156
DNS Vulnerabilities
Corrupting data
Impersonating master
Cache impersonation
master
Caching forwarder
Dynamic updates
resolver
Cache pollution by Data spoofing
Unauthorized updates
Server protection
Data protection
157
TSIG Protected Vulnerabilities
master
Caching forwarder
Dynamic updates
slaves
resolver
158
Vulnerabilities protected by DNSKEY / RRSIG /
NSEC
master
Caching forwarder
Dynamic updates
slaves
resolver
159
Difference Between TSIG and DNSSEC

TSIG secures transaction
Making sure DNS messages come from the right
place and aren't modified in transit
DNSSEC secures (signs) zone data
Making sure resource records are those signed
by the administrator of the zone
Only endpoints that share a key can use TSIG to
verify DNS messages
Any endpoints that support DNSSEC can use it to
verify signed zone data

160
Enable dnssec

In the named.conf,
Options
directory .
dnssec-enable yes

161
Create key pairs

To create ZSK
gt dnssec-keygen -a rsasha1 -b 1024 -n zone
champika.net
To create KSK
gt dnssec-keygen -a rsasha1 -b 1400 -f KSK -n zone
champika.net

162
What will be created?

After key generations (ZSK KSK) you will see 2
files have been created
Files with .key and .private extensions
.key file contains your public key where as
.private file contains your private key

163
Publishing your public key

Using INCLUDE you can call the public key
(DNSKEY RR) inside the zone file
INCLUDE /path/Kchampika.net.00557163.key ZSK
INCLUDE /path/Kchampika.net.00540485.key KSK
You can also manually enter the DNSKEY RR in the
zone file

164
Signing the zone

gt dnssec-signzone -o champika.net -t -k
Kchampika.net.00557163 db.champika.net
Kchampika.net.00540485
Once you sign the zone a file with a .signed
extension will be created
- db.champika.net.signed

165
Signed Zone

Observe the signed zone file
Resource Records
DNSKEY
RRSIG
NSEC
Difference in the file size
db.champika.net Vs db.champika.net.signed

166
Updates to the config file

Modify the zone statement
Replace the previous zone file with the signed
zone file

167
Testing the server

Ask a dnssec enabled question from the server and
see whether the answer contains dnssec-enabled
data
Basically the answers are signed
gt dig _at_localhost www.champika.net dnssec
multiline

168
Questions ?

Write a Comment

User Comments (0)