“DNSSEC - WHAT IS IT? INSTALL AND CONFIGURE IN CHROOT JAIL”
WHO WE ARE?
FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL.
17 YEARS OF PRACTICE IN LINUX
12 YEARS WITH THE BEST LINUX IN BRAZIL
MORE THAN 50,000 STUDENTS TRAINED
MORE THAN 5,000 CLIENTS IN DIFFERENT PROJECTS
              LPI-C ATP IN BRAZIL
            MORE: www.utah.com.br
SOCIAL MEDIA

Follow! @fabioandpires

Follow! @utah_networxs

 Enjoy! Utah Networxs
Speaker: Fabio Pires
Mini Curriculum:

Graduated in Computer Science
Graduated in Bachelor of Computing
Post Graduate in Project Analysis and Systems - FATEC
Post Graduate in Linux OS - UFLA
LPIC
Undergraduate and graduate lecturer

Twitter in spare time
Contact: fpires@utah.com.br
WHAT IS A DNS SERVER?

“DNS – DOMAIN NAME SYSTEM” is a hierarchical, distributed name management system that performs two tasks:

1 - Maintain and update its database.
2 - Resolve domain names into network addresses (IPs).
TYPES OF DNS SERVER

The authoritative server is responsible for keeping the maps (zones) of a given area and for answering requests coming from machines around the world that need to resolve domain names in the zone over which this server is authoritative;

The recursive server is responsible for receiving recursive DNS queries from local clients and consulting external servers in order to obtain the answers to the queries made.
DNS RFCs

DNS has its roots in RFCs 882 and 883, and was updated in RFCs 1034 and 1035.

http://tools.ietf.org/html/rfc1034
http://tools.ietf.org/html/rfc1035
THE DNS ROOT SERVER
THERE IS JUST ONE DNS ROOT SERVER, AND IT IS REPLICATED 13 TIMES.

The root table has only one entry for each existing Top Level Domain. Top Level Domains are of two types: gTLDs (Generic Top Level Domains - generic domains used worldwide) and ccTLDs (Country Code Top Level Domains - domain extensions administered by countries).
THE DNS ROOT SERVER WORLD MAP
OPERATION OF DNS SERVER
WHY ARE DNS SERVERS COMPROMISED?

DoS and DDoS attacks;
    allow-recursion { any; }; (open recursion)

DNS cache poisoning; a resolver accepts a reply only when all of these match, so a forged reply has to satisfy them too:
    the response arrives on the same UDP port the query was sent from;
    the QUESTION section refers to the real question;
    the QUERY ID matches the question;
    the names in the AUTHORITY and ADDITIONAL sections are in the same domain as the QUERY.
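A resolver-side illustration of those acceptance rules, added here as an example and not part of the original slides: the query and reply are modelled as Python dicts (an assumption made for brevity, not real packets), and a reply is cached only when source address and port, query ID and QUESTION all match, while AUTHORITY/ADDITIONAL names outside the queried zone (out of bailiwick) are discarded instead of cached.

```python
"""Resolver-side acceptance checks against a forged DNS reply.

Added example (not from the original slides). Query and reply are modelled
as plain dicts instead of real packets (an assumption made for brevity).
"""


def _norm(name):
    """Canonical owner name: lower case with exactly one trailing dot."""
    return name.lower().rstrip(".") + "."


def in_bailiwick(name, zone):
    """True when name is at or below zone, e.g. moe.bsidesp.utah.net.br. in bsidesp.utah.net.br."""
    name, zone = _norm(name), _norm(zone)
    return name == zone or name.endswith("." + zone)


def accept_response(query, reply, zone):
    """Decide whether a reply may be cached and which of its records survive.

    query: {"id", "qname", "qtype", "server": (ip, port), "sport": local UDP port}
    reply: {"id", "qname", "qtype", "src": (ip, port), "dport": port it was sent to,
            "answer" / "authority" / "additional": [(owner, rtype, rdata), ...]}
    zone:  the zone the queried server is authoritative for.
    Returns {"accepted": bool, "reason": str, "records": [(section, owner, rtype, rdata)]}.
    """
    # 1. It must come from the server we asked, to the UDP port we sent from.
    if reply["src"] != query["server"] or reply["dport"] != query["sport"]:
        return {"accepted": False, "reason": "address/port mismatch", "records": []}
    # 2. The 16-bit transaction ID must match the one we chose.
    if reply["id"] != query["id"]:
        return {"accepted": False, "reason": "query id mismatch", "records": []}
    # 3. The QUESTION section must echo our question (names compare case-insensitively).
    if _norm(reply["qname"]) != _norm(query["qname"]) or reply["qtype"] != query["qtype"]:
        return {"accepted": False, "reason": "question mismatch", "records": []}
    # 4. Bailiwick rule: a record is cached only if its owner lies inside the
    #    zone this server is authoritative for; anything else in ANSWER,
    #    AUTHORITY or ADDITIONAL is discarded, never cached.
    kept, dropped = [], []
    for section in ("answer", "authority", "additional"):
        for owner, rtype, rdata in reply.get(section, []):
            target = kept if in_bailiwick(owner, zone) else dropped
            target.append((section, owner, rtype, rdata))
    reason = "ok" if not dropped else "dropped %d out-of-bailiwick record(s)" % len(dropped)
    return {"accepted": True, "reason": reason, "records": kept}


# Constructed sample: a legitimate query and a reply whose ADDITIONAL section
# carries one name that does not belong to the queried zone.
QUERY = {"id": 0x1F2A, "qname": "www.bsidesp.utah.net.br", "qtype": "A",
         "server": ("189.99.99.9", 53), "sport": 40123}
REPLY = {"id": 0x1F2A, "qname": "WWW.bsidesp.utah.net.br.", "qtype": "A",
         "src": ("189.99.99.9", 53), "dport": 40123,
         "answer": [("www.bsidesp.utah.net.br.", "A", "187.100.100.10")],
         "authority": [("bsidesp.utah.net.br.", "NS", "moe.bsidesp.utah.net.br.")],
         "additional": [("moe.bsidesp.utah.net.br.", "A", "189.99.99.9"),
                        ("mail.other-zone.test.", "A", "203.0.113.66")]}

if __name__ == "__main__":
    print(accept_response(QUERY, REPLY, "bsidesp.utah.net.br"))
```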
Mitigation
TSIG / DNSSEC WHAT IS IT?

TSIG – Transaction Signatures (RFC 2845)

Traffic signed with a shared (symmetric) key between two parties.
Used mainly in zone transfers (master and slave).
TSIG / DNSSEC WHAT IS IT ?

 The mechanism used by DNSSEC is based on technology that
 employs cryptographic signatures. DNSSEC uses a system of
                    asymmetric keys.

  This means that someone with a domain compatible with
DNSSEC has a pair of electronic keys consisting of a private key
                       and a public key.
DNS VS DNSSEC
PRACTICE DNS SERVER




#CHROOT JAIL
CHROOT BIND IN CHROOT JAIL

/  (host)                /chroot  (Debian jail)     /chroot/var/lib/named  (named -t)
  bin                      bin                         dev
  boot                     boot                        etc
  chroot                   dev                           bind
  dev                      etc                         lib
  etc                      home                        var
  home                     lib
  lib                      mnt
  mnt                      opt
  opt                      proc
  proc                     root
  root                     sbin
  sbin                     tmp
  tmp                      usr
  usr                      var
  var                        lib
                               named
MAKE A CHROOT JAIL
   Operating System: Debian
   Version Name: Squeeze
   Version Release: 6.0.5
   Architecture: x86_64
   Directory: /chroot


root@moe:~# apt-get install debootstrap

root@moe:~# cd /chroot
root@moe:~# debootstrap squeeze .
SOLVING FUTURE JAIL PROBLEMS

01 – Mount the /dev and /dev/pts devices inside the jail

root@moe:~# mount --bind /dev /chroot/dev
root@moe:~# mount --bind /dev/pts /chroot/dev/pts

02 – Enter the CHROOT jail

root@moe:~# cd ..
root@moe:~# chroot /chroot
INSTALL PACKAGES
root@moe:~# apt-get install sysklogd openssh-server vim bind9


MAIN BIND9 CONFIG FILES

/etc/bind
/etc/default/bind9


BIND9 INIT SCRIPT

/etc/init.d/bind9
MAKE DIRECTORIES
root@moe:~# mkdir -p /var/lib/named

root@moe:~# mkdir -p /var/lib/named/etc/bind

root@moe:~# mkdir -p /var/lib/named/dev

root@moe:~# mkdir -p /var/lib/named/var/cache/bind

root@moe:~# mkdir -p /var/lib/named/var/run/bind/run

root@moe:~# mkdir -p /var/lib/named/var/run/named

root@moe:~# mkdir -p /var/lib/named/lib
EDIT DEFAULT FILES
root@moe:~# vi /etc/default/bind9

Change:

OPTIONS="-u bind"

To:

OPTIONS="-u bind -t /var/lib/named"

root@moe:~# vi /etc/init.d/bind9

Change:

OPTIONS="-u bind"

To:

OPTIONS="-u bind -t /var/lib/named"
COPY BIND PACKAGE FILES

root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/


CHANGE DEFAULT OWNER USER AND GROUP

root@moe:~# chown -R bind.bind /var/lib/named
CREATE DEVICE FILES (character devices, hence mknod ... c)

root@moe:~# cd /var/lib/named/dev

root@moe:~# mknod null c 1 3

root@moe:~# mknod random c 1 8

root@moe:~# mknod zero c 1 5

root@moe:~# mknod urandom c 1 9
RESTART BIND9 SERVICE



root@moe:~# invoke-rc.d bind9 restart
MAIN CONFIGURATION FILES

    named.conf
    named.conf.options
    zones/db.interna.direta
    zones/db.interna.reversa
    zones/db.externa.direta
    zones/db.externa.reversa
ACLS AND VIEWS CONCEPT



      ACL – Access Control List

               Views
CONFIGURE NAMED.CONF
acl intranet { 192.168.0.0/16; };
acl extranet { 0.0.0.0/0; };
CONFIGURE NAMED.CONF
view bsidesplocal {
    match-clients { "intranet"; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.interna.direta";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };

    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.interna.reversa";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };
};
CONFIGURE NAMED.CONF
view bsidespweb {
    match-clients { "extranet"; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };

    zone "99.99.199.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
NAMED.CONF GLOSSARY

Line beginning with '//' = commented line
include = includes the specified file
acl = defines an access list
zone = declares a zone
type = defines the type of zone
file = full path of the zone's data file
allow-transfer = which servers (the slaves) may transfer this zone from this server
update-policy local = allows automatic local updates; in our case it is used so that the zone is re-signed automatically before the existing signatures expire
key-directory = directory containing the zone's keys, needed for update-policy to succeed
also-notify = the master sends NOTIFY messages to the listed slave every time BIND restarts
notify = defines whether or not NOTIFY messages are sent for the zone
DB.ZONES FILES

root@moe:~# mkdir /var/lib/named/etc/bind/zones

root@moe:~# chown bind.bind /var/lib/named/etc/bind/zones
DIRECT ZONE EXAMPLE
$TTL 86400
@    IN SOA   moe.bsidesp.utah.net.br.   root.bsidesp.utah.net.br. (
              2012101801 ; Serial
              1200       ; Refresh
              2400       ; Retry
              4800       ; Expire
              1209600 )  ; Negative Cache TTL
;
@        IN   NS    moe.bsidesp.utah.net.br.
@        IN   NS    homer.bsidesp.utah.net.br.
@        IN   MX    5   moe.bsidesp.utah.net.br.
@        IN   MX    10  homer.bsidesp.utah.net.br.
@        IN   A     189.100.100.10
@        IN   A     189.99.99.9

moe      IN   A     189.99.99.9
homer    IN   A     187.100.100.10
ftp      IN   CNAME homer.bsidesp.utah.net.br.
pop      IN   CNAME homer.bsidesp.utah.net.br.
REVERSE ZONE EXAMPLE
$TTL 86400
@    IN SOA        moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (

     2012101801 ; Serial
         1200 ; Refresh
         2400 ; Retry
         4800 ; Expire
         1209600 ) ; Negative Cache TTL
;

@         IN     NS   moe.bsidesp.utah.net.br.
@         IN     NS   homer.bsidesp.utah.net.br.
@         IN     MX    5      moe.bsidesp.utah.net.br.
@         IN     MX    10     homer.bsidesp.utah.net.br.

9    IN    PTR    moe.bsidesp.utah.net.br.
10        IN     PTR homer.bsidesp.utah.net.br.
10        IN     PTR www.bsidesp.utah.net.br.
10        IN     PTR ftp.bsidesp.utah.net.br.
10        IN     PTR pop.bsidesp.utah.net.br.
GLOSSARY ZONE FILE
TTL = time in seconds that a record of the zone remains in a caching server;

Serial Number = reference used by a SLAVE server to tell whether the zone file has changed;

Refresh = time in seconds the secondary server waits before checking the primary server for updates;

Retry = time in seconds, after a failed refresh, until the next check;

Expire = time in seconds the secondary server keeps answering for the zone while the primary server is unreachable; once this time is exhausted, the secondary server also stops answering for the zone;

Negative Cache TTL = time a caching server keeps a negative (NXDOMAIN) answer for the zone before starting a new recursive lookup;

NS = Name Server
A = Host (IP address)
MX = Mail Exchanger
Alias = aliases (CNAME) come at the end of the file, as in the structure above: the nicknames defined in the zone, such as www, ftp, smtp, etc.
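A small lint for those SOA timers and for the trailing-dot rule, added here as an example (not from the original slides): it reads a constructed copy of the direct zone above and flags a retry larger than the refresh, an expire shorter than a week, and a name target that lacks its final dot. The parser is deliberately simplified (no $ORIGIN or $INCLUDE, and only the SOA may span several lines).

```python
"""Sanity checks for a BIND zone file's SOA timers and FQDN targets.

Added example (not from the original slides). Parsing is simplified:
no $ORIGIN/$INCLUDE handling, and only the SOA may use '( ... )'.
"""
import re

# Constructed copy of the direct zone shown above, used as sample input.
SAMPLE_ZONE = """\
$TTL 86400
@    IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
        2012101801 ; Serial
        1200       ; Refresh
        2400       ; Retry
        4800       ; Expire
        1209600 )  ; Negative Cache TTL
@        IN NS    moe.bsidesp.utah.net.br.
@        IN NS    homer.bsidesp.utah.net.br.
@        IN MX 5  moe.bsidesp.utah.net.br.
moe      IN A     189.99.99.9
homer    IN A     187.100.100.10
ftp      IN CNAME homer.bsidesp.utah.net.br.
pop      IN CNAME homer.bsidesp.utah.net.br
"""

# Record types whose RDATA ends in a domain name; a relative name there
# silently gets the origin appended (homer.bsidesp.utah.net.br.bsidesp.utah.net.br.).
NAME_TARGET_TYPES = {"NS", "CNAME", "MX", "PTR"}


def _logical_lines(text):
    """Strip ';' comments and join the lines inside '( ... )' into one record."""
    out, buf, depth = [], [], 0
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        buf.append(line)
        depth += line.count("(") - line.count(")")
        if depth == 0:
            out.append(" ".join(buf).replace("(", " ").replace(")", " "))
            buf = []
    return out


def parse_soa(text):
    """Return the SOA numbers as {serial, refresh, retry, expire, minimum}."""
    for line in _logical_lines(text):
        tok = line.split()
        if "SOA" in tok:
            i = tok.index("SOA")
            nums = [int(x) for x in tok[i + 3:i + 8]]
            return dict(zip(("serial", "refresh", "retry", "expire", "minimum"), nums))
    raise ValueError("no SOA record found")


def lint_zone(text):
    """Return a list of human-readable warnings for the zone text."""
    warnings = []
    soa = parse_soa(text)
    if soa["retry"] >= soa["refresh"]:
        warnings.append("retry (%d) should be smaller than refresh (%d)"
                        % (soa["retry"], soa["refresh"]))
    if soa["expire"] < soa["refresh"] + soa["retry"]:
        warnings.append("expire (%d) is shorter than refresh + retry; a slave would drop "
                        "the zone before it finishes retrying" % soa["expire"])
    if soa["expire"] < 7 * 86400:
        warnings.append("expire (%d) is under one week; RFC 1912 suggests 2-4 weeks"
                        % soa["expire"])
    if not re.fullmatch(r"\d{10}", str(soa["serial"])):
        warnings.append("serial %d is not in YYYYMMDDnn form" % soa["serial"])
    for line in _logical_lines(text):
        tok = line.split()
        if len(tok) < 4 or tok[0].startswith("$") or "SOA" in tok:
            continue
        rtype = next((t for t in tok if t in NAME_TARGET_TYPES), None)
        target = tok[-1]
        if rtype and "." in target and not target.endswith("."):
            warnings.append("%s %s: target '%s' lacks a trailing dot and will be "
                            "expanded relative to the origin" % (tok[0], rtype, target))
    return warnings


if __name__ == "__main__":
    for w in lint_zone(SAMPLE_ZONE):
        print("WARNING:", w)
```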
RESTRICT RECURSIVE QUERIES

root@moe:~# vi /var/lib/named/etc/bind/named.conf.options

    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { internals; externals; };
    allow-recursion { internals; };
    dnssec-enable yes;
MAKE DNSSEC KEY

root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys

root@moe:~# chown bind.bind /var/lib/named/etc/bind/zones/keys

root@moe:/var/lib/named/etc/bind/zones/keys#
dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br
GLOSSARY OPTIONS

-r = randomness source device
-f = key flag; KSK marks the key as a Key Signing Key
-a = encryption algorithm
-b = key size in bits
-K = key directory
-n = name type (ZONE)
SIGN ZONES

root@moe:/var/lib/named/etc/bind/zones/keys#
dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta
GLOSSARY OPTIONS

-S = smart signing: looks up the zone's keys in the key directory;
-z = ignores the KSK (SEP) bit and signs the whole zone with all keys;
-K = directory of the keys;
-N = SOA serial format; in our case we use 'unixtime' so the serial is incremented with each signing;
-o = zone origin; the last argument is the zone file.
CHANGE NAMED.CONF
view bsidespweb {
    match-clients { "extranet"; };

    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };

    zone "99.99.199.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
PUBLISH AT REGISTRO.BR
GET KEYTAG AND DIGEST

root@moe:/var/lib/named/etc/bind/zones/keys#
head -1 dsset-bsidesp.utah.net.br.

bsidesp.utah.net.br IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD

Keytag = 51074
Digest = D836A983AE90B051414E88D62379A94C9C9F71DD
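How the key tag and digest in that DS line are derived from the DNSKEY, as an added example that is not part of the original slides: it implements the key-tag computation of RFC 4034 Appendix B (including the special case for algorithm 1, RSAMD5, which the slides use; the toy key below declares algorithm 8, RSASHA256) and the DS digest of RFC 4034 section 5.1.4, so the values pasted into the registrar form can be cross-checked against the public key. The DNSKEY is a constructed 4-byte toy key, not a real one.

```python
"""Compute a DNSKEY's key tag and DS digest (what the dsset file contains).

Added example (not from the original slides). The DNSKEY below is a
constructed toy key with a 4-byte modulus, not a usable key.
"""
import base64
import hashlib

# Constructed sample DNSKEY in presentation format: flags 257 (KSK),
# protocol 3, algorithm 8. The public key follows the RFC 3110 layout:
# exponent length (1), exponent (0x03), modulus (01 02 03 04).
SAMPLE_DNSKEY = "bsidesp.utah.net.br. IN DNSKEY 257 3 8 AQMBAgME"


def name_to_wire(name):
    """Owner name in canonical wire form: lower case, length-prefixed labels, root label."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def parse_dnskey(line):
    """Return (owner, rdata bytes) from an 'owner [class] DNSKEY flags proto alg key' line."""
    tok = line.split()
    i = tok.index("DNSKEY")
    flags, proto, alg = int(tok[i + 1]), int(tok[i + 2]), int(tok[i + 3])
    pubkey = base64.b64decode("".join(tok[i + 4:]))
    rdata = flags.to_bytes(2, "big") + bytes([proto, alg]) + pubkey
    return tok[0], rdata


def key_tag(rdata):
    """RFC 4034 Appendix B key tag over the full DNSKEY RDATA."""
    alg = rdata[3]
    if alg == 1:
        # B.1: for RSAMD5 the tag is the top 16 bits of the low 24 bits of the modulus.
        pub = rdata[4:]
        if pub[0] != 0:
            exp_len, offset = pub[0], 1
        else:
            exp_len, offset = int.from_bytes(pub[1:3], "big"), 3
        modulus = pub[offset + exp_len:]
        return int.from_bytes(modulus[-3:-1], "big")
    ac = 0
    for i, b in enumerate(rdata):
        ac += (b << 8) if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_digest(owner, rdata, digest_type):
    """DS digest = hash(owner wire name || DNSKEY RDATA); type 1 = SHA-1, 2 = SHA-256."""
    algo = {1: hashlib.sha1, 2: hashlib.sha256}[digest_type]
    return algo(name_to_wire(owner) + rdata).hexdigest().upper()


def ds_record(line, digest_type=1):
    """Render the DS line in the same layout as the dsset file / registrar form."""
    owner, rdata = parse_dnskey(line)
    return "%s IN DS %d %d %d %s" % (owner, key_tag(rdata), rdata[3], digest_type,
                                     ds_digest(owner, rdata, digest_type))


if __name__ == "__main__":
    print(ds_record(SAMPLE_DNSKEY, 1))
    print(ds_record(SAMPLE_DNSKEY, 2))
```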
DOUBTS?




 SPECIAL THANKS

ISAIAS SOUZA SILVA
SOURCES OF RESEARCH

BIND9 PROJECT
https://www.isc.org/software/bind

REGISTRO.BR
www.registro.br

QGSEG
http://www.qgseg.com.br/

WIKIPEDIA
http://pt.wikipedia.org

More Related Content

What's hot

Compiler design important questions
Compiler design   important questionsCompiler design   important questions
Compiler design important questionsakila viji
 
Matrix of linear transformation 1.9-dfs
Matrix of linear transformation 1.9-dfsMatrix of linear transformation 1.9-dfs
Matrix of linear transformation 1.9-dfsFarhana Shaheen
 
Numerical Methods - Power Method for Eigen values
Numerical Methods - Power Method for Eigen valuesNumerical Methods - Power Method for Eigen values
Numerical Methods - Power Method for Eigen valuesDr. Nirav Vyas
 
Booth and bit pair encoding
Booth and bit pair encodingBooth and bit pair encoding
Booth and bit pair encodingBasit Ali
 
daa-unit-3-greedy method
daa-unit-3-greedy methoddaa-unit-3-greedy method
daa-unit-3-greedy methodhodcsencet
 
Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)Joonyoung Yi
 
Anti aliasing,area sampling,koch curve and c curve
Anti aliasing,area sampling,koch curve and c curveAnti aliasing,area sampling,koch curve and c curve
Anti aliasing,area sampling,koch curve and c curvePallab Kumar Nandi
 
Liang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygons
Liang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygonsLiang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygons
Liang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygonsLahiru Danushka
 
Graphics practical lab manual
Graphics practical lab manualGraphics practical lab manual
Graphics practical lab manualVivek Kumar Sinha
 
03 Analysis of Algorithms: Probabilistic Analysis
03 Analysis of Algorithms: Probabilistic Analysis03 Analysis of Algorithms: Probabilistic Analysis
03 Analysis of Algorithms: Probabilistic AnalysisAndres Mendez-Vazquez
 
2 d transformation
2 d transformation2 d transformation
2 d transformationAnkit Garg
 
Mid-Point Cirle Drawing Algorithm
Mid-Point Cirle Drawing AlgorithmMid-Point Cirle Drawing Algorithm
Mid-Point Cirle Drawing AlgorithmNeha Kaurav
 

What's hot (20)

LISP: Input And Output
LISP: Input And OutputLISP: Input And Output
LISP: Input And Output
 
convex hull
convex hullconvex hull
convex hull
 
Compiler design important questions
Compiler design   important questionsCompiler design   important questions
Compiler design important questions
 
Matrix of linear transformation 1.9-dfs
Matrix of linear transformation 1.9-dfsMatrix of linear transformation 1.9-dfs
Matrix of linear transformation 1.9-dfs
 
Numerical Methods - Power Method for Eigen values
Numerical Methods - Power Method for Eigen valuesNumerical Methods - Power Method for Eigen values
Numerical Methods - Power Method for Eigen values
 
Booth and bit pair encoding
Booth and bit pair encodingBooth and bit pair encoding
Booth and bit pair encoding
 
daa-unit-3-greedy method
daa-unit-3-greedy methoddaa-unit-3-greedy method
daa-unit-3-greedy method
 
Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)Exact Matrix Completion via Convex Optimization Slide (PPT)
Exact Matrix Completion via Convex Optimization Slide (PPT)
 
Anti aliasing,area sampling,koch curve and c curve
Anti aliasing,area sampling,koch curve and c curveAnti aliasing,area sampling,koch curve and c curve
Anti aliasing,area sampling,koch curve and c curve
 
Liang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygons
Liang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygonsLiang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygons
Liang- Barsky Algorithm, Polygon clipping & pipeline clipping of polygons
 
Graphics practical lab manual
Graphics practical lab manualGraphics practical lab manual
Graphics practical lab manual
 
Random walk on Graphs
Random walk on GraphsRandom walk on Graphs
Random walk on Graphs
 
Newton Raphson
Newton RaphsonNewton Raphson
Newton Raphson
 
Clipping
ClippingClipping
Clipping
 
Formula book
Formula bookFormula book
Formula book
 
03 Analysis of Algorithms: Probabilistic Analysis
03 Analysis of Algorithms: Probabilistic Analysis03 Analysis of Algorithms: Probabilistic Analysis
03 Analysis of Algorithms: Probabilistic Analysis
 
2 d transformation
2 d transformation2 d transformation
2 d transformation
 
NP completeness
NP completenessNP completeness
NP completeness
 
lecture1 introduction to computer graphics(Computer graphics tutorials)
lecture1 introduction to computer graphics(Computer graphics tutorials)lecture1 introduction to computer graphics(Computer graphics tutorials)
lecture1 introduction to computer graphics(Computer graphics tutorials)
 
Mid-Point Cirle Drawing Algorithm
Mid-Point Cirle Drawing AlgorithmMid-Point Cirle Drawing Algorithm
Mid-Point Cirle Drawing Algorithm
 

Similar to DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL

Similar to DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL (20)

Dns
DnsDns
Dns
 
DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016DNS for Developers - NDC Oslo 2016
DNS for Developers - NDC Oslo 2016
 
Domain Name System(ppt)
Domain Name System(ppt)Domain Name System(ppt)
Domain Name System(ppt)
 
DNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo MontrealDNS for Developers - ConFoo Montreal
DNS for Developers - ConFoo Montreal
 
Dns
DnsDns
Dns
 
Dns
DnsDns
Dns
 
DNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul IslamDNS/DNSSEC by Nurul Islam
DNS/DNSSEC by Nurul Islam
 
Domain Name Server
Domain Name ServerDomain Name Server
Domain Name Server
 
DNS – Domain Name Service
DNS – Domain Name ServiceDNS – Domain Name Service
DNS – Domain Name Service
 
DNS - Domain Name System
DNS - Domain Name SystemDNS - Domain Name System
DNS - Domain Name System
 
DNS
DNSDNS
DNS
 
Hands-on DNSSEC Deployment
Hands-on DNSSEC DeploymentHands-on DNSSEC Deployment
Hands-on DNSSEC Deployment
 
Introduction
IntroductionIntroduction
Introduction
 
Linux administration ii-parti
Linux administration ii-partiLinux administration ii-parti
Linux administration ii-parti
 
DNS Configuration
DNS ConfigurationDNS Configuration
DNS Configuration
 
Design of a campus network
Design of a campus networkDesign of a campus network
Design of a campus network
 
DNS_Tutorial 2.pptx
DNS_Tutorial 2.pptxDNS_Tutorial 2.pptx
DNS_Tutorial 2.pptx
 
DNSPresentation.pptx
DNSPresentation.pptxDNSPresentation.pptx
DNSPresentation.pptx
 
Rhel4
Rhel4Rhel4
Rhel4
 
DNS - MCSE 2019
DNS - MCSE 2019DNS - MCSE 2019
DNS - MCSE 2019
 

Recently uploaded

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...HostedbyConfluent
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersThousandEyes
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAndikSusilo4
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphNeo4j
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Alan Dix
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 

Recently uploaded (20)

AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Pigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping ElbowsPigging Solutions Piggable Sweeping Elbows
Pigging Solutions Piggable Sweeping Elbows
 
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
Transforming Data Streams with Kafka Connect: An Introduction to Single Messa...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for PartnersEnhancing Worker Digital Experience: A Hands-on Workshop for Partners
Enhancing Worker Digital Experience: A Hands-on Workshop for Partners
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Azure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & ApplicationAzure Monitor & Application Insight to monitor Infrastructure & Application
Azure Monitor & Application Insight to monitor Infrastructure & Application
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge GraphSIEMENS: RAPUNZEL – A Tale About Knowledge Graph
SIEMENS: RAPUNZEL – A Tale About Knowledge Graph
 
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
Neo4j - How KGs are shaping the future of Generative AI at AWS Summit London ...
 
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...Swan(sea) Song – personal research during my six years at Swansea ... and bey...
Swan(sea) Song – personal research during my six years at Swansea ... and bey...
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 

DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL

  • 2. WHO WE ARE? FIRST SCHOOL AND CONSULTING LINUX IN BRAZIL. 17 YEARS OF PRATICE IN LINUX 12 YEARS WITH BEST LINUX IN BRAZIL MORE THAN 50.000 STUDENTS TRAINED MORE THEAN 5.000 CLIENTS TO DIFERENT PROJECTS LPI-C ATP IN BRAZIL MORE: www.utah.com.br
  • 3. SOCIAL MEDIA Follow! @fabioandpires Follow! @utah_networxs Enjoy! Utah Networxs
  • 4. Speaker: Fabio Pires Mini Curriculum: Graduated in Computer Science Graduated in Bachelor of Computing Post Graduate in Project Analysis and Systems - FATEC Post Graduate in S.O. Linux - UFLA LPIC Teacher of Undergraduate and Graduate Twitter in Spare Time Contact: fpires@utah.com.br
  • 5. WHAT IS DNS SERVER ? “DNS – DOMAIN NAME SYSTEM” Management system is a hierarchical name and distributed operating on two definitions: 1 - Review and update your database. 2 - Resolve domain names into network addresses (IPs).
  • 6. TYPE OF DNS ? The authoritative is responsible for keeping the maps referring to a local area and respond to requests coming from machines around the world, they need to resolve domain names in the area over which this server is authoritative; The Recursive What is responsible for receiving recursive DNS queries from local clients and consult with external servers, in order to obtain answers to queries made.
  • 7. DNS RFC'S The roots in RFCs 882 and 883, and was updated in RFCs 1034 and 1035. http://tools.ietf.org/html/rfc1034 http://tools.ietf.org/html/rfc1035
  • 8. THE DNS ROOT SERVER THERE IS JUST A DNS SERVER ROOT AND THIS WAS 13 TIMES REPLICATED. The Table has only one entry for each existing Top Level Domain. The Top Level Domains are of two types: gTLDs (Generic Top Level Domains - generic domains used worldwide) and ccTLDs (Country Code Top Level Domains - domain extensions administered by countries).
  • 9. THE DNS ROOT SERVER WORLD MAP (image slide: map of root server locations)
  • 11. WHY ARE DNS SERVERS COMPROMISED? DoS and DDoS attacks; open recursion (allow-recursion { any; }); DNS cache poisoning. A resolver accepts a response, forged or genuine, when all of the following hold: the response arrives on the same UDP port the query was sent from; the QUESTION section repeats the real question; the query ID matches the question sent; the names in the AUTHORITY and ADDITIONAL sections belong to the same domain as the query.
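The four acceptance conditions listed above, as an added Python example that is not part of the deck: a resolver-side check that rejects replies arriving on the wrong port, with an unknown query ID or with a different QUESTION, and drops out-of-bailiwick AUTHORITY/ADDITIONAL records before anything is cached. The Pending/Reply structures, the names and the addresses are all constructed for the example.

```python
from dataclasses import dataclass, field


@dataclass
class Pending:
    """A query the resolver sent and is still waiting on (constructed state)."""
    qid: int     # 16-bit transaction ID placed in the query
    port: int    # UDP source port the query was sent from
    qname: str   # QUESTION name
    qtype: str   # QUESTION type
    zone: str    # zone of the server asked; defines the bailiwick


@dataclass
class Reply:
    """Simplified parsed reply; records are (owner, type, rdata) tuples."""
    qid: int
    port: int    # UDP destination port the reply arrived on
    qname: str
    qtype: str
    authority: list = field(default_factory=list)
    additional: list = field(default_factory=list)


def in_bailiwick(owner: str, zone: str) -> bool:
    """True when owner is the zone apex or below it (names are case-insensitive)."""
    o, z = owner.lower().rstrip(".") + ".", zone.lower().rstrip(".") + "."
    return o == z or o.endswith("." + z)


def accept_reply(table: dict, r: Reply) -> dict:
    """Apply the slide's four checks to a reply against the pending-query table.

    Wrong port, unknown query ID or a QUESTION section that differs from the one
    sent reject the whole packet.  AUTHORITY/ADDITIONAL records outside the
    bailiwick are dropped instead of cached, so a forged record for some other
    domain never enters the cache even when the packet itself is genuine.
    """
    rejected = {"accepted": False, "authority": [], "additional": []}
    q = table.get((r.qid, r.port))
    if q is None:
        return dict(rejected, reason="no pending query with this ID and port")
    if (q.qname.lower(), q.qtype) != (r.qname.lower(), r.qtype):
        return dict(rejected, reason="QUESTION section does not match")
    del table[(r.qid, r.port)]  # the first matching reply closes the query
    keep = lambda rrs: [rr for rr in rrs if in_bailiwick(rr[0], q.zone)]
    return {"accepted": True, "reason": "ok",
            "authority": keep(r.authority), "additional": keep(r.additional)}
```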
  • 12. MITIGATION: TSIG / DNSSEC, WHAT IS IT? TSIG – Transaction Signatures (RFC 2845). Traffic is signed with a shared (symmetric) key known to both parties. Used mainly in zone transfers (master and slave).
  • 13. TSIG / DNSSEC, WHAT IS IT? The mechanism used by DNSSEC is based on cryptographic signatures. DNSSEC uses asymmetric keys: whoever operates a DNSSEC-enabled domain holds a key pair consisting of a private key, used to sign the zone, and a public key, published in the zone so that others can validate the signatures.
  • 15. PRACTICE: DNS SERVER IN A CHROOT JAIL
  • 16. CHROOT: BIND IN A CHROOT JAIL (diagram slide). The host root filesystem (/bin, /boot, /dev, /etc, /home, /lib, /mnt, /opt, /proc, /root, /sbin, /tmp, /usr, /var) contains /chroot, a second complete tree (bin, boot, dev, etc, home, lib, mnt, opt, proc, root, sbin, tmp, usr, var); inside it BIND runs under /var/lib/named, which holds its own dev, etc/bind, lib and var directories.
  • 17. MAKE A CHROOT JAIL
        Operating System: Debian
        Version Name: Squeeze
        Version Release: 6.0.5
        Architecture: x86_64
        Directory: /chroot
        root@moe:~# apt-get install debootstrap
        root@moe:~# cd /chroot
        root@moe:~# debootstrap squeeze .
  • 18. AVOIDING FUTURE JAIL PROBLEMS
        01 – Bind-mount the /dev and /dev/pts devices into the jail
        root@moe:~# mount --bind /dev /chroot/dev
        root@moe:~# mount --bind /dev/pts /chroot/dev/pts
        02 – Enter the CHROOT jail
        root@moe:~# cd ..
        root@moe:~# chroot /chroot
  • 19. INSTALL PACKAGES
        root@moe:~# apt-get install sysklogd openssh-server vim bind9
        MAIN BIND9 CONFIG FILES: /etc/bind and /etc/default/bind9
        BIND9 INIT SCRIPT: /etc/init.d/bind9
  • 20. MAKE DIRECTORIES
        root@moe:~# mkdir -p /var/lib/named
        root@moe:~# mkdir -p /var/lib/named/etc/bind
        root@moe:~# mkdir -p /var/lib/named/dev
        root@moe:~# mkdir -p /var/lib/named/var/cache/bind
        root@moe:~# mkdir -p /var/lib/named/var/run/bind/run
        root@moe:~# mkdir -p /var/lib/named/var/run/named
        root@moe:~# mkdir -p /var/lib/named/lib
  • 21. EDIT DEFAULT FILES (-t makes named chroot into /var/lib/named at startup)
        root@moe:~# vi /etc/default/bind9
        Change: OPTIONS="-u bind"
        To:     OPTIONS="-u bind -t /var/lib/named"
        root@moe:~# vi /etc/init.d/bind9
        Change: OPTIONS="-u bind"
        To:     OPTIONS="-u bind -t /var/lib/named"
  • 22. COPY BIND PACKAGE FILES
        root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/
        CHANGE DEFAULT OWNER USER AND GROUP
        root@moe:~# chown -R bind:bind /var/lib/named
  • 23. CREATE DEVICE FILES (the character devices named needs inside the jail)
        root@moe:~# cd /var/lib/named/dev
        root@moe:~# mknod null c 1 3
        root@moe:~# mknod random c 1 8
        root@moe:~# mknod zero c 1 5
        root@moe:~# mknod urandom c 1 9
  • 24. RESTART BIND9 SERVICE
        root@moe:~# invoke-rc.d bind9 restart
  • 25. MAIN CONFIGURATION FILES
        named.conf
        named.conf.options
        zones/db.interna.direta
        zones/db.interna.reversa
        zones/db.externa.direta
        zones/db.externa.reversa
  • 26. ACLS AND VIEWS CONCEPT. ACL – Access Control List: a named list of client addresses. Views: different zone content served to different clients, selected with match-clients.
  • 27. CONFIGURE NAMED.CONF
        acl intranet { 192.168.0.0/16; };
        acl extranet { 0.0.0.0/0; };
  • 28. CONFIGURE NAMED.CONF
        view bsidesplocal {
            match-clients { "intranet"; };
            zone "bsidesp.utah.net.br" {
                type master;
                file "/etc/bind/zones/db.interna.direta";
                allow-transfer { 192.168.0.220; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 192.168.0.220; };
                notify yes;
            };
            zone "0.168.192.in-addr.arpa" {
                type master;
                file "/etc/bind/zones/db.interna.reversa";
                allow-transfer { 192.168.0.220; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 192.168.0.220; };
                notify yes;
            };
        };
  • 29. CONFIGURE NAMED.CONF
        view bsidespweb {
            match-clients { "extranet"; };
            zone "bsidesp.utah.net.br" {
                type master;
                file "/etc/bind/zones/db.externa.direta";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
            zone "99.99.199.in-addr.arpa" {
                type master;
                file "/etc/bind/zones/db.externa.reversa";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
        };
  • 30. NAMED.CONF GLOSSARY
        Line beginning with '//' = commented line
        include = includes the specified file
        acl = defines an access control list
        zone = defines a zone
        type = defines the type of the zone (master here)
        file = path of the zone file (relative to the chroot root)
        allow-transfer = the slave servers allowed to transfer this zone
        update-policy local = allows dynamic updates from the local host; used here so the server can re-sign the zone automatically before its signatures expire
        key-directory = the directory holding the zone keys that update-policy needs in order to succeed
        also-notify = the slave addresses the master sends NOTIFY messages to whenever the zone is (re)loaded
        notify = defines whether or not NOTIFY messages are sent for the zone
  • 31. DB.ZONES FILES
        root@moe:~# mkdir /var/lib/named/etc/bind/zones
        root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones
  • 32. DIRECT (FORWARD) ZONE EXAMPLE
        $TTL 86400
        @ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                2012101801 ; Serial
                1200       ; Refresh
                2400       ; Retry
                4800       ; Expire
                1209600 )  ; Negative Cache TTL
        ;
        @       IN NS    moe.bsidesp.utah.net.br.
        @       IN NS    homer.bsidesp.utah.net.br.
        @       IN MX 5  moe.bsidesp.utah.net.br.
        @       IN MX 10 homer.bsidesp.utah.net.br.
        @       IN A     189.100.100.10
        @       IN A     189.99.99.9
        moe     IN A     189.99.99.9
        homer   IN A     187.100.100.10
        ftp     IN CNAME homer.bsidesp.utah.net.br.
        pop     IN CNAME homer.bsidesp.utah.net.br.
  • 33. REVERSE ZONE EXAMPLE
        $TTL 86400
        @ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
                2012101801 ; Serial
                1200       ; Refresh
                2400       ; Retry
                4800       ; Expire
                1209600 )  ; Negative Cache TTL
        ;
        @       IN NS    moe.bsidesp.utah.net.br.
        @       IN NS    homer.bsidesp.utah.net.br.
        @       IN MX 5  moe.bsidesp.utah.net.br.
        @       IN MX 10 homer.bsidesp.utah.net.br.
        9       IN PTR   moe.bsidesp.utah.net.br.
        10      IN PTR   homer.bsidesp.utah.net.br.
        10      IN PTR   www.bsidesp.utah.net.br.
        10      IN PTR   ftp.bsidesp.utah.net.br.
        10      IN PTR   pop.bsidesp.utah.net.br.
  • 34. ZONE FILE GLOSSARY
        TTL = time in seconds that a record of the zone stays in a caching server
        Serial Number = tells a SLAVE server whether the zone file has changed
        Refresh = time in seconds the secondary server waits before checking the primary for updates
        Retry = time in seconds to wait after a failed refresh before the next check
        Expire = time in seconds the secondary server keeps answering for the zone while the primary is unreachable; once it runs out, the secondary stops answering for the zone as well
        Negative Cache TTL = time a caching server stores a negative answer (NXDOMAIN) before starting a new recursive lookup
        NS = name server
        A = host address (IP)
        MX = mail exchanger
        Alias = CNAME aliases, placed at the end of the file as above; they are the nicknames defined in the zone such as www, ftp, smtp, etc.
  • 36. CLOSE RECURSIVE QUERIES (recursion only for the intranet ACL)
        root@moe:~# vi /var/lib/named/etc/bind/named.conf.options
        auth-nxdomain no;    # conform to RFC1035
        listen-on-v6 { any; };
        allow-query { intranet; extranet; };
        allow-recursion { intranet; };
        dnssec-enable yes;
  • 37. MAKE THE DNSSEC KEY
        root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys
        root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones/keys
        root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br
  • 38. GLOSSARY OF OPTIONS. -r = randomness source device; -f = key type flag (KSK); -a = encryption algorithm; -b = key size in bits; -K = key directory; -n = name type (ZONE).
  • 39. SIGN ZONES
        root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta
  • 40. GLOSSARY OF OPTIONS. -S = smart signing: looks up the zone's keys in the key directory; -z = ignores the SEP (KSK) bit and signs the whole zone with every key found; -K = key directory; -N = SOA serial format, 'unixtime' in our case so the serial increments with each signing; -o = zone origin, followed by the zone file to sign.
  • 41. CHANGE NAMED.CONF (point the external view at the signed files)
        view bsidespweb {
            match-clients { "extranet"; };
            zone "bsidesp.utah.net.br" {
                type master;
                file "/etc/bind/zones/db.externa.direta.signed";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
            zone "99.99.199.in-addr.arpa" {
                type master;
                file "/etc/bind/zones/db.externa.reversa.signed";
                allow-transfer { 189.99.99.9; };
                update-policy local;
                key-directory "/etc/bind/zones/keys";
                also-notify { 189.99.99.9; };
                notify yes;
            };
        };
  • 43. GET KEYTAG AND DIGEST (the DS values handed to the parent zone)
        root@moe:/var/lib/named/etc/bind/zones/keys# head -1 dsset-bsidesp.utah.net.br.
        bsidesp.utah.net.br IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD
        Keytag = 51074 (then algorithm 1 = RSAMD5 and digest type 1 = SHA-1)
        Digest = D836A983AE90B051414E88D62379A94C9C9F71DD
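How the key tag and digest on this slide are derived from the DNSKEY created on slide 37, as an added Python example that is not the deck's code: the key tag follows RFC 4034 Appendix B, the DS digest is SHA-1 (type 1, as on the slide) or SHA-256 (type 2, RFC 4509) over the canonical owner name plus the DNSKEY RDATA, and parse_ds reads a dsset line like the one above. The DNSKEY used is constructed with a dummy key; note that RFC 4034 computes the tag of RSAMD5 keys (algorithm 1, the slide's choice, since deprecated by RFC 6725) differently from every other algorithm.

```python
import hashlib
import struct

# DS digest types: 1 = SHA-1 (as on the slide), 2 = SHA-256 (RFC 4509).
DIGESTS = {1: hashlib.sha1, 2: hashlib.sha256}


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format: lower-case labels, length-prefixed."""
    out = b"".join(bytes([len(lab)]) + lab.encode("ascii")
                   for lab in name.lower().rstrip(".").split("."))
    return out + b"\x00"


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """DNSKEY RDATA: flags (257 = KSK), protocol (always 3), algorithm, key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag: 16-bit fold of the whole RDATA.

    Valid for every algorithm except 1 (RSAMD5, used on the slide), whose
    tag is taken from the modulus bits instead (Appendix B.1).
    """
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_rdata(owner: str, rdata: bytes, digest_type: int = 1) -> str:
    """DS RDATA 'keytag algorithm digesttype digest', as a dsset file lists it."""
    digest = DIGESTS[digest_type](wire_name(owner) + rdata).hexdigest().upper()
    return f"{key_tag(rdata)} {rdata[3]} {digest_type} {digest}"


def parse_ds(line: str) -> dict:
    """Split 'owner IN DS keytag alg digesttype digest' (the slide's line) into fields."""
    f = line.split()
    i = f.index("DS")
    return {"owner": f[0], "key_tag": int(f[i + 1]), "algorithm": int(f[i + 2]),
            "digest_type": int(f[i + 3]), "digest": f[i + 4].upper()}


if __name__ == "__main__":
    rd = dnskey_rdata(257, 8, b"\x01\x02\x03\x04")  # constructed KSK, dummy key
    print("DS:", ds_rdata("bsidesp.utah.net.br.", rd, 2))
```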
  • 44. QUESTIONS? SPECIAL THANKS: ISAIAS SOUZA SILVA
  • 45. SOURCES OF RESEARCH
        BIND9 PROJECT: https://www.isc.org/software/bind
        REGISTRO.BR: www.registro.br
        QGSEG: http://www.qgseg.com.br/
        WIKIPEDIA: http://pt.wikipedia.org