DNS & Mail in the DMZ
Jason Heiss, Collective Technologies, [email_address] [email_address]
Speaker notes (in slide order):

  • Screening router: a single router filters incoming and outgoing traffic. No defense in depth; a single point of failure, security-wise.
  • Screened subnet: the exterior router limits access to the DMZ hosts and the internal router further limits access to the internal hosts. All inbound packets must terminate in the DMZ. Defense in depth.
  • The internal DNS server is probably more critical to the daily operations of the business (unless you're an Internet company!).
  • The configs shown are only the most basic bits, for demonstration purposes. The internal config is not for a chroot'd setup; see the DMZ config for that. The forwarders would typically be your bastion DNS server(s) in the DMZ. No root hints file is needed because the forwarders do all non-local lookups.
  • The DMZ config is a sample for a chroot'd setup on a bastion host.
  • Making the main directory writable by bind would expose named.conf and your master zone files to modification.
  • The syslog socket is /var/run/log on FreeBSD and /dev/log on Linux. The syslogd syntax shown (-l) is for FreeBSD; Linux's syslogd reportedly uses the -a flag. holelogd works on systems where syslogd doesn't support multiple sockets. An alternative to creating /var/run inside the chroot directory is the controls statement in named.conf, which changes the path of the ndc socket. The symlink in the real /var/run is for ndc, which doesn't know about the chroot.
  • The example libraries are for FreeBSD 4.x. See the Linux HOWTO for the Linux libraries and other requirements.
  • NXDOMAIN is RFC shorthand for "non-existent domain".
  • There are also issues (depending on setup) with all subdomain queries being sent from the main internal server to the forwarder, which then has to do a recursive query (query the main server for the delegation, then query the subdomain server for the data). This puts extra load on the forwarders. Also discussed in the Cricket book.
  • The unique records can be generic (192-168-1-1.foo.net or whatever). Masquerading == PAT (there goes Linux, messing up another perfectly good term).
  • Point at the website for a more complete m4 file.
  • You must build a database map from mailertable with "makemap hash mailertable < mailertable". access_db (discussed shortly) could be used instead of relay-domains.
  • Again, note that you must build database maps from both mailertable and access. Explain the access db, and note that the tagged Connect:/To: entries require sendmail 8.10 or later.
Slides:

2. Firewall Architectures

3. Screening Router Architecture

4. Screened Subnet Architecture

5. DNS (Domain Name Service)

6. Goals
  • Separate internal and external DNS servers
    - Limit the information about your network that is publicly available
    - Protect the internal DNS server from attack
  • Run as a separate user
    - A successful attack on the DNS server does not give root
  • Run in a chroot environment
    - A successful attack doesn't expose the entire server

7. Internal BIND Configuration
  • named.conf

        options {
            forward only;
            forwarders { 1.2.3.4; 1.2.3.5; };
        };
        zone "foo.net" {
            type master;
            file "foo.net";
        };

  • No root hints file
  • Zone files contain full info

8. DMZ BIND Configuration
  • named.conf

        acl slaves { 10.1.2.3; 192.168.1.1; };
        options {
            version "";
            directory "/";                  # really /var/named
            named-xfer "/bin/named.xfer";
            allow-transfer { slaves; };
        };
        zone "." { type hint; file "root.hints"; };
        zone "foo.net" { type master; file "foo.net"; };

  • Zone files contain only external hosts

9. Running BIND as a Non-root User
  • Very simple starting with BIND 8
    - named -u bind -g bind
  • The only things the bind user should be able to write to are the files for slave zones
    - By default these are dumped into the main directory (from named.conf) with somewhat random names
    - That directory would therefore need to be writable by bind
    - Best to specify a specific file name for each slave zone in named.conf and make only those files writable by bind

10. Running BIND in a chroot
  • Looks simple
    - named -t /var/named
  • syslog
    - named can't get at /var/run/log (or /dev/log, or wherever the socket is)
    - syslogd -l /var/named/var/run/log
    - or holelogd from Obtuse Systems' utils package
  • ndc
    - named creates a UNIX socket for ndc to talk to
    - mkdir /var/named/var/run
    - ln -s /var/named/var/run/ndc /var/run/ndc

11. Running BIND in a chroot, cont.
  • Slaves
    - Zone transfers to slaves use named-xfer
    - It must reside in the chroot directory
    - It will probably require some dynamic libraries (or compile a static version of named-xfer):
        /usr/libexec/ld-elf.so.1
        /usr/lib/libutil.so.3
        /usr/lib/libc.so.4

12. ndc
  • ndc, for the most part, works fine (reload, stop, etc.) with all of this special configuration
    - If chroot'd, you need the symlink from the real /var/run/ndc to the chroot's /var/run/ndc
  • "ndc start" fires up named with no arguments, so pass them explicitly:
    - ndc start -u bind -g bind -t /var/named
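The chroot and permission layout of slides 9 through 12, as an added shell script that is not part of the presentation. It assumes a bind user and group, /var/named as the jail, named-xfer at /usr/libexec/named-xfer (its FreeBSD 4.x location) and the slides' foo.net placeholders; the example.net slave zone and its master 1.2.3.4 are hypothetical. It writes the directory tree and a named.conf skeleton and copies named-xfer with its libraries; named itself, root.hints and the zone files are left to you. The audit function at the end is the check worth keeping: a chroot where bind can write named.conf or the master zone has lost most of its value.

```shell
#!/bin/sh
# Lay out a chroot for a non-root BIND 8 on a bastion host, following the
# slides: bind can write only var/run (ndc and syslog sockets) and slaves/
# (slave zone files); named.conf and the master zones stay root-owned.
# Assumptions (not from the slides): user/group "bind", jail /var/named,
# named-xfer at /usr/libexec/named-xfer, hypothetical slave zone example.net.
# Run as root. With no arguments it only defines the functions.
set -eu

BIND_USER="${BIND_USER:-bind}"
BIND_GROUP="${BIND_GROUP:-bind}"

# Directory tree with the minimum writable surface.
make_tree() {
    jail="$1"
    mkdir -p "$jail/bin" "$jail/var/run" "$jail/slaves"
    chmod 755 "$jail" "$jail/bin" "$jail/var"
    chmod 770 "$jail/var/run" "$jail/slaves"
    # chown only when the account exists and we are root (a dry run elsewhere)
    if [ "$(id -u)" = 0 ] && id "$BIND_USER" >/dev/null 2>&1; then
        chown "root:$BIND_GROUP" "$jail/var/run" "$jail/slaves"
    fi
}

# The slide's DMZ named.conf, plus a slave zone with an explicit file name under
# slaves/ so the main directory itself never has to be writable by bind.
write_named_conf() {
    jail="$1"
    cat > "$jail/named.conf" <<'EOF'
acl slaves { 10.1.2.3; 192.168.1.1; };
options {
    version "";
    directory "/";                 // really /var/named; paths are inside the jail
    named-xfer "/bin/named-xfer";
    allow-transfer { slaves; };
};
zone "." { type hint; file "root.hints"; };
zone "foo.net" { type master; file "foo.net"; };
// hypothetical slave zone: fixed, bind-writable file instead of a random name
zone "example.net" { type slave; masters { 1.2.3.4; }; file "slaves/example.net"; };
EOF
    chmod 644 "$jail/named.conf"
}

# Copy a binary to $dest inside the jail together with the shared objects ldd
# reports (mirrored at their original paths), so named-xfer can run when chroot'd.
copy_with_libs() {
    jail="$1"; src="$2"; dest="$3"
    mkdir -p "$jail$(dirname "$dest")"
    cp -p "$src" "$jail$dest"
    # ldd lines look like "libc.so.4 => /usr/lib/libc.so.4 (0x...)" or
    # "/usr/libexec/ld-elf.so.1 (0x...)"; take the absolute path from either.
    ldd "$src" | awk '$2 == "=>" && $3 ~ /^\// { print $3 } $1 ~ /^\// { print $1 }' |
    while read -r lib; do
        mkdir -p "$jail$(dirname "$lib")"
        cp -p "$lib" "$jail$lib"
    done
}

# Everything in the jail that is group- or world-writable outside the two
# directories meant to be writable. Expected output: nothing.
audit_writable() {
    jail="$1"
    find "$jail" \( -perm -020 -o -perm -002 \) ! -type l \
        ! -path "$jail/var/run" ! -path "$jail/var/run/*" \
        ! -path "$jail/slaves"  ! -path "$jail/slaves/*"
}

main() {
    jail="${1:-/var/named}"
    make_tree "$jail"
    write_named_conf "$jail"
    copy_with_libs "$jail" /usr/libexec/named-xfer /bin/named-xfer
    ln -sf "$jail/var/run/ndc" /var/run/ndc   # ndc does not know about the chroot
    echo "group- or world-writable files outside var/run and slaves (expect none):"
    audit_writable "$jail"
    echo "next: syslogd -l $jail/var/run/log; ndc start -u $BIND_USER -g $BIND_GROUP -t $jail"
}

[ $# -eq 0 ] || main "$@"
```

The named-xfer option in named.conf must name the path as seen from inside the jail, which is why the script copies the binary to /bin/named-xfer under the jail and the config refers to it as /bin/named-xfer. On Linux the socket and library details differ (see the speaker notes), but the permission model is the same.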
13. Complications
  • Subdomains
    - client.foo.net queries intradns.foo.net for host.sub.foo.net
    - intradns ignores the delegation and forwards the query to the bastion host
    - The bastion host is authoritative for the (limited) external foo.net, doesn't know about sub.foo.net, and thus returns NXDOMAIN

14. Complications, cont.
  • Subdomains, cont.
    - If you are big enough to need subdomains, you can probably afford a couple of extra PCs to separate the external DNS servers from the forwarders
    - See DNS & BIND (the "DNS and Internet Firewalls" section) for an extensive discussion of the problems and solutions

15. Complications, cont.
  • Double-reverse DNS lookups
    - Performed by many FTP sites
    - The server looks up the hostname associated with the connecting IP
    - The server then looks up the IP associated with that hostname
    - That IP must match the original
    - Requires unique A and PTR records for all public IPs
    - A good case for proxies or NAT/PAT (masquerading): fewer public addresses need matching records
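The double-reverse check described above, as an added shell script (not from the presentation) that you can run against your own public addresses before a remote FTP server does it for you. It uses host(1); the two lookup wrappers are separate functions so they can be pointed at a test resolver or replaced with canned data. The 192.0.2.x addresses in the usage comment are constructed placeholders.

```shell
#!/bin/sh
# Double-reverse lookup, the way a paranoid FTP server checks a connecting
# address: PTR for the IP, then A records for that name, which must include
# the original IP. Added example, not from the slides. Uses host(1); replace
# ptr_lookup/a_lookup to run it against canned data or a test resolver.
set -eu

# PTR name for an address, without the trailing dot; empty if there is none.
ptr_lookup() {
    host "$1" 2>/dev/null | awk '/domain name pointer/ { sub(/\.$/, "", $NF); print $NF }'
}

# Every A record for a name, one per line.
a_lookup() {
    host -t A "$1" 2>/dev/null | awk '/has address/ { print $NF }'
}

# 0 if $1 passes the double-reverse check, 1 otherwise; prints the reason.
double_reverse_check() {
    ip="$1"
    name=$(ptr_lookup "$ip")
    if [ -z "$name" ]; then
        echo "$ip: no PTR record, server would refuse or delay the connection"
        return 1
    fi
    if a_lookup "$name" | grep -qx "$ip"; then
        echo "$ip: PTR $name maps back to $ip, ok"
        return 0
    fi
    echo "$ip: PTR $name does not map back (A: $(a_lookup "$name" | tr '\n' ' '))"
    return 1
}

# Run the check over every public address you hand out, e.g. the whole NAT/PAT
# pool; exit status is non-zero if any address fails.
check_all() {
    rc=0
    for ip in "$@"; do
        double_reverse_check "$ip" || rc=1
    done
    return "$rc"
}

# usage: sh double_reverse.sh 192.0.2.10 192.0.2.11   (constructed addresses)
[ $# -eq 0 ] || check_all "$@"
```

A name with several A records passes as long as one of them is the original address, which is what most servers accept; a missing PTR and a PTR whose name points elsewhere are reported separately because they are fixed in different zones (the reverse zone, usually at your ISP, versus your own forward zone).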
16. Mail

17. Goals
  • Separate internal and external mail servers
    - Protects the internal mail server(s) from attack
    - Provides a choke point at which to apply filters:
        Masquerading
        Virus scanning
  • Run as a separate user
  • Run in a chroot environment
    - Sendmail does not have a built-in chroot feature
    - It would be a good idea if your MTA supports it

18. Internal Sendmail Configuration

        FEATURE(`local_procmail')dnl
        FEATURE(`mailertable')dnl
        MAILER(`local')dnl
        MAILER(`smtp')dnl
        define(`SMART_HOST', `bastion.foo.net')dnl

19. Internal Sendmail Config, cont.
  • /etc/mail/mailertable

        foo.net     local:
        .foo.net    local:

  • /etc/mail/relay-domains

        foo.net

20. DMZ Sendmail Configuration

        MASQUERADE_AS(`foo.net')dnl
        FEATURE(`mailertable')dnl
        FEATURE(`access_db')dnl
        MAILER(`smtp')dnl
        define(`confRUN_AS_USER', `mail:mail')dnl
        define(`confSMTP_LOGIN_MSG', `')dnl
        define(`confPRIVACY_FLAGS', `goaway')dnl

21. DMZ Sendmail Config, cont.
  • /etc/mail/mailertable

        foo.net     smtp:mailhub.foo.net
        .foo.net    smtp:mailhub.foo.net

  • /etc/mail/access

        Connect:mailhub.foo.net    RELAY
        To:foo.net                 RELAY

22. Running Sendmail as a Non-root User
  • The queue should be owned by the mail user so that Sendmail can queue mail temporarily
  • Otherwise the user should have no privileges

23. References
  • BIND
    - DNS and BIND, the "grasshopper" (cricket) book (O'Reilly)
    - Building Internet Firewalls (O'Reilly)
    - Linux HOWTO
  • Sendmail
    - www.sendmail.org (configuration information)
    - www.sendmail.net (good release notes)
    - ofb.net/~jheiss/sendmail_proxy.html
    - Sendmail, the "bat" book (O'Reilly)