DNSSEC - WHAT IS IT ? INSTALL AND CONFIGURE IN CHROOT JAIL
Install and Understand DNSSEC in Linux Server running BIND 9 with CHROOT JAIL system and Service.

By Utah Networxs

Follow - @fabioandpires
Follow - @utah_networxs

Published in: Technology

Transcript

  • 1. “DNSSEC WHAT IS IT ?”
  • 2. WHO ARE WE? THE FIRST LINUX SCHOOL AND CONSULTANCY IN BRAZIL. 17 YEARS OF PRACTICE IN LINUX. 12 YEARS WITH THE BEST LINUX IN BRAZIL. MORE THAN 50,000 STUDENTS TRAINED. MORE THAN 5,000 CLIENTS IN DIFFERENT PROJECTS. LPI-C ATP IN BRAZIL. MORE: www.utah.com.br
  • 3. SOCIAL MEDIA Follow! @fabioandpires Follow! @utah_networxs Enjoy! Utah Networxs
  • 4. Speaker: Fabio Pires. Mini Curriculum: Graduated in Computer Science; Bachelor of Computing; Post Graduate in Project Analysis and Systems - FATEC; Post Graduate in Linux OS - UFLA; LPIC; Teacher of Undergraduate and Graduate courses; Twitter in Spare Time. Contact: fpires@utah.com.br
  • 5. WHAT IS A DNS SERVER? “DNS – DOMAIN NAME SYSTEM” A hierarchical, distributed naming system with two jobs: 1 - Maintain and update its database of names (the zones it is responsible for). 2 - Resolve domain names into network addresses (IPs), and addresses back into names.
  • 6. TYPES OF DNS SERVER The authoritative server keeps the zone data for a domain and answers queries from machines anywhere in the world about the names in the zones it is authoritative for. The recursive server receives recursive queries from local clients and, to answer them, queries external (authoritative) servers on the clients' behalf and caches the results. Keeping the two roles apart (separate servers, or at least separate views) is what later allows recursion to be restricted to internal clients.
  • 7. DNS RFCS DNS has its roots in RFCs 882 and 883, which were obsoleted by RFCs 1034 and 1035. http://tools.ietf.org/html/rfc1034 http://tools.ietf.org/html/rfc1035
  • 8. THE DNS ROOT SERVERS There is a single root zone. It is served by 13 root server names (a.root-servers.net to m.root-servers.net), each of which is replicated across many anycast sites. The root zone holds one delegation (NS records) per existing Top Level Domain. The Top Level Domains are of two types: gTLDs (Generic Top Level Domains - generic domains used worldwide) and ccTLDs (Country Code Top Level Domains - domain extensions administered by countries).
  • 9. THE DNS ROOT SERVER WORLD MAP
  • 10. OPERATION OF DNS SERVER
  • 11. WHY ARE DNS SERVERS COMPROMISED? DoS and DDoS attacks; open recursion (allow-recursion { any; }), which turns the server into an amplifier and into a poisoning target; DNS cache poisoning. A forged response is accepted into the cache when it passes the resolver's checks: it arrives on the same UDP port the query was sent from; its QUESTION section matches the original question; its Query ID matches the query's; and the names in the AUTHORITY and ADDITIONAL sections belong to the same domain as the query (they are in-bailiwick). With a fixed source port the attacker only has to guess the 16-bit Query ID, which is why source port randomization and bailiwick checking matter, and why signed data (DNSSEC) is the real fix.
  • 12. MITIGATION: TSIG / DNSSEC - WHAT IS IT? TSIG – Transaction Signatures (RFC 2845). Traffic between two peers is signed with a shared (symmetric) key and an HMAC. Used mainly to authenticate zone transfers and notifies between master and slave, and dynamic updates. TSIG protects one hop between two servers that share the key; it does not let a resolver verify the zone data itself.
  • 13. TSIG / DNSSEC - WHAT IS IT? DNSSEC is based on cryptographic signatures over the zone data. DNSSEC uses asymmetric keys: a zone that supports DNSSEC has a key pair, a private key that signs the records (producing RRSIG records) and a public key published in the zone as a DNSKEY record, so that any validating resolver can check the signatures. A hash of the public key (the DS record) is placed in the parent zone, which chains the zone up to the root.
  • 14. DNS VS DNSSEC
  • 15. PRACTICE: DNS SERVER IN A CHROOT JAIL
  • 16. CHROOT: BIND IN A CHROOT JAIL (diagram: the host filesystem /, the debootstrap tree under /chroot with the usual bin, boot, dev, etc, home, lib, mnt, opt, proc, root, sbin, tmp, usr and var, and inside it the named jail /var/lib/named holding dev, etc/bind, lib and var)
  • 17. MAKE A CHROOT JAIL Operating System: Debian; Version Name: Squeeze; Version Release: 6.0.5; Architecture: x86_64; Directory: /chroot
root@moe:~# apt-get install debootstrap
root@moe:~# mkdir /chroot && cd /chroot
root@moe:/chroot# debootstrap squeeze .
  • 18. AVOIDING PROBLEMS INSIDE THE JAIL 01 – Bind-mount /dev and /dev/pts into the jail so that device nodes and terminals are available inside it:
root@moe:~# mount --bind /dev /chroot/dev
root@moe:~# mount --bind /dev/pts /chroot/dev/pts
02 – Enter the chroot jail:
root@moe:~# chroot /chroot
  • 19. INSTALL PACKAGES (inside the chroot)
root@moe:/# apt-get install sysklogd openssh-server vim bind9
MAIN BIND9 CONFIG FILES: /etc/bind/ and /etc/default/bind9
BIND9 INIT SCRIPT: /etc/init.d/bind9
  • 20. MAKE DIRECTORIES
root@moe:~# mkdir -p /var/lib/named
root@moe:~# mkdir -p /var/lib/named/etc/bind
root@moe:~# mkdir -p /var/lib/named/dev
root@moe:~# mkdir -p /var/lib/named/var/cache/bind
root@moe:~# mkdir -p /var/lib/named/var/run/bind/run
root@moe:~# mkdir -p /var/lib/named/var/run/named
root@moe:~# mkdir -p /var/lib/named/lib
  • 21. EDIT DEFAULT FILES
root@moe:~# vi /etc/default/bind9
Change: OPTIONS="-u bind"
To: OPTIONS="-u bind -t /var/lib/named"
root@moe:~# vi /etc/init.d/bind9
Change: OPTIONS="-u bind"
To: OPTIONS="-u bind -t /var/lib/named"
-t makes named chroot to /var/lib/named at startup, before it drops privileges to user bind, so every path in named.conf (directory, file, key-directory) is interpreted relative to that root. On Debian the init script reads OPTIONS from /etc/default/bind9, so editing that file is normally enough; the second edit only matters if the script sets OPTIONS itself.
  • 22. COPY BIND PACKAGE FILES
root@moe:~# cp -R /etc/bind/* /var/lib/named/etc/bind/
CHANGE DEFAULT OWNER USER AND GROUP
root@moe:~# chown -R bind:bind /var/lib/named
From now on the configuration that named reads lives under /var/lib/named/etc/bind; to keep rndc and named-checkconf on the host looking at the same files, replace /etc/bind with a symlink to that directory (or always edit the copy inside the jail).
  • 23. CREATE DEVICE NODES (the character devices named needs inside the jail)
root@moe:~# cd /var/lib/named/dev
root@moe:/var/lib/named/dev# mknod null c 1 3
root@moe:/var/lib/named/dev# mknod random c 1 8
root@moe:/var/lib/named/dev# mknod zero c 1 5
root@moe:/var/lib/named/dev# mknod urandom c 1 9
root@moe:/var/lib/named/dev# chmod 666 null random zero urandom
mknod applies the umask, so without the chmod the nodes end up 0644 root-owned and named (running as bind) cannot write to /dev/null. Logging needs the same treatment: the chrooted named cannot reach the host's /dev/log, so start sysklogd with an extra socket inside the jail (SYSLOGD="-a /var/lib/named/dev/log" in /etc/default/syslog) or nothing named logs will ever arrive.
  • 24. RESTART BIND9 SERVICE
root@moe:~# invoke-rc.d bind9 restart
Then confirm that the jail is really in effect: ps -o args= -C named must show -t /var/lib/named, and ls -l /proc/$(pidof named)/root must point at /var/lib/named.
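The jail steps of slides 20 to 24 collected into one script, as an added example that is not part of the slides: it builds the directory tree, copies the packaged configuration, creates the device nodes with a mode named can use, rewrites the OPTIONS line instead of appending a second one, and then runs the checks the slides leave out (named-checkconf against the jail root and, once bind9 has been restarted, that the running named really has the jail as its root). The function names, the two parameters and the scratch-directory usage are assumptions of the example; it presumes Debian's bind9 package layout (/etc/bind, a bind user and group, OPTIONS= in /etc/default/bind9).

```shell
#!/bin/sh
# Added example, not code from the slides: slides 20-24 as one function plus the
# checks they omit. The jail root and the defaults file are parameters so the
# function can be tried against a scratch directory as an unprivileged user.

# mkdev JAIL NAME MAJOR MINOR: one character device inside the jail, mode 666
# because named (user bind) must be able to open /dev/null for writing.
mkdev() {
    [ -e "$1/dev/$2" ] && return 0
    mknod -m 666 "$1/dev/$2" c "$3" "$4" ||
        echo "mknod $2 failed (no CAP_MKNOD?); create it by hand" >&2
}

# build_bind_jail JAIL DEFAULTS_FILE
build_bind_jail() {
    jail=$1
    defaults=$2

    # Slide 20: config dir, working dir, pid dir, devices, shared libs.
    for d in etc/bind dev var/cache/bind var/run/named lib; do
        mkdir -p "$jail/$d" || return 1
    done

    # Slide 22: seed the jail with the packaged configuration when present.
    if [ -d /etc/bind ]; then
        cp -R /etc/bind/. "$jail/etc/bind/" 2>/dev/null ||
            echo "warning: could not copy all of /etc/bind (run as root)" >&2
    fi

    # Slide 23: device nodes need root; chown only if the bind account exists.
    if [ "$(id -u)" -eq 0 ]; then
        mkdev "$jail" null 1 3
        mkdev "$jail" zero 1 5
        mkdev "$jail" random 1 8
        mkdev "$jail" urandom 1 9
        if id bind >/dev/null 2>&1; then
            chown -R bind:bind "$jail/etc/bind" "$jail/var"
        fi
    else
        echo "not root: skipping mknod/chown under $jail" >&2
    fi

    # Slide 21: rewrite (never duplicate) the OPTIONS= line the init script reads.
    tmp=$(mktemp) || return 1
    if [ -f "$defaults" ] && grep -q '^OPTIONS=' "$defaults"; then
        sed 's|^OPTIONS=.*|OPTIONS="-u bind -t '"$jail"'"|' "$defaults" > "$tmp"
    else
        [ -f "$defaults" ] && cat "$defaults" > "$tmp"
        printf 'OPTIONS="-u bind -t %s"\n' "$jail" >> "$tmp"
    fi
    mv "$tmp" "$defaults"
}

# jail_options DEFAULTS_FILE: the OPTIONS value the init script will hand to named.
jail_options() {
    sed -n 's/^OPTIONS="\(.*\)"$/\1/p' "$1"
}

# check_bind_jail JAIL: the checks to run before and after "invoke-rc.d bind9 restart".
check_bind_jail() {
    jail=$1
    for d in etc/bind dev var/cache/bind var/run/named; do
        [ -d "$jail/$d" ] || { echo "missing $jail/$d" >&2; return 1; }
    done
    # The config must parse relative to the jail root, exactly as named -t sees it.
    if command -v named-checkconf >/dev/null 2>&1 && [ -f "$jail/etc/bind/named.conf" ]; then
        named-checkconf -t "$jail" /etc/bind/named.conf || return 1
    fi
    # If named is already running, its root must be the jail, not the host /.
    pid=$(pidof named 2>/dev/null | cut -d' ' -f1)
    if [ -n "$pid" ]; then
        [ "$(readlink "/proc/$pid/root")" = "$jail" ] ||
            { echo "named is running but not chrooted to $jail" >&2; return 1; }
    fi
    return 0
}

# Real use on the server (as root): build_bind_jail /var/lib/named /etc/default/bind9
# followed by check_bind_jail /var/lib/named, then invoke-rc.d bind9 restart and
# check_bind_jail /var/lib/named again.
```

The device-node and chown steps are the only ones that need root; everything else, including the named-checkconf run, works against a scratch directory, which is the cheapest way to catch a path in named.conf that is still absolute to the host.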
  • 25. MAIN CONFIGURATION FILES named.conf, named.conf.options, zones/db.interna.direta, zones/db.interna.reversa, zones/db.externa.direta, zones/db.externa.reversa (all paths relative to the jail root /var/lib/named, i.e. /var/lib/named/etc/bind on the host)
  • 26. ACLs AND VIEWS - CONCEPT ACL – Access Control List: a named list of addresses, networks or keys that other statements (match-clients, allow-query, allow-recursion, allow-transfer) refer to. Views: different sets of zones and options for different clients. BIND tests a client against each view's match-clients in the order the views appear in named.conf and uses the first match, so the more specific (internal) view must be written before the catch-all (external) one.
  • 27. CONFIGURE NAMED.CONF
acl intranet { 192.168.0.0/16; };
acl extranet { 0.0.0.0/0; };
extranet matches every address, including the intranet ones; it only works as the external ACL because the view that uses intranet is listed first.
  • 28. CONFIGURE NAMED.CONF
view bsidesplocal {
    match-clients { "intranet"; };
    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.interna.direta";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };
    zone "0.168.192.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.interna.reversa";
        allow-transfer { 192.168.0.220; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 192.168.0.220; };
        notify yes;
    };
};
  • 29. CONFIGURE NAMED.CONF
view bsidespweb {
    match-clients { "extranet"; };
    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
    zone "99.99.199.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
This view comes after bsidesplocal, so internal clients never reach it. The name of a reverse zone must be the reversed network of the addresses it maps: for 189.99.99.0/24 that is 99.99.189.in-addr.arpa; 99.99.199.in-addr.arpa as written covers 199.99.99.0/24.
  • 30. NAMED.CONF GLOSSARY
Line beginning with // = comment
include = includes the specified file
acl = defines an access list
zone = defines a zone
type = type of the zone (master or slave)
file = path of the zone file (relative to the jail root when named runs with -t)
allow-transfer = the servers (the slaves) allowed to request a zone transfer (AXFR/IXFR) from this server
update-policy local = accepts dynamic updates signed with the session key that named generates itself (nsupdate -l); in our case it is used together with key-directory so that named keeps the signatures of the signed zone fresh, re-signing records before the RRSIGs expire (adding or rolling keys automatically additionally needs auto-dnssec maintain;)
key-directory = directory holding the DNSSEC keys named needs for update-policy / automatic signing to succeed
also-notify = extra servers the master sends a NOTIFY to whenever the zone changes (not only when bind restarts)
notify = whether NOTIFY messages are sent for the zone at all
  • 31. DB.ZONES FILES
root@moe:~# mkdir /var/lib/named/etc/bind/zones
root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones
  • 32. FORWARD ZONE EXAMPLE
$TTL 86400
@ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
        2012101801 ; Serial
        1200       ; Refresh
        2400       ; Retry
        4800       ; Expire
        1209600 )  ; Negative Cache TTL
;
@     IN NS    moe.bsidesp.utah.net.br.
@     IN NS    homer.bsidesp.utah.net.br.
@     IN MX 5  moe.bsidesp.utah.net.br.
@     IN MX 10 homer.bsidesp.utah.net.br.
@     IN A     189.100.100.10
@     IN A     189.99.99.9

moe   IN A     189.99.99.9
homer IN A     187.100.100.10
ftp   IN CNAME homer.bsidesp.utah.net.br.
pop   IN CNAME homer.bsidesp.utah.net.br.
Every fully qualified name ends in a dot; the original slide had pop IN CNAME homer.bsidesp.utah.net.br without it, which named reads as homer.bsidesp.utah.net.br.bsidesp.utah.net.br. Note also that the reverse zone on the next slide maps an address to www.bsidesp.utah.net.br, which has no A record here.
  • 33. REVERSE ZONE EXAMPLE
$TTL 86400
@ IN SOA moe.bsidesp.utah.net.br. root.bsidesp.utah.net.br. (
        2012101801 ; Serial
        1200       ; Refresh
        2400       ; Retry
        4800       ; Expire
        1209600 )  ; Negative Cache TTL
;
@  IN NS    moe.bsidesp.utah.net.br.
@  IN NS    homer.bsidesp.utah.net.br.
@  IN MX 5  moe.bsidesp.utah.net.br.
@  IN MX 10 homer.bsidesp.utah.net.br.
9  IN PTR   moe.bsidesp.utah.net.br.
10 IN PTR   homer.bsidesp.utah.net.br.
10 IN PTR   www.bsidesp.utah.net.br.
10 IN PTR   ftp.bsidesp.utah.net.br.
10 IN PTR   pop.bsidesp.utah.net.br.
MX records serve no purpose in a reverse zone, and several PTRs on one address confuse reverse-lookup checks (mail servers in particular); the norm is one PTR per address pointing at the canonical host name. The last octet (9, 10) is relative to the zone's $ORIGIN, so all these addresses must belong to the /24 the zone is named after.
  • 34. ZONE FILE GLOSSARY
TTL = time in seconds that a record of the zone may stay in a resolver's cache;
Serial = version number of the zone; a slave compares it with its own copy to decide whether the zone changed, so it must increase on every edit;
Refresh = time in seconds the secondary waits before checking the primary for updates;
Retry = time in seconds before the next attempt when a refresh fails;
Expire = time in seconds the secondary keeps answering for the zone while the primary is unreachable; once it has elapsed the secondary stops answering too (the 4800 s in the example is 80 minutes; RFC 1912 recommends 2-4 weeks so that a primary outage does not take the zone down);
Negative Cache TTL = how long a resolver caches an NXDOMAIN (name does not exist) answer for this zone before asking again (RFC 2308 suggests 1-3 hours; 1209600 s is 14 days, and BIND's default max-ncache-ttl caps what it honours at 3 hours);
NS = name server;
A = host address (IPv4);
MX = mail exchanger, with its preference (lower is tried first);
CNAME = alias; the aliases (www, ftp, pop, etc.) go at the end of the file as above.
  • 36. CLOSE RECURSIVE QUERIES
root@moe:~# vi /var/lib/named/etc/bind/named.conf.options
    auth-nxdomain no;    # conform to RFC1035
    listen-on-v6 { any; };
    allow-query { intranet; extranet; };
    allow-recursion { intranet; };
    dnssec-enable yes;
The ACL names must be the ones defined in named.conf (slide 27 defines intranet and extranet). With allow-recursion limited to intranet the server still answers authoritative queries for everyone, but only resolves third-party names for internal clients, so outsiders can neither use it as an open resolver for amplification nor trigger the lookups a cache-poisoning attempt needs. dnssec-enable yes makes named serve the DNSSEC records of signed zones (DNSKEY, RRSIG, NSEC); validating the answers it fetches for its own clients would additionally need dnssec-validation yes.
  • 37. MAKE DNSSEC KEY
root@moe:~# mkdir /var/lib/named/etc/bind/zones/keys
root@moe:~# chown bind:bind /var/lib/named/etc/bind/zones/keys
root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-keygen -r /dev/urandom -f KSK -a RSAMD5 -b 2048 -K /var/lib/named/etc/bind/zones/keys -n ZONE bsidesp.utah.net.br
This writes Kbsidesp.utah.net.br.+001+<keytag>.key (the public DNSKEY record) and the matching .private file. Two caveats: RSAMD5 (algorithm 1) is deprecated (RFC 6944 lists it as MUST NOT implement) and current resolvers do not validate it, so use -a RSASHA256 (algorithm 8) or ECDSAP256SHA256 (13); and only a KSK is generated here, so the -z flag in the signing step makes that one key sign the whole zone, which works but ties every re-sign to the key whose DS is published at the parent.
  • 38. OPTIONS GLOSSARY
-r = device used as the source of randomness
-f = key flag; KSK sets the SEP (Secure Entry Point) bit that marks a key-signing key
-a = signing algorithm
-b = key size in bits
-K = directory where the key files are written
-n = name type; ZONE for a key that signs a zone
  • 39. SIGN ZONES
root@moe:/var/lib/named/etc/bind/zones/keys# dnssec-signzone -S -z -K /var/lib/named/etc/bind/zones/keys -N unixtime -o bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta
This writes db.externa.direta.signed next to the zone file and dsset-bsidesp.utah.net.br. in the current directory. The reverse zone 99.99.199.in-addr.arpa needs its own key pair and its own dnssec-signzone run (-o 99.99.199.in-addr.arpa), since the next slide expects db.externa.reversa.signed to exist. Signatures expire (30 days after signing by default), so the zone has to be re-signed before then, either by running dnssec-signzone again or by letting named maintain it. Because the zone is under update-policy, run rndc freeze bsidesp.utah.net.br before re-signing by hand and rndc thaw afterwards, otherwise named's journal and the rewritten file diverge.
  • 40. OPTIONS GLOSSARY
-S = smart signing: look the zone's keys up in the key directory (-K) and choose them by their timing metadata;
-z = ignore the KSK (SEP) flag and sign the whole zone with every key, instead of using the KSK only for the DNSKEY RRset;
-K = directory of the keys;
-N = SOA serial format; unixtime sets the serial to the current Unix time so that each signing run increments it (caveat: a Unix timestamp stays below a YYYYMMDDnn serial such as 2012101801 until 2033, so switching an existing zone to unixtime requires rolling the serial forward per RFC 1982 first, or slaves will treat the new zone as older and never transfer it);
-o = origin, the name of the zone being signed; the last argument is the zone file.
  • 41. CHANGE NAMED.CONF
The external view now serves the signed files; everything else stays as on slide 29.
view bsidespweb {
    match-clients { "extranet"; };
    zone "bsidesp.utah.net.br" {
        type master;
        file "/etc/bind/zones/db.externa.direta.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
    zone "99.99.199.in-addr.arpa" {
        type master;
        file "/etc/bind/zones/db.externa.reversa.signed";
        allow-transfer { 189.99.99.9; };
        update-policy local;
        key-directory "/etc/bind/zones/keys";
        also-notify { 189.99.99.9; };
        notify yes;
    };
};
Reload (rndc reload, or invoke-rc.d bind9 reload) and check with dig @127.0.0.1 bsidesp.utah.net.br DNSKEY +dnssec that DNSKEY and RRSIG records come back (127.0.0.1 is not in intranet, so it hits this view).
  • 42. PUBLISHING THE DS AT REGISTRO.BR (the registry for .br; the DS record always goes to whoever runs the parent zone)
  • 43. GET KEYTAG AND DIGEST
root@moe:/var/lib/named/etc/bind/zones/keys# cat dsset-bsidesp.utah.net.br. | head -1
bsidesp.utah.net.br. IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD
Keytag = 51074
Algorithm = 1 (RSAMD5)
Digest type = 1 (SHA-1)
Digest = D836A983AE90B051414E88D62379A94C9C9F71DD
The DS is a hash of the KSK's DNSKEY record, and these four values are what the registry publishes in the parent zone. The dsset file carries one DS line per digest type; prefer the SHA-256 (digest type 2) line over the SHA-1 one shown here. After the DS is published, check the chain with dig +dnssec against a validating resolver (the AD flag must be set) or with an online DNSSEC checker.
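The key generation, signing and DS extraction of slides 37 to 43 as one script, added here and not part of the slides, with the changes a current deployment needs: a KSK/ZSK pair on RSASHA256 instead of one RSAMD5 key, the dsset file read from where dnssec-signzone writes it, and a check that the DS about to be handed to the registry uses an algorithm and digest type that validating resolvers still accept. sign_zone, parse_ds and ds_publishable are names chosen for the example, the sample DS line is the one from slide 43, and the script assumes BIND 9's dnssec-keygen and dnssec-signzone are on the path for the signing part.

```shell
#!/bin/sh
# Added example, not code from the slides: the signing procedure of slides
# 37-43 with a KSK/ZSK pair on RSASHA256, plus a parser for the DS record that
# dnssec-signzone writes. sign_zone needs BIND's dnssec tools; parse_ds and
# ds_publishable are plain shell and work on any DS line.

# sign_zone ZONE ZONEFILE KEYDIR: generate keys, sign, print the signed file name.
sign_zone() {
    zone=$1 zonefile=$2 keydir=$3
    mkdir -p "$keydir" || return 1
    # KSK (SEP bit set; its DS goes to the parent) and ZSK (signs the records).
    dnssec-keygen -q -K "$keydir" -a RSASHA256 -b 2048 -f KSK -n ZONE "$zone" >/dev/null || return 1
    dnssec-keygen -q -K "$keydir" -a RSASHA256 -b 1024 -n ZONE "$zone" >/dev/null || return 1
    # -S picks both keys up from -K by zone name. No -z: the KSK signs only the
    # DNSKEY RRset and the ZSK everything else, so a later ZSK roll needs no
    # change at the parent. -d puts dsset-ZONE. next to the keys.
    dnssec-signzone -S -K "$keydir" -d "$keydir" -N unixtime -o "$zone" "$zonefile" >/dev/null || return 1
    echo "$zonefile.signed"
}

# parse_ds DS_LINE: print "keytag algorithm digest-type digest" for one DS
# record (owner, optional TTL, class and type stripped; a digest split into
# several whitespace-separated groups, as dig prints it, is joined). Prints
# nothing for a line that is not a DS record.
parse_ds() {
    printf '%s\n' "$1" | awk '
        {
            for (i = 1; i <= NF; i++) if ($i == "DS") break
            if (i > NF) next
            digest = ""
            for (j = i + 4; j <= NF; j++) digest = digest $j
            print $(i + 1), $(i + 2), $(i + 3), digest
        }'
}

# ds_publishable ALGORITHM DIGEST_TYPE: succeed only for a DS that validating
# resolvers still accept. Per RFC 8624, RSAMD5 (1), DSA (3) and DSA-NSEC3-SHA1
# (6) must not be used for signing, RSASHA1 (5, 7) is not recommended, and a
# SHA-1 digest (type 1) must not be used for new DS records.
ds_publishable() {
    case "$1" in
        1|3|5|6|7) return 1 ;;
    esac
    [ "$2" -ne 1 ]
}

# The DS line from slide 43, constructed here as a literal for the demonstration
# (algorithm 1 = RSAMD5, digest type 1 = SHA-1: exactly the combination to avoid).
SAMPLE_DS='bsidesp.utah.net.br. IN DS 51074 1 1 D836A983AE90B051414E88D62379A94C9C9F71DD'

# With ZONE ZONEFILE KEYDIR on the command line (and BIND installed) sign for
# real and report which DS lines from the dsset file are fit for the registry.
if [ $# -eq 3 ] && command -v dnssec-signzone >/dev/null 2>&1; then
    signed=$(sign_zone "$1" "$2" "$3") || exit 1
    echo "signed zone written to $signed"
    while read -r line; do
        fields=$(parse_ds "$line")
        [ -n "$fields" ] || continue
        alg=$(printf '%s\n' "$fields" | cut -d' ' -f2)
        dtype=$(printf '%s\n' "$fields" | cut -d' ' -f3)
        if ds_publishable "$alg" "$dtype"; then
            echo "publish: $fields"
        else
            echo "weak, do not publish: $fields"
        fi
    done < "$3/dsset-$1."
fi
```

On the server from the slides this would be run as sh sign.sh bsidesp.utah.net.br /var/lib/named/etc/bind/zones/db.externa.direta /var/lib/named/etc/bind/zones/keys; the "publish" line is the SHA-256 DS of the KSK, and the SHA-1 line that dnssec-signzone still writes is reported as weak. Re-running the script re-signs with a fresh unixtime serial, which is the cron job a manually signed zone needs before the 30-day signature validity runs out.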
  • 44. DOUBTS? SPECIAL THANKS: ISAIAS SOUZA SILVA
  • 45. SOURCES OF RESEARCH
BIND9 PROJECT - https://www.isc.org/software/bind
REGISTRO.BR - www.registro.br
QGSEG - http://www.qgseg.com.br/
WIKIPEDIA - http://pt.wikipedia.org